Schedulability analysis for the design of reliable and cost-effective automotive embedded systems

Academic year: 2021

HAL Id: tel-01749552

https://hal.univ-lorraine.fr/tel-01749552

Submitted on 29 Mar 2018


Schedulability analysis for the design of reliable and cost-effective automotive embedded systems

Dawood Ashraf Khan

To cite this version:

Dawood Ashraf Khan. Schedulability analysis for the design of reliable and cost-effective automotive embedded systems. Computers and Society [cs.CY]. Institut National Polytechnique de Lorraine, 2011. English. NNT: 2011INPL097N. tel-01749552

NOTICE

This document is the result of a long piece of work approved by the defense jury and made available to the wider university community.

It is subject to the intellectual property rights of the author. This implies an obligation to cite and reference it whenever this document is used.

Furthermore, any counterfeiting, plagiarism or illicit reproduction is liable to criminal prosecution.

Contact: ddoc-theses-contact@univ-lorraine.fr

LINKS

Code de la Propriété Intellectuelle, article L 122.4

Code de la Propriété Intellectuelle, articles L 335.2 - L 335.10

http://www.cfcopies.com/V2/leg/leg_droi.php

        

IAEM DOCTORAL SCHOOL

Doctoral training department in computer science

THESIS

presented and publicly defended on 29/11/2011

for the degree of

Doctor of the Institut National Polytechnique de Lorraine

(specialty: computer science)

by

Dawood A. KHAN

Schedulability Analysis for the Design of Reliable and Cost-effective Automotive Embedded Systems

Thesis supervised by Françoise SIMONOT-LION and Nicolas NAVET

prepared at INRIA Grand-Est, TRIO project

Jury:

Reviewers:

Emmanuel GROLLEAU - Professor at ENSMA/LISI

Jean-Luc SCHARBARG - Associate Professor (MC) at the University of Toulouse, IRIT

Examiners:

Yvon TRINQUET - Professor at the University of Nantes

Sylvain CONTASSOT-VIVIER - Professor at LORIA/UHP

Laboratoire Lorrain de Recherche en Informatique et ses

Following is a list of people with whom I have done research, co-authored papers, or generally worked, on research problems:

Reinder J. Bril, Technical University Eindhoven: On the initial part of Chapter 3 dealing with integration of copy-time into the CAN schedulability analysis.

Robert I. Davis, University of York: On the later part of Chapter 3 dealing with integration of non-abortable transmission into the CAN schedulability analysis.

Luca Santinelli, TRIO, INRIA Grand Est: On the analysis framework developed in Chapter 4.

Indeed, all praise belongs to ALLAH, the almighty, on whom ultimately we depend for sustenance and guidance; and may His peace and blessing be upon His last and final prophet Muhammad S.A.W.

Foremost, I express my sincere gratitude to my co-advisor Dr. Nicolas Navet for the continuous support during my Ph.D. study and research. I appreciate his patience, motivation, enthusiasm, and immense knowledge. His guidance helped me to shape my research goals. I will always remember him as the best advisor and mentor. I am thankful to Prof. Françoise Simonot-Lion, my main advisor, for supporting me administratively and for making it a worthwhile stay for me in the TRIO team.

Besides my advisors, I am thankful to the rest of my thesis committee: Prof. Emmanuel Grolleau, Dr. Jean-Luc Scharbarg, Prof. Yvon Trinquet and Prof. Sylvain Contassot-Vivier, for their encouragement, useful comments, and positive criticism. I would also like to extend my gratitude to Prof. Y-Q Song, Prof. René Schott and Dr. Liliana Cucu for their advice and time.

I am grateful to the Institut national de recherche en informatique et en automatique, INRIA of France, for funding this research.

My gratitude also goes to all the colleagues with whom I worked and shared such pleasant working times, namely: Dr. Robert I. Davis, Dr. Reinder J. Bril, and Dr. Luca Santinelli.

I owe my deepest gratitude to my friends: Ehtesham Zahoor, Atif Mashkoor, Bilel Nefzi, and Najet Boughmani; for being there for me physically, spiritually, and morally; whenever I needed them.

I also owe my gratitude to the members of the TRIO team, namely: Laurence Benini, Lionel Havet, Aurélien Monot, Dorin Maxim, and Adrien Guenard; to whom I offer my fondest regards for all of the time we have passed together.

Lastly, and above all, I wish to thank my family: My parents: Muhammad Ashraf and Yasmeen Jabeen; and notably my wife and children: Summaiya Amin, Sarim Shahbaz, and Zuhayr Shahbaz; for supporting me unconditionally and unprecedentedly. They gave me the choices I wanted, the time I needed, the strength I required, the support I wished; they gave me everything I demanded.

Thank you guys for all of your support!

Dawood A. KHAN

March 13, 2012

Contents

1 Introduction
  1.1 Introduction
    1.1.1 Timing budget
    1.1.2 Simulations
    1.1.3 Analytical models
  1.2 State of the art
    1.2.1 Simulation
    1.2.2 Deterministic analyses
    1.2.3 Compositional performance analysis
    1.2.4 Probabilistic performance analysis
  1.3 Research questions and Contributions
  1.4 Thesis outline

2 Probabilistic CAN Schedulability Analysis
  2.1 Introduction
    2.1.1 CAN Protocol
    2.1.2 Problem definition
    2.1.3 Handling aperiodic traffic
  2.2 System Model
  2.3 Modeling aperiodic traffic
    2.3.1 Approximating arrival process
    2.3.2 Errors in approximation
    2.3.3 Finding distribution
    2.3.4 Threshold based work-arrival function
    2.3.5 Handling priority
  2.4 Schedulability analysis
  2.5 Case study
  2.6 Summary

3 Schedulability analysis with hardware limitations
  3.1 Introduction
  3.2 Working of a CAN controller
    3.2.1 AUTOSAR CAN driver implementation
    3.2.2 Implementation overhead (copy-time)
    3.2.3 Single buffer with preemption
    3.2.4 Dual buffer with preemption
    3.2.5 FIFO message queue in a CAN driver
    3.2.6 CAN controller message index
    3.2.7 Impossibility to cancel message transmissions
  3.4 Response time analysis: abortable case
    3.4.1 Case 1: safe from any priority inversion
    3.4.2 Case 2: messages undergoing priority inversion
  3.5 Optimized implementation and case-study
  3.6 Response time analysis: non-abortable case
    3.6.1 Additional Delay
    3.6.2 Additional Jitter
    3.6.3 Response time analysis
  3.7 Comparative Evaluation
    3.7.1 SAE benchmark
    3.7.2 Automotive body network
  3.8 Summary

4 Probabilistic Analysis for Component-Based Embedded Systems
  4.1 Introduction
    4.1.1 Deterministic component models
    4.1.2 Probabilistic analysis of real-time systems
    4.1.3 Safety critical systems
  4.2 Component model
    4.2.1 Workload model
    4.2.2 Resource model
    4.2.3 Residual workload and resources
  4.3 Component-based probabilistic analysis
    4.3.1 Probabilistic interfaces
    4.3.2 Composability
    4.3.3 Component system metrics
    4.3.4 Schedulability
  4.4 Safety guarantees
  4.5 Case study
  4.6 Summary

5 Summary
  5.1 Future work
    5.1.1 Near Future

6 French summary (Résumé français)
  6.1 Historical perspective of automotive embedded systems (AES)
  6.2 Automotive embedded systems
  6.3 Automotive communication networks
  6.4 Communication requirements of AES
  6.5 The automotive embedded real-time system
    6.5.1 Timing budget
    6.5.2 Simulations
  6.6 Research questions and contributions
  6.7 Summary
  6.8 Future work

Bibliography

7 Letter and Abstracts
  7.1 Authorization to defend
  7.2 Abstract

1 Introduction

1.1 Introduction

Automotive embedded systems are distributed architectures of computer-based applications together with the physical processes (mechanical, hydraulic) that they have to control. The growing proliferation of computers (ECUs, Electronic Control Units) has an impact on safety. The increased use of ECUs in modern automotive systems has brought many benefits, such as the merging of chassis control systems for active safety with passive-safety systems [1]. Most automotive applications are safety critical, so providing guarantees for these applications is an important requirement. Moreover, this proliferation has come with an increasing heterogeneity and complexity of the embedded architecture. There is therefore a growing need to ensure that automotive embedded systems offer reliability, availability and safety guarantees during normal operation as well as in critical situations (e.g. airbags during a collision), taking into account a harsh environment (heat, humidity, vibration, electrostatic discharge (ESD) and electromagnetic interference (EMI)).

[1] Active safety systems are the systems employed for crash prevention, whereas passive

To provide guarantees on safety properties, model-based approaches and analytical methods are required during the design activity. These approaches should be able to model these systems, which are heterogeneous by nature: discrete and continuous systems, deterministic and probabilistic variables. In particular, validating the timing properties imposed by the time constraints of the physical systems and their control laws is of utmost importance. The distributed nature of such systems makes the validation of these safety properties more complex.

Electronic systems in automobiles are required to respond in a predictable, i.e. timely, manner. The predictability of these systems is ensured, among other means, by timing verification on system models, which checks whether performance requirements such as deadlines, jitter, throughput, etc. are met.

The verification of timing constraints has to be carried out as early as possible in the development life cycle. Moreover, such analyses may be mandatory for certification.

However, timing verification models can be complex to build. A trade-off has to be found between accuracy, complexity and computing time. First, it is difficult to have a detailed model at the earliest step, so rough assumptions have to be made, for example on hardware performance. However, such trade-offs should not over-simplify the models, which would make the analyses unsafe to use. Analytical timing models that overlook or oversimplify the system model may lead to optimistic results that do not fit the concrete system.

Automotive embedded systems can be classified into the following categories based on their timing requirements:

1. Hard: A hard real-time system is an embedded system that does not accept any lateness, since being late (missing a deadline) could result in a catastrophic event (for example, a car crash when the brake does not respond within the required deadline).

2. Firm: A firm real-time system is an embedded system that can tolerate infrequent deadline misses; however, if the frequency of deadline misses increases, it may result in a catastrophic event (for example, in control loops an occasional missed message can be tolerated, but frequently missed messages can cause the system to go out of control).

3. Soft: A soft real-time system is an embedded system that accepts deadline misses without any catastrophic consequences, but at the cost of decreased performance (for example, in multimedia systems the performance decreases with deadline misses, but this does not result in a catastrophic event).

Therefore, it is imperative to verify the temporal correctness of automotive systems, as they certainly fall into the above categories of real-time systems.

1.1.1 Timing budget

The automotive Original Equipment Manufacturers (OEMs) decompose the overall end-to-end latency into the timing budgets of the individual ECUs, the

OEMs need to assign these timing budgets to the suppliers. Therefore, the OEMs must properly decide the timing budget for each ECU and communicate the specification at the initial stage of automotive development. The OEMs may revise the initial estimates of the individual "timing budgets" of vehicular functions, in order to achieve optimal performance or cost for the entire vehicle, as the suppliers refine their solution (OEMs may ask suppliers to adjust or improve the time budget). Therefore, OEMs should be able to make better estimates when allocating timing budgets at the initial stages of a project. In practice, the OEMs may therefore carry over timing estimates from existing (proven-in-use) systems, applying domain-specific rules such as:

1. The load on an automotive CAN network must not be higher than 30 percent.

2. A frame pending for transmission for more than 30 ms is cancelled.

However, such an approach has potential problems: it can be sub-optimal and can lead to an unsafe design, with problems that can be hard to reproduce and are costly to repair later in the development cycle. Nevertheless, we can use the timing information from a previous design (of an automotive system) to infer the timing properties of a system in the early stage of design, when very little timing information is available, and thus help in better dimensioning the system. We propose one such model in this thesis, which uses the probabilistic model of aperiodic traffic from a previous development run of a vehicle to adjust the aperiodic traffic on the current development run of a vehicle.

1.1.2 Simulations

Simulation is a tool for checking the validity of a system. However, even if the design passes all the tests successfully, it is not guaranteed that the safety properties will be met. In order to verify the worst case (for safety-critical systems), we would have to perform exhaustive simulations of the design. A simulation uses a logical model of the (physical) system to imitate state changes in response to random or deterministic events at simulated points in time. The system state changes according to the given system description. Simulation of a network can be used to measure the end-to-end response time of messages across the network. In practice, software simulations are used in the early stages of the development cycle. Simulations are also used to validate analytical models (latencies, buffer occupation, etc.), telling us how long we stay in the worst-case situation. Moreover, simulations are also performed in conjunction with the ECUs as they become available, in HiL (Hardware in the Loop) set-ups, to validate the system.

However, simulations alone cannot be used for the timing verification of systems with safety and criticality requirements. The reason is the difficulty of ascertaining the worst case from simulation traces, as they do not provide any bound on the performance results.

1.1.3 Analytical models

Analytical models of automotive systems have been developed and are used to perform timing verification. These models combine the communication constraints and the message specifications (e.g. activations) to verify timing. Analytical models of automotive systems often consider periodic and sporadic task activations only. For example, the analytical models developed for CAN are used to verify the timing of messages on a CAN bus based on periodic or sporadic activations.

The analytical models have to guarantee that the timing requirements of all tasks are met, i.e. the communication delay between a sending task queuing a message and a receiving task being able to access that message must be bounded. This total delay is termed the end-to-end communication delay. The end-to-end communication delay is then used to conclude on the feasibility of the system. Therefore, it is of paramount importance, particularly for safety-critical systems, that the upper bound returned by these analyses is a true upper bound.

However, some analytical models have been proven to be optimistic and thus wrong (especially unpublished complex ones) [Davis2007], and they ignore the impact of hardware limitations and the error-proneness of embedded software. Some models overestimate, which is pessimistic for soft real-time automotive applications.

Moreover, the timing verification models fall short of modeling everything accurately, for example taking into account the queuing policy used in a device driver, the copy time of messages from the device driver to the communication hardware, the limited transmit buffers in the hardware, etc.; unfortunately the standards do not say everything about this, e.g. the AUTOSAR CAN driver specification.

Moreover, these analytical models do not characterize the network traffic very well, e.g. aperiodic traffic. These analysis models usually rely on periodic or sporadic traffic models for a pessimistic analysis based on the critical instants of the tasks/messages, in order to find the worst-case timing properties and test the schedulability requirements of the tasks/messages. Even if this is appropriate in some specific application areas, this approach does not allow many of the applications in a heterogeneous system such as an automobile to be addressed, because when the arrival times are aperiodic with high variance it may lead to a significant over-provisioning of resources at design time. Thus, for real-time systems (RTS) in which the task/message set exhibits substantial variability in arrivals (aperiodic), it is practical to develop an approach that takes into account the stochastic nature of task/message arrivals. Such approaches can lead to a drastic reduction in the amount of resource provisioning, which may however lead a system conceived to be analyzable in the temporal domain to become a potentially unsafe design, which is unacceptable, particularly for safety-critical
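The bus-load rule of thumb from 1.1.1 and the CAN response-time analysis whose optimism [Davis2007] exposed (1.1.3) can be made concrete. The following Python is an added example, not code from the thesis: it computes worst-case CAN frame lengths including stuff bits, the bus load that the 30 percent rule caps, and the fixed-priority worst-case response time of each frame in the revised form that the page's reference [Davis2007] describes, checking every instance of a frame inside its priority-level busy period rather than only the first. The message set, frame names, identifiers, bit rate and the assumptions of 11-bit identifiers, deadlines equal to periods, an error-free bus and no driver overheads (copy time, limited buffers, non-abortable transmission) are all constructed for this example.

```python
# Added example (not the thesis's code): fixed-priority CAN response-time analysis
# in the revised form of Davis et al. [Davis2007], checking every instance of a
# frame inside its priority-level busy period.  Constructed assumptions: 11-bit
# identifiers, deadline = period, error-free bus, no driver overheads.
# All times are integers in microseconds so the fixed points compare exactly.
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    name: str
    ident: int          # CAN identifier; the lower value wins arbitration
    payload: int        # data bytes, 0..8
    period_us: int      # T_m: period or minimum inter-arrival time
    jitter_us: int = 0  # J_m: worst-case queuing jitter

def ceil_div(a: int, b: int) -> int:
    """Exact integer ceiling of a / b."""
    return -(-a // b)

def frame_bits(payload: int, extended: bool = False) -> int:
    """Worst-case data-frame length in bits, stuff bits included: g control bits
    (34 for 11-bit, 54 for 29-bit identifiers) + data + 13 never-stuffed trailing
    bits, with at most one stuff bit per 4 bits of the stuffed region."""
    g = 54 if extended else 34
    return g + 8 * payload + 13 + (g + 8 * payload - 1) // 4

def tx_time_us(f: Frame, tau_bit_us: int) -> int:
    """C_m: worst-case transmission time of frame f."""
    return frame_bits(f.payload) * tau_bit_us

def bus_utilisation(frames, tau_bit_us: int) -> float:
    """Sum of C_m / T_m, the quantity the '30 percent' rule of thumb caps."""
    return sum(tx_time_us(f, tau_bit_us) / f.period_us for f in frames)

def blocking_us(frames, m: Frame, tau_bit_us: int) -> int:
    """B_m: longest lower-priority frame that may already be on the bus."""
    return max((tx_time_us(k, tau_bit_us) for k in frames if k.ident > m.ident), default=0)

def busy_period_us(frames, m: Frame, tau_bit_us: int) -> int:
    """Length of the priority-level-m busy period (fixed-point iteration)."""
    hp_and_m = [k for k in frames if k.ident <= m.ident]
    b_m = blocking_us(frames, m, tau_bit_us)
    t = b_m + tx_time_us(m, tau_bit_us)
    while True:
        nxt = b_m + sum(ceil_div(t + k.jitter_us, k.period_us) * tx_time_us(k, tau_bit_us)
                        for k in hp_and_m)
        if nxt == t:
            return t
        t = nxt

def worst_case_response_time(frames, m: Frame, tau_bit_us: int) -> int:
    """R_m = max over instances q in the busy period of J_m + w_m(q) - q*T_m + C_m."""
    if bus_utilisation(frames, tau_bit_us) >= 1.0:
        raise ValueError("bus overloaded: the fixed-point iterations would not converge")
    hp = [k for k in frames if k.ident < m.ident]
    c_m = tx_time_us(m, tau_bit_us)
    b_m = blocking_us(frames, m, tau_bit_us)
    # Instances of m released inside its busy period.  The original analysis
    # looked only at the first one and is optimistic whenever there are more.
    instances = ceil_div(busy_period_us(frames, m, tau_bit_us) + m.jitter_us, m.period_us)
    worst = 0
    for q in range(instances):
        # Queuing delay w_m(q): blocking + m's own q earlier instances + interference
        # from every higher-priority frame queued before m can win arbitration.
        w = b_m + q * c_m
        while True:
            nxt = b_m + q * c_m + sum(
                ceil_div(w + k.jitter_us + tau_bit_us, k.period_us) * tx_time_us(k, tau_bit_us)
                for k in hp)
            if nxt == w:
                break
            w = nxt
        worst = max(worst, m.jitter_us + w - q * m.period_us + c_m)
    return worst

def analyse(frames, tau_bit_us: int) -> dict:
    """Map frame name -> (R_m, deadline met) with D_m = T_m."""
    out = {}
    for f in frames:
        r = worst_case_response_time(frames, f, tau_bit_us)
        out[f.name] = (r, r <= f.period_us)
    return out

# Constructed body-network message set on a 500 kbit/s bus (tau_bit = 2 us).
# Its load is above the 30 percent rule of thumb, yet every frame meets its deadline.
TAU_BIT_US = 2
BODY_BUS = [
    Frame("brake", 0x10, 8, 2000),
    Frame("climate", 0x20, 8, 2500),
    Frame("steer", 0x30, 8, 4000),
    Frame("speed", 0x40, 4, 5000),
    Frame("door", 0x50, 1, 10000, jitter_us=200),
]

if __name__ == "__main__":
    print(f"bus load: {bus_utilisation(BODY_BUS, TAU_BIT_US):.1%}")
    for name, (r, ok) in analyse(BODY_BUS, TAU_BIT_US).items():
        print(f"{name:8s} R = {r:5d} us  {'meets' if ok else 'misses'} its deadline")
```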

1.2 State of the art

Timing analysis enables an early assessment of whether a system can meet the desired timing requirements, avoids over- or under-dimensioning of systems and also saves unnecessary iterations in the development process. The result is a shortened development cycle with increased predictability/timeliness, which is of great interest in safety-critical systems.

Today, during the automotive development process, designers first focus on the functional behavior of the system, and therefore the temporal properties of the system may be verified late in the process. Besides, when the temporal properties are verified, it is usually through testing and measurements, and if a timing error is detected it is late in the process, resulting in costly design re-iterations. Thus, we need analytical models that we can use from the early stages of the design (not just testing and measurements at the end) to verify timing properties. These analytical models should be detailed enough (for both hardware and software) to check the temporal properties, particularly for safety-critical systems. There are various methods for temporal analysis, which can be broadly grouped into four categories based on the modeling framework they use; they are explained below.

1.2.1 Simulation

Simulations use a logical model of the (physical) system to imitate state changes in response to random or deterministic events at simulated points in time. The system state changes according to the given system description. In RTS, discrete-event simulation is used to analyze the performance of the system, for example in a network to measure the end-to-end response time of messages across the network. The transfer time is determined for different bus loads, message priorities and arrangements of the devices. Simulations are often used when an analytical approach is not possible or is complex and expensive. Various simulation frameworks are available for real-time systems, and some of them are described hereafter.

The Modeling and Analysis Suite for Real-Time Applications (MAST), see [Gonzalez Harbour 2001], provides worst-case schedulability analysis for hard timing requirements and discrete-event simulation for soft timing requirements. In MAST, a system representation is analyzable through a set of tools developed within the MAST suite. These tools describe a model for representing the temporal and logical elements of real-time applications. MAST allows a very rich description of the system, including the effects of event- or message-based synchronization, multiprocessor and distributed architectures, as well as shared-resource synchronization. MAST currently includes only fixed-priority scheduling, but it is conceived as an open model and is easily extensible to accommodate other scheduling algorithms.

Ptolemy, see [Buck 2002], is another framework that provides simulation and prototyping of heterogeneous systems. The models in Ptolemy are described

networking and transport, call-processing and signaling software, embedded microcontrollers, signal processing (including real-time implementation), scheduling of parallel digital signal processors, board-level hardware timing simulation, and combinations of these.

TrueTime is a toolbox for MATLAB, see [Henriksson 2003], for simulating networked and embedded real-time control systems. One of its main features is the possibility of co-simulating the interaction between real-world continuous dynamics and the computer architecture, in the form of task execution and network communication. It supports various communication protocols for both wireless and wired networks.

DRTSS, see [Storch 1996], is another framework that allows its users to easily construct discrete-event simulators of complex, heterogeneous distributed real-time systems. The framework allows the simulation of initial high-level system designs to gain insight into the timing feasibility of the system, which at later stages of the design process can be expanded into detailed hierarchical designs for detailed analysis.

Cheddar, see [Singhoff 2004], is an Ada framework that provides tools to check the temporal characteristics of real-time applications. The framework is based on real-time scheduling theory. The Cheddar model defines an application as a set of processors, tasks, buffers, shared resources and messages. It has a flexible simulation engine that allows the designer to describe and run simulations of specific systems. The Cheddar framework is open, and extensions can easily be designed for its tools and simulators.

RTaW-Sim, see [rts], is a fine-grained discrete-event simulator for CAN networks that provides performance analysis and buffer usage, thereby helping to make correct implementation choices, e.g. the queuing policy. It has features to perform fault injection in terms of frame transmission errors, ECU reboots and clock drift.

Besides these frameworks, simulations in RTS have been used to evaluate the robustness of a system; for example, see [Nilsson 2009], where Nilsson et al. created and simulated attacks on the automotive communication protocol FlexRay and showed that such attacks can easily be created. These attacks can impact the safety of the in-vehicle network and lead to a catastrophic event.

However, it is difficult to ascertain the worst case from simulation traces, as they do not provide any bound on the performance results. Thus simulations do not qualify for checking the temporal properties of hard real-time systems.

1.2.2 Deterministic analyses

The idea of holistic scheduling is to extend well-known results of classical scheduling theory to distributed systems. These analyses combine the schedulability analyses of the processors and of the communication bus to compute the end-to-end response time in a distributed real-time system. Tindell and Clark in [Tindell 1994a] use this approach to analyze distributed hard real-time systems where tasks with arbitrary deadlines communicate by message passing and shared data objects, and the nodes

communication delays and overheads at the destination processor.

Communication links add both chip and board costs, and designers frequently underestimate peak load. In [Yen 1995, Yen 1998] the authors present a holistic analysis approach for distributed systems in which they describe a methodology to co-synthesize communication so as to avoid communication bottlenecks in embedded systems. They use a bus model for communication in an arbitrary topology in a point-to-point manner.

In [Pop 2002], a holistic analysis is presented for emerging distributed automotive applications, specifically dealing with the issues related to mixed event-triggered and time-triggered task sets, which communicate over bus protocols consisting of both static and dynamic phases.

However, the problem with holistic scheduling is that it is tailored towards a particular combination of input event model, resource sharing policy and communication arbitration. Therefore, for large heterogeneous systems it results in a large and heterogeneous collection of analysis methods, which makes holistic scheduling analysis difficult to use in practice.

1.2.3 Compositional performance analysis

In contrast to holistic methods, which extend classical scheduling analyses, compositional analysis techniques are modular in nature (components). The components of a system are analyzed with classical algorithms, and the local results are propagated through the system via appropriate component interfaces, relying on event stream models for the propagation between components. That is, for each cycle of system-level compositional analysis, a local analysis is performed on each component. The output event models resulting from the local analysis of the components are then propagated through the component interfaces to the connected components. The receiving component uses the output event model of the previous component as its input model.

Thiele et al. in [Thiele 2000] presented Modular Performance Analysis (MPA) as one such analysis method for RTS. The method uses Real-Time Calculus, an extension of Network Calculus [Le Boudec 2001], to analyze the flow of event streams through the processing and communication elements of the system. The important feature of MPA is that it is not limited to certain input event models; the component interfaces, see [Henzinger 2006], can also specify the component compatibility and relationships depending on assumptions about the input event model and the allocated resource capacities.

SymTA/S (Symbolic Timing Analysis for Systems) is another compositional analysis approach similar to MPA, see [Henia 2005]. SymTA/S is based on the technique of coupling local scheduling analysis algorithms using event streams. The event streams describe the possible task activations. For the compositional analysis, the input and output event streams are described by standard event models; for example, a periodic-with-jitter event model having two parameters can be described

in MPA, to adapt the possible timing of events in an event stream.

1.2.4 Probabilistic performance analysis

Worst-case evaluation may not be sufficient, or even needed, as there are not many strictly hard real-time systems. Therefore, for these systems, probabilistic performance analyses can be performed. The motivation is that not many applications are time-critical, but they are nonetheless sensitive to latencies. For example, for control applications the quality of control also depends on the average response time, besides the deadline, which needs to be minimized. Moreover, the activation of tasks and messages can be aperiodic (probabilistic) in certain systems. Importantly, not all of the design parameters may be available at the initial phase of automotive system design, and a designer can start with a probabilistic model of a system that can provide an important direction for future phases of the project. Moreover, for many safety-critical systems the constraints on criticality are expressed in terms of probability thresholds (e.g. a mean-time-to-failure probability).

Stochastic Network Calculus (SNC), see [Jiang 2008], is one such method that focuses on performance guarantees. It is similar to network calculus, a theory dealing with the queuing systems found in computer networks, but works with stochastic arrival curves and provides probabilistic guarantees on timing and backlog information. Moreover, automotive systems have been analyzed using probabilistic approaches because the problem is explicitly probabilistic in nature. For example, in [Navet 2000], Navet et al. introduce the concept of worst-case deadline failure probability (WCDFP), the probability that so many errors occur that a message cannot meet its deadline. Nolte et al. in [Nolte 2001] extend the worst-case response time analysis to messages with random transmission times due to bit stuffing. This analysis depends on the probability distribution of a given number of stuffed bits due to the mechanism in the CAN protocol whereby a frame containing a sequence of five consecutive identical bits is bit-stuffed to change polarity. Gardner et al. in [Gardner 1999] analyze a stochastic fixed-priority RTS in which an occasional missed deadline is acceptable, but at decreased performance. They present an analysis technique in which they lower-bound the percentage of deadlines that a periodic task meets and compare that lower bound with simulation results. Díaz et al. in [Díaz 2002] provide a stochastic analysis method for general periodic real-time systems, accurately computing the response-time distribution of each task in the system, making it possible to determine the deadline-miss probability of individual tasks, even for systems with a maximum utilization factor greater than one. Bernat et al. in [Bernat 2002] devise an approach for computing probabilistic bounds on execution time by combining measurement and analytical approaches into a model. The method combines, probabilistically, the observed worst-case effects to formulate an execution-time model of a worst-case

1.3 Research questions and Contributions

This thesis addresses the timing verification issues of automotive systems and provides analytical models and implementation guidelines to address these problems in a safety-critical automotive environment. We investigate and provide tight worst-case bounds in a mixed communication paradigm based on aperiodic (probabilistic) and periodic messages, thus helping in better dimensioning of the systems at development time. We also investigate the implication of diverse communication controllers (when message abortion is not possible) on the response time of messages that are assumed to be enqueued by a middleware-level task before being exchanged on a CAN network, and we provide a tight bound on the response time of the messages. We also integrate implementation overheads, such as copy time, into the schedulability analysis of CAN networks. We also develop a probabilistic system-level analysis for component-based RTS in a mixed communication paradigm, i.e. having both probabilistic and deterministic arrivals. Most of the analyses developed in this thesis integrate the concept of functional safety based on Safety Integrity Levels into response time analysis, in order to guarantee the required safety levels. Each chapter provides a case study that is evaluated using the developed analysis, to give an understanding of the improvements and innovations our analyses have brought about. Specifically, this thesis tries to address the following research questions:

Q1 How to perform mixed (probabilistic and deterministic) timing analysis of an automotive communication network in order to dimension the system properly?

  - Q1a How to model the aperiodic data probabilistically?
  - Q1b How to integrate the model of aperiodic data in the schedulability analysis?
  - Q1c How to ensure that the analysis guarantees the required level of safety?

Answer: We provide a probabilistic approach to model the aperiodic traffic and integrate it into response time analysis along with the deterministic part, modeled by periodic activations. The approach allows the system designer to choose the safety level of the analysis based on the system's dependability requirements. Compared to existing deterministic approaches, the approach leads to a more realistic WCRT (worst-case response time) evaluation and thus to a better dimensioning of the hardware platform.

Q2 How can different hardware and software implementations affect the temporal behavior in an automotive network?

  - Q2a How to integrate the implementation overheads in the schedulability analysis?
  - Q2b How to integrate the effect of limited transmission buffers in the
  - Q2c What are the guidelines for device driver implementations?

Answer: We provide an analysis of the real-time properties of messages in a CAN network having hardware constraints and implementation overheads (copy time of messages). The overhead, if not considered, may result in a deadline violation incurred due to additional latencies. We explain the cause of this additional latency and extend the existing CAN schedulability analysis to integrate it. We also provide some guidelines that can be useful for the implementation of CAN device drivers.

Q3 How can we perform a mixed (deterministic and probabilistic) component-based performance analysis, for system dimensioning and component reuse, of an automotive system?

  - Q3a How to model the probabilistic component and its interface?
  - Q3b How to compose the mixed (deterministic and probabilistic) components together in a system?
  - Q3c How to do the performance analysis of this mixed component system?
  - Q3d How to ensure that the analysis guarantees the required level of safety?

Answer: We provide an analysis of complex real-time systems involving component-based design and abstraction models. We developed an abstraction that provides both deterministic and probabilistic models for component interfaces, based on curves and probability thresholds associated with those curves, resulting in an analysis for real-time systems which has both

deterministi and probabilisti omponents, based on an extension of

real-time al ulus to probabilisti domain. The analysis an oer either hard or

softreal-time guaranteesa ordingto the requirementsandthespe i ations

of the system. We also show the exibility of the analysis to ope with the

required safety riti alitylevelofa system.

1.4 Thesis outline

Chapter 2: Periodi and Aperiodi (mixed) analysis of CAN based on inte-grating safetyrequirements.

Chapter 3: CAN ontroller hardware and software limitations and modeling theanalysis toin lude thoselimitations fortighterboundsonresponsetime.

Chapter4: Systemlevelresponsetimeanalysisfor omponent basedanalysis, in a mixed (probabilisti and deterministi ) analysisfor system level

perfor-man e withguarantees for safetyandreal-time onstraints.

(25)

Probabilistic CAN Schedulability Analysis

Contents
2.1 Introduction . . . 11
2.1.1 CAN Protocol . . . 12
2.1.2 Problem definition . . . 12
2.1.3 Handling aperiodic traffic . . . 13
2.2 System Model . . . 14
2.3 Modeling aperiodic traffic . . . 14
2.3.1 Approximating arrival process . . . 15
2.3.2 Errors in approximation . . . 16
2.3.3 Finding distribution . . . 17
2.3.4 Threshold based work-arrival function . . . 23
2.3.5 Handling priority . . . 29
2.4 Schedulability analysis . . . 32
2.5 Case study . . . 34
2.6 Summary . . . 39

In this chapter a probabilistic approach to model the aperiodic traffic and its integration into response time analysis is discussed. The approach allows the system designer to choose the safety level of the analysis based on the system's dependability requirements. Compared to existing deterministic approaches, the approach leads to more realistic WCRT evaluation and thus to a better dimensioning of the hardware platform.

2.1 Introduction

In the field of real-time systems, methods to assess the real-time performance of periodic activities (tasks, messages) have been extensively studied. Response times, worst-case or average, and jitters can be evaluated by simulation or analysis for a wide range of scheduling policies, provided that the activation patterns of the tasks and messages are well identified. The problem is more intricate for aperiodic

their activation pattern and because deterministic WCRT analysis has not been conceived to handle aperiodic activities. For example, the arrival pattern of aperiodic frames in the body network of a vehicle is hard to predict, as it is dependent on the user interactions. However, aperiodic frames of higher priority exchanged among the Electronic Control Units (ECUs) in the body network of a vehicle can delay periodic traffic. Indeed, most often the Controller Area Network (CAN) priority bus is used and the aperiodic frames do not necessarily get the lowest priority levels¹ assigned to them.

2.1.1 CAN Protocol

The Controller Area Network (CAN) was developed in the beginning of the 80s by Bosch. Today CAN is the most widely used network technology in the automotive industry, found in almost all domains. CAN transmits messages in an event-triggered fashion using deterministic collision resolution to control access to the bus (so called CSMA/CR). Messages are transmitted in frames containing 0 to 8 bytes of payload data. These frames can be transmitted at speeds of 10 Kbps up to 1 Mbps. Each CAN message has a unique ID value, which is used for the bus arbitration. However, the CAN ID is also used as the message priority, such that a lower value of the CAN ID indicates a higher-priority message and a higher value of the CAN ID indicates a lower-priority message. At the start of arbitration, each node hoping to send a message starts to transmit the message ID (least significant bit first); while transmitting the CAN ID each node also listens to the bus (for each transmitted bit). When a node notices a zero on the bus while it transmitted a one, it backs off, which implies that some other node has a higher priority message to send; the arbitration can be thought of as an AND gate such that if any bit is zero the result is zero.

2.1.2 Problem definition

In this chapter, we address the problem of evaluating response times when both periodic and aperiodic activities are taken into account. Activities are termed frames in the rest of the chapter, because the approach will be developed and illustrated on the CAN bus, but our approach equally holds for tasks. The increase in the WCRT of the periodic frames which may be caused by the higher priority aperiodic frames could be critical for hard real-time systems as it could lead to the violation of the deadlines. Besides, large response times of aperiodic frames may jeopardize the execution of a function or may even raise safety concerns in some cases (e.g. headlight flashes in a vehicle). In addition, low responsiveness is negatively perceived by the user. It is worth mentioning that activities that are periodic by essence are sometimes implemented in an aperiodic manner in order to save resources.

Whatever the exact approach, one of the main steps is to derive a model of the arrival patterns for aperiodic activities, what will be called in the following

¹ Because of the incremental design process, in-house usages or constraints of the cooperation process between car-makers and suppliers, priorities on the CAN bus do not necessarily reflect the

the aperiodic Work Arrival Function (WAF). Then, this aperiodic WAF has to be integrated into the response time analysis. There are however difficulties:

- obtaining aperiodic data (i.e., by measurements or simulation),
- modeling aperiodic data,
- integrating the model into schedulability analysis.

What we are discussing in this chapter is not how to obtain data but how to model it and integrate it into schedulability analysis.

2.1.3 Handling aperiodic traffic

There are two classical approaches to handle the aperiodic traffic:

- A worst-case deterministic approach: aperiodic frames are considered as periodic frames with their periods equal to the minimum inter-arrival times; this is the well known sporadic model [Spuri 1996]. However, in many cases, the minimum inter-arrival time is so small that the resulting workload is unrealistic, and often greater than 100% [Zhang 2008].
- An average-case probabilistic approach: the aperiodic traffic is modeled according to a probabilistic inter-arrival process; the next step is then to estimate the 'probable' number of arrivals in a given interval of time. This approach is clearly not suited to real-time systems because it largely underestimates the arrivals of aperiodic traffic which can occur in small time intervals².

A basic probabilistic framework was set for the inclusion of aperiodic frames in a controlled manner using a threshold value in [Burns 2003]. This chapter builds upon this framework and discusses precisely the mechanism of deriving the aperiodic WAF, as well as removing some assumptions placed in [Burns 2003]. In particular, we show that in our specific context it is not necessary that the different streams of aperiodic frames are modeled individually.

Overview of approach

We do not assume any prior knowledge of the aperiodic frame activation pattern; however we assume that it is possible to monitor the system, or a simulation model of it, and gather data about the arrival times of aperiodic frames. Then, from the measurements, we build a probabilistic model of the aperiodic inter-arrival times under the form of an empirical frequency histogram or a distribution obeying a closed-form equation whenever it is possible. The next step is to derive a deterministic WAF from the probability distribution of the aperiodic frame inter-arrival times. A general mechanism is provided enabling to derive the deterministic WAF

² According to the principle of large deviations: the smaller the interval, the larger (in

(a) Approximated trace
a      ρ      C (msec)
0.5    341    0.760
0.5    878    0.696
0.5    2000   0.760
9      33     0.632
12     256    0.632

(b) Actual trace 1
a      ρ      C (msec)
0.500  341    0.760
1.250  878    0.696
1.954  2000   0.760
9      33     0.632
12     256    0.632

(c) Actual trace 2
a'     ρ'     C' (msec)
0.5    341    0.760
1.260  878    0.696
1.956  2000   0.760
9      33     0.632
12     256    0.632

Figure 2.1: Approximated trace against trace 1 and trace 2.

from the underlying probabilistic distributions of the aperiodic traffic, even given in the form of empirical histograms, which is worthy in practice since aperiodic arrivals do not necessarily obey a closed-form equation. Another advantage is that the technique is independent of the scheduling and can be used whatever the policy is (preemptive, non-preemptive, fixed priority, dynamic priority, etc.) and whatever the task model is. All in all, we believe that our proposal offers a better solution for taking into account aperiodic traffic in systems with dependability constraints, compared to worst-case and average-case probabilistic approaches.

2.2 System Model

The trace of aperiodic events is characterized by a set $D = \{E_1, E_2, \ldots, E_n\}$ where $E_i$ is the $i$-th aperiodic event, such that $E_1$ is recorded before $E_2$ on the bus. The events in $D$ are recorded in order of their arrivals on the bus. Each aperiodic event is characterized by a set $E_i = \{a_i, \rho_i, C_i\}$ where $a_i$ is an arrival time ($\hat{a}_i$ is the estimated arrival time), $\rho_i$ is the priority of the aperiodic frame, and $C_i$ is the worst-case execution time of the frame. The length of the set $D$ depends on the time when the trace capture was stopped, but it should be sufficiently large to deduce the probabilistic model of inter-arrivals.

2.3 Modeling aperiodic traffic

The data used in this work comes from measurements taken on-board a PSA vehicle, but for confidentiality reasons we have obscured the characteristics which could reveal the design at PSA Peugeot Citroën.

[Figure 2.2: Gantt chart; time axis 0.5 to 12.5, frames E1, E2, E3, E5, E6]

Figure 2.2: Gantt chart for trace 1: black arrows are actual release times and red arrows are observed arrival times in the data trace. The blue arrows will be the approximated arrival times.

and not the times at which the transmission requests were issued. Especially when the network is loaded, the two can be significantly different because of frame transmissions being delayed by higher priority frames. This could be taken into account by studying the busy periods on the bus and constructing a worst-case activation process, which is discussed in section 2.3.1.

2.3.1 Approximating arrival process

The modeling process of the aperiodic traffic involves estimating the probabilistic distribution of aperiodic inter-arrivals from the captured data trace of a simulation model of a vehicle or from a real vehicle. The captured data trace of bus activity gives us the arrival times of frames on the bus, the priorities of the frames and the sizes of the frames. The difficulty in using this captured data trace lies in the fact that the measured arrival time of the frames on the bus may not coincide with the actual release times of the frames. This requires us to approximate an actual arrival process from the captured data trace. The actual arrival time for some frame $i$ can be approximated by subtracting the level-$i$ busy period seen by the frame. The level-$i$ busy period seen by frame $i$ on the bus can be easily computed from a trace. The simple subtraction of the level-$i$ busy period gives us the worst-case arrival process of the aperiodic frames, which is what is required. The approximated arrival process for the aperiodic frames gives us the worst-case arrival process, which can lead to burstiness in lower priority frames as they are the ones which are pushed back when the aperiodic traffic arrives.

Assumptions:

- No inter-frame sequence for frame separation. Otherwise all frames after the first frame will be equally shifted by three bit times.

[Figure 2.3: Gantt chart; time axis 0.5 to 12.5, frames E1, E2, E3, E5, E6]

Figure 2.3: Gantt chart for trace 2: black arrows are actual release times and red arrows are observed arrival times in the data trace. The blue arrows will be the approximated arrival times.

[Figure 2.4: time axis 0 to 20 with the marks $x_1$, $x_2$ and $a_2$]

Figure 2.4: Approximation error when approximating the arrival of a frame. The frame arrives at time $x_1$, is observed at arrival time $x_2$ in the data trace, and the approximated arrival time is at $a_2$.

- The data trace is sorted according to arrival times, then priorities, such that if two frames arrive at the same time then the highest priority frame will precede the lower one in the table, which is natural for a captured data trace.

Therefore, for some frame $i$ the level-$i$ busy period seen by it will be equal to the summation of the transmission times of all higher priority frames preceding the $i$-th frame in the data trace; see algorithm 1.

2.3.2 Errors in approximation

When approximating the arrival process from captured data traces, e.g. the arrival times of table 2.1, we will have an approximation error for the approximated arrival process if the actual arrival process was not the worst-case arrival process; e.g. for the traces of figures 2.3 and 2.2 we will get an approximation error (see figure 2.3.1 for further understanding) as the blue and black arrows do not coincide. Suppose that an aperiodic event occurs at time $x_1$ and the bus is busy transmitting the frames of higher priority. When the level-$i$ busy period for the frame released at time $x_1$ is over, it begins transmitting at time $x_2$, which is observed and recorded in the data trace. When approximating the actual arrival time ($x_1$) of the frame from the observed arrival time from the trace ($x_2$) we get a worst-case arrival time of $a_2$ for the frame, which is earlier than $x_1$, and thus we have an error in the approximation. The approximation error $\epsilon$ is given by:

$\epsilon = x_1 - a_2$

and is directly dependent upon the length of the busy period seen by the frame, as $a_2 = x_2 - l$, where $l$ is the length of the level-$i$ busy period. The maximum approximation error will occur when the frame arrives near the observed arrival time from the trace ($x_2 - x_1 \approx 0$), and therefore the maximum approximation error is

$\epsilon = x_2 - l$.

However, we are not concerned by this approximation error as we are interested in the worst-case arrival process.

2.3.3 Finding distribution

In order to model the inter-arrival times of the aperiodic traffic, we first analyze some important structural properties of the data (e.g., linear and non-linear correlation), then find out the probability distribution that best fits our data. The presence of linear and non-linear dependencies in the data would impact its modeling because it would imply a departure from the i.i.d. property (independent and identically distributed). To test these two kinds of dependencies, as classically done in exploratory data analysis, we make use of some visual confirmatory tests, the run sequence plot and the lag plot, as well as the auto-correlation and BDS test (Brock, Dechert, Scheinkman, see [Brock 1996]).

Run sequence plot

The run sequence plot displays observed univariate data in a time sequence. It helps to detect outliers and shifts in the process. Figure 2.5 (upper) is a run sequence plot of our data trace where the data points are indexed by their order of occurrence. The plot indicates that the data does not have any long term shifts in heights over time.

Lag plot

A lag plot helps to gain some insight into whether a data set or time series is random or not. Random data should not exhibit any visually identifiable structure in the lag plot. Figure 2.5 (lower) is a lag plot of our data trace (here the lag is chosen equal to 1: $x = X_{k+1}$ and $y = X_k$, where $X_k$ is the $k$-th observation). Since the lag plot appears to be structureless, the randomness assumption cannot be rejected.

2.3.3.1 Autocorrelation analysis

The autocorrelation analysis detects the existence of serial correlations in a data trace. Precisely, the correlation of order $k$ indicates the linear relationship that may exist between data values separated by $k$ positions. The first 100 correlation coefficients of the data trace are shown in figure 2.6, associated with the thresholds

Algorithm 1: Estimation of the worst-case arrival time of the frame arriving at $a_i$ from the captured data trace.
Input: $a_i$, data_trace
Output: $\hat{a}_i$
/* $a_i$ is the observed arrival time of frame $i$ and data_trace holds all captured frames, sorted by arrival time then priority. $\rho_i$ is the priority of the frame with index $i$ (a lower value is a higher priority) and $C_k$ is the WCET of the $k$-th frame. */
  j = i                       /* j points to frame i in data_trace */
  k = i − 1                   /* k points to the frame which arrived before frame j in data_trace */
  while k > 0 do
      if $a_k + C_k < a_j$ then
          /* the CAN bus became idle after $C_k$ was transmitted: the busy period seen by frame i starts at $a_j$ */
          return $\hat{a}_i = a_j$
      end
      if $\rho_k \ge \rho_i$ then
          /* a lower (or equal) priority frame was on the bus: frame i cannot have arrived before $a_k$ */
          return $\hat{a}_i = a_k$
      end
      /* check the previous frame in data_trace */
      j = k
      k = k − 1
  end
  /* the busy period reaches the beginning of the trace: no earlier estimate than $a_j$ can be found */
  return $\hat{a}_i = a_j$         /* $\hat{a}_i$ is the estimated arrival time of the $i$-th frame */
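The following Python implementation of Algorithm 1 is an added example, my own code rather than the thesis's tooling. It keeps times as integer microseconds (an assumption, so that the bus-idle comparison is exact) and represents each captured frame by its observed arrival, its CAN identifier (a lower value is a higher priority, as in section 2.1.1) and its transmission time C. Two points of the algorithm are made explicit: the bus-idle test is evaluated before the priority test, and a busy chain that reaches the start of the trace yields the arrival of its first frame; with these, actual trace 2 of Figure 2.1 is turned into approximated trace (a). The optional `idle_tolerance` argument is mine and models the inter-frame space that the assumption of section 2.3.1 sets aside.

```python
from typing import List, NamedTuple


class Frame(NamedTuple):
    """One captured frame of the data trace (times in microseconds, an assumption)."""
    arrival: int   # observed start of transmission on the bus, a_i
    prio: int      # CAN identifier: a lower value is a higher priority, rho_i
    c: int         # transmission time of the frame, C_i


def estimate_worst_case_arrivals(trace: List[Frame], idle_tolerance: int = 0) -> List[int]:
    """Algorithm 1 for every frame of a trace sorted by arrival time, then priority.

    For frame i, walk back through the frames that kept the bus busy up to it.
    A preceding frame k and the frame j in front of us form a continuous busy
    period when a_k + C_k (+ tolerance) >= a_j.  If the bus went idle, frame i
    was released no earlier than a_j.  If k had a lower (or equal) priority,
    frame i cannot have been queued when k won arbitration, so the earliest
    release is a_k.  If the chain reaches the start of the trace, a_j is kept.
    `idle_tolerance` (my addition) absorbs the inter-frame space that the
    assumption of section 2.3.1 sets aside; 0 reproduces the algorithm as is.
    """
    estimates = []
    for i, frame in enumerate(trace):
        j = i
        k = i - 1
        estimate = None
        while k >= 0:
            prev = trace[k]
            if prev.arrival + prev.c + idle_tolerance < trace[j].arrival:
                estimate = trace[j].arrival       # bus idle before frame j
                break
            if prev.prio >= frame.prio:
                estimate = prev.arrival           # lower-priority frame was on the bus
                break
            j = k                                 # keep walking back the busy period
            k -= 1
        if estimate is None:
            estimate = trace[j].arrival           # busy period reaches the trace start
        estimates.append(estimate)
    return estimates


# Constructed input: the actual traces 1 and 2 of Figure 2.1, in microseconds.
TRACE_1 = [Frame(500, 341, 760), Frame(1250, 878, 696), Frame(1954, 2000, 760),
           Frame(9000, 33, 632), Frame(12000, 256, 632)]
TRACE_2 = [Frame(500, 341, 760), Frame(1260, 878, 696), Frame(1956, 2000, 760),
           Frame(9000, 33, 632), Frame(12000, 256, 632)]

if __name__ == "__main__":
    for label, trace, tol in (("trace 2", TRACE_2, 0), ("trace 1", TRACE_1, 10)):
        print(label, "estimated releases (us):", estimate_worst_case_arrivals(trace, tol))
```

Trace 2 reproduces the approximated trace (a) of Figure 2.1 without any tolerance; in trace 1 the first three observed arrivals are a few microseconds apart from a continuous busy period, so a tolerance of a few bit times is what makes them collapse onto the same estimated release.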


Figure 2.5: Visual analysis of the captured data trace. The upper graphic is a run sequence plot where the x-axis is the index of the data points and the y-axis is the time till the next aperiodic arrival expressed in seconds. In the lower graphics, a lag

Figure 2.6: Auto-correlation of the captured data trace.

beyond which the values are statistically significant (1% significance level here). The graphic visualization of the correlation coefficients makes it possible to evaluate the importance and the duration of the temporal dependencies. Here, serial correlations in the aperiodic traffic are relatively limited:

- limited in frequency: on the entire aperiodic traffic, there are only 19 significant auto-correlation coefficients until a lag of 100,
- limited in intensity: the few significant auto-correlations are below 0.2, which is insufficient to be used for prediction purposes.

These autocorrelations can probably be explained by the fact that the activation of certain functions of the vehicle requires the transmission of several consecutive frames, but the instants of activation of the functions have small correlations. Also, the spike that can be observed around lag 50 is likely due to a periodic frame that has not been properly filtered out in the data trace.
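As an added example (my code, not the thesis's analysis scripts), the sample autocorrelation test of this section in Python: it computes $r_k$ for the first lags and flags the ones beyond the two-sided 1% threshold $z_{0.995}/\sqrt{N}$ of a white-noise sequence (the usual large-sample approximation, an assumption here). The inter-arrival data is constructed: an i.i.d. Weibull trace, and a trace in which every function activation emits two further frames at a fixed short gap, which is the kind of burst the text offers as the cause of the few significant coefficients.

```python
import math
import random
import statistics
from typing import List


def autocorrelation(x: List[float], max_lag: int) -> List[float]:
    """Sample autocorrelation coefficients r_0 .. r_max_lag of the sequence x."""
    n = len(x)
    mean = sum(x) / n
    dev = [v - mean for v in x]
    denom = sum(d * d for d in dev)
    return [sum(dev[i] * dev[i + k] for i in range(n - k)) / denom
            for k in range(max_lag + 1)]


def significance_threshold(n: int, level: float = 0.01) -> float:
    """Two-sided white-noise band: |r_k| above z_{1-level/2}/sqrt(n) is significant."""
    z = statistics.NormalDist().inv_cdf(1 - level / 2)   # about 2.576 at the 1% level
    return z / math.sqrt(n)


def significant_lags(x: List[float], max_lag: int, level: float = 0.01) -> List[int]:
    """Lags 1..max_lag whose coefficient leaves the significance band."""
    thr = significance_threshold(len(x), level)
    r = autocorrelation(x, max_lag)
    return [k for k in range(1, max_lag + 1) if abs(r[k]) > thr]


# Constructed inter-arrival traces in milliseconds; not measured data.
def iid_weibull_trace(n: int, seed: int = 3) -> List[float]:
    """Independent Weibull inter-arrivals (scale 20 ms, shape 1.3: assumed values)."""
    rng = random.Random(seed)
    return [rng.weibullvariate(20.0, 1.3) for _ in range(n)]


def bursty_trace(n_activations: int, seed: int = 3) -> List[float]:
    """Each activation is followed by two frames 0.5 ms apart, as a function
    that sends several consecutive frames would produce."""
    rng = random.Random(seed)
    trace = []
    for _ in range(n_activations):
        trace.append(rng.weibullvariate(20.0, 1.3))   # gap until the next activation
        trace.extend([0.5, 0.5])                      # the two follow-up frames
    return trace


if __name__ == "__main__":
    print("i.i.d. trace, significant lags up to 100:", significant_lags(iid_weibull_trace(5000), 100))
    print("bursty trace, significant lags up to 10:", significant_lags(bursty_trace(1000), 10))
    print("bursty trace, r_1..r_3:", autocorrelation(bursty_trace(1000), 3)[1:])
```

On the i.i.d. trace only the occasional coefficient crosses the band (about one in a hundred is expected by chance at the 1% level), while the bursty trace shows a strong positive coefficient at lag 3, the period of the activation pattern, and negative ones at lags 1 and 2.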

2.3.3.2 BDS analysis

Auto-correlation has the limitation that it can only test the linear dependency in the data. In order to test for non-linear dependencies a more general statistical test than the auto-correlation must be used. One such test is the BDS test [Brock 1996], which employs the concept of spatial correlation from chaos theory to test the hypothesis that the values of a sequence, in this chapter inter-arrival times, are independent and identically distributed (i.i.d.). Deviation from the i.i.d. case will be caused by the non-stationarity of the process (e.g., the existence of trends), or the fact that there are linear or non-linear dependencies in the data.

Figure 2.7: Probability plots for 3 candidate distributions, from top to bottom, the exponential law, the log-normal law and the Weibull law.

We carried out the BDS test for various combinations of its parameters $m$ and $\delta$ (for example for $m = 2$ and $\delta = 3$ as recommended by the authors of the test). For certain combinations we could not reject the hypothesis that the data points are i.i.d. at the 1% confidence level. The results of the auto-correlation analysis and the BDS test enable us to conclude that it is possible in our specific context to model the aperiodic inter-arrival traffic by a random variable obeying a memory-less probabilistic distribution without diverging from reality.

2.3.3.3 Distribution fitting

We now need to find the probability distribution and its parameters which model the experimental data the most accurately. After having set aside certain possibilities for obvious reasons (for example, the normal law because its density function is not monotonously decreasing), we tested distributions identified by adjusting their parameters according to the principle of maximum likelihood (MLE). Specifically, we have successively considered the exponential law, the log-normal law and the Weibull law. The exponential law was plausible a priori taking into account the decrease of the density which one can observe in the data trace; the two other laws have been chosen for their well-known flexibility.

2.3.3.4 Probability plots for visual selection

The distribution of the observed data is plotted against a theoretical distribution in such a way that the points should form approximately a straight line. Departures from this straight line indicate departures from the specified distribution. If the probability plot is approximately linear, the underlying distribution is close to the theoretical distribution. What can be observed in figure 2.7 is that the Weibull law is the distribution that best fits the data. This visual conclusion is confirmed by the statistical acceptance tests discussed in the next paragraph.

2.3.3.5 Acceptance test

In the previous section the evaluation of the quality of the results was done visually. In this section we use statistical tests to verify the assumption that the data trace follows a particular distribution. Specifically, we are using the $\chi^2$ and Kolmogorov-Smirnov "goodness-of-fit tests" [Millard 1967, Brumback 1987]. The best results were obtained using the Weibull law, followed at some distance by the log-normal law. The conclusion of the two tests is that one cannot reject the assumption that the data follows a Weibull distribution at a significance level of 1%. For a broad data sample collected on a real system, and not artificially generated data, it is a conclusive result.

Figure 2.8 presents the real data trace and an "artificial" trace generated by a Weibull law with MLE-fitted parameters. It is observed that some "patterns" present in the real trace disappear and that the simulated trace is more homogeneous in time, but the overall adequacy of the modeling seems good. From the analysis carried out in this section, we can conclude that in our specific context the Weibull distribution provides a satisfactory model for the aperiodic traffic inter-arrival times, followed by the log-normal and exponential distributions at some distance.

2.3.3.6 Using two-parameter distributions

The choice of a distribution is often dictated by the nature of the empirical data, which is often over-dispersed and heterogeneous in practice. The selection of a distribution from the family of distributions which are likely to model the empirical data is often governed by the flexibility of the distribution to handle dispersion and heterogeneity. For example, the Poisson and exponential distributions are single-parameter distributions which implicitly assume simple parametric models and lack the freedom to adjust the variance independently of the mean, bringing in the handicap to model dispersed data. A model with an additional parameter to take care of dispersion independently of the mean may provide a better fit. The Weibull and gamma distributions are two-parameter distributions which have this flexibility of handling the variance independently from the mean. Besides, these two-parameter distributions will converge to the simple parametric distribution depending on the values of the parameters used. For these reasons, in the rest of the work, the Weibull

Figure 2.8: Comparison between the captured data trace and a random trace generated by a Weibull model with MLE-fitted parameters.

2.3.4 Threshold based work-arrival function

$S(t)$ is the aperiodic work arrival function which gives us the number of aperiodic frames in a time interval $t$ and that will be used in the response time analysis. $S(t)$ is an increasing "staircase" function such that the "jumps" in the function correspond to the arrival of an aperiodic frame. To construct this function, we propose to discretize the time and calculate the value taken by $S(t)$ for each value of $t$ between $1$ and $T$, where $T$, expressed in milliseconds, is the largest value that we may reasonably require during the computation of a response time. For example, one can set $T = 1000$ ms if the largest period of activity on the bus (i.e., the largest busy period) does not exceed a second.

2.3.4.1 Safety threshold $\alpha$ for $S(t)$

We denote by $X(t)$ the stochastic process which counts the number of aperiodic frames in time interval $t$. For example, in the data trace which we studied in the preceding sections, inter-arrivals would be controlled by a Weibull law. The idea is to find the smallest $\hat{S}(t)$ such that the probability of $X(t)$ introducing a number of aperiodic frames equal to $n$ is lower than a threshold value $\alpha$ fixed by the designer, where $n$ is the number of aperiodic frames introduced by $S(t)$. Formally, we are looking for the smallest $\hat{S}(t)$ that meets this condition (equation 2.1).

Figure 2.9: Graphical representation of the algorithm for the computation of $S(5)$. It consists in finding the smallest value of $k$ using the CDF of the inter-arrival distribution according to equations 2.1 and 2.2.

For example, if one sets $\alpha = 0.01$ it means that in no more than $1\%$ of its trajectories the stochastic process $X(t)$ induces more aperiodic traffic than $\hat{S}(t)$. If $X(t)$ models the real aperiodic traffic accurately, the number of aperiodic frames integrated in the calculation of the response time of a periodic frame will have more than 99 percent chances to be higher than what each instance of the frame will undergo. Of course, the choice of $\alpha$ depends on the dependability objectives of the SIL (System Integrity Level), but $\alpha = 10^{-4}$ is a reasonable value in the context of a body network that will be considered in the experiments hereafter.

2.3.4.2 Computation of $S(t)$

We need a way to evaluate $Pr[X(t) = n] \le \alpha$ at each time instant $t$. Let $F_n(t)$ be the Cumulative Distribution Function (CDF) of inter-arrivals.

$Pr[X(t) = n] = Pr[X(t) \ge n] - Pr[X(t) \ge n + 1]$   (2.2)

$Pr[X(t) = n] = F_n(t) - F_{n+1}(t)$

Figure 2.10: WAF using Monte-Carlo simulations

- Distributions for which we have closed-form expressions and can evaluate $Pr[X(t) = n]$, e.g. the Poisson distribution.
- Distributions for which we have no closed-form expression, e.g. the Weibull distribution.

The first case is easy to evaluate using the closed-form expression, and for the second case we could either resort to numerical or simulation methods to evaluate equation 2.1.

2.3.4.3 Graphical illustration

Figure 2.9 illustrates the computation of $S(t)$ for a specific value of $t$, here $t = 5$:

$\hat{S}(5) = \min\{S(5) \mid Pr[X(5) \ge n] \le \alpha\}$   (2.3)

The probability $Pr[X(5) \ge n]$ can be found using the values $n = 1, 2, 3, \ldots$ and $t = 5$ in the equation, terminating when the probability is more than $\alpha$.

2.3.4.4 Monte-Carlo simulation approach

We do not always have a discrete distribution modeling the data, nor a continuous distribution such that equation 2.1 can be evaluated analytically. We need an alternate method to evaluate equation 2.2 in such cases. This can be done with numerical integration techniques or using the Monte Carlo simulation method. The latter approach is described in algorithm 2, where $\alpha$ is the safety level, $\Delta$ is the discrete time step, $\theta$ is the set of parameters of the aperiodic frame arrival distribution, $T$ is the time horizon and $N$ is the number of random samples³ to be drawn for the Monte-Carlo simulation. Basically, $S(t)$ is computed for each time unit by drawing $N$ values from the probabilistic distribution modeling the aperiodic frame arrival process and checking if the accumulated probability value is smaller than the probability value for which we are evaluating $S(t)$.

Algorithm 2: Deriving $S(t)$ by Monte-Carlo simulation.
Input: $\{T, \alpha, \Delta, \theta, N\}$
Output: $\{S(t)$: the work-arrival function$\}$
  index = 0
  Data = random(θ, N)                     /* array of N random numbers */
  for IDX = 0; IDX ≤ T; IDX += Δ do
      Array = []                            /* temporary array initialized to zero */
      foreach i ∈ 1 : N do
          AccTime = 0
          k = 0
          while AccTime < IDX do
              /* accumulate the random arrival-times and count the number of arrivals */
              AccTime = AccTime + Data[index]
              index = index + 1
              k = k + 1
          end
          Array[i] = k
      end
      S(IDX) = quantile(Array, 1 − α)       /* the quantile function returns the value of Array at cumulative probability 1 − α, i.e. the count exceeded with probability at most α */
  end
  return S(t)
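Algorithm 2 in Python, as an added example that is not the thesis's simulator. Inter-arrivals are drawn from a Weibull law with `random.weibullvariate(scale, shape)`, which for shape 1 reduces to an exponential law and gives a Poisson count to check against (the parameterization by scale and shape is my assumption). Each trajectory draws its own inter-arrivals instead of consuming one shared array, $X(t)$ counts the arrivals with cumulative time at most $t$ (the relation $I_n \le t \Leftrightarrow X(t) \ge n$ of section 2.3.4.5), and $\hat{S}(t)$ is the smallest $n$ whose empirical $Pr[X(t) \ge n]$ is at most $\alpha$, as in equation 2.3.

```python
import random
from collections import Counter
from typing import List


def threshold_count(samples: List[int], alpha: float) -> int:
    """Smallest n such that the empirical Pr[X(t) >= n] over the samples is <= alpha.

    This plays the role of quantile(Array, 1 - alpha) in algorithm 2, written out
    so that the threshold semantics of equation 2.3 are explicit.
    """
    total = len(samples)
    hist = Counter(samples)
    tail = total                  # number of trajectories with X(t) >= n, for n = 0
    n = 0
    while tail / total > alpha:
        tail -= hist.get(n, 0)    # drop the trajectories with exactly n arrivals
        n += 1
    return n


def monte_carlo_waf(alpha: float, step: float, horizon: float, n_samples: int,
                    scale: float, shape: float = 1.0, seed: int = 1) -> List[int]:
    """Return [S(0), S(step), S(2*step), ..., S(horizon)] by Monte-Carlo simulation.

    Inter-arrivals are Weibull(scale, shape); shape = 1 is the exponential law.
    """
    rng = random.Random(seed)
    n_steps = int(round(horizon / step))
    grid = [k * step for k in range(n_steps + 1)]
    counts = [[] for _ in grid]   # counts[g]: X(grid[g]) observed in every trajectory
    for _ in range(n_samples):
        arrivals = []
        clock = 0.0
        while True:
            clock += rng.weibullvariate(scale, shape)   # next inter-arrival time
            if clock > horizon:
                break
            arrivals.append(clock)
        seen = 0
        for g, t in enumerate(grid):
            while seen < len(arrivals) and arrivals[seen] <= t:
                seen += 1
            counts[g].append(seen)                      # X(t): arrivals with I_n <= t
    return [threshold_count(c, alpha) for c in counts]


if __name__ == "__main__":
    # Constructed parameters: exponential inter-arrivals with mean 1 ms, 1 ms grid, alpha = 0.01.
    waf = monte_carlo_waf(alpha=0.01, step=1.0, horizon=10.0, n_samples=20000, scale=1.0)
    for k, s in enumerate(waf):
        print(f"S({k:2d} ms) = {s}")
```

With exponential inter-arrivals of mean 1 ms the count at 5 ms is Poisson with mean 5, whose tail drops below 1% at 12 frames, so the simulated $\hat{S}(5)$ settles at 12 once enough trajectories are drawn; the footnote on the convergence rate applies to how many trajectories that takes for a smaller $\alpha$.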

As an illustration of the approach, we derived $S(t)$ in the cases where the aperiodic inter-arrival distribution obeys 1) an exponential law, 2) a Weibull law, 3) a log-normal law. The number of random draws of the Monte-Carlo simulations (parameter $N$ in algorithm 2) is set to 5 million for each distribution. For all three distributions, the parameters are fitted using MLE against the data traces and the three distributions lead to the same average intensity. What can be observed is that the distribution, and not only the average intensity of the aperiodic traffic, plays a major role in the shape and height of the aperiodic WAF, see figure 2.10.

³ The Central Limit Theorem tells us that the convergence rate is of order $N^{1/2}$, where $N$ is the number of random draws, which means that adding one significant digit requires increasing $N$ by a factor of 100. The value of $N$ should be set depending on the threshold $\alpha$ and the accuracy objectives.

2.3.4.5 Numeri al approa h

The WAF is a monotonically increasing staircase curve which returns the number of aperiodic events that have occurred in an interval of time measured from the origin, also known as the count model. Let $X(t)$ denote the number of events that have occurred up until time $t$, $X(t)\,|\,t > 0$. Let $I_n$ be the time from the origin to the measurement point at which the $n$th event occurred. The relationship between the inter-arrival times $I_n$ and the number of events $X(t)$ is:

$$I_n \le t \iff X(t) \ge n$$

We can restate this relationship by saying that the amount of time at which the $n$th event occurred, measured from the time origin, is less than or equal to $t$ if and only if the number of events that have occurred by time $t$ is greater than or equal to $n$. Therefore, the following relationship allows us to derive the count model $C_n(t)$, which returns the number of aperiodic events that have occurred in an interval of time measured from the origin:

$$C_n(t) = Pr[X(t) = n] = Pr[X(t) \ge n] - Pr[X(t) \ge n + 1]$$

$$\implies C_n(t) = Pr[I_n \le t] - Pr[I_{n+1} \le t]$$

If we let the cumulative distribution function (cdf) of $I_n$ be $F_n(t)$, then $C_n(t) = P[X(t) = n] = F_n(t) - F_{n+1}(t)$. In the case where the measurement time origin (and thus the counting process) coincides with the occurrence of an event, $F_n(t)$ is simply the $n$-fold convolution of the common inter-arrival time distribution, which may (e.g. Poisson distribution) or may not (e.g. Weibull distribution) have a closed-form solution. For the distributions⁴ which do not have a closed form we can get a closed-form approximation using Monte-Carlo simulation [Khan 2009] or use a polynomial expansion of $F(t)$; e.g. for the Weibull distribution we have [McShane 2008]:

$$P[X(t) = n] = C_n(t) = \sum_{j=n}^{\infty} \frac{(-1)^{j+n} \, (\lambda t^c)^j \, \alpha_j^n}{\Gamma(cj + 1)}, \qquad n = 0, 1, 2, \ldots \tag{2.4}$$

where

$$\alpha_j^0 = \frac{\Gamma(cj + 1)}{\Gamma(j + 1)}, \qquad j = 0, 1, 2, \ldots$$

and

$$\alpha_j^{n+1} = \sum_{m=n}^{j-1} \alpha_m^n \, \frac{\Gamma(cj - cm + 1)}{\Gamma(j - m + 1)}, \qquad n = 0, 1, 2, \ldots \quad j = n+1, n+2, n+3, \ldots$$

where the Gamma function is the extension of the factorial function to the real and complex numbers. To build the arrival curves we wish to bound the number of events occurring in an interval in a parametric manner (the safety level $\alpha$); for the Weibull distribution we use equation 2.4 with MLE adjusted parameters, see figure 2.11, such that:

$$S(t) = \min\{ Pr[X(t) = n] \le \alpha \}$$

Figure 2.11: Numerical WAF with MLE adjusted parameters and $\alpha = 10^{-4}$

⁴ The most likely distributions for aperiodic arrivals are exponential, Weibull and gamma. The count models of the Weibull and gamma distributions are of particular interest for their two-parameter flexibility. Particularly the gamma distribution, as the computation of mean and variance is easier as
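As an added worked example (not code from the thesis), the following Python evaluates the Weibull count model of equation 2.4 through the $\alpha_j^n$ recursion and builds the safety-level staircase that the numerical WAF of figure 2.11 represents. It assumes the inter-arrival cdf $F(t) = 1 - \exp(-\lambda t^c)$, and the function names (`alpha_table`, `weibull_count_pmf`, `safety_level_bound`, `waf`) and the reading of $S(t)$ as the smallest $n$ whose exceedance probability $Pr[X(t) > n]$ is at most $\alpha$ are my own choices.

```python
import math

# Added example, not the thesis' code: Weibull count model of eq. 2.4
# [McShane 2008] via the alpha_j^n recursion, plus the safety-level bound
# S(t) that gives the numerical WAF staircase. Assumed inter-arrival cdf
# F(t) = 1 - exp(-lam * t**c), t > 0. Plain floats: keep lam*t**c moderate
# (about <= 5) and c <= 1.5, or the alternating series cancels badly and
# the gamma terms overflow.

def alpha_table(c, n_max, j_max):
    """alpha[n][j] = alpha_j^n for 0 <= n <= n_max, 0 <= j <= j_max (0 if j < n)."""
    alpha = [[0.0] * (j_max + 1) for _ in range(n_max + 1)]
    for j in range(j_max + 1):  # alpha_j^0 = Gamma(cj+1) / Gamma(j+1)
        alpha[0][j] = math.exp(math.lgamma(c * j + 1) - math.lgamma(j + 1))
    for n in range(n_max):  # alpha_j^{n+1} = sum_{m=n}^{j-1} alpha_m^n Gamma(cj-cm+1)/Gamma(j-m+1)
        for j in range(n + 1, j_max + 1):
            alpha[n + 1][j] = sum(
                alpha[n][m] * math.exp(math.lgamma(c * (j - m) + 1) - math.lgamma(j - m + 1))
                for m in range(n, j))
    return alpha

def weibull_count_pmf(t, lam, c, n_max, j_max=None):
    """[Pr[X(t) = n] for n = 0..n_max], the series of eq. 2.4 truncated at j_max."""
    j_max = n_max + 25 if j_max is None else j_max
    alpha = alpha_table(c, n_max, j_max)
    log_z = math.log(lam * t ** c)  # z = lam * t^c, so z^j = exp(j * log_z)
    return [sum((-1) ** (j + n) * alpha[n][j] * math.exp(j * log_z - math.lgamma(c * j + 1))
                for j in range(n, j_max + 1))
            for n in range(n_max + 1)]

def safety_level_bound(t, lam, c, alpha_safety, n_max=40):
    """S(t): smallest n such that Pr[X(t) > n] <= alpha_safety.
    This tail reading of the thesis' min{Pr[X(t) = n] <= alpha} is my
    assumption; it makes S(t) non-decreasing in t."""
    tail = 1.0
    for n, p in enumerate(weibull_count_pmf(t, lam, c, n_max)):
        tail -= p
        if tail <= alpha_safety:
            return n
    raise ValueError("n_max too small for this t and safety level")

def waf(t_points, lam, c, alpha_safety):
    """Numerical WAF: S(t) evaluated on a grid of interval lengths."""
    return [safety_level_bound(t, lam, c, alpha_safety) for t in t_points]
```

With $c = 1$ the Weibull inter-arrivals are exponential, so `weibull_count_pmf` must reproduce the Poisson$(\lambda t)$ probabilities; that is the quickest sanity check of the recursion before fitting MLE parameters to a trace.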

2.3.4.6 Parameter estimation without data trace

Because of cost and design-time constraints, it is not always possible to derive the inter-arrival model from a real data trace, or from traces of simulation. This is often the case in automobile projects. In such a situation, as an approximation, a solution is to set the parameters of the distribution based on already known parameters corresponding to other electronic architectures. In the following, we show how to
