The DART-Europe E-theses Portal

HAL Id: tel-01749552

https://hal.univ-lorraine.fr/tel-01749552

Submitted on 29 Mar 2018

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires

Schedulability analysis for the design of reliable and cost-effective automotive embedded systems

Dawood Ashraf Khan

To cite this version:

Dawood Ashraf Khan. Schedulability analysis for the design of reliable and cost-effective automotive

embedded systems. Computers and Society [cs.CY]. Institut National Polytechnique de Lorraine,

2011. English. �NNT : 2011INPL097N�. �tel-01749552�

AVERTISSEMENT

Ce document est le fruit d'un long travail approuvé par le jury de soutenance et mis à disposition de l'ensemble de la communauté universitaire élargie.

Il est soumis à la propriété intellectuelle de l'auteur. Ceci implique une obligation de citation et de référencement lors de l’utilisation de ce document.

D'autre part, toute contrefaçon, plagiat, reproduction illicite encourt une poursuite pénale.

Contact : [email protected]

LIENS

Code de la Propriété Intellectuelle. articles L 122. 4

Code de la Propriété Intellectuelle. articles L 335.2- L 335.10 http://www.cfcopies.com/V2/leg/leg_droi.php

http://www.culture.gouv.fr/culture/infos-pratiques/droits/protection.htm

ÉCOLE DOCTORALE IAEM

Département de formation dotorale

en informatique

T H È S E

présentéeetsoutenue publiquement le29/11/2011

pour l'obtension du

Dotorat de l'Institut National Polytehnique de Lorraine

(spéialité informatique)

par

Dawood A. KHAN

Shedulability Analysis for the Design of

Reliable and Cost-eetive Automotive

Embedded Systems

Thèse dirigée par Françoise SIMONOT-LION et

Niolas NAVET

préparée á l'INRIA Grand-Est, Projet TRIO

Jury :

Rapporteurs :

Emmanuel GROLLEAU - Professeur àl'ENSMA/Lisi

Jean-Lu SCHARBARG - MCà l'Universit de Toulouse,IRIT

Examinateur : Yvon TRINQUET - Professeur àl'Universitde Nantes

SylvainCONTASSOT-VIVIER - Professeur auLORIA/UHP

Laboratoire Lorrain deReherheenInformatique etses

appliations UMR7503

Following is a list of people with whom I have done researh, o-authored papers,

or generallyworked,on researh problems:

•

^{RienderJ.Bril, TehnialUniversityEidhoven: OntheinitialpartofChapter}

3 dealing withintegrationof opy-timeinto theCANshedulabilityanalysis.

•

^{Robert I. Davis, University of York: On the later part of Chapter 3 dealing}

with integration of non-abortable transmission into the CAN shedulability

analysis.

•

^Lua Santinelli, TRIO,INRIA Grand Est: On theanalysis framework devel- opedinChapter 4.

Indeed, all praise belongs to ALLAH,the almighty, on whom ultimately we depend

for sustenane and guidane; and may His peae and blessing be upon His last and

nal prophetMuhammad S.A.W

Foremost, I express my sinere gratitude to my o-advisor Dr. Niolas Navet

for the ontinuous support during my Ph.D. study and researh. I appreiate his

patiene, motivation, enthusiasm, and immense knowledge. His guidane helped

me to shape my researh goals. I will always remember him as the best advisor

and the mentor. I amthankfulto Prof. Françoise Simonot-Lion, mymain advisor,

for supportingmeadministratively andfor makingita worthwhile stayfor meina

TRIO team.

Besidesmyadvisors,Iamthankfultotherestofmythesisommittee: Prof. Em-

manuel Grolleau, Dr. Jean-Lu Sharbarg, Prof. YvonTrinquet and Prof. Sylvain

Contassot-Vivier, fortheir enouragement,useful omments,andpositiveritiism.

I also like to extend my gratitude to Prof. Y-Q Song, Prof. René Shott and Dr.

Liliana Cuufor their adviesand time.

IamgratefultotheInstitutnationaldereherheeninformatiqueetenautoma-

tique, INRIAof Franefor funding thisresearh.

My gratitude also goes to all the olleagues with whom I worked and shared

suh a pleasant working times, namely: Dr. Robert I Davis, Dr. Reinder J. Bril,

and Dr. Lua Santinelli.

I owe my deepest gratitude to my friends: Ehtesham Zahoor, Atif Mashkoor,

BilelNefzi,andNajetBoughmani;for beingthereformephysially,spiritually,and

morally; wheneverI neededthem.

IalsoowemygratitudetothememeberofTRIOteam,namely: LaureneBenini,

LionelHavet,AurélienMonot,DorinMaxim,andAdrienGuenard;forwhomIoer

myfondest regards for allof thetimewe have passed together.

Lastly, and above all, I wish to thank my family: My parents: Muhammad

Ashraf and Yasmeen Jabeen; and notably to my wife and hildren: Summaiya

Amin, Sarim Shahbaz, and Zuhayr Shahbaz; for supporting me unonditionally

and unpreedentedly. They gave me the hoies I wanted, the time I needed, the

strength I required, the support I wished; they gave me everything I demanded.

Thank you guysfor all ofyour support!

Dawood A.KHAN

Marh13, 2012

Toulouse

1 Introdution 1

1.1 Introdution . . . 1

1.1.1 Timing budget . . . 2

1.1.2 Simulations . . . 3

1.1.3 Analytial models . . . 4

1.2 Stateof theart . . . 5

1.2.1 Simulation. . . 5

1.2.2 Deterministi analyses . . . 6

1.2.3 Compositionalperformane analysis . . . 7

1.2.4 Probabilisti performaneanalysis . . . 8

1.3 Researhquestions andContributions . . . 9

1.4 Thesis outline . . . 10

2 Probabilisti CAN Shedulability Analysis 11 2.1 Introdution . . . 11

2.1.1 CAN Protool. . . 12

2.1.2 Problemdenition . . . 12

2.1.3 Handling aperiodi tra . . . 13

2.2 SystemModel . . . 14

2.3 Modeling aperiodi tra . . . 14

2.3.1 Approximatingarrival proess. . . 15

2.3.2 Errors inapproximation . . . 16

2.3.3 Findingdistribution . . . 17

2.3.4 Threshold basedwork-arrivalfuntion . . . 23

2.3.5 Handling priority . . . 29

2.4 Shedulability analysis . . . 32

2.5 Case study . . . 34

2.6 Summary . . . 39

3 Shedulability analysis with hardware limitations 41 3.1 Introdution . . . 42

3.2 Workingof aCAN ontroller . . . 44

3.2.1 AUTOSARCANdriverimplementation . . . 45

3.2.2 Implementation overhead(opy-time) . . . 47

3.2.3 Single buerwith preemption. . . 48

3.2.4 Dualbuer withpreemption . . . 48

3.2.5 FIFOmessagequeue inaCAN driver . . . 49

3.2.6 CAN ontroller message index. . . 49

3.2.7 Impossibilityto anel messagetransmissions . . . 50

3.3 Systemmodel . . . 50

3.4 Response time analysis: abortable ase . . . 52

3.4.1 Case 1: safefrom any priorityinversion . . . 53

3.4.2 Case 2: messagesundergoing priorityinversion . . . 53

3.5 Optimized implementation and ase-study . . . 54

3.6 Response timeanalysis: non-abortable ase . . . 55

3.6.1 Additional Delay . . . 55

3.6.2 Additional Jitter . . . 60

3.6.3 Responsetime analysis. . . 61

3.7 Comparative Evaluation . . . 64

3.7.1 SAE benhmark . . . 65

3.7.2 Automotive bodynetwork . . . 65

3.8 Summary . . . 67

4 Probabilisti Analysis for Component-Based Embedded Systems 69 4.1 Introdution . . . 70

4.1.1 Deterministi omponent models . . . 71

4.1.2 Probabilisti analysisofreal-time systems . . . 71

4.1.3 Safetyritial systems . . . 72

4.2 Component model . . . 73

4.2.1 Workloadmodel . . . 74

4.2.2 Resouremodel . . . 75

4.2.3 Residual workloadand resoures . . . 76

4.3 Component-based probabilisti analysis . . . 78

4.3.1 Probabilisti interfaes . . . 79

4.3.2 Composability . . . 81

4.3.3 Component systemmetris . . . 83

4.3.4 Shedulability . . . 84

4.4 Safetyguarantees . . . 86

4.5 Case study . . . 89

4.6 Summary . . . 93

5 Summary 95 5.1 Future work . . . 96

5.1.1 Near Future . . . 97

6 Résumé français 99 6.1 perspetivehistorique de systèmesembarqués automobiles(AES) . . 99

6.2 Systèmes embarquésautomobiles . . . 101

6.3 Réseauxde Communiation Automobiles. . . 119

6.4 Exigenes de ommuniationd'AES . . . 120

6.5 Le systèmetemps-réel embarqué automobile . . . 125

6.5.1 Budget temporel . . . 128

6.5.2 simulations . . . 129

6.5.3 Les modèles analytiques . . . 130

6.6 Lesquestionsde reherhe etles ontributions . . . 132

6.7 Résumé . . . 136

6.8 Lestravauxfuturs . . . 139

Bibliography 147

7 Letter and Abstrats 161

7.1 l'autorisation de soutenane . . . 161

7.2 Abstrat: . . . 163

7.3 Résumé: . . . 165

Introdution

Contents

1.1 Introdution . . . 1

1.1.1 Timingbudget . . . 2

1.1.2 Simulations . . . 3

1.1.3 Analytialmodels . . . 4

1.2 Stateof the art . . . 5

1.2.1 Simulation . . . 5

1.2.2 Deterministianalyses . . . 6

1.2.3 Compositionalperformaneanalysis . . . 7

1.2.4 Probabilistiperformaneanalysis . . . 8

1.3 Researhquestionsand Contributions . . . 9

1.4 Thesisoutline. . . 10

1.1 Introdution

Automotive embedded systemsaredistributedarhitetures of omputer-basedap-

pliationswithphysialproesses(mehanial,hydrauli)thattheyhavetoontrol.

The growth in proliferation of omputers (ECU, Eletroni Control Unit) has an

impat on the safety. The inreased use of ECUs in modern automotive systems

hasbroughtmanybenetssuh asthe mergingofhassisontrolsystemsfor ative

safetywithpassive-safety systems 1

. Mostof theautomotive appliationsaresafety

ritial and therefore providing guarantees for these appliations is an important

requirement. Moreover, suh a proliferation has ome with an inreasing hetero-

geneityandomplexityoftheembedded arhiteture. Therefore,thereisagrowing

need to ensure thatautomotive embedded systems have reliability,availabilityand

safety guarantees during normal operation or ritial situations (e.g. airbags dur-

ing ollision), taking into aount harsh environment (heat, humidity, vibration,

eletro-stati disharge ESD andeletro-magneti interferene EMI).

To provide guarantee on safety property, modelbased approahes, and analyt-

ial methods during the design ativity are required. These approahes should be

1

Ativesafetysystemsarethesystemswhihareemployedforrashprevention,whileaspassive

safetysystemsarethesystemswhihtrytomitigatethedamageinarashsituation.

able to modelthese systems,whih areheterogeneous by nature: disrete and on-

tinuoussystems,deterministiandprobabilisti variables. Inpartiular,tovalidate

timingpropertiesimposedbythetimeonstraintsofthephysialsystemsand their

ontrollawsisofutmostimportane. Thedistributionofsuhsystemsinreasesthe

validation ofthese safetyproperties.

Eletroni systems inthe automobiles are required to respond in a preditable

manner, i.e. timely manner. The preditability of these systemsis ensured,among

others, by timing veriation on system models, whih heks if performane re-

quirements likedeadlines, jitters,throughput et. arebeingmet.

The timing onstraints veriation analyses has to be arried out as soon as

possible inthe development life-yle. Moreover,suh analyses maybe mandatory

for ertiation issues.

However, developing timing veriation models an be omplex to build. We

have to nd a trade-o between auray/omplexity/omputing time. First, it is

diulttohaveadetailedmodelattheearlieststepandthereforeroughassumptions

have to be done on thehardware performanes for example. However, suh trade-

os should not over-simplify the models thus making the analyses unsafe for use.

Analytial timing models, whih tend to overlook/oversimplify the system model,

may leadto optimisti results thatmaynot t to theonretesystem.

The automotive embedded systems an be lassied into following ategories

based ontheir timing requirements:

1. Hard: Ahard real-timesystemisanembedded systemwhih doesnot aept

anylateness, asbeing late (missinga deadline)ould resultina atastrophi

event (for example, ar rash when brake does not respond within required

deadline) for suhsystems.

2. Firm: A rm real-time system is an embedded system whih an tolerate

infrequent deadline misses; however, at if the frequeny of deadline misses

inreases it mayresult inaatastrophi event forsuhsystems (forexample,

in the ontrol loops oasional missed message an be tolerated but frequent

missed messagesan ausethe systemto go out ofontrol).

3. Soft: A soft real-time system is an embedded system whih aept deadline

missedwithoutanyatastrophionsequenes;however, attheostdereased

performane (forexample,inmulti-media systemstheperformane dereases

withthe deadline missesanditdoesnot resultina atastrophievent).

Therefore, it is imperative to verify the temporal orretness of the automotive

system, astheyertainly fallinthe above ategories ofreal-time systems.

1.1.1 Timing budget

The automotiveOriginalEquipmentManufaturers(OEMs)deompose theoverall

end-to-end lateny into the timing budget of the individual ECUs, the ommuni-

ation hannels, and then negotiates these timing budgets withthesuppliers. The

OEMs need to assignthese timing budgets to the suppliers. Therefore, theOEMs

mustproperlydeidethetimingbudgetforeahECUandommuniate thespei-

ationattheinitialstageoftheautomotivedevelopment. TheOEMsmayrevisethe

initial timingestimates oftheindividual"timing budget"ofvehiularfuntions, to

ahieve optimalperformaneor ostof the entire vehileasthesuppliers renethe

solution (OEMS may ask suppliers to adjust or improve thetime budget). There-

fore, OEMs should be able to do better estimates for alloating timing budgets at

theinitial stagesof the projets. The OEMs inpratie, therefore, mayarry-over

fromtheexisting(proveninuse)systemswithdomain-speirulestoestimatethe

timingbudgets, like:

1. TheloadonanautomotiveCANnetworkmustnotbehigherthan30perent.

2. A framependingfor transmissionfor more than

30ms

^{isaneled out.}

However, suh an approah has potential problems like being sub-optimal and

beingunsafedesign,withproblemsthatan behard to reprodue andareostlyto

repair later inthedevelopment yle. However, we an use thetiming information

from previous design (of an automotive system)to infer the timing propertiesof a

systemintheearlystage ofdesign, whenvery little timinginformation isavailable

and thus help in better dimensioning of a system. We propose one suh model

inthis thesis, whih uses the probabilisti model of aperiodi tra from previous

developmentrunofavehiletoadjusttheaperioditraonaurrentdevelopment

run ofa vehile.

1.1.2 Simulations

Simulationisatoolforhekingthevalidityofasystem. However,evenifthedesign

passesallthe testssuessfully,itisnot neessarythatthesafetypropertieswill be

met. Inorderto theverifyworst-ase(forsafetyritialsystems),we mustperform

exhaustive simulations of the design. The simulations utilizes a logial model of

system (physial) to imitate state hanges in response to random or deterministi

events at simulated points in time. The system state hanges based on the given

systemdesription. Simulation of a network ould be usedto measure the end-to-

end responsetime of messagesarossthe network. Inpratie softwaresimulations

areusedintheearlystagesofthedevelopment yle. Thesimulationsarealsoused

to validate analytial models : latenies, buer oupation, et. telling us about

how long we stay in the worst-ase situation. Moreover, the simulations are also

performedinonjuntion withtheECUs asthey beome available, HiL (Hardware

intheLoop) 2

,to validatethe system.

However, simulations only annotbe usedto do timing veriation for the sys-

tems with safety and ritiality requirements. The reason being the diulty to

asertain the worst-ase from the simulation traes, as they do not provide any

boundon the performane results.

2

WedonotonsiderothersimulationmethodslikeHiLinthisthesis.

1.1.3 Analytial models

The analytial models ofautomotive systemshave been developed and areusedto

performtimingveriations. Thesemodelsombinetheommuniationonstraints

and message speiations (e.g., ativations) to do timing veriation. The ana-

lytial models of the automotive system often onsider the periodi and sporadi

tasks ativations only. For example,analytial modelsdeveloped for CANareused

to perform timing veriation of the messages on CAN bus based on periodi or

sporadi ativations.

The analytial models have to guarantee that the timing requirements of all

tasks are met, i.e. the ommuniations delay between a sending task queuing a

message,and areeiving taskbeingableto aessthatmessage,mustbebounded.

This total delay is termed the end-to-end ommuniations delay. The end-to-end

ommuniation delay is then used to onlude about thefeasibility of the system.

Therefore, it is of paramount importane, partiularly for safety ritial systems,

that theupperboundreturned bythese analyses isa trueupperbound.

However, some analytial models have been proven to be optimisti and thus

wrong (espeially unpublished omplex ones), [Davis2007℄, and ignore the impat

of hardware limitations and error-proneness of embedded software. Some of the

models do an overestimation, whih is pessimisti for soft real-time automotive

appliations.

Moreover, the timing veriation models fall short in modeling aurately ev-

erything, for example, taking in the aount the queuing poliy used a in devie

driver, opy-time of messagesfrom devie driverto ommuniation hardware, lim-

itedtransmit buersinahardwareet. andunfortunately thestandardsdonotsay

everythingabout this,e.g., AUTOSAR CANdriverspeiation.

Moreover, these analytial models do not haraterize the network tra very

well e.g. aperiodi tra. These analysis models usually rely on periodi or

sporadi tra models for pessimisti analysis, based on ritial-instanes of the

tasks/messagesinordertondtheworst-asetimingpropertiesandtesttheshedu-

labilityrequirementsofthetasks/messages. Evenifitisappropriateinsomespei

appliation areas,this approah doesnotallowto addressmanyoftheappliations

inaheterogeneoussystemlikeautomobiles;beause,whenthearrivaltimesareape-

riodiwithhighvariane, itmayleadto asigniant over-provisioningof resoures

at the design time. Thus for real-time systems (RTS) in whih the task/messages

set exhibit substantial variability in arrivals (aperiodi), it is pratial to develop

anapproahtakinginto aountthe stohastinatureofarrivalsoftasks/messages.

Suh approahes an lead to a drasti redution in the amount of resoure provi-

sioning. Thus leading a system,oneived to beanalyzable intemporaldomain,to

be apotentiallyunsafedesign,whih isunaeptable partiularly for safetyritial

automotive systems.

1.2 State of the art

Timing enables an earlyanalysis of whether a systeman meet the desired timing

requirements, andavoidover-orunder-dimensioningofsystemsandalsosavefrom

unneessaryiterationsinthe development proess. The resultisa shorteneddevel-

opment ylewithinreasedpreditability/timeliness, whihisofgreaterinterestin

safety-ritialsystems.

Today,duringtheautomotivedevelopment proessthedesignersrstlyfouson

thefuntionalbehaviorofthesystemand,therefore,thetemporalpropertiesofthe

systemsmaybe veried late intheproess. Besides, whenthetemporalproperties

areveried, itisusually throughtestingand measurementsand ifatiming error is

deteteditislateintheproess. Therefore,resultinginaostlydesignre-iterations.

Thus, we need the analytial models whih we an usefrom theearlystagesof the

design (not just testingand measurements at theend) to verify timing properties.

Theseanalytialmodelsshouldbedetailedenough(forbothhardwareandsoftware)

to hek thetemporal properties, partiularly forsafety-ritialsystems. There are

various methods for temporal analyses, whih an be broadly grouped into four

ategories basedon the modeling framework they use,and areexplained below.

1.2.1 Simulation

Thesimulationsutilizesalogialmodelofsystem(physial)toimitatestatehanges

in response to random or deterministi events at simulated points in time. The

system state hanges based on the given system desription. In RTS the Disrete

Event simulationisusedto analyze theperformane ofthesystem, for example,in

anetwork tomeasuretheend-to-endresponsetimeofmessagesarossthenetwork.

The transfer time is determined for dierent bus loads, priorities of the messages

and arrangements of the devies. Simulations are often used when an analytial

approah isnot possibleor isomplex and expensive. There arevarious simulation

frameworksavailableforreal-timesystemsandsomeofthemaredesribedhereafter.

Modeling and Analysis Suite for Real-Time Appliations (MAST),

see [Gonzalez Harbour 2001℄ is provides a worst-ase shedulability analysis

for hard timing requirements, and disrete-event simulation for soft timing re-

quirements. In MAST a system representation is analyzable through a set of

tools that have been developed within the MAST suite. These tools desribe a

model for representing thetemporal andlogial elements of real-time appliations.

MAST allows a very rih desription of the system, inluding the eets of event

or message-based synhronization, multiproessor and distributed arhitetures

as well as shared resoure synhronization. MAST urrently inludes only xed

priority sheduling, but, it is oneived as an open model and is easily extensible

to aommodatesheduling algorithms.

Ptolemy, see [Buk2002℄, is another framework whih an provide simulation

and prototyping of heterogeneous systems. The models in Ptolemy are desribed

using objet-oriented software tehnology (C++). Ptolemy has been applied to

networkingand transport,all-proessing andsignaling software, embedded miro-

ontrollers, signal proessing (inluding implementation in real-time), sheduling

of parallel digital signal proessors, board-level hardware timing simulation, and

ombinationsof these.

True-TimeisatoolboxforMATLAB,see[Henriksson2003℄,forsimulatingnet-

worked and embedded real-time ontrol systems. Oneof its main featuresinvolves

thepossibilityofo-simulationoftheinterationbetween thereal-worldontinuous

dynamis and theomputerarhiteture intheformoftaskexeutionandnetwork

ommuniation. Itsupports variousommuniationprotoolsfor bothwireless and

wired networks.

DRTSS, see[Storh 1996℄,is anotherframeworkwhih allows its users to easily

onstrut disrete-event simulators ofomplex, heterogeneousdistributed real-time

systems. The framework allows simulation of initial high-level system designs to

gaininsightintothetimingfeasibilityofthesystem. Whihatlater stagesofdesign

proess an beexpanded into adetailed hierarhial designsfor detailed analysis.

Cheddar,see[Singho 2004℄,isanAdaframeworkwhihprovidestoolstohek

temporal harateristis of real time appliations. The framework is based on the

real time sheduling theory. Cheddar model denes an appliation asa set of pro-

essors, tasks, buers, shared resoures and messages. It hasa exible simulation

enginewhihallowsthedesignertodesribeandrunsimulationsofspeisystems.

The heddarframework isopen and extension an beeasily designed for tools and

simulators.

RTaW-Sim,see[rts ℄,forCANnetworkisane-graineddisreteeventsimulator

providing performane analysis, buer usage, thereby helps to make a orret im-

plementation hoie e.g. queueingpoliy. It hasfeatures to perform fault-injetion

interms offrame transmissionerrors, ECUreboots, loksdrifting.

Besides these frameworks, simulations in RTS have been used to evaluate the

robustness ofa systemforexample, see[Nilsson 2009℄, where Nilssonetal. reated

and simulated attaks in the automotive ommuniations protool FlexRay and

showedthatsuhattaksaneasilybereated. Theseattaksanimpatthesafety

of in-vehilenetwork and leadto a atastrophievent.

However, itis diultto asertain the worst-asefrom thesimulation traesas

they do not provide any bound on the performane results. Thus simulations do

not qualify for heking temporal propertiesof hard real-timesystems.

1.2.2 Deterministi analyses

Theideaofholistishedulingistoextendwell-knownresultsofthelassialshedul-

ingtheorytodistributedsystems. Theseanalysesombinestheshedulabilityanal-

ysesof proessorand ommuniation bus toompute theend-to-end responsetime

in a distributed real-time system. Tindell and Clark in [Tindell 1994a℄ use this

approah to analyze distributed hard real-time system where tasks with arbitrary

deadlines ommuniate bymessage passingand shared data objets andthe nodes

ommuniated via TDMA bus. The developed analysis provides bounds on the

ommuniationdelaysand overheads at the destination proessor.

Theommuniationlinksaddbothhipandboardosts,anddesignersfrequently

underestimate peak load. In [Yen 1995,Yen 1998℄ authors present a holisti anal-

ysis approah for distributed systems where inthey desribea methodology to o-

synthesize ommuniation so as to avoid ommuniation bottlenek in embedded

systems. They use a bus model for ommuniation in an arbitrary topology in a

point-to-point manner.

In[Pop 2002℄,aholistianalysisispresentedforemergingdistributedautomotive

appliationsspeiallydealingwiththeissuesrelatedtomixed,event-triggeredand

time-triggered task sets, whih ommuniate over bus protools onsistingof both

statiand dynamiphases.

However, the problem with holisti sheduling is that it is tailored towards a

partiular ombination of input event model, resoure sharing poliy and om-

muniation arbitration. Therefore, for the large heterogeneous systems it results

in a large and heterogeneous olletion of analyses methods, whih makes holisti

sheduling analysisdiult to useinpratie.

1.2.3 Compositional performane analysis

Inontrasttoholistimethodsthatextendlassialshedulinganalyses,theompo-

sitional analysestehniques aremodular innature (omponents). Theomponents

of a system are analyzed with lassial algorithms and the loal results are prop-

agated in the system through appropriate omponent interfaes relying on event

stream models for propagation between omponents. That isfor eah yle of sys-

tem level ompositional analysis, loal analysis on eah omponent is performed.

The output event models resulting from theloalanalysis of omponents are then

propagated through the omponent interfae to the onneted omponents. The

reeiving omponent uses theoutput event model fromthe previousomponent as

its inputmodel.

Thieleetal. in[Thiele 2000℄presentedModularPerformaneAnalysis(MPA)as

onesuhanalysismethodofRTS.ThemethodusesReal-TimeCalulus,whihisan

extensionofNetworkCalulus[Le Boude 2001℄,toanalyzetheowofeventstreams

through proessing and ommuniation elements of the system. The important

feature of MPA is that it is not limited to only ertain input event models and

theomponentinterfaes, see[Henzinger 2006℄, butanalso speifytheomponent

ompatibilityandrelationships dependingonassumptionsaboutinputevent model

and alloated resoureapaities.

SymTA/S (Symboli Timing Analysis for Systems) is another ompositional

analysisapproah similartoMPA,see[Henia 2005℄. The SymTA/S isbasedonthe

tehnique to ouple loal sheduling analysisalgorithms using event streams. The

eventstreamsdesribethepossibletaskativations. Fortheompositionalanalysis,

the input and output event streams are desribed by standard event models, for

example,aperiodiwithjittereventmodelhavingtwoparameters anbedesribed

as

(P, J )

^{. SymTA/S}ompositionalapproahalsohasanability,likegreedyshapers

inMPA,to adaptthepossibletiming ofevents inanevent stream.

1.2.4 Probabilisti performane analysis

The worst-ase evaluation may not be suient or needed as there are not many

strithardreal-timesystems. Therefore,forthesesystemsprobabilistiperformane

analysesanbeperformed. Themotivation isthatnotmanyappliationsaretime-

ritial, but nonetheless they are sensitive to latenies. For example, for ontrol

appliations the qualityof the ontrols dependsalso on theaverage response time,

besides the deadline, whih needs to be minimized. Moreover, the ativation of

tasksand messagesanbeaperiodi(probabilisti) in ertainsystem. Importantly,

not allof thedesign parameters maybeavailableat theinitial phaseofautomotive

systemdesignandadesigneranstart withaprobabilistimodelofasystemwhih

an provide an important diretion for future phases of the projet. Moreover, for

manysafetyritialsystemthe onstraintsonritialityarerepresentedintermsof

the probability thresholds (e.g. mean-timeto failureprobability).

StohastiNetworkCalulus (SNC),see[Jiang 2008℄,isone suhmethodwhih

fouseson performaneguarantees. It issimilarto networkalulus, a theorydeal-

ing with queuing systems found in omputer networks, but works with stohasti

arrival urves and provides probabilisti guarantees of timing and baklog infor-

mation. Moreover, automotive systems have been analyzed using probabilisti ap-

proah, beause of problem being expliitly probabilisti in nature. For example,

in [Navet2000℄, Navet et al. introdue the onept of worst ase deadline failure

probability(WCDFP),theprobabilitythattoomanyerrorsoursuhthatames-

sage an not meet its deadline. Nolte et al. in [Nolte2001℄ extend the worst-ase

response time analysis for message with random message transmission times due

to bit stung. This analysis depends on the probability distribution of a given

number of stuedbits due to the mehanism in CAN protool, suh that a frame

ontaining a sequene of ve onseutive idential bits are bit-stued to hange

polarities. Gardneretal. in[Gardner 1999℄analyzea stohastixedpriorityRTS

suhthatanoasionalmisseddeadlineisaeptable,butatdereasedperformane.

They present an analysis tehnique inwhih they bound (lower) theperentage of

deadlines that a periodi taskmeets and ompare that withthe lower bound with

simulation results. Diaz etal. in [Díaz2002℄provide a stohastianalysismethod

for general periodireal-time systems,auratelyomputingtheresponsetimedis-

tribution of eah task inthe system, makingit possible to determine thedeadline

miss probability of individual tasks, even for systems with maximum utilization

fator greaterthanone. Bernat etal. in[Bernat 2002℄deviseanapproah for om-

puting probabilisti bound on exeution time by ombining the measurement and

analytial approahes into a model. The method ombines, probabilistially, the

observed worst-ase eets to formulate an exeution-time model of a worst-ase

path ina program.

1.3 Researh questions and Contributions

This thesis address the timing veriation issues for the automotive systems and

providestheanalytialmodelsandimplementation guidelinestoaddresstheseprob-

lemsin asafetyritial automotive environment. We investigate and provide tight

worst-ase bound in a mixed ommuniation paradigmbased on aperiodi (proba-

bilisti) and periodi messages, thus helping in better dimensioning of the systems

at thedevelopment time. We also investigate the impliation of diverse ommuni-

ation ontrollers (when message abortion is not possible) on response time of the

messages that are assumed to be en-queued by the middle-ware-level task before

being exhanged on a CAN network and provide a tight bound on response time

of the messages. We also integrate implementation over-heads, suh asopy-time,

into the shedulability analysis of CAN networks. We also develop a probabilisti

system-levelanalysisforomponentbasedRTSinamixedommuniationparadigm

i.e. havingbothprobabilistianddeterministiarrivals. Mostoftheanalysesdevel-

opedinthisthesisintegratetheoneptoffuntionalsafetybasedonSafetyIntegrity

Levels into response time analysis, inorder to guarantee therequired safetylevels.

Eahhapterprovidesa ase-studywhih isevaluated usingthedeveloped analysis

toprovideanunderstandingaboutimprovementsandinnovationsour analyseshave

broughtabout. Speially,thisthesistriesaddressthefollowingresearhquestion:

•

^{Q1 How to perform mixed} (probabilisti and deterministi) timing analysis of an automotive ommuniation network in order to dimension the system

properly?

Q1aHowto model theaperiodidata probabilistially?

Q1b How to integrate the model of aperiodidata in theshedulability

analysis?

Q1 How to ensure that the analysis guarantees the required level of

safety?

Answer: Weprovideaprobabilistiapproahtomodeltheaperioditraand

integrationofitintoresponsetimeanalysisalongwiththedeterministipart,

modeled by periodi ativations. The approah allows the system designer

to hoose the safety level ofthe analysisbasedon thesystem'sdependability

requirements. Compared to existing deterministi approahes the approah

leadstomorerealisti WCRTevaluationandthusto abetterdimensioningof

the hardwareplatform.

•

^{Q2Howan dierent hardware andsoftware}implementationsaet thetem- poral behaviorinan automotive network?

Q2aHowtointegratetheimplementationover-headsintheshedulability

analysis?

Q2b How to integrate th eet of limited transmission buers in the

shedulability analysis?

Q2 Whatarethe guidelines for deviedriverimplementations?

Answer: Weprovide analysisofthereal-timepropertiesofmessage ina CAN

network having hardware onstraints and implementation over-heads (opy-

time of messages). The overhead, ifnot onsidered, may result ina deadline

violationinurred dueadditional latenies. We explaintheauseofthis addi-

tionallatenyandextendtheexistingCANshedulabilityanalysistointegrate

it. Wealso provide someguidelines thatanbeusefulfor theimplementation

of CANdevie drivers.

•

^{Q3Howanwe perform amixed}(deterministi andprobabilisti)omponent basedperformaneanalysis,for systemdimensioningandomponentreuse,of

an automotive system?

Q3a How to modelthe probabilisti omponent and its interfae?

Q3b How to ompose the mixed (deterministi and probabilisti) om-

ponentstogetherina system?

Q3Howtodotheperformaneanalysisofthismixedomponentsystem?

Q3d How to ensure that the analysis guarantees the required level of

safety?

Answer: We provide an analysis of omplex real-time systems involving

omponent-based design and abstration models. We developed an abstra-

tion whih provides both deterministi and probabilisti models for ompo-

nent interfaes based on urves and probability thresholds assoiated with

those urves, resulting in an analysis for real-time systems whih has both

deterministi and probabilisti omponents, based on an extension of real-

time alulus to probabilisti domain. The analysis an oer either hard or

softreal-time guaranteesaordingto the requirementsandthespeiations

of the system. We also show the exibility of the analysis to ope with the

required safetyritialitylevelofa system.

1.4 Thesis outline

•

^{Chapter 2: Periodi and Aperiodi (mixed) analysis of CAN based on inte-}

grating safetyrequirements.

•

^{Chapter 3: CAN ontroller hardware and software} limitations and modeling theanalysis toinlude thoselimitations fortighterboundsonresponsetime.

•

^{Chapter4: Systemlevelresponsetimeanalysisforomponent basedanalysis,}

in a mixed (probabilisti and deterministi) analysisfor system level perfor-

mane withguarantees for safetyandreal-time onstraints.

•

^{Chapter 5: Givesthe perspetive of thisthesis.}

Probabilisti CAN Shedulability

Analysis

Contents

2.1 Introdution . . . 11

2.1.1 CANProtool . . . 12

2.1.2 Problemdenition . . . 12

2.1.3 Handlingaperioditra . . . 13

2.2 SystemModel . . . 14

2.3 Modeling aperiodi tra . . . 14

2.3.1 Approximatingarrivalproess. . . 15

2.3.2 Errorsinapproximation . . . 16

2.3.3 Findingdistribution . . . 17

2.3.4 Thresholdbasedwork-arrivalfuntion . . . 23

2.3.5 Handlingpriority . . . 29

2.4 Shedulability analysis . . . 32

2.5 Case study . . . 34

2.6 Summary . . . 39

In this hapter a probabilisti approah to model the aperiodi tra and in-

tegration of it into response time analysis is disussed. The approah allows the

system designer to hoose the safety level of the analysis based on the system's

dependabilityrequirements. Comparedtoexistingdeterministiapproahestheap-

proah leads tomore realisti WCRTevaluationand thus to abetterdimensioning

of thehardware platform.

2.1 Introdution

In the eld of real-time systems, methods to assess the real-time performanes of

periodiativities(tasks,messages)have beenextensivelystudied. Responsetimes,

worst-ase or average, and jitters an be evaluated by simulation or analysis for a

wide rangeof sheduling poliies provided thattheativation patternsof thetasks

and messages are well identied. The problem is more intriate for aperiodi a-

tivities sine, inmany pratial ases, itis diult to have a preise knowledge of

theirativationpatternandbeausedeterministiWCRTanalysishasnotbeenon-

eived to handle aperiodi ativities. For example, thearrival pattern of aperiodi

framesinthebodynetworkofa vehileishard topredit, asitisdependentonthe

userinterations. Howeveraperiodiframesofhigherpriorityexhanged amongthe

EletroniControlUnits(ECUs)inthebodynetworkofavehileandelayperiodi

tra. Indeed,most oftentheControllerArea Network (CAN)prioritybus isused

and the aperiodiframes do not neessarilyget the lowest prioritylevels 1

assigned

to them.

2.1.1 CAN Protool

The Controller Area Network (CAN), was developed in the beginning of the 80s

by Bosh. Today CAN is the most widely used network tehnology in the au-

tomotive industry, found in almost all domains. CAN transmits messages in an

event-triggered fashion using deterministi ollision resolution to ontrol aess to

thebus (so alledCSMA/CR).Messagesaretransmitted inframesontaining0to

8 bytes of payload data. These frames an be transmitted at speeds of 10 Kbps

up to 1 Mbps. Eah CAN message has a unique ID value, whih is used for the

bus arbitration. However, CAN ID is also used as themessage priority, suh that

lowervalue of CAN ID indiates higher-priority message and higher-value of CAN

ID indiatelower-priority message. At thestart ofarbitration,eah nodehopingto

senda messagestartsto transmit themessageID (leastsigniant bit rst);While

transmitting theCANIDeahnotalsolistenstothebus(foreahtransmittedbit).

When a node noties azero on the bus whileit transmitted one itbak-o, Whih

impliesa thatsomeother node hashigherprioritymessageto send;thearbitration

an bethought of anAND gatesuh thatifanybitiszero theresultiszero.

2.1.2 Problem denition

Inthishapter, weaddresstheproblemofevaluatingresponsetimeswhenboth pe-

riodiand aperiodiativities aretaken into aount. Ativitiesaretermedframes

in the rest of the hapter, beause the approah will be developed and illustrated

on the CAN bus, but our approah equally holds for tasks. The inrease in the

WCRToftheperiodiframeswhih maybeausedbythehigher priorityaperiodi

framesouldberitialforhardreal-timesystemsasitouldleadtotheviolationof

thedeadlines. Besides,large responsetimes ofaperiodiframesmayjeopardizethe

exeution of a funtionor may even raisesafety onerns insome ases (e.g. head-

lights ashes ina vehile). In addition, low responsiveness is negatively pereived

bythe user. It is worthmentioningthat ativitiesthat areperiodi by esseneare

sometimes implemented inan aperiodi mannerinorder to save resoures.

Whatever the exat approah, one of the main steps is to derive a model of

the arrival patterns for aperiodi ativities, what will be alled in the following

1

Beause ofthe inrementaldesignproess,in-house usagesor onstraintsof theooperation

proessbetweenar-makersandsuppliers,prioritiesontheCANbusdonotneessarilyreetthe

ritiality oftheframes(i.e.,importanefromafuntionalpointofview,deadlineonstraint).

the aperiodi Work Arrival Funtion (WAF). Then, this aperiodi WAF hasto be

integratedinto theresponsetimeanalysis. There arehoweverdiulties:

•

^{obtainingaperiodidata(i.e.,by}measurements or simulation),

•

^{modeling aperiodidata,}

•

integrating themodelinto shedulability analysis.

Whatwearedisussinginthis hapterisnot howto obtaindatabuthowto model

itand integrate itinto shedulabilityanalysis.

2.1.3 Handling aperiodi tra

There aretwo lassialapproahesto handlethe aperioditra:

•

^worst-asedeterministiapproah: aperiodiframesareonsideredasperiodi frameswiththeirperiods equaltotheminimuminter-arrivaltimes,thisisthe

well known sporadi model [Spuri1996℄. However, in many ases, themini-

mum inter-arrival time is so small that the resulting workload is unrealisti,

and oftengreaterthan 100%[Zhang2008℄.

•

^An average-ase probabilisti approah: the aperiodi tra is modeled a- ording to a probabilisti inter-arrivals proess, the next step is then to es-

timate the 'probable' number of arrivals in a given interval of time. This

approah islearlynot suited toreal-timesystemsbeauseitlargely underes-

timatesthearrivalsofaperioditrawhihanourinsmalltimeintervals 2

A basi probabilisti framework wasset for inlusion of aperiodi framesin a on-

trolled manner using a threshold value in [Burns2003℄. This hapter builds upon

this framework and disusses preisely the mehanism of deriving the aperiodi

WAF,aswellasitremovessomeassumptionsplaedin[Burns 2003℄. Inpartiular,

we showthatinour speiontextitisnot neessarythatthedierent streamsof

aperiodi framesaremodeledindividually.

Overview of approah

We do not assume any prior knowledge of the aperiodi frame ativation pattern,

howeverwe assumethatitispossibleto monitorthesystem,or asimulationmodel

of it, and gather data about thearrival times of aperiodi frames. Then, from the

measurements, we build a probabilisti model of the aperiodi inter-arrival times

under the form of an empirial frequeny histogram or a distribution obeying a

losed-form equation whenever it is possible. The next step is to derive a deter-

ministi WAF fromthe probability distributionof theaperiodi frame inter-arrival

times. A general mehanism is provided enabling to derive the deterministi WAF

2

Aordingtothe prinipleoflargedeviations: thesmallertheinterval,thelarger (inpropor-

tion)thedeviationtothemean[Navet2007℄.

a

ρ

^C(mse)

0.5 341 0.760

0.5 878 0.696

0.5 2000 0.760

9 33 0.632

12 256 0.632

(a)Approximatedtrae

a

ρ

^{C (mse)}

0.500 341 0.760

1.250 878 0.696

1.954 2000 0.760

9 33 0.632

12 256 0.632

(b)Atualtrae1

a'

ρ

^{' C' (mse)}

0.5 341 0.760

1.260 878 0.696

1.956 2000 0.760

9 33 0.632

12 256 0.632

()Atualtrae2

Figure2.1: Approximated traeagainst trae1and trae 2.

from theunderlying probabilisti distributions oftheaperioditra evengivenin

form of empirial histograms, whih is worthy in pratie sine aperiodi arrivals

do not neessarily obey a losed-form equation. Another advantage is that the

tehnique is independent of the sheduling and an be used whatever the poliy

is (preemptive, non-preemptive, xedpriority,dynami-priority, et) and whatever

the task model is. All in all, we believe that our proposal oers a better solution

for takinginto aount aperioditra insystems with dependability onstraints,

ompared toworst-aseandaverage aseprobabilisti approahes.

2.2 System Model

The trae of aperiodi events is haraterized by a set

D = E ₁ , E ₂ , ..., E _n

^where

E i

^{is an}

i ^th

^{aperiodi event suh that}

E ₁

^{is reorded before}

E ₂

^{on the bus. The}

events in D are reorded in order of their arrivals on the bus. Eah aperiodi

event is haraterized by a set

E i = { a i , ρ i , C i }

^where

a i

^{is an arrival time (}

a ^′ _i

^is

the estimated arrival time),

ρ i

^{is a priority of the aperiodi frame, and}

C i

^{is the}

worst-ase exeution time of the frame. The length of set D depends on the time

when trae apture was stopped, but it should be suiently large to dedue the

probabilisti modelofinter-arrivals.

2.3 Modeling aperiodi tra

The data used in this work omes from measurements taken on-board of a PSA

vehile but beause of ondentiality reasons we have obsured the harateristis

whih ouldreet about thedesign at PSAPeugeotCitröen.

Whatwasmeasuredarethetimesatwhihtheframesstartedtobetransmitted

0.5 1.0 1.5 2.0 2.5 9.0 9.5 10.0 10.5 11.0 11.5 12.0 12.5 E1

E1 E2

E2 E3

E3

E5

E5

E6

E6 E1

E2

E3 E5 E6

Figure 2.2: Gant hart for trae1: blak arrows are atual release times and red

arrows areobserved arrivaltimesindatatrae.Thebluearrows willbetheapprox-

imatedarrivaltimes.

and not thetimesat whih thetransmissionrequestswere issued. Espeiallywhen

thenetworkisloaded,the twoanbesigniantly dierentbeauseofframestrans-

missionsbeingdelayed byhigher priority frames. Thisould be taken into aount

by studying the busy periods on the bus and onstruting a worst-ase ativation

proess,whih isdisussed insetion2.3.1.

2.3.1 Approximating arrival proess

The modeling proess of the aperiodi tra involves estimating the probabilisti

distribution ofaperiodiinter-arrivalsfrom theaptured datatrae ofa simulation

modelofavehileorfromarealvehile. Theaptureddatatraeofbusativitygives

usthearrivaltimesofframesonthebus,priorities offramesandsize oftheframes.

The diulty in using this aptured data trae lies inthe fat that the measured

arrivaltimeoftheframesonthe busmaynotoinidewiththeatualreleasetimes

of the frames. This requires us to approximate an atual arrival proess from the

aptureddatatrae. The atualarrivaltimefor someframe ian be approximated

bysubtratingthelevel-ibusyperiodseenbytheframe. Thelevel-ibusyperiodseen

by frame ion bus an be easily omputed froma trae. The simple subtration of

thelevel-ibusyperiodgiveustheworst-asearrivalproessoftheaperiodiframes,

whihiswhatisrequired. Theapproximatedarrivalproessfortheaperiodiframes

givesus theworst-asearrivalproesswhihan leadto burstinessinlowerpriority

framesastheyaretheoneswhiharepushedbakwhentheaperioditraarrives.

Assumption:

•

^No inter-framesequene forframe separation. Otherwise allframesafterrst frame willbeequallyshiftedbythree bittime.

0.5 1.0 1.5 2.0 2.5 9.0 9.5 10.0 10.5 11.0 11.5 12.0 12.5 E1

E1 E2

E2 E3

E3

E5

E5

E6

E6 E1

E2

E3 E5 E6

Figure 2.3: Gant hart for trae2: blak arrows are atual release times and red

arrowsareobserved arrivaltimesindatatrae. Thebluearrowswillbetheapprox-

imated arrivaltimes.

x1 x2

a2

0 5 10 15 20

Figure 2.4: Approximation error when approximating the arrival of a frame. The

framearrivesattime

x 1

^{,observedatarrivaltime}

x 2

^{indatatraeand}approximated arrival time isat

a ₂

^.

•

^{The data trae is sorted aording to arrivaltimes then}priorities; suh that iftwo framesarrive atsame timethenthehighestpriorityframe will preede

thelowerone inthetable,whihis natural for aaptured datatrae.

Therefore, for some frame i the level-i busy period seen by it will be equal to the

summation oftransmissiontimeofallhigherpriorityframespreedingthe

i ^th

^frame

indatatrae; seealgorithm 1.

2.3.2 Errors in approximation

When approximating the arrival proess from aptured data traes e.g. arrival

timesoftable2.1,wewillhaveanapproximationerrorfortheapproximatedarrival

proess ifthe atual arrival proess was not theworst-ase arrival proess e.g. for

the traesof gure2.3 and 2.2we will getan approximation error (see gure 2.3.1

for further understanding) asblueand blak arrows do not oinide. Supposethat

an aperiodi event ours at time

x ₁

^{and bus is busy} transmitting the frames of higher priority. Whenthe level-ibusyperiodfor framereleasedattime

x ₁

^isoverit

beginstransmittingattime

x ₂

^{whihisobservedandreordedinadatatrae. When}

approximating theatual arrivaltime (

x 1

^{) of frame fromtheobserved arrivaltime}

from trae (

x ₂

^{) we get a wost-ase arrival timeof}

a ₂

^{for theframe whih is earlier}

than

x ₁

^{and thus we have an error inthe}approximation. The approximationerror

ǫ

^{isgiven by:}

ǫ = x ₁ − a ₂

^{andis diretlydependent uponthelength ofbusyperiod}

seen by the frame as

a ₂ = x ₂ − l

^{,where l is thelength of level-ibusy period. The}

maximumapproximationerrorwill ourwhentheframearrivesneartheobserved

arrivaltime fromtrae (

x ₂ − x ₁ ≈ 0

^{) and thereforemaximum}approximation error is

ǫ = x ₂ − l

^.

However,we arenotonerned bythisapproximation errorasweareinterested

intheworst-asearrivalproess.

2.3.3 Finding distribution

In order to model the inter-arrival times of the aperiodi tra, we rst analyze

some important strutural properties of the data (e.g., linear and non-linear or-

relation) then nd out the probability distribution that best ts our data. The

preseneoflinear andnon-linear dependenies inthedata wouldimpat itsmodel-

ing beause it would imply a departure from the i.i.d. property (independent and

identiallydistribution). Totestthesetwo kindofdependenies,aslassiallydone

inexploratorydataanalysis,wemakeuseofsomevisualonrmatorytests,therun

sequene plot and lag plot,aswell astheauto-orrelation andBDS test (Brok,

Dehert, Sheinkman, see[Brook1996℄).

Run sequene plot

The run sequene plot displays an observed univariate data ina timesequene. It

helpstodetetoutliersandshiftsintheproess. Figure2.5(upper)isarunsequene

plotofourdatatraewherethedatapointsareindexedbytheirorderofourrene.

Theplotindiatesthatdatadoesnothaveanylongtermshiftsinheightsovertime.

Lag plot

Alagplothelpstogainsomeinsightintowhetheradatasetortimeseriesisrandom

or not. Random data should not exhibit any visually identiable struture in the

lag plot. Figure 2.5(lower) is a lag plot of our data trae (here the lag is hosen

equal to 1:

x = X _k+1

^and

y = X k

^,where

X k

^{is the}

k ^th

observation). Sinethe lag plotappears to be strutureless, the randomnessassumption annot be rejeted.

2.3.3.1 Autoorrelation analysis

The autoorrelation analysis detets the existene of serial orrelations in a data

trae. Preisely the orrelation of order k indiates the linear relationship that

may exist between data values separated byk positions. The rst 100 orrelation

oeientsof thedatatrae are showningure 2.6assoiated withthethresholds

Algorithm 1: Algorithm for estimation of worst-ase arrival time for frame

arriving at

a i

^{from aptureddatatrae.}

Input:

a i ,

^data_trae

Output:

a ^′ _i

a i

^{is the} arrival-time of a frame and trae has all aptured

frames

while

!EOF (

^data_trae

)

^do

/*where

j

^and

k

^{are the frame indexes suh that}

j

^and

k

^points

to the frame with arrival time of

a j

^and

a k

^*/

k = i − 1

^;

k

^{points to frame whih arrived before frame}

i

ⁱⁿ

data_trae

j = i

^;

j

^{points to frame}

i

^{in data_trae}

/*

ρ i

^{is the priority of frame with index}

i

^*/

while

ρ _i > ρ _k ∧ k > 0

^do

/*

C k

^{is WCET of}

k ^th

^frame*/

if

a k + C k < a j

^then

/*Sine CAN bus beame idle after

C _k

^was transmitted*/

return

a ^′ _i = a j

end

end

/*Chek the previous frame in the data_trae*/

j = k k = k − 1

end

/*To hek for negative value of

k

^{at the end of trae when no}

estimate for arrival of

a i

^{was found*/}

if

k > 0

^then

a ^′ _i = a k

end

else

a ^′ _i = a i

end

a ^′ _i

^{is Estimated arrival time of}

i ^th

^frame

return

a ^′ _i

Figure 2.5: Visual analysis of aptured data trae. The upper graphi is a run

sequeneplot where thex-axisis the index ofthedata points andthey-axis isthe

timetillthenextaperiodiarrivalexpressedinseonds. Inthelowergraphis,alag

plot, bothaxes indiates the time till thenext aperiodi arrivalinseonds.

Figure2.6: Auto-orrelationof aptured datatrae.

beyondwhihthevaluesarestatistiallysigniant(1%signianelevelhere). The

graphi visualizationoftheorrelationoeients makesitpossibleto evaluatethe

importaneandthedurationofthetemporaldependenies. Here,serialorrelations

intheaperioditra arerelatively limited:

•

^{limited infrequeny: onthe entire aperiodi tra, thereare only 19 signi-}

ant auto-orrelations oeientsuntil alagof 100,

•

^{limited inintensity: thefew signiant} auto-orrelations arebelow0.2 whih is insuient to be usedat endsofpreditions.

These autoorrelations an probably be explained by the fat that the ativation

of ertain funtions of the vehile requires the transmission of several onseutive

frames, but, the instants of ativations of the funtions have small orrelations.

Also, the spike that an be observed around the lag 50 is likely due to a periodi

frame thathasnot been properlylteredout inthedatatrae.

2.3.3.2 BDS analysis

Auto-orrelation has the limitation that it an only test the linear dependeny in

thedata. Inordertotest fornon-lineardependeniesamoregeneral statistialtest

thantheauto-orrelationmustbeused. OnesuhtestistheBDStest[Brook1996℄

whih employs the onept of spatial orrelation from haos theoryto test thehy-

pothesis thatthe values of asequene, inthis hapter inter-arrival times, are inde-

pendent and identially distributed (i.i.d.). Deviation from the i.i.d. ase will be

aused by thenon-stationarityof theproess (e.g.,existene oftrends), or thefat

that therearelinear ornon-linear dependenies inthe data.

Figure2.7: Probabilityplots for 3andidate distributions, fromtop tobottom,the

exponential law, the log-normal lawand theWeibullLaw.

We arriedout theBDS test for various ombinations of its parameters

m

^and

δ

^{(forexample for}

m = 2

^and

δ = 3

^{asreommended bytheauthorsofthetest. For}

ertain ombinations we ould not rejet the hypothesis that the data points are

i.i.d. at the 1%ondene level. The results of auto-orrelation analysisand BDS

testenableustoonludethatitispossibleinourspeiontexttomodeltheape-

riodiinter-arrivaltra bya randomvariableobeying amemory-less probabilisti

distribution withoutdiverging fromreality.

2.3.3.3 Distribution tting

We now need to nd theprobability distribution and its parameters whih models

theexperimental datathemost aurately. Afterhavingdrawn asideertainpossi-

bilitiesforobviousreasons(forexample,thenormallawbeauseitsdensityfuntion

isnotmonotonouslydereasing),wetesteddistributionsidentiedbyadjustingtheir

parameters aordingtothepriniple ofthemaximumoflikelihood(MLE). Speif-

ially,we have suessively onsidered the exponential law, thelog-normal lawand

theWeibulllaw. Theexponential lawwasplausibleaprioritakingintoaount the

dereaseof the density whih one an observeinthedata trae,thetwo otherlaws

havebeen hosenfor their well-knownexibility.

2.3.3.4 Probability plots for visual seletion

Thedistributionofthe observeddataisplotted againstatheoretialdistributionin

suh a way thatthe pointsshould form approximately a straight line. Departures

from this straight line indiate departures from the speied distribution. If the

probability plot is approximately linear, the underlying distribution is lose to the

theoretial distribution. Whatanbeobservedingure2.7isthattheWeibulllaw

is the distribution that best ts the data. This visual onlusion is onrmed by

statistial aeptanetestsdisussed inthe next paragraph.

2.3.3.5 Aeptane test

In previous setion evaluation of the quality of results was done visually. In this

setionweusethestatistialteststoverifytheassumptionthatdatatraefollowsa

partiular distribution. Speially, we are using the

χ ²

^and Kolmogorov-Smirnov

"goodness-o-t tests"[Millard1967,Brumbak1987℄. The best results were ob-

tained usingtheWeibulllaw, followedat somedistanebythelog-normallaw. The

onlusion of the two testsis that one annot rejet theassumption that thedata

followsaWeibulldistributionat asignianelevelof1%. Forabroaddatasample

olleted on a real system, and not artiially generated data, it is a onlusive

result.

Figure 2.8 presents the real data trae and an "artiial" trae generated by

a Weibull law with MLE-tted parameters. It is observed that some "patterns"

presentintherealtraedisappearandthatthesimulatedtraeismorehomogeneous

in time, but overall adequay of the modeling seems good. From the analysis,

arriedout inthissetion, we an onludethatinour speiontext theWeibull

distributionprovidesasatisfatorymodelfortheaperioditrainter-arrivaltimes,

followed bylog-normaland exponential distributions at some distane.

2.3.3.6 Using two-parameter distributions

The hoie of a distribution is often ditated by the nature of the empirial data

whih is often over-dispersed and heterogeneous in pratie. The seletion of a

distribution fromthefamilyofdistributions whiharelikelytomodeltheempirial

data is often governed by the exibility of the distribution to handle dispersion

andheterogeneity. For examplethePoissonandexponentialdistributions aresingle

parameter distribution whih impliitly assumesimple parametri models and lak

in the freedom to adjust the variane independent of the mean, bringing in the

handiap to model the dispersed data. A model with an additional parameter to

take are of dispersion independent of mean may provide a better t. The weibull

andgamma distributionsaretwo-parameterdistributions whih havethisexibility

ofhandlingthevarianeindependentlyfromthemean. Besidesthesetwo-parameter

distributions will onverge to the simple parametri distribution depending on the

values ofthe parameters used. For thesereason intherestof thework,theweibull

distribution will be used.

Figure 2.8: Comparison between the aptured data trae and a random trae gen-

erated bya Weibull modelwithMLE-tted parameters.

2.3.4 Threshold based work-arrival funtion

S(t)

^{is the aperiodi work arrivalfuntion whih givesus thenumber of aperiodi}

frames in a time interval

t

^{and that will be used in the response time analysis.}

S(t)

^{is an inreasing} "stairase" funtion suh that the "jumps" in the funtion orrespond to the arrival of an aperiodi frame. To onstrut this funtion, we

proposeto disretizethe timeand alulate the value taken by

S(t)

^{for eah value}

of

t

^between

1

^and

T

^where

T

^,expressedinmilliseonds,isthelargestvaluethatwe may reasonably require during the omputation of a response time. For example,

one anset

T = 1000

^{ms ifthelargestperiodofativityon thebus (i.e.,thelargest}

busy period)doesnot exeed a seond.

2.3.4.1 Safety threshold

α

^for

S(t)

We denote by

X(t)

^{the stohasti proess whih ounts the number of aperiodi}

frames in time interval

t

^{. For example, in the datatrae whih we studied in the}

preedingsetions, inter-arrivals wouldbeontrolled bya Weibull law. Theidea is

to nd the smallest

S(t) ˆ

^{suh that the} probability of

X(t)

^{introduing aperiodi}

framesequalton islowerthanathresholdvalue

α

^{xedbythedesigner. where n is}

the numberof aperiodiframesintrodued by

S(t)

^{. Formally,we arelookingfor:}

S(t) = min ˆ { S(t) | P r[X(t) ≥ n] ≤ α }

^(2.1)

Figure 2.9: Graphial representation of algorithm for omputation of

S(5)

^{. It on-}

sistsinndingthesmallestvalueofkusingtheCDFoftheinter-arrivaldistribution

aording toequations 2.1 and2.2.

Forexample,ifonesets

α = 0.01

^{itmeansthatinnomorethan}

1%

^ofitstrajetories thestohastiproess

X(t)

^{induesmoreaperioditra than}

S(t) ˆ

^{. If}

X(t)

^models

the real aperiodi tra aurately, the number of aperiodi frames integrated in

the alulation of the response time of a periodi frame will have more than 99

perent hanes to be higher than what eah instane of the frame will undergo.

Of ourse, the hoie of

α

^{depends on the} dependability objetives of SIL(System IntegrityLevel)but

α = 10 ⁻⁴

^{isareasonablevalueintheontext ofabodynetwork}

that willbe onsideredintheexperimentshereafter.

2.3.4.2 Computation of

S(t)

We need a wayto evaluate

P r[X(t) = n] ≤ α

^{at eah time instant}

t

^{. Let}

F n (t)

^be

theCumulative Distribution Funtion (CDF) ofinterarrivals.

P r[X(t) = n] = P r[X(t) ≥ n] − P r[X(t) ≥ n + 1]

^(2.2)

P r[X(t) = n] = F _n (t) − F _n+1 (t)

Two ases arise:

Figure2.10: WAFusing monte-arlo simulations

•

Distribution for whih we have a losed-form expressions and an evaluate

P r[X(t) = n]

^{e.g poisson}distribution.

•

Distribution for whih we have no losed-form expression e.g. weibull distri- bution.

Therstaseiseasytoevaluateusinglosed-formexpressionandfortheseondase

we ouldeitherresortto numerial orsimulation methods to evaluatethe equation

2.1.

2.3.4.3 Graphial illustration

Figure2.9 illustratestheomputation of

S(t)

^{for a speivalueof}

t

^,here

t = 5

^:

S(5) = min ˆ { S(5) | P r[X(5) ≥ n] ≤ α }

^(2.3)

The probability

P r[X(5) ≥ n]

^{an be found using values of}

n = 1, 2, 3, ...

^and

for

t = 5

^{inequation and}terminating whenprobabilityis more than

α

^.

2.3.4.4 Monte-Carlo simulation approah

We do not always have a disrete distribution modeling the data nor a ontinu-

ous distribution suh that equation 2.1 an be evaluated analytially. We need an

alternate method to evaluate equation 2.2 in suh ases. This an be done with

numerial integration tehniques or using Monte Carlo simulation method. The

latter approah is desribed in algorithm 2 where

α

^{is the safety level,}

∆

^{is the}

disrete time step,

θ

^{is the set of parameters of the aperiodi frame arrival distri-}