In this paper, we present a hierarchical model for time-predictable task scheduling in an edge-cloud computing architecture for industrial cyber-physical systems. Regarding the scheduling problem, we also investigate the common problem-solving approaches and discuss our preliminary plan to realize the proposed architecture. Furthermore, an integer linear programming (ILP) model is proposed for the task scheduling problem in the cloud layer. The model considers the timing and security requirements of applications, and the objective is to minimize the financial cost of their execution.
The edge-cloud computing continuum effectively uses fog and cloud servers to meet the quality of service (QoS) requirements of tasks when edge devices cannot meet those requirements. This paper focuses on the workflow offloading problem in edge-cloud computing and formulates this problem as a nonlinear mathematical programming model. The objective function is to minimize the monetary cost of executing a workflow while satisfying constraints related to data dependency among tasks and QoS requirements, including security and deadlines. Additionally, it presents a genetic algorithm for the workflow offloading problem to find near-optimal solutions with the cost minimization objective. The performance of the proposed mathematical model and genetic algorithm is evaluated on several real-world workflows. Experimental results demonstrate that the proposed genetic algorithm can find admissible solutions comparable to the mathematical model and outperforms particle swarm optimization, bee life algorithm, and a hybrid heuristic-genetic algorithm in terms of workflow execution costs.
A hybrid cloud is an efficient solution to deal with the problem of insufficient resources of a private cloud when computing demands increase beyond its resource capacities. Cost-efficient workflow scheduling, considering security requirements and data dependency among tasks, is a prominent issue in the hybrid cloud. To address this problem, we propose a mathematical model that minimizes the monetary cost of executing a workflow and satisfies the security requirements of tasks under a deadline. The proposed model fulfills data dependency among tasks, and data transmission time is formulated with exact mathematical expressions. The derived model is a mixed-integer linear programming problem. We evaluate the proposed model with real-world workflows over changes in the input variables of the model, such as the deadline and security requirements. This paper also presents a post-optimality analysis that investigates the stability of the assignment problem. The experimental results show that the proposed model minimizes the cost by decreasing inter-cloud communications for dependent tasks. However, the optimal solutions are affected by the limitations that are imposed by the problem constraints.
Task offloading is a prominent problem in edge-cloud computing, as it aims to utilize the limited capacity of fog servers and cloud resources to satisfy the QoS requirements of tasks, such as meeting their deadlines. This paper formulates the task offloading problem as a nonlinear mathematical programming model to maximize the number of independent IoT tasks that meet their deadlines and to minimize the deadline violation time of tasks that cannot meet their deadlines. This paper proposes two Q-learning algorithms to solve the formulated problem. The performance of the proposed algorithms is experimentally evaluated with respect to several algorithms. The evaluation results demonstrate that the proposed Q-learning algorithms perform well in meeting task deadlines and reducing the total deadline violation time.
Novel production paradigms aim at increasing the efficiency and flexibility of production systems. Nonetheless, traditional industrial infrastructures lack the mechanisms needed to support these new paradigms. One of the main limiting factors is the architecture, which follows the automation pyramid, in which subsystems are divided into layers depending on their functionalities. This has made it possible to meet the timing and dependability requirements of the production subsystems, but at the cost of limiting the exchange of information required to provide increased flexibility to the system. For this reason, in this paper we propose a new industrial architecture with a single network infrastructure to connect all the devices that make up the industrial system. On top of that, we design an Automatic Network Configurator to support the automatic configuration of the system. To assess the feasibility of our design and evaluate its performance, we implement the first instance of the architecture capable of supporting changes in the traffic requirements during run-time, i.e., without stopping or disrupting the system's operation. Furthermore, we use the implemented instance to measure the time required for reconfigurations.
Novel industrial applications are leading to important changes in industrial systems. One of the most important changes is the need for systems that are capable of adapting to changes in the environment or in the system itself. Because of their nature, many of these applications are distributed, and their network infrastructure is key to guaranteeing the correct operation of the overall system. Furthermore, in order for a distributed system to be able to adapt, its network must be flexible enough to support changes in the traffic during runtime. The Time-Sensitive Networking (TSN) Task Group has proposed a series of standards that aim at providing deterministic real-time communications over Ethernet. TSN also provides centralised online configuration and control architectures which enable the online configuration of the network. A key part of TSN's centralised architectures is the Centralised Network Configuration element (CNC). In this work we present a first implementation of a CNC capable of scheduling time-triggered traffic and deploying such a configuration in the network using the Network Configuration (NETCONF) protocol. We also assess the correctness of our implementation using an industrial use case provided by Volvo Construction Equipment.
Contemporary distributed embedded systems in many domains have become highly complex due to ever-increasing demand on advanced computer controlled functionality. The resource reservation techniques can be effective in lowering the software complexity, ensuring predictability and allowing flexibility during the development and execution of these systems. This paper proposes a novel end-to-end resource reservation model for distributed embedded systems. In order to support the development of predictable systems using the proposed model, the paper provides a method to design resource reservations and an end-to-end timing analysis. The reservation design can be subjected to different optimization criteria with respect to runtime footprint, overhead or performance. The paper also presents and evaluates a case study to show the usability of the proposed model, reservation design method and end-to-end timing analysis.
The resource reservation techniques provide effective means to lower the software complexity, ensure predictability and allow flexibility during the development and execution of complex distributed embedded systems. In this paper we propose a new end-to-end resource reservation model for distributed embedded systems. The model is comprehensive in that it supports end-to-end resource reservations on distributed transactions with various activation patterns that are commonly used in industrial control systems. The model allows resource reservations on processors and real-time network protocols. We also present timing analysis for the distributed embedded systems that are developed using the proposed model. The timing analysis computes the end-to-end response times as well as delays such as data age and reaction delays. The presented analysis also supports real-time networks that can autonomously initiate transmissions. Such networks are not supported by the existing analyses. We also include a case study to show the usability of the model and end-to-end timing analysis with resource reservations.
In this paper, we propose a conceptual framework to facilitate the design and development of an automation system in which time-sensitive networking (TSN) is utilized for the backbone network and OPC UA is used for modeling of data exchange over TSN. As the configuration of OPC UA over TSN in a large automation setup can be a challenging task and requires specific expertise, we propose to add an abstract modeling layer that adopts the concepts of model-based development and component-based software engineering to facilitate the development of these systems. The proposed conceptual model can be automatically translated to the OPC UA modeling format. Such a modeling view will significantly reduce the complexity of OPC UA configurations, especially in large automation systems. Another benefit of the proposed framework is that engineers who do not have high levels of expertise in OPC UA will be able to easily configure the OPC UA nodes in an automation system that utilizes TSN for backbone communication.
The functionality advancements and novel customer features that are currently found in modern automotive systems require high-bandwidth and low-latency in-vehicle communications, which become even more compelling for autonomous vehicles. In a recent effort to meet these requirements, the IEEE Time-Sensitive Networking (TSN) task group has developed a set of standards that introduce novel features in Switched Ethernet. TSN standards offer, for example, a common notion of time through accurate and reliable clock synchronization, delay bounds for real-time traffic, time-driven transmissions, improved reliability, and much more. In order to fully utilize the potential of these novel protocols in the automotive domain, TSN should be seamlessly integrated into the state-of-the-art and state-of-practice model-based development processes for automotive embedded systems. Some of the core phases in these processes include software architecture modeling, timing predictability verification, simulation, and hardware realization and deployment. Moreover, throughout the development of automotive embedded systems, the safety and security requirements specified on these systems need to be duly taken into account. In this context, this work provides an overview of TSN in automotive applications and discusses the recent technological developments relevant to the adoption of TSN in automotive embedded systems. The work also points at the open challenges and future research directions.
This paper proposes an approach to model switched Ethernet communication within a model- and component-based software development framework for vehicular distributed embedded systems. The paper also presents a method to extract the network timing model from the systems that use switched Ethernet networks. In order to provide a proof of concept, an existing industrial component model and its tool suite, namely RCM and Rubus-ICE respectively, are extended by implementing the modeling technique, the timing model extraction method and response-time analysis of the Ethernet AVB protocol. The extensions to RCM are backward compatible with the modeling and end-to-end timing analysis of traditional in-vehicle networks and legacy (previously developed) vehicular distributed embedded systems. Furthermore, the paper discusses the implementation and test strategy used in this work. Finally, the usability of the modeling approach and implemented timing analysis is demonstrated by modeling and time analyzing a vehicular application case study with the extended component model and tool suite.
Time Sensitive Networking (TSN) is a set of standards developed by the IEEE 802.1 task group to support high-bandwidth and low-latency predictable network communication. Configuration of TSN networks is a daunting task, as there are several novel features in TSN and numerous possibilities can arise by considering combinations of these features. This letter investigates the impact of various unexplored frame-preemption configurations in TSN networks on the timing behaviours of various traffic classes. These configurations correspond to different combinations of settings in TSN with respect to the credit-based shaper, time-aware shaper, Hold & Release mechanism and frame preemption. The letter provides an evaluation of these configurations by means of an analytical discussion and simulation experiments. The results and implications discussed in this letter can serve as useful guidelines for network designers when configuring TSN networks with regard to the addressed features.
This paper identifies a limitation in the frame preemption model in the TSN standard (IEEE 802.1Q-2018), due to which high priority frames can experience significantly long blocking delays, thereby exacerbating their worst-case response times. This limitation can have a considerable impact on the design, analysis and performance of TSN-based systems. To address this limitation, the paper presents a novel and more efficient frame preemption model in the TSN standard that allows over 90% reduction in the maximum blocking delay leading to lower worst-case response times of high priority frames compared to the frame preemption model used in the existing works. The paper also shows that the improvement becomes even more significant in multi-switch TSN networks. In order to evaluate the effects of preemption, the paper performs simulations by enabling and disabling preemptions as well as enabling and disabling the Hold/Release mechanism supported by TSN. Furthermore, the paper performs a comparative evaluation of the two models of frame preemption in TSN using simulations. The evaluation shows that the maximum response times of high priority frames can be significantly reduced with very small impact on the response times of lower priority frames. The paper also shows the improvement in the maximum response times of higher priority frames using an automotive industrial use case that employs a multi-hop TSN network for on-board communication.
To utilize edge and cloud in real-time industrial applications, communication with the edge and cloud servers should be predictable in timing. However, the predictability of offloading from device to servers cannot be guaranteed in an environment where multiple devices compete for the same edge and cloud resources, due to potential server-side scheduling conflicts. To the best of our knowledge, the state of the art lacks a technique for offloading real-time applications from multiple devices to a set of heterogeneous edge/cloud servers. To this end, this paper proposes a centralized resource reservation technique that enables the offloading of real-time applications to the edge and cloud according to a predictable time schedule. The proposed technique enables end-devices to request the server's time for offloadable real-time applications in advance, allowing a designated offloading server to guarantee the tasks' timely execution. Furthermore, the proposed technique is capable of optimizing the reservation scheduling strategy with the goal of minimizing the energy consumption of edge servers while meeting the stringent timing requirements of real-time applications. The results showed that the number of deadline-satisfying jobs improved by 65%, and total energy consumption by 3%, compared to the second-best algorithm among those compared with the proposed algorithm when the number of jobs is varied.
Software design for automotive systems is highly complex due to the presence of strict data age constraints for event chains in addition to task-specific requirements. These age constraints define the maximum time for the propagation of data through an event chain consisting of independently triggered tasks. Tasks in event chains can have different periods, introducing over- and under-sampling effects, which additionally aggravates their timing analysis. Furthermore, different functionality in these systems is developed by different suppliers before the final system integration on the ECU. The software itself is developed in a hardware-agnostic manner, and this uncertainty and limited information at the early design phases may not allow effective analysis of end-to-end delays during that phase. In this paper, we present a method to compute end-to-end delays given the information available in the design phases, thereby enabling timing analysis throughout the development process. The presented methods are evaluated with extensive experiments, in which the decreasing pessimism with increasing system information is shown.
Automotive embedded systems are subjected to stringent timing requirements that need to be verified. One of the most complex timing requirements in these systems is the data age constraint. This constraint is specified on cause-effect chains and restricts the maximum time for the propagation of data through the chain. Tasks in a cause-effect chain can have different activation patterns and different periods, which introduce over- and under-sampling effects that additionally aggravate the end-to-end timing analysis of the chain. Furthermore, the level of timing information available at various development stages (from modeling of the software architecture to the software implementation) varies a lot; the complete timing information is available only at the implementation stage. This uncertainty and limited timing information can restrict the end-to-end timing analysis of these chains. In this paper, we present methods to compute end-to-end delays based on different levels of system information. The characteristics of different communication semantics are further taken into account, thereby enabling timing analysis throughout the development process of such heterogeneous software systems. The presented methods are evaluated with extensive experiments. As a proof of concept, an industrial case study demonstrates the applicability of the proposed methods following a state-of-the-practice development process.
Many industrial embedded systems have timing constraints on the data propagation through a chain of independent tasks. These tasks can execute at different periods, which leads to under- and oversampling of data. In such situations, understanding and validating the temporal correctness of end-to-end delays is not trivial. Many industrial areas further face distributed development, where different functionalities are integrated on the same platform after the development process. The large effect of scheduling decisions on the end-to-end delays can lead to expensive redesigns of software parts due to the lack of analysis at early design stages. Job-level dependencies are one solution for this challenge, and means of scheduling such systems are available. In this paper we present MECHAniSer, a tool targeting the early analysis of end-to-end delays in multi-rate cause-effect chains with specified job-level dependencies. The tool further provides the possibility to synthesize job-level dependencies for a set of cause-effect chains in such a way that all end-to-end requirements are met. The usability and applicability of the tool to industrial problems is demonstrated via a case study.
Today's automotive embedded systems comprise a multitude of functionalities, many with complex timing requirements. Besides task-specific timing requirements, such applications often have timing requirements for the propagation of data through a chain of tasks. An important metric for control applications is the data age, which is addressed in this work. The analysis of such systems is non-trivial because tasks involved in the data propagation may execute at different periods, which leads to over- and undersampling within one chain. This work presents a novel method to compute worst- and best-case end-to-end latencies for such systems. A second contribution synthesizes job-level dependencies for such task sets in a way that data paths which exceed the age constraint are eliminated. An extensive evaluation is performed on synthetic task sets, and the applicability to industrial applications is demonstrated in a case study.
The majority of embedded control systems are modeled with several chains of independently triggered tasks, also known as multi-rate effect chains. These chains often have stringent end-to-end timing requirements that should be satisfied before running the system. MECHAniSer is one of the tools that supports end-to-end timing analysis of such chains. In addition, the tool provides the possibility to synthesize job-level dependencies for these chains such that all end-to-end timing requirements are satisfied. In this paper we showcase an extension of MECHAniSer that supports the analysis of mixed chains that contain a mix of independent and dependent tasks.
Model-based development and component-based software engineering have emerged as a promising approach to deal with the enormous software complexity in automotive systems. This approach supports the development of software architectures by interconnecting (and reusing) software components (SWCs) at various abstraction levels. Automotive software architectures are often modeled with chains of SWCs, also called cause-effect chains, that are constrained by timing requirements. Based on the variations in activation patterns of SWCs, a single model of a cause-effect chain at a higher abstraction level can conform to several valid refined models of the chain at a lower abstraction level, which is closer to the system implementation. As a consequence, the total number of valid implementation-level models generated by the existing techniques increases exponentially, thereby significantly increasing the runtime of the timing analysis engines and limiting the scalability of the existing techniques. This paper computes an upper bound on the activation pattern combinations that may result from a system of cause-effect chains in a given high-level model of the software architecture. An efficient algorithm is presented that traverses only a reduced number of possible combinations of the cause-effect chains, resulting in the timing analysis of a significantly lower number of implementation-level models of the software architecture. A proof of concept is provided by conducting a case study that shows a significant reduction in the runtime of timing analysis engines, i.e., the timing behavior of the considered system is verified by performing the timing analysis of only 27% of all possible combinations of the cause-effect chains.
Developing automotive software is becoming increasingly challenging due to the continuous increase in its size and complexity. The development challenge is amplified when the industrial requirements dictate extensions to the legacy (previously developed) automotive software while still requiring the existing timing requirements to be met. To cope with these challenges, sufficient techniques and tooling to support the modeling and timing analysis of such systems at earlier development phases are needed. Within this context, we focus on the extension of software component chains in the software architectures of automotive legacy systems. Selecting the sampling frequency, i.e., the period, for newly added software components is crucial to meet the timing requirements of the chains. The challenges in selecting periods are identified. It is further shown how to automatically assign periods to software components such that the end-to-end timing requirements are met while the runtime overhead is minimized. An industrial case study is presented that demonstrates the applicability of the proposed solution to industrial problems.
A majority of multi-rate real-time systems are constrained by a multitude of timing requirements, in addition to the traditional deadlines on well-studied response times. This means that the timing predictability of these systems not only depends on the schedulability of certain task sets but also on the timely propagation of data through the chains of tasks from sensors to actuators. In the automotive industry, four different timing constraints corresponding to various data propagation delays are commonly specified on the systems. This paper identifies and addresses the source of pessimism as well as optimism in the calculations for one such delay, namely the reaction delay, in the state-of-the-art analysis that is already implemented in several industrial tools. Furthermore, a generic framework is proposed to compute all four end-to-end data propagation delays, complying with the established delay semantics, in a scheduler- and hardware-agnostic manner. This allows analysis of the system models already at early development phases, where limited system information is present. The paper further introduces mechanisms to generate job-level dependencies, a partial ordering of jobs, which need to be satisfied by any execution platform in order to meet the data propagation timing requirements. The job-level dependencies are first added to all task chains of the system and then reduced to their minimum required set such that the job order is not affected. Moreover, a necessary schedulability test is provided, allowing for varying the number of CPUs. The experimental evaluations demonstrate the tightness in the reaction delay with the proposed framework as compared to the existing state-of-the-art and state-of-practice solutions.
Access to shared memory is one of the main challenges for many-core processors. One group of scheduling strategies for such platforms focuses on separating tasks' accesses to shared memory from their code execution. This makes it possible to orchestrate the access to shared local and off-chip memory in such a way that access contention between different compute cores is avoided by design. In this work, an execution framework is introduced that leverages local memory by statically allocating a subset of tasks to cores. This reduces the access times to shared memory, as off-chip memory access is avoided, and in turn improves the schedulability of such systems. A Constraint Programming (CP) formulation is presented that selects the statically allocated tasks and generates the complete system schedule. Evaluations show that the proposed approach yields an up to 21% higher schedulability ratio than related work, and a case study demonstrates its applicability to industrial problems.
Controller Area Network (CAN) and Ethernet networks are expected to co-exist in the automotive industry, as Ethernet provides high-bandwidth communication while CAN is a legacy cost-effective solution. Due to the shortcomings of conventional switched Ethernet, such as its lack of determinism, the IEEE Time Sensitive Networking (TSN) task group developed a set of standards to enhance the switched Ethernet technology, providing low-jitter and deterministic communication. Considering these two network domains, we investigate various design approaches for a gateway that connects a CAN domain to a TSN domain. We present three gateway forwarding techniques and develop end-to-end delay analysis methods for them. By applying the analysis methods to synthetic use cases, we show that the intuitive existing approach of encapsulating multiple CAN frames into a single Ethernet frame is not necessarily an efficient solution. In fact, we demonstrate several cases where it is preferable to encapsulate only one CAN frame into a TSN frame, in particular when a high-speed TSN network is used. The results have a significant impact on developing such gateways, as the implementation of the one-to-one frame encapsulation is considerably simpler than other, more complex gateway-forwarding techniques.
This paper performs a comparative evaluation of various generations of Controller Area Network (CAN), including the classical CAN, CAN Flexible Data-Rate (FD), and CAN Extra Long (XL). We utilize response-time analysis for the evaluation. In this regard, we identify that the state of the art lacks a response-time analysis for CAN XL. Hence, we discuss the worst-case transmission time calculations for CAN XL frames and incorporate them into the existing analysis for CAN to support response-time analysis of CAN XL frames. Using the extended analysis, we perform a comparative evaluation of the three generations of CAN by analyzing an automotive industrial use case. In essence, we show that using CAN FD is more advantageous than the classical CAN and CAN XL when using frames with payloads of up to 8 bytes, despite the fact that CAN XL supports higher bit rates. For frames with 12-64 byte payloads, CAN FD performs better than CAN XL when running at the same bit rate, but CAN XL performs better when running at a higher bit rate. Additionally, we discovered that CAN XL performs better than the classical CAN and CAN FD when the frame payload is over 64 bytes, even if it runs at the same or a higher bit rate than CAN FD.
The Time-Sensitive Networking (TSN) amendments and protocols add capabilities on top of standard 802.1 Ethernet for guaranteeing the timeliness of both (isochronous) scheduled traffic (ST) and shaped audio-video bridging (AVB) communication in distributed applications. ST streams are guaranteed via an offline-computed schedule controlling the time-aware gate mechanism of IEEE 802.1Qbv, while AVB real-time streams are shaped via a credit-based shaper (CBS) and scheduled with lower priority than ST. Although the two traffic classes use different TSN mechanisms, they are interrelated, as the ST traffic class schedule influences the latency of AVB traffic. In this paper, we propose a method for the integration of the ST schedule synthesis with an analysis for the AVB class featuring IEEE 802.1Qbu frame preemption under different configurations, to reduce the interference between the two classes. We first present a new worst-case response-time (WCRT) analysis for the AVB traffic class in TSN networks with preemption, considering an arbitrary number of AVB queues and different configurations for the CBS credit behavior. Then, we integrate the creation of ST schedule tables with the schedulability analysis of AVB traffic using a heuristic algorithm featuring frame preemption and a novel routing mechanism aimed at maximizing AVB schedulability. Finally, we evaluate our approach using both real-world and synthetic use cases, showing its efficiency both in terms of schedule creation runtime and in terms of increasing the schedulability of lower-priority AVB traffic.
In a distributed system, applications can perform both reads and updates without costly synchronous network round-trips by using Conflict-free Replicated Data Types (CRDTs). Most CRDTs are based on some variant of atomic broadcast, as that enables them to support causal dependencies between updates of multiple objects. However, the overhead of this atomic broadcast is unnecessary in systems handling only independent CRDT objects. We identified a set of use cases for tracking resource usage where there is a need for a replication mechanism with less complexity and network usage compared to using atomic broadcast. In this paper, we present the design of such a replication protocol that efficiently leverages the commutativity of CRDTs. The proposed protocol, CReDiT (CRDT enhanced with intelligence), uses up to four communication steps per update, but these steps can be batched as needed. It uses network resources only when updates need to be communicated. Furthermore, it is less sensitive to server failures than current state-of-the-art solutions, as other nodes can use new values already after the first communication step, instead of after two or more.
Embedded systems typically have limited processing and storage capabilities, and may only intermittently be powered on. After sending data from its sensors upstream, the system must therefore be able to trust that the data, once acknowledged, is not lost. The purpose of this work is to propose a novel solution for replicating data between the upstream nodes in such systems, with a minimal effect on the software architecture. On the assumption that there is no relative order between replicated data tuples, we designed a new replication protocol based on partial replication. Our protocol uses only 2 communication steps per data tuple, instead of the 3 to 12 used by other solutions. We verified its failover mechanism in a proof-of-concept implementation of the protocol using simulated network failures, and evaluated the implementation on throughput and latency in several controlled experiments using up to 7 nodes in up to 5 geographically separated areas, with up to 1000 data producers per node. The recorded system throughput increased linearly relative to both the number of nodes and the number of data producers. For comparison, Paxos showed a performance similar to our protocol when using 3 nodes, but got slower as more nodes were added. The lack of a relative order, in combination with partial replication, enables our system to continue working during network partitions, not only in the part containing the majority of the nodes, but also in any sufficiently large minority partitions.
In the last decade, electronics and software have replaced many mechanical components in vehicles at an unprecedented rate. New emerging technologies have found their way into the vehicular domain, like, for instance, ADAS systems. This change brings some particular challenges with it in terms of functionalities, safety and security. Many vehicle distributed functions require hard real-time and secure communication. Therefore, the electrical and electronic (E/E) architectures are in a continuously adapting trend to meet the new standards. The adaptation from a distributed to a domain-centralized architecture is already present. It is crucial to facilitate reuse of system architectural solutions in order to make system development more efficient. Therefore, we propose the use of communication architectural patterns. We present a method to map communication patterns on a certain layer of abstraction. The method has been evaluated through several industrial use cases. Furthermore, this work sets precedence for future research and development, as well as future applications of the method.
This paper introduces a novel model-driven methodology for the software development of real-time distributed vehicular embedded systems on single- and multi-core platforms. The proposed methodology discloses the opportunity of improving the cost-efficiency of the development process by providing automated support to identify viable design solutions with respect to selected non-functional requirements. To this end, it leverages the interplay of modelling languages for the vehicular domain whose integration is achieved by a suite of model transformations. An instantiation of the methodology is discussed for timing requirements, which are among the most critical ones for vehicular systems. To support the design of temporally correct systems, a cooperation between EAST-ADL and the Rubus Component Model is opportunely built up by means of model transformations, enabling timing-aware design and model-based timing analysis of the system. The applicability of the methodology is demonstrated as proofs of concept on industrial use cases performed in cooperation with our industrial partners.
The adoption of model-driven engineering in the automotive domain resulted in the standardization of a layered architectural description language, namely EAST-ADL, which provides means for enforcing abstraction and separation of concerns, but no support for automation among its abstraction levels. This support is particularly helpful when manual transitions among levels are tedious and error-prone. This is the case of the design and implementation levels. Certain fundamental analyses (e.g., timing), which have a significant impact on design decisions, give precise results only if performed on implementation-level models, which are currently created manually by the developer. Dealing with complex systems, this task soon becomes overwhelming, leading to the creation of a subset of models based on the developer's experience; relevant implementation-level models may therefore be missed. In this work, we describe means for automation between EAST-ADL design and implementation levels to anticipate end-to-end delay analysis at design level for driving design decisions.
The size, complexity and heterogeneity of vehicular software systems have been constantly increasing. As a result, there is a growing consensus on the need to leverage model-based techniques for automating, thus taming, error-proneness of tedious engineering tasks. Our methodology employs a one-to-many model transformation for generating a set of implementation models from a single design model. Then, it evaluates the appropriateness of each generated model by means of model-based timing analysis. In this ongoing work, we discuss an enhancement of our methodology where model-based timing analysis is extended for running on a single model with uncertainty.
Models and model transformations, the two core constituents of Model-Driven Engineering, aid in software development by automating, thus taming, error-proneness of tedious engineering activities. In most cases, the result of these automated activities is an overwhelming amount of information. This is the case of one-to-many model transformations that, e.g. in design-space exploration, can potentially generate a massive amount of candidate models (i.e., a solution space) from one single model. In our scenario, from one design model we generate a set of possible implementation models on which timing analysis is run. The aim is to find the best model from a timing perspective. However, multiple implementation models can have equally good analysis results. Therefore, the engineer is expected to investigate the solution space for making a final decision, using criteria which fall outside the analysis criteria themselves. Since candidate models can be many and very similar to each other, manually finding differences and commonalities is an impractical and error-prone task. In order to provide the engineer with an expressive representation of models' commonalities and differences, we propose the use of modelling with uncertainty. We achieve this by elevating the solution space to a first-class status, adopting a compact notation capable of representing the solution space by means of a single model with uncertainty. Commonalities and differences are thus represented by means of uncertainty points for the engineer to easily grasp them and consistently make her decision without manually inspecting each model individually.
This tutorial focuses on the vehicular domain, which is going through a very interesting moment due to the many challenges the domain is experiencing, including autonomy of vehicles, vehicles that are becoming constituent systems in the system-of-systems context, and many more. The ever-increasing software complexity in vehicles requires software architecture descriptions, which enable the software developers to compare and relate different products across different vehicle programs, development units, and organisations (in the vehicular ecosystem). Many vehicular functions are constrained by stringent timing requirements. The developers of these functions are required to analyse and verify these requirements at the software architecture level and often very early during the development process [1], [2]. In this context, the tutorial focuses on the design and timing predictability verification of vehicular software architectures for different Electrical and Electronic (E/E) architectures in connected and autonomous vehicles. The key takeaways of the tutorial are: i) an overview of the software development for various vehicular E/E architectures; ii) an overview of the state of the art in the area; iii) understanding the rudiments and value of timing analysis for this domain; iv) experience of an industrial process for architecting and analysing the vehicle software via hands-on practice and demonstration.
The automotive E/E architectures are evolving from the traditional distributed architectures to upcoming consolidated domain architectures and possibly future centralised architectures. This paper demonstrates modelling and timing analysis of real-time embedded systems on contemporary automotive E/E architectures using the Rubus-ICE tool suite. The Rubus concept and tool suite, developed and evolved based on close academic-industrial collaboration, have been used in the automotive industry for over 25 years. The paper also demonstrates recent extensions and discusses proposals to support the modelling and timing analysis of the systems on future E/E architectures.
Fueled by an increasing demand for computational power and high-data-rate, low-latency on-board communication, automotive electrical and electronic architectures are evolving from distributed to consolidated domain and centralised architectures. Future electrical and electronic automotive architectures are envisioned to leverage heterogeneous computing platforms, where several different processing units will be embedded within electronic control units. These powerful control units are expected to be connected by high-bandwidth and low-latency on-board backbone networks. This paper draws on the industrial collaboration with the Swedish automotive industry for tackling the challenges associated with the model-based development of predictable embedded software for contemporary and evolving automotive E/E architectures.
Over the last two decades, vehicles have undergone a significant shift, transforming into highly software-intensive systems. Projections indicate that even entry-level vehicles will soon integrate hundreds of millions of lines of code and incorporate numerous electronic control units. To navigate the complexity of these software-intensive systems, there has been a notable shift towards adopting model-driven engineering and specialised modelling languages. Among these languages, the Rubus Component Model has played a crucial role for over 25 years, supporting the development and timing analysis of distributed resource-constrained embedded systems. The enduring success of the Rubus Component Model lies in its responsiveness to end-users' demands and its ability to adapt to technological advancements. Notably, the proliferation of network interface controllers, including controller area network controllers, supporting diverse message-receiving policies like polling and interrupt, represents a significant advancement. However, the implications of these policies on end-to-end delays in distributed systems necessitate explicit modelling and dedicated timing analysis tools. This paper introduces an evolved Rubus Component Model, tailored for model-driven development and timing analysis in distributed embedded systems that utilise network interface controllers with diverse message-receiving policies. Drawing inspiration from a real-world example, the paper introduces new elements and properties in the Rubus Component Model designed to support these policies and facilitate timing analysis. The practical application of these enhancements is demonstrated, and insights are extended to other contemporary modelling languages in the vehicular domain. Beyond bolstering expressiveness, this evolution ensures the timing predictability of distributed embedded systems, aligning seamlessly with the Rubus Component Model's core focus.
This paper presents a model-driven development methodology for automotive real-time embedded systems that is augmented according to realistic but intellectual-property-free automotive benchmarks. The augmentation corresponds to the enrichment of various real-time properties and design decisions in the methodology, including the specification of different activation rates and patterns along embedded software component chains. These chains can be deployed within Electronic Control Units as well as on multiple distributed Electronic Control Units connected by on-board networks. This is achieved by extending the modelling-language pillar of the methodology with structural elements and constraints guiding the specification of the activation rates and enforcing the activation patterns in the chains. The proposed extensions automatically discard non-complying activation rates along the chains and aid the engineer in selecting valid activation rates according to the automotive benchmarks. The extended methodology reduces the complexity of software development in automotive real-time embedded systems.
We discuss the problem of extracting control and data flows from vehicular distributed embedded systems at higher abstraction levels during their development. Unambiguous extraction of control and data flows is a vital part of the end-to-end timing model which is used as input by the end-to-end timing analysis engines. The goal is to support end-to-end timing analysis at higher abstraction levels. In order to address the problem, we propose a two-phase methodology that exploits the principles of Model-Driven Engineering and Component-Based Software Engineering. Using this methodology, the software architecture at a higher level is automatically transformed to all legal implementation-level models. The end-to-end timing analysis is performed on each generated implementation-level model and the analysis results are fed back to the design-level model. This activity supports design space exploration, model refinement and/or remodeling at higher abstraction levels for tuning the timing behavior of the system.
According to the Model-Driven Engineering paradigm, one of the entry requirements when realising a seamless tool chain for the development of software is the definition of metamodels, to regulate the specification of models, and model transformations, for automating manipulations of models. In this context, we present a metamodel definition for the Rubus Component Model, an industrial solution used for the development of vehicular embedded systems. The metamodel includes the definition of structural elements as well as elements for describing timing information. In order to show how, using Model-Driven Engineering, the integration between different modelling levels can be automated, we present a model-to-model transformation between models conforming to EAST-ADL and models described by means of the Rubus Component Model. To validate our solution, we exploit a set of industrial automotive applications to show the applicability of both the Rubus Component Model metamodel and the model transformation.
There are various methodologies that support the extraction of timing models from EAST-ADL design-level models during the development of vehicular embedded software systems. These timing models are used to predict timing behavior of the systems by performing end-to-end timing analysis. This paper presents, for the first time, a comparative evaluation of three methodologies. We present an evaluation framework that consists of several evaluation features. Using the framework, we compare and evaluate the methodologies against each feature. Eventually, the evaluation results can be used as guidelines for the selection of the most suitable methodology with respect to the end-to-end timing behavior of a given vehicular embedded application.
Software in modern vehicles consists of multi-criticality functions, where a function can be safety-critical with stringent real-time requirements, less critical from the vehicle operation perspective but still with real-time requirements, or not critical at all. Next-generation autonomous vehicles will require higher computational power to run multi-criticality functions, and such power can only be provided by parallel computing platforms such as multi-core architectures. However, current model-based software development solutions and related modelling languages have not been designed to effectively deal with challenges specific to multi-core, such as core interdependency and controlled allocation of software to hardware. In this paper, we report on the evolution of the Rubus Component Model for the modelling, analysis, and development of vehicular software systems with multi-criticality for deployment on multi-core platforms. Our goal is to provide a lightweight and technology-preserving transition from model-based software development for single-core to multi-core. This is achieved by evolving the Rubus Component Model to capture explicit concepts for multi-core and parallel hardware and for expressing variable criticality of software functions. The paper illustrates these contributions through an industrial application in the vehicular domain.
The vehicular industry has exploited model-based engineering for the design, analysis, and development of single-core vehicular systems. The next generation of autonomous vehicles will require higher computational power, which can only be provided by parallel computing platforms such as multi-core electronic control units. Current model-based software development solutions and related modelling languages, originally conceived for single-core, cannot effectively deal with multi-core-specific challenges, such as core interdependency and allocation of software to hardware. In this paper, we propose an extension to the Rubus Component Model, central to the Rubus model-based approach, for the modelling, analysis, and development of vehicular systems on multi-core. Our goal is to provide a lightweight transition of a model-based software development approach from single-core to multi-core, without disrupting the current technological assets in the vehicular domain.
We present a demonstrator for modeling and development of component-based vehicular distributed real-time systems using the industrial model Rubus Component Model (RCM) and its development environment Rubus-ICE (Integrated Component development Environment). It demonstrates various stages during the development process of these systems such as modeling of software architecture, performing timing analysis, automatic synthesis of code from the software architecture, simulation, testing, and deployment.