Timing verification of real-time automotive Ethernet networks: what can we expect from simulation?

Switched Ethernet is a technology that is profoundly reshaping automotive communication architectures, as it did in other application domains such as avionics with the use of AFDX backbones. Early stage timing verification of critical embedded networks typically relies on simulation and worst-case schedulability analysis. When the modeling power of schedulability analysis is not sufficient, there are typically two options: either make pessimistic assumptions or ignore what cannot be modeled. Both options are unsatisfactory because they are either inefficient in terms of resource usage or potentially unsafe. To overcome those issues, we believe it is good practice to use simulation models, which can be more realistic, along with schedulability analysis. The two basic questions we aim to study here are: what can we expect from simulation, and how should it be used properly? This empirical study explores these questions on realistic case studies and provides methodological guidelines for the use of simulation in the design of switched Ethernet networks. A broader objective of the study is to compare the outcomes of schedulability analyses and simulation, and to draw conclusions about the scope of usability of simulation in the design of critical Ethernet networks.

1 Context and objectives of the study

In vehicles, Ethernet is intended not only to support infotainment applications but also to carry time-sensitive data used for the real-time control of the vehicle and for ADAS functions. In such use-cases, the temporal behavior of the communication architecture must be carefully validated. Early stage timing verification of critical embedded networks typically relies on simulation and worst-case schedulability analysis, which basically consists in building a mathematical model of the worst possible situations that can be encountered at run-time.
When the modeling capabilities of schedulability analysis are not sufficient, which, given the complexity of today's architectures, is in our experience the case in many practical situations (see [Na13,Na14] and § 2.4), there are typically two possibilities. The first option is to make pessimistic assumptions (e.g., modeling aperiodic frames as periodic ones), which is not always possible because, for instance, it may result in overloaded resources (e.g., a link utilization larger than 100%). The second option is to ignore what cannot be modeled (e.g., transmission errors, aperiodic traffic, etc.). Both options are unsatisfactory because they are either inefficient in terms of resource usage or potentially unsafe. In addition, schedulability analysis tools can return wrong results, most often because the assumptions of the analysis are not met by the actual implementation, or possibly because of numerical issues in the implementation (e.g., if floating-point arithmetic is used), or simply because the analysis itself is flawed (see for instance [Da07]).
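As an added illustration, not code from the paper, the Python script below computes per-link utilization for a constructed flow set under both options the text mentions for aperiodic traffic (treat it as periodic at its minimum inter-arrival time, or ignore it), using exact rational arithmetic; the flow names, frame sizes, periods, routes and the 100 Mbit/s link rate are assumptions.

```python
# Added illustration (not from the paper): per-link utilization of a constructed
# flow set with aperiodic frames made periodic (pessimistic) or ignored (unsafe).
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Optional

WIRE_OVERHEAD_BYTES = 20  # preamble + SFD (8 B) plus inter-frame gap (12 B)

@dataclass
class Flow:
    name: str
    frame_bytes: int           # frame size excluding preamble/SFD/IFG
    period_us: Optional[int]   # None for aperiodic traffic
    min_gap_us: Optional[int]  # minimum inter-arrival time of aperiodic traffic
    route: List[str]           # ordered list of links the frames traverse

def tx_time_us(frame_bytes: int, link_mbps: int) -> Fraction:
    # Exact rationals sidestep the floating-point issues the text warns about.
    return Fraction((frame_bytes + WIRE_OVERHEAD_BYTES) * 8, link_mbps)

def link_utilization(flows: List[Flow], link_mbps: int,
                     aperiodic: str) -> Dict[str, Fraction]:
    """aperiodic='pessimistic' treats each aperiodic flow as periodic with
    its minimum inter-arrival time; aperiodic='ignore' drops it."""
    util: Dict[str, Fraction] = {}
    for f in flows:
        if f.period_us is not None:
            period = f.period_us
        elif aperiodic == "pessimistic" and f.min_gap_us is not None:
            period = f.min_gap_us
        elif aperiodic == "ignore":
            continue
        else:
            raise ValueError(f"cannot model {f.name} with option {aperiodic!r}")
        share = tx_time_us(f.frame_bytes, link_mbps) / period
        for link in f.route:
            util[link] = util.get(link, Fraction(0)) + share
    return util

def overloaded_links(util: Dict[str, Fraction]) -> List[str]:
    return sorted(link for link, u in util.items() if u > 1)  # > 100 %

# Constructed sample: camera, control and aperiodic diagnostic flows on one port.
FLOWS = [
    Flow("cam1", 1400, 250, None, ["cam1->sw1", "sw1->ecu1"]),
    Flow("cam2", 1400, 250, None, ["cam2->sw1", "sw1->ecu1"]),
    Flow("ctrl", 100, 1000, None, ["ecu2->sw1", "sw1->ecu1"]),
    Flow("diag", 1500, None, 500, ["gw->sw1", "sw1->ecu1"]),
]
```

With the sample values, ignoring the diagnostic burst leaves the port to ECU1 at about 92% utilization, whereas making it periodic at its 500 µs minimum gap pushes the same port above 100%, which is exactly the situation the text describes.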

[1] Stephan Merz et al., "Proof-by-Instance for Embedded Network Design: From Prototype to Tool Roadmap," 2014.

[2] Nicolas Navet et al., "Fine-grained Simulation in the Design of Automotive Communication Systems," 2012.

[3] Eric Thierry et al., "An Algorithmic Toolbox for Network Calculus," Discrete Event Dynamic Systems, 2008.

[4] Michael Glaß et al., "Formal analysis of the startup delay of SOME/IP service discovery," Design, Automation & Test in Europe Conference & Exhibition (DATE), 2015.

[5] Robert I. Davis et al., "Controller area network (CAN) schedulability analysis for messages with arbitrary deadlines in FIFO and work-conserving queues," 9th IEEE International Workshop on Factory Communication Systems, 2012.

[6] Marc Boyer et al., "A simple and efficient class of functions to model arrival curve of packetised flows," 2011.

[7] "PEGASE - A Robust and Efficient Tool for Worst-Case Network Traversal Time Evaluation on AFDX," 2011.

[8] Alan Burns et al., "Controller Area Network (CAN) schedulability analysis: Refuted, revisited and revised," Real-Time Systems, 2007.

[9] Marc Boyer et al., "Integrating end-system frame scheduling for more accurate AFDX timing analysis," 2014.

[10] Marc Boyer et al., "Experimental assessment of timing verification techniques for AFDX," 2012.

[11] Cédric Mauclair, "Une approche statistique des réseaux temps réel embarqués," 2013.

[12] Nicolas Navet et al., "Impact of clock drifts on CAN frame response time distributions," ETFA 2011.

[13] Stephan Merz et al., "Certifying Network Calculus in a Proof Assistant," 2013.

[14] Alberto Sangiovanni-Vincentelli et al., "Stochastic Analysis of CAN-Based Real-Time Automotive Systems," IEEE Transactions on Industrial Informatics, 2009.

[15] Nicolas Navet et al., "Timing verification of automotive communication architectures using quantile estimation," 2014.

[16] Christian Fraboul et al., "Improving the Worst-Case Delay Analysis of an AFDX Network Using an Optimized Trajectory Approach," IEEE Transactions on Industrial Informatics, 2010.

[17] Alberto L. Sangiovanni-Vincentelli et al., "Using Statistical Methods to Compute the Probability Distribution of Message Response Time in Controller Area Network," IEEE Transactions on Industrial Informatics, 2010.

[18] Nicolas Navet et al., "Insights on the Configuration and Performances of SOME/IP Service Discovery," 2015.