Schedulability and end-to-end latency in distributed ECU networks: formal modeling and precise estimation

Embedded control systems in automobiles are typically implemented by a set of tasks deployed on multiple Electronic Control Units (ECUs) communicating via one or more buses such as CAN or FlexRay. In safety-critical systems, there are hard real-time bounds on (i) the response times of tasks/messages and (ii) the end-to-end latencies of certain task/message chains. These depend on various factors such as the number of tasks (and messages) involved in the processing (and communication) sequence, the parameters of these tasks/messages, scheduling policies, communication protocols, clock drifts, etc. Moreover, since data transfer among tasks/messages typically goes through asynchronous buffers that are overwritable and sticky, multiple semantics are possible for end-to-end latency. Hence, precise estimation of response times and end-to-end latencies in embedded systems is a non-trivial problem. In this paper, we propose a model-checking-based technique to compute worst-case response times and end-to-end latencies. We consider a distributed system made of preemptively scheduled tasks and non-preemptively scheduled messages. Given a chain in the system, we estimate two different end-to-end latencies, LIFO and LILO, which are important in the automotive domain. From a system description, we automatically synthesize a formal model based on a discrete event simulation formalism called Calendar Automata. The model is then model-checked to compute response times and end-to-end latencies. Our technique is more scalable than existing formal-methods-based techniques. We have illustrated it on reasonably large case studies from the automotive domain.
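As an added illustration (not code from the paper), the following Python simulates one producer-to-consumer chain through a sticky, overwritable buffer and computes two chain latencies to show why buffer semantics give different numbers. The names LIFO (last input to first output) and LILO (last input to last output) follow the abstract's terms, but these working definitions, the task parameters, the use of fixed response times in place of a scheduler, and the convention that a write at the same instant as a read is visible are all assumptions made here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    period: int    # activation period (assumed time units)
    response: int  # assumed response time: the producer writes, and the
                   # consumer outputs, this long after activation


def write_times(producer: Task, horizon: int):
    """Instants at which the producer job writes into the buffer."""
    return [k * producer.period + producer.response
            for k in range(horizon // producer.period + 1)
            if k * producer.period + producer.response <= horizon]


def chain_latencies(producer: Task, consumer: Task, horizon: int):
    """Simulate a producer -> buffer -> consumer chain up to `horizon`.

    The buffer is overwritable (a newer sample replaces an unread one) and
    sticky (a sample stays readable until replaced, so it may be read twice).
    Returns (max LIFO latency, max LILO latency, overwritten sample times).
    """
    writes = write_times(producer, horizon)
    buffer = None          # write time of the sample currently in the buffer
    outputs = {}           # write time -> output times derived from it
    wi = 0
    for k in range(horizon // consumer.period + 1):
        read_at = k * consumer.period
        # Apply every write up to the read instant; only the last one survives.
        while wi < len(writes) and writes[wi] <= read_at:
            buffer = writes[wi]
            wi += 1
        if buffer is None:
            continue       # nothing has been written yet
        outputs.setdefault(buffer, []).append(read_at + consumer.response)
    # LIFO: from the input actually consumed to the first output using it.
    lifo = max(outs[0] - w for w, outs in outputs.items())
    # LILO: from that input to the last output still using it (data age).
    lilo = max(outs[-1] - w for w, outs in outputs.items())
    lost = [w for w in writes if w not in outputs]
    return lifo, lilo, lost


if __name__ == "__main__":
    # Constructed parameters: undersampling consumer, then oversampling consumer.
    print(chain_latencies(Task(4, 1), Task(6, 2), 24))  # samples get overwritten
    print(chain_latencies(Task(6, 1), Task(4, 1), 24))  # samples get reused
```

In the first configuration LIFO and LILO coincide but two samples are overwritten before being read; in the second no sample is lost, but LILO exceeds LIFO because stale data is re-read.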
