ABSTRACT: The European ARTEMIS ACROSS project aims to overcome the limitations of existing Multi-Processor Systems-on-a-Chip (MPSoC) architectures with respect to safety-critical applications. MPSoCs have a tremendous potential in the domain of embedded systems considering their enormous computational capacity and energy efficiency. However, the currently existing MPSoC architectures have significant limitations with respect to safety-critical applications. These limitations include difficulties in the certification process due to the high complexity of MPSoCs, the lack of temporal determinism, and problems related to error propagation between subsystems. These limitations become even more severe when subsystems of different criticality levels have to be integrated on the same computational platform. Examples of such mixed-criticality integration are found in the avionics and automotive industry with their desire to integrate safety-critical, mission-critical and non-critical subsystems on the same platform in order to minimize size, weight, power and cost. The main objective of ACROSS is to develop a new generation of multi-core processors designed specifically for safety-critical embedded systems: the ACROSS MPSoC. In this paper we show how the ACROSS MPSoC overcomes the limitations of existing MPSoC architectures in order to make multi-core technology available to the safety-critical domain.
Euromicro Conference on Digital System Design (DSD); 01/2012
ABSTRACT: This paper proposes a SystemC based extension for the modeling of Time-Triggered Architecture (TTA) based real-time embedded systems. The extension, called Executable Time-Triggered Model (E-TTM), supports the time-triggered model of computation and provides a time domain deterministic modeling framework based on SystemC. E-TTM can be used from the architectural design phase to support early functional, temporal and dependability assessments. This approach is illustrated with two case studies: the design and Simulated Fault Injection (SFI) of an odometry safety-critical embedded system, and the design and simulation of a real-time control system integrated with a SystemC-AMS model of the plant.
ABSTRACT: This paper proposes a SystemC based extension for the modeling of generic Time-Triggered Architecture (TTA) based safety-critical embedded systems. The extension, called Executable Time-Triggered Model (E-TTM), supports the time-triggered model of computation and provides a time domain deterministic modeling framework based on SystemC. E-TTM can be used in the architectural design phase to support early functional, temporal and dependability assessments. The development of safety-critical embedded systems that must satisfy a certain set of timing constraints with an ever-increasing functionality leads to considerable complexity growth. E-TTM tackles the complexity challenge by means of simplification strategies such as abstraction, partition, segmentation and time determinism.
Proceedings of the 2010 Forum on specification & Design Languages, FDL 2010, September 14-16, 2010, Southampton, UK; 01/2010
ABSTRACT: This paper deploys end-to-end message checksums for error detection in the time-triggered system-on-chip architecture (TTSoCA). The end-to-end checksums are not only checked at the end, but also intermediately in the communication subsystem of the systems-on-chip (SoCs), concurrently with the message transmission, in order to isolate faults: if a message transmission error occurs, the goal is to pinpoint whether the fault has originated in an IP core, in the communication subsystem, or in a gateway.
ABSTRACT: This paper describes an integrated system architecture for automotive electronic systems based on multicore systems-on-chips (SoCs). We integrate functions from different suppliers into a few powerful electronic control units using a dedicated core for each function. This work is fueled by technological opportunities resulting from recent advances in the semiconductor industry and the challenges of providing dependable automotive electronic systems at competitive costs. The presented architecture introduces infrastructure IP cores to overcome key challenges in moving to automotive multicore SoCs: a time-triggered network-on-a-chip with fault isolation for the interconnection of functional IP cores, a diagnostic IP core for error detection and state recovery, a gateway IP core for interfacing legacy systems, and an IP core for reconfiguration. This paper also outlines the migration from today's federated architectures to the proposed integrated architecture using an exemplary automotive E/E system.
IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 08/2009; · 1.09 Impact Factor
ABSTRACT: The GENESYS (Generic Embedded System) project is a European research project that aims to develop a cross-domain architecture for embedded systems. The requirements and constraints for such an architecture are documented in the ARTEMIS strategic research agenda in the form of seven key challenges. This paper presents the architectural style of GENESYS by listing the key architectural principles, such as: strict component orientation, separation of computation from communication, availability of a common time, hierarchical system structure, adherence to message passing, state awareness, fault isolation and integrated resource management. This paper explains how these architectural principles contribute to solving the seven key challenges in the ARTEMIS strategic research agenda.
2009 IEEE International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing, ISORC 2009, Tokyo, Japan, 17-20 March 2009; 01/2009
ABSTRACT: Dynamic resource management enables a system to react dynamically to changing resource demands or resource availability. It enables better resource utilization, improved dependability, and power-aware system behavior. This paper examines the application of dynamic resource management for an integrated time-triggered system architecture for embedded systems, which is designed to support mixed-criticality systems, i.e., systems integrating distributed application subsystems (DASs) with different dependability requirements on the same hardware platform. For such systems a vital characteristic is to achieve encapsulation of the hosted DASs and to provide mechanisms for fault isolation. The key challenge addressed in this paper is to preserve these system characteristics despite the presence of dynamic resource allocation. To this end, a resource management framework is presented that provides static resource guarantees for DASs having higher dependability requirements, while facilitating efficient resource utilization for less critical DASs.
ABSTRACT: The time-triggered system-on-a-chip (TTSoC) architecture enables the realization of mixed-criticality systems using SoCs. The integration of subsystems with different criticality enables massive cost reduction by reducing the overall number of devices and networks (e.g., ECUs in a car). To accomplish this goal, the TTSoC architecture offers inherent fault isolation mechanisms that prevent any unintended interference between application subsystems of different criticality. This paper demonstrates these capabilities using an exemplary automotive example with a safety-critical control subsystem and a multimedia subsystem. In the demo application, it is ensured by construction that any design fault in the multimedia subsystem cannot have any adverse effect on the safety-critical control subsystem.
ABSTRACT: It is the objective of the presented System-on-a-Chip (SoC) architecture to provide a predictable integrated execution environment for the component-based design of many different types of embedded applications (e.g., automotive, avionics, consumer electronics). At the core of this architecture is a time-triggered network-on-a-chip for the predictable interconnection of heterogeneous components. A component can be a self-contained computer, including system and application software, an FPGA, or a custom hardware unit. By providing a single uniform interface to all types of components for the exchange of messages, the architecture supports the component-based design of large applications and enables the massive reuse of components. The time-triggered network-on-a-chip offers inherent fault isolation to facilitate the seamless integration of independently developed components, possibly with different criticality levels. Furthermore, mechanisms for integrated resource management support dynamically changing resource requirements (e.g., different operational modes of an application), fault tolerance, power-aware system behavior, and the implementation of fault handling by reconfiguration.
Industrial Electronics, 2008. ISIE 2008. IEEE International Symposium on; 08/2008
ABSTRACT: The problem of naming has been extensively studied in the field of distributed systems. However, multi-processor systems-on-a-chip (MPSoCs), which are becoming more and more important in the construction of complex embedded systems, exhibit unique challenges with respect to naming. These challenges are induced by the need for dynamic resource management, independent development of IP cores and application subsystems, complexity management during system integration, and support for heterogeneous application domains. The solution proposed for naming in this paper is part of the time-triggered system-on-a-chip (TTSoC) architecture, which is a novel system architecture for MPSoCs. In particular, the developed naming scheme supports the integration of large embedded systems comprising multiple application subsystems (e.g., multimedia, comfort, powertrain in a car), each with its own dedicated domain-specific namespace. Furthermore, the TTSoC architecture provides gateways to support the construction of clusters of multiple SoCs, which creates the need for a naming scheme that establishes a uniform namespace across systems of systems.
Seventh European Dependable Computing Conference, EDCC-7 2008, Kaunas, Lithuania, 7-9 May 2008; 01/2008
ABSTRACT: The composition of a large SoC out of pre-validated IP cores requires an architecture that enables the seamless integration of components, i.e., composability. In this paper we present the five principles of composability that must be supported by any architecture that claims to enable the constructive composition of components. After the introduction of the TTSoC architecture and a description of a prototype implementation, we show how this architecture conforms to the principles of composability.
21st Annual IEEE International SoC Conference, SoCC 2008, September 17-20, 2008, Radisson Hotel, Newport Beach, CA, USA, Proceedings; 01/2008
ABSTRACT: The ongoing technological advances in the semiconductor industry make Multi-Processor Systems-on-a-Chip (MPSoCs) more attractive, because uniprocessor solutions do not scale satisfactorily with increasing transistor counts. In conjunction with the increasing rates of transient faults in logic and memory associated with the continuous reduction of feature sizes, this situation creates the need for novel MPSoC architectures. This paper introduces such an architecture, which supports the integration of multiple, heterogeneous IP cores that are interconnected by a time-triggered Network-on-a-Chip (NoC). Through its inherent fault isolation and determinism, the proposed MPSoC provides the basis for fault tolerance using Triple Modular Redundancy (TMR). On-chip TMR improves the reliability of an MPSoC, e.g., by tolerating a transient fault in one of three replicated IP cores. Off-chip TMR with three MPSoCs can be used in the development of ultra-dependable applications (e.g., X-by-wire), where the reliability requirements exceed the reliability that is achievable using a single MPSoC. The paper quantifies the reliability benefits of the proposed MPSoC architecture by means of reliability modeling. These results demonstrate that the combination of on-chip and off-chip TMR contributes towards building more dependable distributed embedded real-time systems.
Seventh European Dependable Computing Conference, EDCC-7 2008, Kaunas, Lithuania, 7-9 May 2008; 01/2008
ABSTRACT: There are many economic and technical arguments for the reduction of the number of Electronic Control Units (ECUs) aboard a car. One of the key obstacles to achieving this goal is the limited composability, fault isolation and error containment of today's single-processor architectures. However, significant changes in chip architecture are taking place in order to manage the synchronization, energy dissipation, and fault-handling requirements of emerging billion-transistor SoCs (systems-on-a-chip). The single-processor architecture is being replaced by multi-core SoCs that communicate via networks-on-chip (NoC). These emerging multi-core SoCs provide an ideal execution environment for the integration of multiple automotive ECUs into a single SoC. This paper presents a model-based software development method for designing applications using these multi-core SoCs.
Software Engineering for Automotive Systems, 2007. ICSE Workshops SEAS '07. Fourth International Workshop on; 06/2007
ABSTRACT: The time-triggered System-on-a-Chip (SoC) architecture provides a generic multi-core system platform for a family of composable and dependable giga-scale SoCs. It supports the integration of multiple application subsystems of different criticality levels within a single hardware platform. A pivotal property of the architecture is the integrated error containment, which facilitates modular certification, robustness, and composability. By dividing the complete SoC into physically separated components that interact exclusively by the timely exchange of messages on a time-triggered Network-on-a-Chip (NoC), we achieve error containment for both computational and communication resources. The time-triggered design allows the access to the NoC to be protected with guardians that are associated with each component. Based on the protection of the time-triggered NoC with inherent predictability and determinism, the architecture also enables error containment for faulty computational results. These value message failures can be masked using active redundancy (e.g., off-chip and on-chip Triple Modular Redundancy (TMR)) or detected using diagnostic assertions on messages. The design of the error containment mechanisms systematically follows a categorization of the significant fault classes that an SoC is subject to (e.g., physical/design, transient/permanent). Evidence for the effectiveness of the error containment mechanisms is available through experimental data from a prototype implementation.
Embedded System Design: Topics, Techniques and Trends, IFIP TC10 Working Conference: International Embedded Systems Symposium (IESS), May 30 - June 1, 2007, Irvine, CA, USA; 01/2007
ABSTRACT: Finite state machine (FSM) models are widely used to model the operations of computer systems. Since the basic FSM model is timeless, it is not possible to model within the basic FSM framework system properties that depend on the progression of real time, such as the duration of computations or the limited temporal validity of real-time data. To overcome these limitations, efforts have been made to modify the FSM model to include some notion of time. It is the objective of this paper to expand existing work on basic FSMs and timed automata to include the concept of a sparse global time base as a central element of the model. We call such an extended FSM model a periodic finite state machine (PFSM) model. The PFSM model also incorporates the notions of state variables, global time, periodic clock constraints, and time-triggered activities. Thereby, PFSMs enable a concise and intuitive representation of distributed control systems and reduce the gap between a modeled system and its implementation.
Tenth IEEE International Symposium on Object-Oriented Real-Time Distributed Computing (ISORC 2007), 7-9 May 2007, Santorini Island, Greece; 01/2007
ABSTRACT: Dual-core architectures are commonly used to establish fault tolerance on the node level. Since comparison is usually performed for the outputs only, no precise diagnostic information is available, and error handling comes down to a reset of both cores. The strategy proposed in this paper allows a more fine-grained error handling. It is based on the following steps: (1) identification of those registers that are actually relevant for recovering the last known correct core state; (2) protection of these registers by additional comparators; (3) use of the trap mechanism for recovering a consistent state of the complete core; (4) (optional) provision of rollback capability for the relevant registers in order to relax the critical path constraints. In the paper these individual steps are discussed, motivated, and put into context. In many cases the speed-up gained for the recovery is sufficient for using a dual core as a fail-operational instead of a fail-silent component with respect to transient faults. Rather than being restricted to a specific processor design, our mechanisms can be employed in a wide variety of dual-core architectures.
Defect and Fault Tolerance in VLSI Systems, 2006. DFT '06. 21st IEEE International Symposium on; 11/2006
ABSTRACT: The abstract should concisely summarize the contents of a paper. Since potential readers should be able to make their decision on the personal relevance based on the abstract, the abstract should clearly tell the reader what information he can expect to find in the paper. The most essential issue is the problem statement and the actual contribution of the described work. The authors should always keep in mind that the abstract is the most frequently read part of a paper. It should contain at least 70 and at most 120 words.
ABSTRACT: Depending on the physical structuring of large distributed safety-critical real-time systems, one can distinguish federated and integrated system architectures. This paper describes an integrated system architecture which combines the complexity management advantages of federated systems with the functional integration and hardware benefits of an integrated approach. In order to control complexity, the overall functionality is divided into a set of application subsystems, each with dedicated architectural communication services, allowing developers to act as if they were building an application for a federated architecture. The introduced architecture builds upon the validated services of a time-triggered core architecture, which provides a physical network as a shared resource for the communication activities of more than one application subsystem. The communication resources are encapsulated and multiplexed between application subsystems. In analogy, encapsulated partitions are used to share node computers among software modules of multiple application subsystems. Architectural encapsulation mechanisms ensure that the assumptions and abstractions performed in the functional system structuring also hold after combining the different subsystems on the target platform.
Depending on the physical structuring of large distributed safety-critical real-time systems, federated and integrated system architectures can be distinguished. This paper describes an integrated system architecture that combines the advantages of federated architectures with respect to complexity management with the advantages of an integrated approach (i.e., better functional integration and resource utilization). To master the complexity of the overall system, it is divided into application subsystems, which are additionally equipped with specific architectural services. In particular, the communication services are adapted in their functionality and timing behavior to the respective application requirements. Designers can therefore develop the system in the way a federated architecture would permit. The presented integrated system architecture is based on the validated services of a time-triggered core architecture, where the physical network of a single distributed time-triggered computer system serves as a shared resource for the communication activities of multiple application subsystems. The communication resources are encapsulated and multiplexed between application subsystems. Likewise, encapsulated partitions within components serve to divide component resources (e.g., processor time and memory) among software modules of different application subsystems. The encapsulation mechanisms of the architecture at the network and component level ensure that the assumptions and abstractions made during the functional structuring of the system also hold after the integration of the different subsystems on the target platform.
e & i Elektrotechnik und Informationstechnik 01/2006; 123:83-95.
ABSTRACT: System design in DECOS adheres to the model-driven design methodology (MDA) introduced by the Object Management Group (OMG), which enables technology-invariant modeling of distributed embedded applications. This separation of the actual implementation platform and the application functionality is achieved by describing the functionality of the distributed system by so-called Platform Independent Models (PIMs), which focus on the specification of functionality, performance, and dependability requirements of the distributed application. It is now the challenge of the software-hardware integration to utilize those technology independent descriptions of the Distributed Application Subsystems (DASs) to allocate executable units of the distributed application, so-called jobs, on particular hardware elements of the distributed platform. For facilitating this software-hardware integration, a description of the hardware platform that identifies the target elements of the hardware resources for the allocation of jobs and specifies their characteristics and interrelationship is a mandatory prerequisite. The Hardware Specification Model (HSM) defined in this document defines the rules that have to be observed when describing the available resources of a target platform of the DECOS integrated architecture. Furthermore, it is the scope of this document to identify a framework that facilitates the capturing of the resource information of DECOS target platforms as well as the integration of this information in the design workflow of the DECOS architecture. An exemplary tool chain, mostly consisting of already existing tools, is presented, which can be utilized for the instantiation of the UML models (i.e., the actual specification of the available resources), for checking the correctness of the generated resource description, and for the transformation into the proposed output format. The output format of the hardware resource descriptions defines the interface to the subsequent design steps of the software-hardware integration. The document further elaborates on the identified models by providing an exemplary resource description, which partially shows the available resources of a prototype DECOS platform based on TTP/C as the time-triggered core communication system.