The European ARTEMIS ACROSS project aims to overcome the limitations of existing Multi-Processor Systems-on-a-Chip (MPSoC) architectures with respect to safety-critical applications. MPSoCs have a tremendous potential in the domain of embedded systems considering their enormous computational capacity and energy efficiency. However, the currently existing MPSoC architectures have significant limitations with respect to safety-critical applications. These limitations include difficulties in the certification process due to the high complexity of MPSoCs, the lacking temporal determinism and problems related to error propagation between subsystems. These limitations become even more severe when subsystems of different criticality levels have to be integrated on the same computational platform. Examples of such mixed-criticality integration are found in the avionics and automotive industry with their desire to integrate safety-critical, mission-critical and non-critical subsystems on the same platform in order to minimize size, weight, power and cost. The main objective of ACROSS is to develop a new generation of multi-core processors designed specially for safety-critical embedded systems; the ACROSS MPSoC. In this paper we will show how the ACROSS MPSoC overcomes the limitations of existing MPSoC architectures in order to make the multi-core technology available to the safety-critical domain.
This paper proposes a SystemC based extension for the modeling of Time-Triggered Architecture (TTA) based real-time embedded systems. The extension called Executable Time-Triggered Model (E-TTM) supports the time-triggered model of computation and provides a time domain deterministic modeling framework based on SystemC. E-TTM can be used from the architectural design phase to support early functional, temporal and dependability assessments. This approach is illustrated with two case studies: the design and Simulated Fault Injection (SFI) of an odometry safety-critical embedded system, and the design and simulation of a real-time control system integrated with a SystemC-AMS model of the plant.
This paper proposes a SystemC based extension for the modeling of generic Time-Triggered Architecture (TTA) based safety-critical embedded systems. The extension called Executable Time-Triggered Model (E-TTM) supports the time-triggered model of computation and provides a time domain deterministic modeling framework based on SystemC. E-TTM can be used in the architectural design phase to support early functional, temporal and dependability assessments. The development of safety-critical embedded systems that must satisfy a certain set of timing constraints with an ever-increasing functionality leads to considerable complexity growth. E-TTM tackles the complexity challenge by means of simplification strategies such as abstraction, partition, segmentation and time determinism.
This paper deploys end-to-end message checksums for error detection in the time-triggered system-on-chip architecture (TTSoCA). The end-to-end checksums are not only checked at the end, but also intermediately in the communication subsystem of the system-on-chips (SoCs) concurrently with the message transmission in order to isolate faults: if a message transmission error occurs, the goal is to pinpoint whether the fault has originated in an IP core, in the communication subsystem, or in a gateway.
This paper describes an integrated system architecture for automotive electronic systems based on multicore systems-on-chips (SoCs). We integrate functions from different suppliers into a few powerful electronic control units using a dedicated core for each function. This work is fueled by technological opportunities resulting from recent advances in the semiconductor industry and the challenges of providing dependable automotive electronic systems at competitive costs. The presented architecture introduces infrastructure IP cores to overcome key challenges in moving to automotive multicore SoCs: a time-triggered network-on-a-chip with fault isolation for the interconnection of functional IP cores, a diagnostic IP core for error detection and state recovery, a gateway IP core for interfacing legacy systems, and an IP core for reconfiguration. This paper also outlines the migration from today's federated architectures to the proposed integrated architecture using an exemplary automotive E/E system.
Article · Aug 2009 · IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems
The GENESYS (Generic Embedded System) project is a European research project that aims to develop a cross-domain architecture for embedded systems. The requirements and constraints for such an architecture are documented in the ARTEMIS strategic research agenda in the form of seven key challenges. This paper presents the architectural style of GENESYS by listing the key architectural principles, such as: strict component orientation, separation of computation from communication, availability of a common time, hierarchical system structure, adherence to message passing, state awareness, fault isolation and integrated resource management. This paper explains how these architectural principles contribute to solve the seven key challenges in the ARTEMIS strategic research agenda.
Dynamic resource management enables a system to dynamically react to changing resource demands or resource availability. It enables better resource utilization, improved dependability, and the enabling of power-aware system behavior. This paper examines the application of dynamic resource management for an integrated time-triggered system architecture for embedded systems, which is designed to support mixed-criticality systems, i.e., systems integrating distributed application subsystems (DASs) with different dependability requirements on the same hardware platform. For such systems a vital characteristic is to achieve encapsulation of the hosted DASs and to provide mechanisms for fault-isolation. The key challenge addressed in this paper is to preserve these system characteristics despite the presence of dynamic resource allocation. To this end, a resource management framework is presented that provides static resource guarantees for DASs having higher dependability requirements, while facilitating efficient resource utilization for less critical DASs.
The composition of a large SoC out of pre-validated IP-cores requires an architecture that enables the seamless integration of components, i.e. composability. In this paper we present the five principles of composability that must be supported by any architecture that claims to enable the constructive composition of components. After the introduction of the TTSoC architecture and a description of a prototype implementation we show how this architecture conforms to the principles of composability.
The time-triggered system-on-a-chip (TTSoC) architecture enables the realization of mixed-criticality systems using SoCs. The integration of subsystems with different criticality enables massive cost reduction by reducing the overall number of devices and networks (e.g., ECUs in a car). To accomplish this goal, the TTSoC architecture offers inherent fault isolation mechanisms that prevent any unintended interference between application subsystems of different criticality. This paper demonstrates these capabilities using an exemplary automotive example with a safety-critical control subsystem and a multimedia subsystem. In the demo application, it is ensured by construction that any design fault in the multimedia subsystem cannot have any adverse effect on the safety-critical control subsystem.
It is the objective of the presented System-on-a-Chip (SoC) architecture to provide a predictable integrated execution environment for the component-based design of many different types of embedded applications (e.g., automotive, avionics, consumer electronics). At the core of this architecture is a time-triggered network-on-a-chip for the predictable interconnection of heterogeneous components. A component can be a self-contained computer, including system and application software, an FPGA, or a custom hardware unit. By providing a single uniform interface to all types of components for the exchange of messages, the architecture supports the component-based design of large applications and enables the massive reuse of components. The time-triggered network-on-a-chip offers inherent fault isolation to facilitate the seamless integration of independently developed components, possibly with different criticality levels. Furthermore, mechanisms for integrated resource management support dynamically changing resource requirements (e.g., different operational modes of an application), fault-tolerance, a power-aware system behavior, and the implementation of fault-handling by reconfiguration.
The ongoing technological advances in the semiconductor industry make Multi-Processor System-on-a-Chips (MPSoCs) more attractive, because uniprocessor solutions do not scale satisfactorily with increasing transistor counts. In conjunction with the increasing rates of transient faults in logic and memory associated with the continuous reduction of feature sizes, this situation creates the need for novel MPSoC architectures. This paper introduces such an architecture, which supports the integration of multiple, heterogeneous IP cores that are interconnected by a time-triggered Network-on-a-Chip (NoC). Through its inherent fault isolation and determinism, the proposed MPSoC provides the basis for fault tolerance using Triple Modular Redundancy (TMR). On-chip TMR improves the reliability of an MPSoC, e.g., by tolerating a transient fault in one of three replicated IP cores. Off-chip TMR with three MPSoCs can be used in the development of ultra-dependable applications (e.g., X-by-wire), where the reliability requirements exceed the reliability that is achievable using a single MPSoC. The paper quantifies the reliability benefits of the proposed MPSoC architecture by means of reliability modeling. These results demonstrate that the combination of on-chip and off-chip TMR contributes towards building more dependable distributed embedded real-time systems.
The problem of naming has been extensively studied in the field of distributed systems. However, multi-processor system-on-a-chips (MPSoCs), which are becoming more and more important in the construction of complex embedded systems, exhibit unique challenges with respect to naming. These challenges are induced by the need for dynamic resource management, independent development of IP cores and application subsystems, complexity management during system integration, and support for heterogeneous application domains. The solution proposed for naming in this paper is part of the time-triggered system-on-a-chip (TTSoC) architecture, which is a novel system architecture for MPSoCs. In particular, the developed naming scheme supports the integration of large embedded systems comprising multiple application subsystems (e.g., multimedia, comfort, powertrain in a car), each with its own dedicated domain-specific namespace. Furthermore, the TTSoC architecture provides gateways to support the construction of clusters of multiple SoCs, which creates the need for a naming scheme that establishes a uniform namespace across systems of systems.
There are many economic and technical arguments for the reduction of the number of Electronic Control Units (ECUs) aboard a car. One of the key obstacles to achieving this goal is the limited composability, fault isolation and error containment of today's single-processor architectures. However, significant changes in the chip architecture are taking place in order to manage the synchronization, energy dissipation, and fault-handling requirements of emerging billion-transistor SoCs (systems-on-a-chip). The single processor architecture is replaced by multi-core SoCs that communicate via networks-on-chip (NoC). These emerging multi-core SoCs provide an ideal execution environment for the integration of multiple automotive ECUs into a single SoC. This paper presents a model-based software development method for designing applications using these multi-core SoCs.
Finite state machine (FSM) models are widely used to model the operations of computer systems. Since the basic FSM model is timeless, it is not possible to model within the basic FSM framework system properties that are dependent on the progression of real time, such as the duration of computations or the limited temporal validity of real-time data. To overcome these limitations, efforts have been made to modify the FSM model to include some notion of time. It is the objective of this paper to expand existing work on basic FSMs and timed automata to include the concept of a sparse global time base as a central element of the model. We call such an extended FSM model a periodic finite state machine (PFSM) model. The PFSM model also incorporates the notions of state variables, global time, periodic clock constraints, and time-triggered activities. Thereby, PFSMs enable a concise and intuitive representation of distributed control systems and reduce the gap between a modeled system and its implementation.
The time-triggered System-on-a-Chip (SoC) architecture provides a generic multi-core system platform for a family of composable and dependable giga-scale SoCs. It supports the integration of multiple application subsystems of different criticality levels within a single hardware platform. A pivotal property of the architecture is the integrated error containment, which facilitates modular certification, robustness, and composability. By dividing the complete SoC into physically separated components that interact exclusively by the timely exchange of messages on a time-triggered Network-on-a-Chip (NoC), we achieve error containment for both computational and communication resources. The time-triggered design allows protecting the access to the NoC with guardians that are associated with each component. Based on the protection of the time-triggered NoC with inherent predictability and determinism, the architecture also enables error containment for faulty computational results. These value message failures can be masked using active redundancy (e.g., off-chip and on-chip Triple Modular Redundancy (TMR)) or detected using diagnostic assertions on messages. The design of the error containment mechanisms systematically follows a categorization of significant fault classes that an SoC is subject to (e.g., physical/design, transient/permanent). Evidence for the effectiveness of the error containment mechanisms is available through experimental data from a prototype implementation.
Dual core architectures are commonly used to establish fault tolerance on the node level. Since comparison is usually performed for the outputs only, no precise diagnostic information is available, and error handling comes down to a reset of both cores. The strategy proposed in this paper allows a more fine-grained error handling. It is based on the following steps: (1) Identification of those registers that are actually relevant for recovering the last known correct core state. (2) Protection of these registers by additional comparators. (3) Use of the trap mechanism for recovering a consistent state of the complete core. (4) (Optional) provision of rollback capability for the relevant registers in order to relax the critical path constraints. In the paper these individual steps are discussed, motivated, and put into context. In many cases the speed-up that was gained for the recovery was sufficient for using a dual core as a fail-operational instead of a fail-silent component with respect to transient faults. Rather than being restricted to a specific processor design, our mechanisms can be employed in a wide variety of dual-core architectures.