Composing and synchronizing real-time componentsthrough virtual platforms in vehicular systems
Martijn van den Heuvel
System Architecture and Networking (SAN)Department of Mathematics and Computer Science
Eindhoven University of TechnologyThe Netherlands
16th September 2014
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 1 / 32
Thanks to . . .
Promotor and co-promotor:
Prof. Johan J. LukkienDr. Reinder J. Bril
Technical support:
Dr. Mike HolenderskiDr. Erik J. LuitDr. Richard Verhoeven
Research collaboration (MDH):
Dr. Moris BehnamProf. Thomas Nolte
Various M.Sc. students and postgraduates.
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 2 / 32
An automotive example
Why this growth of electronic parts?
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 3 / 32
An automotive example: electronic stability program (ESP)
Chip Design Magazine (Jan. 2005)
Increasing number of applications;Extensive networking between them.
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 4 / 32
An automotive example: electronic stability program (ESP)
Increasing number of applications, for example: ABS, TCS, ESP;
Extensive networking between them.
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 5 / 32
An automotive example: IVDC advances beyond ESP . . .
Adding suspension control and software-based vehicle state estimation:
B. Bonsen, R. Mansvelders, and E. Vermeer.
Integrated vehicle dynamics control using state dependent riccati equations.
In AVEC, Aug. 2010.
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 6 / 32
An automotive example: deployment of IVDC advances
4X Local controllers for steering, braking, suspension;
Front and rear IVDC;
1X Global IVDC state estimation and supervisory control.
Local controllers
Supervisory + IVDC
τ1 τ2 . . . τn τ1 τ2 . . . τn
RTOS+middleware
Hardware (CPU: 200 MHz)
Supervisory control IVDC
Network
Legend: Task Virtual processor
Virtual network bus Send or receive messages
– Component composition on central ECU–
(Semi-)independent developed components by various partners!
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 7 / 32
Demo: IVDC with active suspension
Experimental setup:
4X Local controllers for active suspension;
1X Global IVDC and supervisory control.
Our contribution:
Virtualization techniques applied to a central node:
τ1 τ2 . . . τn τ1 τ2 . . . τn
RTOS+middleware
Hardware (CPU: 200 MHz)
Supervisory control IVDC
Network
Legend: Task Virtual processor
Virtual network bus Send or receive messages
– Component composition on central ECU–
Synchronization between independently developed components.
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 8 / 32
Demo: active suspension on
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 9 / 32
Demo: active suspension off
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 10 / 32
Demo: active suspension on
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 11 / 32
Hierarchical composition of schedulers for vehicular systems
τ1 τ2 . . . τn τ1 τ2 . . . τn
RTOS+middleware
Hardware (CPU: 200 MHz)
Supervisory control IVDC
Network
Legend: Task Virtual processor
Virtual network bus Send or receive messages
– Component composition on central ECU–Global
Scheduler
localscheduler
Component 0
localscheduler
Component 1
localscheduler
Component n. . .
R1 R2
component: server, set of tasks and local (task) scheduler
server or virtual processor: a CPU budget allocated each period
Tasks, located in arbitrary components, may share resourcesi.e. deal with local and global priority inversion!
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 12 / 32
Resource sharing across components: a closer look
Add a resource arbiter to each scheduler, i.e.,at the task level and at the component level.
GlobalScheduler
localscheduler
Component 0
localscheduler
Component 1
localscheduler
Component n. . .
R1 R2
Tasks may request:1 Access to shared memory:
shared buffers;memory-mapped devices.
2 Operating-system services:
in-kernel: short non-preemptive critical sections;device drivers and other services: mutually exclusive between users.
3 Global limited-preemptive access to the processor:
reduce cache misses;less pipeline flushes.
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 13 / 32
Challenges for resource sharing across components
Component Cs Resource-supply model
Interface selection
Component Interface Ωs
Admission control
Other components’ interfaces
rejectaccept
Virtual platform of Cs Other virtual platforms
Resource allocation
Global scheduling and global resource arbitration
Component development
(Timing-) Requirements analysis
1 Independent development andintegration of components;
M. M. H. P. van den Heuvel, R. J. Bril, and J. J. Lukkien.
Transparent synchronization protocols for compositionalreal-time systems.IEEE TII, 8(2):322–336, May 2012.
2 Independent timing analysis ofcomponents and their integration;
M. M. H. P. van den Heuvel, M. Behnam, R. J. Bril, J. J.
Lukkien, and T. Nolte.Opaque analysis for resource sharing in compositionalreal-time systems.In CRTS, pages 3–10, Nov. 2011.
M. M. H. P. van den Heuvel, M. Behnam, R. J. Bril, J. J.
Lukkien, and T. Nolte.Optimal and fast composition of resource-sharingcomponents in hierarchical real-time systems.In RTCSA, Aug. 2014.
3 Scheduling components andcontainment of temporal faults.
M. M. H. P. van den Heuvel, R. J. Bril, and J. J. Lukkien.
Dependable resource sharing for compositional real-timesystems.In RTCSA, pages 153–163, Aug. 2011.
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 14 / 32
Challenges for resource sharing across components
Component Cs Resource-supply model
Interface selection
Component Interface Ωs
Admission control
Other components’ interfaces
rejectaccept
Virtual platform of Cs Other virtual platforms
Resource allocation
Global scheduling and global resource arbitration
Component development
(Timing-) Requirements analysis
1 Independent development andintegration of components;
M. M. H. P. van den Heuvel, R. J. Bril, and J. J. Lukkien.
Transparent synchronization protocols for compositionalreal-time systems.IEEE TII, 8(2):322–336, May 2012.
2 Independent timing analysis ofcomponents and their integration;
3 Scheduling components andcontainment of temporal faults.
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 15 / 32
Independent development and integration of components
A programmer’s perspective:
1 resources are shared between tasks, not between components.
2 tasks claim and protect their resources;
Question from integrator to programmer:
Is the resource local or global to a component?Don’t know, don’t care!
Postpone binding of SRP primitives until component integration.P. Lopez Martinez, L. Barros, and J. Drake.
Scheduling configuration of real-time component-based applications.In Reliable Softw. Technology - Ada-Europe, volume 6106 of LNCS, pages 181–195. Springer, 2010.
M. M. H. P. van den Heuvel, R. J. Bril, and J. J. Lukkien.
Transparent synchronization protocols for compositional real-time systems.IEEE TII, 8(2):322–336, May 2012.
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 16 / 32
Challenges for resource sharing across components
Component Cs Resource-supply model
Interface selection
Component Interface Ωs
Admission control
Other components’ interfaces
rejectaccept
Virtual platform of Cs Other virtual platforms
Resource allocation
Global scheduling and global resource arbitration
Component development
(Timing-) Requirements analysis
1 Independent development andintegration of components;
2 Independent timing analysis ofcomponents and their integration;
M. M. H. P. van den Heuvel, M. Behnam, R. J. Bril, J. J.
Lukkien, and T. Nolte.Opaque analysis for resource sharing in compositionalreal-time systems.In CRTS, pages 3–10, Nov. 2011.
M. M. H. P. van den Heuvel, M. Behnam, R. J. Bril, J. J.
Lukkien, and T. Nolte.Optimal and fast composition of resource-sharingcomponents in hierarchical real-time systems.In RTCSA, Aug. 2014.
3 Scheduling components andcontainment of temporal faults.
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 17 / 32
Independent timing analysis of components
Interface of a component:
period Ps ;
guaranteed budget Qs within each period;
set of RHTs Xsl which defines Xs = maxlXsl.
Analytical perspective:
1 incremental analysis: separate concerns of local and global scheduling;
2 easier analysis: no timing details on global resource sharing;
3 avoid protocol-specific knowledge to compute Qs and Xsl.
Some analyses in literature do not support this independence!
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 18 / 32
The key idea – Specify partial interfaces . . .
Interpretation
Cn may use one resource R` for at most Xn,` time unitssupplied within period Pn.
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 19 / 32
The key idea – Specify partial interfaces and merge them
Gained independence:
Detect which resources are shared by others.
Arbitrate shared resources by SRP;
Merge them at composition!Martijn van den Heuvel (TU/e, SAN) 16th September 2014 20 / 32
The key idea – Prune dependencies at composition
Gained independence:
Detect which resources are shared by others.
Merge just remaining candidates!
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 21 / 32
Add an arbiter for shared resources only
Gained independence:
Detect which resources are shared by others.
Arbitrate shared resources by SRP;
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 22 / 32
Challenges for resource sharing across components
Component Cs Resource-supply model
Interface selection
Component Interface Ωs
Admission control
Other components’ interfaces
rejectaccept
Virtual platform of Cs Other virtual platforms
Resource allocation
Global scheduling and global resource arbitration
Component development
(Timing-) Requirements analysis
1 Independent development andintegration of components;
2 Independent timing analysis ofcomponents and their integration;
3 Scheduling components andcontainment of temporal faults.
M. M. H. P. van den Heuvel, R. J. Bril, and J. J. Lukkien.
Dependable resource sharing for compositional real-timesystems.In RTCSA, pages 153–163, Aug. 2011.
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 23 / 32
Scheduling and containment of temporal faults
Temporal isolation stunned by overrun when a task unwinds:
Legend: critical section normal execution budget arrival
C1
C2
C3
timetet0 t1
No longer a guarantee for:
overrun durations
blocking durations
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 24 / 32
Sources of unpredictable interferences
Global effects of local SRP-based arbitration:
time
RHT
τ1
τ2
τ3
rcsl
hs2l
Rl Rl
Rl
resource ceiling (rcsl):highest priority of any (local) tasksharing resource Rl
What if task τ1 exceeds its WCET?
What if a task (τ2 or τ3) exceeds its critical-section length?
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 25 / 32
Confine temporal faults
What if an interfering task exceeds its WCET?
A solution to prevent an increase of resource-holding times:
Disable local preemptions.
What if a task exceeds its critical-section length?
NO solution to prevent an increase of resource-holding times.
To protect independent components:
Extend SRP with enforced blocking durations.
It is now similar to the protected Immediate-PCP in:
D. de Niz, L. Abeni, S. Saewong, and R. Rajkumar.
Resource sharing in reservation-based systems.In RTSS, pages 171–180, 2001.
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 26 / 32
Challenges for resource sharing across components
Component Cs Resource-supply model
Interface selection
Component Interface Ωs
Admission control
Other components’ interfaces
rejectaccept
Virtual platform of Cs Other virtual platforms
Resource allocation
Global scheduling and global resource arbitration
Component development
(Timing-) Requirements analysis
1 Independent development andintegration of components;
2 Independent timing analysis ofcomponents and their integration;
3 Scheduling components andcontainment of temporal faults.
M. M. H. P. van den Heuvel, R. J. Bril, J. J. Lukkien, and
T. Nolte.Performance evaluation of analysis methods for arbitratingnonpreemptive resource access in compositional real-timesystems.In VtRES, Sep. 2014.
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 27 / 32
Scheduling of resource-sharing components
Budget depletion during a critical section can lead toexcessive blocking times:
Ps Ps
Qs QsBs
Ps
Qs
Solutions:
React upon budget depletion by allowing budget overruns.1 Overrun with payback (OWP): the consumed overrun is subtracted
from the next budget;2 Overrun without payback (ONP): no penalty for overrun.
Prevent budget depletion by checking the remaining budget.1 SIRAP: insert idle time during task execution;2 BROE: delay budget supply.
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 28 / 32
Timing analysis of resource-sharing components
synthetic periodic tasks: 8 tasks/component;tasks generated by UUnifast with total utilization of 0.5;random task deadline constraints: [WCETi + α(Pi −WCETi ); Pi ];short non-preemptive critical section.
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
Rat
io o
f fea
sibl
e sy
stem
s
δ
BROESIRAPIONP
ONP ≈ IOWPOWP
N = 5 components.
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
1 2 3 4 5 6 7 8 9 10 11 12 13 14
Rat
io o
f fea
sibl
e sy
stem
s
Number of components (N)
BROESIRAPIONP
ONP ≈ IOWPOWP
Implicit deadlines (α = 1).
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 29 / 32
Timing analysis of resource-sharing components
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
Rat
io o
f fea
sibl
e sy
stem
s
δ
BROESIRAPIONP
ONP ≈ IOWPOWP
N = 5 components.
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
1 2 3 4 5 6 7 8 9 10 11 12 13 14
Rat
io o
f fea
sibl
e sy
stem
s
Number of components (N)
BROESIRAPIONP
ONP ≈ IOWPOWP
Implicit deadlines (α = 1).
SIRAP: no independent analysis of components,i.e., detailed task-level analysis of global resource sharing.
ONP: enables independent analysis of SIRAP, but weak performance.
BROE: weaker composition rules than SIRAP.
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 30 / 32
Challenges for resource sharing across components
Component Cs Resource-supply model
Interface selection
Component Interface Ωs
Admission control
Other components’ interfaces
rejectaccept
Virtual platform of Cs Other virtual platforms
Resource allocation
Global scheduling and global resource arbitration
Component development
(Timing-) Requirements analysis
1 Independent development andintegration of components;
2 Independent timing analysis ofcomponents and their integration;
3 Scheduling components andcontainment of temporal faults.
Current and future challenges:
Mixed criticality:1 deal with uncertain timing specs of tasks;2 graceful degrade functions by enabling/disabling optional ones.
Industrial standards: timing augmented descriptions of components.Martijn van den Heuvel (TU/e, SAN) 16th September 2014 31 / 32
Questions?
Let’s pass the remote . . .
Martijn van den Heuvel (TU/e, SAN) 16th September 2014 32 / 32