taking the right turn with safe and modular solutions for the ...blieb/ae2017/... taking the right...

www.tttech.comwww.tttech.com

Taking the Right Turn with Safe and Modular

Solutions for the Automotive Industry

www.tttech.com

Ayhan Mehmet, Maximilian Rosenblattl, Wilfried Steiner

Software Architect

2016-04-14, GNI, Automotive

A Time-Triggered Middleware for Safety-Critical Automotive Applications

General ADAS Architecture

3

Sensors Preprocessing Fusion Application Actuation

Power

Train

Brake

Steering

...

L3/4 Drive

Pilot

Lane

Assist

Parking

Function X

Map

Fusion

Object

Fusion

e-Horizon

Front Camera

Surround View

Radar

Laser

Ultrasonic, Nano Radar

Central Fusion ECU (Raw Data Processing)

The ADAS Challenges

4

• ADAS need safety and performance

• Demand for high-performance safety-capable µCs

• # Functions > # HW resources

• Demand for integration concept

• Multiple periods

• Demand for Scheduling concept

• End-to-end latency requirements

• Demand for accurate timing model

• OEM`s

• Demand for fast system development

The ADAS Challenges

5

• ADAS need safety and performance

• Demand for high-performance safety-capable µCs







• OEM‘s


www.tttech.com

The Challenge: ADAS Need

Safety and Performance

6

• Sensor processing and data fusion need highest performance levels

• Steering and braking require up to ASIL-D

Today’s automotive safety controllers do not fulfill the

high computing performance and memory

requirements of usual ADAS applications

+

Joining Safety and Performance

Multi-µC-ECU

7

Eth

ern

et

Fle

xR

ay

CA

N

FR

CA

N

(Deterministic)

Ethernet Switch

Automotive

µC

Performance

SoC

Performance

SoC

Performance

SoC

Eth

ern

et

Control,

ASIL C/DFusion,

ASIL B/C/D

Sensor processing,

ASIL A/B, QM

Communication,

Synchronisation

www.tttech.com

Timing/State Supervision

Automotive µC

Autosar OS

BSWMiddle-

ware

MCAL

Performance SoC Performance SoC

RTE RTE

VxWorks Middle-

ware

MCAL

RTE

Linux Middle-

ware

MCAL

RTE

SW

C 1

SW

C 2

SW

C 3

SW

C n

SW

C k

SW

C l… …

Functional Safety

Safe Execution Platform: SEooC acc. ISO 26262

Memory Protection, Communication Protection, Timing and State

Supervision, Diagnostics up to ASIL D

E2E Communication Protection

Memory Protection

The ADAS Challenges

9

ADAS need safety and performance

Demand for high-performance safety-capable µCs







• OEM‘s


www.tttech.com

Time-Triggered Communication,

Deterministic Scheduling

Automotive µC

AUTOSAR

OS

BSW

Middle-

ware

MCAL

Performance SoC Performance SoC

RTE RTE

VxWorks Middle-

ware

MCAL

RTE

Linux Middle-

ware

MCAL

RTE

SW

C 1

SW

C 2

SW

C 3

SW

C n

SW

C k

SW

C l… … …

Jitter- and collision-free communication

Deterministic, collision-free SWC schedule

Deterministic data flows and latencies

Deterministic

Ethernet Switch

www.tttech.com

Integration on an

Event-Based Platform

11

4. Iterative rework until

system runs stable

1. Platform configuration 2. Single SWC test

without consideration

of other SWCs

3. Integration shows

conflicts und collisions

www.tttech.com

Integration Process on a

Time-Triggered Platform

12

1. Platform configuration

and application

scheduling

2. Single SWC test within

configured schedule

3. SWCs are instantly running

together (“composability”)

Parallel integration

accelerates SW

development

Robustness through

clean allocation of

resources

All software runs without

jitter or variation

www.tttech.com

Integration Process on a

Time-Triggered Platform

13

1. Platform configuration

and application

scheduling

2. Single SWC test within

configured schedule

3. SWCs are instantly running

together (“composability”)

Iterations are

avoided

Integration process

massively accelerated

The ADAS Challenges

14



# Functions > # HW resources

Demand for integration concept





• OEM‘s


www.tttech.com

TTA Task Scheduling Model

TR

tAtA tDtD

?timetime

tA: activation pointtD: deadlineTR: runtime; to be allocated

TR < tD - tA

15

www.tttech.com


16

• A Task 𝜏𝑖 is characterized as following

• WCET 𝐶𝑖

• period 𝑇𝑖

• offset (phase) 𝜙𝑖

• deadline 𝐷𝑖

• priority 𝑃𝑖

• CPU affinity 𝐴𝑖

The TTA scheduler solves a variable

assignment problem

0t

𝜙𝑖 𝑇𝑖𝐷𝑖

window of schedulability

≥ 𝐶𝑖

www.tttech.com


𝑖=1

𝑛

𝑇𝑖 = 𝑇𝑅 < 𝑡𝐷 − 𝑡𝐴

tA tD

tA: activation pointtT: trigger pointtD: deadlineT1, T2, …, Tn: allocated CPU timeTR: runtime

T1

time

T2 Tn...

tT

17

www.tttech.com

Soft-TTA Task Scheduling Model

18

Utilizing unused CPU time of dedicated slices is the

key mechanism of the Soft TTA Approach:

SW-C 1Inp

Msg

Out

MsgSW-C 2

Inp

Msg

Out

Msg

slice 1 slice 2

Case 1: SW-C 1

finishes within the

dedicated time window

SW-C 1

Task AInp

Msg

Out

Msg

Karten

fusionOut

Msg

slice 1

SW-C 1

SW-C 1 soft deadline violation

and preemption

Inp

Msg

Out

Msg

Unused CPU time is used by

SW-C 1 at lower priority

slice 2

SW-C 2Case 2: SW-C 1

finishes in leftover time

www.tttech.com

Soft-TTA Task Scheduling Model

𝑇𝑇𝑌𝑃 <

𝑖=1

𝑛

𝑇𝑖 = 𝑇𝑅 < 𝑇𝑊𝐶𝐸𝑇

BBB

tA

tA: activation pointtT: trigger pointtSDL: Soft Deadline (tSDL ≤ tHDL)tHDL: Hard Deadline (tHDL = tD)tD: deadlineT1, T2, …, Tn: allocated CPU time

T1

time

T2 Tn

tT tSDL tD=tHDL

TR: runtimeTWCET: worst case execution timeTTYP: „typical“ execution time

19

The ADAS Challenges

20





Multiple periods

Demand for Scheduling concept



• OEM‘s


www.tttech.com

End-to-End Communication

Latency Guarantees

21

Scheduling of runnables with defined maximal end-to-end latency

Static schedule as timing model allows to compute worst case latency easily

Timing supervision: effective model verification during runtime

Input

runnable

CP

U

RA

M

Fla

sh

Period

Output

runnable

CP

U

RA

M

Fla

sh

Period

runnable

CP

U

RA

M

Fla

sh

Period

runnable

CP

U

RA

M

Fla

sh

Period

Sensor

Actuator

Scheduled Δt ≤ end-to-end latency constraint t

www.tttech.com

E2E Latency Guarantees

Scheduling Perspective

22

Definition: sequence of runnables with a given maximal end-to-

end latency

Static schedule tables allow to easily compute worst case latency

End-to-end latency can be optimized by specifying additional

constraints for involved tasks

Example:Example:

C

A

B

Task A jitters and runs in wrong point of time: set jitter

constraint and/or activation and deadline constraint

Position of Task B and C is acceptable: use activation and deadline constraints to fix them in place

for next task schedule iteration

www.tttech.com

E2E Latency Guarantees

Scheduling Perspective

23

Definition: sequence of runnables with a given maximal end-to-

end latency

Static schedule tables allow to easily compute worst case latency

End-to-end latency can be optimized by specifying additional

constraints for involved tasks

Example:Example:

C

A

B

www.tttech.com

Actual Schedule with End-to-End

Latencies

24

Host A

Host B

The ADAS Challenges

25





Multiple periods

Demand for Scheduling concept

End-to-end latency requirements

Demand for accurate timing model

• OEM‘s


The Challenge

26

Demand for more services

Increased number of ECUs

Growth in sharing software and

functionality between the ECUs

Diversity of the hardware and

communication standards

Re-development of the software

High:

Complexity, development time and cost

The solution

27

Following the AUTOSAR software architecture

standardized

HW-specific

Hardware

AUTOSAR

Application Software

ECU HW

AUTOSAR RTE

SW-C

Microcontroller Abstraction

Basic SW(Transport layer, system services,.. )

AUTOSAR IF

SW-CSW-C

Decoupling of Application SW

from HW

Modularity,

Scalability,

Re-usability, …

www.tttech.com

Conclusions

28

To fulfill the safety and performance requirements of

today’s ADAS systems an integration platform must

support seamless integration of safety- and

performance microcontrollers

A time-triggered architecture explicitly models the

temporal properties of SW-Cs, which supports the

prediction of temporal characteristics of event chains (no

worst-case analysis necessary)

reduction of integration testing efforts (no side-effects

caused by SW-C microtiming, re-use of test results)

Copyright © TTTech Computertechnik AG. All rights reserved.

www.tttech-automotive.com

Vienna, Austria (Headquarters)

+43 1 585 65 38-5000

[email protected]

Germany

+49 841 88 56 47-0

[email protected]

USA

+1 978 933 7979

[email protected]

Japan

+81 52 485 5898

[email protected]

China

+86 21 5015 2925-0

[email protected]

Development Perspective

Good Limitations

Development is a creative process

For defined quality, there have to be limitations

That is the basic idea behind

MISRA

HIS

The V-model (used in ISO26262)

Every development guideline


Good Limitations

Inherent property of limitations in the development

context:

Limited development possibilities draw attention to the

limits and raise additional thoughts early in the

development process


Good Limitations

In a non-TTA system, all software components

together have limited runtime

TTA introduces limited runtime for every single

software component


Typical Questions

Typically, the following questions are raised immediately

by customers, developers, …

What about interrupt load?

What about memory wait states?

What happens when my SW misses the deadline?

etc.


Typical Questions

These problems usually arise late in the

development process

The integration test phase or

The system test phase

TTA forces the developers (SW-C and system) to

think about that early more time for solutions

taking the right turn with safe and modular solutions for the ...blieb/ae2017/... taking the right...

Documents