A Design Framework for End-To-End Timing Constrained Automotive Applications
Paper in proceedings, 2010
In modern cars more and more algorithms are implemented as distributed systems. For example, an ACC system (Adaptive Cruise Control) today requires a minimum of 5 ECUs (Electronic Control Units): the engine ECU, the gearbox ECU, the braking ECU, the MMI interface, and an ECU operating the radar system. Mastering the overall timing behaviour of such a distributed system is a fundamental challenge during design. The so-called end-to-end timing from a sensor to an actuator must meet a certain deadline, which is also demanded by functional safety standards such as IEC 61508 and ISO DIS 26262. To fulfil such requirements, the timing on the bus, the ECU timing, and the timing of the communication controller all have to be taken into account.
Control engineering and body electronics are two important domains in automotive systems. Both domains use multi-rate functions and rely on correct end-to-end timing, but they differ fundamentally in the meaning of end-to-end delays. Control systems that continuously drive external actuators shall ensure that these driving signals do not exceed a maximum age. 'Data age' is a concept at the heart of control engineering theory. Clearly, if the same signal is consumed twice, the second consumption is the critical one, because the (unchanged) signal at the time of the second consumption is older. In body electronics, the situation can be very different. In a door lock system, the first arriving signal will command the consuming device to lock the door; any later duplicate of that signal cannot lock the door 'more'. This shows that there exist at least two different semantics of end-to-end timing. In addition, constraining timing is not always about delays between stimuli and responses.
An important class of constraints deals with the synchronization between either stimuli or responses, respectively. Referring again to the door lock system, the reaction time between button pressed (stimulus) and door locked (response) could typically have a span between the fastest and slowest reaction of several hundred milliseconds. However, the tolerated difference between the times at which the different doors are locked is perhaps just some tens of milliseconds. There is, consequently, a need for a classification of the semantics of end-to-end timing constraints in terms of the treatment of duplicate data and the synchronization of input or output data. Also, when applications are composed of different subsystems, it is important to know how the effects of duplicated or purged signal data propagate over subsystem interfaces and what their net effect is on the application itself.
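The two delay semantics described above (data age, where every consumption of a sample counts, and first-through reaction, where only the first consumption of each sample counts and overwritten samples count for nothing) and the synchronization constraint on the door lock responses can be made concrete with a small trace evaluator. The following is an added example, not code from the paper or the TIMMO project; it assumes a register-style communication (each read takes the most recent write) and uses a constructed trace of write and read times in milliseconds.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Sample:
    seq: int          # sequence number of the producer's write
    write_time: float  # time the producer wrote it (ms)


def consumed_samples(write_times: Sequence[float],
                     read_times: Sequence[float]) -> List[Tuple[float, Optional[Sample]]]:
    """Register semantics: each read consumes the most recent write at or before it.

    Assumes both time lists are sorted ascending. A read before the first write
    consumes nothing (None).
    """
    samples = [Sample(i, t) for i, t in enumerate(write_times)]
    consumed = []
    for r in read_times:
        latest = None
        for s in samples:
            if s.write_time <= r:
                latest = s
            else:
                break
        consumed.append((r, latest))
    return consumed


def data_ages(write_times: Sequence[float],
              read_times: Sequence[float]) -> List[Tuple[float, float]]:
    """Age semantics (control engineering): for every read, including re-reads of an
    unchanged sample, the delay since the consumed sample was written."""
    return [(r, r - s.write_time)
            for r, s in consumed_samples(write_times, read_times) if s is not None]


def reaction_delays(write_times: Sequence[float],
                    read_times: Sequence[float]) -> Dict[int, float]:
    """First-through semantics (body electronics): for every write, the delay until the
    first read that consumes it. Writes overwritten before any read are absent, and
    later re-reads of the same sample do not count."""
    first: Dict[int, float] = {}
    for r, s in consumed_samples(write_times, read_times):
        if s is not None and s.seq not in first:
            first[s.seq] = r - s.write_time
    return first


def max_age(write_times: Sequence[float], read_times: Sequence[float]) -> float:
    return max(age for _, age in data_ages(write_times, read_times))


def max_reaction(write_times: Sequence[float], read_times: Sequence[float]) -> float:
    return max(reaction_delays(write_times, read_times).values())


def output_sync_spread(response_times: Sequence[float]) -> float:
    """Synchronization constraint on responses: spread between the earliest and the
    latest response (e.g. the lock times of the individual doors)."""
    return max(response_times) - min(response_times)


# Constructed trace: producer writes every 10 ms, consumer reads at an unrelated rate.
WRITES = [0.0, 10.0, 20.0, 30.0, 40.0]
READS = [5.0, 12.0, 19.0, 35.0, 48.0]

# Constructed door lock response times (ms after the button press) for four doors.
DOOR_LOCK_TIMES = [310.0, 325.0, 318.0, 340.0]
DOOR_SYNC_TOLERANCE_MS = 50.0

if __name__ == "__main__":
    print("ages per read:", data_ages(WRITES, READS))
    print("reaction per write:", reaction_delays(WRITES, READS))
    print("max age:", max_age(WRITES, READS), "max reaction:", max_reaction(WRITES, READS))
    spread = output_sync_spread(DOOR_LOCK_TIMES)
    print("door lock spread:", spread, "ok" if spread <= DOOR_SYNC_TOLERANCE_MS else "VIOLATED")
```

In the constructed trace the sample written at 10 ms is read twice (at 12 ms and again at 19 ms), so the age constraint sees a 9 ms delay while the reaction constraint only credits the first read at 2 ms; the sample written at 20 ms is overwritten before it is ever read, so it contributes to neither the reaction delays nor the ages. The door lock check only measures the spread between the doors, independently of the several-hundred-millisecond reaction time itself.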
The main goal of the TIMMO project is to define a predictable development process that is able to handle timing in all design phases and to verify as well as validate the timing behaviour of a real-time system throughout the process.