AUTOSAR: How to deal with non-functional properties

Andreas Löscher
Chemnitz University of Technology
[email protected]
February 26, 2009

Abstract

The AUTOSAR consortium developed a standard for software components in automotive systems. The goals of this standard are to enable reusability and scalability of software components and, with this, to lower the costs of development. Important aspects are non-functional properties such as timing, resource consumption and real-time capability, which must be taken into account in automotive applications. This paper discusses how such properties are defined and how these definitions can be complied with.

1 Introduction

The AUTOSAR (Automotive Open System Architecture) consortium developed a standard for software components in automotive systems. This was done because of the growth of complexity in the development of electronic systems. Other goals are an improved flexibility for modifications, better scalability between different product lines and the possibility to detect errors in early design phases. AUTOSAR is a partnership of the main actors of the automotive manufacturing industry.

Non-functional properties are those that do not affect the result of an application in terms of the calculated data or the value of a signal. Non-functional properties describe the constraints for the applications. In automotive systems, especially cars, timing is one of the most important properties to ensure the correctness of the system. An example are X-by-Wire applications. Other properties are resource consumption and real-time capability. This work wants to determine how AUTOSAR handles these requirements.

In section 2 an overview of AUTOSAR is given and how a defined software component (SWC) is realized on an ECU (Electronic Control Unit) in the development process. The timing model of AUTOSAR is shown in section 3. In section 4 the definition of SWCs is discussed and how non-functional properties are described.

Figure 1: AUTOSAR Architecture (from [1])

2 Overview of AUTOSAR

AUTOSAR is both a standard for software architecture in automotive systems and the partnership of the participating companies. The AUTOSAR consortium was founded in 2003 by the first core members BMW, Bosch, Continental, DaimlerChrysler, Siemens VDO and Volkswagen. By 2004 Citroën Automobiles S.A., Ford Motor, General Motors, Peugeot Citroën Automobiles S.A. and Toyota Motor had joined the group as core partners. The current version of the standard is 3.1 and was released in 2008. The next version is expected to be released in 2009. In the current schedule for the introduction of AUTOSAR it is announced that first modules will be used in 2010. The first compatible ECUs will be installed in vehicles in 2011 and the introduction of AUTOSAR in vehicles will take place in 2012.

The given standard includes a methodology that describes how an automotive system is built and everything that is needed to integrate different software components in a system of networked ECUs. It does not provide information on how the software architecture or the software components are created. The software architecture contains an abstract communication layer, the methodology and templates to describe every part of the system such as the used ECUs, the software components, the communication, etc.

2.1 Virtual Functional Bus

All components of a system communicate over the virtual functional bus (VFB). This is an abstract communication environment that encapsulates the real underlying structure. This means that AUTOSAR can be used transparently on different platforms such as FlexRay and CAN. The SWCs using the VFB are independent of the used hardware architecture, which results in more flexibility. The VFB provides the software components with sender-receiver and client-server communication and error handling.

The sender-receiver pattern enables a simple information distribution where data from one sender can be received by several receivers or one receiver can receive information from several senders. The transfer of data is logically atomic. The data type of each sender-receiver interface is known at configuration time. There are two semantics for this pattern. The "last-is-best" semantic provides only the newest data. In addition to this, an invalidate service is available. A queued semantic is also available, which delivers all sent data in the correct order (FIFO).

In the client-server pattern, the server provides a service and the client uses this service. The client starts the communication by requesting a service. The server waits for incoming requests and provides the service or returns an error if it cannot.

2.2 Methodology

The integration process of an AUTOSAR system is described in [5]. This methodology shows how the development process from templates to build system takes place. While this is not a complete description and does not define responsibilities or roles, it describes a work-product flow and the dependencies of activities inside of it. An overview of the methodology is shown in figure 2.

AUTOSAR provides templates as an information exchange format. Defining a system or a component means filling out these templates. To build a system you must define its hardware and software. In addition to that you must define all constraints that apply. The idea of AUTOSAR is that powerful tools can create a system that fulfills the defined requirements. This process is called Configure System. It maps the software components on specific ECUs with regard to timing and resources. The output of this process is the System Configuration Description. It contains all system information including bus mapping and topology. With this information, executables for every ECU are created. Such an executable is the whole software that runs on a specific ECU, including the Runtime Environment (RTE), the schedule and the software components. The RTE is the implementation of the VFB on a specific ECU. An illustration of the RTE on an ECU is given in figure 1. There are tools that support the whole process of defining software components and creating an appropriate system. Examples of such tools are ASCET [14] and TargetLink [13].

Figure 2: AUTOSAR Methodology (from [1])

3 Timing model

The timing model of AUTOSAR is called Generic Timing Framework. This framework is based on events. To define a constrained behaviour like a communication, you have to describe the real behaviour of your system and a model which describes the desired behaviour. The model specifies a guarantee or a requirement. If all requirements are fulfilled, the described components should satisfy the model.

3.1 Events

An event occurs at a defined time. In the normal case, the event is not directly defined by its occurrence time but by a modeled behaviour of its nature. Let us consider that there is an event OpenDoor. The event can occur multiple times, each with a distinct occurrence time. AUTOSAR defines two event models which are used to model the occurrence time of events.

RecurringEvent Model. The RecurringEventModel is used to model sporadic events. Its attributes are the highest and lowest inter-occurrence time. If t_last is the last time an event occurs, its next occurrence is in the interval [t_last + t_lowestIOT, t_last + t_highestIOT]. If t_highestIOT is infinite, you can describe a minimal delay between two events, and if t_lowestIOT is infinite, you can describe a maximal delay.

PeriodicEvent Model. To define periodic events, you have to define a period and a jitter. Periodic events do not have to occur exactly after every period. The jitter describes this behaviour. AUTOSAR defines it as follows. The period describes intervals. The time between the beginning of an interval and the occurrence of the related event is called delay. It is required that the difference between the maximal and the minimal delay is smaller than the jitter.

Figure 3: MaxAge Timing Chain

3.2 Timing Chains

If you were able to use only single events, you would be very restricted in the description of your component. AUTOSAR provides the possibility to describe more complex behaviour in a construct which is called Timing Chains. Timing Chains consist of many segments, each of which is associated with an event. There also exist two models for timing chains. The difference between timing chain and model is the same as for events.

MinMaxOneToOne Model. The Timing Chain satisfies this model if its response time (the time between the activation of the first and the last event in the chain) is between the specified minimum and maximum. The timing chain has to be activated once for each occurrence of the stimulus. This model is used to describe event-driven systems.

MaxAge Model. This model has one parameter, the maxage. It is used to describe systems in which events define changes in the state. In many cases it is not necessary that the system reacts to every event, but that the information provided by a component is new enough. If for each activation of the timing chain the response time is smaller than maxage, the model is satisfied. In addition to this it is required that every stimulus leads to an activation, or that a later activation of the timing chain can give a response that is within the deadline (maxage) of the stimulus. For an example see Figure 3.

3.3 Communication

The timing parts of communication on the VFB can now be modeled with the timing framework by using Timing Chains. The sender-receiver communication defines two elements for this: the DataElementAvailableonPPort and the DataElementAvailableonRPort event. The difference between these events describes the duration of the communication. AUTOSAR provides in its templates attributes to specify requirements on the response time. Other attributes, which are considered as a further extension of the VFB communication attributes, are guarantees as well as requirements for period, jitter and inter-occurrence time. The client-server communication pattern can be described in a similar way.

4 Software Components Description

Of prime importance is the definition of the behaviour of the software components. This must be done by describing the internal and external specifications. From a system perspective, an AUTOSAR software component can be mapped on an ECU. The description of the interface of the component can be validated against different models. From an ECU perspective it is necessary to know the resource consumption and the execution time of a component, so that a schedule can be built and resources like memory can be provided. The full description of software components is given in [3]. This work shows only how resources are described and how the execution time of a component can be specified. The templates provide the possibility to define requirements on other components, functionality, compiler, etc.

4.1 Resource Consumption

The resources of a software component are represented in memory. This can be divided into memory allocated statically at implementation time and memory allocated dynamically at runtime. The description of statically allocated memory is simple. AUTOSAR allows this for every implementation of a software component and chooses the right one for the mapping. The description of dynamically allocated memory is more difficult. AUTOSAR divides stack and heap memory usage. The stack is used to store temporary data like parameters or local variables. This means that the stack usage depends on the depth of the calling hierarchy. AUTOSAR provides some methods to describe the used stack. These methods are WorstCaseStackUsage, MeasuredStackUsage and RoughEstimatedStackUsage. The first is determined analytically. The second one is inferred from measurements with test patterns; a maximum and a minimum amount of used stack can be defined. The last one is a rough estimation.

The second type of dynamically allocated memory is heap memory. This describes memory which is explicitly allocated. AUTOSAR provides the same methods to describe the used memory. One problem of heap memory is that the available memory could be fragmented unfavourably. This means that even if enough memory is available, it is not accessible. Heap memory as well as stack memory should be used with caution.

Figure 4: AUTOSAR ECU software architecture (from [1])

4.2 Execution Time

The execution time of a software component depends on many different properties of the system, for example the used ECU, the chosen implementation of the software component and the context in which the component is used. The execution time can be defined as worst-case execution time, simulated execution time, measured execution time and rough estimated execution time, which work like the definitions for the memory usage. Because of the dependency on other specifications, you can describe the context in which the execution time was achieved.

5 System Description

AUTOSAR provides a template for the system description. Describing the system means filling out the template. The template contains information on the components of the system and the relations amongst them. This includes hardware and software. Constraints related to communication and mapping can also be described. AUTOSAR supports redundancy at this point. Many constraints can be made for redundant components.

Mapping Constraints. A fundamental concept of AUTOSAR is that SWCs can be developed independently of the used ECU hardware. The assignment of components to ECUs is called mapping. Nevertheless, there may be some SWCs that are already mapped in an earlier phase of the system generation process, or other constraints that must be respected. AUTOSAR allows forcing the mapping of SWCs on ECUs. This can be described in the System Mapping description which is part of the System description. If a specific implementation should be used, it can be forced at the same place. A SWC can be mapped manually with these specifications. In addition to this it is possible to define a set of ECUs a SWC must or must not be mapped on. A more dynamic definition of constraints is the possibility to define clustered or separated components. Separated components are such that must not be mapped on the same ECU. This is important to ensure that redundant components do not fail if the hardware fails. The opposite of separated components are clustered components. These must be mapped on the same ECU. Sometimes it is important that two or more components are mapped on one ECU to ensure correct behaviour. This could be the case if these two components need a fast communication.

Communication Constraints. During the system configuration process, the actual signals between ECUs are calculated. At this point it happens that different communication paths are possible. AUTOSAR allows specifying constraints on the communication as part of the system description. The possibilities given here are similar to those of the mapping constraints. It is possible to define permissible and forbidden communication paths. In addition to this you can define common and separate signal paths. These definitions describe two or more communications. Common signal paths describe signals that must use the same physical path. The opposite is the separate signal path. It defines that two or more signals must not take the same physical way. This should be used for redundant communication.

RTE Resource Estimation. An AUTOSAR SWC uses the services of the RTE, which must be mapped on the ECUs in addition to the SWCs. Therefore it is necessary to describe the resources the RTE needs on every ECU. This is done as described in section 4. These specifications are also part of the system description.

6 Review and Evaluation

AUTOSAR provides the possibility to describe software components and timing behaviour. The discussed question is whether the description capabilities provide enough information for the design process of an automotive system with respect to non-functional properties. AUTOSAR gains flexibility and abstraction for the design process of software components. It provides a standardized API and interface descriptions so that software components can be exchanged in ways programmers know from Java or C++. The key goals while developing the standard were not to solve timing problems or other critical requirements. The goal was to support integration from a software-engineering perspective.

The timing model provides only basic features. There is no possibility to model the timing behaviour of the communication together with the scheduling behaviour. AUTOSAR provides no support for a systematic timing analysis procedure. Without this, it is hard to prove that a built system will work in practice. The templates for describing software components do not provide the possibility to define shared resources. The usage of shared resources can result in longer execution times, which means that the built schedule may not be correct.

In [6] the AUTOSAR consortium names high reliability and other safety parameters as one main objective of the standard. The usage of redundancy to reach these objectives is also described in this document. AUTOSAR fulfills these objectives by providing support for redundant components. Various constraints related to this can be specified in the system definition, like separated mapping or separated communication paths. This however must be done manually. AUTOSAR itself does not provide an automatism for this.

AUTOSAR at the current stage does not provide a proper timing framework. The existing timing framework which is described in [1] is not yet part of the standard and lacks many features which are crucial for the system build process. There are solutions available to this problem. The first would be to define a proper timing framework for AUTOSAR. The need for such a framework has been recognized by the consortium and the standard will be extended in further releases. [9] describes a way to extend the given standard with an additional timing framework which is not part of the standard but that provides the missing features.

A model for extending AUTOSAR with a more proper timing framework is described in [9]. The TIMMO project is an industry-driven complement of AUTOSAR which contains MARTE as Timing Augmented Description Language (TADL). The timing behaviour is described by MARTE, which provides many of the features missing in AUTOSAR, including a systematic timing analysis procedure on model level. There is also the possibility to describe shared resources and the timing behaviour of communications with respect to the schedule of the software components.

7 Conclusion

AUTOSAR provides a powerful methodology to develop software components for automotive systems. It describes the integration process of software components with respect to scalability, complexity and reliability. It does not provide information about how it should be done in detail, but how the components of a system have to be described so that a successful build process on a specific platform is possible following the methodology.

References

[1] Technical overview 2.2.2. Technical report, AUTOSAR GbR, 2008.
[2] Specification of the virtual functional bus 1.0.2. Technical report, AUTOSAR GbR, 2008.
[3] Software component template 3.1.0. Technical report, AUTOSAR GbR, 2008.
[4] Specification of BSW module description template 1.1.0. Technical report, AUTOSAR GbR, 2008.
[5] AUTOSAR methodology 1.2.2. Technical report, AUTOSAR GbR, 2008.
[6] AUTOSAR main requirements 2.0.5. Technical report, AUTOSAR GbR, 2008.
[7] Specification of the system template 3.0.4. Technical report, AUTOSAR GbR, 2008.
[8] H. Heinecke, W. Damm, B. Josko, A. Metzner, H. Kopetz, A. Sangiovanni-Vincentelli, and M. Di Natale. Software components for reliable automotive systems. Design, Automation and Test in Europe, 2008. DATE '08, pages 549–554, March 2008.
[9] S. Gérard, H. Espinoza, K. Richter. Evaluating MARTE in an industry-driven environment: TIMMO's challenges for AUTOSAR timing modeling. Design, Automation and Test in Europe, 2008. DATE '08, March 2008.
[10] Marco Di Natale. Virtual platforms and timing analysis: status, challenges and future directions. In DAC '07: Proceedings of the 44th annual conference on Design automation, pages 551–555, New York, NY, USA, 2007. ACM.
[11] P.-E. Hladik, A.-M. Deplanche, S. Faucou, and Y. Trinquet. Adequacy between AUTOSAR OS specification and real-time scheduling theory. Industrial Embedded Systems, 2007. SIES '07. International Symposium on, pages 225–233, July 2007.
[12] K. Richter. The AUTOSAR timing model: status and challenges. Leveraging Applications of Formal Methods, Verification and Validation, 2006. ISoLA 2006. Second International Symposium on, pages 9–10, Nov. 2006.
[13] dSPACE. TargetLink product information, January 2009. http://www.dspace.de/ww/de/gmb/home/products/sw/pcgs/targetli.cfm.
[14] ETAS. ASCET product information, January 2009. http://www.etas.com/de/products/ascet_software_products.php.
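The two event models of section 3.1 (RecurringEventModel with lowest/highest inter-occurrence time, PeriodicEventModel with period and jitter) are easiest to understand as checks over a recorded trace of occurrence times. The following is an added example written for this page; it is not code from the paper or from the AUTOSAR standard. The class and attribute names, the millisecond unit, the `start` of the first period interval and the event traces are all assumptions constructed here.

```python
"""Check a recorded event trace against the two AUTOSAR event models of section 3.1.

Added example, not code from the paper or from the AUTOSAR standard. Event
occurrence times are floats in milliseconds; the traces below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence

INF = float("inf")


@dataclass(frozen=True)
class RecurringEventModel:
    """Sporadic events: the next occurrence lies in
    [t_last + lowest_iot, t_last + highest_iot]."""
    lowest_iot: float
    highest_iot: float = INF  # INF: only a minimal distance between events is required

    def violations(self, occurrences: Sequence[float]) -> List[str]:
        msgs: List[str] = []
        for t_last, t_next in zip(occurrences, occurrences[1:]):
            gap = t_next - t_last
            if gap < self.lowest_iot:
                msgs.append(f"t={t_next}: gap {gap} below lowest IOT {self.lowest_iot}")
            elif gap > self.highest_iot:
                msgs.append(f"t={t_next}: gap {gap} above highest IOT {self.highest_iot}")
        return msgs


@dataclass(frozen=True)
class PeriodicEventModel:
    """Periodic events: the period defines intervals, each holding one occurrence;
    the delay is the time from the interval start to the occurrence, and the
    spread between the largest and smallest delay must stay within the jitter."""
    period: float
    jitter: float
    start: float = 0.0  # start of the first interval (assumption: the paper leaves it open)

    def delay(self, t: float) -> float:
        """Time from the beginning of the interval containing t to t itself."""
        return (t - self.start) % self.period

    def violations(self, occurrences: Sequence[float]) -> List[str]:
        msgs: List[str] = []
        if not occurrences:
            return msgs
        # Count the occurrences that fall into each period interval.
        per_interval: Dict[int, int] = {}
        for t in occurrences:
            k = int((t - self.start) // self.period)
            per_interval[k] = per_interval.get(k, 0) + 1
        for k in range(max(per_interval) + 1):
            n = per_interval.get(k, 0)
            if n != 1:
                msgs.append(f"interval {k}: expected one occurrence, found {n}")
        delays = [self.delay(t) for t in occurrences]
        spread = max(delays) - min(delays)
        # The paper asks for the spread to be smaller than the jitter; equality is
        # accepted here so that a jitter of 0 admits a perfectly periodic trace.
        if spread > self.jitter:
            msgs.append(f"delay spread {spread} exceeds jitter {self.jitter}")
        return msgs


if __name__ == "__main__":
    # Constructed traces: a sporadic OpenDoor event and a 10 ms sensor tick.
    door = RecurringEventModel(lowest_iot=10, highest_iot=50)
    print("OpenDoor:", door.violations([0, 12, 40, 95]) or "ok")
    tick = PeriodicEventModel(period=10, jitter=2)
    print("SensorTick:", tick.violations([1, 11, 24]) or "ok")
```

A trace that passes both checks is consistent with the model; a non-empty list names the first occurrence (or interval) at which the guarantee or requirement is broken, which is the information a schedule or a communication constraint derived from the model would need.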
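The two timing chain models of section 3.2 (MinMaxOneToOne and MaxAge) and the sender-receiver chain of section 3.3 can be checked the same way over recorded activations of a chain. The following is an added example written for this page, not code from the paper or from the AUTOSAR standard. Representing an activation as a pair (time of the first event, time of the last event), the model class names, the millisecond unit and the stimulus traces are constructed assumptions; the pairing of the i-th DataElementAvailableonPPort event with the i-th DataElementAvailableonRPort event assumes that no transfer is lost or reordered.

```python
"""Check timing chain activations against the MinMaxOneToOne and MaxAge models of
section 3.2, including the sender-receiver chain of section 3.3.

Added example, not code from the paper or from the AUTOSAR standard. An
activation of a chain is a pair (first event time, last event time); the
stimulus traces and activations below are constructed, in milliseconds.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

Activation = Tuple[float, float]


def response_time(act: Activation) -> float:
    """Time between the activation of the first and of the last event of the chain."""
    return act[1] - act[0]


@dataclass(frozen=True)
class MinMaxOneToOneModel:
    """Event-driven systems: one activation per stimulus, response time in [min, max]."""
    minimum: float
    maximum: float

    def violations(self, stimuli: Sequence[float], activations: Sequence[Activation]) -> List[str]:
        msgs: List[str] = []
        if len(stimuli) != len(activations):
            msgs.append(f"{len(stimuli)} stimuli but {len(activations)} activations; one-to-one required")
        for act in activations:
            rt = response_time(act)
            if not self.minimum <= rt <= self.maximum:
                msgs.append(f"activation at t={act[0]}: response time {rt} outside [{self.minimum}, {self.maximum}]")
        return msgs


@dataclass(frozen=True)
class MaxAgeModel:
    """State-based systems: every activation responds within maxage, and every stimulus
    is answered either by its own activation or by a later one whose response still
    falls within maxage of the stimulus time."""
    maxage: float

    def violations(self, stimuli: Sequence[float], activations: Sequence[Activation]) -> List[str]:
        msgs: List[str] = []
        for act in activations:
            if response_time(act) > self.maxage:
                msgs.append(f"activation at t={act[0]}: response time {response_time(act)} exceeds maxage {self.maxage}")
        for s in stimuli:
            # An activation counts for stimulus s if it starts no earlier than s and its
            # response arrives within maxage measured from s, not from its own start.
            answered = any(start >= s and end - s <= self.maxage for start, end in activations)
            if not answered:
                msgs.append(f"stimulus at t={s}: no activation responds within maxage {self.maxage}")
        return msgs


def sender_receiver_activations(pport_times: Sequence[float], rport_times: Sequence[float]) -> List[Activation]:
    """Section 3.3: a VFB transfer is a chain from DataElementAvailableonPPort to
    DataElementAvailableonRPort. The i-th events of both traces are paired, which
    assumes (constructed simplification) that no transfer is lost or reordered."""
    return list(zip(pport_times, rport_times))


if __name__ == "__main__":
    brake = MinMaxOneToOneModel(minimum=2, maximum=5)
    print("brake chain:", brake.violations([0, 10, 20], [(0, 4), (10, 13), (20, 26)]) or "ok")
    age = MaxAgeModel(maxage=6)
    print("door state chain:", age.violations([0, 3, 10], [(0, 4), (10, 13)]) or "ok")
    transfer = sender_receiver_activations([0, 20], [2, 25])
    print("VFB transfer:", brake.violations([0, 20], transfer) or "ok")
```

The MaxAge check makes the difference between the two models visible: the stimulus at t=3 in the constructed trace has no activation of its own, which MinMaxOneToOne would reject outright, while MaxAge accepts it as long as the later activation at t=10 still responds within maxage of t=3 (it does for maxage 10, not for maxage 6).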
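The mapping and communication constraints of section 5 (forced mapping, permitted and forbidden ECU sets, separated and clustered components, permissible and forbidden communication paths, common and separate signal paths) are exactly the kind of rules a tool would check before accepting a System Mapping. The following is an added example written for this page, not code from the paper or from the AUTOSAR system template; the ECU, component, signal and bus names are constructed, and the constraint holders are a plain Python representation, not the AUTOSAR template structure.

```python
"""Check a system mapping and the chosen signal paths against the constraints of the
AUTOSAR system description discussed in section 5.

Added example, not code from the paper or from the AUTOSAR system template. The
component, ECU and bus names are constructed; the constraint kinds are the ones
the paper names.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

UNMAPPED = "<unmapped>"


@dataclass
class MappingConstraints:
    forced: Dict[str, str] = field(default_factory=dict)              # SWC -> the ECU it must run on
    must_be_on: Dict[str, Set[str]] = field(default_factory=dict)     # SWC -> ECUs it may run on
    must_not_be_on: Dict[str, Set[str]] = field(default_factory=dict) # SWC -> ECUs it must avoid
    separated: List[FrozenSet[str]] = field(default_factory=list)     # redundant SWCs, different ECUs
    clustered: List[FrozenSet[str]] = field(default_factory=list)     # tightly coupled SWCs, one ECU


def check_mapping(mapping: Dict[str, str], c: MappingConstraints) -> List[str]:
    """Return one message per violated mapping constraint (empty list: mapping admissible)."""
    def ecu_of(swc: str) -> str:
        return mapping.get(swc, UNMAPPED)

    msgs: List[str] = []
    for swc, ecu in c.forced.items():
        if ecu_of(swc) != ecu:
            msgs.append(f"{swc}: forced on {ecu}, mapped on {ecu_of(swc)}")
    for swc, ecus in c.must_be_on.items():
        if ecu_of(swc) not in ecus:
            msgs.append(f"{swc}: mapped on {ecu_of(swc)}, must be on one of {sorted(ecus)}")
    for swc, ecus in c.must_not_be_on.items():
        if ecu_of(swc) in ecus:
            msgs.append(f"{swc}: must not be mapped on {ecu_of(swc)}")
    for group in c.separated:
        ecus_used = [ecu_of(s) for s in sorted(group)]
        if len(set(ecus_used)) < len(ecus_used):
            msgs.append(f"separated components {sorted(group)} share an ECU: {ecus_used}")
    for group in c.clustered:
        distinct = {ecu_of(s) for s in group}
        if len(distinct) != 1:
            msgs.append(f"clustered components {sorted(group)} are spread over {sorted(distinct)}")
    return msgs


@dataclass
class CommunicationConstraints:
    permissible: Dict[str, Set[str]] = field(default_factory=dict)  # signal -> paths it may use
    forbidden: Dict[str, Set[str]] = field(default_factory=dict)    # signal -> paths it must not use
    common: List[FrozenSet[str]] = field(default_factory=list)      # signals sharing one physical path
    separate: List[FrozenSet[str]] = field(default_factory=list)    # redundant signals, distinct paths


def check_signal_paths(paths: Dict[str, str], c: CommunicationConstraints) -> List[str]:
    """Return one message per violated communication constraint."""
    def path_of(sig: str) -> str:
        return paths.get(sig, UNMAPPED)

    msgs: List[str] = []
    for sig, allowed in c.permissible.items():
        if path_of(sig) not in allowed:
            msgs.append(f"{sig}: path {path_of(sig)} is not permissible")
    for sig, banned in c.forbidden.items():
        if path_of(sig) in banned:
            msgs.append(f"{sig}: path {path_of(sig)} is forbidden")
    for group in c.common:
        if len({path_of(s) for s in group}) != 1:
            msgs.append(f"common signal path {sorted(group)} uses different paths")
    for group in c.separate:
        used = [path_of(s) for s in sorted(group)]
        if len(set(used)) < len(used):
            msgs.append(f"separate signal path {sorted(group)} shares a path: {used}")
    return msgs


# Constructed system: a redundant brake controller whose backup was put on the same ECU,
# and a redundant brake command routed over the same bus as the primary one.
EXAMPLE_MAPPING = {
    "BrakeCtrl": "ecu_front", "BrakeCtrlBackup": "ecu_front",
    "WheelSensorFusion": "ecu_front", "BrakeActuator": "ecu_rear", "DoorCtrl": "ecu_body",
}
EXAMPLE_MAPPING_CONSTRAINTS = MappingConstraints(
    forced={"BrakeActuator": "ecu_rear"},
    must_be_on={"DoorCtrl": {"ecu_body", "ecu_front"}},
    must_not_be_on={"BrakeCtrl": {"ecu_body"}},
    separated=[frozenset({"BrakeCtrl", "BrakeCtrlBackup"})],
    clustered=[frozenset({"BrakeCtrl", "WheelSensorFusion"})],
)
EXAMPLE_PATHS = {
    "brake_cmd": "can_chassis", "brake_cmd_backup": "can_chassis",
    "wheel_speed": "flexray_a", "wheel_torque": "flexray_a", "door_state": "can_body",
}
EXAMPLE_COMM_CONSTRAINTS = CommunicationConstraints(
    permissible={"brake_cmd": {"can_chassis", "flexray_a"}},
    forbidden={"door_state": {"flexray_a"}},
    common=[frozenset({"wheel_speed", "wheel_torque"})],
    separate=[frozenset({"brake_cmd", "brake_cmd_backup"})],
)

if __name__ == "__main__":
    for msg in check_mapping(EXAMPLE_MAPPING, EXAMPLE_MAPPING_CONSTRAINTS):
        print("mapping:", msg)
    for msg in check_signal_paths(EXAMPLE_PATHS, EXAMPLE_COMM_CONSTRAINTS):
        print("communication:", msg)
```

On the constructed system both checks report exactly the two redundancy mistakes the paper's constraints exist to catch: the backup controller on the same ECU as the primary (separated components) and the backup command on the same bus as the primary (separate signal path). Moving BrakeCtrlBackup to another ECU clears the mapping report while the clustered pair BrakeCtrl/WheelSensorFusion stays satisfied.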