Thursday 28 January
09:00 - 10:30
Auditorium St Exupery
Th.1.A
Design Space Exploration 2
chair : Jens Braband, Siemens AG, Germany
Th.1.A.1 09:00
Model-compilation challenges for Cyber-Physical systems (CPS)
There are several "disconnects" that need to be addressed to provide effective means for engineering Cyber-Physical Systems (CPS). One of them is how to construct an optimized application starting from high-level modeling tools while at the same time addressing new paradigms such as mixed-criticality, correct-by-design and multi/many-core platforms. In this position paper we introduce a new methodology called model-compilation for Cyber-Physical systems. This methodology introduces new concepts and processes and can be seen as a specification that tool vendors and developers, or CPS application design and development teams, can integrate (instantiate) into their tool chain or adopt as a development process in order to construct their CPS application.
Th.1.A.2 09:30
Pareto-efficient deployment synthesis for safety-critical applications in seamless model-based development
Increasingly complex functionality in automotive applications demands more and more computing power. As room for computing units in modern vehicles dwindles, centralized architectures, with larger, more powerful processing units, are the trend. With this trend, applications no longer run on dedicated hardware, but share the same computing resources with others on the centralized platform. Ascertaining efficient deployment and scheduling for co-located applications is complicated by the extra constraints which arise if some of them have safety-critical functionality. Building on our pre-existing design space exploration solution, we integrated safety constraints, such as ASIL and hardware failure rates, as well as practical aspects, such as component costs, and extended the approach to allow for multi-criteria optimization. The work was implemented in our seamless model-based research CASE tool AutoFOCUS3 and evaluated using a non-trivial industrially inspired case study. The solution is capable of synthesizing deployments together with corresponding schedules which satisfy different safety and resource constraints. The deployments can be included in argumentation structures for a safety case. Moreover, we are not interested in merely valid solutions, but in good ones. We hence developed a multi-objective optimization algorithm which synthesizes solutions that are Pareto-optimized for safety, resource usage, timing and any other constraints we define. Our approach demonstrates the feasibility and effectiveness of using formal methods to generate correct solutions for safety-critical applications, increasing the confidence in and validity of safety cases.
Th.1.A.3 10:00
Comparing several candidate architectures (variants) : An Industrial Case Study
In systems and software engineering, the analysis of architectural variants is most of the time subjective and manual. The justification of a variant is seldom based on the assets, flaws and strengths of the different options. Ideally, assessing or comparing several candidate architectures (variants) should be based on some decision criteria, corresponding to a Multi-Criteria Decision Aiding (MCDA) problem. This paper explores the design space of variants for multi-criteria optimization.
09:00 - 10:30
Guillaumet
Th.1.B
Network & Simulation
chair : Patrick Cormery, Astrium Space Transportation, France
Th.1.B.1 09:00
Timing-accurate simulation in the design of real-time automotive Ethernet networks
Networking technologies such as AFDX, TTP or TTEthernet have been conceived with the requirement that the temporal behavior of the network must be predictable, if not deterministic, and are thus amenable to worst-case verification with limited pessimism (see [Bo12,Bo14] for AFDX). AUTOSAR-based automotive architectures, based on CAN or Ethernet, are in our experience not as easily analyzable from a timing point of view, because of their complexity, their heterogeneous hardware and software components, and because the temporal behaviors of the ECUs and gateways are less constrained. On the other hand, AUTOSAR offers a wide range of configuration options and complex execution mechanisms to support in an efficient manner the numerous requirements of automotive communications, and the scope of what is possible is still increasing with, for instance, the introduction of SOME/IP in AUTOSAR. As a result, schedulability analyses for automotive systems are in our opinion unable today to capture the entire complexity of the system [this will be illustrated on the AUTOSAR SocketAdaptor module], with the risk of being pessimistic and possibly unsafe. In addition, it is acceptable for most automotive functions to tolerate occasional deadline misses and message losses, provided that the risk is well quantified and the functions are made robust to these events. These two reasons motivate in our view the use of simulation along with schedulability analysis for the design of automotive systems, as explored in this paper. The main shortcoming of simulation is that it does not provide any guarantees on the relevance of the results, and the user always remains unsure about the extent to which simulation results can be trusted.
Simulation can lead to wrong results because of mistakes in methodology (e.g., simulation time, number of experiments, improperly handled transient state at the beginning of the simulation, etc.) or simply because the performance metrics under study are out of reach of simulation. The two basic questions that we aim to study here are: what can be expected from simulation, and how should it be used properly? This empirical study explores these questions and provides methodological guidelines for the use of simulation in the design of switched Ethernet networks. A broader objective of the study is to compare the outcomes of schedulability analyses and simulation, and to conclude about the scope of usability of simulation in the design of critical Ethernet networks.
Th.1.B.2 09:30
A Practical Approach to the Simulation of Safety-critical Automotive Control Systems considering Complex Data Flows
Embedded systems contribute greatly to the efficiency, safety, and usability of our present-day means of transport like cars and airplanes. Due to the possible hazards and risks involved in their operation, safety standards like DO-178C for avionics and ISO 26262 for automotive require the application of methods and tools according to the state of the art. Functional safety requirements imposed on hardware and software imply the detection of malfunctions and taking corrective actions before hazards actually occur. As described in [BKM2011], one of the key challenges here is the prediction and verification of the system's timing behavior. In this paper we describe a model-based approach for real-time simulation focusing on complex end-to-end data flows typically encountered in safety-critical automotive control applications. Based on first-hand experience gained during the development of an electrical power steering control system, we illustrate how real-time simulation models can be utilized to guide design decisions and help to achieve safety goals defined at system level. Furthermore, we discuss the issues of response time analysis for dynamic state-dependent data flows, considering different semantics for communication in the context of the AUTOSAR standard.
Th.1.B.3 10:00
Qualitative simulation and validation of complex hybrid systems
Industrial complex systems need more validation and verification, which is well advanced for discrete systems. For hybrid systems, which combine discrete and continuous aspects, these techniques are not yet fully operational. To improve them, qualitative simulation can be used: it is based on the principle of discretization by partitioning the ranges of variation of continuous variables, thereby representing the evolution of these variables. It can discretize a system by representing its continuous part, which is described by differential equations. Coupled with the discrete part of the system, it gives a fully discrete global model on which formal techniques can be applied for validation. If the differential equations cannot be expressed clearly, it is necessary to establish a qualitative model describing the laws of evolution of the continuous variables. A methodology has been established and experimented with to represent the variations of continuous variables and the causal links between them, and thereby to obtain a mapping of the behaviors of the system for validation.
09:00 - 10:30
Ariane 1
Th.1.C
Virtual Platforms
chair : Eric Faure, ASTC Design Partners, France
Th.1.C.1 09:00
Xvisor VirtIO CAN: Fast Virtualized CAN
Nowadays, vehicles embed more and more electronics in order to support new services such as driver detection, lane keeping and automatic cruise control. However, adding electronics makes vehicles more expensive. Fortunately, virtualization through a hypervisor reduces the number of embedded chips in a vehicle by running different guests, i.e. operating systems, offering several services on the same board. As communication between embedded controllers is compulsory for vehicles to function, an optimized virtualization of the Controller Area Network (CAN) bus becomes mandatory. CAN bus virtualization is challenging as it has to handle the CAN arbitration mechanism and to provide CAN frame broadcast in a transparent manner. In this paper, we show how VirtIO is adapted in a hypervisor, namely Xvisor, to support CAN driver virtualization, CAN frame priority and CAN communication between guests and external boards.
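The two properties the abstract names, identifier-based arbitration and transparent broadcast, are easy to get subtly wrong in a virtual bus. The following added example (not Xvisor or VirtIO code; the guest names, frames and the VirtualCanBus class are constructed for illustration) models a host-side bus with one transmit queue per guest and shows the difference between a plain FIFO virtqueue and a backend that honours frame priority within a guest's pending frames. It also validates identifier and payload length at the host boundary, because a guest must not be able to inject what a real controller could never put on the wire.

```python
"""Illustration of what a virtualized CAN bus must reproduce for its guests:
identifier-based arbitration and transparent broadcast. Added example; this is not
Xvisor or VirtIO code, and the guest names and frames are constructed."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    can_id: int      # 11-bit standard identifier; numerically lower wins arbitration
    data: bytes      # classic CAN payload, 0..8 bytes
    src: str         # sending guest (bookkeeping only, not part of the wire format)

    def __post_init__(self):
        # Validate at the host boundary: reject frames a real controller could not send.
        if not 0 <= self.can_id <= 0x7FF:
            raise ValueError("standard CAN identifier must fit in 11 bits")
        if len(self.data) > 8:
            raise ValueError("classic CAN payload is at most 8 bytes")


class VirtualCanBus:
    """Hypothetical host-side bus: one TX queue and one RX list per guest."""

    def __init__(self, guests, priority_aware=True):
        self.tx = {g: deque() for g in guests}
        self.rx = {g: [] for g in guests}
        # A plain FIFO virtqueue offers a guest's frames in submission order; a
        # priority-aware backend offers the guest's lowest ID first, as a real
        # controller with several TX mailboxes would.
        self.priority_aware = priority_aware

    def send(self, guest, frame):
        self.tx[guest].append(frame)

    def _candidate(self, guest):
        q = self.tx[guest]
        return min(q, key=lambda f: f.can_id) if self.priority_aware else q[0]

    def arbitrate(self):
        """One bus cycle: among all guests with a pending frame, the lowest identifier
        wins (dominant bits win bit by bit on the wire, which amounts to the smallest
        numeric ID). Equal IDs from two nodes are a misconfiguration on a real bus;
        the tie-break on guest name only keeps this simulation deterministic."""
        pending = [(self._candidate(g).can_id, g) for g, q in self.tx.items() if q]
        if not pending:
            return None
        _, winner = min(pending)
        frame = self._candidate(winner)
        self.tx[winner].remove(frame)
        for g, inbox in self.rx.items():
            if g != winner:           # every other node sees every frame
                inbox.append(frame)
        return frame

    def drain(self):
        """Run arbitration until all TX queues are empty; returns frames in wire order."""
        order = []
        while (f := self.arbitrate()) is not None:
            order.append(f)
        return order


def run_scenario(priority_aware):
    """Constructed scenario: three guests submit frames, one of them two at once."""
    bus = VirtualCanBus(["engine", "brake", "infotainment"], priority_aware)
    bus.send("infotainment", CanFrame(0x500, b"\x01", "infotainment"))
    bus.send("infotainment", CanFrame(0x300, b"\x02", "infotainment"))
    bus.send("brake", CanFrame(0x100, b"\x03", "brake"))
    bus.send("engine", CanFrame(0x080, b"\x04", "engine"))
    bus.drain()
    return bus


def wire_order(priority_aware):
    """Identifiers in the order they would appear on the bus."""
    return [f.can_id for f in run_scenario(priority_aware).rx["brake"]] + [0x100] \
        if False else [f.can_id for f in _drained(priority_aware)]


def _drained(priority_aware):
    bus = VirtualCanBus(["engine", "brake", "infotainment"], priority_aware)
    bus.send("infotainment", CanFrame(0x500, b"\x01", "infotainment"))
    bus.send("infotainment", CanFrame(0x300, b"\x02", "infotainment"))
    bus.send("brake", CanFrame(0x100, b"\x03", "brake"))
    bus.send("engine", CanFrame(0x080, b"\x04", "engine"))
    return bus.drain()
```

With a priority-aware backend the wire order is 0x080, 0x100, 0x300, 0x500; with a plain FIFO the infotainment guest's 0x500 frame goes out before its own 0x300 frame, which is the priority inversion a virtual CAN driver has to avoid. The same structure also makes the classic CAN weakness visible: a guest that keeps submitting low identifiers wins every cycle, so a host backend that wants to keep a compromised guest from starving the others needs a per-guest rate limit or ID filter in front of arbitration.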
Th.1.C.2 09:30
An Experiment on Exploiting Virtual Platforms for the Development of Embedded Equipments
Virtual engineering methods and tools based on simulation have become a privileged means to reduce time-to-market and product cost. However, design and verification activities still need to be improved to manage the ever-increasing complexity of electronic products and their interactions with heterogeneous environments. In particular, an important challenge is to master the real-time properties of a product composed of interacting hardware and software components. In this paper we propose a pragmatic approach to using virtual platforms to verify gradually and accurately the properties of a system under design. We illustrate the approach on an example.
Th.1.C.3 10:00
QBox: an industrial solution for virtual platform simulation using QEMU and SystemC TLM-2.0
As demands for modeling, simulation and exploration tools during SoC conception and development grow, there is a need for simulated CPU models that work with the other tools in the space. There have been many attempts to build libraries of CPU design models, most notably the Open Virtual Platform project. This work focuses on defining a complete open source, SystemC-compliant approach with a QEMU-based model, which supports almost all current and past CPUs. It draws on a very large and dynamic open source community with hundreds of developers active around the world. The work makes QEMU available for use in a standard SystemC (IEEE 1666) based tool environment. This paper addresses the current state and upcoming features of two CPU virtualizers usable in a SystemC simulation context: QEMU-SC and QBox (QEMU in a Box). It also examines how these current implementations work, and the limitations they have with respect to SystemC. It then looks at recent developments within QEMU itself. Moreover, the integration between QEMU and a SystemC simulation environment is investigated to improve the simulation speed and usability of these solutions. Finally, the paper looks at forthcoming developments which we hope to put in place.
09:00 - 10:30
Ariane 2
Th.1.D
Dependability
chair : Philippe Baufreton, Sagem, France
Th.1.D.1 09:00
Safer Marine and Offshore Software with Formal-Verification-Based Guidelines
In industrial sectors where life-critical safety has historically represented the main concern (e.g. aviation, nuclear energy, railways, etc.), advanced functional safety standards have become a condition for market access. As safety is their prime concern, these standards are very demanding for the organizations that have to conform to their objectives. For the industrial sectors where safety aspects are less prevalent (e.g. navy, renewable energy, domestic appliances, etc.), best practices of software development are widespread without being gathered in a single document. This is the case within the navy industry. Testing a software system can be complemented with additional activities carried out throughout its development process (project organisation, specification and refinement of the requirements, V&V activities, etc.). This planned, modular and rigorous software lifecycle is the basis for the demonstration of a correct software system. Furthermore, recent technologies (less than 15 years old) that verify software by analysing its source code have demonstrated their relevance in software product assessment schemes. It is with this dual assessment methodology in mind that the BUREAU VERITAS and CEA LIST partnership has been working on SOFTWARE DEVELOPMENT & ASSESSMENT GUIDELINES. This document provides minimum objectives that should be met by any software system that needs to demonstrate its ability to achieve an expected performance level, thus satisfying common safety concerns.
Th.1.D.2 09:30
Development of a safe CPS component: the hybrid parachute, a remote termination add-on improving safety of UAS
Drones or Unmanned Aerial Vehicles (UAVs) have been increasingly spotted on civilian radars. They are everywhere in the news. Having hundreds or thousands of mostly autonomous UAVs flying in rural but also urban airspace also raises important safety concerns. Applying the same techniques and guidelines used in the aeronautics industry for the certification of small to medium size (and weight) Unmanned Aerial Vehicles / Systems (UAV / UAS) is not a reasonable path. Indeed, the actual cost of certification applied to every part, every modification and every UAV cannot deliver solutions that would cost a couple of thousand euros, which is what can be targeted for general public use. For now, the regulation tends to focus on the responsibility of the drone sector actors, with a good part on the operator. So far, the systems are a lot closer to improved RC systems than to downsized aircraft. But more autonomous UAVs, though still supervised, will require achieving and demonstrating higher safety levels. Alerion is developing a design framework to build tailor-made UAS by the integration of (Secure and) Provably Safe Cyber-Physical components. Building on our experience of the safety requirements exemplified in the UAV Outback "Search and Rescue" challenge, we applied this approach to the design of a Smart Hybrid Parachute system. This system is an all-in-one (hardware and software) add-on to any UAV. It works independently of the UAV's regular operation and can be triggered either by the operator through a safe, secure and dedicated communication channel or upon the detection of specific error conditions (e.g., hardware or software failures, system out of its validated flight envelope, communication problems).
The requirements elicitation phase, the design, the simulation with hardware-in-the-loop, and the verification of the parachute system have been performed with CPAL, a lightweight model-based design environment for critical systems jointly developed by RTaW and the University of Luxembourg (the complete CPAL development environment and the models of the parachute system will be freely available from http://www.designcps.com). Tests carried out using fault injection on a hexacopter UAV (reported in the complete paper) show that the parachute system meets its design requirements and provides a cost-effective solution to increase the safety of UAVs.
Th.1.D.3 10:00
Towards Resilient Computing on ROS for Embedded Applications
Systems are expected to evolve during their service life in order to cope with changes of various natures, ranging from fluctuations in available resources to additional features requested by users. For dependable embedded systems the challenge is even greater, as evolution must not impair dependability attributes. Resilient computing implies maintaining dependability properties when facing changes. Resilience encompasses several aspects, among which evolvability, i.e., the capacity of a system to evolve during its service life. In this paper, we discuss the evolution of systems with respect to their dependability mechanisms, and show how such mechanisms can evolve accordingly. Starting from a component-based approach that makes it possible to clarify the concepts, the process and the techniques to be used to address resilient computing, in particular regarding the adaptation of fault tolerance (or safety) mechanisms, we show how Adaptive Fault Tolerance (AFT) can be implemented with ROS. Beyond the implementation details given in the full paper, we draw the lessons learned from this work and discuss the limits of this runtime support for implementing such resilient computing features in embedded systems.
11:45 - 12:45
Auditorium St Exupery
Th.2.A
Code Generation
chair : Cyrille Comar, AdaCore, France
Th.2.A.1 11:45
RTE Generation and BSW Configuration Tool-Extension for Embedded Automotive Systems
Development of dependable embedded automotive systems faces many challenges, arising from increasing complexity, criticality and demand for certifiability on the one hand, and short time-to-market intervals and the requirement of a coherent reuse strategy on the other. Efficient and consistent development models along the entire development lifecycle need to be ensured. The challenge is to ensure consistency of the concept constraints and configurations along the entire product life cycle. So far, existing solutions are still frequently insufficient when transforming system models at a higher level of abstraction into more concrete engineering models (such as software engineering models). The aim of this work is to present a model-driven system-engineering framework add-on which enables the configuration of basic software components and the generation of a runtime environment layer (RTE; the interface between application and basic software) for embedded automotive systems, consistent with pre-existing constraints and system descriptions. To that end, a tool bridge to seamlessly transfer artifacts from the system development level to the software development level is described. This enables the seamless description of automotive software and software module configurations, from system-level requirements to software implementation, and therefore ensures consistency and correctness of the configuration.
Th.2.A.2 12:15
From system functional definition to software code
This paper addresses the classical problem of system-to-software engineering following a Model Driven Engineering (MDE) approach. Even if this approach is now widely used in industry, some issues remain: long-term availability of the tools (for projects with a duration of several decades), use of standards and Commercial Off-The-Shelf (COTS) tools versus Domain Specific Languages (DSL), different modelling tools for the system and the software, and the quality and mastering of automatically generated code. This paper shows how it is possible to take simultaneous benefit of COTS (low price), DSL (adapted to specific needs) and in-house tools (which can be maintained for very long periods of time) to develop complex critical systems.
11:45 - 12:45
Guillaumet
Th.2.B
Multicore & Predictability
chair : Denis Claraz, Continental Automotive, France
Th.2.B.1 11:45
Bounding Resource Contention Interference in the Next-Generation Microprocessor (NGMP)
The space industry, like several other real-time industries, is assessing the use of multicore processors as its main computing platform. While multicore processors bring the potential of integrating several (mixed-criticality) software functions, their use also brings some challenges. In particular, tasks running on multicores may experience high contention delays when accessing the multicore's shared resources. This means that the load a task puts on shared resources impacts the Execution Time Bounds (ETBs) derived for other co-running tasks. In this paper we focus on the Cobham Gaisler NGMP, acknowledged as one of the multicore processors currently assessed by the European Space Agency for its future missions, for which we propose a measurement-based approach to bound contention interference. Given a task $\tau$, instead of providing ETBs for the highest contention that any set of co-runners can generate, which has already been shown to be potentially high, our approach provides bounds that factor in the number of requests the contenders generate regardless of how they align with $\tau$'s requests. This provides a good balance between ETB accuracy and independence from the co-runners (time composability), since our approach only requires controlling the number of requests each task makes to the shared resources.
Th.2.B.2 12:15
Predictable composition of memory accesses on many-core processors
The use of many-core COTS processors in safety critical embedded systems is a challenging research topic. The predictable execution of several applications on those processors is not possible without a precise analysis and mitigation of the possible sources of interference. In this paper, we identify the external DDR-SDRAM and the Network on Chip to be the main bottlenecks for both average performance and predictability in such platforms. As DDR-SDRAM memories are intrinsically stateful, the naive calculation of the Worst-Case Execution Times (WCETs) of tasks involves a significantly pessimistic upper-bounding of the memory access latencies. Moreover, the worst-case end-to-end delays of wormhole switched networks cannot be bounded without strong assumptions on the system model because of the possibility of deadlock. We provide an analysis of each potential source of interference and we give recommendations in order to build viable execution models enabling efficient composable computation of worst-case end-to-end memory access latencies compared to the naive worst-case-everywhere approach.
11:45 - 12:45
Ariane 1
Th.2.C
Test
chair : Eric Conquet, ESA, The Netherlands
Th.2.C.1 11:45
Automatic Interleaving for Testing Distributed Systems
The ever-growing interest in large-scale distributed systems like the Internet of Things imposes many challenges on developers and researchers from many areas. The development of distributed software applications is by no means trivial, and their inherent complexity becomes apparent during testing. Indeed, testing the operation of single isolated nodes does not suffice, because it may be affected by the distribution of and inter-communication between nodes. Re-writing a test case to consider distribution is neither efficient nor simple, because concurrency is never easy to implement. In this paper we present an approach that automatically interleaves the execution of test cases to simulate the concurrency inherent in distribution. We focus on independent test cases that might exhibit a correlation due to distributed interaction. The approach is applied in the context of standard modeling and testing languages, and enables the identification of interaction points during test case execution that depend on distribution. The re-execution of the test case is then interleaved at the identified points to account for distribution.
Th.2.C.2 12:15
Facing ADAS validation complexity with usage oriented testing
Advanced Driver Assistance Systems (ADAS) validation is a strategic issue, since the use of such systems is becoming widespread in the automotive field. The French research & development project COVADEC, started in mid-2013, aims to provide methods and techniques for car manufacturers and automotive OEMs facing this problem. Once the safety objectives have been specified, the approach presented in this paper automatically generates optimised test cases. To cope with the combinatorial explosion, we have developed an ad hoc random scan Gibbs sampler (RSGS), which converges at geometric speed to the user profile distribution. The obtained test cases can be run either in simulation or on real data. The testing tool chain used for simulation purposes is also described in the paper.
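What a random scan Gibbs sampler does for usage-oriented testing is best seen on a small profile. The following added example is not COVADEC code: the three scenario parameters, their domains and the weights of the usage profile are constructed for illustration, and the function names are the author's own. Each step picks one scenario parameter uniformly at random and resamples it from its full conditional given the others; on a finite state space where every scenario has positive probability the chain is irreducible and aperiodic, which is what gives the geometric convergence the abstract mentions. The drawn scenarios are then deduplicated into a usage-weighted test suite.

```python
"""Random-scan Gibbs sampler drawing test scenarios from a usage profile.
Added illustration of the technique named in the abstract; not COVADEC code,
and the profile below is constructed, not real driving data."""
import random
from itertools import product

# Scenario parameters of a hypothetical ADAS test campaign and their discrete domains.
DOMAINS = {
    "road": ("urban", "rural", "highway"),
    "weather": ("dry", "rain"),
    "lead_gap": ("far", "close"),
}
NAMES = tuple(DOMAINS)


def _weight(road, weather, lead_gap):
    """Unnormalised usage-profile weight of one scenario (constructed numbers)."""
    w = {"urban": 3.0, "rural": 2.0, "highway": 5.0}[road]
    if weather == "rain":
        w *= 0.4
    if road == "highway" and lead_gap == "close":
        w *= 0.5
    return w


def usage_profile():
    """Normalised joint distribution over all scenarios: the sampler's target."""
    table = {combo: _weight(*combo) for combo in product(*DOMAINS.values())}
    z = sum(table.values())
    return {k: v / z for k, v in table.items()}


def conditional(profile, state, idx):
    """Full conditional of coordinate idx given the other coordinates of state."""
    weights = []
    for v in DOMAINS[NAMES[idx]]:
        s = list(state)
        s[idx] = v
        weights.append(profile[tuple(s)])
    z = sum(weights)
    return [w / z for w in weights]


def random_scan_gibbs(profile, n_samples, seed=0, burn_in=500):
    """Random scan: each step picks one coordinate uniformly at random and resamples
    it from its full conditional. The first burn_in states (the transient) are
    discarded; the remaining states are approximately distributed as profile."""
    rng = random.Random(seed)
    state = [dom[0] for dom in DOMAINS.values()]
    samples = []
    for t in range(burn_in + n_samples):
        idx = rng.randrange(len(NAMES))
        probs = conditional(profile, state, idx)
        state[idx] = rng.choices(DOMAINS[NAMES[idx]], weights=probs, k=1)[0]
        if t >= burn_in:
            samples.append(tuple(state))
    return samples


def empirical(samples):
    counts = {}
    for s in samples:
        counts[s] = counts.get(s, 0) + 1
    return {k: c / len(samples) for k, c in counts.items()}


def max_abs_error(profile, samples):
    """Largest gap between target and empirical scenario frequency."""
    emp = empirical(samples)
    return max(abs(p - emp.get(k, 0.0)) for k, p in profile.items())


def generate_test_cases(n, seed=0):
    """Distinct scenarios in the order first drawn: frequent usage comes first,
    rare scenarios still appear once the chain has run long enough."""
    seen, cases = set(), []
    for s in random_scan_gibbs(usage_profile(), n, seed):
        if s not in seen:
            seen.add(s)
            cases.append(dict(zip(NAMES, s)))
    return cases
```

On a real profile the joint table is not enumerable, which is the whole point of Gibbs sampling: only the full conditionals are needed, and those are usually cheap to compute from the dependency structure of the profile. The max_abs_error check is the kind of convergence diagnostic that should accompany any sampler-generated test suite, since a suite drawn from a chain that has not mixed over-represents the region it started in.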
11:45 - 12:45
Ariane 2
Th.2.D
Safety & Security
chair : Jean Paul Blanquart, Airbus Defence and Space – Space Systems - France
Th.2.D.1 11:45
What’s Security Level got to do with Safety Integrity Level?
Recently, reports on IT security incidents related to railways have increased, as has public awareness. For example, it was reported that on December 1, 2011, "hackers, possibly from abroad, executed an attack on a Northwest rail company's computers that disrupted railway signals for two days". Although the details of the attack and also its consequences remain unclear, this episode clearly shows the threats to which railways are exposed when they rely on modern commercial-off-the-shelf (COTS) communication and computing technology. However, in most cases the attacks are denial of service attacks leading to service interruptions, but so far not to safety-critical incidents. Many other attacks that have been reported or claimed to be possible could fortunately be shown to be unfounded or were public-relations oriented, e.g. a hack of Nuremberg's automated metro was performed on an unprotected self-made system. What distinguishes railway systems from many other critical infrastructures is their inherently distributed and networked nature, with tens of thousands of kilometers of track for large operators, or even more. Thus, it is not economical to completely protect against physical access to this infrastructure and, as a consequence, railways are very vulnerable to physical denial of service attacks leading to service interruptions. Another feature distinguishing railways from other systems is the long lifetime of their systems and components. Current contracts usually demand support for over 25 years, and history has shown that many systems, e.g. mechanical or relay interlockings, last much longer. IT security analyses have to take such long lifespans into account. Some of the technical problems are not railway-specific, but are shared by a few other sectors such as Air Traffic Management. Publications and presentations related to IT security in the railway domain are increasing.
Some are particularly targeted at the use of public networks such as Ethernet or GSM for railway purposes, while others directly pose the question "Could rail signals be hacked to cause crashes?". While in railway automation harmonized functional safety standards were elaborated more than a decade ago, up to now no harmonized international IT security requirements for railway automation exist. A total of 12 standards or Technical Specifications is planned in the IEC 62443 series, which covers the topic of IT security for industrial automation and control systems entirely and independently. This series adds the topic of IT security to IEC 61508, the generic safety standard for programmable control systems. Up to now, though, IEC 61508 and IEC 62443 have only been loosely coupled. IEC 62443 addresses four different aspects or levels of IT security:
– General aspects such as concepts, terminology and metrics: IEC 62443-1-x
– IT security management: IEC 62443-2-x
– System level: IEC 62443-3-x
– Component level: IEC 62443-4-x
In IEC 62443, the IT security requirements are grouped into 7 fundamental requirements:
1. Identification and authentication control (IAC)
2. Use control (UC)
3. System integrity (SI)
4. Data confidentiality (DC)
5. Restricted data flow (RDF)
6. Timely response to events (TRE)
7. Resource availability (RA)
The Security Levels (SL) are defined generically in relation to the attacker type against whom they are to offer protection:
SL 1: Protection against casual or coincidental violation
SL 2: Protection against intentional violation using simple means with few resources, generic skills and a low degree of motivation
SL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS-specific skills and a moderate degree of motivation
SL 4: Protection against intentional violation using sophisticated means with extended resources, IACS-specific skills and a high degree of motivation
This paper starts with a discussion of the normative background, then discusses similarities and dissimilarities of IT security and functional safety, in particular from the point of view of their integrity measures: the Security Level (SL) from IEC 62443 and the Safety Integrity Level (SIL) from EN 50129 for safety systems, respectively. In particular the requirements on SL and SIL are compared, e.g. which SL can be covered by which SIL. The major results are:
• SL and SIL are completely different concepts, e.g. SL is a seven-dimensional vector (one level per fundamental requirement) in contrast to the scalar SIL
• For safety systems it is recommended to always take the requirements of SL 1 into account
• There exists no SL 0 for safety systems
• A preliminary proposal for SL profiles has been made in order to master the complexity of the potentially 16384 (4^7) SL vectors
A summary is given of which requirements for SL 1 are already covered, or not relevant, from a safety perspective. A more detailed discussion including a comparison with the SL 2 requirements is also presented.
Selected references
1. EN 50159, Railway applications – Communication, signalling and processing systems – Safety-related communication in transmission systems, September 2010
2. EN 50129, Railway applications – Communication, signalling and processing systems – Safety-related electronic systems for signalling, February 2003
3. IEC 62443, Industrial communication networks – IT security for networks and systems, series of 12 standards (planned), see http://en.wikipedia.org/wiki/Cyber_security_standards
4. DIN V VDE V 0831-104, Electric signalling systems for railways – Part 104: IT Security Guideline based on IEC 62443 (in German), 2015
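The abstract's central point, that an SL is a seven-component vector while a SIL is a scalar, has a concrete consequence for anyone assessing a signalling component: two SL vectors can be incomparable, so "meets SL 2" only makes sense component by component. The following added example (the author's illustration, not code from the paper or from IEC 62443; the SLVector class, the flat() profile helper and the sample achieved/target vectors are constructed) encodes the vector, the partial-order comparison the standard's SL-T/SL-A/SL-C notation implies, and the 4^7 = 16384 count behind the paper's call for SL profiles.

```python
"""Hypothetical helper for IEC 62443 Security Level vectors.
Added illustration; not code from the paper or from any standard."""

# The seven fundamental requirements, in the order of the vector notation
# SL(IAC, UC, SI, DC, RDF, TRE, RA).
FOUNDATIONAL_REQUIREMENTS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")


class SLVector:
    """One level (0..4) per fundamental requirement."""

    def __init__(self, *levels):
        if len(levels) != len(FOUNDATIONAL_REQUIREMENTS):
            raise ValueError("an SL vector has exactly seven components")
        if any(not isinstance(l, int) or not 0 <= l <= 4 for l in levels):
            raise ValueError("each component must be an integer in 0..4")
        self.levels = tuple(levels)

    def __getitem__(self, fr):
        return self.levels[FOUNDATIONAL_REQUIREMENTS.index(fr)]

    def meets(self, target):
        """An achieved (or capability) vector satisfies a target vector only if
        every component is at least the target's. This is a partial order: two
        vectors can be incomparable, which is exactly why a scalar SIL cannot be
        mapped onto an SL and vice versa."""
        return all(a >= t for a, t in zip(self.levels, target.levels))

    def shortfalls(self, target):
        """Fundamental requirements where this vector is below the target."""
        return [fr for fr, a, t in zip(FOUNDATIONAL_REQUIREMENTS, self.levels, target.levels)
                if a < t]

    def __str__(self):
        return "SL(" + ",".join(str(l) for l in self.levels) + ")"


def flat(level):
    """The profile 'same level for every FR'. flat(1) is the SL 1 baseline the
    paper recommends always taking into account for safety systems."""
    return SLVector(*([level] * len(FOUNDATIONAL_REQUIREMENTS)))


def comparable(a, b):
    """True when one vector dominates the other; False for incomparable pairs."""
    return a.meets(b) or b.meets(a)


def count_vectors(lowest=1, highest=4):
    """Number of distinct SL vectors when every component ranges lowest..highest.
    With SL 0 excluded, as the paper argues for safety systems, this is 4**7 = 16384;
    allowing SL 0 would give 5**7 = 78125."""
    return (highest - lowest + 1) ** len(FOUNDATIONAL_REQUIREMENTS)


if __name__ == "__main__":
    # Constructed example: a signalling component strong on integrity and
    # availability but offering no confidentiality beyond the SL 1 baseline.
    achieved = SLVector(2, 2, 3, 1, 2, 2, 3)
    target = flat(2)        # hypothetical flat SL 2 target
    print(achieved, "meets", target, "?", achieved.meets(target))
    print("shortfalls:", achieved.shortfalls(target))
    print("vectors without SL 0:", count_vectors())
```

A profile in the paper's sense is just a named target vector such as flat(2) with a few components raised or lowered; shortfalls() is the check an assessor runs against it, and it reports the gap per fundamental requirement rather than a single pass/fail number, which is the practical difference from a SIL claim.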
Th.2.D.2 12:15
Applying MILS principles to design connected embedded devices supporting the cloud, multi-tenancy and App Stores
The idyll of the Internet of Things is presently overshadowed by concerns over security, and particularly the protection of critical infrastructure. Imagine a car as a gateway device, with many demands on its systems infrastructure. Of course, the manufacturer will be first in the queue, providing software updates to security critical aspects of the vehicle and monitoring its condition. But alongside this core functionality there will also be a host of Apps from the Store to enable and entertain. The navigation service provider, accessing continuously evolving road data. Insurance applications, monitoring probationary drivers to help minimize premiums. Media streamers with the latest movies. Games, advertisements, and a host of other possibilities as yet unrealized. Such a vision of the future can only materialize when secure separation of the tenants can be guaranteed, and when safety critical updates cannot be compromised by the latest game to keep the children happy. Using such vehicle systems as an example, this presentation will discuss the fundamentals of MILS (Multiple Independent Levels of Security/Safety) principles, and how a gateway architecture founded on them can provide the robustness and integrity to ensure that security is never compromised.
15:00 - 16:00
Auditorium St Exupery
Th.3.A
Tool Support
chair : Frédéric Pinot, Ansaldo STS, France
Th.3.A.1 15:00
Accelerate the Development of Certified Software for Train Control & Monitoring Systems
The international railway industry is both highly dynamic and safety driven, requiring train manufacturers to speed up the entire development cycle while meeting quality and safety requirements in order to stay competitive. Modern train transportation systems have an ever-increasing level of sophistication that relies on embedded electronic equipment and communication networks. Train builders and their suppliers have to develop and deliver high-quality services and embedded systems while meeting increasingly stringent certification constraints. Guided by the EN 50128 standard, they have applied methodologies and sets of tools that provide full business process support and can:
• Define and validate the functional requirements of the systems (requirement management);
• Design control and safety functions at the train, vehicle and equipment levels (functional design and software architecture);
• Design, develop and deploy the software;
• Integrate, validate and qualify electronic systems in a progressive integration process;
• Easily manage all changes during the life of the product (change, option and variant management);
• Train and educate drivers, railway operators and maintenance technicians.
Train control engineers have faced increased certification constraints since the 2011 version of the EN 50128 standard. Demonstrating the compliance of the software with the related safety rules and criteria (development process, coding rules, defensive code, unit tests, ...) costs more and more. This paper illustrates a model-based system engineering approach for the design and validation of Train Control & Monitoring Systems (successfully used by today's most advanced train OEMs) and proposes a new way of delivering certified software that complies with SSIL 2 (Software Safety Integrity Level 2) as defined by EN 50128.
Th.3.A.2 15:30
Merging and Processing Heterogeneous Models
Model Driven Engineering is now recognized as a way to significantly improve the development process of industrial systems and software. This approach leads to the production of various kinds of models associated with each modelling and verification step of the life cycle. These concrete models may differ in their abstract definition (meta-model) and in their syntactic expression. Such diversity cannot easily be avoided, as each modelling language brings its own specific benefit or is fundamentally associated with a particular tool or technique. However, merging and processing heterogeneous models to support all the required development activities can become a real engineering issue in the context of industrial projects. This paper presents a solution to this problem. The proposed approach is based on the LMP (Logic Model Processing) technology to provide a unique, standardized and easy-to-process representation of each model involved in a given project. Using this solution leads to a global homogeneous repository built by syntactic conversion of each input model, without altering their semantic diversity. It then dramatically facilitates the development of model processing tools, such as model exploration, model verification and model transformation.
15:00 - 16:00
Guillaumet
Th.3.B
Process
chair : Hervé Delseny, Airbus, France
Th.3.B.1 15:00
SAVOIR: Reusing specifications to favour product lines
SAVOIR has taken inspiration from AUTOSAR, although the underlying industrial business model is different. The space community is smaller, production is based on a few spacecraft per year, and there are industrial policy constraints. Still, there is a need to streamline the production of avionics and improve the competitiveness of European industry. Reference architectures, reference specifications and standard interfaces are an efficient means to achieve this goal. Space agencies and the space industry are actively working on developing such reference specifications. Reusing specifications is expected to allow reusing products.
Th.3.B.2 15:30
A Lean Systems Engineering Approach for the Development of Safety-critical Avionic Systems
The strong cost pressure of the market and rigorous safety regulations affect the development of avionic systems. Safety standards like SAE ARP4754A and RTCA DO-178C require high efforts for assuring compliance with applicable airworthiness requirements. Hence, industry is forced to continuously optimize their lifecycle processes and tool environments to facilitate the development of safety-critical systems. In this paper, we report on our experience of adopting lean enablers to systems engineering. The approach covers requirements quality analysis, model-based systems engineering, model-based testing and product family engineering. The experiences are gained from an industrial case study in the aerospace domain.
15:00 - 16:00
Ariane 1
Th.3.C
Requirement Validation
chair : Thierry Seynave, ESG Automotive France, France
Th.3.C.1 15:00
Debugging Real-Time Systems Requirements with STIMULUS: a Case-Study from the Automotive Industry
In a typical software project, 40% to 60% of design bugs are caused by faulty requirements, which generate costly iterations of the development process as specifications need to be redefined, design and implementation modified accordingly, and everything retested. The major reason for this situation is that no practical tool exists for debugging requirements while drafting the specification, and the many tools that exist for requirement management and traceability do not address this problem. STIMULUS provides an innovative solution for the early debugging and validation of functional real-time system requirements. It provides a high-level language to express textual yet formal requirements, and a solver-driven simulation engine to generate and analyze execution traces that satisfy the requirements. Visualizing what systems will do enables system architects to discover ambiguous, incorrect, missing or conflicting requirements before the design begins. We demonstrate the use of STIMULUS on the specification of automatic headlights from the automotive industry. We show how this simulation technique makes it possible to discover and fix ambiguous and conflicting requirements, resulting in a clear and executable specification that can be shared among engineers.
Th.3.C.2 15:30
Incremental Life Cycle Assurance of Safety-Critical Systems
Current development methods and tools for safety-critical systems rely on loosely coupled languages and tools (requirements specification, architecture design, implementation). These methods and tools are mostly inadequate, and the consistency of the development process is checked manually, which is costly and error-prone. For example, the system architecture depends on the requirements, but the two are not formally connected. As current requirements engineering tools rely on natural language, requirements are difficult to process and to associate with the actual architecture. Because of inadequate development approaches, 80% of implementation errors are found at system integration, although studies have shown that most of these issues (about 70%) are introduced earlier, when defining the system requirements. By adopting better development methods and introducing more verification before integrating and testing components, errors could be discovered and fixed earlier. We argue that by improving requirements specification and adding verification earlier in the development process (even before any implementation effort), we can remove many design errors and significantly reduce rework. In this paper, we introduce a new method and tools to define requirements, connect them with other development artifacts (architecture, code) and with verification and validation activities. We show how this tool can be integrated into current development methods and support automatic assurance that requirements are enforced throughout the development process.
15:00 - 16:00
Ariane 2
Th.3.D
Modeling for Safety
chair : Mohamed Kaâniche, LAAS-CNRS, France
Th.3.D.1 15:00
Aspect-oriented Data and Safety Modeling for Cyber-Physical Systems in Process Automation
Cyber-physical systems (CPS) integrate computation with physical processes, enabling the dynamic adaption of systems based on economic and environmental conditions. The adoption of CPS in industrial process automation is impeded by legacy systems with severe functional safety constraints and the need for highly configurable devices. To transfer the benefits of CPS to process automation, the inherent conflict between CPS safety and configurability must be explicitly considered during system design and operation. This paper proposes aspect-oriented modeling of safety and data for CPS in process automation as a baseline for formal consistency monitoring.
Th.3.D.2 15:30
Efficient Identification of Safety Goals in the Automotive E/E Domain
This paper addresses the problem of how to identify all safety goals for an item in the automotive E/E domain. It gives a background on the problem of hazard analysis and risk assessment in general, and for the automotive domain in particular. A key factor for success is to identify all the relevant hazardous events, a task that constitutes a paradox: either the specification of the possible driving situations and the system hazards is made too general and abstract, implying a too conservative analysis, or too detailed and specific, ending up with an almost infinite list of hazardous events to consider. This paper addresses the paradox by formulating a number of rules that reduce the potentially infinite set of candidate hazardous events to a limited number, still sufficient to cover all safety goals. Besides resolving the paradox of being both detailed and limited, the rules can also be used as a tool for reviewing the completeness of a set of safety goals.
16:30 - 18:00
Auditorium St Exupery
Th.4.A
Model Driven Engineering in practice 1
chair : Emmanuel Ledinot, Dassault Aviation, France
Th.4.A.1 16:30
Architecture-led Diagnosis and Verification of a Stepper Motor Controller
This case study shows how an analytical architecture fault-modeling approach can be combined with static analysis techniques to diagnose a time-sensitive design error in a control system and to verify that proposed changes to the system address the problem. The analytical approach demonstrates the value of the SAE Architecture Analysis & Design Language (AADL) standard, with its well-defined timing and fault behavior semantics, in discovering hard-to-test errors and correcting them early in the life cycle, thereby reducing rework cost. This virtual system integration approach is a key element of an architecture-centric framework for improving the qualification assurance of software-reliant safety-critical systems. In this case study, we investigated an actual stepper-motor system (SMS) that is part of an aircraft engine control system and manages fuel flow by adjusting a fuel valve. The original design was developed and verified in a model-based development environment called SCADE Suite, and an implementation was tested on actual equipment. In some test situations, the actual fuel flow did not correspond to the desired fuel flow. The failure was suspected to be due to execution time jitter in the stepper-motor control system, which resulted in some steps being missed. A missed step was not immediately detectable by the controller, so it could not take corrective action. Two repairs were proposed to correct the problem, but there was little evidence other than testing that either proposed solution would address the problem of missed steps. We use the same analysis techniques to determine whether the proposed design change addresses the problem. In this paper we focus on the analytical techniques used to diagnose the problem and verify the proposed design changes. A full case study report elaborates on how to manage the results of the diagnostic analysis and verification as an assurance case.
Th.4.A.2 17:00
Benefits of Model Based System Engineering for Avionics Systems
This paper details the way a realistic complex avionics system can be designed efficiently using a Model Based System Engineering tool, involving several hundred data items and ARINC 429 and ARINC 664-P7 messages. The SCADE System Avionics Package comes with the following answers:
- User-friendly and fully customizable interface thanks to the support of Domain Specific Languages
- Clean separation of the Functional, Software and Hardware layers, with all relations maintained in a consistent way
- Templates for immediate use of standard avionics protocols (ARINC 429, ARINC 664-P7 and CAN provided)
- Automated generation of all ICDs through powerful "hierarchical tables" that gather information from the model
These means are built on top of original features that are detailed in this paper. The design of an aircraft Braking System with a COM-MON architecture, 9 sub-systems, 12 partitions, 4 CPUs, 2 switch cabinets, a dual A/B ARINC 664-P7 network and 14 Virtual Links (VL), which is presented first, has demonstrated the efficiency of the tool support.
Th.4.A.3 17:30
A Seamless Model-Transformation between System and Software Development Tools
Development of dependable embedded automotive systems faces many challenges, arising from increasing complexity, the coexistence of critical and non-critical applications, and the emergence of new architectural paradigms on the one hand, and short time-to-market intervals on the other. This situation requires tools that improve the efficiency and consistency of development models along the entire development lifecycle. So far, existing solutions are still frequently insufficient when transforming system models at a higher level of abstraction into more concrete engineering models (such as software engineering models). Future automotive systems require appropriate structuring and abstraction in terms of modularization, separation of concerns, and support for interactions between system and component development. However, refinement of system designs into hardware and software implementations is still a tedious task. The aim of this work is to enhance an automotive model-driven system-engineering framework with software-architecture design capabilities and a model-transformation framework, to enable a seamless description of safety-critical systems, from requirements at the system level down to software component implementation, in a bidirectional way.
16:30 - 18:00
Guillaumet
Th.4.B
Multicore & Automotive
chair : Olivier Guetta, Renault, France
Th.4.B.1 16:30
Optimizing Application Distribution on Multi-Core Systems within AUTOSAR
Multi-core platforms have gained popularity in today's automotive domain. But even though multi-core architectures are now supported by the AUTOSAR framework, this migration remains a great challenge. First of all, software designers need new methods to fill the gap between application description and task deployment. The use of multiple cores must also remain compatible with real-time and safety design constraints. Finally, developers need tools to assist them in the new steps of the design process. In this paper we propose a partitioning method integrated into the AUTOSAR design flow, acting as a decision guide for the distribution of complex, real-world control applications onto automotive multi-core systems.
Th.4.B.2 17:00
Shared SW development in Multi-Core automotive context
In the last edition of ERTS2, a novel methodology to introduce multi-core technology at Continental PowerTrain was presented. We explained that the PowerTrain domain, and in particular the Engine Systems domain, requires high computing power combined with tight real-time requirements. In this paper we focus on the particular use case of shared development, which is becoming standard on all our developments. In the shared development process, the ECU software is built out of bricks from different parties. Apart from third-party components (OS, communication layers, ...), the OEM part may range from 5% to more than 50% of the application software (ASW). This situation was common in the single-core context, but with multi-core technology there is an increase in architecture complexity and an increased risk of data integrity failures. Therefore, a dedicated process has to be designed that eases the integration and the protection of the software parts, independently of each other. This paper presents the process developed at Continental and used with Audi. We will present the need for standards such as ASAM MDX to evolve in order to obtain better software quality. Finally, we will give an outlook on the future challenges linked to the introduction of multi-core in the automotive powertrain domain.
Th.4.B.3 17:30
Migration of automotive powertrain control strategies to multi-core computing platforms – lessons learnt
An important acceptance criterion for electric mobility is the capability to efficiently use the energy stored in the cells over the vehicle lifetime. The BMS plays a central role by estimating the state of charge (energy currently available) and state of health (degradation due to ageing effects) of the cells. Improving the estimation quality has a direct impact on the battery and thus on vehicle range. It is the target of the INCOBAT project to improve the BMS by means of new electronic components, new control strategies and new development methods, in order to achieve cost reduction and a performance (driving range) increase. In this context, the introduction of multi-core computing platforms aims at providing more computing resources and additional interfaces to answer the needs of new automotive control strategies with respect to computing performance and connectivity (e.g., connected vehicle, hybrid powertrains). At the same time, parallel execution and the resulting resource and timing conflicts require a paradigm change for the embedded software. Consequently, efficient migration of legacy software to a multi-core platform, while guaranteeing at least the same level of integrity and performance as on single cores, is challenging. In this paper, the lessons learnt during the migration of the BMS control strategies to the INCOBAT BMS computing platform are presented.
16:30 - 18:00
Ariane 1
Th.4.C
Static Analysis
chair : Hervé Delseny, Airbus, France
Th.4.C.1 16:30
Taking Static Analysis to the Next Level: Proving the Absence of Run-Time Errors and Data Races with Astrée
We present an extension of Astrée to concurrent C software. Astrée is a sound static analyzer for run-time errors previously limited to sequential C software. Our extension employs a scalable abstraction which covers all possible thread interleavings, and soundly reports all run-time errors and data races: when the analyzer does not report any alarm, the program is proven free from those classes of errors. We show how this extension is able to support a variety of operating systems (such as POSIX threads, ARINC 653, OSEK/AUTOSAR) and report on experimental results obtained on concurrent software from different domains, including large industrial software.
Th.4.C.2 17:00
Bringing SPARK to C developers
Selecting a language for a safety-critical application is often a choice dictated by constraints beyond bare technical merits. Availability of tools or internal resources at the time of the decision is often decisive. However, once such a choice is made, it is extremely difficult to revert. This is very visible in domains such as avionics or automotive, where code bases are sometimes created and maintained over decades. Rewriting software is simply not an option. As a result, many software teams live with technical choices that cannot be questioned, or only marginally. This is notably the case in the world of the C programming language. Its defects are well documented and have been known for many years. An entire sector of the tool industry is focused on developing workarounds in the form of code analyzers, coding standards or automated testing tools. Other languages and environments are known to provide results at lower cost. However, the barrier to entry, rewriting the software, is often beyond what is industrially acceptable. In this paper, we discuss one of these alternatives, the SPARK language. We describe a framework that allows teams to gain direct benefits from the early investment phases, and we discuss supporting tools currently under development.
Th.4.C.3 17:30
Spreading Static Analysis with Frama-C in Industrial Contexts
This article deals with the use of Frama-C to detect runtime errors. As static analysis for runtime-error detection is not a novelty, we present significant new usages in industrial contexts, which represent a change in the way this kind of tool is employed. The main goal is a scalable methodology for using static analysis throughout the development process and across a development team. This goal is achieved by performing analysis on partial pieces of code, by using the ACSL language for interface definitions, by choosing a bottom-up strategy to process the code, and by enabling a well-balanced definition of actors and skills. The methodology, designed during the research project U3CAT, has been applied in industrial contexts with good results, both in the quality of the verifications and in performance within the industrial process.
16:30 - 18:00
Ariane 2
Th.4.D
Model Driven Engineering in practice 2
chair : Philippe Cuenot, Continental Automotive, France
Th.4.D.1 16:30
Property Model Methodology: A First Assessment in the Avionics Domain
The purpose of this paper is to provide a feedback on the application of a new methodology called Property Model Methodology (PMM) to an avionics domain experiment performed in the Design Office of Airbus Helicopters.
Th.4.D.2 17:00
MDX and AUTOSAR Standards for Model Sharing to leverage Tier1 - OEM cooperation in the ECU software development
Software Sharing in automotive embedded software development has grown continuously over the past 10 years and is still gaining importance and attention. An increasing number of car manufacturers develop their own functions or their own software platform in order to share those functions across several control units supplied by different Tier 1 companies. The main advantages of Software Sharing, as seen by the OEMs, are acceleration of the development time and cycle as well as full flexibility to customize the final product (by introducing their own software). In order to achieve those goals, OEMs need the ability to test functions at a very early stage of development and continuously along the V-cycle up to the final software. Model Based Development is a means to do this, and the tools ASCET from ETAS and Simulink® from MathWorks are widely used in the automotive industry. These modeling tools allow OEMs to verify their functions in an early phase using virtual and/or rapid prototyping. The verified model, together with the achieved data specification, can then be exchanged with suppliers as an executable specification; this is one side of what is called "Model Sharing" at Bosch. The other side consists of providing the development environment as well as using common modeling guidelines and libraries with a common data description standard. Bosch is adapting its Process, Methods and Tools to car manufacturers that have their own approaches. The use of standards (e.g. ASAM (MDX, CDF, ...), AUTOSAR (service libraries, methodology, ...)) as well as standardized interface specifications (e.g. as published with AUTOSAR R4.x) can significantly ease label data management and exchange through a database, as well as the exchange of models. A flexible tool chain is hence created, since a "one size fits all" approach for all customers is not possible. The use of a standard brings many advantages that lead to better cooperation between Tier 1 and OEM.
It allows the use of standardized "off the shelf" tools for Model Based Development and integration. It also allows an easier connection between the OEM software components and the supplier software. Integration activities can then be organized as a so-called "continuous integration". The MDX standard has been used at Bosch for years and is supported by the code generation tool chains thanks to close cooperation with the tool vendors. After a description of the generated XML file and the information that needs to be added in the modeling tool, the most important features used during a compilation are presented. Based on long experience with OEMs, the advantages of using MDX are demonstrated, such as message implementation and flow checks, as well as information on the need for data copies in the context of a multi-core ECU. The software development tools support the AUTOSAR R4.x standard much better than a few years ago. The additional advantages of the AUTOSAR standard in comparison with MDX are detailed, particularly for the connection between the Application Software Component and the Basic Software. For a better understanding of how AUTOSAR can ease Model and Software Sharing, the most important features processed during a compilation are described. The pilot experiences conducted at Bosch have made it possible to identify the improvements to be expected in the development Process, Methods and Tools. The enhancement measures are described. The AUTOSAR standard has been introduced in Engine Control Unit software development at Bosch. Experience shows that a disruptive approach to AUTOSAR introduction is often not suitable. However, the impact of the AUTOSAR standard on modeling patterns can be taken into account in early phases of the Process, Methods and Tools update for MDX developments. This would allow a seamless migration from MDX to AUTOSAR.
Model Sharing with the MDX standard is currently applied at Bosch in several series projects and is leading to clear improvements in development efficiency. Bosch is actively working on Model Sharing solutions based on the AUTOSAR standard and aims to make them as efficient as MDX.
Th.4.D.3 17:30
A Model-driven and Tool-integration Framework for Whole-vehicle Co-simulation Environment
Modeling and simulation technologies are widely used throughout the design of a vehicle system, supporting its conceptualization and evaluation. The increasing complexity of such systems raises a number of challenges related to overall quality management. In particular, it brings the necessity of integrating various domain-specific physical models that are traditionally based on different formalisms and isolated tools. In this paper, we present the initial concepts of a model-driven and tool-integration framework for integrating design information and simulation models, (semi-)automatically managed by simulation services in the development of whole vehicles. This framework will assist designers in controlling and managing the creation and development of a tailored co-simulation environment for whole-vehicle development. We exploit EAST-ADL and other existing state-of-the-art modeling technologies as reference models for a formal system description of requirements, extra-functional constraints, design solutions, and verification and validation (V&V) cases. Given such a description of system V&V cases, dedicated co-simulation services will be developed to support the automated configuration and execution of simulation tools.
Important Dates
Abstract submission deadline extension:
a) New submissions can be made up to June 28th
b) Updates of submitted data (including the PDF) are possible until July 5th
Authors Notification:
September 16, 2015
Full Paper for review:
October 15, 2015
Final Paper submission deadline:
November 15, 2015