
Friday 31 January

09:00 - 10:00

Auditorium St Exupery

Fr.1.A



Chair: Olivier Guetta, Renault - France

Fr.1.A.1 09:00

Selection and evaluation of an embedded hypervisor: application to an automotive platform

Etienne Hamelin - CEA, LIST, France; Moha Ait Hmid - CEA, LIST, France; Yves Mouafo-Tchinda - CEA, LIST, France; Amine Naji - CEA, LIST, France

The advent of multi/many-core SoCs in embedded systems enables the execution of multiple software applications on the same integrated circuit, possibly with heterogeneous requirements in terms of performance, security or safety criticality. A hypervisor can provide a software environment on which programs can run simultaneously as if they were running natively on hardware. Deciding among the numerous available hypervisors, which ones are suitable, and how to configure them, is not an easy task. This paper presents a methodology for selecting an embedded hypervisor for embedded applications consolidation, based on both qualitative and quantitative criteria, then describes how this methodology is applied to the construction of an automotive hardware and software platform.

Fr.1.A.2 09:30

Make life easier for embedded software engineers facing complex hardware architectures

Romain Leconte - Space Codesign Europe, France; Eric Jenn - Thales Avionics, France; Guy Bois - Polytechnique Montreal/Space Codesign Systems, Canada; Hubert Guerard - Space Codesign Systems Inc, Canada

The increasingly parallel execution platforms - mixing multi-cores, GPUs, and programmable logic (namely, FPGA) - require new development techniques and technologies to be used efficiently. Software developers are hampered by the complexity of modern SoCs and MPSoCs. In particular, the complexity of the hardware design flow makes the exploitation of FPGAs difficult and expensive, especially in cases where the design space to be explored is large. Therefore, this paper proposes a design flow that offers joint support of both hardware and software flows, making life easier for embedded software engineers. It is based on a HW/SW codesign approach where a sequential C code annotated with OpenMP offloading directives is progressively transformed into an FPGA implementation. OpenMP has been selected because it is a widely adopted solution in the high-performance computing domain, but also because work is currently going on to extend its scope to embedded real-time systems. This paper identifies the important properties required in such a flow, demonstrates how they are supported by our workflow, and, finally, presents results of our approach on an image processing function deployed on both Zynq and Cyclone platforms.

09:00 - 10:00

Room Guillaumet

Fr.1.B


Safety by Design

Chair: Kevin Delmas, Onera - France

Fr.1.B.1 09:00

An Assurance Case based on Overarching Properties for a TQL1 Code Generator

M. Anthony Aiello - AdaCore Technologies Inc., United States; Cyrille Comar - AdaCore SAS, France; José Ruiz - AdaCore SAS, France

In this paper, AdaCore describes the development of an assurance case for the qualification of an automatic code generator called QGen. The assurance case presents the rationale for justifiable confidence that QGen possesses the Overarching Properties of Intent, Correctness and Innocuity — which have been defined by an FAA-led working group seeking to streamline certification — and is therefore fit for use in model-based development of critical avionics components where most of the verification is done through model simulation. By arguing possession of the Overarching Properties rather than satisfaction of the objectives required by DO-330, we focus our assurance on QGen, rather than on the process by which QGen was developed. The assurance case also includes a risk assessment, which further ensures the suitability of our approach to tool qualification by enabling us to focus on the safety impact of the use of QGen and the needs of the development effort in which QGen will be used.

Fr.1.B.2 09:30

Efficient fine-grain parallelism in shared memory for real-time avionics

Philippe Baufreton - Safran, France; Vincent Bregeon - Airbus, France; Keryan Didier - INRIA, France; Guillaume Iooss - ENS, France; Dumitru Potop Butucaru - INRIA, France; Jean Souyris - Airbus France SAS, France

Multi-task/parallel software design methods for critical embedded systems often enforce space and/or time isolation properties, which constrain resource sharing to facilitate the design process. For instance, ensuring that computing cores only interfere with each other during dedicated communication phases largely simplifies the timing analysis of parallel code. The downside of isolation is efficiency loss – longer latencies, smaller throughput, increased memory use. We focus on hard real-time applications (or parts thereof) inside which isolation is not a requirement. We show that, in this case, fine-grain parallelism can be more efficiently exploited without isolation, while still providing the levels of safety and hard real-time guarantees required in critical industrial applications. Resulting implementations allow multiple computations and communications to take place at the same time, provided that interferences can be controlled (which is possible on timing compositional platforms). We demonstrated this approach on two large avionics applications in a dedicated shared memory context, using an automatic parallelization method. Our method provides good parallelization results and, in one context, has reached TRL4.

09:00 - 10:30

Room Ariane 1

Fr.1.C


Model-based Engineering

Chair: Jean Loup Terraillon, ESA - France

Fr.1.C.1 09:00

Using Generic Software Components for Safety-Critical Embedded Systems - An Engineering Framework

Felix Bräunling - Method Park Engineering GmbH, Germany; Robert Hilbrich - Deutsches Zentrum für Luft- und Raumfahrt DLR, Germany; Simon Wegener - AbsInt GmbH, Germany; Isabella Stilkerich - Schaeffler Technologies AG & Co. KG, Germany; Daniel Kästner - AbsInt GmbH, Germany

Modern software development in the automotive domain would be unthinkable without leveraging reusable software components. Such generic software components have to be configured and tailored for each specific target application. Nowadays, complexity has reached a point where developing generic software components and manually adapting each component for each variant in the product family is error-prone and no longer economically feasible. In this article we propose an engineering framework for automated adaptation of generic software components which focuses on temporal and spatial integrity. The framework is built around a generic methodology and leverages specialized software tools to determine an allocation of software components to the resources of an embedded system and to ensure memory integrity. We use a quadcopter example, executed on the Infineon AURIX TC277 processor under the AUTOSAR operating system to illustrate our approach.

Fr.1.C.2 09:30

CocoSim, a code generation framework for control/command applications: from Simulink to C

Hamza Bourbouh - NASA Ames/SGT, United States; Pierre-Loic Garoche - ONERA, France; Thomas Loquen - ONERA, France; Eric Noulard - Onera, France; Claire Pagetti - ONERA, France

We present here CocoSim, a framework to support the design, code generation and analysis of discrete dataflow models expressed in Simulink. In this work, we focus specifically on the multiperiodic aspect of the framework we propose. Simulink is a toolbox provided by MathWorks in the Matlab tool that enables the design of block diagram models. When considering the discrete subsets of blocks, they are fitted with a synchronous semantics, i.e. execution time is neglected while each computation is performed repetitively, e.g. every $ts$ seconds. The simple case of a model in which every block is executed at the same rate is well understood and can be efficiently used both for analysis and code generation. However, blocks can individually be fitted with a different execution rate. This leads to complex behaviors able to model computation performed in different threads or even different computers or systems. The analysis or code generation of these multiperiodic models is more challenging. We propose here two different solutions, both provided within our CocoSim framework. The first one provides a faithful code generation into multiple (mono)synchronous components that can then be simulated or embedded in the final platform. The second amounts to encoding the multi-synchronous semantics in a pure-synchronous one, enabling the use of model checkers on the initial model. These approaches have been experimented in various settings. We will report experimental feedback.

Fr.1.C.3 10:00

Hardware/Software/Analog System Partitioning with SysML and SystemC-AMS

Daniela Genius - Sorbonne Université, LIP6, France; Ludovic Apvrille - LTCI, Télécom Paris, Institut polytechnique de Paris, France

Model-driven approaches for designing software and hardware parts of embedded systems are generally limited to their digital parts. On the other hand, virtual prototyping and co-simulation have emerged as a promising research topic, but target the modeling levels when partitioning has already been performed. This paper presents a model-driven platform for the partitioning of analog/mixed-signal systems.

10:00 - 11:00

Auditorium St Exupery

Fr.2.A



Chair: Christophe Moreno, Thales Alenia Space - France

Fr.2.A.1 10:00

Low Cost High Integrity Platform

Thierry Lecomte - CLEARSY, France; David Deharbe - CLEARSY, France; Etienne Prun - CLEARSY, France; Patrick Peronne - CLEARSY, France; Emmanuel Chailloux - Sorbonne Université, France; Sylvain Conchon - LRI, France; Steven Varoumas - Sorbonne Université, France; Denis Sabatier - CLEARSY, France; Adilla Susungi - Sorbonne Université, France

Developing safety critical applications often requires rare human resources to complete successfully, while off-the-shelf block solutions appear difficult to adapt, especially during short-term projects. The CLEARSY Safety Platform fulfils a need for a technical solution to overcome the difficulties of developing SIL3/SIL4 systems, with its technology based on a double processor and a formal method with proof to ensure safety at the highest level. The formal method, namely the B method, has been heavily used in the railway industry for decades. Using its IDE, Atelier B, to program the CLEARSY Safety Platform ensures a higher level of confidence in the software generated. This paper presents this platform aimed at revolutionising the development of safety critical systems, developed through the FUI project LCHIP (Low Cost High Integrity Platform).

Fr.2.A.2 10:30

CeCar: A platform for research, development and education on autonomous and cooperative driving

Carsten Thomas - HTW Berlin (University of Applied Sciences), Germany; Joachim Wegener - Expleo Group, Germany; Frank Bauernöppel - HTW Berlin (University of Applied Sciences), Germany; Thomas Baar - HTW Berlin (University of Applied Sciences), Germany; Heide Brandtstädter - HTW Berlin (University of Applied Sciences), Germany

In this paper, we introduce CeCar as an affordable model-car based platform supporting research, development and education in the field of autonomous and cooperative driving. We present the application-oriented use cases and key platform requirements, and explain the logical and technical architecture of the CeCar platform, along with details on the underlying modularity concept. Subsequently, we introduce CeCar application scenarios for the areas of research, development and education, and provide relevant application examples. Further, we discuss the CeCar platform concept in comparison with other model-car based education and research platforms, and outline planned future work on the CeCar platform.

10:00 - 11:00

Room Guillaumet

Fr.2.B


Safety Assessment

Chair: Claire Pagetti, Onera - France

Fr.2.B.1 10:00

Towards Rebalancing Safety Design, Assessment and Assurance

Emmanuel Ledinot - Thales Research and Technology, France; Jean Paul Blanquart - Airbus Defence and Space, France; Jean Gassino - IRSN, France; Rémy Astier - Rolls-Royce Civil Nuclear, France; Philippe Baufreton - Safran Electronics and Defense, France; Jean-Louis Boulanger - CERTIFER, France; Jean-Louis Camus - ANSYS Esterel Technologies, France; Cyrille Comar - AdaCore, France; Philippe Quéré - Renault, France; Bertrand Ricque - Safran Electronics and Defense, France

Cyber-physical systems have evolved faster than development technologies, which in turn have evolved faster than safety standards, despite periodic revisions. By 2020, a significant cumulative gap exists between development assurance and its perceived effectiveness on safety of the highly complex systems developed nowadays. This paper explores how this gap could be at least partly closed. First, we review new techniques that are emerging from hybrid system research and that might influence verification of system safety in the future, then we discuss some problems in industrial practice of safety assessment and in safety standards. These problems are widely acknowledged in all industrial domains, especially when facing certification of AI-enabled autonomous vehicles (cars, drones, trains, underwater unmanned vehicles etc.). Finally, we propose some orientations to evolve the development assurance standards so that they may facilitate accommodation of these new techniques without adding new assurance requirements to the legacy ones. We advocate a new balance for future assurance that would introduce new structural and behavioural analyses while reducing some aspects of dysfunctional analysis.

Fr.2.B.2 10:30

Data & Safety: challenges and opportunities

Hugues Bonnin - Continental, France; Olivier Flebus - Continental, France

This article presents our first analysis exploring the relationships of safety and data in the context of improving the safety of road vehicles, which will be connected and more automated in the future. In this context, the usage of data to realize critical functions is more and more common: to augment the perception of the environment (for example: HD maps), or to augment the knowledge needed for more automation (for example: a database of road traffic rules). Data, information and knowledge are not often considered in the state of the art of safety critical systems development. Adopting a data-centric point of view allows us to revisit the engineering of the safety of these systems, raising new questions and offering new opportunities. This is our proposition with this paper.

Refreshment break (Foyer Ariane, level 1)


11:30 - 12:30

Auditorium St Exupery


Fr. Panel 2

Panel 2 - Challenges for Robotics and Autonomous System with Human Interaction: a Multi Domain Perspective

Chair: Helene Gaspard-Boulinc, DSNA/DTI - France & Philippe Palanque, IRIT - France


Lunch (Caravelle Room, level 0) and Closing Session


Conference end




Abstract of Regular and Short Paper submission: Closed
Acceptance Notification: Closed
Regular Full Paper for review: October 15th, 2019
Regular and Short Paper Final Version: November 10th, 2019
Congress: January 29th to 31st, 2020
Paper Award announcement at Congress Dinner: January 30th, 2020






