

| Document Title             | Recommended Methods and<br>Practices for Timing Analysis and<br>Design within the AUTOSAR<br>Development Process |
|----------------------------|------------------------------------------------------------------------------------------------------------------|
| Document Owner             | AUTOSAR                                                                                                          |
| Document Responsibility    | AUTOSAR                                                                                                          |
| Document Identification No | 645                                                                                                              |

| Document Status          | Final            |
|--------------------------|------------------|
| Part of AUTOSAR Standard | Classic Platform |
| Part of Standard Release | 4.4.0            |

| Document Change History |         |                                  |                                                                                                                                                                                                                                                                                                                                                    |
|-------------------------|---------|----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Date                    | Release | Changed by                       | Description                                                                                                                                                                                                                                                                                                                                        |
| 2018-10-31              | 4.4.0   | AUTOSAR<br>Release<br>Management | <ul> <li>Extended section 1.4 to show interaction of AUTOSAR CP and AP concepts</li> <li>Reworked chapter structure for better readability</li> <li>Added description of AUTOSAR CP task states and extended timing parameter table in section 8.1.1.1 and section 8.1.1.2</li> <li>Added chapter 9 including timing tasks and elements</li> </ul> |
| 2017-12-08              | 4.3.1   | AUTOSAR<br>Release<br>Management | Editorial changes                                                                                                                                                                                                                                                                                                                                  |



Г

| 2016-11-30 | 4.3.0 | AUTOSAR<br>Release<br>Management | <ul> <li>Section 1.9 added roles and their benefits from reading this document</li> <li>Section 4.1 introduced function-level Use-cases</li> <li>Some ECU UCs are consolidated in chapter 7</li> <li>New figure for overview of E2E Use-cases is improved (figures 5.1)</li> <li>Improved timing tasks in section 9.1</li> <li>References to methods and properties are consolidated in chapter 8</li> </ul> |
|------------|-------|----------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 2015-07-31 | 4.2.2 | AUTOSAR<br>Release<br>Management | <ul> <li>Section 9.1: introduced basic timing tasks like "Collect Timing Requirement" or "Create Timing Model". Adapted introduction of chapter 8 accordingly.</li> <li>Clarified relation of the timing properties described in section 8.4 to AUTOSAR TIMEX.</li> <li>improved glossary and index</li> <li>New figures for improved overview of use-cases (figures 7.2 and 6.3)</li> </ul>                 |
| 2014-10-31 | 4.2.1 | AUTOSAR<br>Release<br>Management | <ul> <li>Editorial changes only: improvements, corrections and additions.</li> <li>New chapter End-to-End Timing for Distributed Functions;</li> <li>Chapter Properties and Methods for Timing Analysis: additional information and restructuring;</li> <li>Added further use-cases;</li> <li>Added examples, see figures 1.2, 7.1 and 6.1;</li> <li>Added index at the end of the document;</li> </ul>      |
| 2014-03-31 | 4.1.3 | AUTOSAR<br>Release<br>Management | Initial version                                                                                                                                                                                                                                                                                                                                                                                              |



#### Disclaimer

This work (specification and/or software implementation) and the material contained in it, as released by AUTOSAR, is for the purpose of information only. AUTOSAR and the companies that have contributed to it shall not be liable for any use of the work.

The material contained in this work is protected by copyright and other types of intellectual property rights. The commercial exploitation of the material contained in this work requires a license to such intellectual property rights.

This work may be utilized or reproduced without any modification, in any form or by any means, for informational purposes only. For any other purpose, no part of the work may be utilized or reproduced, in any form or by any means, without permission in writing from the publisher.

The work has been developed for automotive applications only. It has neither been developed, nor tested for non-automotive applications.

The word AUTOSAR and the AUTOSAR logo are registered trademarks.



## **Table of Contents**

| 1 | Introduction                                                                                                                                                                                                                                                                                                                                  | 10                                                       |
|---|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|
|   | 1.1Objective1.2Overview1.3Motivation1.4Example1.5Scope1.6Acronyms and Abbreviations1.7Glossary of Terms1.8Use-cases1.9Methodology Roles1.10Document Structure and Chapter Overview                                                                                                                                                            | 10<br>11<br>12<br>12<br>15<br>16<br>17<br>18<br>19<br>21 |
| 2 | Basic Concepts of Timing                                                                                                                                                                                                                                                                                                                      | 24                                                       |
|   | <ul> <li>2.1 Basic Concepts of Real Time Architectures</li> <li>2.1.1 Real Time Architecture Definition</li> <li>2.1.2 Execution and Transmission Times</li> <li>2.1.3 Response Time</li> <li>2.2 Languages for Timing Requirements Specification</li> <li>2.2.1 EAST-ADL / TADL</li> <li>2.2.2 Basic concepts of AUTOSAR TIMEX</li> </ul>    | 24<br>25<br>26<br>26<br>27<br>28                         |
| 3 | Timing Requirements on Design Levels                                                                                                                                                                                                                                                                                                          | 30                                                       |
|   | <ul> <li>3.1 Timing Requirements Decomposition Problem</li> <li>3.2 Hierarchical Timing Description</li> <li>3.3 Methodologies for Timing Requirements Decomposition</li> <li>3.3.1 Functional and Software Architectures Modeling Levels</li> <li>3.3.2 Guidelines for Timing Requirements Decomposition</li> <li>3.4 Conclusions</li> </ul> | 30<br>32<br>34<br>35<br>37<br>38                         |
| 4 | Timing on Functional Level                                                                                                                                                                                                                                                                                                                    | 40                                                       |
|   | <ul> <li>4.1 Overview of Function-level Use-Cases</li> <li>4.2 Function-level use-case "Identify timing requirements for a new feature (vehicle function)"</li> </ul>                                                                                                                                                                         | 41<br>43                                                 |
|   | 4.3 Function-level use-case "Partition a feature (vehicle function) into a function network"                                                                                                                                                                                                                                                  | 44                                                       |
|   | 4.4 Function-level use-case "Map a function network to a hardware com-<br>ponents network"                                                                                                                                                                                                                                                    | 45                                                       |
|   | 4.5 Function-level use-case "From function-level events to observable events"                                                                                                                                                                                                                                                                 | 46                                                       |
| 5 | End-to-End Timing for Distributed Functions                                                                                                                                                                                                                                                                                                   | 48                                                       |
|   | <ul> <li>5.1 Relation to other chapters</li></ul>                                                                                                                                                                                                                                                                                             | 48<br>48                                                 |



|   | 5.3               | E2E use-case "Derive per-hop time budgets from End-to-End timing<br>requirements"5.3.1Main Scenario                                                                                                    | 50<br>50                   |
|---|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|
|   | 5.4               | E2E use-case "Deriving timing requirements from the timing assess-<br>ment of an existing implementation"                                                                                              | 51<br>52                   |
|   | 5.5               | <ul><li>E2E use-case "Specify Timing Requirements for functional interfaces based on Signals/Parameters"</li><li>5.5.1 Main Scenario</li></ul>                                                         | 53<br>54                   |
|   | 5.6               | E2E use-case "Assert timing requirements against guarantees"<br>5.6.1 Main Scenario                                                                                                                    | 55<br>56                   |
|   | 5.7               | mentation"                                                                                                                                                                                             | 56<br>57                   |
| 6 | Timi              | ng for Networks                                                                                                                                                                                        | 59                         |
|   | 6.1<br>6.2<br>6.3 | ExampleOverview of Network Use-casesNW use-case "Integration of new communication"6.3.1Main Scenario6.3.2Alternative Scenario                                                                          | 59<br>60<br>62<br>63<br>64 |
|   | 6.4               | <ul> <li>6.3.3 Performance/Timing Requirements</li> <li>NW use-case "Design and configuration of a new network"</li> <li>6.4.1 Main Scenario</li> <li>6.4.2 Performance/Timing Requirements</li> </ul> | 64<br>64<br>66<br>67       |
|   | 6.5               | NW use-case "Remapping of an existing communication link"6.5.1Main Scenario6.5.2Performance/Timing Requirements                                                                                        | 67<br>68<br>69             |
| 7 | Timi              | ng for SW-Integration on ECU Level                                                                                                                                                                     | 70                         |
|   | 7.1<br>7.2        | ExampleOverview of ECU Use-cases7.2.1Assumptions                                                                                                                                                       | 70<br>71<br>72             |
|   | 7.3               | ECU use-case "Create Timing Model of the entire ECU"7.3.1Characteristic Information7.3.2Main Scenario7.3.3Alternative Scenario                                                                         | 73<br>74<br>74<br>75       |
|   | 7.4               | ECU use-case "Collect Timing Information of a SW-C"7.4.1Characteristic Information7.4.2Main Scenario7.4.3Alternative #1 Scenario                                                                       | 75<br>75<br>75<br>76       |
|   | 7.5               | ECU use-case "Validation of Timing"7.5.1Characteristic Information7.5.2Main Scenario                                                                                                                   | 77<br>77<br>78             |
|   | 7.6               | ECU use-case "Debug Timing"7.6.1Characteristic Information7.6.2Main Scenario                                                                                                                           | 79<br>79<br>79             |



|    | 7.7    | ECU use        | -case "Optimize Timing of an ECU"                | 81  |
|----|--------|----------------|--------------------------------------------------|-----|
|    |        | 7.7.1          | Characteristic Information                       | 81  |
|    |        | 7.7.2          | Main Scenario                                    | 82  |
|    | 7.8    | ECU use        | -case "Optimize Scheduling"                      | 83  |
|    |        | 7.8.1          | Characteristic Information                       | 83  |
|    |        | 7.8.2          |                                                  | 84  |
|    | 7.9    | ECU use        |                                                  | 84  |
|    |        | 7.9.1          |                                                  | 84  |
|    | 7 10   | 7.9.2          |                                                  | 85  |
|    | 7.10   | ECU USE        | -case verify liming Model(s)                     | 85  |
|    |        | 7.10.1         |                                                  | 00  |
| _  | _      | 7.10.2         |                                                  | 00  |
| 8  | Prop   | erties and I   | Methods for Timing Analysis                      | 88  |
|    | 8.1    | General I      | ntroduction                                      | 88  |
|    |        | 8.1.1          | AUTOSAR Classic Platform Operating System        | 90  |
|    | 8.2    | A Simple       | Grammar of Timing Properties                     | 94  |
|    |        | 8.2.1          | Protocol Specifica                               | 98  |
|    | 8.3    | Relations      | between Use Cases, Tasks, Properties and Methods | 99  |
|    | 8.4    | Definition     | and Classification of Timing Properties          | 102 |
|    |        | 8.4.1          | Classification and Relation of Properties        | 102 |
|    |        | 8.4.2          |                                                  | 102 |
|    |        | 8.4.3          |                                                  | 102 |
|    |        | 0.4.4          |                                                  | 104 |
|    |        | 0.4.0          |                                                  | 105 |
|    |        | 0.4.0<br>8 / 7 | SPECIFIC PROPERTY Response Time (CANI)           | 107 |
|    |        | 8/8            | SPECIFIC PROPERTY Response Time (CAN)            | 110 |
|    |        | 849            | GENERIC PROPERTY Transmission Time               | 111 |
|    |        | 8 4 10         | SPECIFIC PROPERTY Transmission Time (CAN)        | 112 |
|    |        | 8 4 11         | SPECIFIC PROPERTY Execution Time                 | 112 |
|    | 8.5    | Definition     | Description and Classification of Timing Methods | 113 |
|    | 0.0    | 8.5.1          | Classification and Relation of Methods           | 113 |
|    |        | 8.5.2          | Overview of regarded Methods                     | 118 |
|    |        | 8.5.3          | GENERIC METHOD Determine Load                    | 119 |
|    |        | 8.5.4          | SPECIFIC METHOD Determine Load (CAN)             | 120 |
|    |        | 8.5.5          | GENERIC METHOD Determine Latency                 | 123 |
|    |        | 8.5.6          | SPECIFIC METHOD Determine Response Time (CAN)    | 125 |
| 9  | Artifa | acts for Tim   | ing Analysis                                     | 129 |
|    | 9.1    | Descriptio     | on of Timing Tasks                               | 129 |
|    | 9.2    | Timing M       | odel Elements                                    | 131 |
|    | 9.3    | Work Pro       | ducts                                            | 132 |
| 10 | Limit  | atione         |                                                  | 12/ |
| 10 | LIIIII |                |                                                  | 104 |
| Α  | Histo  | ory of Const   | traints and Specification Items                  | 135 |



|   | A.1  | 1 Constraint History of this Document related to AUTOSAR R4.1.3 |                                                                |                    |
|---|------|-----------------------------------------------------------------|----------------------------------------------------------------|--------------------|
|   |      | A.1.1                                                           | Changed Constraints in R4.1.3                                  | 135                |
|   |      | A.1.2                                                           | Added Constraints in R4.1.3                                    | 135                |
|   |      | A.1.3                                                           | Deleted Constraints in R4.1.3                                  | 135                |
|   | A.2  | Specifica                                                       | ation Items History of this Document related to AUTOSAR R4.1.3 | <mark>3</mark> 135 |
|   |      | A.2.1                                                           | Changed Specification Items in R4.1.3                          | 135                |
|   |      | A.2.2                                                           | Added Specification Items in R4.1.3                            | 135                |
|   |      | A.2.3                                                           | Deleted Specification Items in R4.1.3                          | 135                |
| В | List | of figures, I                                                   | ist of tables, and index                                       | 136                |



## References

- [1] Methodology AUTOSAR\_TR\_Methodology
- [2] Specification of Timing Extensions AUTOSAR\_TPS\_TimingExtensions
- [3] Explanation of Adaptive Platform Design AUTOSAR\_EXP\_PlatformDesign
- [4] Software Process Engineering Meta-Model Specification http://www.omg.org/spec/SPEM/2.0/
- [5] Embedded Systems Development, from Functional Models to Implementations
- [6] EAST-ADL Model Domain Specification http://www.east-adl.info/Specification.html
- [7] Tool Support for the Analysis of TADL2 Timing Constraints using TimeSquare http://hal.inria.fr/docs/00/85/06/73/PDF/paper.pdf
- [8] Unified Modeling Language: Superstructure, Version 2.0, OMG Available Specification, ptc/05-07-04 http://www.omg.org/cgi-bin/apps/doc?formal/05-07-04
- [9] System Modeling Language (SysML) http://www.omg.org/spec/SysML/1.3/
- [10] UML Profile for Modelling and Analysis of Real-Time and Embedded systems (MARTE) http://www.omg.org/spec/MARTE/1.1/
- [11] Architecture Analysis and Design Language (AADL) AS-5506A http://standards.sae.org/as5506a/
- [12] TIMMO-2-USE
- [13] Specification of Operating System AUTOSAR\_SWS\_OS
- [14] Scheduling algorithms for multiprogramming in a hard real-time environment http://cn.el.yuntech.edu.tw/course/95/real\_time\_os/present paper/Scheduling Algorithms for Multiprogramming in a Hard-.pdf
- [15] Controller Area Network (CAN) Schedulability Analysis: Refuted, Revisited and Revised http://dl.acm.org/citation.cfm?id=1227696
- [16] Pushing the limits of CAN-Scheduling frames with offsets provides a major performance http://www.loria.fr/ nnavet/publi/erts2008 offsets.pdf



[17] Probabilistic response time bound for CAN messages with arbitrary deadlines http://ieeexplore.ieee.org/xpl/abstractAuthors.jsp?arnumber=6176662



## 1 Introduction

This document represents recommended methods and practices for timing analysis and design within the AUTOSAR development process. It is intended for different kinds of readers:

- system, development and test engineers without no or little knowledge of timing analysis
- engineers with general knowledge of timing analysis who want to enhance their understanding of AUTOSAR methodology
- further stakeholders (listed under 1.9)

## 1.1 Objective

During the development of AUTOSAR based systems, a common technical approach for timing analysis is needed to fulfill the AUTOSAR main requirement RS\_Main\_00340. This document describes all major steps of timing analysis needed from the definition and validation of functional timing requirements to the verification of timing requirements on component and system level. Figure 1.1 illustrates the different aspects for timing analysis. Basis for the described methods are AUTOSAR Methodology [1] and AUTOSAR timing extensions [2].





Figure 1.1: Overview of aspects for timing analysis

## 1.2 Overview

The AUTOSAR timing analysis methodology is divided in following parts:

- Decomposition of timing requirements and levels, timing analysis on the functional level
- Timing analysis on function level
- End-to-end timing analysis for distributed functions
- Timing analysis on the network level
- Timing analysis on the ECU level
- Timing properties and methods for timing analysis

For each part, a proposed methodology is presented based using a number of typical real world use-cases. A complete overview of all use-cases is given in section 1.8 on page 18.



## 1.3 Motivation

The increasing number of functions, complexity in E/E Architectures and the resulting requirements on ECUs and communication networks imply increasing requirements on the development process. A central part of the development process is the design of robust and extendible ECUs and network architectures.

In the development of ECUs complexity is introduced through the integration of multiple SW-Cs (constituting various functions) executed in schedulable tasks. The design and verification of the task schedules becomes difficult due to their dependencies on shared resources such as processing cores and memory.

On the network level heterogeneous network types such as CAN, LIN, FlexRay, MOST and Ethernet are used. This makes it hard to ensure robustness, especially when routing between protocols over a gateway takes place. The design of an efficient and robust network architecture and configuration is increasingly difficult. This creates the need for a systematic approach.

These aspects must be addressed in the E/E development process together with additional requirements regarding quality, testability, ability to perform diagnostic services and so on. The overall goal is to achieve sufficient reliability and performance at optimum cost under the requirement of scalability over several vehicle classes. In order to enable integration of additional functions over the life-cycle of a vehicle, the extensibility of an E/E architecture is also very important.

To make optimal technical decisions during the development of E/E architectures and their components it is necessary to have suitable criteria to decide how to implement a function.

One of the most important criteria in the development of current E/E architectures is timing. Many functions are time critical due to their safety requirements. Other functions have certain timing requirements in order to guarantee a high quality (customer) function. These functions often have certain latency and jitter constrains. For distributed functions these constraints consist of several segments of which ECU and network are the two main categories. In order to specify and analyze these timing requirements functional timing chains are important. These are described in more detail in Chapter 3.

## 1.4 Example

The active steering shown in the figure 1.2 demonstrates an end-to-end timing constraint with a real-world AUTOSAR Classic Platform (CP) example. The system consists of sensors, ECUs, buses and an actuator. With the vehicle dynamics model of the car and the active steering function the functional developer defined a maximum reaction time for the outlined chain: 30ms. This becomes a top level end-to-end timing requirement for the system.



This timing requirement then gets decomposed, i.e. it gets sliced into smaller portions T1...T5, one portion for each component of the system. Obviously, ECUs and buses handle many different features with their own timing requirements, all competing for network and computation resources. On an ECU with tasks/interrupts and their runnables, the top level timing requirements are broken down into more fine grained timing requirements and the competition for resources is continued on a lower level.



Figure 1.2: Set-up and end-to-end-timing requirement (red line) from an active steering project.

In this example, the embedded software is developed independently from the later allocation on concrete ECUs, i.e. ICM and ASA in Figure 1.2. First the functionalities that should be covered by the system are defined and subsequently transfered into a software architecture. A possible AUTOSAR software architecture representing the active steering example can be found in Figure 1.3.

The example consist of seven AUTOSAR software components communicating via sender receiver ports. First, the system determines data about the vehicle and environment such as vehicle speed, steering angle, and environmental disturbance (such as yaw rate). This information is provided to the motion arbiter that rates the situation and deduces further activities of the vehicle actuators accordingly. Depending on the input data a deceleration command, an acceleration request, and/or an updated steering direction can be sent to further components.

The executed commands directly influence the wheel speeds and the steering angle. Thereby, the driving program (actuating variable) and the environmental disturbance, e.g. the yaw rate, is controlled. Altogether, software, hardware and environment form a feedback control system. AUTOSAR Classic Platform caters specifically to hard realtime systems like this one.





Observable Location of Event

#### Figure 1.3: Software architecture of the above introduced active steering project.

When considering modern assisted-driving functions, the example above can be extended by adding a collision avoidance system which uses computer vision to recognize obstacles and directs the steering to circumvent them. Recognizing objects from camera images and planning appropriate avoidance trajectories are computationally demanding requirements which are very hard to implement using only AUTOSAR CP. This kind of application is specifically targeted by AUTOSAR Adaptive Platform (AP). This extension adds a second top level end-to-end timing requirement for the system. The collision avoidance system needs to recognize an obstacle and a clear path around it, plan an appropriate trajectory and issue required angle commands to the ASA quickly enough to avoid collision.



Based on the ISO 3888-2 evasive maneuver (Figure 1.4) this results in a TA1-TA2-TA3-T4-T5 decomposition with the TAx components taking place in the AP domain (See Figure 1.5). At 14m/s (roughly 50kph) TA1...TA3 will have a budget of 860ms (12m at 50kph) for object detection, trajectory planning and communication of the first required angle adjustment to the ASA. The requirement of the duration of T4+T5 is 10ms, based on maximum safe steering gradient and vehicle dynamics, in order to fulfill the lane change requirement of ISO 3888-2 within 13.5m of longitudinal movement. Note that both the CP and AP requirements share the same T4 and T5 due to both control loops sharing the same actuator path.







The possible AUTOSAR software architecture representing the extended active steering example can be found in Figure 1.6. A more thorough discussion of the integration of AUTOSAR CP and AP ECUs can be found in Explanation of Adaptive Platform Design [3].



Figure 1.6: Software architecture of the above introduced active steering project.

## 1.5 Scope

This document describes how to implement timing analysis during the development of E/E systems. Similar to [1], this does not include a complete process description but rather a set of practical methods to define timing requirements and how to ensure that



these requirements are met. As stated in [1], the methodology is designed to cover the needs of various AUTOSAR stakeholders:

- Organizations: Methodology is modeled in a modular format to allow organizations to tailor it and combine the methodology within their own internal processes, while identifying points where they interact with other organizations.
- Engineers: Methodology is scoped to allow engineers of various roles quickly find AUTOSAR information that is relevant to their specific needs.
- Tool Vendors: Methodology provides a common language to share among all AUTOSAR members and a common expectation of what capabilities tools should support.

The following topics are addressed:

- Definition of appropriate timing analysis methods including related timing properties for all stages of an AUTOSAR development process without disclosure of company confidential information.
- Definition of requirements for timing analysis methods enabling implementation of appropriate tools.
- Documentation of relevant experience in the area of timing analysis (Network and ECU/software) with relevant use-cases.
- Structuring of timing tasks, timing properties and related methods with regard to use-cases.
- Timing as an enabler for efficient cooperation on a functional level between OEM and tier1.

Delimitation:

- Contents of this document is complementary, and not overlapping, to the contents of the AUTOSAR timing extensions [2]
- Definition of meta models to document timing attributes (e.g. AUTOSAR TIMEX)
- Definition of timing behavior for specific SW-Cs or functions in AUTOSAR.

## 1.6 Acronyms and Abbreviations

| Abbreviation | Meaning                             |  |
|--------------|-------------------------------------|--|
| ASA          | Active Steering Actuator            |  |
| AUTOSAR      | AUTomotive Open System ARchitecture |  |
| BSW          | Basic Software                      |  |
| CAN          | Controller Area Network             |  |
| COM          | Communication module                |  |
| CPU          | Central Processing Unit             |  |
| DES          | Discrete Event Simulation           |  |



| E2E   | End to end                              |  |
|-------|-----------------------------------------|--|
| ECU   | Electrical Control Unit                 |  |
| ID    | Identifier                              |  |
| I/O   | Input/Output                            |  |
| LIN   | Local Interconnect Network              |  |
| NW    | Network                                 |  |
| PIL   | Processor-In-The-Loop                   |  |
| PDU   | Protocol Data Unit                      |  |
| RE    | Runnable Entities                       |  |
| RTE   | Runtime Environment                     |  |
| SW-C  | Software Component                      |  |
| SPEM  | Software Process Engineering Meta-Model |  |
| TD    | Timing Description                      |  |
| TIMEX | AUTOSAR Timing Extensions [2]           |  |
| UC    | Use-Case                                |  |
| UML   | Unified Modeling Language               |  |
| WCET  | Worst case execution time               |  |
| WCRT  | Worst case response time                |  |
| VFB   | Virtual Functional Bus                  |  |

#### Table 1.1: Acronyms and Abbreviations

## 1.7 Glossary of Terms

| Term               | Synonym        | Definition                                                    |
|--------------------|----------------|---------------------------------------------------------------|
| Event-triggered    | Sporadic Frame | A frame that is sent on an event triggered by the application |
| Frame              |                | independent from a communication schedule. The event-         |
|                    |                | triggered sending is limited by a debounce time which         |
|                    |                | specifies the shortest allowed temporal distance between      |
|                    |                | two occurrences.                                              |
| Accuracy           |                | The accuracy is the closeness to the true value. For the      |
|                    |                | worst case of a timing property it describes the maximum      |
|                    |                | overestimation.                                               |
| Execution Time     |                | The execution time is the total time that the function needs  |
|                    |                | to be assigned the resource in order to complete.             |
| Frame              |                | A frame is a data package sent over a communication           |
|                    |                | medium. This element describes the structure of data (OSI     |
|                    |                | layer 2) sent on a channel. For example, a frame on CAN       |
|                    |                | and FlexRay. A commonly used synonym is "message".            |
| Information Pack-  |                | Smallest transmittable information unit on a resource (e.g.   |
| ages               |                | frame).                                                       |
| Interrupt Load     |                | The load of the CPU for servicing interrupts.                 |
| Load               | Utilization    | The load is the total share of time that a resource is used.  |
| Period             |                | The time period between two activation events of the same     |
|                    |                | frame(network) or task(ECU).                                  |
| Response Time      | Latency        | The response time is the time between the activation of a     |
|                    |                | function and its termination as defined in TIMEX [2].         |
| Schedulable Entity |                | A schedulable entity is defining an execution that can oc-    |
|                    |                | cupy time on a CPU or on a network resource. The order        |
|                    |                | of execution is decided by scheduling algorithms. Schedu-     |
|                    |                | lable entities are for example tasks, processes and frames.   |
| Stuff Bit          |                | In CAN frames, a bit of opposite polarity is inserted after   |
|                    |                | five consecutive bits of the same polarity.                   |



| System Parameter  |           | A quantity influencing the timing behavior of the system.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
|-------------------|-----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Timing Task       |           | A number of steps to accomplish a specific goal (see 8 "Description of Timing Tasks").                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| Timing Constraint |           | A timing constraint may have two different interpretation<br>alternatives. On the one hand, it may define a restriction<br>for the timing behavior of the system (e.g. minimum (max-<br>imum) latency bound for a certain event sequence). In this<br>case, a timing constraint is a requirement which the sys-<br>tem must fulfill. On the other hand, a timing constraint may<br>define a guarantee for the timing behavior of the system.<br>In this case, the system developer guarantees that the sys-<br>tem has a certain behavior with respect to timing (e.g. a<br>timing event is guaranteed to occur periodically with a cer-<br>tain maximum variation). Compare AUTOSAR Timing Ex-<br>tension [2] |
| Timing Method     | Technique | Defines an ordered number of steps to derive particular<br>timing related work products (e.g. timing property, timing<br>model)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| Timing Model      |           | A timing model collects all relevant timing information in<br>one single place, typically tool-based. The model can be<br>used to describe the timing behavior or it can be used to<br>generate timing related configuration files.                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| Timing Property   |           | A timing property defines the state or value of a timing rel-<br>evant aspect within the system (e.g. the execution time<br>bounds for a RunnableEntity or the priority of a task).<br>Thus, a property does not represent a constraint for the<br>system, but a somehow gathered (e.g. measured, esti-<br>mated or determined) or defined attribute of the system.                                                                                                                                                                                                                                                                                                                                            |
| Use-case          | Scenario  | Typical problem, broken down into tasks                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| Worst case        |           | The term "worst case" denotes an upper bound on any<br>value a certain property can take during run-time. This is<br>usually different from and may never be smaller than the<br>maximum value observed in the actual system. Typically<br>worst-case values are derived using static analyses based<br>on models of the system.                                                                                                                                                                                                                                                                                                                                                                               |
| Work Product      |           | See SPEM [4].                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |

#### Table 1.2: Glossary of Terms

### 1.8 Use-cases

In order to show the proposed usage of timing analysis methodology a number of realworld use-cases are included in the document.

The use-cases are divided into categories using the same structure as the chapters:

- Timing analysis on the function level (chapter 4)
- End-to-end timing analysis for distributed functions (interface between ECU and network level) (chapter 5)
- Timing analysis on the network level (chapter 6)
- Timing analysis on the ECU level (chapter 7)



| Section | Use-case                             | Page |
|---------|--------------------------------------|------|
| 4.1     | Overview of Function-level Use-Cases | 41   |
| 5.2     | Overview of End-to-End Use-cases     | 48   |
| 6.2     | Overview of Network Use-cases        | 60   |
| 7.2     | Overview of ECU Use-cases            | 71   |

## 1.9 Methodology Roles

This section introduces roles that can benefit from knowledge about the methods presented in this document and will be used in the Timing Analysis Methodology.

| Role              | ECU Integrator                                                              |      |                 |      |
|-------------------|-----------------------------------------------------------------------------|------|-----------------|------|
| Package           | AUTOSAR Root::M2::Methodology::Methodo                                      | logy | Library::Common | Ele- |
|                   | ments::Roles                                                                |      |                 |      |
| Brief Description | Integrates the complete software on an ECU.                                 |      |                 |      |
| Description       | Integrates the complete software on an ECU, which includes generating nec-  |      |                 |      |
|                   | essary code and completing the configuration of all software components and |      |                 |      |
|                   | basic software modules.                                                     |      |                 |      |
| Benefit           | Receives information about how to define standardized timing requirements   |      |                 |      |
|                   | (related to the function) and how to verify them.                           |      |                 |      |
| Relation Type     | Related Element                                                             | Mul. | Note            |      |
| Performs          | TBC                                                                         | 1    | n.A.            |      |

#### Table 1.4: ECU Integrator

| Role              | E/E Architect                                                                   |      |      |  |
|-------------------|---------------------------------------------------------------------------------|------|------|--|
| Package           | Not in the AUTOSAR methodology yet. A part of AUTOSAR System Engineer           |      |      |  |
|                   | Role.                                                                           |      |      |  |
| Brief Description | Defines E/E topology.                                                           |      |      |  |
| Description       | Defines E/E topology.                                                           |      |      |  |
| Benefit           | Receives information about how to evaluate the timing quality of the E/E archi- |      |      |  |
|                   | tecture under timing requirements (resources and timing budgets, high level).   |      |      |  |
| Relation Type     | Related Element                                                                 | Mul. | Note |  |
| Performs          | TBC                                                                             | 1    | n.A. |  |

#### Table 1.5: E/E Architect

| Role              | Function Architect                                                       |   |      |
|-------------------|--------------------------------------------------------------------------|---|------|
| Package           | Not in the AUTOSAR methodology yet.                                      |   |      |
| Brief Description | Defines (high level) timing requirements for the function.               |   |      |
| Description       | Defines (high level) timing requirements for the function.               |   |      |
| Benefit           | Receives information about how to define standarized timing requirements |   |      |
| Relation Type     | Related Flement Mul Note                                                 |   |      |
| Performs          | TBC                                                                      | 1 | n.A. |

#### Table 1.6: Function Architect



| Role              | Function Engineer                                                             |          |                     |  |
|-------------------|-------------------------------------------------------------------------------|----------|---------------------|--|
| Package           | Not in the AUTOSAR methodology yet. Mus                                       | st be ad | dapted from AUTOSAR |  |
|                   | System Engineer Role.                                                         |          |                     |  |
| Brief Description | Defines and decomposes timing requirements.                                   |          |                     |  |
| Description       | Defines timing requirements at system level, decomposition of E2E timing re-  |          |                     |  |
|                   | quirements into local timing requirements and function can be implemented,    |          |                     |  |
|                   | resp. content of the transferred data, makes partition.                       |          |                     |  |
| Benefit           | Receives information on how to define, refine and decompose timing require-   |          |                     |  |
|                   | ment related to the function, E2E etc. under condition of a correct implemen- |          |                     |  |
|                   | tation and test, can reason about the implications of integrating a subsystem |          |                     |  |
|                   | into a vehicle.                                                               |          |                     |  |
| Relation Type     | Related Element                                                               | Mul.     | Note                |  |
| Performs          | TBC                                                                           | 1        | n.A.                |  |

#### Table 1.7: Function Engineer

| Role              | Network Data Engineer                                                      |      |      |  |
|-------------------|----------------------------------------------------------------------------|------|------|--|
| Package           | Not in the AUTOSAR methodology yet.                                        |      |      |  |
| Brief Description | Defines communication matrix, Frames, PDUs, Triggerings, Network Manage-   |      |      |  |
|                   | ment, Routing Matrix, content -> data                                      |      |      |  |
| Description       | Defines communication matrix, Frames, PDUs, Triggerings, Network Manage-   |      |      |  |
|                   | ment, Routing Matrix, content -> data                                      |      |      |  |
| Benefit           | Receives information about the mapping of the function architecture to the |      |      |  |
|                   | communication matrix on networks under timing and resource aspects (Use    |      |      |  |
|                   | cases chapter 4).                                                          |      |      |  |
| Relation Type     | Related Element                                                            | Mul. | Note |  |
| Performs          | TBC                                                                        | 1    | n.A. |  |

#### Table 1.8: Network Data Engineer

| Role              | Software Architect                                                       |      |      |
|-------------------|--------------------------------------------------------------------------|------|------|
| Package           | Not in the AUTOSAR methodology yet.                                      |      |      |
| Brief Description | Refines timing requirements to SW implementation level, decomposition of |      |      |
|                   | timing requirements down to the implementation                           |      |      |
| Description       | Refines timing requirements to SW implementation level, decomposition of |      |      |
|                   | timing requirements down to the implementation                           |      |      |
| Benefit           | Learns how to consider timing and use time budgeting on SW-Cs when map-  |      |      |
|                   | ping runnables to tasks.                                                 |      |      |
| Relation Type     | Related Element                                                          | Mul. | Note |
| Performs          | TBC                                                                      | 1    | n.A. |

#### Table 1.9: Software Architect

| Role              | Software Component Developer                                            |  |  |  |
|-------------------|-------------------------------------------------------------------------|--|--|--|
| Package           | AUTOSAR Root::M2::Methodology::Methodology Library::Common Ele-         |  |  |  |
|                   | ments::Roles                                                            |  |  |  |
| Brief Description | Developer of the software component code.                               |  |  |  |
| Description       | Develops the SW-C internal behavior, which means the code executing the |  |  |  |
|                   | function of a SW-C. He respects the interfaces to other SW-Cs and knows |  |  |  |
|                   | about functional and timing requirements for the function he engineers. |  |  |  |



| Benefit       | Gets in contact what the requirements given<br>nal behavior are used for. With this knowledge<br>verification-friendly and identify requirement co<br>edge he can enhance the requirement set and | for deve<br>he can<br>nflicts.<br>consuli | eloping the SW-C inter-<br>develop the code more<br>Using his system knowl-<br>t other roles. |
|---------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------|-----------------------------------------------------------------------------------------------|
| Relation Type | Related Element                                                                                                                                                                                   | Mul.                                      | Note                                                                                          |
| Performs      | TBC                                                                                                                                                                                               | 1                                         | n.A.                                                                                          |

| Role              | Test Engineer                                                                 |                                     |      |  |
|-------------------|-------------------------------------------------------------------------------|-------------------------------------|------|--|
| Package           | Not in the AUTOSAR methodology yet.                                           | Not in the AUTOSAR methodology yet. |      |  |
| Brief Description | Performs measurements and timing related tests.                               |                                     |      |  |
| Description       | Performs measurements and timing related tests.                               |                                     |      |  |
|                   |                                                                               |                                     |      |  |
| Benefit           | Receives information how to carry out timing analysis and verification on the |                                     |      |  |
|                   | system, Information about methods and properties.                             |                                     |      |  |
| Relation Type     | Related Element                                                               | Mul.                                | Note |  |
| Performs          | TBC                                                                           | 1                                   | n.A. |  |

#### Table 1.10: Software Component Developer

#### Table 1.11: Test Engineer

| Role              | Timing Engineer                                                                                                                             |      |      |
|-------------------|---------------------------------------------------------------------------------------------------------------------------------------------|------|------|
| Package           | Not in the AUTOSAR methodology yet.                                                                                                         |      |      |
| Brief Description | Creates timing model, performs timing analysis, proves the timing results against the timing constraints, resp. tools, models.              |      |      |
| Description       |                                                                                                                                             |      |      |
| Benefit           | Receives information on how to model a system and how to carry out timing analysis and verification on the model (using different methods). |      |      |
| Relation Type     | Related Element                                                                                                                             | Mul. | Note |
| Performs          | TBC                                                                                                                                         | 1    | n.A. |

Table 1.12: Timing Engineer

## **1.10** Document Structure and Chapter Overview

This section contains an overview of the document and the chapter contents. Figure 1.1 on page 11 illustrates the different aspects for timing analysis and indicates the chapters in which these will be addressed. In order to show relevance in real world systems, each aspect is described based on one or more typical use-cases, which are linked to Methodology Roles in Chapter 1.9. These use-cases are split into smaller timing tasks. For each of these tasks the necessary timing properties and the corresponding timing methods are presented. These are used to validate the timing and performance constraints typical for the corresponding use-case.

Chapter 1 "Introduction" contains the objective, motivation, scope of the document abbreviations and glossary of terms. Additionally, a list of the use-cases is contained in section 1.8.



Chapter 2 "Basic Concepts of Timing" gives a general overview of timing analyses and introduces the relevant elements and concepts.

Chapter 3 "Timing Requirements on Design Levels" contains a short introduction about the challenge of breaking down functional timing requirements from an abstract user's view to the implementation view of AUTOSAR timing extensions. The problem definition, different approaches and concepts for methodological solutions are introduced.

Chapter 4 "Timing on Functional Level" describes timing-related use-cases for system function analysis and design on functional level. Some use-cases are covering the high-level timing in an early stage of the development while others are dealing with the transition from the functional level to the implementation level. This chapter is intended for E/E Architects and Function Architects.

Chapter 5 "End-to-End Timing for Distributed Functions" introduces the techniques and methodology to reason about the end-to-end timing of distributed functions. They can consist of a locally executed function that uses data from distributed sources (e.g. sensor data) or the computation itself can be distributed. Typical constraints are latency, period and data age. This chapter is intended for E/E Architects, Function Architects and Function Engineers.

Chapter 6 "Timing for Networks" contains use-cases for applying timing analysis at network level, covering scenarios such as extension of an existing network, design of a new network or redesign/reconfiguration of existing network architectures. This chapter is addressed mainly to Network Data Engineers and ECU Integrators.

Chapter 7 "Timing for SW-Integration on ECU Level" contains use-cases for applying timing analysis at ECU level. The chapter covers several use-cases with different levels of abstraction covering the complete development workflow of an ECU ranging from creating a timing model of the entire ECU up to timing optimization. For every use-case the corresponding methods and timing properties are linked. This chapter is addressed mainly to Software Architects and ECU Integrators.

Chapter 8 "Properties and Methods for Timing Analysis" covers the timing tasks, timing properties and the methods derived from the use-cases. Every single method is presented in detail including its classification, description, relation to use-cases, requirements, timing properties, inputs, boundary conditions and its implementation. Some of the methods deliver timing properties as output which can be evaluated by means of timing constraints to check the fulfillment of the timing requirement. Every single timing property is characterized by its classification, description, relation to use-cases, requirements, timing methods, format, (valid) range and implementation. The methods can be grouped in three main groups: simulation, analytical calculation and measurement; whereas the properties can be separated in two main groups: latency-like and bandwidth-like. An overview of the relation between the single methods and the single timing properties respectively is given, but also the interaction between the two is outlined.



In chapter 9 "Artifacts for Timing Analysis" the artifacts (e.g. timing tasks, work products) from the use-cases are collected. Additionally common elements for a timing model and timing-related work products are described.



## 2 Basic Concepts of Timing

## 2.1 Basic Concepts of Real Time Architectures

#### 2.1.1 Real Time Architecture Definition

An E/E architecture is the result of early design decisions that are necessary before a group of stakeholders can collaboratively build a system. An architecture defines the constituents (such as components, subsystems, ECUs, functions, runnables, compilation units ...) and the relevant relations (such as "calls", "sends data to", "synchronizes with", "uses", "depends on" ...) among them. In addition to the above-mentioned structural aspects, a real-time architecture shall provide means to fulfill timing requirements. Like for the system's constituents, real-time architecting consists of decomposing timing requirements and identifying relationships (such as refinement and traceability) among them. In fact, the timing requirements decomposition is a consequence of the structural decomposition where timing requirements are in part inherited by the decomposed units. However, while structural decomposition could be driven by functional concerns, input/output data flows, and/or provided/required services, timing decomposition is a more complex task to achieve. Correct timing requirement decomposition must be locally and globally feasible. Locally each subcomponent's timing properties must fulfill the assigned timing requirements. The design of a real-time software architecture consists of finding a functional decomposition and a platform configuration whose timing properties allow fulfilling local and global timing requirements.

Timing properties are highly dependent on the underlying software and hardware platform resources. Moreover, access to shared platform resources by the decomposed units introduces some overhead (like blocking times or interferences ...). Timing properties will depend on:

- The chosen *placement* (e.g. allocation of functions/components on ECUs);
- The chosen *partitioning* (e.g. grouping of runnables on tasks);
- The chosen *scheduling* (e.g. tasks priority assignment, shared resources access protocol);

In order to assess these architectural choices with regard to timing requirements, timing analysis is necessary. Analysis methods and associated timing properties used for such an assessment can depend on the kind of real-time architecture under consideration (e.g. time-triggered or event-triggered architecture). Chapter 8 details this aspect. Timing analysis can be introduced at the system level as a prediction instrument for the refinement of system functions toward their implementation [5]. Although timing analysis in early development phases requires to make assumptions about the resources of the implementation platform, it constitutes a sound guideline for the decomposition and refinement of timing requirements.

From the application point of view the following two timing properties are particularly important:



- Execution and transmission times;
- Response times.

First introduction of these terms is given below. A more detailed description and classification of these notions is provided in Chapter 8.

#### 2.1.2 Execution and Transmission Times

The execution time of a schedulable entity on a computing resource (e.g. ECU) is the duration taken by the schedulable entity to complete its execution in a continuous way without any consideration of other schedulable entities that are sharing the same computing resource (no suspension/preemption).

Similarly, the transmission time of a signal/message/frame on a communication resource (e.g. bus, network) is the duration taken by the signal/message/frame to transit from its source to its destination without any consideration of other signals/messages/frames transiting on the same communication resource.

An execution/transmission time is a quantitative property that can be described with the following characteristics:

- A statistical qualifier (worst, best, mean/average) representing the bounds of execution/transmission time. This bound could be the upper bound which corresponds to the worst-case execution/transmission time (WCET/WCTT), the lower bound corresponding to the best-case execution/transmission time (BCET/BCTT), or the average-case execution/transmission time (ACET/ACTT) which could be useful for performance analysis. Among these three qualifiers, the WCET is the most commonly used for timing properties verification/validation of real-time systems.
- A *method* (estimation (e.g. simulation), measurement, calculation (static analysis)) denoting the way an execution/transmission time is obtained. The precision of an execution time is highly dependent on its source. For instance, input data used for measurements triggers specific branches of the function/program which impacts the measured execution time value. For that reason, measurements can only provide average execution time or a distribution of execution times. To obtain execution time upper bound, static analysis techniques are employed (abstract interpretation, model checking ...).
- An Accuracy (see Glossary of Terms). The accuracy of the evaluated WCET/WCTT depends on many factors among which the level of details of the software (instruction level) as well as the level of details of the execution/communication resource (like cache mechanisms). This latter could provide elements of unpredictability like branch prediction mechanisms that could affect the WCET analysis by making it more complex to achieve and too pessimistic. In order to avoid overdesigning execution platforms, and in order to allow accurate response



time analysis (see the following subsection) WCET/WCTT analysis should provide safe but accurate WCETs/WCTTs.

Sometimes, a WCET/WCTT can be a requirement to satisfy, especially at the very low levels of abstraction once the ECUs, network and deployment are fixed. However, in the very upper levels of abstraction, timing requirements usually refer to end-to-end response time bounds defined in the following subsection.

#### 2.1.3 Response Time

The response time of a schedulable entity is the time duration taken by the schedulable entity to complete its execution. Unlike for execution time, the response time takes into account other schedulable entities that are sharing the same execution/communication resource. Hence, the response time of a schedulable entity comprises its execution time and additional terms induced by the concurrent access to shared resources (blocking times, jitters...). See Chapter 8 for more details.

An end-to-end response time is a response time in which several schedulable entities are involved. These schedulable entities form a chain. First schedulable entity of the chain is called the *source* schedulable entity and the last one is called the *sink* schedulable entity. The end-to-end response time is the elapsed time until the sink schedulable entity of the chain terminates its execution.

Like an execution time, a response time is a quantitative property that can be described with the following characteristics:

- A *statistical qualifier* (worst, best and mean/average). The worst-case response time (WCRT) is the upper bound usually computed by timing analyses to assess timing requirements fulfillment. A more detailed definition of statistical qualifier is given in Chapter 8.
- A *method* (estimation, measurement, calculation (static analysis)) denoting the way a response time is obtained. Methods for response time determination are given in Chapter 8.
- An *Accuracy* (see Glossary of Terms). The accuracy of a WCRT is highly dependent on the accuracy of the Worst Case Executions Times of the executable entities that are involved in the chain.

## 2.2 Languages for Timing Requirements Specification

The AUTOSAR methodology is based on the AUTOSAR language and its timing extensions. AUTOSAR is the language for the software implementation levels but not applicable at the functional levels (analysis and design). Therefore, in order to ensure a complete model-based approach for timing requirements decomposition, a complementary modeling language for functional levels has to be used. EAST-ADL2 [6]



and its timing extension TADL2 [7] allow functional levels specification with precise timing models. Moreover, TADL2 and AUTOSAR Timing extensions are sharing the same base concepts which may facilitate the translation of timing requirements from the functional level to the AUTOSAR level (where timing requirements are expressed with TIMEX).

Therefore, EAST-ADL / TADL is briefly presented as an example of modeling language for the support of the functional levels of a methodology for timing requirements decomposition.

#### 2.2.1 EAST-ADL / TADL

EAST-ADL is an Architecture Description Language (ADL) for automotive embedded systems, developed in several European research projects. It is designed to complement AUTOSAR with descriptions at higher level of abstractions. Aspects covered by EAST-ADL include vehicle features, functions, requirements, variability, software components, hardware components and communication.

TADL2 (Timing Augmented Description Language) language concepts can be used in specific steps of the GMP methodology to describe timing information. TADL2 allows the specification of timing constraints that may express the following timing properties/requirements:

- Execution time (Worst-case, Best-case, Simulated, Measured)
- End-to-end Latency
- Sampling Rates
- Time Budget
- Response Time
- Communication Delay
- Slack
- Repetition pattern
- Synchronization
- ...

TADL2 base concepts are quite equivalent to those of AUTOSAR TIMEX presented in the following section.



#### 2.2.2 Basic concepts of AUTOSAR TIMEX

According to [2], the primary purpose of the timing extensions is to support constructing embedded real-time systems that satisfy given timing requirements and to perform timing analysis/validations of those systems once they have been built.

The AUTOSAR Timing Extensions provide a timing model as specification basis for a contract based development process, in which the development is carried out by different organizations in different locations and time frames. The constraints entered in the early phase of the project (when corresponding solutions are not developed yet) shall be seen as extra-functional requirements agreed upon by the development partners.

This way the timing specification supports a top-down design methodology. However, due to the fact that a pure top-down design is not feasible in most of the cases (e.g. because of legacy code), the timing specification allows the bottom-up design methodology as well.

The resulting overall specification (AUTOSAR Model and Timing Extensions) shall enable the analysis of a system's timing behavior and the validation of the analysis results against timing constraints. Thus, timing properties required for the analysis must be contained in the timing augmented system model (such as the priority of a task, the activation behavior of an interrupt, the sender timing of a PDU and frame etc.). Such timing properties can be found all across AUTOSAR. For example the System Template provides means to configure and specify the timing behavior of the communication stack. Furthermore the execution time of executable entities can be specified. In addition, the overall specification must provide means to describe timing constraints. A timing constraint defines a restriction for the timing behavior of the system (e.g. bounding the maximum latency from sensor sampling to actuator access).

Timing constraints are added to the system model using the AUTOSAR Timing Extensions. Constraints, together with the result of timing analysis, are considered during the validation of a system's timing behavior, when a nominal/actual value comparison is performed.

The AUTOSAR Timing Extensions provide some basic means to describe and specify timing information: timing descriptions, expressed by events and event chains, and timing constraints that are imposed on these events and event chains. Both means, timing descriptions and timing constraints, are organized in timing views for specific purposes. By and large, the Timing Extensions serve two different purposes. The first is to provide timing requirements that guide the construction of systems which eventually will satisfy those timing requirements. The second purpose is to provide sufficient timing information to analyze and validate the temporal behavior of a system.

The remainder of this section describes the main concepts defined in the AUTOSAR Timing Extensions.



#### 2.2.2.1 TIMEX Work Products

The following part decribes the different TIMEX Work Products to provide a general overview on them. Further, much more detailed descriptions are given in [2] Chapter 2 (Timing Extensions Overview)

**Events**. The notion of Event is used to describe that specific observable events occur in a system and also at which locations in this system the occurrences are observed. These are related to predefined Event types and are used to specify different actions (eg. Read/Write data to ports, Send/Receive data via network, Start/Terminate executables ...).

**Event Chains** specify a causal relationship between two Events. For example Event B occurs if and only if Event A occurred before.

**Timing Constraints imposed on Events.** Event Triggering Constraint imposes a constraint on the occurrences of an Event in a temporal space (periodic, sporadic, specific pattern).

**Timing Constraints imposed on Event Chains.** Event triggering constraints are used to specify a reaction or age, e.g the maximum distance of two following events. Latency and synchronization timing constraints specify that a stimuli or response event must occur within a given time interval (tolerance) to be said to occur simultaneous and synchronous respectively.

Additional Timing Constraints. AUTOSAR Timing Extensions provide Timing Constraints which are imposed on Executable Entities, namely the Execution Order Constraint and Execution Time Constraint.



## **3** Timing Requirements on Design Levels

The decomposition of timing requirements is a primary concern for the design and analysis of a real-time system. At the beginning of the system design process, timing requirements are expressed at the level of the customer functionality identified in the specification. The development of the customer functionality requires its decomposition into small and manageable components. This decomposition activity called architecting implies also a decomposition of timing requirements attached to the decomposed functionality. This chapter gives an overview of the proposed approach for the decomposition of timing requirements.

## 3.1 Timing Requirements Decomposition Problem

Mastering timing requirements is one key success factor for the development and integration of state of the art automotive E/E-systems. Timing requirements should be monitored continuously during the complex development process of a vehicle, and further shall be reused and communicated for the re-use of functions or components to other vehicle projects: timing requirements have to be described systematically and carefully. The required level of detail can vary from timing constraints for high level customer related features at the vehicle level, over timing requirements for the control of a power amplifier for a particular actuator, to ECU-internal timing for data synchronicity of software functions on a multi-core microcontroller at the operational level.

As illustrated in Figure 3.1, the development process follows the well-known Vmodel, which describes a systematic and staggered top-down approach from system specifications to system integration. On the left branch process steps of specification are described, implementing decomposition from an entire E/E-system to single components. The base of the V describes implementation and associated test procedures. Following the right branch of the V testing and integration procedures up to vehicle system integration can be read in bottom up order.





# Figure 3.1: Application of timing analysis in a development process according to the V-model

According to these basic steps of an automotive OEM development process, requirements shall be traceable in any process step. This means that timing requirements shall be identifiable and traceable from a requirements specification via a supplier's performance specification to a test and integration documentation (protocols). As far as E/E-processes are concerned this means that timing requirements shall resist the process transformation between two companies like OEM an tier1-supplier and further down to tier2 and 3 suppliers. This can only be achieved by using a standardized system of description and methodology, referencing the model artifacts that are generally exchanged between development partners.

The AUTOSAR Timing Extensions (TIMEX) [2] based on the AUTOSAR System Template, represents the standardized format for exchange of a system description within an AUTOSAR compliant software development process. In addition TIMEX is an optional component which does not imply changes in the AUTOSAR System Template. The concept of the observable event, which occurs or can be observed in a referenced modeling artifact e.g. a RTE-port, allows specifying observation points and sequences of events in causal order (event chains) with additional timing constraints on them. The TIMEX concept is assumed to meet all use-cases of describing temporal behavior in an AUTOSAR system by means of timing requirements.

Unfortunately the OEM development process does not start with AUTOSAR. AUTOSAR only represents an implementation view for some software components, but not a view on higher level functional concepts that can comprise non software



functions. Currently requirements are described in natural language at the very beginning of the process. These requirements have to be "formalized" in a non-natural language in order to assess them and allow their decomposition. The assessment of timing requirements should be done as early as possible in the development process. To enable this at system/functional level, a system/functional modeling language is needed. This language must provide concepts for functions design modeling and must also provide a formal way to capture and decompose timing requirements during the functional design.

Several approaches based on Architecture Description Languages (ADLs) could be used to fill the gap between requirements specification in natural language and the implementation phase modeled in AUTOSAR. We can cite UML-based [8] Architecture Description Languages: SysML [9] (UML specialization for System Modeling) and MARTE [10] (UML specialization for Modeling and Analysis of Real-Time end Embedded systems). Other approaches that are more domain specific like AADL [11] for aerospace or EAST-ADL [6] for automotive also exist. The choice of the appropriate system/functional level modeling language depends on the internal OEMs' processes. However, there are some general timing related criteria that are important to consider:

- A support for hierarchical timing requirements process;
- The ease of mapping the decomposed timing requirements to AUTOSAR TIMEX model artifacts that constitutes today the exchange format between the OEM and its suppliers.

In the following section an approach based on all these ideas and concepts is drawn which shall give orientation to implement a hierarchical timing requirements process in the own organization and also, in the end, enables the exchange of AUTOSAR TIMEX compliant model artifacts.

## 3.2 Hierarchical Timing Description

During the early design phase of an automotive development process the architecture discussion is about high level customer related functions. These functions can be detailed in functional "cause and effect" or "activity" chains, which from a temporal view can be budgeted - justified by customer's experience. The functional quality and thus technical effort dedicated to the customer's experience is a business decision of a company.

One example is the reaction time from pressing a button to a reaction, which varies between simply switching (rear window heating) and controlling a motion (e.g. seat or mirror adjustment). The other example is a powertrain or chassis control function which can cause inconveniences like bucking during shifting or braking.

From methodological and technical view timing analysis is a tool to assure the



desired temporal behavior during the mapping of a functional network to a component network as depicted on Figure 3.2.



Figure 3.2: Mapping of a function network to a component network

Once the major timing budgets for customer related functions are defined and a distribution of functional parts to hardware components is done <sup>1</sup>, a more detailed temporal view of a networking architecture can be made. This allows a first assessment of the feasibility of the function distribution in terms of performance and timing. This process can iteratively be refined during further process steps to obtain more precise analysis results.

For further understanding, it can be assumed that each function in Figure 3.3 is contained in the compositional scope of an AUTOSAR SW-C, where it is represented as an AUTOSAR runnable entity, shortly often named "Runnable". Other mapping strategies can also be considered. Regardless of the chosen strategy, the mapping is usually constrained by the functional design choices made at the functional level for timing requirements assessment. For instance, a feasibility test based on the computation of the load (utilization) of each hardware resource (ECUs, buses), is based on a given allocation of functions on hardware resources. This allocation has to be taken into account for the mapping of functions to AUTOSAR SW-Cs in order to avoid the mapping of two functions that are allocated on distinct ECUs on the same AUTOSAR SW-C.

<sup>&</sup>lt;sup>1</sup>In an AUTOSAR development process a software component (SW-C) is defined with a scope local to the hardware component it is mapped on. It contains a functional contribution to the vehicle function with a system wide scope.





# Figure 3.3: Iterative and hierarchical top down budgeting of timing requirements corresponding to response times

Moreover, in many cases timing demands of physical processes, e.g. the start-up and transient oscillation behavior of electrical actuators, consume more than a few microseconds and thus have to be considered carefully. In a first step the overall timing budget can be split in component-internal and networking parts. As soon as the entire network communication and the type of network are known, the WCRT-analysis of a network can quantify the worst case timing demand for network communication. As shown in the picture above, this divides the overall timing budget in networking budgets and timing budgets for allocation in components (usually ECUs).

This can be enough for an OEM if the development and integration of the component is entirely done by a supplier. In practice a more detailed view considering the timing behavior of a basic software stack and the functions itself is required. Likewise functional relations are more complex, which induces a more complex analysis. During further analysis steps the end to end timing path or chain of functions can be refined following the concepts of Figure 3.3. In the following section we introduce methodologies that provide support for the general process described.

## 3.3 Methodologies for Timing Requirements Decomposition

As previously stated, the AUTOSAR methodology covers the implementation phase of the process of E/E systems development. However, timing requirements are introduced at the very beginning of the development cycle in the form of textual



descriptions by OEMs. An extension of the AUTOSAR methodology is then needed to cover the system/functional architecture design phases where the first functional decompositions and timing requirements decomposition must occur. In fact, one of the most challenging activities in the development of systems is determining a system's dimensioning in early phases of the development - and the most difficult one is the phase before transitioning from the functional domain to the hard and software domain.

Primarily, two questions must be answered. Firstly, how much bandwidth shall the networks provide in order to ensure proper and timely transmission of data between electronic control units; and secondly, how much processing performance is required on an electronic control unit to process the received data and to execute the corresponding functions. As a matter of fact, these questions can only be completely answered when the system is implemented, including a mapping of signals to network frames and first implementations of functions that are executed on the electronic control units. The reason for this is that one needs to know how many bits per second have to be transmitted and how many instructions shall be executed.

An important aspect that impacts the decisions taken during the task of specifying system dimensions is timing. Especially, information about data transmission periods, execution rates of functions, as well as tolerated latencies and required response times provide a framework for performing a first approximation of network and ECU dimensions. This framework allows to continuously refine the system dimensioning during system development when more details about the system's implementation are becoming available. The basic idea is to abstract from operational parameters obtained during the implementation phase, like for example measured or simulated execution times of functions, and use them on higher levels of abstraction respectively earlier development phases. And, for new functions as a workaround for missing execution time, an activity called Time Budgeting allows the specification of so called time budgets to functions.

The remainder of this section defines the levels that will be considered for timing requirements decomposition. Then, some generic methodological guidelines will be given for conducting timing requirements refinement between these levels.

#### 3.3.1 Functional and Software Architectures Modeling Levels

Prior to the AUTOSAR software architecture levels, we can consider two functional architecture modeling levels defined in [6] that are of interest for timing requirements:

• The *Functional Analysis level* which is centered on a logical representation of the system's functional units to be developed. Typically based on the inputs of automatic control engineering, system design at this level refines the vehicle level sys-



tem feature specification by identifying the individual functional units necessary for system boundary (e.g., sensing and actuating functions for the interaction with electromechanical subsystems) and internal computation (e.g. feedback control functions for regulating the dynamics of these subsystems). The design focuses on the abstract functional logic, while abstracting any SW/HW based implementation details. Through an analysis level system model, such abstract functional units are defined and linked to the corresponding specifications of requirements (which are either satisfied or emergent) as well as the corresponding verification and validation cases.

• The Function Design level provides a logical representation of the system functional units that are now structured for their realizations through computer hardware and software. It refines the analysis level model by capturing the bindings of system functions to I/O devices, basic software, operating systems, communication systems, memories and processing units, and other hardware devices. Again, through a design level system model, the system functions, together with the expected software and hardware resources for their realizations, are defined and linked to the corresponding specifications of requirements (which are either satisfied or emergent) as well as the corresponding verification and validation cases. Moreover, the creation of an explicit design level system model promotes efficient and reusable architectures, i.e. sets of (structured) HW/SW components and their interfaces, hardware architecture, for different functions. The architecture must satisfy the constraints of a particular development project in automotive series production.

The AUTOSAR methodology (see [1] for a general introduction) provides several well defined process steps, and furthermore artifacts that are provided or needed by these steps. Figure 3.4 provides a simplified overview of the AUTOSAR methodology, using the Software & Systems Process Engineering Metamodel notation (SPEM) [4], focusing on the process phases which are of interest for the use of the timing extensions. These represented steps and artifacts are grouped by boundaries in the five following views:

- VfbTiming deals with timing information related to the interaction of SwComponentTypes at VFB level.
- *SwcTiming* deals with timing information related to the SwcInternalBehavior of AtomicSwComponentTypes.
- *SystemTiming* deals with timing information related to a System, utilizing information about topology, software deployment, and signal mapping.
- *BswModuleTiming* deals with timing information related to the BswInternal-Behavior of a single BswModuleDescription.
- *EcuTiming* deals with timing information related to the EcucValueCollection, particularly with the EcucModuleConfigurationValues.


Further details of these timing views are given in [2]. For each of these views a special focus of timing specification can be applied, depending on the availability of necessary information, the role a certain artifact is playing and the development phase, which is associated with the view.



# Figure 3.4: SPEM Process model from AUTOSAR Methodology for system design process

## 3.3.2 Guidelines for Timing Requirements Decomposition

The Generic Methodology Pattern (GMP) developed in the TIMMO-2-USE project [12] is an example of a process that defines generic steps for timing requirements refinement. Theoretically, those generic steps are applicable at every level defined in the previous section (including the AUTOSAR levels). Basically, at each abstraction level, GMP takes as input timing requirements and after a sequence of steps gives as output refined timing requirements. GMP defines six main steps. Some of them have been merged in the following short description:

• *Step1 - Create Solution*: describes the definition of the architecture without any timing information. This step can consist in a refinement of an already existing architecture coming from the upper level. Timing requirements shall guide the creation or revision of a solution.



- Step2 Attach Timing Requirements to Solution: describes the formulation of timing requirements in terms of the current architecture. This can imply a transformation of timing requirements coming from the previous level, in order to be compliant with the timing model of the current level of abstraction. For instance in the AUTOSAR SwcTiming view a timing requirement can be modeled with a timing constraint attached to events or event chains.
- Step 3 Create, Analyze and Verify Timing Model: describes the definition of a formalized model for the calculation of specific timing properties of the current architecture. In this step relevant timing analysis methods can be applied to verify timing requirements against calculated timing properties (e.g. maximal load for a bus). If timing requirements are not verified by timing properties resulting from the analysis, the previous steps shall be iterated until a satisfactory solution is found.
- Step 4 Specify and Validate Timing Requirements: describes the identification of mandatory timing properties and their promotion to timing requirements for the next level.

Chapter 8 contains timing properties and methods of interest for each use-cases described in chapter 4, chapter 5, chapter 6 and chapter 7 to ensure correct timing requirements decomposition.

Timing constraints are added to the system model using the AUTOSAR Timing Extensions. Constraints, together with the result of timing analysis, are considered during the validation of a system's timing behavior, when a nominal/actual value comparison is performed.

## 3.4 Conclusions

To apply timing requirements decomposition in a comprehensive way several conditions have to be fulfilled:

- All basic terms shall be unified. This means a term like WCRT has the same meaning and comprehensive understanding all over the industry.
- The structure of describing timing aspects shall be unified. For this need AUTOSAR TIMEX delivers an appropriate approach for the implementation driven perspective of AUTOSAR. It does not apply to higher levels of abstraction, because as soon as no AUTOSAR concepts like Software Components and Runnable exist, there is no meaning.
- The methodological approach for introducing timing analysis in a timing aware development process shall not be reduced to the definition of TIMEX artifacts referring to AUTOSAR system template artifacts. Additionally information of higher abstraction levels in earlier design phases shall be transferred to AUTOSAR mod-



eling without loosing exactness. This requires reference points valid within all phases and levels of abstraction.

• The methodology shall meet the needs of large scale organizations. This means the methodology shall be applicable tailor-made to the processes ruling a particular large scale organization.

The elements presented in this chapter allow a formal timing requirement decomposition described in the top level active steering example introduced in Chapter 1.



## 4 Timing on Functional Level

This chapter describes timing-related use-cases for system function analysis and design on functional level. Some use-cases are covering the high-level timing in an early stage of the development while others are dealing with the transition from the functional level to the implementation level.

The design of a functionality requires its decomposition into function blocks. This decomposition must include an activity of decomposition of its timing requirements ending with an assignment of coherent timing requirements to function blocks.

Timing and load requirements are further split up when the function blocks are assigned to actual hardware and the communication technology is chosen. Finally the requirements have to be considered when runnables/triggers are designed on the implementation level and verified when the hardware specification is known.



Figure 4.1: Decomposition of functions

The main goal during modeling and decomposition of functions from a timing perspective is to define the timing requirements on a functional analysis level and to refine and meet the requirements on the design and implementation levels.

The following use-cases partly refer to the active steering example from chapter 1.4, see also figure 1.2 for an example overview and figure 1.3 for the Software Architecture.

Relation to other chapters Chapter 3 describes the decomposition of Timing Requirements in more detail. Chapter 5, 6 and 7 contain use-cases for E2E, Network and ECU use-cases. Chapter 8 contains timing properties and methods of interest for all use-cases.

Links to explanations of the used timing expressions



- Load, see section 8.4
- Functional Analysis Level and Function Design Level, see section 3.3.1

## 4.1 Overview of Function-level Use-Cases

| Section | Use-case                                                                                    | Page |
|---------|---------------------------------------------------------------------------------------------|------|
| 4.2     | Function-level use-case "Identify timing requirements for a new feature (vehicle function)" | 43   |
| 4.3     | Function-level use-case "Partition a feature (vehicle function) into a function network"    | 44   |
| 4.4     | Function-level use-case "Map a function network to a hardware<br>components network"        | 45   |
| 4.5     | Function-level use-case "From function-level events to observable events"                   | 46   |

#### Table 4.1: List of Function-level specific use-cases





#### Figure 4.2: Use-case Diagram: Function-level



# 4.2 Function-level use-case "Identify timing requirements for a new feature (vehicle function)"

In the following use-case, a new feature, which is a vehicle function, is introduced to an existing functional architecture.

| Goal In Context:       | Identify timing requirements related to a new feature (vehicle function).           |
|------------------------|-------------------------------------------------------------------------------------|
| Brief Description:     | A new feature (vehicle function) is introduced. The objective of this use-case      |
|                        | is to identify timing requirements of the new feature (vehicle function). The       |
|                        | purpose of timing requirements is to be able to verify that the timing of the       |
|                        | feature fulfills its functional needs.                                              |
|                        | For this the feature (vehicle function) is investigated thoroughly to identify tim- |
|                        | ing critical event chains and establish constraints/bounds on acceptable tim-       |
|                        | ing.                                                                                |
|                        | Timing requirements could be for example the maximum tolerable delay from           |
|                        | changes in the sensor values to changed stimulus to actors. In example              |
|                        | 1.4 the feature (vehicle function) "active steering" would come with a timing       |
|                        | constraint that "the maximum delay between changes in the yaw rate sensor           |
|                        | until electric motor stimulus is changed must be below 30ms"                        |
|                        | Ideally these timing constraints are formulated in a formal fashion (like in Deli-  |
|                        | events as precisely as possible, and they should be independent of any actual       |
|                        | implementation (i.e. do not refer to specific runnables or frames)                  |
|                        |                                                                                     |
| Scope:                 | Functional Architecture - Functional Analysis Level                                 |
| Frequency:             | During function development                                                         |
| Precondition:          | The vehicle function is sufficiently specified to allow reasoning about accept-     |
|                        | able timing, ideally through experiments or meaningful modeling or functional       |
|                        | simulation.                                                                         |
| Success End Condition: | All timing requirements related to this vehicle function are known.                 |
| Failed End Condition:  | Some timing requirements could not be established, therefore not being              |
|                        | testable later, opening the risk of integration problems.                           |
| Actor(s):              | Timing Engineer, "Function Architect"                                               |

Table 4.2: Characteristic Information of "Identify timing requirements for a new feature (vehicle function)" use-case





Figure 4.3: SPEM process model for Function-level use-case "Identify timing requirements for a new feature (vehicle function)"

# 4.3 Function-level use-case "Partition a feature (vehicle function) into a function network"

In the following use case the feature (vehicle function) is refined and represented as a "function network" which is a set of function blocks and their interfaces. The function network represents all parts of the feature (vehicle function) that need to be executed on the vehicle's E/E-platform.

| Goal In Context:       | Refine a feature (vehicle function) into a function network.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Brief Description:     | A feature (vehicle function) is usually a rather high-level specification of the intended behavior. In order to facilitate an efficient work on the following work steps, a more formal specification is required.<br>For this the feature (vehicle function) is partitioned into function blocks and their interfaces (i.e. later implemented as RTE calls or inter-ECU communication). This is called the "function network".<br>The timing requirements identified in Use Case 4.2 are associated with the function blocks and interfaces wherever possible. |
| Scope:                 | Functional Architecture - Functional Design Level                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| Frequency:             | During function development                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| Precondition:          | The feature (vehicle function) and its timing requirements is known. The prin-<br>cipal logic of the feature is known.                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| Success End Condition: | Feature is successfully decomposed in function blocks. Interfaces between function blocks are defined and consistent.                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| Failed End Condition:  | Feature cannot be decomposed in function blocks consistently.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| Actor(s):              | Timing Engineer, Function Engineer, E/E Architect                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |

Table 4.3: Characteristic Information of "Partition a feature (vehicle function) into a function network" use-case





Figure 4.4: SPEM process model for Function-level use-case "Partition a feature (vehicle function) into a function network"

## 4.4 Function-level use-case "Map a function network to a hardware components network"

In the following use-case an abstraction of the vehicle's E/E architecture in the form of a network of hardware components is added to the functional architecture model.

| Goal In Context:       | Specify a mapping of a function network to a hardware components network                                                     |
|------------------------|------------------------------------------------------------------------------------------------------------------------------|
| Brief Description:     | A functional network is specified. Timing requirements for each function and                                                 |
|                        | function chains are also specified.                                                                                          |
|                        | A hardware network (network of hardware components such as ECUs and                                                          |
|                        | their interconnection) specification abstracting the E/E architecture is avail-                                              |
|                        | able.                                                                                                                        |
|                        | This use-case consists in finding a mapping of the function network to the                                                   |
|                        | hardware network, and the goal is that this mapping is compliant with timing requirements of the feature (vehicle function). |
|                        | Function blocks that already exist as part of other functions, or whose inter-                                               |
|                        | faces are reused shall be checked for consistency and may need to be revised.                                                |
|                        | A meaningful constraint is to assume that a function block is mapped to exactly                                              |
|                        | one hardware component.                                                                                                      |
| Scope:                 | Functional Architecture - Functional Design Level                                                                            |
| Frequency:             | During function partitioning                                                                                                 |
| Precondition:          | A function network with timing requirements for each function is specified. A                                                |
|                        | hardware network is available (ideally in the form of a model with hardware                                                  |
|                        | component's main characteristics).                                                                                           |
| Success End Condition: | Each function block and its interfaces are mapped to hardware components.                                                    |
|                        | The early evaluation of the mapping satisfies timing and load requirements.                                                  |
| Failed End Condition:  | Some functions could not be mapped to hardware components, or the map-                                                       |
|                        | ping evaluation does not satisfy timing and load requirements, opening the risk                                              |
|                        | of overload problems.                                                                                                        |
| Actor(s):              | Timing Engineer, Function Engineer, E/E Architect                                                                            |



Table 4.4: Characteristic Information of "Map a function network to a hardware components network" use-case



Figure 4.5: SPEM process model for Function-level use-case "Map a function network to a hardware components network"

## 4.5 Function-level use-case "From function-level events to observable events"

The following use-case deals with the transition from the vehicle's functional level to the implementation-level of software functions.

| Goal In Context:   | From functional architecture to software architecture.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Brief Description: | This use-case deals with the transition from a functional / logical architecture to an implementation architecture.<br>During this transition, an activity consisting in mapping function blocks (functions that are not further decomposed at the functional level) to AUTOSAR runnables must be achieved. There are multiple mapping scenarios: a function block can be mapped to one or several runnables, and one runnable can be the "host" of several functions. This mapping must satisfy function communication, triggering and timing specifications. All these specification elements must be mapped to the software (AUTOSAR) level. Each function must be mapped to a runnable, each runnable must have an RTE event that conforms to the triggering events of the function(s) it hosts. Aditionally the resulting graph of runnables must satisfy functions communication needs.<br>Observable events in the implementation are identified that correspond to the constraints defined for function blocks in their interfaces.<br>Typically, function blocks will be implemented by runnables and function interfaces will be implemented by RTE ports or network frames. Thus, the runnable start will correspond to the start of the respective function block. |
| Scope:             | Functional Design Level - Software level.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |



| Frequency:             | During transition from functional level to software level.                    |
|------------------------|-------------------------------------------------------------------------------|
| Precondition:          | A functional architecture is specified. Functions are decomposed in function  |
|                        | blocks. A functional graph made of function blocks is available. Triggering   |
|                        | events with their timing requirements are specified for each function.        |
| Success End Condition: | Each function block is mapped to a runnable and the resulting graph of        |
|                        | runnables conforms to the functional graph in terms of reachability. RIE      |
|                        | events are specified for each runnable consistent with their mapped functions |
|                        | triggering events.                                                            |
| Failed End Condition:  | Some functions could not be mapped to runnables, and/or the resulting graph   |
|                        | of runnables is incompatible with the functional graph which can cause func-  |
|                        | tions communication implementation problems.                                  |
| Actor(s):              | Timing Engineer, Function Engineer, Software Architect                        |

Table 4.5: Characteristic Information of "From function-level events to observable events" use-case



Figure 4.6: SPEM process model for Function-level use-case "From function-level events to observable events"



## 5 End-to-End Timing for Distributed Functions

This chapter introduces use-cases to reason about the end-to-end timing of distributed functions. As a distributed function, we consider

- a function that executes locally but requires data from sensors or functions communicated over the network. In this case there exists at least an assumption about the maximum age of the data or
- a function that consists of several computation steps that are performed on different ECUs, connected via dedicated or shared buses. In this case event chains often exist with overall latency or periodicity constraints.

Most automotive functions today are distributed functions.

## 5.1 Relation to other chapters

This chapter is related to the other parts of this document as follows:

- Chapter 3 introduces the terminology of a function, what a function is, and informally discusses how an end-to-end timing requirement can be decomposed into timing requirements for each involved resource. Further, Use-cases on function level are treated in this chapter.
- Chapter 4 contains use cases on function level.
- Chapter 6 and 7 discuss use cases related to timing analysis on individual resources.
- Chapter 8 defines timing properties and how to derive these for individual resources and schedulables. The relevant timing properties (in particular the load of a resource and the latency of a schedulable) are introduced in Definition and Classification of Timing Properties.

Furthermore, the chapter (and the other chapters) is related to the AUTOSAR Timing Extensions [2], as it allows to derive the guarantees or assert the constraints specified therein.

## 5.2 Overview of End-to-End Use-cases

This chapter describes the following use-cases listed in Table 5.1.

| Section | Use-case                                                                                                | Page |
|---------|---------------------------------------------------------------------------------------------------------|------|
| 5.3     | E2E use-case "Derive per-hop time budgets from End-to-End timing requirements"                          | 50   |
| 5.4     | E2E use-case "Deriving timing requirements from the timing<br>assessment of an existing implementation" | 51   |



| Section | Use-case                                                            | Page |
|---------|---------------------------------------------------------------------|------|
| 5.5     | E2E use-case "Specify Timing Requirements for functional interfaces | 53   |
|         | based on Signals/Parameters"                                        |      |
| 5.6     | E2E use-case "Assert timing requirements against guarantees"        | 55   |
| 5.7     | E2E use-case "Trace-based timing assessment of a distributed        | 56   |
|         | implementation"                                                     |      |

#### Table 5.1: List of use-cases related to end-to-end timing



Figure 5.1: Use-case Diagram: E2E



# 5.3 E2E use-case "Derive per-hop time budgets from End-to-End timing requirements"

This use-case specifies the work flow for function(s) owners on how to decompose endto-end timing requirements in order to derive and specify per hop time budgets (e.g. define local time budgets for functions(s) for each execution node and communication bus they are distributed).

This use-case becomes relevant when a customer functionality is identified in the specification. This functionality is decomposed into a set of functions that have to be integrated into an existing E/E network. An end-to-end timing requirement is identified for these functions and time budgets for each segment of the end-to-end chain have to be derived. A suitable syntax to store this and related properties in provided by the AUTOSAR Timing Extensions [2].

| Goal In Context:       | Specify time budgets for each ECU and communication network on which function(s) participating in an end-to-end timing requirement are distributed.                                                                                                                                                                                                                                                                                                                                                                                                  |
|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Brief Description:     | This use case requires that an end-to-end timing chain specifying a function<br>or a set of functions with an end-to-end timing requirement is specified. More-<br>over, functions participating in the end-to-end timing chain are decomposed in<br>sub-functions that are allocated to ECUs interconnected with communication<br>networks. Based on end-to-end timing requirements, this use case derives<br>time budgets for each sub-function (segment of the end-to-end timing chain)<br>allocated to an ECU and each involved network segment. |
| Scope:                 | E2E                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| Frequency:             | Whenever a new distributed function has to be implemented                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| Precondition:          | An end-to-end timing chain (with a function decomposition) with an end-to-end timing requirement is available.                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| Success End Condition: | A time budget has been found for each sub-function (segment) of the end-to-<br>end timing chain and the sum of the budgets are not exceeding the end-to-end<br>timing requirement.                                                                                                                                                                                                                                                                                                                                                                   |
| Failed End Condition:  | Some time budgets could not be derived or the sum of the found time budgets exceeds the end-to-end timing requirement.                                                                                                                                                                                                                                                                                                                                                                                                                               |
| Actor(s):              | Timing Engineer, Function Engineer, Network Data Engineer, ECU Integrator.                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |

# Table 5.2: Characteristic Information of E2E use-case "Derive per-hop time budgets from End-to-End time requirements"

## 5.3.1 Main Scenario

A systematic approach for this use case is depicted in figure 5.2. The following steps typically apply:

 A distributed functionality is identified and decomposed into a set of manageable functional components (functions). An end-to-end timing requirement is identified from the specification (or established from experiments). A suitable property to describe the end-to-end timing requirement is given by GENERIC PROPERTY Latency which can be determined in the context of *Task Collect Timing Requirements* in Table 9.1.



- 2. The function owner decomposes the function and distributes the sub-functions (functional contributions of components) on a network of ECUs. This results in an allocation of functions on computation and communication resources.
- 3. Optionally, the ECU responsible and the bus responsible persons are asked for an estimation of the required processing time (estimated timing guarantees). A suitable method is GENERIC METHOD Determine Latency either via implementation-based timing analysis (Table 9.8) or model-based timing analysis (Table 9.7).
- 4. Time budgets for each sub-function are derived from the end-to-end timing requirement, if possible respecting the estimated per hop timing.
- 5. A verification of the found time budgets with respect to the end-to-end timing requirement is performed.

See also related sub-use-case: NW use-case "Integration of new communication".



Figure 5.2: SPEM process model for E2E use-case "Derive per-hop time budgets from End-to-End timing requirements"

# 5.4 E2E use-case "Deriving timing requirements from the timing assessment of an existing implementation"

This use-case specifies the work flow for function(s) or system owners to derive timing requirements (e.g. deadlines, end-to-end timing) for a system under development from a previous timing assessment of an existing implementation. This may be applied at early phases in the design process for a new build system where timing requirements can not be derived by the analysis-based/simulation-based timing assessment



due to e.g. an incomplete system / missing functions, a not existing/specified hardware platform or a missing setup for timing assessments. Moreover this use-case may be applied in case of the migration from a single-core platform to a multi-core platform to where as the timing requirements derived from an existing single-core implementation may be applied to the multi-core implementation of this system. Further possible application are the migration from one network type to another or replacement of an old hardware by a new one. The goal of this use case is that the timing behavior of the system under development sufficiently corresponds to the timing behavior of the existing implementation (i.e. timing is identical or better).

The AUTOSAR Timing Extensions (TIMEX) [2] represent a suited grammar to formalize the description of timing constraints.

| Goal In Context:       | Specification of timing requirements for systems under development based on<br>timing assessments of existing implementations (early in the design process<br>without knowledge and access of the final and complete system implementa-<br>tion and behavior). |
|------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Brief Description:     | This use-case describes the deriving of timing requirements for a system un-<br>der development from timing assessments of an existing implementation of<br>this system or parts of this system.                                                               |
| Scope:                 | E2E, NW, ECU                                                                                                                                                                                                                                                   |
| Frequency:             | Whenever an existing function has to be implemented on a new system.                                                                                                                                                                                           |
| Precondition:          | The function(s) or system owner has conducted (or access to) a timing as-<br>sessment of an existing implementation of the system under development                                                                                                            |
| Success End Condition: | The timing requirements derived from a timing assessment of an existing im-<br>plementation are mapped and applied to a system under development                                                                                                               |
| Failed End Condition:  | The timing requirements derived from a timing assessment of an existing im-<br>plementation could not be accessed, mapped and/or applied to a system un-<br>der development                                                                                    |
| Actor(s):              | Timing Engineer, Function Engineer, Test Engineer.                                                                                                                                                                                                             |

Table 5.3: Characteristic Information of this E2E use-case

## 5.4.1 Main Scenario

A systematic approach for this use case is depicted in figure 5.3. The following steps typically apply:

- 1. The function(s) owner has access to or performs a timing assessment of an existing implementation of the system. A suitable property to describe the end-to-end timing requirement is given by GENERIC PROPERTY Latency which can be determined using GENERIC METHOD Determine Latency (for timing assessment of the existing implementation) in the context of *Task Perform Implementationbased Timing Analysis* in Table 9.8.
- 2. The function(s) owner derives the timing requirement and maps/applies it to the system under development. See *Task Collect Timing Requirements* in Table 9.1.



See also related sub-use-cases: NW use-case "Remapping of an existing communication link", ECU use-case "Collect Timing Information of a SW-C" and ECU use-case "Create Timing Model of the entire ECU".



Figure 5.3: SPEM process model for E2E use-case "Deriving timing requirements from the timing assessment of an existing implementation"

## 5.5 E2E use-case "Specify Timing Requirements for functional interfaces based on Signals/Parameters"

This use case specifies the work flow for function owners (e.g. of a distributed function), to derive and specify the relevant timing-related properties and requirements in order to consider its communication in the vehicle networking.

| Goal In Context:       | To specify precisely the requirements of a function with respect to the required                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|                        | data communication over the vehicle network                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|                        |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| Brief Description:     | I his use case requires dedicated reasoning about the timing requirements of                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
|                        | a specific function. The function owner identifies for each signal/parameter                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
|                        | (i.e. the data to be communicated over the network) the expected cycle time                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|                        | the and later of the answer the table and the second of th |
|                        | jitter and latency. To ensure that the requirement is not over-specified the                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
|                        | requirements are reviewed by the network designer.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| Scope:                 | E2E, NW                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| Frequency:             | Whenever the communication requirements of a function changes                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| Precondition:          | The function owner has partitioned the end-to-end timing constraints for the                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
|                        | involved signals into ECU-internal timing requirements and network-related                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
|                        | timing requirements (see also Use Case 6.3)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| Success End Condition: | The function's timing requirements have been considered in an explicit signal/-                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
|                        | parameter request.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| Failed End Condition:  | The function's timing requirements could not be translated to a signal/param-                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
|                        | eter request (e.g. because they are not known).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| Actor(s):              | Timing Engineer, Function Engineer, Network Data Engineer.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |

#### Table 5.4: Characteristic Information of this E2E use-case

The signal/parameter request shall contain the following information

- the name of the signal/parameter
- the size of the signal/parameter
- the receivers of the signal/parameter as a list of ECUs and/or software components
- the maximum tolerated age of the signal when transmission is completed on the target network.



- the expected update frequency of the signal/parameter
- the accepted jitter for the transmission of the signal/parameter
- a short description of the related functionality

From these values, typically, a signal-to-frame (parameter-to-package) mapping will be derived. In case of designing a CAN configuration, the requesting function owner receives the following parameters for consideration in ECU development:

- the name of the frame
- the transmission property (e.g. periodic)
- the frames cycle time (if relevant)

This information then becomes part of the AUTOSAR System Description.

#### 5.5.1 Main Scenario

This use case typically consists of the following steps:

- 1. The function owner specifies a signal/parameter request that (if so implemented) enables a correct operation of the function.
- 2. The network designer investigates the signal/parameter request and reviews its content for completeness and adequacy. Indications for non-adequate signal/parameter requests may be if the maximum tolerated age is smaller than the update frequency or if an update frequency of less than the period of the involved tasks is requested. In case of such irritations, the network designer and the function owner iterate until an adequate request has been identified. Related to this step are the methods listed in Table 8.36 and the properties listed in Table 8.12.
- 3. The network designer documents and files the signal/parameter request.
- 4. (in the following, the network designer will consider the signal/parameter request to find a suitable signal-to-frame (parameter-to-package) mapping and routing entry for the signal)

See also related sub-use-case: NW use-case "Integration of new communication"





Figure 5.4: SPEM process model for E2E use-case "Specify Timing Requirements for functional interfaces based on Signals/Parameters"

## 5.6 E2E use-case "Assert timing requirements against guarantees"

This use-case compares the timing properties derived by analysis of the actual design ("guarantees") to the system's specification ("requirements").

The best outcome of this use case is if the requirements are fulfilled by the guarantees. Otherwise, either requirements need to be relaxed or the guarantees have to be improved (e.g. by reconfiguration of the system).

| Goal In Context:       | Assess whether the timing of a specific implementation adheres to the timing requirements.                                                                                                                                                                        |
|------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Brief Description:     | This use case establishes the comparison of the analysis results of the actual implementation ("guarantees") to the intended behavior as specified ("requirements").                                                                                              |
| Scope:                 | ECU, NW, E2E                                                                                                                                                                                                                                                      |
| Frequency:             | Whenever timing requirements or timing guarantees change.                                                                                                                                                                                                         |
| Precondition:          | All relevant timing requirements and timing guarantees must be known, any timing requirement that has not been quantified and listed specifically will not be considered in the evaluation.                                                                       |
| Success End Condition: | It is known whether all timing requirements are fulfilled by the current imple-<br>mentation. Best outcome is if the requirements are fulfilled by the guarantees.<br>Otherwise, either requirements need to be relaxed or the guarantees have to<br>be improved. |
| Failed End Condition:  | Some timing requirements could not be asserted, possibly because the lack of corresponding timing guarantees.                                                                                                                                                     |
| Actor(s):              | Timing Engineer, Test Engineer.                                                                                                                                                                                                                                   |

#### Table 5.5: Characteristic Information of this E2E use-case



#### 5.6.1 Main Scenario

A systematic approach for this use case is depicted in figure 5.5. The following steps typically apply:

- 1. Establish known timing requirements (Task "Collect Timing Requirements"), for example according to E2E use-case "Deriving timing requirements from the timing assessment of an existing implementation".
- Establish best known guarantees provided by evaluation of the implementation according to ECU use-case "Validation of Timing" and similar procedures for network and end-to-end timing (Task "Perform Model-Based Timing Analysis" and Task "Perform Implementation-based Timing Analysis"). Related to this steps are the methods listed in Table 8.36, the generic methods described in Section 8.5 and the properties listed in Table 8.12.
- 3. The guarantees, requirements and the comparison of the two are reported (Task "Verify Timing (Requirement)").



Figure 5.5: SPEM process model for E2E use-case "Assert timing requirements against guarantees"

## 5.7 E2E use-case "Trace-based timing assessment of a distributed implementation"

Whether for understanding, debugging or verifying the timing behavior of a distributed system, tracing of the relevant buses and ECUs (hereafter referred to as subsystems) significantly simplifies timing analysis.

This is even more true if the traces from the various subsystems can be aligned (i.e. synchronized) in order to show cross-subsystem timing effects of event chains such



as cross-core communication in a multi-core system, data-buffering-effects when an ECU send/receives data to/from a communication network or even complete end-toend timing scenarios.

| Goal In Context:       | Understand, debug and verify the timing behavior of a distributed implemen-<br>tation.                                                                                                                                                                                                                                                                                                                                                                        |
|------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Brief Description:     | Tracing observes the real system. For dedicated events such as a start of a task or the presence of a certain message on a bus, time stamps together with event information is placed in a trace buffer which can later be used to reconstruct and analyze the observed scenario. For details, see Measurement and Tracing. For analyzing cross-subsystem timing effects, it becomes necessary to synchronize the traces from all of the relevant subsystems. |
| Scope:                 | E2E, ECU, NW                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| Frequency:             | Whenever timing information about the actual implementation are needed                                                                                                                                                                                                                                                                                                                                                                                        |
| Precondition:          | Existing and executable system, accessible subsystems. Tracing tools have to be in place, licensed and integrated into the system for the test engineer to use.                                                                                                                                                                                                                                                                                               |
| Success End Condition: | Tracing performed and data (=traces) ready for analysis; if necessary, traces from different subsystems (cores, ECUs, buses) are aligned, i.e. synchronized.                                                                                                                                                                                                                                                                                                  |
| Failed End Condition:  | No or not all relevant scheduling entities could be traced or traces could not be aligned (i.e. synchronized)                                                                                                                                                                                                                                                                                                                                                 |
| Actor(s):              | Timing Engineer, Test Engineer.                                                                                                                                                                                                                                                                                                                                                                                                                               |

#### Table 5.6: Characteristic Information of this E2E use-case

## 5.7.1 Main Scenario

A systematic approach for this use case is depicted in figure 5.6. The following steps typically apply:

- 1. The timing expert/test engineer prepares the measurement and the system under test (tools, software...).
- 2. The timing expert/test engineer performs a correlated (i.e. synchronized) tracing of an existing implementation of the system under consideration. See *Task Perform Implementation-based Timing Analysis* in Table 9.8. Related methods and properties are GENERIC METHOD Determine Latency, GENERIC METHOD Determine Load, GENERIC PROPERTY Latency and GENERIC PROPERTY Load.
- 3. The timing expert/test engineer checks the quality of the traces and if quality is sufficient.

See also related sub-use-cases: ECU use-case "Collect Timing Information of a SW-C", ECU use-case "Validation of Timing" and ECU use-case "Verify Timing Model(s)".





Figure 5.6: SPEM process model for E2E use-case "Trace-based timing assessment of a distributed implementation"



## 6 Timing for Networks

This chapter outlines timing use-cases related to automotive network communication. The ECU related timing aspects covered by Chapter 7 may have direct or indirect impact on the network timing.

In an automotive communication network the timing behavior is mainly described by the communication matrix which contains the communication frames/package with the protocol and timing specific parameters (e.g. payload, IDs, frame triggering parameters).

Depending on the amount of traffic to be transmitted on the network and the communication protocol, a network may or may not satisfy given timing requirements such as maximum latency of frames or a given bus load threshold. In general, the network architect must define the parameters such that the timing requirements are fulfilled.

The use-cases described in this chapter present problems and solutions related to the design of communication networks. Typical terms used in this chapter are:

- Load, see section 8.4
- Latency, see section 8.4
- Response Time, see section 8.4

## 6.1 Example

In Chapter 1, an example of a system with end-to-end timing requirements was given, see figure 1.2 on page 13. On the network, the end-to-end timing requirements are influenced by the network configuration and the scheduling of the network components, mainly buses and gateways, see figure 6.1. The use-cases in this chapter refer to this example.





Figure 6.1: Focus of this chapter: bus timing in networks

## 6.2 Overview of Network Use-cases

The network use cases cover two cases:

- 1. Introducing new communication into an existing network (which already has a stable topology)
- 2. Establishing a new communication network (where the topology is not yet defined)

Both use-cases require understanding the timing properties as a first step. A common example for such a property is the response time of a network message. Properties are defined as either a constraint or requirement as described in chapter 8.2.0.4.

Based on the identified timing properties, the timing requirements of the existing (or to be designed) network have to be collected and assessed (see figure 6.2).

Next step is to use these properties in order to build or extend a timing model. The timing model is required in order to verify the timing properties before start of implementation and to compare the implementation against the specification. Collected results from this step form the timing verification report.



This process can and should be executed iteratively to advance from verification to validation.

The detailed use-cases are listed in Table 6.1. A generic approach for adressing the use-cases and dividing them in smaller tasks is depicted in figure 6.2. For a detailed description of the tasks, please refer to chapter 9.1.



Figure 6.2: Generic SPEM process model for NW use cases

| Section | Use-case                                                  | Page |
|---------|-----------------------------------------------------------|------|
| 6.3     | NW use-case "Integration of new communication"            | 62   |
| 6.4     | NW use-case "Design and configuration of a new network"   | 64   |
| 6.5     | NW use-case "Remapping of an existing communication link" | 67   |

Table 6.1: List of network specific use-cases



Figure 6.3: Use-case Diagram: Timing Analysis for Network



## 6.3 NW use-case "Integration of new communication"

This use-case focuses on integrating new communication into an existing automotive network.

| Goar in Context:       | Feasible integration of new communication into an existing networked archi-<br>tecture.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Brief Description:     | Considering an E/E automotive architecture consisting of several ECUs con-<br>nected via buses, it is required to integrate additional communication into the<br>network, such that the legacy communication and the new communication ful-<br>fil the timing requirements. For example, the new communication is additional<br>sensor data transmitted over the network from the <i>yaw rate sensor</i> to the <i>ASA</i> -<br>ECU, as shown in figure 1.2 on page 13. The maximum latency of the new<br>sensor data on the network bus must not exceed 100ms. The buses on which<br>the new communication must be integrated may implement different commu-<br>nication protocols (e.g. CAN, LIN, Flexray, etc.). The communication on each<br>bus is specified by a communication matrix containing the PDUs/frames with<br>their protocol specific parameters and the communication behavior (timing pa-<br>rameters). |
| Scope:                 | System, System Timing                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| Frequency:             | Regular                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| Precondition:          | For the new communication following properties are defined:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
|                        | <ul> <li>The size of the communication signals (SW-C Template / GenericStruc-<br/>tureTemplate).</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
|                        | <ul> <li>The transmitter and receiver nodes / system mapping</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|                        | • The PDU/Frame timing/triggering                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
|                        | <ul> <li>Required bandwidth</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
|                        | Additionally, for the communication on the network a set of timing requirements is known:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
|                        | Maximum bus load on each bus                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|                        | • Maximum latency (e.g. response times, routing times) for each PDU/Frame                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
|                        | Furthermore, a specification of the communication paradigm for the existing<br>bus controllers is available, e.g. the CAN controller sends CAN-frames with<br>different identifiers via a queue (priority ordered or FIFO), while different in-<br>stances of the same frame are sending via a register (always send the newest<br>frame instance). It is assumed that the current network configuration satisfies<br>the timing requirements.                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| Success End Condition: | The new communication was completely defined and the timing requirements are satisfied.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| Failed End Condition:  | The new communication cannot be defined without violating at least one timing requirement                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| Actor(s):              | Timing Engineer, Network Data Engineer                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |

#### Table 6.2: Characteristic Information of NW UC "Integration of new communication"



#### 6.3.1 Main Scenario

For the sake of clarity following notations are used: the existing E/E architecture consists of several ECUs (ECU1, ECU2, etc.) connected via multiple communication buses (denoted Bus1, Bus2, etc.) and one or multiple gateways. The new communication that has to be integrated into the existing network is assigned to a distributed function denoted F. F consists of multiple Software Components (SW-Cs) which are mapped on one or multiple ECUs. Each SW-C has its own communication interfaces through which it sends or receives information, i.e. communication signals packet in PDUs/frames.

This use case typically consists of the following steps:

- 1. The network architect maps the new communication to the existing PDUs/frames according to the timing parameters defined in the specification of F and the sender-receiver relation between the SW-Cs of F.
- Depending on the links between the SW-Cs of F it might be necessary to additionally route PDUs/frames between different buses within the network. This happens when the SW-Cs of F are mapped to ECUs that are connected to different buses, e.g. on ECU1 on Bus1 and on ECU2 on Bus2, see also Task "Create Implementation".
- 3. Analysis 1: The bus load analysis describes the average use of the bus bandwidth. It therefore has to consider the additional traffic generated by the new communication. The bus load analysis must be applied to each bus affected by the new communication and requires the data size and the average timing of the PDUs/frames. The output of the analysis is the timing property GENERIC PROPERTY Load obtained with the timing method GENERIC METHOD Determine Load or specific for CAN buses the timing property SPECIFIC PROPERTY Load (CAN) obtained with the timing method SPECIFIC METHOD Determine Load (CAN). The bus load property is used to initially approve the traffic on each communication bus. The present value of the timing property load obtained for every single bus is compared to the maximum acceptable load on that bus. For typical requirements for the bus load see section 6.3.3. If the bus load exceeds the communication is not schedulable.
- 4. Analysis 2: In order to validate the network after integrating the new communication, latency requirements have to be also verified on each bus for all PDUs/frames of the legacy and of the new traffic. The latency analysis applies timing methods to compute the timing properties of the PDUs/frames under the resource sharing protocol. The results of the analysis are timing properties such as:
  - response times (including the blocking times due to arbitration) of the PDUs/frames GENERIC PROPERTY Latency obtained with the timing method GENERIC METHOD Determine Latency or specific for CAN buses the timing property SPECIFIC PROPERTY Response Time (CAN) obtained with the timing method SPECIFIC METHOD Determine Response Time (CAN) or



• the jitter of the PDUs/frames.

The values of the timing properties are compared to the defined requirements and to the previous values of the timing properties. For typical requirements of the PDU/frame response times see section 6.3.3.

5. Analysis 3: In case that the PDUs/frames associated to the new communication are routed by one or more gateways, the routing times are relevant for the end-to-end timing. The routing time analysis of the routed PDUs/frames provides the delay values due to routing engine. These usually consist of buffering delay and arbitration delay. The results of the routing time analysis are the routing response times, the blocking times due to buffering and arbitration, or the memory requirements for buffering. The values obtained for these properties are compared to the defined requirements. For typical requirements of the routing times see section 6.3.3.

## 6.3.2 Alternative Scenario

At step #1 of the main scenario, if the new communication exceeds the size of the unused space in the existing PDUs/frames, new PDUs/frames are defined according to the timing parameters of the signals. The impact of the new traffic on the existing communication must be minimized. The methodology continues with Step 2 in the Main Scenario.

#### 6.3.3 Performance/Timing Requirements

The maximum load on each bus shall not exceed a certain bound.

For each frame/PDU, the worst-case response time shall not exceed a certain bound, for example given by the timing requirements. Typically, the cycle time of the frame is used as a bound on the worst-case response time. Otherwise there is a risk for data loss.

Routing times in gateways have to be short. Typically, for each frame/PDU the routing time shall only contribute a minor part to the overall delay. The concrete value depends on the specific functional requirements.

## 6.4 NW use-case "Design and configuration of a new network"



| Goal In Context:       | Design and feasible integration of a (domain specific) network into existing automotive platform architecture. Possible variants:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
|------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|                        | <ul> <li>New design of the (on-board network) (total automotive network);</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
|                        | • Replacement of an existing partial network by a new partial network under use of unaltered legacy ECUs (beside the network connectors). This network is connected to the residual on-board network by a gateway.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| Brief Description:     | Regarding an existing E/E automotive architecture consisting of several ECUs connected via several legacy networks, it is required to design and to integrate a new designed network (e.g. our active steering example, compare see figure 1.2). The new designed network shall be connected to the residual on-board network via a gateway (for instance to the body or the infotainment domain). Therefore the intra-communication within the new network and the inter-communication between different networks have to be considered. Further, this new network shall be stable extensible in a-priori predictable way, i.e. it shall be possible to analyze the network with respect to all present and future timing requirements. The new network implements a communication protocols (e.g. CAN, LIN, Flexray, etc.) and possesses sufficient bandwidth to cover all communication matrix containing the PDUs/frames/packages with their protocol specific parameters and the communication behavior (timing parameters). |
| Scope:                 | System, System Timing                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| Frequency:             | Regular                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| Precondition:          | For the new communication following properties are defined:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
|                        | <ul> <li>The size of the communication signals (SW-C Template / GenericStruc-<br/>tureTemplate).</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
|                        | <ul> <li>The transmitter and receiver nodes / system mapping</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
|                        | <ul> <li>The PDU/frame/package timing/triggering</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
|                        | <ul> <li>Required bandwidth</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                        | <ul> <li>The residual on-board network including gateways and communication<br/>matrix</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
|                        | Additionally, a set of timing requirements is defined for the communication on the network:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
|                        | Maximum load on each network                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
|                        | <ul> <li>Maximum latency (e.g. response times, routing times) for each PDU/frame/package</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|                        | Furthermore, a specification of the communication paradigm for the existing network controllers is defined, e.g. the CAN controller sends PDUs/frames with different identifiers via a queue (priority ordered or FIFO), while different instances of the same PDU/frame are sending via a register (always send the newest PDU instance). It is assumed that the current (residual) on-board network configuration satisfies the timing requirements.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| Success End Condition: | The communication on the new (partial) network was completely defined and the timing requirements of the on-board network are satisfied.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| Failed End Condition:  | The new communication cannot be defined without violating at least one timing requirement of the on-board network.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| Actor(s):              | Timing Engineer, Network Data Engineer, E/E Architect                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |



#### Table 6.3: Characteristic Information of NW UC "Design and configuration of a new network"

#### 6.4.1 Main Scenario

This use case typically consists of the following steps:

- 1. The network architect chooses an appropriate network technology to fulfill the communication requirements of the new functions. The consequences for the residual system have to be considered because many ECUs should not be altered if possible.
- 2. The network architect defines and/or designs the connection point(s) to the residual on-board network (via transparent gateways).
- 3. The system architect connects the ECUs to the new network and partitions the functions onto these ECUs.
- 4. The network architect collects the data size and the timing requirement for the communication according Task "Collect Timing Requirements".
- 5. The network architect maps the new traffic according to the timing information and the transmitter/receiver relation.
- 6. Depending on the sender/receiver relation it might be necessary to additionally route PDUs/frame on several networks and gateways.
- 7. The network architect creates an analyzable timing model using Task "Create Timing Model".
- 8. Different types of model-based analysis Task "Perform Model-Based Timing Analysis" shall be carried out:
  - (a) Analysis 1: Load analysis determines the average and the maximum use of the network bandwidth and the input buffer of the ECUs. The load analysis must consider the total traffic on the new partial network and on the legacy on-board network as well. Thus, the result of a load analysis, which applies a timing method GENERIC METHOD Determine Load, is the timing property load GENERIC PROPERTY Load. Specifically for CAN buses, the timing method SPECIFIC METHOD Determine Load (CAN) provides as a result the timing property SPECIFIC PROPERTY Load (CAN). The timing property load is used to initially approve the chosen function mapping and architecture and if the new infrastructure is sufficient to cover the communication requirements in general. The present value of the timing property load for every single network is compared to the maximum acceptable load for this network.
  - (b) Analysis 2: A detailed latency analysis of all PDUs/frames/packages and every communication relations on the networks is necessary. A timing method



such as GENERIC METHOD Determine Latency yields timing properties such as GENERIC PROPERTY Latency and GENERIC PROPERTY Response Time or, specifically for CAN buses the timing property SPECIFIC PROPERTY Response Time (CAN) obtained with the timing method SPE-CIFIC METHOD Determine Response Time (CAN). Other timing properties such as the jitter or the blocking time are of interest and require corresponding timing methods. Every communication relation has to fulfil its corresponding latency requirement.

- (c) Analysis 3: In order to consider the ECU influence and the total communication the event chain / the routing time analysis of the PDUs/frames/package has to be considered. This leads to the new timing properties which have to be investigated, e.g. routing response times, blocking times and buffer requirements.
- 9. Optimization of the design of the new network subject to the requirement to reduce resource needs, to increase system stability and robustness and to allow easily future extensions.

## 6.4.2 Performance/Timing Requirements

The maximum load on each bus shall not exceed a certain bound.

For each frame/PDU, the worst-case response time shall not exceed a certain bound, for example given by the timing requirements. Typically, the cycle time of the frame is used as a bound on the worst-case response time.

Routing times in gateways have to be short. Typically, for each frame/PDU the routing time shall not exceed 10% of the cycle time of the frame.

## 6.5 NW use-case "Remapping of an existing communication link"

This use-case focuses on remapping an existing communication link within an existing network.

| Goal In Context:   | Validate the communication on the network after reconsidering the mapping of an existing communication link.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
|--------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Brief Description: | Assuming an E/E automotive architecture that contains ECUs connected via<br>one or more buses, it is required to remap an existing communication link<br>to a new resource within the network (e.g.mapping the motor control signal<br>from CAN to FlexRay assuming that the electric motor is directly connected to<br>FlexRay, see figure 1.2). The buses within the network may implement differ-<br>ent communication protocols (e.g. CAN, LIN, Flexray). The communication on<br>each bus is specified by a communication matrix containing the PDUs/frames<br>with their protocol specific parameters and the communication behavior (tim-<br>ing parameters, e.g. 10ms maximum latency for the motor control signal). |
| Scope:             | System, System Timing                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| Frequency:         | Regular                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |



| Precondition:          | The signals describing the communication link is known and included in the communication matrix. Additionally, for the communication on the network is defined a set of timing requirements:                                                                                                                                                                                                                                                                              |
|------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|                        | <ul> <li>Maximum bus load on each bus</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                          |
|                        | <ul> <li>Maximum latency (e.g. response times, routing times) for each com-<br/>munication frame.</li> </ul>                                                                                                                                                                                                                                                                                                                                                              |
|                        | Furthermore, the specification of the communication paradigm for the existing<br>bus controllers is available. For example, the CAN controller sends CAN mes-<br>sage frames with different identifiers via a queue (priority ordered or FIFO),<br>while different instances of the same frame are sent via a register (always<br>send the newest instance of the frame).<br>It is assumed that the current network configuration satisfies the timing re-<br>quirements. |
| Success End Condition: | The communication on the network after function remapping fulfils the timing requirements. The communication matrix needs to be updated.                                                                                                                                                                                                                                                                                                                                  |
| Failed End Condition:  | The communication on the network after function remapping cannot be de-<br>fined without violating at least one timing requirement.                                                                                                                                                                                                                                                                                                                                       |
| Actor(s):              | Timing Engineer, Network Data Engineer                                                                                                                                                                                                                                                                                                                                                                                                                                    |

#### Table 6.4: Characteristic Information of NW UC "Remapping of an existing communication link"

## 6.5.1 Main Scenario

For the sake of clarity following notations are used: the communication link to be remapped is currently assigned to Bus1. The resource that will host the communication link after remapping is denoted Bus2.

This use case typically consists of the following steps:

- 1. The network architect identifies the PDUs/frames on Bus1 assigned to the communication link. These must be transmitted on Bus2 after remapping the communication link.
- 2. The PDUs/frames assigned to the communication link and additionally required by other links on Bus1 must be routed on Bus2 after remapping the communication link to Bus2. Otherwise, in case that these PDU/frame are not required by other nodes at Bus1, one may decide to remove them from Bus1.
- 3. The PDU/frames moved or copied to Bus2 should preserve the parameters of the communication protocol defined for Bus1, in order to ensure the function compatibility with the different architecture variants.
- 4. PDUs/frames required by the communication link at Bus2 and that are not originating at Bus2 need to be routed/transmitted to Bus2.
- 5. Analysis 1: The bus load analysis describes the average use of the bus bandwidth. The analysis has to consider the additional traffic on Bus2 after remapping the communication link to Bus2. The analysis requires the data size and



the average timing of the PDUs. The output of the analysis which applies a method GENERIC METHOD Determine Load or, SPECIFIC METHOD Determine Load (CAN) for CAN buses, is the static bus load captured by a timing property GENERIC PROPERTY Load or, SPECIFIC PROPERTY Load (CAN). The bus load property is used to initially approve the traffic on Bus2. Optionally, one can carry out bus load analysis on Bus1 to determine the freed performance slack after remapping the communication link to Bus2. The value of the timing property load obtained for every single bus is compared to the maximum acceptable load on that bus. For typical requirements for the bus load see section 6.5.2. If the bus load exceeds the communication is not schedulable.

- 6. Analysis 2: In order to validate the communication on the network after remapping the communication link to Bus2, the latency requirements of the PDUs/frames on Bus2 must be verified. The latency analysis of the PDUs/frames computes the timing properties of the PDUs/frames under the resource sharing protocol. The results of the analysis, which applies a timing method GENERIC METHOD Determine Latency or SPECIFIC METHOD Determine Response Time (CAN) for CAN buses, are timing properties response times of the PDUs/frames such as GENERIC PROPERTY Latency / GENERIC PROPERTY Response Time or SPECIFIC PROPERTY Response Time (CAN) in case of CAN buses. Other timing properties such as the jitter of the PDUs/frames or the blocking times due to arbitration are of interest and require corresponding timing methods. The values of the timing properties are compared to the specified requirements. For typical requirements of the PDU/frame response times see section 6.5.2.
- 7. Analysis 3: In case that the PDUs/frames required at Bus2 are routed by one or more gateways, the routing times are relevant for the end-to-end timing. The routing time analysis of the routed PDUs/frames provides the delay values due to routing engine. These usually consist of buffering delay and arbitration delay. The results of the routing time analysis are the routing response times, the blocking times due to buffering and arbitration, or the memory requirements for buffering. The values obtained for these properties are compared to the specified requirements. For typical requirements of routing times see section 6.5.2.

## 6.5.2 Performance/Timing Requirements

The maximum load on each bus shall not exceed a certain bound.

For each frame/PDU, the worst-case response time shall not exceed a certain bound, for example given by the timing requirements. Typically, the cycle time of the frame is used as a bound on the worst-case response time.

Routing times in gateways have to be short. Typically, for each frame/PDU the routing time shall not exceed for example 10% of the cycle time of the frame.



## 7 Timing for SW-Integration on ECU Level

This chapter outlines use-cases relevant for software integration into a single ECU with respect to timing issues. Network related aspects are covered by chapter 6 and have only an indirect impact on the timing on the ECU level. On the ECU level, the scheduling of tasks and interrupts together with the execution times of the various code fragments define the timing behavior of the overall software for this specific ECU. Depending on the scheduling and the execution times, given deadlines are met or missed. The use-cases in this chapter help to solve problems or tasks which are related to scheduling and/or execution times.

Although speaking of "ECU-level", it is important to bear in mind a single ECU can come with multiple processors each of which comes with its own scheduling. Even multiple cores on one processor are seen more and more often [13]. However, the principles in this chapter still remain valid and can be reflected on each "scheduling entity" (=core).

Typical terms used in this chapter are:

- Execution Time (e.g.: CET, BCET, WCET..), see section 2.1 and 8.4.
- CPU-Load , see section 8.4.
- Interrupt Load, see section 8.4.
- Response Time, see section 8.4.
- Latency, see section 8.4.

## 7.1 Example

In the introduction a top-level-example for timing is given in figure 1.2 on page 13. The ECU-level deals with a fragment of the top-level-example, namely the scheduling aspects and code execution aspects of the ECUs involved, see figure 7.1. The use-cases of this chapter will refer to this example.





Figure 7.1: Focus of this chapter: scheduling and code execution time inside ECUs

## 7.2 Overview of ECU Use-cases

This chapter describes the use-cases listed in Table 7.1. Figure 7.2 gives an overview.

| Section | Use-case                                             | Page |
|---------|------------------------------------------------------|------|
| 7.3     | ECU use-case "Create Timing Model of the entire ECU" | 73   |
| 7.4     | ECU use-case "Collect Timing Information of a SW-C"  | 75   |
| 7.5     | ECU use-case "Validation of Timing"                  | 77   |
| 7.6     | ECU use-case "Debug Timing"                          | 79   |
| 7.7     | ECU use-case "Optimize Timing of an ECU"             | 81   |
| 7.8     | ECU use-case "Optimize Scheduling"                   | 83   |
| 7.9     | ECU use-case "Optimize Code"                         | 84   |
| 7.10    | ECU use-case "Verify Timing Model(s)"                | 85   |





Figure 7.2: Use-case Diagram: Timing Analysis for ECU

## 7.2.1 Assumptions

If not otherwise stated the following assumptions hold true for all use-cases described in this chapter:

1. The ECU Extract for a specific ECU is available including the ECU Extract content for System Timing.


- 2. The VFB View (SW-C Template, hierarchy of SW-Cs) of all SW-Cs mapped onto the specific ECU is available.
- 3. SW-C descriptions are available
- 4. The interaction takes place between one OEM and one tier1 supplier
- 5. All SW-Cs including C source code and object files are available.
- 6. All required BSW modules are available including C source code, object files and ECU configuration.
- 7. RTE can be generated
- 8. The contents of this chapter deal solely with the subject matter timing analysis. The assumption made is that any "system" subject to timing analysis is valid from the functional point of view.

Different phases/use-cases in the development of a vehicle system shall be considered, which are described in the following subsections.

# 7.3 ECU use-case "Create Timing Model of the entire ECU"

This section describes how to generate a timing model for a complete ECU. The difficulties to describe the use-case in a unique manner are justified by the fact that since the OEM and the Tier1 use different abstraction levels and semantics, their views on this use-case differ. Especially if they work during different phases in the development process, this effect is reinforced.

Nevertheless, some basic assumptions are valid for all levels of granularity and all development phases.

In the context of the example shown in figure 7.1 on page 71, the creation of timing model means to build up an abstract representation of the timing behavior of the ECU as the system under observation.

As a matter of fact, the creation of a timing model of the entire ECU is one of the important steps to gain a complete system understanding. All other use cases can be seen as somehow connected use-cases, since the existence of a timing model is a precondition in order to execute the steps in other use-cases.

A timing model of an ECU collects all timing data such as timing requirements (Task "Collect Timing Requirements"), timing measurements (SPECIFIC PROPERTY Execution Time, GENERIC PROPERTY Latency) and also timing relevant configuration data (such as RTE or BSW configuration) and can be used in other use-cases as well. Or in other words: Without the existence of a timing model it is hardly possible to handle the following use-cases.



Depending on the development phase, the timing model can be based mainly on assumptions and requirements (requirement timing model) or mainly based on measurements and existing configuration information. Ideally, both views are accessible in one model.

# 7.3.1 Characteristic Information

| Goal In Context:       | Collect all relevant timing information for a selected ECU or rather timing model                                            |
|------------------------|------------------------------------------------------------------------------------------------------------------------------|
| Brief Description:     | Collect all relevant timing information for an ECU and create a                                                              |
|                        | timing model of the entire ECU                                                                                               |
| Scope:                 | ECU                                                                                                                          |
| Frequency:             | On request                                                                                                                   |
| Precondition:          | Knowledge about basic functionality of the ECU and basic un-<br>derstanding about the functional requirements of the ECU and |
|                        | the application domain                                                                                                       |
| Success End Condition: | Valid timing information                                                                                                     |
| Failed End Condition:  | n.a.                                                                                                                         |
| Actor(s):              | Function Engineer, Software Architect, Timing Engineer                                                                       |

#### Table 7.2: Characteristic Information of ECU UC "Create Timing Model of the entire ECU"

#### 7.3.2 Main Scenario

A systematic approach for this use case is depicted in figure 7.3. The following steps typically apply:

- 1. The ECU responsible person collects all available timing data for the specific ECU (Task "Collect Timing Requirements", SPECIFIC PROPERTY Execution Time).
- 2. Checking of the collected data.
- 3. Add the retrieved timing data to timing model (Task "Create Timing Model").
- 4. The use-case ends with ECU timing model. The timing information will be usable for further work, e.g. Task "Perform Model-Based Timing Analysis".



# Figure 7.3: SPEM process model for ECU use-case "Create Timing Model of the entire ECU"

An appropriate tool chain is required. Such a tool chain must be able to import and export the artifacts generated from different tools during the complete development cycle.



## 7.3.3 Alternative Scenario

Due to the different levels of granularity and different phases different scenario extensions are possible. In concrete cases the timing expert must choose the matching scenario.

# 7.4 ECU use-case "Collect Timing Information of a SW-C"

In section 7.3, the creation of a timing model is described. Collecting timing information is required in order to build up a timing model. In this use-case, collecting timing information of a specific SW-C is described. For the example shown in figure 7.1 on page 71, this could mean getting information about a specific SW-C inside the ECU "ASA", e.g. its maximum execution time (SPECIFIC PROPERTY Execution Time).

## 7.4.1 Characteristic Information

| Goal In Context:       | Collect all relevant timing information a selected SW-C |
|------------------------|---------------------------------------------------------|
| Brief Description:     | Collect all relevant timing information for a SW-C      |
| Scope:                 | SW-C for a specific target                              |
| Frequency:             | On request                                              |
| Precondition:          | Knowledge about basic functionality of the SW-C         |
| Success End Condition: | Valid timing information                                |
| Failed End Condition:  | n.a.                                                    |
| Actor(s):              | Software Architect                                      |

 Table 7.3: Characteristic Information of ECU UC "Collect Timing Information of a SW Component"

#### 7.4.2 Main Scenario

A systematic approach for this use case is depicted in figure 7.4. The following steps typically apply:

- 1. The use-case begins when the responsible SW-C person begins the collection of timing information which is usually triggered by the request of the ECU Integrator
- 2. The SW-C responsible person collects all available timing data for the specific SW-C and collects them in a timing model for SW-C scope.
  - Some estimation about previous and similar project, methods, see section 8.5
  - Runtime measurements on runnable level and below, methods, such as Processor-In-The-Loop Simulation (PIL) or Static Worst Case Execution Time Analysis see section 8.5



- Timing requirements for this SW-C (Task "Collect Timing Requirements") based on functional requirements, for instance
  - Trigger events
  - Latencies
  - Jitters
  - Execution orders
  - Relations to safety-relevant requirements
- The following methods can be used to collect relevant properties (e.g. GENERIC PROPERTY Load, Interrupt Load, SPECIFIC PROPERTY Execution Time, GENERIC METHOD Determine Latency)
  - Tracing
  - Scheduling Analysis
  - Scheduling Simulation
- 3. Add retrieved timing data to timing model (part of Task "Create Timing Model").
- 4. The use-case ends with SW-C timing information. The timing information will be usable for SW-C integration in the overall system.



Figure 7.4: SPEM process model for ECU use-case "Collect Timing Information of a SW-C"

# 7.4.3 Alternative #1 Scenario

At step #2 of the main scenario the sub-steps can be carried out in arbitrary order or might be skipped. The justification for skipping can be missing information at this specific phase in time.



# 7.5 ECU use-case "Validation of Timing"

In this use case the objective is that this system satisfies a given set of timing constraints, for example "from sensor to actuator".

# 7.5.1 Characteristic Information

| Goal In Context:       | Validate the timing of a defined system                                                                                                                                                                                                                                                               |
|------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Brief Description:     | Validate the timing to ensure the functionality of the system and<br>that all given timing constraints are fulfilled. The validation of the<br>timing can be conducted via various timing analysis methodolo-<br>gies, e.g.:                                                                          |
|                        | <ul> <li>response time analysis</li> </ul>                                                                                                                                                                                                                                                            |
|                        | <ul> <li>schedulability analysis</li> </ul>                                                                                                                                                                                                                                                           |
|                        | <ul> <li>runtime measurement comparison</li> </ul>                                                                                                                                                                                                                                                    |
|                        | The selection of timing analysis method depends on the de-<br>manded level of accuracy and the type of timing constraint that<br>should be verified. The timing model, describing the necessary<br>timing behavior of a functionality, can vary as well depending on<br>the system model granularity. |
| Scope:                 | ECU                                                                                                                                                                                                                                                                                                   |
| Frequency:             | Whenever the decision has been taken to validate the timing of<br>the existing system. Exemplary triggers to start the timing valida-<br>tion can be:                                                                                                                                                 |
|                        | <ul> <li>adding, removing or modifying the SW-C to ECU mapping</li> </ul>                                                                                                                                                                                                                             |
|                        | <ul> <li>modification of the internal behavior of a SW-C</li> </ul>                                                                                                                                                                                                                                   |
|                        | <ul> <li>reconfiguration of the system schedule e.g. changing process priorities</li> </ul>                                                                                                                                                                                                           |
|                        | <ul> <li>updating the bus communication further information in<br/>chapter 6</li> </ul>                                                                                                                                                                                                               |
| Precondition:          | The following preconditions must be fulfilled to execute the de-<br>scribed use-case on the level of ECU:                                                                                                                                                                                             |
|                        | <ul> <li>The mapping of runnable entities to task, RTE and OS configuration are available and valid.</li> </ul>                                                                                                                                                                                       |
|                        | <ul> <li>The SW-Cs that are mapped to the ECU which is the sub-<br/>ject of timing analysis.</li> </ul>                                                                                                                                                                                               |
|                        | <ul> <li>Definition of relevant timing constraints, which should be satisfied.</li> </ul>                                                                                                                                                                                                             |
|                        | <ul> <li>Timing model adapted to the granularity of the available system model.</li> </ul>                                                                                                                                                                                                            |
| Success End Condition: | Timing analysis indicates that the timing constraints are fulfilled in                                                                                                                                                                                                                                |
|                        | all system states. All relevant documentation has been updated.                                                                                                                                                                                                                                       |



| Failed End Condition: | Neither of the applied timing analysis methodologies indicate that<br>all timing constraint are satisfied. Timing measurement compari-<br>son indicates that at least one timing constraint is violated. |
|-----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Actor(s):             | ECU Integrator, Timing Engineer                                                                                                                                                                          |

#### Table 7.4: Characteristic Information of ECU UC "Validation of timing"

# 7.5.2 Main Scenario

A systematic approach for this use case is depicted in figure 7.5. The following steps typically apply:

- 1. The use-case begins with the decision to execute Task "Perform Model-Based Timing Analysis" or Task "Perform Implementation-based Timing Analysis" for a specific system. This is usually done after modifying the SW-C behavior or changing the system configuration.
- 2. The actor of the UC conducts timing analysis as described in section 8.5
- 3. The actor executes the Task "Verify Timing (Requirement)" and concludes whether all timing constraints are fulfilled (e.g GENERIC PROPERTY Load, SPE-CIFIC PROPERTY Execution Time, GENERIC METHOD Determine Latency, Interrupt Load) or at least one is violated.
- 4. If all constraints are fulfilled, the actor approves the work products as valid. Approved work products are:
  - the 9.10 and 9.10
  - the model of the analyzed system
  - the 9.10

In case at least one constraint is violated, the typical procedure is described in ECU use-case "Debug Timing".



Figure 7.5: SPEM process model for ECU use-case "Validation of Timing"



# 7.6 ECU use-case "Debug Timing"

Whenever an ECU shows sporadic system crashes, data inconsistencies or unexpected overload scenarios, delays or jitters, a timing issue could be the cause of the problem. Tracking the problem down with conventional debug methods can be very painful and time consuming. This is also true even if a certain problem is very obviously related to timing.

Before any problem can be *solved*, it has to be understood. This is what timing debugging is about: understanding a timing problem that is present on a real ECU. Once the problem is understood, the solution finding and solving follows, see section 7.7 ECU use-case "Optimize Timing of an ECU" on page 81. This use-case focuses on debugging the timing of a single ECU, e.g. the ASA shown in figure 7.1 on page 71.

| Goal In Context:       | Understand a (timing) problem and isolate the cause of the prob-                                                          |
|------------------------|---------------------------------------------------------------------------------------------------------------------------|
|                        | lem.                                                                                                                      |
| Brief Description:     | Using dedicated timing debugging methods (see chapter 8), de-                                                             |
|                        | bug a problem and find out, if it is a timing problem. If so, track                                                       |
|                        | down the cause of the problem so that it is completely under-                                                             |
|                        | stood. This makes solving the problem possible in a next step.                                                            |
| Scope:                 | ECU                                                                                                                       |
| Frequency:             | Whenever a not trivial problem is detected in the ECU.                                                                    |
| Precondition:          | A running system                                                                                                          |
| Success End Condition: | Problem understood, cause of the problem isolated. Artifacts: set                                                         |
|                        | of test conditions that can reproduce the problem, documentation                                                          |
|                        | describing the problem, e.g. schedule traces                                                                              |
| Failed End Condition:  |                                                                                                                           |
|                        | <ul> <li>problem not understood or</li> </ul>                                                                             |
|                        | <ul> <li>problem is not caused by faulty timing or</li> </ul>                                                             |
|                        | <ul> <li>problem is not reproducible or based on the data of previous occurrences not sufficiently analyzable.</li> </ul> |
| Actor(s):              | Timing Engineer, ECU Integrator                                                                                           |

# 7.6.1 Characteristic Information

#### Table 7.5: Characteristic Information of ECU UC "Debug Timing"

# 7.6.2 Main Scenario

A systematic approach for this use case is depicted in figure 7.6. The following steps typically apply:

- 1. The use-case begins when the actor is confronted with a timing problem or a problem that directly affects the timing behavior on a real ECU (Task "Create Implementation").
- 2. Set up a test environment in which timing debugging can take place.



- (a) If the failure cause can be provoked in a reliable manner use the real system for timing debugging (step 4).
- (b) If it can't an iterative approach is necessary:
  - Obtain as much information about the environment and circumstances of the timing problem from the original reporter, e.g. log files, telemetry, HW and SW data sheets.
  - Build a test setup and define the set of test conditions based on this information.
  - Run tests to provoke the failure cause. If this succeeds, continue with step 4.
  - If the failure cause could not (yet) be provoked, get more information from the original reporter.
  - Analyze and minimize the differences between your test setup and the real environment in which the timing problem occured.
  - If time, money or other budgets for the analysis are depleted exit the use case and either report 'could not reproduce (CNR)' or continue with step 3 (not recommended).
  - Otherwise continue with step 'Run tests to provoke the failure cause'.
- 3. If the iterative approach fails but CNR is not accepted by one or more stakeholders create theoretical failure models using the data of previous occurrences (Task "Perform Implementation-based Timing Analysis") and techniques like Ishikawa diagrams (also called fishbone diagrams). This approach incurs a huge amount of work and little focus on the (as yet unknown) failure cause. It should be considered a last resort if CNR is not acceptable.
- 4. Debug and analyse the timing behavior to identify the cause of the problem. Dedicated timing analysis methods (e.g. trace-based, see Task "Perform Implementation-based Timing Analysis") and section 8.5) can be used for this purpose.
- 5. Isolate the problem.
- 6. In a next step, the problem can be fixed using the set of test conditions that can reproduce the failure (see ECU use-case "Optimize Timing of an ECU").





Figure 7.6: SPEM process model for ECU use-case "Debug Timing"

# 7.7 ECU use-case "Optimize Timing of an ECU"

The main idea behind this use-case is to optimize the timing behavior of a working ECU. Sometimes the resource consumption is higher than expected or it is required to integrate further SW-C into the ECU. Optimization is also requiered if timing problems have been identified and now need to be patched.

Different performance key indicators are possible:

- load balancing (distribute load on time axis, load balancing over different cores)
- minimize systematically response times, jitters etc.
- reduce number of preemptions (and thus reduce OS overhead)
- reduce number of migration (and thus reduce migration overhead)
- reduce resource consumption (inter-core communication, memory (buffer sizes), load)
- reduce number of scheduling interrupts
- reduce waiting times

See also chapter timing properties 8.

Sub-use-case(s): ECU use-case "Optimize Scheduling" and ECU use-case "Optimize Code".

# 7.7.1 Characteristic Information

| Goal In Context: | Remove timing violations (optimize resource consumption, data |
|------------------|---------------------------------------------------------------|
|                  | consistency, reduce jitter,) or minimize resource consumption |



| Brief Description:     | Based on timing requirements, while taking all timing constraints                                                                                    |
|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|
|                        | into account the overall timing architecture for an ECU is opti-                                                                                     |
|                        | mized                                                                                                                                                |
| Scope:                 | ECU                                                                                                                                                  |
| Frequency:             | Whenever a timing violation is detected in the ECU, an additional                                                                                    |
|                        | functionality is added/expected or existing functionality is modi-                                                                                   |
|                        | fied                                                                                                                                                 |
| Precondition:          | A running system and/or ideally a useful system description (timing-model)                                                                           |
| Success End Condition: | Found a better solution which fulfills all timing and resource re-<br>quirements (even with additional functionality if applicable). Arti-<br>facts: |
|                        | New Schedule                                                                                                                                         |
|                        | Updated Timing model                                                                                                                                 |
|                        | Optimized code                                                                                                                                       |
|                        | New memory layout                                                                                                                                    |
|                        | New code generator options                                                                                                                           |
|                        | New compiler options                                                                                                                                 |
| Failed End Condition:  | No solution found                                                                                                                                    |
| Actor(s):              | Timing Engineer, ECU Integrator                                                                                                                      |

#### Table 7.6: Characteristic Information of ECU UC "Optimize Timing of an ECU"

# 7.7.2 Main Scenario

A systematic approach for this use case is depicted in figure 7.7. The following steps typically apply:

- 1. The use-case begins when the main-actor becomes aware of timing violations or the need to add more functionality into an already heavily loaded system. This can be conducted after executing Task "Perform Implementation-based Timing Analysis" and Task "Verify Timing (Requirement)".
- 2. Analyze the current system (validate the timing of the system, see ECU use-case "Debug Timing") and find hot-spots . These are situations in the schedule, where either timing requirements or resource consumption constraints are violated already or would be if more load was added.
- 3. Definition of the optimization goal(s) on a per hot-spot basis.
- 4. Analysis of available options in order to relax the hot-spots. These options can include modification of the scheduling configuration by ECU use-case "Optimize Scheduling" (including the runnable to task mapping, the runnable sequence/order inside tasks, the allocation of task to different cores, the partitioning of tasks into smaller entities for load balancing, the change of priorities/offsets/recurrences of task) and/or code optimization in ECU use-case "Optimize Code" (including the re-mapping of data to memory). For each option, continue with the corresponding sub-use-case.



- 5. The actor performs a trade-off analysis to weight the different possibilities for the optimization of the timing and its impact on the system
- 6. The actor decides for a modification and changes the timing-model/the code of the system
- 7. The actor validates the timing of the ECU by doing Task "Verify Timing (Requirement)"



8. Verification against optimization goal

Figure 7.7: SPEM process model for ECU use-case "Optimize Timing of an ECU"

# 7.8 ECU use-case "Optimize Scheduling"

The main idea behind this use-case is the optimization of an existing schedule of a working ECU with a defined goal such as "remove local overload" or "reduce response time of task xyz".

# 7.8.1 Characteristic Information

| Goal In Context:       | Fulfill predefined optimization goal                                 |
|------------------------|----------------------------------------------------------------------|
| Brief Description:     | Find a modified schedule configuration which fulfills the goal with- |
|                        | out causing new timing violations or violates resource constraints   |
| Scope:                 | ECU                                                                  |
| Frequency:             | Whenever a timing violation is detected in the ECU, an additional    |
|                        | functionality is added/expected or existing functionality is modi-   |
|                        | fied                                                                 |
| Precondition:          | A running system and/or ideally a useful system description          |
|                        | (timing-model)                                                       |
| Success End Condition: | Found a modified schedule configuration which fulfills the goal      |
|                        | without causing new timing violations. Artifacts:                    |
|                        | • New Schedule, better than the original schedules with re-          |
|                        | spect to a specific timing properties, see chapter 8.4               |
|                        | Updated Timing model                                                 |
|                        |                                                                      |



| Failed End Condition: | No solution found               |
|-----------------------|---------------------------------|
| Actor(s):             | Timing Engineer, ECU Integrator |

#### Table 7.7: Characteristic Information of ECU UC "Optimize Scheduling"

## 7.8.2 Main Scenario

This use-case typically consists of the following steps:

- 1. The use-case begins when the actor is confronted with a certain optimization goal regarding the scheduling
- Analysis of available options e.g. modification of the runnable to task mapping, the runnable sequence/order inside tasks, the allocation of task to different cores, the partitioning of tasks into smaller entities for load balancing, the change of priorities/offsets/recurrences of task (Task "Perform Model-Based Timing Analysis" or Task "Perform Implementation-based Timing Analysis")
- 3. The actor performs a trade-off analysis to weight the different possibilities for the optimization of the schedule and its impact on the system (Task "Verify Timing (Requirement)")
- 4. The actor decides for a solution and modifies the timing-model/code of the system.
- 5. The actor validates the timing of the ECU by conducting response time analysis, scheduling analysis or measurements ((Task "Perform Model-Based Timing Analysis" or Task "Perform Implementation-based Timing Analysis")
- 6. Verification against optimization goal (Task "Verify Timing (Requirement)")

# 7.9 ECU use-case "Optimize Code"

Since the code and the deployment of code has a huge impact on timing, different optimization activities can be performed. The scope of the optimization can be different (memory, run-time, safety, re-usability, easy to understand, etc.), however in the scope of this document, the optimization scope is limited to timing effects. But it has to take into account, that such timing optimization influence other aspects of the system, such as memory or reusability and that such optimization is constrained by safety or security aspects

# 7.9.1 Characteristic Information

| Goal In Context:   | Optimize the code with respect to timing. Typically: minimize the WCET, the average execution time or both. |
|--------------------|-------------------------------------------------------------------------------------------------------------|
| Brief Description: | Based on timing requirements optimize the overall timing archi-<br>tecture for an ECU                       |



| Scope:                 | ECU                                                              |
|------------------------|------------------------------------------------------------------|
| Frequency:             | Whenever a timing optimization in the ECU is needed.             |
| Precondition:          | Code available (ideally compilable, linkable and executable on   |
|                        | the target platform)                                             |
| Success End Condition: | Found a better code whith respect to timing. Possible artifacts: |
|                        | Optimized code                                                   |
|                        | New memory layout                                                |
|                        | New code generator options                                       |
|                        | New compiler options                                             |
|                        |                                                                  |
| Failed End Condition:  | No solution found                                                |
| Actor(s):              | Software Component Developer                                     |

Table 7.8: Characteristic Information of ECU UC "Optimize Code"

# 7.9.2 Main Scenario

This use-case typically consists of the following steps:

- 1. The use-case begins when the actor determines to optimize a certain code fragment (a task, an interrupt, a runnable, a function or part of a function) usually after doing either Task "Perform Model-Based Timing Analysis" or Task "Perform Implementation-based Timing Analysis"
- 2. Definition of optimization goals, e.g. reduction of core execution time, reduction of time spent under interrupt lock
- 3. Analysis of available options, e.g. different compiler options, code refactoring or implementing a different algorithm
- 4. Modification, pick at least one of the options and implement it
- 5. Verification of the functional behavior, e.g. run unit test
- 6. Verification against optimization goal by executing Task "Perform Implementationbased Timing Analysis"

# 7.10 ECU use-case "Verify Timing Model(s)"

Any model based design or verification process must undergo a model check to make sure, the model represents reality with respect to the relevant properties.

Example 1: a perfect static code analysis tool for WCET calculation on code level can easily produce wrong results (false positives!) when not configured correctly.

Example 2: a perfect static scheduling analysis tool for WCRT calculation on ECU level can easily produce wrong results (false positives!) when the real ECU suffers an operating system bug.



In both examples, the models and the model based algorithms might be absolutely correct but still they produce false positive results. In other words: a software might pass model based verification and still show drastic timing defects.

# 7.10.1 Characteristic Information

| Goal In Context:       | Verify that a model based method reflects the real system with respect to the relevant properties. |
|------------------------|----------------------------------------------------------------------------------------------------|
| Brief Description:     | Based on methods which profile the behavior of the real ECU/the                                    |
|                        | real code, the results of the model based approach gets cross-                                     |
|                        | checked.                                                                                           |
| Scope:                 | ECU or code                                                                                        |
| Frequency:             | Once model based approaches are added while the real sys-                                          |
|                        | tem is available or when the real system becomes available and                                     |
|                        | model based approaches are used already. Afterwards, the cross                                     |
|                        | check should be done again at least for major software releases                                    |
|                        | of the system's software.                                                                          |
| Precondition:          | A running system or executable code or code fragments                                              |
| Success End Condition: | A comparison of measured/traced timing properties with the tim-                                    |
|                        | ing properties provided by the model based approach shows the                                      |
|                        | model based approach generates plausible results.                                                  |
| Failed End Condition:  | Measurement/tracing uncovered timing behavior beyond the                                           |
|                        | worst case results proclaimed by the model based approach.                                         |
| Actor(s):              | Timing Engineer                                                                                    |

#### Table 7.9: Characteristic Information of ECU UC "Verify Timing Model(s)"

#### 7.10.2 Main Scenario

This use-case typically consists of the following steps:

- 1. The use-case begins when model based approaches become available and the real system is or becomes available. Typically, this will happen in either of two set-ups: for an existing system, model based approaches are added or model based approaches are used in an early development phase and the (real) system becomes available.
- 2. Produce the timing properties with the model based approach, e.g. WCET or WCRT, see also Task "Perform Model-Based Timing Analysis"
- 3. Measure or trace the comparable timing properties with the real system, e.g. max. CET or max. RT, see also Task "Perform Implementation-based Timing Analysis"
- 4. Compare the model based results with the measured or traced results. All the "worst case" results produced by the model based approaches must be "worse" than the observed results. For comparing timing properties, see also Task "Verify Timing (Requirement)".



- 5. The use-case ends. However, this approach cannot guarantee the correctness of the model, because the test vectors the measurements were based on were not covering a case which would have uncovered a problem with the model. But at least it provides an additional and very important check.
- 6. Methods: see section 8.5
  - Tracing
  - PIL

**AUTOSAR** 

# 8 **Properties and Methods for Timing Analysis**

# 8.1 General Introduction

This section describes the general relations between timing use-cases (see chapters 4, 5, 6 and 7) and timing tasks (9). The timing properties and the timing methods are specified in details in this chapter.

The timing use-cases (for example section 6.4) presented in the former chapters (related to function level, ECU, network, or end-to-end views) usually consist of several smaller steps (listed under "main scenario" in each use case). Some of these steps are fundamentally related to timing and reappear in several use cases. We call these steps "timing related tasks" and outline them in more detail in Section 9.1.

One particularly important timing-related task is *Perform Timing Analysis*, which can be performed based on the design configuration (as in Task "Perform Model-Based Timing Analysis") or based on an observation of the actual implementation (as in Task "Perform Implementation-based Timing Analysis"). These timing related task can again comprise a "timing method" (see Section 8.5, which specifies in more detail how to solve this task, i.e. through simulation or static analysis.

The inputs (e.g. "the communication matrix" or "measured core execution times") for the timing methods arise from the system specification or from observing the real system. Some of the methods deliver timing properties as an output (e.g. "worst case response time of the transmitted message") which can be evaluated against timing constraints (for example the function may require that the frame transmission is completed in less than 10ms) during the timing task Task "Verify Timing (Requirement)".

Important, but out of scope in this document is the implementation of timing methods and timing properties in tools. The approach and the timing terminology are illustrated in Figure 8.1 and 8.2.

Also important, but out of scope in this document is the concept of Logical Execution Time (LET). If an application uses the LET paradigm, each Executable Entity - which shall execute within a LET interval - has to be mapped with help of TIMEX [2] correspondingly. Further, timing analysis techniques have to be employed to ensure that all Executable Entities - which are mapped to a LET interval - terminate within the LET interval.





Figure 8.1: Illustration of hierarchy between use cases, timing properties, and timing methods (and related sections).



Figure 8.2: The interplay between different timing methods, timing properties and constraints



# 8.1.1 AUTOSAR Classic Platform Operating System

## 8.1.1.1 OSEK/AUTOSAR CP OS task states

AUTOSAR OS uses the scheduling concept as defined by OSEK (see "Operating System Specification 2.2.3" for details). OSEK defines task-states for two different conformance classes, BCC (Basic Conformance Class) and ECC (Extended Conformance Class). The corresponding task-state diagrams are shown in figures 8.3 and 8.4.



Figure 8.3: Task states and transitions as defined by AUTOSAR OS BCC



Figure 8.4: Task states and transitions as defined by AUTOSAR OS ECC

# 8.1.1.2 Timing parameters

Figure 8.5 shows the principle timing parameters of a task that determine its real-time behavior within a system and table 8.1.1.2 defines the symbols used. Note that the color used to indicate a task's current state at a given point in time corresponds to the color used for this state in figure 8.4.





Figure 8.5: Timing parameters visualised in a trace (all related to TASK B)

| ID | Abr. | Name                                              | Description                                 |  |  |  |  |  |
|----|------|---------------------------------------------------|---------------------------------------------|--|--|--|--|--|
| 1  | IPT  | initial pending time                              | from activation to start                    |  |  |  |  |  |
| 2  | CET  | core execution time                               | execution time not including any pre-       |  |  |  |  |  |
|    |      | (computation time)                                | emptions or "waiting" time                  |  |  |  |  |  |
| 3  | GET  | gross execution time                              | execution time including all preemp-        |  |  |  |  |  |
|    |      |                                                   | tions and "waiting" time                    |  |  |  |  |  |
| 4  | RT   | response time                                     | from activation to termination              |  |  |  |  |  |
| 5  | DL   | dead line                                         | max. allowed response time                  |  |  |  |  |  |
| 6  | DT   | delta time                                        | from start to start ("measured period")     |  |  |  |  |  |
| 7  | PER  | period                                            | from activation to activation (period not   |  |  |  |  |  |
|    |      |                                                   | as measured but as configured)              |  |  |  |  |  |
| 8  | ST   | slack time "remaining" run-time: from termination |                                             |  |  |  |  |  |
|    |      |                                                   | to activation (tasks) or start (interrupts) |  |  |  |  |  |
| 9  | NST  | net slack time                                    | "potential additional" run-time: the ST     |  |  |  |  |  |
|    |      |                                                   | minus all CET blocks of any TASKs or        |  |  |  |  |  |
|    |      |                                                   | ISRs with higher priority during the ST     |  |  |  |  |  |
| 10 | JIT  | jitter                                            | deviation of delta time from period (not    |  |  |  |  |  |
|    |      |                                                   | shown in the figure)                        |  |  |  |  |  |
| 11 | PRE  | Preemption time                                   | time a task is preemted by higher pri-      |  |  |  |  |  |
|    |      |                                                   | ority task(s) (not shown in the figure)     |  |  |  |  |  |
| 12 | CPU  | CPU load                                          | fraction of CPU time spent non-             |  |  |  |  |  |
|    |      |                                                   | idle (usually reported in percent) (not     |  |  |  |  |  |
|    |      |                                                   | shown in the figure)                        |  |  |  |  |  |

## **Timing information**



# 8.1.1.3 Comments on AUTOSAR OS ECC

Typically, AUTOSAR OS tasks get started and then terminate at some point in time. This is absolutely mandatory for tasks of the AUTOSAR OS basic conformance class (BCC) and should also be the case for AUTOSAR OS extended conformance class (ECC) tasks.

However, there *are* set-ups with tasks that do *not* terminate but rather loop, using WaitEvent for scheduling. This is often true for RTE tasks being generated by the RTE configuration environment. See listing 8.1 for an example. Rather than having two periodical BCC tasks – e.g. Main\_Task\_5ms calling CanTp\_MainFunction and CanXcp\_MainFunction as well as Main\_Task\_10ms calling CanNm\_MainFunction and CanSM\_MainFunction – the RTE configurator generates a non terminating ECC task and adds a second level of scheduling being controlled by WaitEvent and SetEvent.

#### Listing 8.1: Non terminating ECC task using events for scheduling

```
1 TASK(Main_Task)
2 {
3
     EventMaskType ev;
4
     for(;;)
5
6
     {
       (void)WaitEvent( Rte_Ev_Cyclic2_Main_Task_0_10ms |
7
                            Rte_Ev_Cyclic2_Main_Task_0_5ms
                                                                   );
8
9
       (void)GetEvent(Main_Task, &ev);
10
11
12
       (void)ClearEvent(ev & ( Rte_Ev_Cyclic2_Main_Task_0_10ms |
                                 Rte_Ev_Cyclic2_Main_Task_0_5ms
                                                                       ));
13
14
       if ((ev & Rte_Ev_Cyclic2_Main_Task_0_10ms) != (EventMaskType)0)
15
16
       {
         CanNm MainFunction();
17
         CanSM_MainFunction();
18
19
       }
20
       if ((ev & Rte_Ev_Cyclic2_Main_Task_0_5ms) != (EventMaskType)0)
21
22
       {
         CanTp_MainFunction();
23
         CanXcp_MainFunction();
24
       }
25
26 }
```

We will not elaborate on all the disadvantages of this approach at this point but we have to address non-terminating ECC tasks and allow timing analysis also for this case. The previous definition of the CET e.g. fails. For terminating tasks (BCC as well as ECC), the CET was defined as the sum of all "running" states between the start and the termination of the task. Obviously, the CET becomes infinite if the task does not terminate.

Figure 8.6 resembles figure 8.5 but now Task B is a non-terminating ECC task. Whoever implemented the task would expect the timing properties to be computed for



one "round" of the endless-loop. The gap between two subsequent rounds reflects a pseudo suspended state for Task B and thus is visualized with transparency added to the waiting state in figure 8.6.

Since the loop might include the usage of "regular" events, we now have to distinguish such "regular" events and their corresponding WaitEvent call from the events used for scheduling and *their* corresponding WaitEvent call.



Figure 8.6: Timing parameters related to TASK B (here a non-terminating ECC task)

Listing 8.2 is derived from listing 8.1. Comments have been added for explanation and to indicate when the task changes its state. Additionally, the task now also has a "regular" event Can\_Ev\_TriggerSM\_Main\_Task. The scheduling situation shown in figure 8.6 corresponds to listing 8.2.

#### Listing 8.2: Non terminating ECC task using events for scheduling

```
TASK(Main_Task)
1
2
  {
    // Task starts here
3
    EventMaskType ev;
4
5
    for(;;) // non-terminating ECC task
6
7
       // Task "ends" here (in fact it will switch to waiting)
8
      // the following WaitEvent call is a "scheduling" WaitEvent
9
       (void)WaitEvent( Rte_Ev_Cyclic2_Main_Task_0_10ms |
10
```



```
11
                            Rte_Ev_Cyclic2_Main_Task_0_5ms
                                                                   );
       // Task "starts" here again (in fact it returned from waiting)
12
13
       (void)GetEvent(Main_Task, &ev);
14
15
       (void)ClearEvent(ev & ( Rte_Ev_Cyclic2_Main_Task_0_10ms |
16
                                 Rte Ev Cyclic2 Main Task 0 5ms
17
                                 Can_Ev_TriggerSM_Main_Task
                                                                  ));
18
19
       if ((ev & Rte_Ev_Cyclic2_Main_Task_0_10ms) != (EventMaskType)0)
20
21
       {
         CanNm_MainFunction();
22
       // the following WaitEvent call is a "regular" WaitEvent
23
         (void)WaitEvent( Can_Ev_TriggerSM_Main_Task );
24
         CanSM_MainFunction();
25
       }
26
27
28
       if ((ev & Rte_Ev_Cyclic2_Main_Task_0_5ms) != (EventMaskType)0)
29
       {
         CanTp_MainFunction();
30
         CanXcp_MainFunction();
31
       }
32
33 }
```

The recommended task configuration for the same set-up is shown in listing 8.3. For each period – here 5ms and 10ms – it uses a dedicated task. Whenever possible, the task should be a BCC1 task. All tasks terminate.

#### Listing 8.3: Recommended configuration using a separate task per period

```
1 TASK(Main_Task_10ms) // ECC
2 {
       CanNm_MainFunction();
3
       // the following WaitEvent call is a "regular" WaitEvent
4
       (void)WaitEvent( Can_Ev_TriggerSM_Main_Task );
5
       CanSM_MainFunction();
6
       TerminateTask();
7
  }
8
9
  TASK(Main_Task_5ms) // BCC1
10
11 {
12
       CanTp_MainFunction();
       CanXcp_MainFunction();
13
       TerminateTask();
14
15 }
```

# 8.2 A Simple Grammar of Timing Properties

In order to avoid repeating similar definition of timing properties and methods in the following sections, this document follows a generic approach. Timing properties are described with supporting placeholders, such as for example "<schedulable>" and



"<resource>". A "<resource>" can be e.g. a "CPU" or a "CAN bus", and a "<schedulable>" can be e.g. the corresponding "RunnableEntity", "BswSchedulableEntity" or "frame".

Not all combinations of such terms lead to relevant/valid definitions. Therefore the actual instances are listed with the definitions. For reasons of practicality, the document however presently does not formalize the placeholder structure into a complete and consistent grammar (but such refinement may be possible in future releases).

# 8.2.0.1 Resources and Schedulables

<Resources> are needed to execute <schedulables>. They can schedule between several <schedulables> over time, based on an online or offline scheduling scheme. <Resources> have the capability to compute, store, transmit or receive information.

<Resources> can be divided in two categories: <unary resources>, which can execute only one <schedulable> at any given time and <multi resources> which can execute multiple <schedulables> in parallel.

A <schedulable> computes, stores, or transmits information on a <resource>. In order to make progress it must be assigned the <resource> in the scheduling process.

| <resource></resource>       |                                     |
|-----------------------------|-------------------------------------|
| <unary resource=""></unary> | Allowed <schedulable></schedulable> |
| CAN bus segment             | CAN frame                           |
| Single-Core CPU             | Task                                |
| FlexRay Segment             | FlexRay frame                       |
| Ethernet Link               | Ethernet message                    |
| LIN bus                     | LIN frame                           |
| <multi resource=""></multi> |                                     |
| Switched Ethernet-Network   | Ethernet message                    |
| Multi-Core CPU              | Task                                |

 Table 8.1: Resource Overview

# Note: <Multi Resources> are not covered by any of the present definitions in the document.

The timing of a schedulable is defined by its <activate> and its <terminate> events. The <activate> is the moment in time at which the <schedulable> becomes ready to perform its operation, and the <terminate> is the moment in time when it is finished.

A <schedulable> may contain <subschedulables> to differentiate between different operations.

| <schedulable></schedulable>      | Allowed <subschedulable></subschedulable> |  |  |  |
|----------------------------------|-------------------------------------------|--|--|--|
| Processor Task (equivalent: ISR) | Runnable, BSW function                    |  |  |  |
| OS-Function                      | RunnableEntity, BswSchedulableEntity      |  |  |  |
| CAN frame                        | PDU, Signal                               |  |  |  |

#### Table 8.2: Allowed Schedulable



## 8.2.0.2 Method of Derivation

The different timing properties can be derived with various methods, while not every property can be properly derived with every method (but often approximated). For example, during simulation, the message load can be observed, but it is difficult to derive the real worst-case latency. For the purpose of this document, we differentiate between the following methods (see for more details in section 8.5:

| <timingmethod></timingmethod> | Explanation                           |
|-------------------------------|---------------------------------------|
| Analysis                      | Computation or theoretical estimation |
|                               | of the value of the timing property   |
| Simulation                    | Simulation of a system to determine   |
|                               | the temporal development of the value |
|                               | of the timing property                |
| Measurement                   | Measurement of a target to determine  |
|                               | the temporal development of the value |
|                               | of the timing property                |

#### Table 8.3: Method of Derivation

# 8.2.0.3 Statistical Qualifier

Many timing properties can be tailored to different <Statistical Qualifiers>. For example, one may be interested in the average latency of a message in one case and in the maximum latency in another (for example if it is a time critical message as e.g. the total time in the active steering example). Base to do this is to determine the temporal development of the latency over the time by means of e.g. the simulation and to derive the relevant quantities like the average latency. This can be more generalized to the determination of the temporal development of an arbitrary quantity ("'x-over-Time"') and to derivation of the distribution and its momenta.

For this reason, the following <Statistical Qualifiers> are introduced:

| Method       | <statistical qualifier=""></statistical> | <statistical qualifier=""><br/>derived quantity</statistical> |
|--------------|------------------------------------------|---------------------------------------------------------------|
| Analysis     | Best-Case                                |                                                               |
|              | Worst-Case                               |                                                               |
| Simulation / | Distribution / X-over-time               | Minimum                                                       |
| Measurement  |                                          |                                                               |
|              |                                          | Maximum                                                       |
|              |                                          | Average                                                       |
|              |                                          | Standard deviation                                            |

#### Table 8.4: Different Types of Timing Methods and the resulting Statistical Qualifiers

The x-over-time and the distribution depend on the related timing method, the input parameters and the boundary conditions. In contrast, the analysis approach delivers the timing property as a single value (e.g. worst-case). The (best-)worst-case denotes the state of the system with the (minimum) maximum system requirement, sometimes



overestimated by the applied algorithm. However, the (minimum) maximum represents the actual observed value of the timing property here in this context.

# 8.2.0.4 Constraint Type

Finally, in accordance with the definition in TIMEX, the actual value of the timing property can be interpreted as a requirement (a priori to an analysis) or the worst-case can be regarded as a guarantee for the system specification (a posteriori to an analysis).

| <constrainttype></constrainttype> |  |  |
|-----------------------------------|--|--|
| Requirement                       |  |  |
| Guarantee                         |  |  |

Table 8.5: ConstraintType

Figure 8.7 sketches the interplay between the value of the timing property (and its development over time and its distribution) and the constraints. The value of the timing property results from the timing method. Some of the Statistical Qualifiers are indicated on the left hand side of the distribution. Here, the guarantee results from the worst case analysis of the timing property of interest (in more general case defined in the performance specification) whereas the external requirement (defined in the requirement specification) for this timing property cannot be fulfilled in this case.



Figure 8.7: The figure illustrates the relation between the timing method, the timing property, the constraint and qualifiers (see text for more details). Here, the actual implementation does not fulfill the requirement.



## 8.2.1 Protocol Specifica

#### 8.2.1.1 CAN

In order to define properties for the CAN bus the following definitions are used:

| A CAN frame consists of |                                 |  |  |  |  |  |
|-------------------------|---------------------------------|--|--|--|--|--|
| Header                  | Standard 19 bit Extended 37 bit |  |  |  |  |  |
| Payload                 | 08 byte                         |  |  |  |  |  |
|                         | (CAN-FD 064 byte)               |  |  |  |  |  |
| Stuff bits              | 019                             |  |  |  |  |  |
|                         | (Extended 025) bit              |  |  |  |  |  |
| Footer                  | 25 bit                          |  |  |  |  |  |
| Inter frame space       | 3 bit                           |  |  |  |  |  |

#### Table 8.6: Definition length parameter for a CAN

Summing up all parameters together yields the frame length/time ( $l_{frame}/t_{frame}$ ). Thus,the general CAN properties and parameters are given by:

| Scheduling    | Static Priority Non-Preemptive  |  |  |  |  |
|---------------|---------------------------------|--|--|--|--|
| Activation    | Periodic and/or event triggered |  |  |  |  |
| ID (priority) | Standard 00x7FF                 |  |  |  |  |
| Speed         | Standard 100 1000 KBaud         |  |  |  |  |
| Frame length  | Standard 47130 bit              |  |  |  |  |

#### Table 8.7: Definition general parameter for a CAN

For the application of the generic description to the CAN bus the following relations are applied:

| Generic parameter           | Actual value                                                             |
|-----------------------------|--------------------------------------------------------------------------|
| <resource></resource>       | CAN bus segment                                                          |
| <schedulable></schedulable> | CAN frame                                                                |
| <activate></activate>       | Event TDEventFrame.frameQueuedFor Transmission on sender ECU             |
| <terminate></terminate>     | Event TDEventFrame.frameTransmittedOnBusbetween network and receiver ECU |

#### Table 8.8: Relation between the general and the CAN specific parameters

# 8.2.1.2 Activation

| Frame                 | Definition                                              |
|-----------------------|---------------------------------------------------------|
| Periodic Frame        | A frame that is activated periodically with period de-  |
|                       | fined by the "cycle time"                               |
| Event-Triggered Frame | A frame that is activated sporadically by an external   |
|                       | event.                                                  |
| Mixed Frame           | A frame that is activated by the passing of the period  |
|                       | or an external event. Different concepts on treating    |
|                       | the periodic part exist (i.e. resetting of the periodic |
|                       | timer on arrival of sporadic events).                   |



#### Table 8.9: Definitions of the frame activation

More complex activation pattern for frames in the scope of Autosar can be defined. Furthermore, OEM specific transmission modes exist.

# 8.3 Relations between Use Cases, Tasks, Properties and Methods

| UC                                                                                               | Task                               |                              |                            |                                            |                                                     |                                    |
|--------------------------------------------------------------------------------------------------|------------------------------------|------------------------------|----------------------------|--------------------------------------------|-----------------------------------------------------|------------------------------------|
|                                                                                                  | Task "Collect Timing Requirements" | Task "Create Implementation" | Task "Create Timing Model" | Task "Perform Model-Based Timing Analysis" | Task "Perform Implementation-based Timing Analysis" | Task "Verify Timing (Requirement)" |
| Function-level use-case "Identify timing requirements for a new feature (vehicle function)" (43) | x                                  |                              | x                          | x                                          |                                                     |                                    |
| Function-level use-case "Partition a feature (vehicle function) into a function network" (44)    | x                                  |                              | x                          |                                            |                                                     | x                                  |
| Function-level use-case "Map a function network to a hardware components network" (45)           | x                                  |                              | x                          | x                                          |                                                     | x                                  |
| Function-level use-case "From function-level events to observable events" (46)                   |                                    | x                            | x                          |                                            | х                                                   | x                                  |
| ECU use-case "Create Timing Model of the entire ECU" (73)                                        | х                                  |                              | х                          |                                            |                                                     |                                    |
| ECU use-case "Collect Timing Information of a SW-C" (75)                                         | х                                  |                              | х                          | х                                          | х                                                   |                                    |
| ECU use-case "Validation of Timing" (77)                                                         |                                    |                              |                            | х                                          | х                                                   | х                                  |
| ECU use-case "Debug Timing" (79)                                                                 | х                                  | х                            |                            |                                            | х                                                   | x                                  |
| ECU use-case "Optimize Timing of an ECU" (81)                                                    |                                    | х                            |                            |                                            | х                                                   | х                                  |
| ECU use-case "Optimize Scheduling" (83)                                                          |                                    | х                            | х                          | х                                          | х                                                   | x                                  |
| ECU use-case "Optimize Code" (84)                                                                |                                    | х                            |                            |                                            | х                                                   | x                                  |
| ECU use-case "Verify Timing Model(s)" (85)                                                       | х                                  |                              | х                          | х                                          |                                                     | х                                  |
| NW use-case "Integration of new communication" (62)                                              |                                    | x                            | х                          | х                                          | х                                                   | х                                  |
| NW use-case "Design and configuration of a new network" (64)                                     | х                                  | x                            | х                          | х                                          | х                                                   | х                                  |
| NW use-case "Remapping of an existing communication link" (67)                                   | х                                  | x                            | х                          | х                                          | х                                                   | x                                  |
| E2E use-case "Derive per-hop time budgets from End-to-End timing requirements" (50)              | x                                  |                              |                            |                                            |                                                     |                                    |

99 of 141



 $\triangle$ 

| UC                                                                                                        |   | Task |  |   |   |     |  |  |
|-----------------------------------------------------------------------------------------------------------|---|------|--|---|---|-----|--|--|
| E2E use-case "Deriving timing requirements from the timing assessment of an existing implementation" (51) | x |      |  | x | x |     |  |  |
| E2E use-case "Specify Timing Requirements for functional interfaces based on Signals/Parameters" (53)     | x | x    |  |   |   |     |  |  |
| E2E use-case "Assert timing requirements against guarantees" (55)                                         |   |      |  | х | х | х   |  |  |
| E2E use-case "Trace-based timing assessment of a distributed implementation" (56)                         |   |      |  |   | x | (x) |  |  |

Table 8.10: Overview about Relation between UCs and Tasks



| UC                                                                                                        | F                     | Proper                   | ty                               |                               | Met                                  | thod                             |                                               |
|-----------------------------------------------------------------------------------------------------------|-----------------------|--------------------------|----------------------------------|-------------------------------|--------------------------------------|----------------------------------|-----------------------------------------------|
|                                                                                                           | GENERIC PROPERTY Load | GENERIC PROPERTY Latency | SPECIFIC PROPERTY Execution Time | GENERIC METHOD Determine Load | SPECIFIC METHOD Determine Load (CAN) | GENERIC METHOD Determine Latency | SPECIFIC METHOD Determine Response Time (CAN) |
| Function-level use-case "Identify timing requirements for a new feature (vehicle function)" (43)          |                       | x                        | x                                |                               |                                      | x                                |                                               |
| Function-level use-case "Partition a feature (vehicle function) into a function network" (44)             |                       | x                        | x                                |                               |                                      | x                                |                                               |
| Function-level use-case "Map a function network to a hardware components network" (45)                    | x                     | x                        | x                                | x                             |                                      | x                                |                                               |
| Function-level use-case "From function-level events to observable events" (46)                            |                       |                          | х                                |                               |                                      | х                                |                                               |
| ECU use-case "Create Timing Model of the entire ECU" (73)                                                 |                       |                          | x                                |                               |                                      |                                  |                                               |
| ECU use-case "Collect Timing Information of a SW-C" (75)                                                  | x                     |                          | x                                | х                             |                                      |                                  |                                               |
| ECU use-case "Validation of Timing" (77)                                                                  | x                     |                          |                                  | х                             |                                      | х                                |                                               |
| ECU use-case "Debug Timing" (79)                                                                          | x                     | х                        | x                                | х                             |                                      | х                                |                                               |
| ECU use-case "Optimize Timing of an ECU" (81)                                                             | İ                     |                          | x                                |                               |                                      | х                                |                                               |
| ECU use-case "Optimize Scheduling" (83)                                                                   | x                     |                          | x                                | х                             |                                      | х                                |                                               |
| ECU use-case "Optimize Code" (84)                                                                         |                       |                          | x                                |                               |                                      |                                  |                                               |
| ECU use-case "Verify Timing Model(s)" (85)                                                                |                       |                          |                                  |                               |                                      | х                                |                                               |
| NW use-case "Integration of new communication" (62)                                                       | x                     | х                        |                                  | х                             | х                                    | х                                | х                                             |
| NW use-case "Design and configuration of a new network" (64)                                              | х                     | х                        |                                  | х                             | х                                    | х                                | х                                             |
| NW use-case "Remapping of an existing communication link" (67)                                            | х                     | х                        |                                  | х                             | х                                    | х                                | х                                             |
| E2E use-case "Derive per-hop time budgets from End-to-End timing requirements" (50)                       |                       | x                        | x                                |                               |                                      |                                  |                                               |
| E2E use-case "Deriving timing requirements from the timing assessment of an existing implementation" (51) |                       |                          | x                                | x                             |                                      | x                                | x                                             |
| E2E use-case "Specify Timing Requirements for functional interfaces based on Signals/Parameters" (53)     | x                     | x                        | x                                |                               |                                      |                                  |                                               |
| E2E use-case "Assert timing requirements against guarantees" (55)                                         | x                     | х                        | x                                | х                             | x                                    | х                                | x                                             |
| E2E use-case "Trace-based timing assessment of a distributed implementation" (56)                         | x                     | x                        | x                                | x                             | x                                    | x                                | x                                             |

Table 8.11: Overview about Relation between UCs, used Properties and applied Methods



# 8.4 Definition and Classification of Timing Properties

## 8.4.1 Classification and Relation of Properties

The properties can be grouped in two main fields: capacitive (<resource> capacity) and latency property (<schedulable> latency). Capacitive properties are the ratio of the capacity requirement by the <schedulables> to the capacity of the <resource>. Latency properties are the delays of <schedulables> due to the schedule (priority schema) on the common used <resource>.

| NW/ECU  | Group    | Name                         |
|---------|----------|------------------------------|
| Generic | Capacity | subsection 8.4.3             |
| NW      | Capacity | SPECIFIC PROPERTY Load (CAN) |
| Generic | Latency  | subsection 8.4.5             |
| Generic | Latency  | subsection 8.4.6             |
| NW      | Latency  | subsection 8.4.7             |
| Generic | Latency  | subsection 8.4.9             |
| Generic | Latency  | subsection 8.4.10            |
| ECU     | Latency  | subsection 8.4.11            |

# 8.4.2 Overview of regarded Timing Properties

| Table 8.12: Overview about the here | e described | I Timing Properties |
|-------------------------------------|-------------|---------------------|
|-------------------------------------|-------------|---------------------|

# 8.4.3 GENERIC PROPERTY Load

#### 8.4.3.1 Scope and Application

| Name                               | Load                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
|------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description                        | The load is the total share of time that a set of <schedulables> oc-<br/>cupies a <single resource="">. If the time for the occupation is calcu-<br/>lated it can exceed the available resource time (overload). In the<br/>practical realization using simulation or measurement this sce-<br/>nario cannot occur. But, if the transmission load of all <schedula-<br>bles&gt; exceeding 100% (amount of send requests) is not buffered<br/>the required to transmit information can be lost or overridden.</schedula-<br></single></schedulables> |
| Application                        | The property supports the estimation of the resource needs in ECUs and gateways and of the network, respectively.                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| Assumptions and Preconditions      | <ul> <li>The time of the occupation for every individual <schedula-<br>ble&gt; is known.</schedula-<br></li> <li>The partition for the total communication amount in indi-<br/>vidual <schedulables> is done.</schedulables></li> </ul>                                                                                                                                                                                                                                                                                                             |
| Relation to AUTOSAR specifications | There is no reference in TIMEX (n/A); indirect reference to ATU-<br>OSAR System Template and BSW Module Description by speci-<br>fying ExecutionTime of an ExecutableEntity with the class<br>ResourceConsumption.                                                                                                                                                                                                                                                                                                                                  |



#### Table 8.13: Scope, Application and Relation

## 8.4.3.2 Interface

| Notation                                           |              | $L(t, t_{window},)$                          |
|----------------------------------------------------|--------------|----------------------------------------------|
| Possible <statistical qualifiers=""></statistical> | All          | which were mentioned in the introduction     |
| Parameters                                         | $t_{window}$ | The size of the time interval over which the |
|                                                    |              | load is determined.                          |
|                                                    |              | Recommended value: large but finite value    |
|                                                    | t            | The end of the time interval over which the  |
|                                                    |              | load is determined. This parameter is re-    |
|                                                    |              | quired for load-over-time analysis.          |
|                                                    |              | Default value: not specified                 |
| Range                                              |              | 0 to 100% (0 infinity for calculation)       |

Table 8.14: Interface



Figure 8.8: Illustration of the relation of the actual occupation and the load over time. The load  $L(t, t_{window})$  is the average of the occupation over the interval  $t_{window}$  till the point in time t.

# 8.4.3.3 Expressiveness

The "load" indicates the overall utilization of a given <single resource>. A small load is better for stable operations due to safety and extensibility reasons. However, it shows that the <single resource> is not fully utilized, possibly missing opportunities for cost-optimization. On the other hand the remaining free resources can be used for future extension and therefor are intentionally reserved.



From perspective of real-time applications and schedulable with timing constraints, the expressiveness of load is limited. A load value below 100% allows deducing the guarantee that eventually every instance of each <schedulable> will be scheduled and executed on the <resource>. However, the completion time of a schedulable may be larger than its period or any given deadline.

Actually, the correlation to the <schedulable's> worst-case response time is small. Depending on the schedule there are examples with high load and small over-all response times and with low (but highly variable) load and high over-all response time. (compare latency, timing property worst-case response/execution time).

In [14], it was shown that given only periodic <schedulables> with deadlines equal to their periods, all <schedulable> will be serviced before their deadline if the load is smaller than 69% (independent <schedulables>). However, in practice, the presence of sporadically activated <schedulables> avoids a direct applicability of this statement.

# 8.4.4 SPECIFIC PROPERTY Load (CAN)

## 8.4.4.1 Scope, Application

| Name              | Bus Load (CAN)   |
|-------------------|------------------|
| Super Property    | subsection 8.4.3 |
| Belonging Methods | subsection 8.5.4 |

#### Table 8.15: Scope, Application, and Relation

The share of time can be calculated from the <activate> and <terminate> for the target measurement/simulation and from the frame length (see subsubsection 8.2.1.1) for analysis and the activation pattern (see subsubsection 8.2.1.2).

#### 8.4.4.2 Interface

The Bus load (CAN) is an instance of the property subsection 8.4.3 with the parameters described in Table 8.7 and 8.8.

Depending on the activation patterns, the following CAN loads are differentiated:

| Periodic load | The share of time that the set of periodic frames occupies the bus.                                                    |
|---------------|------------------------------------------------------------------------------------------------------------------------|
| Total load    | The share of time that all frames (periodic and event-triggered, including the mixed-triggered frames) occupy the bus. |

# Table 8.16: Different kinds of Bus Load of a CAN Segment depending on the frame activation



#### 8.4.4.3 Expressiveness

During run time, the CAN bus and the transmitted frames typically exhibit dynamic behavior:

- frame periods may slightly fluctuate from the specified cycle time (jitter and drift)
- the number of stuff bits depend on the actual payload
- the frame may not always carry the same amount of payload with each transmission

Depending on the selected <Statistical Qualifier> (i.e. average, maximum, ...) the properties of the CAN configuration may need to be interpreted differently due to this dynamism.

# 8.4.5 GENERIC PROPERTY Latency

## 8.4.5.1 Scope and Application

| Name        | Latency                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | The latency is the amount of time between the <activate> of<br/>the first <schedulable> (it is ready to transmit on/occupy a <re-<br>source&gt;) in a sequence of <schedulables> and the <end> of the<br/>last <schedulable> (freed from the occupation) in the list. This<br/>includes scheduling effects.<br/>If not noted otherwise, the latency refers to the processing time<br/>for one single event or one complete traversal of all <schedula-<br>bles&gt; ones.<br/>Depending on the timing property of interest and the nature of an<br/>application, two types of latency (also called "'semantics"') can<br/>be distinguished: the reaction time latency, which is the amount<br/>of time of the first reaction to a change in the input, and the data<br/>age latency, which is the amount of time that a that a certain<br/>input data may be processed before updated input values are<br/>available. See AUTOSAR Timing Extensions (TIMEX) [2] Laten-<br/>cyConstraint for details.</schedula-<br></schedulable></end></schedulables></re-<br></schedulable></activate> |
| Αρριιcation | the rescheduling in ECUs, gateways and of the network, respec-<br>tively. The property can be used for computation of the real-time<br>slack of the system.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |



| Assumptions & Preconditions        | For each <resource> is known:</resource>                                                                                                                             |
|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|                                    | <ul> <li>The access schema/arbitration strategy like bus protocol<br/>or OS scheduling</li> </ul>                                                                    |
|                                    | <ul> <li>All occupation of a <resource> is error free, i.e. every<br/>utilization by the <schedulable> takes place exactly once.</schedulable></resource></li> </ul> |
|                                    | For each individual <schedulable> is known</schedulable>                                                                                                             |
|                                    | <ul> <li>The priority of the <schedulables></schedulables></li> </ul>                                                                                                |
|                                    | The repsonse times                                                                                                                                                   |
|                                    | The triggering/activation schema including any send delay                                                                                                            |
|                                    |                                                                                                                                                                      |
| Relation to AUTOSAR specifications | TIMEX defines the LatencyTimingConstraint of a TimingDe-<br>scriptionEventChain.                                                                                     |

#### Table 8.17: Scope, Application, and Relation

# 8.4.5.2 Interface

| Notation                                           |              | $T(t, t_{window}, X)$                            |
|----------------------------------------------------|--------------|--------------------------------------------------|
| Possible <statistical qualifiers=""></statistical> |              | All in the introduction mentioned                |
| Parameters                                         | X            | The information package for which to com-        |
|                                                    |              | pute the response time                           |
|                                                    | $t_{window}$ | The size of the time interval over which the la- |
|                                                    |              | tency is determined, i.e. the temporal interval  |
|                                                    |              | of a trace in which the latency is determined.   |
|                                                    |              | Default value: INF                               |
|                                                    | t            | The beginning or end of the time interval over   |
|                                                    |              | which the latency is determined. This param-     |
|                                                    |              | eter is required for X-over-time analysis.       |
|                                                    |              | Default value: not specified                     |
| Range                                              |              | 0 to infinity                                    |

#### Table 8.18: Interface

# 8.4.5.3 Expressiveness

For every hop (element) of the sequential <schedulable> list the latency per hop of the <schedulable> measures the temporal delay for its utilizations of related <single resource>. A small latency is better for stable functional operations due to safety and extensibility reasons. However, it shows that at least a part of the <resources> are not fully utilized if the latency is too small against the end-to-end deadline, possibly missing opportunities for cost-optimization. Nevertheless the latency must be smaller than the end-to-end deadline, otherwise information loss may occur. If a considerable part of <schedulables> misses their deadlines for one of the <single resource> it has not enough capacity or the schedule is not sufficiently good.



Errors during a transmission or an execution of <schedulable> may lead to a retransmission/re-execution of specific <schedulable> which increases both the load and the latency.

The worst-case of the latency can be derived by model based formal analysis methods such as presented in [15]. By this, the latency property is conservatively computed.

The worst-case of the latency can be approximated by simulation, albeit only optimistically. The related transmission/execution requests and transmission/ execution complete events can be randomly generated and observed. The maximum of the observed values is an optimistic approximation of the worst-case latency.

When the property is derived using different methods (especially simulation/analysis and measurement) the following must be true (WC abbreviates worst case) considering only one element of the sequential <schedulable> list:

 $WC \ Latency_{Analysis}(<$ Schedulable> $) \ge WC \ Latency_{Simulation}(<$ Schedulable> $) and WC \ Latency_{Analysis}(<$ Schedulable> $) \ge WC \ Latency_{Measurement}(<$ Schedulable>)

# 8.4.6 GENERIC PROPERTY Response Time

# 8.4.6.1 Scope and Application

| Name                        | Response Time                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
|-----------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description                 | The response time is the special case of the latency concerning<br>only one single <schedulable>, i.e. is the amount of time be-<br/>tween the <activate> of the <schedulable> and the <end> of the<br/><schedulable>.This includes scheduling effects of a concurrent<br/>access to a shared <resource>. One can distinguish between a<br/>static priority pre-emptive access (in case of OSEK and other op-<br/>erating systems) and a static priority non-pre-emptive access (in<br/>case of CAN and most other networking systems).<br/>The response time of a <schedulable> is equal to its subsec-<br/>tion 8.4.9 or subsection 8.4.11 in the case where the resource<br/>is exclusively available to this <schedulable>. In the presence<br/>of multiple <schedulables> that are ready at the same time, the<br/>resulting response times are defined by the actual schedule.</schedulables></schedulable></schedulable></resource></schedulable></end></schedulable></activate></schedulable> |
| Assumption and Precondition | For each periodic and for each mixed activation the following is known:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|                             | Period                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
|                             | Reference clock (optional)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                             | Offset to reference (optional)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
|                             | For each event triggered and for each mixed activation the follow-<br>ing is known:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
|                             | <ul> <li>Event model of sporadic events including minimum arrival time</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |



| Relation to AUTOSAR specifications | TIMEX defines the Response Time as LatencyTimingConstraint |
|------------------------------------|------------------------------------------------------------|
|                                    | of a TimingDescriptionEventChain.                          |

#### Table 8.19: Scope, Application, and Relation

#### 8.4.6.2 Interface

The is a part of the property subsection 8.4.5 with the following parameters:

| Generic parameter           | Actual value                       |
|-----------------------------|------------------------------------|
| <resource></resource>       | Single <resource></resource>       |
| <schedulable></schedulable> | Single <schedulable></schedulable> |

#### Table 8.20: Relation between the general latency and the response time

| Notation  | $T_{Response}(t, t_{window}, <$ schedulable X>, <schedulables>)</schedulables> |                                                          |
|-----------|--------------------------------------------------------------------------------|----------------------------------------------------------|
| Parameter | <schedulable x=""></schedulable>                                               | The <schedulable> for which to compute the</schedulable> |
|           |                                                                                | response time.                                           |
|           | <schedulables></schedulables>                                                  | The remaining <schedulables> interacting</schedulables>  |
|           |                                                                                | with <schedulable x="">.</schedulable>                   |

#### Table 8.21: Interface

#### 8.4.6.3 Expressiveness

The expression of the response time as defined is limited in some sense:

1. In the case of a large number of non-harmonic time bases, analysis time can grow beyond acceptable times. In this case, some offset relations can be ignored during analysis which may slightly decrease accuracy.

# 8.4.7 SPECIFIC PROPERTY Response Time (CAN)

#### 8.4.7.1 Scope and Application

| Name        | Frame response time (CAN)                                                                                                                                                                                                                                                                |
|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | The property provides the total time from when a frame is ready<br>to send ( <activate>, i.e. placement of the frame in an output<br/>message buffer of the CAN driver) until a frame is completely<br/>transmitted over a bus (<end>, i.e. usually leading to a Rx IRQ</end></activate> |
|             | on a receiving ECU).                                                                                                                                                                                                                                                                     |
| Application | The property allows assessing the communication delay of a tim-<br>ing critical frame. The property can be used for computation of<br>the real-time slack (available bandwidth after accommodating all<br>frames specified in the communication matrix).                                 |


| Assumptions and Precondition       | It is assumed, that                                                                                                                                                                        |
|------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|                                    | <ul> <li>all communication on the bus is error free, i.e. every trans-<br/>mission takes place exactly once.</li> </ul>                                                                    |
|                                    | <ul> <li>of all frames in a network that are ready to send, the CAN<br/>bus always selects the one with the lowest CAN-ID for<br/>transmission.</li> </ul>                                 |
|                                    | For each frame on the bus, the following is known:                                                                                                                                         |
|                                    | • Frame length including stuff bits                                                                                                                                                        |
|                                    | CAN-ID                                                                                                                                                                                     |
|                                    |                                                                                                                                                                                            |
| Relation to AUTOSAR specifications | TIMEX defines the LatencyTimingConstraint of a Tim-<br>ingDescriptionEventChain. The TimingDescription-<br>EventChain for the response time of a CAN frame can be de-<br>fined as follows: |
|                                    | • stimulus event: TDEvent-<br>Frame(TDEventType=frameQueuedForTransmission)                                                                                                                |
|                                    | <ul> <li>response event: TDEvent-<br/>Frame(TDEventType=frameTransmittedOnBus).</li> </ul>                                                                                                 |

#### Table 8.22: Scope, Application and Relation

#### 8.4.7.2 Interface

The Response Time (CAN) is an instance of the property subsection 8.4.6.

| Notation  | $T_{Response}(t,t_{window},frame X)$ |                                                         |
|-----------|--------------------------------------|---------------------------------------------------------|
| Parameter | frame X                              | The frame for which to compute the response time.       |
|           | stuff bits                           | The number of stuff bits to be assumed during analysis. |

#### Table 8.23: Interface

#### 8.4.7.3 Expressiveness

The expression of the response time for CAN as defined is limited in some sense:

- 1. Due to internal buffer structure, some CAN controllers may not be able to always provide the frame with the lowest CAN-ID (highest priority) that is ready to send to the bus arbitration. This can lead to a priority inversion with potentially larger response times than as defined by this property.
- 2. It is difficult to measure latency in target setups. While it is easy to identify the transmission complete events by probing the bus, the point in time when a frame becomes ready to send is more difficult (black box measurement). One option is to estimate the time by checking the bus busy time before the transmission



complete event. Another option is to combine an ECU internal trace with the network trace using a reference time base.

These constraints are in part relaxed by current research such as [16], [17].

### 8.4.8 SPECIFIC PROPERTY Response Time (ECU)

#### 8.4.8.1 Scope and Application

| Name                               | Response time of a runnable entity (ECU)                                                                                                                                                                                                                                                                                                                                                     |
|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description                        | The property provides the total time between activating a runnable entity through termination of this runnable entity occur-<br>rence. That time span includes all times when the state is ac-<br>tive ( <running>) or passive (<ready>) until the execution is com-<br/>pleted.</ready></running>                                                                                           |
| Application                        | The property allows assessing whether the reaction times of<br>runnable executions are inside of an allowed time frame. This<br>time frame usually contains a minimum and maximum border de-<br>fined by a multi-dimensional time, which is the AUTOSAR ele-<br>ment to annotate time in various units. From the response time<br>no additionally information, such as load, can be derived. |
| Assumptions and Precondition       | It is assumed, that                                                                                                                                                                                                                                                                                                                                                                          |
|                                    | <ul> <li>all runnable state transitions can be analyzed.</li> </ul>                                                                                                                                                                                                                                                                                                                          |
|                                    | <ul> <li>full AUTOSAR name including namespace for every<br/>runnable of interest</li> </ul>                                                                                                                                                                                                                                                                                                 |
| Relation to AUTOSAR specifications | TIMEX does provide timing description events for the element of<br>runnable entities in the SW-C timing view. In the following a way<br>to analyze the reaction time, which is the notation in AUTOSAR<br>TIMEX for what is called response time in this document, is pre-<br>sented:                                                                                                        |
|                                    | • stimulus event: TDEvent-<br>Frame(TDEventType=runnableEntityActivated) - refer-<br>encing the runnable entity of interest                                                                                                                                                                                                                                                                  |
|                                    | <ul> <li>response event: TDEvent-<br/>Frame(TDEventType=runnableEntityTerminated) - ref-<br/>erencing the runnable entity of interest</li> </ul>                                                                                                                                                                                                                                             |



#### 8.4.8.2 Interface

The Response Time (ECU) is an instance of the property subsection 8.4.6.

| Notation  | $T_{\text{Responses}}(t, t_{\text{avindow}}, \text{runnable entity X})$ |                                              |
|-----------|-------------------------------------------------------------------------|----------------------------------------------|
|           | – nesp                                                                  | Jonse (*, * window, * en menere en en grief) |
| Parameter | runnable entity X                                                       | The runnable entity for which to compute the |
|           |                                                                         | response time.                               |
|           | event chain                                                             | The event chain used for analyzing the reac- |
|           |                                                                         | tion time.                                   |



#### Table 8.25: Interface

#### 8.4.8.3 Expressiveness

The expression of the response time for runnable entites in ECUs as defined can contain further information:

- 1. It provides information about the point in time of activating the execution context, usually the OsTask, until the runnable entity itself is executed.
- 2. Using the reaction time for runnable entities enables to analyze the reaction time of server runnables inside of client server interfaces.
- 3. To describe the reaction time of an OsTask, the above mentioned event can be used as well. By referencing the last called runnable entity of a task the reaction time of the runnable entity becomes equivalent to the OsTask reaction time it is mapped to.
- 4. The reaction time is highly depending on the task scheduling inside of the ECU. In order to find the reason for a certain reaction time further analysis have to be performed.

#### 8.4.9 GENERIC PROPERTY Transmission Time

#### 8.4.9.1 Scope and Application

| Name                               | Transmission time                                                                                                                                                                                                                                                                                                          |
|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description                        | The property is the special case of the response time without con-<br>cerning any scheduling effects. The property provides the pure<br>time for transmitting a <schedulable> on a single <resource><br/>without considering any other <schedulable> on this <resource>.</resource></schedulable></resource></schedulable> |
| Relation to AUTOSAR specifications | There is no direct constraint related to transmission times defined<br>in TIMEX. However the transmission time could be defined sim-<br>ilar to the ExecutionTimeConstraint by using Frame or PDU as<br>referenced ExecutableEntity.                                                                                       |

#### Table 8.26: Scope, Application, and Relation

#### 8.4.9.2 Interface

The Transmission Time is a part of the property subsection 8.4.6 with the following parameters:

| Generic parameter           | Actual value                       |
|-----------------------------|------------------------------------|
| <resource></resource>       | Single <resource></resource>       |
| <schedulable></schedulable> | Single <schedulable></schedulable> |

#### Table 8.27: Relation between the general latency and the transmission time



| Notation  | $T_{Response}(t, t_{window}, <$ schedulable X>) <schedulable x="">The <schedulable> for which to compute the<br/>transmission time</schedulable></schedulable> |  |
|-----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| Parameter |                                                                                                                                                                |  |
|           |                                                                                                                                                                |  |



#### 8.4.10 SPECIFIC PROPERTY Transmission Time (CAN)

#### 8.4.10.1 Scope and Application

| Name                               | Transmission time (CAN)                                           |
|------------------------------------|-------------------------------------------------------------------|
| Assumptions and Precondition       | For each frame on the bus, the following is known:                |
|                                    | • Frame length including stuff bits                               |
| Relation to AUTOSAR specifications | There is no specific property for the transmission time in TIMEX. |
|                                    | The definition of subsection 8.4.9 can be applied directly.       |

#### Table 8.29: Scope, Application, and Relation

#### 8.4.10.2 Interface

The Transmission time (CAN) is an instance of the property subsection 8.4.9 with the parameters described in Table 8.8.

| Notation  | $T_{Transmission}(t, t_{window}, \text{frame X})$ |                                                            |
|-----------|---------------------------------------------------|------------------------------------------------------------|
| Parameter | frame X                                           | The frame for which to compute the transmis-<br>sion time. |
|           | stuff bits                                        | The number of stuff bits to be assumed during analysis.    |

#### Table 8.30: Interface

#### 8.4.11 SPECIFIC PROPERTY Execution Time

#### 8.4.11.1 Scope and Application

| Name              | Execution Time (ET)                                                 |  |
|-------------------|---------------------------------------------------------------------|--|
| Description       | The execution time indicates a time required for a certain com-     |  |
|                   | putation. In this context a computation can be a runnable, a sub-   |  |
|                   | function or just a sequence of commands.                            |  |
| Goal              | This property is a required input information for run time budget-  |  |
|                   | ing and the ECUs schedule feasibility.                              |  |
| Assumptions       | The execution time is deterministic.                                |  |
| Relation to TIMEX | TIMEX defines an ExecutionTimeConstraint of an Exe-                 |  |
|                   | cutableEntity. The subsection 8.4.11 as defined above cor-          |  |
|                   | responds to the executionTimeType "'gross"', i.e. calls to external |  |
|                   | functions are included.                                             |  |



#### Table 8.31: Scope, Application, and Relation

#### 8.4.11.2 Interface

The Execution Time is a part of the property subsection 8.4.6.

|   | Output | The scalar result value is usually stated in micro-, milli- or |  |
|---|--------|----------------------------------------------------------------|--|
|   |        | nanoseconds.                                                   |  |
| I | Range  | 0 to infinity                                                  |  |

#### Table 8.32: Interface

#### 8.4.11.3 Expressiveness

For hard real-time systems an important statistical qualifier (also see subsubsection 8.2.0.4) is the worst case execution time (WCET) that is required to complete a certain computation. The WCET is an indicator for resource consumption usually a predefined value must be reached or derived. To predict and proof the correct software execution the WCET is an important property. In practice it is recommended to use different timing methods to determine the WCET in order to gain the confidence of the result. These methods are static, dynamic and hybrid approaches. If it is not possible to determine the WCET in the field an upper safe limit needs to be used as equivalent. Based on the worst case execution time of several computations one or more WCRT (worst-case response time) might be determined which in most cases are more relevant.

For section 7.9 next to the WCET the average execution time can be interesting. Huge differences between the both of them or the average execution time and the maximum execution time usually indicate optimization potential.

### 8.5 Definition, Description and Classification of Timing Methods

#### 8.5.1 Classification and Relation of Methods

Roughly, the methods can be grouped in three main fields: simulation, analytical calculation and measurement. Another criterion to distinguish methods is to consider the origin of the data: model-based or measurement-based. This classification is closely related to the moment in which stage of the timing process the method can carry out (in the specification phase or verification phase).



#### 8.5.1.1 Analytical calculation

Static Code Analysis works on the source code or binary code level of an executable software or part of it. A distribution of subsection 8.4.11 is determined. Therefore the call graph and the instruction sequence is reconstructed and analyzed. A lower limit for the BCET (best case execution time) and the upper bound for the WCET (worst case execution time) is calculated for a given code fragment (e.g. a function) by applying subsubsection 8.2.0.3. Beside the software that should be analyzed, symbol information and annotations for additional constraints (e.g. build options, range of input values, integration/hardware specific constraints) must be provided. Any real core execution time is guaranteed to be within this interval, as long as this fragment is not interrupted. Furthermore, any data present only at run-time (e.g. upper bounds on the loop iterations and the content of dynamic function pointers) has to be provided manually in the form of additional annotations. For a proper static code analysis the target hardware behavior must be known in detail (e.g. access time for different memory areas, caching, and so forth). In modern systems the behavior model can be guite complex and therefore limitations regarding the results precision may occur. The results of static code analysis should be validated with the results from alternative methods described in section 8.5.

**Scheduling analysis** Based on the model of a certain scheduler (e.g. a certain RTOS), scheduling analysis tools take minimum/maximum core execution times and an application model as input and provide e.g. the guaranteed WCRT. This allows checking whether any deadlines will be missed under the given conditions. For each task's and interrupt's worst case, a trace is generated allowing to analyze the run time situation under which it occurs. The execution times fed into the analysis can be either budgets, estimations, or outputs from other tools, e.g. statically analyzed BCET/WCET or traced/measured data. Thus, scheduling analysis allows to verify new concepts without implementing them as an advandage. Furthermore existing concepts can be amended for concept verification or solution space exploration.

**Network analysis** Network analysis for a single network segment computes the worstcase response time for each frame/package transferred via the network. This is usually possible based on the same type of design data that is needed to configure the connected ECUs (e.g. AUTOSAR System Extracts). The main information is the (gross) size of each frame/package (e.g. based on the size of the contained signals/parameters and the protocol header), the frame's transfer properties (i.e. its cycle time or debounce time of external triggers), and of course the transmission speed of the network. The analysis takes conflicts on the networks and synchronization between frames into account when computing the worst-case response times. This basic result can be aggregated into a complete timing profile for a bus or gated network. In case of highly dynamic timing behavior network analysis can be mixed with measurement-based approaches by replacing model-based design data with event traces from actual measurements.

**Compositional analysis** Compositional analysis allows to consider an activity chain consisting of different <schedulable> on different <resources>. It adds the chained response time of different <schedulable> on one <resource> in a first step and then



the response time of the resources. If a worst case consideration is made, this method can be very conservative as in reality the probability of a worst case response time on several chained resources is by far lower than the probability of a single resource worst case, which by itself is conservative.

#### 8.5.1.2 Simulation

In general, a simulation needs enough runs (simulation time) to ensure a statistical relevance of the results and to cover the parameter space of all degrees of freedom (e.g. the jitter of the send requests, the sending arrangement of the frames).

**Code simulation** Code simulators simulate the execution of given binary code for a certain processor. A wide variety of code simulators exist. Simple instruction set simulators provide very limited information about the execution time whereas complex simulators consider also pipeline- and cache-effects. To achieve reliable WCET information from a code simulator, it has to be embedded into a test environment which actually causes the worst case to be simulated.

**Scheduling simulation** Scheduling simulators provide similar functionality as the scheduling analysis. Instead of calculating the results, they simulate run time behavior. The observed timing information and generated traces are the main output. If the worst case scenarios are simulated, the observed response times will equal the WCRTs. Some simulators allow task definitions in C language so that complex applications models are supported while offering a specification language well known to automotive engineers.

**Network simulation** Network simulation is the technique of predicting the actual timing of a bus segment or network of segments based on models of the actual configurations. These models are typically derived from the same design data is needed to configure the connected ECUs (e.g. AUTOSAR System Extracts). The main information is the size of each frame/package (e.g. based on the size of the contained signals/parameters and the protocol header), the frame's transfer properties (i.e. its cycle time or debounce time of external triggers), and of course the transmission speed of the network. The network simulator is specific to a particular network protocol and will typically create random traffic within the bounds specified by the model data and unroll specific schedules. These schedules can be investigated with respect to resulting frame response times, network load and so on. As another kind of network simulation the remaining bus simulation is not a timing specific method, but many timing issues like arbitration latency, jitter, high load behaviour, etc. can be carried out on a real physical layer for experimental purposes. As a result other simulation methods can be verified.

**Processor-In-The-Loop Simulation (PIL)** is used to determine timing properties like subsection 8.4.11 or subsection 8.4.3 of a specific software system. Therefore the compiled software will be executed in the embedded target processor on an evaluation board, a prototype hardware or the actual ECU. In order to be able to execute the software correctly the required run-time environment will be simulated. The simulation platform stimulates and calls the software under investigation. During the execution the



required output data is captured. The output data is analyzed to derive the required timing properties. To carry out a PIL the analyzable executable (e.g. elf file) and input vectors for stimulation must be provided. The results of the PIL simulation should be validated with the results from alternative methods described in section 8.5.

The input stimuli vector which will be used for the PIL needs to stimulate the software in a way that the highest physically possible code coverage is reached. The quality of the input stimuli vector shall be shown in a separate "input stimuli vector acceptance test" which proofs an appropriate coverage. The accuracy of the result strongly depends on the quality of the input stimuli vector.

The tracing solution which captures the output data must have the capability to measure the execution time between defined profiling points. Profiling points define the start and end point for the measurement.

| Referencing Use-cases              |                                       |
|------------------------------------|---------------------------------------|
|                                    | • section 7.4                         |
|                                    | section 7.5                           |
|                                    | section 7.7                           |
|                                    | section 7.8                           |
|                                    | section 7.9                           |
| Referencing Timing Properties      |                                       |
| The foreigning Thinking Troperties |                                       |
|                                    | <ul> <li>subsection 8.4.11</li> </ul> |
|                                    | subsection 8.4.3                      |
|                                    | subsection 8.4.6                      |
|                                    |                                       |

#### Table 8.33: Relation

**Discrete-Event-Simulation (DES)** is used to simulate the dynamic behavior of the system. It models the operation of a system as a discrete sequence of events in time. Each event occurs at a particular instant in time and marks a change of state in the system. The method can be applied whenever a timing model of the system is available. The results of this method are timing properties of the system. A Table 9.10 of the system must be available and the accuracy of the result strongly depends on the quality of the input model.

| Referencing Use-case |             |
|----------------------|-------------|
|                      | section 7.4 |
|                      | section 7.3 |
|                      | section 7.5 |
|                      | section 7.8 |
|                      |             |



| Referencing Timing Properties |                    |  |
|-------------------------------|--------------------|--|
|                               | subsection 8.4.6   |  |
|                               | • subsection 8.4.3 |  |
|                               | subsection 8.4.11  |  |
|                               |                    |  |

#### Table 8.34: Relation

**Hardware-In-The-Loop Simulation (HIL)** can be used to determine timing properties like subsection 8.4.6 or subsection 8.4.3 of a specific ECU software.

To carry out a HIL simulation the software must be integrated to the actual ECU. The ECU is connected to a so called Hardware-In-The-Loop simulator which is able to simulate car's environment that is required for the proper functionality of the ECU. During the simulation the desired output data is captured. The output data is analyzed to derive the required timing properties.

The input stimuli vector needs to stimulate the ECU software in a way that the highest physically possible code coverage is reached. The accuracy of the result strongly depends on the quality of the input stimuli vector.

The tracing solution must have the capability to measure the execution time between defined profiling points. Profiling points define the start and end point for the measurement.

| Referencing Use-case          | <ul><li>section 7.4</li><li>section 7.5</li></ul>            |
|-------------------------------|--------------------------------------------------------------|
| Referencing Timing Properties | <ul> <li>subsection 8.4.6</li> </ul>                         |
|                               | <ul><li>subsection 8.4.3</li><li>subsection 8.4.11</li></ul> |



#### 8.5.1.3 Measurement and Tracing

**Measurement on ECU level** Timing measurement is often based on hook routines which are invoked by the RTOS. The real system is analyzed and the observed timing information is provided.



**Measurement on Network level** The timing measurement is done by special hardware connected to the hardware of the real network. Depending on the protocol and the applied measurement device the time stamp is imprinted at different point in time during the transmission of the relevant <schedulable>. The accuracy is given by the tracing device and shall fulfill the sampling theorem.

**Tracing** observes the real system. Tracing means persistent recording of measurement data streams. This can be recording of discrete events or sampled and quantized data from time contiguous sources in combination with a time stamp. For dedicated events, time stamps together with event information is placed in a trace buffer. The selection of events can be very fine grained like for flow traces which allow reconstructing the execution of each machine instruction or coarse grained like when tracing scheduling related events only. Tracing can base on instrumentation (i.e. software modification) or on special tracing hardware. Traces can be visualized and analyzed offline, e.g. for debugging purposes. Different kinds of timing information can be extracted from a trace. Sometimes an implicit protocol overhead has to be included for the correct computation (e.g. stuff bits for load computation on CAN).

#### 8.5.1.4 Determination of the Comparability of the Different Methods

Comparing analysis on one hand and simulation/measurement on the other hand the loads shall be coincident in the long-time limit (under identical boundary conditions). The difference vanishes if all parameters are chosen in the same manner. In general, the simulation and the observation yield an optimistic approximation in the same manner depending on the sample/probe size (measurement/simulation time).

In order to compare the results of different methods (especially simulation/analysis and measurement) a check that all <schedulables> are contained in the output is highly recommended.

#### 8.5.2 Overview of regarded Methods

|         | -       |                  |
|---------|---------|------------------|
| NW/ECU  | Group   | Name             |
| Generic | Load    | subsection 8.5.3 |
| NW      | Load    | subsection 8.5.4 |
| Generic | Latency | subsection 8.5.5 |
| NW      | Latency | subsection 8.5.6 |

The fields for all methods are analysis, simulation and measurement.

#### Table 8.36: Overview of regarded Methods



#### 8.5.3 GENERIC METHOD Determine Load

#### 8.5.3.1 Scope and Application

| Description | The method yields the load (distribution) over a defined time in- |
|-------------|-------------------------------------------------------------------|
|             | terval.                                                           |
| Reasoning   | The method supports the estimation of the resource needs in       |
|             | ECUs, gateways and of the network, respectively.                  |

#### Table 8.37: Scope and Application

#### 8.5.3.2 Classification

| System           | NW / ECU                            |
|------------------|-------------------------------------|
| Applied Protocol | CAN / FlexRay / OSEK / AUTOSAR etc. |
| Approach         | Analysis / Simulation / Measurement |

#### Table 8.38: Classification

#### 8.5.3.3 Relation

| Requirements                   | Interface input and boundary conditions (see Table 8.40)                                                                                                                                                                                                |
|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Process Steps                  | The method shall be applied during the following process steps:                                                                                                                                                                                         |
|                                | <ul> <li>Verification of a software implementation / of data defini-<br/>tion and of the configuration of communication networks</li> </ul>                                                                                                             |
|                                | <ul> <li>Requirement analysis for further development</li> </ul>                                                                                                                                                                                        |
|                                | <ul> <li>Resource optimization during development phase</li> </ul>                                                                                                                                                                                      |
| (Pre) Timing Property          | Depending on implementation this method requires the tim-<br>ing properties transmission time and/or execution time of all<br><schedulables> on the considered <resource> (e.g. subsec-<br/>tion 8.4.9 and subsection 8.4.11)</resource></schedulables> |
| Belonging Post Timing Property | subsection 8.4.3                                                                                                                                                                                                                                        |

#### Table 8.39: Relation

#### 8.5.3.4 Interface



| Input                                                             | The method requires parameters such as:                                                                                                                                                                                                                                                                     |
|-------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|                                                                   | <ul> <li><schedulables> (e.g. tasks/frame/PDUs) with their over-<br/>all times (transmission time, execution time), their activa-<br/>tion pattern (e.g. periodic/cyclic, sporadic) and potentially<br/>other parameters (e.g. stuff-bits in case of CAN Bus com-<br/>munication)</schedulables></li> </ul> |
|                                                                   | <ul> <li>Transmission/execution speed of the regarded <single re-<br="">source&gt; (e.g. CAN bus speed or processor speed)</single></li> </ul>                                                                                                                                                              |
|                                                                   | <ul> <li>Model of the spontaneous occurrence of <schedulable><br/>(e.g.event-triggered frames) / approximation of the occur-<br/>rence of the spontaneous events</schedulable></li> </ul>                                                                                                                   |
|                                                                   | <ul> <li>Scheduling/priority rules on the <resource></resource></li> </ul>                                                                                                                                                                                                                                  |
| Boundary condition, Set-<br>tings and Variants, Pre-<br>condition | <ul> <li>Environmental states (like driving states)</li> </ul>                                                                                                                                                                                                                                              |
| Output                                                            | The result of this method is the load on a <resource> (NW/ECU) captured by the timing property subsection 8.4.3.</resource>                                                                                                                                                                                 |

#### Table 8.40: Interface

#### 8.5.3.5 Implementation

The implementation of the method for deriving the load of a network or of an ECU depends on the considered approach, namely analysis, simulation or measurement. Implementation details can be found in the corresponding specific methods.

#### 8.5.4 SPECIFIC METHOD Determine Load (CAN)

#### 8.5.4.1 Scope and Application

| Brief Description | The method yields the load (distribution) on a CAN bus over a defined time interval. |
|-------------------|--------------------------------------------------------------------------------------|
| Reasoning         | The method supports the determination of the resource needs of a CAN network.        |

#### Table 8.41: Scope and Application

#### 8.5.4.2 Classification

| System           | NW                                  |
|------------------|-------------------------------------|
| Applied Protocol | CAN                                 |
| Approach         | Analysis / Simulation / Measurement |

#### Table 8.42: Classification



#### 8.5.4.3 Relation

| Requirements                   | Interface input (see Table 8.44)                                                          |
|--------------------------------|-------------------------------------------------------------------------------------------|
| Process Steps                  | The method shall be applied during the following process steps:                           |
|                                | <ul> <li>Verification of data definition and of the configuration of a CAN bus</li> </ul> |
|                                | <ul> <li>Requirement analysis for further development</li> </ul>                          |
|                                | Resource optimization during development phase                                            |
| (Pre) Timing Property          | The method requires the subsection 8.4.10 of all frames on the                            |
|                                | considered CAN bus.                                                                       |
| Belonging Post Timing Property | subsection 8.4.4                                                                          |

Table 8.43: Relation

#### 8.5.4.4 Interface

The specific method Determine Load (CAN) is an instance of the subsection 8.5.3.

| Input  | The method requires the CAN parameters defined in 8.7 and 8.8. |
|--------|----------------------------------------------------------------|
| Output | The result of this method is the load on a CAN bus captured by |
|        | the subsection 8.4.4.                                          |

#### Table 8.44: Interface

#### 8.5.4.5 Limitation in Application

At the moment, there is no established treatment for the spontaneous occurrence of event-triggered frames. Therefore, a unified model or activation pattern for the spontaneous occurrence has to be applied in order to achieve comparable results between different configurations.

A general treatment for the calculation of stuff-bits is missed. Therefore, different assumptions regarding the number of stuff bits shall be considered, i.e. a minimal, an average and a maximal number of stuff-bits.

#### 8.5.4.6 Implementation

#### 8.5.4.6.1 Analysis

The method for deriving the bus load for a CAN bus by analysis is based on mathematical formulas. These formulas can be implemented in a tool which supports the import of input parameters, the calculation of the load values and the export of the results.



The method has to enable the calculation of optimistic (best-case), average and pessimistic (worst-case) bus load values. For that purpose, different assumptions regarding the number of stuff-bits shall be implemented, i.e. a minimum number (for the optimistic approach), an average number, and a maximum number (for the pessimistic approach). Furthermore, different models of the event-triggered frame activation patterns shall be supported. The derivation of the load by analysis takes into the consideration the cyclic events with their periods and the spontaneous events with an event model. For example, the spontaneous events can be modeled with their debounce times as a "cycle" or with their maximum occurrence rate. Depending of the pessimistic or optimistic approach the calculation can estimate the upper bound with the lower limit of the period or with a specified period for the latter one.

The formula to calculate the bus load includes the pessimistic/optimistic approach depending on estimation of the stuff-bits for the analysis (see the formula for the stuff bits below, for CAN frames with 29-Bit Identifier there are deviations). The CAN parameters are given in 8.6.

$$t_{frame} = t_{stuff bits(frame)} + (47 + 8 * payloadlength(frame)[Byte]) * \tau_{Bit}$$
(8.1)

$$L(t_{frame}, t_{cycle(frame)}, payloadlength(frame)) = \sum_{frame} \frac{t_{frame}}{t_{cycle(frame)}}$$
(8.2)

Whereas payload length (in Byte) is the length of the data part of the CAN frame,  $t_{bit}$  is the time for the transmission of one bit,  $t_{cycle}$  is the specified period.

This approach estimates the bus load generated by the periodic messages on a bus during an infinitely long time window ( $t_{window}$  is infinity, the present point in time *t* does not play any role). The time for a frame is maximized due to a conclusion of all possible stuff bits. The event-triggered frames are neglected.

For CAN, different assumptions for stuff bits shall be implemented (minimal, average, maximal). Depending on the implemented approach, the calculation shall include a minimum (optimistic approach), an average or a maximum (pessimistic approach) number of stuff-bits. For each frame the following calculation formula for the maximal stuff-bit time shall be used. The average number of stuff-bit time can be derived by dividing by 2.

$$t_{\text{stuff bits(frame)}} = \left\lfloor \frac{34 + 8 * payloadlength(frame)[Byte]}{4} \right\rfloor * \tau_{Bit}$$
(8.3)

#### 8.5.4.6.2 Simulation

Every frame is simulated with its individual activation pattern (periodic, event triggered or mixed activation). Furthermore even for event triggered frames, different models for their activation patterns shall be supported. Different payloads may lead to different



numbers of stuff bits which have to be considered for the computation of the frame time. In the simulation all frames try to access the network at their trigger points in time, but only the frame with the highest priority (lowest ID) gains the access to the bus. Regarding a temporal averaging interval  $t_{window}$  the bus load is given as a ratio of the time for the sending of all frames to this interval:

$$L(t_{frame}, t_{window}, t) = \sum_{frame \in t_{window}} \frac{t_{frame}}{t_{window}}$$
(8.4)

where  $t_{frame}$  is the time for each individual frame.

#### 8.5.4.6.3 Measurement

The formula to calculate the bus load for CAN from a measurement is equal to the formula of the simulation and given by:

$$L(t_{frame}, t_{window}, t) = \sum_{frame \in t_{window}} \frac{t_{frame}}{t_{window}}$$
(8.5)

 $t_{frame}$  is again the time for each individual frame. The result is strongly dependent on the averaging (measurement) interval  $t_{Window}$ . In the short time the limes of the load can reach 100%. Important is to include the stuff bit overhead for the correct computation of the frame time and therefor of the load.

### 8.5.5 GENERIC METHOD Determine Latency

#### 8.5.5.1 Scope and Application

| Brief Description | The method yields the latency of <schedulables> when executed</schedulables> |
|-------------------|------------------------------------------------------------------------------|
|                   | on <resources>.</resources>                                                  |
| Reasoning         | The method supports the estimation of the resource needs in                  |
|                   | ECUs and gateways and of the network, respectively.                          |

#### Table 8.45: Scope and Application

#### 8.5.5.2 Classification

| System           | ECU / Network                       |
|------------------|-------------------------------------|
| Applied Protocol | CAN / FlexRay / OSEK / AUTOSAR etc. |
| Approach         | Analysis / Simulation / Measurement |

#### Table 8.46: Classification



#### 8.5.5.3 Relation

| Requirements            | Interface input, see Table 8.48.                                                                                                                                                                                                                         |
|-------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Process Steps           | The method shall be applied during the following process steps:                                                                                                                                                                                          |
|                         | <ul> <li>Verification of an software implementation / of data defini-<br/>tion and of the configuration of communication networks</li> </ul>                                                                                                             |
|                         | <ul> <li>Requirement analysis for further development</li> </ul>                                                                                                                                                                                         |
|                         | Resource optimization during development phase                                                                                                                                                                                                           |
| (Pre) Property          | Depending on implementation this method requires the tim-<br>ing properties transmission time and/or execution time of all<br><schedulables> on the considered <resource> (e.g. subsec-<br/>tion 8.4.9 and subsection 8.4.11).</resource></schedulables> |
| Belonging Post Property | subsection 8.4.5                                                                                                                                                                                                                                         |

#### Table 8.47: Relation

#### 8.5.5.4 Interface

|                                                                   | -                                                                                                                                                                                                                                                                                       |
|-------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Input                                                             | The method requires parameters such as:                                                                                                                                                                                                                                                 |
|                                                                   | <ul> <li>Implementation of the software, analyzable executable<br/>(e.g. elf file), input vectors for stimulation a.s.o.</li> </ul>                                                                                                                                                     |
|                                                                   | <ul> <li><schedulables> (e.g. tasks/frame/PDUs) with their over-<br/>all times (transmission time, execution time), their activa-<br/>tion pattern (e.g. periodic/cyclic, sporadic) and other pa-<br/>rameters (e.g. stuff-bits in case of CAN communication)</schedulables></li> </ul> |
|                                                                   | <ul> <li>Scheduling/priority rules (e.g. preemptive, non-<br/>preemptive, mixed-preemptive) on the <resource></resource></li> </ul>                                                                                                                                                     |
|                                                                   | <ul> <li>Transmission/execution speed of the regarded <resource><br/>(e.g. CAN bus, processor speed)</resource></li> </ul>                                                                                                                                                              |
|                                                                   | <ul> <li>Model of the spontaneous occurrence of <schedulables><br/>(e.g. event triggered frames) / Approximation of the occur-<br/>rence of the spontaneous events</schedulables></li> </ul>                                                                                            |
| Boundary condition, Set-<br>tings and Variants, Pre-<br>condition | <ul> <li>Environmental states (like driving states)</li> </ul>                                                                                                                                                                                                                          |
| Output                                                            | The result of this method are timing properties of type latency subsection 8.4.5 for all <schedulables> (frames/tasks) on a <resource> (NW/ECU).</resource></schedulables>                                                                                                              |

#### Table 8.48: Interface



#### 8.5.5.5 Implementation

The implementation of the method for deriving the latencies of <schedulables> on <resource> (i.e. networks or ECUs) depends on the considered approach, namely analysis, simulation or measurement. Implementation details can be found in the corresponding specific methods.

#### 8.5.6 SPECIFIC METHOD Determine Response Time (CAN)

#### 8.5.6.1 Scope and Application

| Brief Description | The method yields the response time of a frame when transmitted on a CAN bus. |
|-------------------|-------------------------------------------------------------------------------|
| Reasoning         | The method supports the determination of the resource needs of a CAN bus.     |

#### Table 8.49: Scope and Application

#### 8.5.6.2 Classification

| System           | Network                             |
|------------------|-------------------------------------|
| Applied Protocol | CAN                                 |
| Approach         | Analysis / Simulation / Measurement |

#### Table 8.50: Classification

#### 8.5.6.3 Relation

| Requirements            | Interface input, see Table 8.52.                                                                                                                                              |
|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Process Steps           | The method shall be applied during the following process steps:                                                                                                               |
|                         | <ul> <li>Verification of data definition and of the configuration of the<br/>CAN bus</li> </ul>                                                                               |
|                         | <ul> <li>Requirement analysis for further development</li> </ul>                                                                                                              |
|                         | Resource optimization during development phase                                                                                                                                |
| (Pre) Property          | Depending on implementation this method requires the timing properties transmission time of all frames on the considered CAN bus (SPECIFIC PROPERTY Transmission Time (CAN).) |
| Belonging Post Property | subsection 8.4.5                                                                                                                                                              |

#### Table 8.51: Relation

#### 8.5.6.4 Interface

The specific method Determine Response Time (CAN) is an instance of the subsection 8.5.5.



| Input                                                             | The method requires parameters such as defined in 8.6, 8.7 and 8.8, i.e.:                                                                      |
|-------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------|
|                                                                   | <ul> <li>The length / transmission time of all frames, their activation<br/>pattern (e.g. periodic/cyclic, sporadic) and stuff-bits</li> </ul> |
|                                                                   | <ul> <li>Execution speed of the CAN bus</li> </ul>                                                                                             |
|                                                                   | <ul> <li>Model of the spontaneous occurrence of event triggered<br/>frames</li> </ul>                                                          |
| Boundary condition, Set-<br>tings and Variants, Pre-<br>condition | <ul> <li>Environmental states (like driving states)</li> </ul>                                                                                 |
| Output                                                            | The result of this method is the response time of an individual frame on a CAN bus captured by the subsection 8.4.7.                           |

Table 8.52: Interface

#### 8.5.6.5 Limitation in Application

At the moment, there is no established treatment for the spontaneous occurrence of event-triggered frames. Therefore, a unified model or activation pattern for the spontaneous occurrence has to be applied in order to achieve comparable results between different configurations and between the applied approaches i.e. analysis/simula-tion/measurement.

#### 8.5.6.6 Implementation

The implementation of the method for deriving the response time for CAN depends on the considered approach, namely analysis, simulation or measurement.

#### 8.5.6.6.1 Analysis

The method for deriving response times for a CAN bus by analysis is based on mathematical formulas. These formulas can be implemented in a tool which supports the import of input parameters, the calculation of the individual frame response times and the export of the results.

The method has to enable the calculation of optimistic (best-case), average and pessimistic (worst-case) response time values. For that purpose, different assumptions regarding the number of stuff-bits shall be implemented, i.e. a minimum number (for the optimistic approach), an average number, and a maximum number (for the pessimistic approach). Furthermore, different models of the event-triggered frame activation patterns shall be supported. The derivation of the response times by analysis takes into the consideration the cyclic events with their periods and the spontaneous events with



an event model. For example, the spontaneous events can be modeled with their debounce times as a "cycle" or with their maximum occurrence rate. Depending of the pessimistic or optimistic approach the calculation can estimate the upper bound with the lower limit of the period or with a specified period for the latter one.

Typical model elementes required for deriving response times for CAN buses by analysis are: (i) the underlying scheduling policy, for CAN buses this being SPNP (Static Priority Non-Preemptive), (ii) for each CAN frame, the priority given by the CAN frame identifier, the frame length (see 8.6, 8.7) and the activation pattern (see 8.9) and (iii) the CAN bus speed (e.g. 100kBaud)( see table 8.7).

Based on these elements a formal analysis method, as for example presented in [15], computes response times for frames transmitted on CAN buses.

#### 8.5.6.6.2 Simulation

Every frame will simulate with its activation (periodic, event triggered or mixed). In the simulation all frames try to access the network at their trigger points in time. If the simulated network is occupied by another frame the frame in question is delayed at least as long the virtual occupation lasts. Further, the blocking time is so long as the frame in question has a lower priority than all other frames tried to transmit at the same time. The response time is given by the difference of the point in time of the completed transmission and of the point in time of the send request.

#### 8.5.6.6.3 Measurement

The measurement of the response time of the individual frame is only possible if the actual point in time for the send request is known. Thus, a correlated measurement with a common time base of the internal processes inside the ECU and on the network is necessary. One gets a distribution of the response time for each frame.

#### 8.5.6.6.4 General remarks

The analysis, the simulation and the measurement should be implemented in a similar way. All boundary condition shall be revealed. Different algorithms can be applied as long as the results are identical under identical conditions. Any approximation shall be signalized and the parameter for the cut-off shall be open.

The frames shall be implemented with different deviation from the specified period in case of cyclic activation. Different possibilities for modeling event-triggered activation patterns shall be supported. For the response time analysis, one has to take into consideration the cyclic events with their periods and the spontaneous events with an event model. E.g. the spontaneous events can be modeled with their debounce times as a "cycle" or with their maximum occurrence rate. Depending of the pessimistic or



optimistic approach the calculation of the response time can estimate the upper bound with the lower limit of the period or with a specified period for the latter one.

#### 8.5.6.7 Determination of the Comparability of the Different Methods

Comparing analysis on one hand and simulation/measurement on the other hand the values of simulation/measurement for the response time shall be approach the analysis results in the long-time limit (under identical boundary conditions). Depending on the analysis method the difference should be small. In general, the simulation and the observation yield an optimistic approximation in the same manner depending on the sample/probe size (measurement/simulation time).

In order to compare the results of different methods (especially simulation/analysis and measurement) a check that all frames are contained in the output is highly recommended.



## 9 Artifacts for Timing Analysis

This chapter gives an overview of the artefacts (e.g. timing tasks, work products) from the use-cases. Additionally common elements for a timing model and timing-related work products are described.

## 9.1 Description of Timing Tasks

This section introduces timing tasks that have to be performed in order to accomplish the use-cases described in chapter 5, 6 and 7. Timing tasks are generic descriptions of typical operations that can be performed with different scope (i.e. an entire ECU or an individual software component).

| Activity          | Collect Timing Requirements                                                     |
|-------------------|---------------------------------------------------------------------------------|
| Brief Description | Collect Timing Requirements                                                     |
| Description       | Collect the known timing requirement from the specification documents. If nec-  |
|                   | essary, find timing requirements in discussions/interviews with function owners |
|                   | and system architects. Derive new timing requirements from traces, measure-     |
|                   | ments and experiments.                                                          |
| Relation Type     | Related Element                                                                 |
| Consumes          | Function specification document, timing analysis report (optional)              |
| Performed by      | Timing engineer, function engineer and system engineer                          |
| Produces          | Timing Requirements Document (TIMEX Extract) (see table 9.10)                   |

#### Table 9.1: Task "Collect Timing Requirements"

| Activity          | Create Implementation                                                                                                                                                                                                                                                                    |
|-------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Brief Description | Create implementation of actual system                                                                                                                                                                                                                                                   |
| Description       | The system is implemented according to the specification. If an existing imple-<br>mentation is available, this task can also be a manipulation or extension of the<br>existing implementation. In both cases available timing requirements should<br>be considered as soon as possible. |
| Relation Type     | Related Element                                                                                                                                                                                                                                                                          |
| Consumes          | Existing implementation (optional), timing requirements (optional)                                                                                                                                                                                                                       |
| Performed by      | Timing engineer, network engineer, system engineer                                                                                                                                                                                                                                       |
| Produces          | Implementation                                                                                                                                                                                                                                                                           |

#### Table 9.2: Task "Create Implementation"

| Activity          | Create Timing Model                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
|-------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Brief Description | Create analyzable timing-model                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| Description       | The model parameters are derived from timing-related information. Incom-<br>plete information is estimated or generated based on synthesis-rules. Addi-<br>tional assumptions/operation scenarios/boundary conditions are documented.<br>If an existing timing model is available, this task can also be a manipulation<br>or extension of the existing timing model. In a model based development en-<br>vironment, the creation of a timing model can be used to elaborate different<br>realization alternatives before taking the effort of implementation. In this case,<br>timing requirements should be considered if possible. |



| Relation Type | Related Element                                                  |
|---------------|------------------------------------------------------------------|
| Consumes      | Existing timing model (optional), timing requirements (optional) |
| Performed by  | Timing engineer, network engineer, system engineer               |
| Produces      | Timing Model (see table 9.10)                                    |

#### Table 9.3: Task "Create Timing Model"

| Activity          | Decompose                                                                     |
|-------------------|-------------------------------------------------------------------------------|
| Brief Description | Decompose a higher level architecture element into lower level architecture   |
|                   | elements                                                                      |
| Description       | Decompose a higher level architecture element (e.g. feature) into lower level |
|                   | architecture elements (e.g. functions).                                       |
| Relation Type     | Related Element                                                               |
| Consumes          | High level architecture element                                               |
| Performed by      | E/E architect, function architect                                             |
| Produces          | Low-level architecture elements                                               |

#### Table 9.4: Task "Decompose"

| Activity          | Define Timing                                                                      |
|-------------------|------------------------------------------------------------------------------------|
| Brief Description | Define timing parameters and requirements                                          |
| Description       | In this task, the relevant timing parameters (e.g. latency) are identified for the |
|                   | considered level (e.g. feature) and requirement are defined for those.             |
| Relation Type     | Related Element                                                                    |
| Consumes          | Architecture element                                                               |
| Performed by      | Timing engineer, network engineer, function engineer, function architect           |
| Produces          | Timing Requirement (see table 9.10)                                                |

#### Table 9.5: Task "Define Timing"

| Activity          | Мар                                                                         |
|-------------------|-----------------------------------------------------------------------------|
| Brief Description | Map an element to component                                                 |
| Description       | Map an element (like a function or a task) to a hardware or software compo- |
|                   | nent.                                                                       |
| Relation Type     | Related Element                                                             |
| Consumes          | Element                                                                     |
| Performed by      | Software architect, E/E architect, Function architect                       |
| Produces          | Mapping                                                                     |

#### Table 9.6: Task "Map"

| Activity          | Perform Model-Based Timing Analysis                                           |
|-------------------|-------------------------------------------------------------------------------|
| Brief Description | Derive timing properties by performing timing analysis of the timing model    |
| Description       | Based on the timing model, analyze the timing (e.g. by simulation or static   |
|                   | analysis; see Analytical calculation on page 114) and derive the timing prop- |
|                   | erties.                                                                       |
| Relation Type     | Related Element                                                               |
| Predecessor       | Create Timing Model                                                           |
| Consumes          | Timing model                                                                  |
| Performed by      | Timing engineer, software architect, integrator or test engineer              |



| Produces | Timing Analysis Report (see table 9.10) with timing properties according to |
|----------|-----------------------------------------------------------------------------|
|          | Definition and Classification of Timing Properties on page 102              |

#### Table 9.7: Task "Perform Model-Based Timing Analysis"

| A ativity         | Devision Invalormentation Deced Timing Analysis                                    |
|-------------------|------------------------------------------------------------------------------------|
| Activity          | Perform implementation-based liming Analysis                                       |
| Brief Description | Gain timing properties by observing the actual implementation                      |
| Description       | Set up the environment (e.g. HIL or car) for the device to be analyzed. As the     |
|                   | set of test conditions (stimulation model) can strongly influence the timing be-   |
|                   | havior, it is an essential part of the test environment and it has to be described |
|                   | precisely if reproducability is required. Measure/trace the observable events      |
|                   | and derive the timing properties. See Measurement and Tracing on page 117.         |
| Relation Type     | Related Element                                                                    |
| Predecessor       | Create Implementation                                                              |
| Consumes          | Implementation, set of test conditions (stimulation model)                         |
| Performed by      | Timing engineer, software architect, integrator or test engineer                   |
| Produces          | Timing Analysis Report (see table 9.10) with timing properties according to        |
|                   | Definition and Classification of Timing Properties on page 102                     |

#### Table 9.8: Task "Perform Implementation-based Timing Analysis"

| Activity          | Verify Timing                                                                                                                                                                      |
|-------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Brief Description | Verify adherence of timing requirements against timing properties                                                                                                                  |
| Description       | Compare the timing requirements to the results of the timing analysis (timing properties). Generate a report that documents which timing requirements are fulfilled and which not. |
| Relation Type     | Related Element                                                                                                                                                                    |
| Predecessor       | Collect Timing Requirements, Perform Timing Analysis                                                                                                                               |
| Consumes          | Timing Document (TIMEX Extract) (see table 9.10), Timing Analysis Report (see table 9.10)                                                                                          |
| Performed by      | Timing engineer                                                                                                                                                                    |
| Produces          | Timing Verification Report (see table 9.10)                                                                                                                                        |

Table 9.9: Task "Verify Timing (Requirement)"

### 9.2 Timing Model Elements

This section gives an overview of typical information neccessary for a timing model. In general the type of information depends on the target architecture and different model elements, e.g. an ECU needs different artefacts to be configurable. The following graphic shows common artefacts on ECU and network level.





Figure 9.1: Overview of common elements relevant for a timing model

### 9.3 Work Products

This section introduces timing-related work products that are the outcome of or input to the use-cases described in chapter 5, 6 and 7.

| Name of Work Product                         | Description                                                                                                                                                                                                              |
|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Timing Requirements Document (TIMEX Extract) | A document containing an explicit set of<br>timing-related requirements. This document<br>may be included e.g. in a specification doc-<br>ument handed from an OEM or Tier-1 to a<br>supplier.<br>The document includes: |
|                                              | <ul> <li>a) timing-requirements related to the func-<br/>tionality (e.g. reaction time to driver ac-<br/>tion)</li> </ul>                                                                                                |
|                                              | <ul> <li>b) timing-requirements related to the plat-<br/>form (e.g. load constraints for all ECUs<br/>to meet safety margins)</li> </ul>                                                                                 |
| E/E Architecture Model                       | A model representation of the networks, gate-<br>ways and ECUs                                                                                                                                                           |
| Feature                                      | Feature is a customer vehicle function                                                                                                                                                                                   |



| Functional Architecture    | A model representation of the set of intercon-<br>nected function blocks (function network). It<br>is a result of the feature decomposition.                            |
|----------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Implementation             | A realization of the specification.                                                                                                                                     |
| Mapping                    | Assignment of an element (like a function or a task) to a hardware or software component.                                                                               |
| Test Conditions            | Test parameters generally used to provoke a failure                                                                                                                     |
| Timing Model               | A model representation of the system that<br>is sufficiently complete to analyze the timing<br>properties of the system e.g. through simula-<br>tion or formal methods. |
| Timing Analysis Report     | A document summarizing the timing proper-<br>ties of the system. It can consolidate both<br>measurement-based as well as model-based<br>timing properties.              |
| Timing Verification Report | A document that contains an overview over all<br>timing requirements contained in the system<br>and in how far they are fulfilled by the current<br>implementation.     |

Table 9.10: Timing-related Work Products



## 10 Limitations

Note that subsection 8.1.1 AUTOSAR Classic Platform Operating System contains content that was part of CONC\_628. As CONC\_628 was not validated for the AUTOSAR Classic Platform release 4.4.0, this content is added as draft to the current AUTOSAR release.



#### **History of Constraints and Specification Items** Α

#### A.1 Constraint History of this Document related to AUTOSAR R4.1.3

#### A.1.1 Changed Constraints in R4.1.3

No constraints were changed in this release.

#### A.1.2 Added Constraints in R4.1.3

No constraints were added in this release.

#### A.1.3 Deleted Constraints in R4.1.3

No constraints were deleted in this release.

#### A.2 Specification Items History of this Document related to AUTOSAR R4.1.3

#### A.2.1 Changed Specification Items in R4.1.3

No specification items were changed in this release.

#### A.2.2 Added Specification Items in R4.1.3

No specification items were added in this release.

#### A.2.3 Deleted Specification Items in R4.1.3

No specification items were deleted in this release.



## **B** List of figures, list of tables, and index

## **List of Figures**

| 1.1 | Overview of aspects for timing analysis                                   | 11 |
|-----|---------------------------------------------------------------------------|----|
| 1.2 | Set-up and end-to-end-timing requirement (red line) from an active        |    |
|     | steering project.                                                         | 13 |
| 1.3 | Software architecture of the above introduced active steering project     | 14 |
| 1.4 | ISO 3888-2 "elk test" schematic overview                                  | 14 |
| 1.5 | Active steering project augmented by camera based obstacle avoidance      |    |
|     | (AUTOSAR Adaptive Platform).                                              | 15 |
| 1.6 | Software architecture of the above introduced active steering project     | 15 |
| 3.1 | Application of timing analysis in a development process according to the  |    |
|     | V-model                                                                   | 31 |
| 3.2 | Mapping of a function network to a component network                      | 33 |
| 3.3 | Iterative and hierarchical top down budgeting of timing requirements cor- |    |
|     | responding to response times                                              | 34 |
| 3.4 | SPEM Process model from AUTOSAR Methodology for system design             |    |
|     | process                                                                   | 37 |
| 4.1 | Decomposition of functions                                                | 40 |
| 4.2 | Use-case Diagram: Function-level                                          | 42 |
| 4.3 | SPEM process model for Function-level use-case "Identify timing re-       |    |
|     | quirements for a new feature (vehicle function)"                          | 44 |
| 4.4 | SPEM process model for Function-level use-case "Partition a feature       |    |
|     | (vehicle function) into a function network"                               | 45 |
| 4.5 | SPEM process model for Function-level use-case "Map a function net-       |    |
|     | work to a hardware components network"                                    | 46 |
| 4.6 | SPEM process model for Function-level use-case "From function-level       |    |
|     | events to observable events"                                              | 47 |
| 5.1 | Use-case Diagram: E2E                                                     | 49 |
| 5.2 | SPEM process model for E2E use-case "Derive per-hop time budgets          |    |
|     | from End-to-End timing requirements"                                      | 51 |
| 5.3 | SPEM process model for E2E use-case "Deriving timing requirements         |    |
|     | from the timing assessment of an existing implementation"                 | 53 |
| 5.4 | SPEM process model for E2E use-case "Specify Timing Requirements          |    |
|     | for functional interfaces based on Signals/Parameters"                    | 55 |
| 5.5 | SPEM process model for E2E use-case "Assert timing requirements           |    |
|     | against guarantees"                                                       | 56 |
| 5.6 | SPEM process model for E2E use-case "Trace-based timing assess-           |    |
|     | ment of a distributed implementation"                                     | 58 |
| 6.1 | Focus of this chapter: bus timing in networks                             | 60 |
| 6.2 | Generic SPEM process model for NW use cases                               | 61 |
| 6.3 | Use-case Diagram: Timing Analysis for Network                             | 61 |
| 7.1 | Focus of this chapter: scheduling and code execution time inside ECUs     | 71 |
| 7.2 | Use-case Diagram: Timing Analysis for ECU                                 | 72 |
|     |                                                                           |    |



| 7.3 | SPEM process model for ECU use-case "Create Timing Model of the                |     |
|-----|--------------------------------------------------------------------------------|-----|
|     | entire ECU"                                                                    | 74  |
| 7.4 | SPEM process model for ECU use-case "Collect Timing Information of             |     |
|     | a SW-C"                                                                        | 76  |
| 7.5 | SPEM process model for ECU use-case "Validation of Timing"                     | 78  |
| 7.6 | SPEM process model for ECU use-case "Debug Timing"                             | 81  |
| 7.7 | SPEM process model for ECU use-case "Optimize Timing of an ECU" .              | 83  |
| 8.1 | Illustration of hierarchy between use cases, timing properties, and timing     |     |
|     | methods (and related sections)                                                 | 89  |
| 8.2 | The interplay between different timing methods, timing properties and          |     |
|     | constraints                                                                    | 89  |
| 8.3 | Task states and transitions as defined by AUTOSAR OS BCC                       | 90  |
| 8.4 | Task states and transitions as defined by AUTOSAR OS ECC                       | 90  |
| 8.5 | Timing parameters visualised in a trace (all related to TASK B)                | 91  |
| 8.6 | Timing parameters related to TASK B (here a non-terminating ECC task)          | 93  |
| 8.7 | The figure illustrates the relation between the timing method, the timing      |     |
|     | property, the constraint and qualifiers (see text for more details). Here,     |     |
|     | the actual implementation does not fulfill the requirement.                    | 97  |
| 8.8 | Illustration of the relation of the actual occupation and the load over time.  |     |
|     | The load $L(t, t_{window})$ is the average of the occupation over the interval |     |
|     | $t_{window}$ till the point in time $t$ .                                      | 103 |
| 9.1 | Overview of common elements relevant for a timing model                        | 132 |
|     |                                                                                |     |

## **List of Tables**

| 1.1  | Acronyms and Abbreviations                                                   | 17 |
|------|------------------------------------------------------------------------------|----|
| 1.2  | Glossary of Terms                                                            | 18 |
| 1.3  | List of all use-cases in this document                                       | 19 |
| 1.4  | ECU Integrator                                                               | 19 |
| 1.5  | E/E Architect                                                                | 19 |
| 1.6  | Function Architect                                                           | 19 |
| 1.7  | Function Engineer                                                            | 20 |
| 1.8  | Network Data Engineer                                                        | 20 |
| 1.9  | Software Architect                                                           | 20 |
| 1.10 | Software Component Developer                                                 | 21 |
| 1.11 | Test Engineer                                                                | 21 |
| 1.12 | Timing Engineer                                                              | 21 |
| 4.1  | List of Function-level specific use-cases                                    | 41 |
| 4.2  | Characteristic Information of "Identify timing requirements for a new fea-   |    |
|      | ture (vehicle function)" use-case                                            | 43 |
| 4.3  | Characteristic Information of "Partition a feature (vehicle function) into a |    |
|      | function network" use-case                                                   | 44 |
| 4.4  | Characteristic Information of "Map a function network to a hardware          |    |
|      | components network" use-case                                                 | 46 |



| 4.5  | Characteristic Information of "From function-level events to observable    |     |
|------|----------------------------------------------------------------------------|-----|
|      | events" use-case                                                           | 47  |
| 5.1  | List of use-cases related to end-to-end timing                             | 49  |
| 5.2  | Characteristic Information of E2E use-case "Derive per-hop time bud-       |     |
|      | gets from End-to-End time requirements"                                    | 50  |
| 5.3  | Characteristic Information of this E2E use-case                            | 52  |
| 5.4  | Characteristic Information of this E2E use-case                            | 53  |
| 5.5  | Characteristic Information of this E2E use-case                            | 55  |
| 5.6  | Characteristic Information of this E2E use-case                            | 57  |
| 6.1  | List of network specific use-cases                                         | 61  |
| 6.2  | Characteristic Information of NW UC "Integration of new communication"     | 62  |
| 6.3  | Characteristic Information of NW UC "Design and configuration of a new     |     |
|      | network"                                                                   | 66  |
| 6.4  | Characteristic Information of NW UC "Remapping of an existing commu-       |     |
|      | nication link"                                                             | 68  |
| 7.1  | List of ECU specific use-cases                                             | 72  |
| 7.2  | Characteristic Information of ECU UC "Create Timing Model of the entire    |     |
|      | ECU"                                                                       | 74  |
| 7.3  | Characteristic Information of ECU UC "Collect Timing Information of a      |     |
|      | SW Component"                                                              | 75  |
| 7.4  | Characteristic Information of ECU UC "Validation of timing"                | 78  |
| 7.5  | Characteristic Information of ECU UC "Debug Timing"                        | 79  |
| 7.6  | Characteristic Information of ECU UC "Optimize Timing of an ECU"           | 82  |
| 7.7  | Characteristic Information of ECU UC "Optimize Scheduling"                 | 84  |
| 7.8  | Characteristic Information of ECU UC "Optimize Code"                       | 85  |
| 7.9  | Characteristic Information of ECU UC "Verify Timing Model(s)"              | 86  |
| 8.1  | Resource Overview                                                          | 95  |
| 8.2  | Allowed Schedulable                                                        | 95  |
| 8.3  | Method of Derivation                                                       | 96  |
| 8.4  | Different Types of Timing Methods and the resulting Statistical Qualifiers | 96  |
| 8.5  | ConstraintType                                                             | 97  |
| 8.6  | Definition length parameter for a CAN                                      | 98  |
| 8.7  | Definition general parameter for a CAN                                     | 98  |
| 8.8  | Relation between the general and the CAN specific parameters               | 98  |
| 8.9  | Definitions of the frame activation                                        | 99  |
| 8.10 | Overview about Relation between UCs and Tasks                              | 100 |
| 8.11 | Overview about Relation between UCs, used Properties and applied           |     |
|      | Methods                                                                    | 101 |
| 8.12 | Overview about the here described Timing Properties                        | 102 |
| 8.13 | Scope, Application and Relation                                            | 103 |
| 8.14 | Interface                                                                  | 103 |
| 8.15 | Scope, Application, and Relation                                           | 104 |
| 8.16 | Different kinds of Bus Load of a CAN Segment depending on the frame        |     |
|      | activation                                                                 | 104 |
| 8.17 | Scope, Application, and Relation                                           | 106 |
| 8.18 | Interface                                                                  | 106 |



| 8.19 | Scope, Application, and Relation                               | 108 |
|------|----------------------------------------------------------------|-----|
| 8.20 | Relation between the general latency and the response time     | 108 |
| 8.21 | Interface                                                      | 108 |
| 8.22 | Scope, Application and Relation                                | 109 |
| 8.23 | Interface                                                      | 109 |
| 8.24 | Scope, Application and Relation                                | 110 |
| 8.25 | Interface                                                      | 111 |
| 8.26 | Scope, Application, and Relation                               | 111 |
| 8.27 | Relation between the general latency and the transmission time | 111 |
| 8.28 | Interface                                                      | 112 |
| 8.29 | Scope, Application, and Relation                               | 112 |
| 8.30 | Interface                                                      | 112 |
| 8.31 | Scope, Application, and Relation                               | 113 |
| 8.32 | Interface                                                      | 113 |
| 8.33 | Relation                                                       | 116 |
| 8.34 | Relation                                                       | 117 |
| 8.35 | Relation                                                       | 117 |
| 8.36 | Overview of regarded Methods                                   | 118 |
| 8.37 | Scope and Application                                          | 119 |
| 8.38 | Classification                                                 | 119 |
| 8.39 | Relation                                                       | 119 |
| 8.40 | Interface                                                      | 120 |
| 8.41 | Scope and Application                                          | 120 |
| 8.42 | Classification                                                 | 120 |
| 8.43 | Relation                                                       | 121 |
| 8.44 | Interface                                                      | 121 |
| 8.45 | Scope and Application                                          | 123 |
| 8.46 | Classification                                                 | 123 |
| 8.47 | Relation                                                       | 124 |
| 8.48 | Interface                                                      | 124 |
| 8.49 | Scope and Application                                          | 125 |
| 8.50 | Classification                                                 | 125 |
| 8.51 | Relation                                                       | 125 |
| 8.52 | Interface                                                      | 126 |
| 9.1  | Task "Collect Timing Requirements"                             | 129 |
| 9.2  | Task "Create Implementation"                                   | 129 |
| 9.3  | Task "Create Timing Model"                                     | 130 |
| 9.4  | Task "Decompose"                                               | 130 |
| 9.5  | Task "Define Timing"                                           | 130 |
| 9.6  | Task "Map"                                                     | 130 |
| 9.7  | Task "Perform Model-Based Timing Analysis"                     | 131 |
| 9.8  | Task "Perform Implementation-based Timing Analysis"            | 131 |
| 9.9  | Task "Verify Timing (Requirement)"                             | 131 |
| 9.10 | Timing-related Work Products                                   | 133 |

# Index

Accuracy, 17 Analysis Bus load, 63, 68 Compositional, 114 Functional, 36 Routing time, 64, 69 Scheduling, 114 Static Code, 114 Trade-off, 83 Arbitration delay, 64, 69 Architecture, 24 ASA, 16 AUTOSAR, 16

BSW, 16 BSW Modules, 73 Bus load analysis, 63, 68

CAN, 16 Capacitive Property, 102 Code Execution, 70 COM, 16 Communication matrix, 59 Compositional Analysis, 114 CPU, 16

Data Inconsistencies, 79 DES, 16, 116

E2E, 17 EAST-ADL, 32 ECU, 17 Configuration, 73 Extract, 72 ECU-level, 70 Event-triggered Frame, 17 Execution Time, 17, 25 Extract

#### ECU, 72

Frame, 17 Function Design, 36 Functional Analysis, 36

Gateway, 65

Hot-spots, 82

I/O, 17 ID, 17 Inconsistencies Data, 79 Information Packages, 17 Integration ECU-level, 70 Network-level, 59 New communication, 62 Software, 70 Interrupt Load, 17

Latency Property, 102 LIN, 17 Load, 17 Load balancing, 81

MARTE, 32 Measurement, 117 Measurements Runtime, 75 Model Timing, 73 Modules BSW, 73

Network Simulation, 115 NW, 17

Object file, 73 Optimization Code, 84



Scheduling, 83 Timing, 81

PDU, 17 Period, 17 PIL, 17, 75 Processor-In-The-Loop Simulation, 75

RE, 17 Real-time Architecture, 24 Response Time, 17, 26 Role, 19 Routing time analysis, 64, 69 RTE, 17 Runtime Measurements, 75 Schedulable, 95 Schedulable Entity, 17 Scheduling, 83 Analysis, 114 Simulation, 115 Software Integration, 70 **SPEM**, **17** Sporadic System crashes, 79 Static Code Analysis, 114 Statistical Qualifier, 96 Stuff bit, 17 SW-C, 17, 75 SysML, 32 System crashes, 79 System Parameter, 18

#### TD, **17**

TIMEX, 17, 31 Timing Behavior, 73 BswModule, 36 Constraint, 18 Debugging, 79 ECU, 36 Method, 18 Model, 18, 73, 85 Optimization, 81 Property, 18 SW-C, 36, 75 System, 36 Task, 18 Validation, 77 VFB, 36 Tool chain, 74 Tracing, 118 Trade-off Analysis, 83 Transmission Time, 25 UC, 17 UML, 17 Use-case, 18 Use-cases, 18

ECU, 71 End-to-End Timing, 48 Network, 60

V-model, 30 Validation, 77 VFB, 17, 73

WCET, 17, 75 WCRT, 17 Work Product, 18 Worst case, 18 Worst-Case Execution Time, 26 Worst-Case Response Time, 26 Worst-Case Transmission Time, 26