

# Timing Analysis on Complex Real-Time Automotive Multicore Architectures

Mircea Negrean, Simon Schliecker, Rolf Ernst



Institute of Computer and Network Engineering



Technische Universität Braunschweig

## Automotive challenges



- Requirements of automotive E/E platforms and architectures
  - Sufficient computing power and communication bandwidth
  - Avoid unnecessary over-dimensioning of computing resources
  - Low cost
- ➔ Find sweet spot between maximum performance and minimum costs
- Requirements of automotive OEMs (for certification)
  - Analytical proof:
    - That systems correctly work under maximum load
    - Sufficient resource availability at any time

## → Formal performance verification techniques

- During different system design phases
- For final product to increase SIL (safety integrity level) compliance



#### Outline

- Abstractions for the analysis of real-time systems
- Multicore architectures
- Timing implications and countermeasures
- Formal analysis method
- Conclusion






## Software Timing Hierarchy




# Local Scheduling Analysis

• Single core task execution (classical model)



• Single core task execution (with shared resources)





## Model Task Activation as "Event Streams"

• Response Time Analysis requires traffic models:





## **Component Performance Analysis**



 Output event model of one processor becomes input event model of successor → compose multiple local analyses into system level analysis








## **Multicore Architectures**

• Expected in near future automotive designs

#### **Current distributed system**

- All accesses to local resources
- Bus communication clearly specified and systematic

#### **Multicore system**

- Accesses to local and shared resources
- Complicated, interleaved and less systematic communication timing



#### → Complex impact on timing








# Task Execution in Multicore

Single core task execution (with shared resources)



• Multicore task execution with shared resources



- Mapping to multicore architectures changes timing
  - Leads to new timing dependencies between applications!



## Software Timing Hierarchy





#### Countermeasures

- Orthogonalize resources
  - Introduce schedulers that give upper bounds on interference independently of competing streams
  - At least perform traffic shaping
  - $\rightarrow$ imposes strict hardware guidelines
  - $\rightarrow$ protection from partially false system specification
  - $\rightarrow$ prone to over-provisioning (not so much in hard real-time setups)
- Use formal analysis that covers dynamism
  - Find realistic upper bounds on application behavior
  - Provide formulas and analysis methods matching actual system
  - $\rightarrow$ requires comprehensive knowledge of hardware behavior to set up analysis
  - $\rightarrow$ requires safe assumptions about behavior of the software
  - $\rightarrow$ allows considering dynamic schedulers and load
- Mix of the above








## Formal Analysis Method - Example

- Response Time Analysis for multiprocessor systems (DATE 2009)
  - Set of "m" processor systems $\rightarrow$ each with its own SPP scheduling
  - Static set of tasks $\tau = \{\tau_1, \tau_2, \ldots, \tau_n\}$
    - statically mapped on the "m" processors
  - Unique priority space across processors
    - Priority $(\tau_1)$ > Priority $(\tau_2)$ > ... > Priority $(\tau_n)$
  - Set of shared resources
    - Local and global
    - Arbitration according to MPCP
- $\rightarrow$ Evolutionary extension of **OSEK-AUTOSAR** scheduling
- Matches design practice in automotive domain





## **Response Time Analysis**

- Worst-case response time  $R_i$  of a task  $\tau_i$  on a processor with SPP
  - Task own execution
  - Interference due to higher priority local tasks
  - Blocking time when accessing shared resources





## Types of Blocking - according to MPCP

- Local blocking time
- Direct blocking time
- Indirect preemption delay
- Local preemption delay









## **Derivation of Shared Resource Latencies**

Concept → Use event model concept to capture resource traffic



• Possible upper bounds derivation:

Bound 1: $\tilde{\eta}_{1}^{+}(\Delta t) = \eta_{1}^{+}(\Delta t + R_{1}) \cdot n_{1}$

Bound 2: $\tilde{\eta}_{1}^{+}(\Delta t) = \left\lceil \frac{\Delta t}{d_{srr}} \right\rceil$

• Direct blocking time of task $\tau_5$:

$$B_{5,direct}(R_5) = \tilde{\eta}_1^+(R_5) \cdot \omega_1^{G_1}$$

$\omega_1^{G_1}$ - Time duration when $G_1$ is blocked by $\tau_5$



## Multiprocessor Response Time Analysis

• Couple local scheduling analysis with the blocking time analysis

$$R_{i} = \eta_{i}^{+}(R_{i}) \cdot C_{i} + \sum_{\forall \tau_{j} \in hpl(\tau_{i})} \eta_{j}^{+}(R_{i} + R_{j}) \cdot C_{j} + B_{i}(R_{i})$$

#### Analysis issues:

- Critical instance scenario not valid due to possible self-suspension of higher priority tasks
  - $\rightarrow$ compute response times top-down (higher priority first)
- $B_i(R_i)$ depends on the load imposed by other tasks, but their response time has possibly not been calculated
  - $\rightarrow$ Iterative computation of tasks' WCRT until general convergence
  - $\rightarrow$ For lower priority tasks use a load derivation that is independent of WCRT
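The coupled equation above as a fixed-point iteration, computed top-down by priority. This is an added example, not code from the slides or from SymTA/S. It assumes strictly periodic activations, a constructed three-task set on two cores, direct blocking of $\tau_5$ by $\tau_1$ only, and takes the smaller of Bound 1 and Bound 2 as $\tilde{\eta}_1^+$; all function and field names are hypothetical.

```python
import math

def eta_plus(dt, period):
    """Max activations of a strictly periodic stream in any window of length dt."""
    return 0 if dt <= 0 else math.ceil(dt / period)

def direct_blocking(r_i, remote, r_remote):
    """B_direct(R_i) = eta~+(R_i) * omega, using the tighter of Bound 1 and Bound 2."""
    bound1 = eta_plus(r_i + r_remote, remote["P"]) * remote["n"]  # Bound 1
    bound2 = math.ceil(r_i / remote["d_srr"])                     # Bound 2
    return min(bound1, bound2) * remote["omega"]

def wcrt(task, hp_local, R, remote=None, limit=1000):
    """Iterate R_i = eta_i+(R_i)*C_i + sum eta_j+(R_i+R_j)*C_j + B_i(R_i)."""
    r = task["C"]
    while r <= limit:
        own = eta_plus(r, task["P"]) * task["C"]
        interference = sum(eta_plus(r + R[j["name"]], j["P"]) * j["C"]
                           for j in hp_local)
        blocking = direct_blocking(r, remote, R[remote["name"]]) if remote else 0
        r_next = own + interference + blocking
        if r_next == r:
            return r          # fixed point reached: this is the WCRT bound
        r = r_next
    return None               # exceeded limit: no bound found

# Constructed task set (assumption, time units arbitrary).
# tau1 runs on core A and issues n requests to G1 per activation, each
# blocking for omega, with minimum distance d_srr between requests.
TAU1 = {"name": "tau1", "P": 10, "C": 2, "n": 1, "omega": 1, "d_srr": 10}
# tau2 and tau5 share core B; tau2 has the higher priority.
TAU2 = {"name": "tau2", "P": 20, "C": 3}
TAU5 = {"name": "tau5", "P": 50, "C": 5}

def analyse():
    """Top-down: R_j of every higher-priority task is known before it is used."""
    R = {}
    R["tau1"] = wcrt(TAU1, [], R)
    R["tau2"] = wcrt(TAU2, [], R)
    R["tau5"] = wcrt(TAU5, [TAU2], R, remote=TAU1)
    return R

if __name__ == "__main__":
    print(analyse())
```

In the last iteration for $\tau_5$, Bound 1 allows two remote requests while Bound 2 allows one, so the minimum distance $d_{srr}$ gives the tighter blocking term.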



## Applicability

 Modeling and Analysis of multiprocessor systems implemented in SymTA/S (Symbolic Timing Analysis for Systems)










## Conclusion

- Mapping ECU functions on multicore impacts function timing due to shared resources → Cross-processor interference
- New scheduling and analysis algorithms are available for multicore
  - Compatible with system level analysis (DATE 2009)
  - Can work with incomplete and estimated task sets

Use formal analysis methods to:

- Optimize performance and cost:
  - In early design stages to guide towards optimal design choices
  - Refine input data **during design process** to provide verification strength guarantees for final product
- Achieve compliance with safety standards








## Bibliography

- [1] Negrean, M., Schliecker, S., and Ernst, R. "Response-Time Analysis of Arbitrarily Activated Tasks in Multiprocessor Systems with Shared Resources." In *Proceedings of Design, Automation and Test in Europe Conference (DATE), Nice, France* (April 2009).
- [2] Schliecker, S., Rox, J., Negrean, M., Richter, K., Jersak, M., and Ernst, R. "System Level Performance Analysis for Real-Time Automotive Multi-Core and Network Architectures." *IEEE Transactions on Computer Aided Design* (July 2009).
- [3] Richter, K., Jersak, M., and Ernst, R. "Learning Early-Stage Platform Dimensioning From Late-Stage Timing Verification." In *Proceedings of Design, Automation, and Test in Europe (DATE), Nice, France,* (April 2009).
- [4] Schliecker, S., Negrean, M., Nicolescu, G., Paulin, P., and Ernst, R. "Reliable Performance Analysis of a Multicore Multithreaded System-On-Chip." *Proceedings of the 6th International Conference on Hardware/Software Codesign and System Synthesis (CODES-ISSS), Atlanta, GA* (October 2008).

