Schedulability and end-to-end latency in distributed ECU networks: formal modeling and precise estimation

Embedded control systems in automobiles are typically implemented by a set of tasks deployed on multiple Electronic Control Units (ECUs) communicating via one or more buses like CAN or FlexRay. In the case of safety-critical systems, there are hard real-time bounds on the (i) response times of tasks/messages, and (ii) end-to-end latencies of certain task/message chains. These depend on various factors like the number of tasks (and messages) involved in the processing (and communication) sequence, parameters of these tasks/messages, scheduling policies, communication protocols, clock drifts, etc. Moreover, since the data transfer among tasks/messages is typically via asynchronous buffers that are overwritable and sticky, multiple semantics are possible for end-to-end latency. Hence, precise estimation of response times and end-to-end latencies in embedded systems is a non-trivial problem. In this paper, we propose a model-checking based technique to compute worst-case response times and end-to-end latencies. We consider a distributed system made of preemptively scheduled tasks and non-preemptively scheduled messages. Given a chain in the system, we estimate two different end-to-end latencies --LIFO and LILO-- which are important in automotive domain. From a system description, we automatically synthesize a formal model based on a discrete event simulation formalism called Calendar Automata. It is then model-checked to compute response times and end-to-end latencies. Our technique is more scalable than the existing formal methods based techniques. We have illustrated this technique on reasonably large case-studies from the automotive domain.