Methods and Tools for End-to-End Latency Analysis and Optimization of a Dual-Processor Control Module 2012-01-0029

Automotive HW/SW architectures are becoming increasingly complex to support the deployment of new safety, comfort, and energy-efficiency features. Such architectures include several software tasks (100+), messages (1000+), computational and communication resources (70+ CPUs, 10+ buses), and (smart) sensors and actuators (20+). To cope with the increasing system complexity at lowest development and product costs, highest safety, and fastest time to market, model-based rapid-prototyping development processes are essential. The processes, coupled with optimization steps aimed at reducing the number of software and hardware resources while satisfying the safety requirements, enable reduction of the system complexity and ease downstream testing/validation efforts. This paper describes a novel model-based design exploration and optimization process for the deployment of a set of software tasks on a dual-processor control module implementing a fail-safe strategy. The fail-safe strategy is realized by a primary and a secondary path, implemented as two separate chains of software tasks executing on two separate processors communication via a SPI (Serial Peripheral Interface) bus. The dual-processor module must satisfy two requirements: first, the latency of the primary path must be bounded to guarantee a safe real time response to changes in the environment; second, the difference between the primary and the secondary path latencies must be bounded to guarantee no data inconsistency occurs (e.g, stale data). In this work, we apply a design exploration and optimization process, based upon a synergetic use of different timing analysis and optimization methods (for example, worst case, probabilistic, and model-checking) and tools, to compute the latency of the paths, and the corresponding latency differences. We also optimize the design (using genetic algorithms) with respect to the specified timing constraints by changing task offsets and priorities. It is not the objective of this paper to demonstrate that the implemented strategy is indeed a fail-safe strategy that addresses the safety goal of the system. Also, the dual-core dual-path strategy does not address malfunctioning in both cores due to a clock failure. In this paper, we take the strategy as a given and propose methods and tools that aid designers in finding the desired trade-offs between satisfaction of the latency constraints and efficient usage of the hardware resources.