
The FORMUS³IC research project in collaboration

From the state of the art to new developments

Authors: Lukas Osinski, Jürgen Mottok, Laboratory for Safe and Secure Systems (LaS³), Center for Digitalization.Bavaria (ZD.B)

Contribution – Embedded Software Engineering Congress 2018

The research project "Multi-Core Safe and Software-intensive Systems Improvement Community" addressed the challenges posed by heterogeneous multi-/many-core architectures in the automotive and avionics sectors through a holistic approach. The holistic solution concept developed reflects the consideration of the various levels of hardware-software co-design. In addition to providing solutions to current problems, the project primarily contributed to the efficient use of heterogeneous multi- and many-core systems.

1 Introduction

The research consortium Multi-Core Safe and Software-intensive Systems Improvement Community (FORMUS³IC) from the field of information technology made an important contribution in the years 2015-2018 to the use of secure heterogeneous parallel hardware platforms.

The FORMUS³IC research consortium involves six universities (Regensburg University of Applied Sciences, Friedrich-Alexander University Erlangen-Nuremberg, Munich University of Applied Sciences, Amberg-Weiden University of Applied Sciences, Ingolstadt University of Applied Sciences, Nuremberg Institute of Technology Georg Simon Ohm) and eight companies (Airbus Defence & Space GmbH, AUDI AG, Continental Automotive GmbH, Elektrobit Automotive GmbH, Infineon Technologies AG, iNTENCE automotive electronics GmbH, Timing-Architects Embedded Systems GmbH, XKrug GmbH), which together demonstrate its relevance along the value chain. The project is funded by the Bavarian Research Foundation and has a total budget of approximately €4 million.

Six technical work packages (TP2, …, TP6) address different research questions, develop solutions, and demonstrate feasibility in a demonstrator (TP7). The research questions identified and pursued in the first project year were explored in greater depth in the second year, and the development of solutions continued in the third year. The following achievements of the individual FORMUS³IC sub-projects are briefly listed below:

  1. Architectural description and time simulation: Architectural description extended to ADLs and corridor scheduling specified.
  2. Functional safety and verification: A high-performance fault tolerance concept has been developed, and investigations into lightweight cryptographic primitives have been carried out.
  3. Model refinement / Hardware-level simulation and reconstruction: Processor models created for hardware-level analysis
  4. Parallelization techniques and patterns: Catalog of parallelization patterns created and effects on scheduling described.
  5. Communication: Communication protocol for the redundancy network determined and prototype implemented.
  6. Reference architecture (demonstrator): Three hardware platforms and their HW/SW architecture defined.

Figure 1 (see PDF): Technical work packages of the FORMUS³IC research consortium

Following a discussion of the initial situation in 2015 at the project's start in Chapter 2, Chapter 3 presents an exemplary discussion of the project result regarding functional safety from sub-project 3 (TP3). Chapter 4 will then provide a summary and an outlook.

2 State of the art

The discussion of the state of the art is conducted separately for each topic area.

2-1 Architectural Description Language EAST-ADL

EAST-ADL, short for Electronics Architecture and Software Technology – Architecture Description Language [1], is a domain-specific architecture description language for the model-based development and description of embedded E/E system and software architectures in a standardized format, with a particular focus on the automotive domain [2]. The language was designed in close alignment with the established automotive standard AUTOSAR and utilizes its linguistic features to implement one of the four EAST-ADL abstraction levels. In this sense, EAST-ADL can also be seen as an extension of the implementation-oriented AUTOSAR view, supplementing it with additional, higher abstraction levels. EAST-ADL was originally developed within the framework of the European research project ITEA EAST-EEA [3] and subsequently further developed in various European research projects, most recently in the context of the FP7 projects ATESST and ATESST2 [4] as well as MAENAD [5], which specifically addressed the requirements of modern electric vehicles.

2-2 Scheduling

At the heart of every multitasking operating system lies the implemented scheduling algorithm. It determines which program part has which priority at any given time, and the program parts are then executed according to this prioritization. Depending on the objective of the implemented scheduling algorithm, various strategies have become established. The first priority protocol for multi-processor environments was presented by Rajkumar et al. in [6]. Modern synchronization protocols allow nested resource requests. This was first implemented in the "Flexible Multiprocessor Locking Protocol" (FMLP) by Block et al. [7]. This protocol is suitable for both static and dynamic scheduling, but still generates many priority inversions. Both the synchronization protocols by Brandenburg and Anderson [8] and that by Ward and Anderson [9] allow the nested use of semaphores, but only for static priority assignments or those fixed during the processing of a task instance. Both protocols are based on passive waiting. The FMLP proposed in [7] was extended by Alfranseder et al. in [10]. This extension divides the critical sections of the synchronization protocol into an uninterruptible and an interruptible part, which reduces the number of priority inversions for specific task sets. Based on the short resource requests of the FMLP protocol, Alfranseder et al. in [11] extend the priority protocol of the OSEK operating system, thus enabling the use of OSEK on multi-core platforms. In [12], Wieder and Brandenburg present a comprehensive overview and analysis of various types of active-wait-based synchronization protocols. The approach presented in [13] builds on the Stack Resource Protocol and uses software transactional memory mechanisms to avoid deadlocks and priority inversions.

2-3 Information Security

The year 2015 clearly demonstrated that the Internet of Things, which manufacturers are eager to embrace, presents a variety of challenges. Charlie Miller and Chris Valasek garnered the most attention with their Jeep Cherokee hack. They demonstrated how they were able to gain control of this type of vehicle via the internet and subsequently remotely control virtually all functions that the driver can activate in the car, such as the windshield washer, ventilation, and stereo system. They were even able to stop the vehicle (see [14]). Other manufacturers, such as Nissan and BMW, have also revealed, and continue to reveal, that their vehicles are currently not adequately protected against hacking attacks.

The attacks ranged from unauthorized access to confidential vehicle data (in the case of Nissan, see [15]) to unauthorized unlocking of the vehicle via the internet (in the case of BMW, see [16]). The consequences of such hacks, especially those staged for maximum media impact, are usually costly recalls or the deactivation of connectivity services – a side effect is also damage to the respective manufacturer's image. That neither the aforementioned attacks nor the aforementioned car manufacturers are isolated cases is demonstrated by a report from US Senator Edward J. Markey (Massachusetts) from February 2015: Regarding "connected cars," suitable security functions are evidently lacking to protect the driver against hacking attacks that either take control of the vehicle or collect driver-specific and thus personal data in order to exploit it (see [17]).

2-4 Functional Safety

Safety standards (e.g., automotive: ISO 26262, avionics: DO-178B) already propose various diagnostic and monitoring techniques for the functional safety of embedded systems. The challenge lies in identifying, developing, and applying suitable procedures and methods for fault detection and handling for the different use cases and fault patterns of an automotive system. The introduction of redundancy through different software channels or a channel of specially coded software (specific encoding of data and instructions) is referred to as Safely Embedded Software (SES) [18] and is inspired by the Vital Coded Processor approach [19]. The simplest approach to obtaining a redundant channel is to duplicate the original instructions and data.

However, the resulting simple redundancy means that common cause failures cannot be detected, as they occur in both channels. Raab et al. [18] showed that the use of SES leads to a 44-fold increase in runtime compared to the original version using standard methods. The authors note that their method is a proof of concept and that there is still potential for improving runtime. In the work of Braun [20], coded processing was compared to a parallel system, which demonstrated better long-term performance of the coded processing approach. The reduced error probability with appropriately chosen coded processing makes it possible to use COTS (commercial off-the-shelf) components to save costs while maintaining the system's reliability.

Braun also proposes a Software Rejuvenation Model in which SES is supplemented by Partial Rejuvenation [21]. By applying Markov models, an improvement in the Mean Time To Failure (MTTF) of more than a factor of 1000 could be demonstrated. An important advantage of SES is that it can be implemented in the problem-oriented programming language C and that it can also detect certain errors that can be introduced by the compiler [22]. In addition to Braun et al., a research group from the TU Dresden spin-off SIListra is also working on the topic of coded processing. This research group is developing a compiler that automatically transforms C-based applications according to the principles of coded processing and can detect hardware errors [23]. For the verification of, for example, safety measures, the automotive safety standard ISO 26262 proposes the fault injection method [19]. This can also be applied to diagnostic and monitoring techniques such as the SES approach, e.g., through a model-based simulation environment based on the Monte Carlo principle.

2-5 Multi- and Many-Core Simulation Environments for General Purpose Processors

This topic focuses on identifying design tools and suitable embedded architectures that exhibit a high degree of heterogeneity and are specifically tailored to the needs of the automotive industry. Simulating such heterogeneous architectures is a crucial tool, as a synthesized hardware design often does not yet exist. This chapter provides an overview of existing multi- and many-core simulators and assesses their suitability for the project. Three criteria are important for this assessment: (i) simulation performance, (ii) availability of processor models for embedded and low-power processors, and (iii) the possibility of evaluating energy requirements and computing power. Table 1 shows a summary comparison of the simulation environments evaluated below.

| Simulation environment | Multi-/many-core simulation possible | Simulation performance | Availability of models for energy measurements | Availability of embedded processor models |
|---|---|---|---|---|
| Graphite | Yes | Medium to high | Yes | No |
| Sniper | Yes | High | Yes | No |
| SoCLib | Yes | Slow to medium | Yes | Medium |
| HORNET | Yes | Slow to medium | Yes | A MIPS model |
| gem5 | Yes | Slow to high | Yes | High |
| QEMU | Yes | Very high | No | Low |
| OVP | Yes | Very high | Yes | Very high |

Table 1: Comparison of simulation environments

2-6 Parallelization Techniques and Patterns in C++

Despite a long-term decline in its adoption rate, C++ is currently the third most widely used programming language after C and Java (according to the Tiobe Index [24]). Since C++11, the language has offered a range of features for developing parallel code, including threads, memory models, asynchronous execution (async), and thread-local memory. The upcoming version, C++17, will include refinements and parallel algorithms. By 2020, all forms of intra-node parallelism, such as SIMD, multicore CPU, and GPU, should be natively supported by C++. OpenMP will then be fully integrated into C++, eliminating the need for OpenMP directives [25]. C++11 introduced concurrent programming to the C++ standard for the first time. The key constructs for this are briefly described below [26]. The C++14 standard differs from C++11 primarily through bug fixes and minor improvements.

The `std::thread` library provides an interface for threads. Threads can be created and managed as usual. The runtime library maps the threads to the operating system. Synchronization mechanisms, such as `join()`, are also provided.

To share resources, appropriate objects are provided, such as `std::mutex`, as well as appropriate functions, such as `lock()`.

Parallel execution in C++11 is simplified by using promises / futures, which allow the results of concurrent executions to be merged.

Further simplification is achieved through the use of `async`. This allows asynchronous function calls to be initiated, which are executed concurrently. The essential parameters and shared data are passed to the call. The result is then retrieved later as a future event. This allows the runtime environment to freely determine the time and location of function execution.

The programmer can initiate calculations using futures and async, which can then be executed in parallel by the C++ runtime environment. Only when the result is needed are the execution strands merged. C++ has also been extended with mechanisms that enable the creation of non-blocking data structures. For example, the `<atomic>` header of the standard library provides atomic types with operations such as `std::atomic::fetch_add`.

C++17 is implemented as a "major release" with significant new features. An important aspect is the provision of parallel versions of some algorithms from the standard library, such as `sort` or `for_each`, where the degree of parallelization is selected via a parameter (an execution policy). Future extensions will include SIMD-based parallelization as well as the ability to influence the evaluation order for vectorized execution.
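The following program is an added example (not code from the paper, the FORMUS³IC project or any of its partners) that applies the C++11 constructs just described to one task: summing a constructed input vector in parallel. It shows the same merge step written three ways: with `std::thread` and a `std::mutex`-guarded critical section, with a lock-free `std::atomic` and `fetch_add`, and with `std::async`/`std::future`, where the strands are merged only when `get()` asks for the result. All function names are ours; the C++17 execution policies mentioned above are deliberately not used so the code compiles as plain C++11.

```cpp
#include <algorithm>
#include <atomic>
#include <future>
#include <mutex>
#include <numeric>
#include <thread>
#include <vector>

// Constructed input 1..n, so the expected sum is n*(n+1)/2.
std::vector<int> makeInput(int n) {
    std::vector<int> v(n);
    for (int i = 0; i < n; ++i) v[i] = i + 1;
    return v;
}

// Sum of one slice [begin, end) of the data; the unit of work for every variant below.
// Slices past the end of the data (more workers than elements) contribute 0.
static long long sumSlice(const std::vector<int>& data, size_t begin, size_t end) {
    if (begin >= data.size()) return 0;
    end = std::min(end, data.size());
    return std::accumulate(data.begin() + begin, data.begin() + end, 0LL);
}

// std::thread + std::mutex: each worker sums locally; only the merge into 'total'
// is a critical section, entered through lock_guard (RAII lock()/unlock()).
long long sumWithThreadsAndMutex(const std::vector<int>& data, int nThreads) {
    nThreads = std::max(nThreads, 1);
    const size_t chunk = (data.size() + nThreads - 1) / nThreads;
    long long total = 0;
    std::mutex m;
    std::vector<std::thread> workers;
    for (int t = 0; t < nThreads; ++t) {
        workers.emplace_back([&, t] {
            long long local = sumSlice(data, t * chunk, (t + 1) * chunk);
            std::lock_guard<std::mutex> guard(m);
            total += local;            // without the lock this line is a data race
        });
    }
    for (std::thread& w : workers) w.join();   // join(): wait for every worker before reading total
    return total;
}

// std::atomic: the merge is a single fetch_add, so no mutex is needed.
long long sumWithAtomic(const std::vector<int>& data, int nThreads) {
    nThreads = std::max(nThreads, 1);
    const size_t chunk = (data.size() + nThreads - 1) / nThreads;
    std::atomic<long long> total{0};
    std::vector<std::thread> workers;
    for (int t = 0; t < nThreads; ++t) {
        workers.emplace_back([&, t] {
            total.fetch_add(sumSlice(data, t * chunk, (t + 1) * chunk));
        });
    }
    for (std::thread& w : workers) w.join();
    return total.load();
}

// std::async + std::future: work is launched immediately, and the execution
// strands are merged only when get() is called on each future.
long long sumWithAsync(const std::vector<int>& data, int nParts) {
    nParts = std::max(nParts, 1);
    const size_t chunk = (data.size() + nParts - 1) / nParts;
    std::vector<std::future<long long>> parts;
    for (int p = 0; p < nParts; ++p) {
        const size_t begin = p * chunk, end = (p + 1) * chunk;
        parts.push_back(std::async(std::launch::async,
                                   [&data, begin, end] { return sumSlice(data, begin, end); }));
    }
    long long total = 0;
    for (std::future<long long>& f : parts) total += f.get();   // merge point
    return total;
}
```

All three variants return the same value for the same input; the difference is where synchronization happens (a lock, an atomic read-modify-write, or the future's `get()`), which is exactly the design decision the constructs above leave to the programmer.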

2-7 Redundancy concepts in avionics

In the civil sector, the architecture of the Airbus A320, A330, and A340 series [27], as well as that of the Boeing 777 [29], were long considered quasi-standards. The Federated Architecture approach was followed in this context. A typical feature of this approach is that the overall system is divided into individual systems – often also called Line Replaceable Units (LRUs) [28]. Each of these LRUs is responsible for a specific task and consists of its own processor and memory. These are interconnected via special data buses designed for high-security applications, such as MIL-STD-1553B or ARINC 429. However, these buses are specific to the avionics industry and are not provided by the microcontrollers themselves, but must be implemented using separate components – which in turn negatively impacts size, weight, and power consumption. These can either be standalone I/O boards that are plugged into the computer, or FPGAs that are located on the computer board itself.

3 Functional safety (from TP3) as an exemplary project result

The software-based Combined Redundancy (CoRed) [30] approach for single-core systems was used as a starting point for the further development of the monitoring concept. CoRed combines the redundant execution of applications (processes) in the form of Triple Modular Redundancy (TMR) with arithmetic coding to overcome the reliability bottleneck of majority decision-makers.

TMR is a widely used pattern for implementing fault tolerance, particularly in hardware. Three identical elements perform the same operation, and the correct result is then determined by majority vote. Besides the ability to detect errors, this approach offers the advantage of identifying the faulty element. It also contributes to system availability, as masking (majority vote) allows system execution to continue despite an erroneous result. However, a critical point of failure in TMR is the majority vote itself. Therefore, this component must meet high reliability requirements. These reliability requirements can be met in hardware implementations, for example, through hardened circuits. In a purely software-based solution—as in the case of CoRed—arithmetic coding can be used to increase reliability.

In the CoRed approach, application processes are replicated and executed sequentially on a single core, followed by a coded majority vote. Upon entering the process, the previously arithmetically coded data is decoded to minimize the execution time losses caused by coded operations. After the tasks are completed, the data is arithmetically coded again and made available to the subsequent coded majority vote (process). During the time when data is processed uncoded within the application tasks, the redundant execution of the application processes ensures error detection. The majority vote itself is executed on arithmetically coded data to enable error detection within the decision-making process and its correction through backward correction.

The effectiveness of the CoRed approach – particularly the coded majority vote – has been demonstrated through simulation-based fault injection experiments. However, disadvantages arise from the need for partial virtualization, run-to-completion semantics, difficulties in meeting real-time guarantees due to backward correction and sequential process execution, and the lack of coverage for permanent errors due to the single-core approach. Furthermore, the use of AN-BD coding and the associated complex management of B and D signatures leads to increased error susceptibility in the management logic outside the majority process.

Figure 2 (see PDF) – Methods for online monitoring [31]

3-1 Fault Tolerance Architecture

The further development of the original approach included, among other things, the following points:

  • Parallel execution of replicas (process and majority decision) on separate cores to reduce response time
  • Introduction of multiple majority decision-makers with singular output (hierarchy) to eliminate backward correction and reduce response time
  • Optimization of arithmetic coding by
    • Elimination of necessary redundancy in the static B signature
    • Elimination of the D-signature and the associated complex and error-prone administrative logic
  • Integration of floating-point numbers
  • Introduction of application-level reconfiguration strategies to increase availability

The use of arithmetic coding at the source code level increases execution times because all operations must be performed in the coded domain and complex signatures must be calculated at runtime. In contrast, the current monitoring concept uses arithmetic coding only to safeguard critical error points, such as majority voting or memory allocation. By decoding the data at the beginning of process execution, the costs associated with arithmetic coding can be reduced to a negligible level, and response time can be significantly improved. Furthermore, the selective use of coding allows for the integration of floating-point numbers within the processes. By eliminating the redundancies of the static B-signature and the management logic of the D-signature, the implementation of this concept in an industrial environment no longer requires (certified) tool support.

Many concepts only consider transient errors. Although the error rate for permanent errors is significantly lower than for transient errors, we include them in our analysis. Executing replicated processes on different cores can already make a small contribution to the detection of permanent errors on homogeneous systems, but this effect is amplified by the use of heterogeneous systems. Furthermore, the parallel execution of process replicas improves the system's response time and thus promotes real-time capability. Replicating majority decision-makers and executing them on different cores eliminates the previously necessary backward correction. Should a majority decision fail, one of the correct decision-makers takes over the output of the correct result. To ensure the singular output of majority decisions, the output order is regulated by a hierarchy. After a majority decision fails, different reconfiguration strategies are executed depending on the system design (static/dynamic). These strategies ensure that defective components are isolated and the replicas are moved to healthy components.

To verify the monitoring concept, fault injection experiments with data and control flow errors were performed on an Infineon AURIX TriCore TC27x running ERIKAOS 2.7. An uncoded and an optimized arithmetically coded majority vote were used. The experiments were conducted with different input values to achieve complete branch coverage. Data errors (DF) were simulated by injecting transient 1-bit errors during read access to the used registers. Control flow errors (CFF) were injected by manipulating the program counter. The results of the experiments were categorized as follows:

  • Masked: Error had no impact on program execution
  • Detected:
    • Coding: The error was detected through coding.
    • Trap: Error triggered a hardware exception
    • OS: Error detected by the operating system
    • No result (KE): An error was detected, but no clear result could be determined.
    • Undetected Data Error (UD): Error was not detected

As can be seen from the results in Table 2, the injected errors in the uncoded majority vote lead to a significant number of undetected data errors. When data errors are injected, 12% of the originally injected errors go undetected. Nearly identical behavior is observed when control flow errors are injected, with approximately 13% of the errors going undetected. In contrast, no undetected data errors occur in the coded variant.
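To make the difference between the two voters concrete, the following is an added example (not code from the paper, CoRed, or the FORMUS³IC prototype). It implements a TMR majority voter twice, once on plain 32-bit values and once on AN+B coded values (a constant `A` and a static per-replica signature `B[i]`, with no D signature, as in the optimized coding of section 3-1), and then runs an exhaustive single-bit fault-injection campaign over each voter's three inputs and its selected result, classifying every run as masked, detected, or undetected data error (UD) as in the categories above. The constants `A` and `B[]`, the fault model and the classification logic are our constructions, so the resulting counts are not comparable with Table 2.

```cpp
#include <cstdint>

// Constructed constants: A must be odd so that no single bit flip (+/- 2^k) can
// turn one valid code word into another; B[i] < A is the static signature that
// tells the three replicas' values apart.
static const uint64_t A = 58659ULL;
static const uint64_t B[3] = {3ULL, 5ULL, 7ULL};

struct Fault { int target; int bit; };   // target 0..2 = replica input, 3 = selected value; bit < 0 = no fault
struct VoteResult { bool detected; uint32_t value; };
struct Tally { int masked; int detected; int undetected; };

// Models a transient 1-bit error on the read of one register.
static uint64_t flip(uint64_t v, const Fault& f, int target) {
    return (f.target == target && f.bit >= 0) ? (v ^ (1ULL << f.bit)) : v;
}

static uint64_t encode(uint32_t x, int replica) { return A * x + B[replica]; }

// Uncoded voter: plain majority, no self-check of the selected value.
VoteResult voteUncoded(const uint32_t in[3], const Fault& f) {
    uint32_t a = (uint32_t)flip(in[0], f, 0);
    uint32_t b = (uint32_t)flip(in[1], f, 1);
    uint32_t c = (uint32_t)flip(in[2], f, 2);
    uint32_t sel;
    if (a == b || a == c) sel = a;
    else if (b == c)      sel = b;
    else return {true, 0};                  // no majority: error detected
    sel = (uint32_t)flip(sel, f, 3);
    return {false, sel};                    // a flip on 'sel' leaves the voter unnoticed
}

// Coded voter: compare in the coded domain (A*x after stripping B[i]) and verify
// the residue of the selected value before it is decoded and output.
VoteResult voteCoded(const uint32_t in[3], const Fault& f) {
    uint64_t v[3];
    for (int i = 0; i < 3; ++i) v[i] = flip(encode(in[i], i), f, i) - B[i];
    uint64_t sel;
    if (v[0] == v[1] || v[0] == v[2]) sel = v[0];
    else if (v[1] == v[2])            sel = v[1];
    else return {true, 0};
    sel = flip(sel, f, 3);
    if (sel % A != 0) return {true, 0};     // residue check catches a corrupted selected value
    return {false, (uint32_t)(sel / A)};
}

// Fault-free run: both voters must return the agreed input unchanged.
uint32_t voteNoFault(bool coded, uint32_t x) {
    const uint32_t in[3] = {x, x, x};
    const Fault none = {-1, -1};
    VoteResult r = coded ? voteCoded(in, none) : voteUncoded(in, none);
    return r.detected ? 0xFFFFFFFFu : r.value;
}

// Exhaustive campaign: every bit of every target register, with three agreeing
// replicas (constructed input). Classification follows the categories above.
Tally runCampaign(bool coded, uint32_t x) {
    const uint32_t in[3] = {x, x, x};
    const int width = coded ? 64 : 32;
    Tally t = {0, 0, 0};
    for (int target = 0; target <= 3; ++target) {
        for (int bit = 0; bit < width; ++bit) {
            const Fault f = {target, bit};
            VoteResult r = coded ? voteCoded(in, f) : voteUncoded(in, f);
            if (r.detected)        ++t.detected;
            else if (r.value == x) ++t.masked;
            else                   ++t.undetected;
        }
    }
    return t;
}
```

Flips on any single input are masked by both voters, because the other two replicas still agree. The difference is the selected value: every flip there passes the uncoded voter as a wrong output, whereas the coded voter rejects all of them, since a flipped multiple of `A` is never again a multiple of `A`. This is the single point of failure that motivates coding the decision-maker rather than the application data.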

Table 2 (see PDF) – Results of fault injection (data and control flow errors) – Comparison of uncoded and coded majority decisions

The prototype currently under investigation features comprehensive error detection mechanisms that should even detect the failure of an entire core. However, limitations exist that prevent it from fully meeting the requirements of a universally applicable software solution for fault detection.

Currently, the prototype is limited to processing integer values in majority voting, as integrating floating-point numbers into the existing majority decision safeguard is not trivial. While no coded numbers are used during task execution, the majority decision safeguard relies on combinatorial comparisons of coded variables and parameters, as well as signatures. Consequently, an extension is needed to integrate floating-point numbers into the existing safeguard mechanisms.

In addition to the extension to include floating-point numbers, the masking process should also become more variable. Currently, only a relatively rigid majority decision is possible. This, in turn, places requirements on the input data; for correctness, it must have identical values. This assumption is likely to be difficult to achieve in practice, especially when using diverse redundant sensors, as variance in the sensor characteristics, for example, must be assumed.

To account for this variability, the masking process is currently being further developed. Various masking algorithms are being used that do not rely solely on absolute values to make valid decisions and take into account different tolerances regarding the input data. The configuration options are designed to allow the majority decision to be adapted to the specific application and its environmental conditions, thus covering a wide range of theoretical use cases.

3-2 Fault Injection Platform for Multi-Core Systems

A crucial step in the development cycle of reliable systems is the validation of their properties in the presence of random, permanent, or transient hardware faults. Safety guidelines for the design, development, verification, and validation of safety-critical automotive systems (e.g., ISO 26262) identify fault injection as a suitable method for validating the correct and effective implementation of functional and technical safety mechanisms.

Currently publicly available fault injection platforms could not be used due to several limitations, including the following:

  • Lack of connectivity for Infineon TriCore or ARM systems
  • Lack of mechanisms to reduce the error space and thus the experiment duration
  • Long experiment runtimes due to the use of JTAG debuggers with limited functionality and performance.
  • The need to adapt development tools of industry partners due to the use of, for example, LLVM.
  • Lack of possibility for injection onto real hardware (simulation approaches)
  • Necessity of source code manipulation (so-called fault seeding)

Due to these limitations, the decision was made to develop a standalone platform for injecting permanent and transient hardware faults onto multicore systems. The developed PyFI (Python-based Fault Injection) backend allows – by utilizing the API of the iSystem iC5000 on-chip analyzer – the injection of permanent and transient faults at the instruction set level (data/instructions) during runtime, thus generating the desired fault symptoms (data/control flow errors) at the application level.

Figure 3 (see PDF) – Phases and modules of Fault Injection [32]

PyFI extends the Fault Injection architecture proposed by Hsueh et al. [33] and divides the experiment execution into three phases: Pre-Injection Analysis, Fault Injection Campaign and Post-Injection Analysis.

During the pre-injection phase, the application undergoes both static (disassembled ELF file) and dynamic (runtime behavior) analysis. Depending on the experiment configuration, a database of faults to be injected is created. Subsequent reduction of the fault space significantly shortens the experiment runtime in advance, for example, by removing all fault locations that are registers whose contents are overwritten with each instruction execution (inject-on-read). During the campaign (fault injection campaign), the previously generated fault locations are processed, and the system behavior (traps, timeouts) and system state are recorded using the on-chip analyzer. Finally, in the post-injection analysis, the experiment recordings are evaluated, and the desired metrics are calculated.
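The fault-space reduction of the pre-injection phase can be illustrated on a register-level trace. The following is an added example, not PyFI's code: it works on a small constructed instruction trace (names and registers are ours, loosely TriCore-styled), treats every (instruction, register) pair as a candidate fault location, and maps each location to the first later instruction that reads the register before it is overwritten. Locations whose register is written before it is read again are dead and dropped; the remaining locations collapse onto the read accesses, which is the inject-on-read reduction described above.

```cpp
#include <set>
#include <string>
#include <utility>
#include <vector>

struct Instr {
    std::string text;
    std::set<std::string> reads;
    std::set<std::string> writes;
};
struct FaultLocation { size_t instr; std::string reg; };   // fault injected just before 'instr' executes

// Constructed trace; d0 is overwritten in instruction 3 before 'add d3' reads it again.
std::vector<Instr> sampleTrace() {
    return {
        {"mov  d0, 5",      {},            {"d0"}},
        {"mov  d1, 7",      {},            {"d1"}},
        {"add  d2, d0, d1", {"d0", "d1"},  {"d2"}},
        {"mov  d0, 9",      {},            {"d0"}},
        {"st.w [a0], d2",   {"a0", "d2"},  {}},
        {"add  d3, d0, d0", {"d0"},        {"d3"}},
    };
}

// All registers that appear anywhere in the trace.
std::set<std::string> registersOf(const std::vector<Instr>& tr) {
    std::set<std::string> regs;
    for (const Instr& in : tr) {
        regs.insert(in.reads.begin(), in.reads.end());
        regs.insert(in.writes.begin(), in.writes.end());
    }
    return regs;
}

// Full fault space: every register before every instruction.
std::vector<FaultLocation> fullFaultSpace(const std::vector<Instr>& tr) {
    std::vector<FaultLocation> out;
    const std::set<std::string> regs = registersOf(tr);
    for (size_t i = 0; i < tr.size(); ++i)
        for (const std::string& r : regs) out.push_back({i, r});
    return out;
}

// Index of the first instruction >= i that reads 'reg' before 'reg' is written;
// -1 means the corrupted value is overwritten (or never used) and the fault is dead.
long nextObservingRead(const std::vector<Instr>& tr, size_t i, const std::string& reg) {
    for (size_t j = i; j < tr.size(); ++j) {
        if (tr[j].reads.count(reg))  return (long)j;   // observed by this read
        if (tr[j].writes.count(reg)) return -1;        // overwritten first
    }
    return -1;
}

// Reduced fault space: one representative per equivalence class of live faults,
// i.e. exactly the (instruction, register) read accesses that can observe a fault.
std::vector<FaultLocation> reducedFaultSpace(const std::vector<Instr>& tr) {
    std::set<std::pair<size_t, std::string>> classes;
    for (const FaultLocation& loc : fullFaultSpace(tr)) {
        long j = nextObservingRead(tr, loc.instr, loc.reg);
        if (j >= 0) classes.insert(std::make_pair((size_t)j, loc.reg));
    }
    std::vector<FaultLocation> out;
    for (const std::pair<size_t, std::string>& c : classes) out.push_back({c.first, c.second});
    return out;
}
```

On the constructed trace the full space has 6 instructions × 5 registers = 30 locations, of which only 5 read accesses need to be injected; every other location either has the same effect as one of those five or is overwritten before it can be read. A real campaign would derive the read/write sets from the disassembled ELF file and the recorded runtime behaviour rather than from a hand-written trace.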

4 Summary and Outlook

The impact of the technical sub-projects (TP2, …, TP6) in the overall FORMUS³IC perspective can be described by the following results:

Adapted exchange formats (TP2) – Contribution to the development process

Adapted exchange formats (AUTOSAR, EAST-ADL) for heterogeneous multi- and many-core systems—as pursued within FORMUS³IC subproject 2—enable efficient, tool-based business processes in the development of multi-core architectures for OEMs and suppliers; this leads to cost-effective systems. Furthermore, by supporting the description of parallelism, guidelines for practical application are created, resulting in increased development efficiency while simultaneously enabling better maintainability and reusability.

Additions to the AUTOSAR Standard (TP2) – Contribution to the development process and architecture

Several extensions to the AUTOSAR standard have been developed because classic AUTOSAR uses static priority assignment. Corridor scheduling is one example of such an extension.

Gang Scheduling with Efficient Task Management (TP2) – Contribution to Real-Time Architecture

The scheduling concept was therefore extended for Global EDF based on an implementation adapted for gang scheduling. This extension enables good scalability for global scheduling. Reusing this concept is possible.

Increasing information security (TP2) – Contribution to reliability

The RES library was developed. A vulnerability analysis and hardening were carried out. Reuse of the developed information security concept is possible.

High Automotive Safety Integrity Level (ASIL) with safety concept (TP3) – contribution to the architecture

A fault redundancy concept has been developed for applications in the areas of powertrain, combustion engine control, transmission control, and domain controllers, meeting the highest real-time requirements for application software (maximum response time). This enables efficient fault detection and correction.

New Fault Injection Concepts for Microcontrollers (TP3) – Contribution to Hardware Product

Contribution to the new Fault Injection platform at Infineon.

Further development of the ADAS framework XKLAF (TP4)

For the development of ADAS software, the industrial project partner XKRUG offers the XKLAF Rapid Prototyping Platform as a virtual control unit based on x86 or ARM for vehicle use under AUTOSAR, on which the software components (SWC) for the later series control unit are developed.

The findings of the project will directly inform XKLAF's product development for future universal control units, enabling OEMs and TIER1s to integrate functional development into test vehicles and evaluate it in real time.

New development tools for semiconductor manufacturers (TP4) – Contribution to the toolchain

The results of this sub-project also have a decisive influence on the partner Infineon for the future provision of tools for software development with the AURIX microcontroller. Specifically, a detailed investigation was conducted regarding the suitability of the models for the AURIX and the SPU accelerator core under Platform Architect, in the form of stress tests with signal-intensive algorithms.

New sensor fusion algorithms (TP4) – Contribution to reliable algorithms

Newly developed sensor fusion algorithms for person detection from camera data and signal preprocessing have revealed important insights for future applications of the AURIX in ADAS applications. This includes, among other things, the efficient implementation of a Kalman filter and a memory-optimized variant of the DBSCAN method on a TriCore core.

Timing analysis methods for ARM and GPU architectures (TP4) – Contribution to runtime analysis

Using example code provided by FAU for TA for radar signal processing and for processing optical camera data, reliable statements about the runtime for ARM and GPU architectures were determined using measurements on the Nvidia Drive PX 2 development board.

Supercore Pattern and Task Parallelism (TP5) – Contribution to the Architecture of Parallel Heterogeneous Platforms

The architectural concepts discovered for multicore processors, GPUs and FPGAs are of great importance to Audi and Continental and help in the further development of software architectures for future platforms.

High-reliability redundancy architecture for autonomous air taxis (TP6) – Contribution to the architecture for small, autonomously operating aircraft

Providing a reliable redundancy architecture implemented exclusively with available onboard peripherals. This eliminates the need for additional hardware such as ASICs or FPGAs, which are typically used to implement redundancy functionality. In addition to reduced product costs for the hardware to be developed, this also results in savings in space, performance, and weight.

Quadruplex architecture as a reference (TP6) – Contribution to Fail-Operational Architectures

The reuse of a cost-effective implementation of triplex or quadruplex systems for automotive and transportation systems becomes possible.

Website of the FORMUS³IC research project

https://formus3ic.de/

Acknowledgements

This publication was supported by the Bavarian Research Foundation, joint project FORMUS3IC "Multi-Core safe and software intensive Systems Improvement Community", grant number AZ-1165-15.


Authors

Lukas Osinski M.Sc. (lukas.osinski@oth-regensburg.de) is pursuing his doctorate in the field of functional safety for multi- and many-core systems within the FORMUS³IC project at the Laboratory for Safe and Secure Systems (LaS³) of the OTH Regensburg. His research focuses particularly on software methods for fault-tolerant systems.

ZD.B¹ Research Professor Dr. Jürgen Mottok (juergen.mottok@oth-regensburg.de), project manager, teaches computer science at OTH Regensburg. His teaching areas are software engineering, programming languages, real-time systems, functional safety, and IT security. He is the scientific director of the Laboratory for Safe and Secure Systems (LaS³, https://www.las3.de) in Regensburg, second vice-chairman of the Bavarian Cluster of IT Security and Safety, an advisor to the Automotive Forum for Security Software Systems, an advisor to ASQF Safety, a member of the steering committee of the East Bavarian regional group of the German Informatics Society (Gesellschaft für Informatik), organizer of the Software Engineering Didactics Working Group of Bavarian Universities, chairman of the Association for Teaching Software Engineering (LeSE eV), and project manager of the research projects VitaS³, PetS³, PeCall, S³OP, S³EMO, AMALTHEA, AMALTHEA4public, ES³M, FORMUS³IC, ZeloS³, FraLa, S³CORE, and EVELIN, all of which feature cooperative doctoral programs. Prof. Dr. Jürgen Mottok serves on the program committees of numerous scientific conferences. He is a recipient of the Award for Outstanding Teaching, conferred by the Bavarian State Ministry for Science, Research and the Arts in 2010. On December 4, 2015, Prof. Dr. Jürgen Mottok received the "Award for outstanding achievements in cooperation between business and science".

¹ Center for Digitalization Bavaria (ZD.B), Seybothstrasse 2, 93053 Regensburg


Published by

weissblau media