DECOS: An Integrated Time-Triggered Architecture
2008
Depending on the physical structuring of large distributed safety-critical real-time systems, one can distinguish federated and integrated system architectures. This paper describes an integrated system architecture, which combines the complexity management advantages of federated systems with the functional integration and hardware benefits of an integrated approach. In order to control complexity, the overall functionality is divided into a set of application subsystems, each with dedicated architectural communication services, allowing developers to act as if they were building an application for a federated architecture. The introduced architecture builds upon the validated services of a time-triggered core architecture, which provides a physical network as a shared resource for the communication activities of more than one application subsystem. The communication resources are encapsulated and multiplexed between application subsystems. In analogy, encapsulated partitions are used to share node computers among software modules of multiple application subsystems. Architectural encapsulation mechanisms ensure that the assumptions and abstractions performed in the functional system structuring also hold after combining the different subsystems on the target platform.
An integrated architecture for future car generations
- In Proc. of the 8th IEEE Int. Symposium on Object-oriented Real-time distributed Computing, 2005
The DECOS architecture is an integrated architecture that builds upon the validated services of a time-triggered network, which serves as a shared resource for the communication activities of more than one application subsystem. In addition, encapsulated partitions are used to share the computational resources of Electronic Control Units (ECUs) among software modules of multiple application subsystems. This paper investigates the benefits of the DECOS architecture as an electronic infrastructure for future car generations. The shift to an integrated architecture will result in quantifiable cost reductions in the areas of system hardware cost and system development. In the paper we present a current federated Fiat car E/E architecture and discuss a possible mapping to an integrated solution based on the DECOS architecture. The proposed architecture provides a foundation for mixed-criticality integration with both safety-critical and non-safety-critical subsystems. In particular, this architecture supports applications up to the highest criticality classes (10^-9 failures per hour), thereby taking into account the emerging dependability requirements of by-wire functionality in the automotive industry.
Keywords: real-time systems, system architectures, automotive electronics, communication networks, legacy systems, dependability, component-based integration
MDA-Based Development in the DECOS Integrated Architecture – Modeling the Hardware Platform
- Proc. of the 9th IEEE Int. Symp. on Object and Component-Oriented Real-Time Distributed Computing (ISORC), 2006
Reduced time-to-market in spite of increasing the system’s functionality, reuse of software on different hardware platforms, and the demand for performing validation activities earlier in the development phase raise the need for revising the state-of-the-art development methodologies for distributed embedded systems. The Model Driven Architecture is a design methodology addressing these emerging requirements. Developing embedded systems according to this model-based paradigm requires a platform-independent representation of the functionality of the application as well as a precise model of the targeted hardware platform. In this paper we introduce a meta-model for capturing the resources of hardware platforms realizing the DECOS architecture, which is an integrated time-triggered architecture aimed at the development of distributed embedded systems. Furthermore, we present a tool chain based on this meta-model that speeds up the modeling process and reduces the likelihood of human errors by facilitating the reuse of hardware building blocks from libraries.
A fault hypothesis for integrated architectures
- In Proc. of the 4th Int. Workshop on Intelligent Solutions in Embedded Systems, 2006
Integrated architectures in the automotive and avionic domain promise improved resource utilization and enable a better tactic coordination of application subsystems compared to federated systems. In order to support safety-critical application subsystems, an integrated architecture needs to support fault-tolerant strategies that enable the continued operation of the system in the presence of failures. The basis for the implementation and validation of fault-tolerant strategies is a fault hypothesis that identifies the fault containment regions, specifies the failure modes and provides realistic failure rate assumptions. This paper describes a fault hypothesis for integrated architectures, which takes into account the collocation of multiple software components on shared node computers. We argue in favor of a differentiation of fault containment regions for hardware and software faults. In addition, the fault hypothesis describes the assumptions concerning the respective frequencies of transient and permanent failures in consideration of recent semiconductor trends.
A Comparison of Partitioning Operating Systems for Integrated Systems
- Accepted for publication at SAFECOMP’07
In present-day electronic systems, application subsystems from different vendors and with different criticality levels are integrated within the same hardware. Hence, encapsulation of these subsystems is required in the temporal as well as in the spatial domain. Partitioning Operating Systems (OSs) are employed to allow shared access of applications to critical resources within an integrated system. In this paper we will discuss fundamental properties of partitioning OSs and compare features of existing solutions. Thereby, we will investigate on LynxOS which is a partitioning OS according to ARINC653, on Tresos, a partitioning OS in accordance with AUTomotive Open System ARchitecture (AUTOSAR), as well as on two prototypical partitioning OS realizations that have been implemented within the Dependable Embedded
Formal specification of gateways in integrated architectures
- In Proc. of 6th IFIP Workshop on Software Technologies for Future Embedded & Ubiquitous Systems (SEUS 2008), LNCS 5287, Capri Island, 2008
Complex embedded computer systems can encompass multiple application subsystems, such as a multimedia, a powertrain, a comfort and a safety subsystem in the in-vehicle electronic system of a typical premium car. Information exchanges between these application subsystems are essential to realize composite services that involve more than one application subsystem and to reduce redundant computations and sensors. A major challenge is to resolve the property mismatches at the interfaces between application subsystems, such as incoherent naming, divergent syntax, or different communication protocols. Also, fault isolation capabilities are required to prevent common mode failures induced by the propagation of faults between application subsystems. The contribution of this paper is a formal specification of gateways that contain structured collections of time-sensitive variables associated with timing information (called real-time databases) in order to separate the application subsystems. The formal specification can serve as a basis for automatic code generation or formal verification.
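The gateway described in this abstract is, from a security engineer's point of view, a controlled interface: only configured state variables cross between subsystems, each carries its producer's timestamp, and a consumer can refuse a value that is too old. The following is an added illustration of that idea, not the paper's formal specification and not DECOS code; the variable names (v_veh_mps, vehicle_speed_kmh, n_eng_rpm, dbg_blob), the unit conversion, and all timestamps and validity intervals are assumed for the example.

```python
"""Gateway between two application subsystems, built on real-time databases.

Constructed illustration, not the paper's formal specification. Variable names,
units, timestamps and validity intervals are assumed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Entry:
    value: float
    timestamp: float   # observation time (ms) stamped by the producer
    validity: float    # interval (ms) during which the value counts as current


class RealTimeDatabase:
    """State store: one slot per variable, overwrite semantics, no message queue."""

    def __init__(self) -> None:
        self._entries: Dict[str, Entry] = {}

    def write(self, name: str, value: float, timestamp: float, validity: float) -> None:
        self._entries[name] = Entry(value, timestamp, validity)

    def read(self, name: str, now: float) -> Optional[Entry]:
        """Return the entry only while it is temporally valid.

        None for an unknown variable, a stale value (older than its validity)
        or a value stamped in the future (a clock or producer fault)."""
        e = self._entries.get(name)
        if e is None:
            return None
        age = now - e.timestamp
        if age < 0 or age > e.validity:
            return None
        return e


@dataclass(frozen=True)
class Rule:
    """Resolves one property mismatch: name, unit/syntax, and validity on the far side."""
    src: str
    dst: str
    convert: Callable[[float], float]
    validity: float


class Gateway:
    """Forwards only the configured state variables from one database to another."""

    def __init__(self, src_db: RealTimeDatabase, dst_db: RealTimeDatabase, rules: List[Rule]) -> None:
        self.src_db, self.dst_db, self.rules = src_db, dst_db, rules

    def forward(self, now: float) -> List[str]:
        forwarded = []
        for rule in self.rules:
            e = self.src_db.read(rule.src, now)   # unknown, stale or future-stamped entries stop here
            if e is None:
                continue
            # keep the producer's timestamp so the consumer can judge the age itself
            self.dst_db.write(rule.dst, rule.convert(e.value), e.timestamp, rule.validity)
            forwarded.append(rule.dst)
        return forwarded


def demo():
    """Constructed scenario: one good value, one future-stamped value, one unconfigured variable."""
    powertrain, comfort = RealTimeDatabase(), RealTimeDatabase()
    gw = Gateway(powertrain, comfort, [
        Rule("v_veh_mps", "vehicle_speed_kmh", lambda v: v * 3.6, validity=100.0),
        Rule("n_eng_rpm", "engine_speed_rpm", lambda v: v, validity=50.0),
    ])
    powertrain.write("v_veh_mps", 25.0, timestamp=1000.0, validity=20.0)
    powertrain.write("n_eng_rpm", 3000.0, timestamp=1200.0, validity=20.0)  # future stamp: faulty producer
    powertrain.write("dbg_blob", 1.0, timestamp=1000.0, validity=20.0)      # no rule: never crosses
    forwarded = gw.forward(now=1010.0)
    fresh = comfort.read("vehicle_speed_kmh", now=1050.0)   # age 50 ms <= 100 ms
    stale = comfort.read("vehicle_speed_kmh", now=1200.0)   # age 200 ms > 100 ms
    return forwarded, fresh, stale


if __name__ == "__main__":
    print(demo())
```

Because the database is state-based (one slot per variable, overwritten on each write) rather than a queue, a subsystem that floods the gateway cannot build up a backlog on the far side, and because forwarding is driven by the rule list, a variable nobody configured never appears in the destination database.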
Model-Based Development of Integrated Computer Systems: Modeling the Execution Platform
The DECOS architecture provides a framework for integrating multiple application systems within a single distributed computer system. Since the DECOS architecture aims at applications in the automotive, avionic, and industrial control domain, including applications up to the highest criticality level, the design and development process of DECOS-based integrated computer systems is of utmost importance. Within the DECOS project a model-based development process is devised which aims at enabling a reduced time-to-market in spite of increasing the system’s functionality, the reuse of application software on different instantiations of the DECOS platform, and performing validation activities earlier in the development phase of integrated computer systems. In this paper we outline the overall model-based development process of integrated computer systems based on the DECOS architecture with a strong focus on the modeling of the DECOS execution platform. Additionally, we present a novel graphical model editor based on GME for capturing the execution platform in the model-based development process.
The Fault Assumptions in Distributed Integrated Architectures
2007
Distributed integrated architectures in the automotive and avionic domain result in hardware cost reduction, dependability improvements, and improved coordination between application subsystems compared to federated systems. In order to support safety-critical application subsystems, a distributed integrated architecture needs to support fault-tolerance strategies that enable the continued operation of the system in the presence of failures. The basis for the implementation and validation of fault-tolerance strategies are realistic fault assumptions, which are captured in a fault hypothesis. This paper describes a fault hypothesis for distributed integrated architectures, which takes into account the sharing of the communication and computational resources of a single distributed computer system among multiple application subsystems. Each node computer serves for the execution of multiple jobs. In analogy, the communication network interconnecting the node computers has to support message exchanges of more than one application subsystem. Using a generic system model of a distributed integrated architecture, we argue in favor of a differentiation of fault containment regions for hardware and software faults. Based on these fault containment regions, we discuss the failure modes, the failure rates, the maximum number of failures, and the recovery intervals. In particular, the fault hypothesis describes the assumptions concerning the respective frequencies of transient and permanent failures in consideration of recent semiconductor trends.
Temporal Partitioning of Communication Resources in an Integrated Architecture
- IEEE Transactions on Dependable and Secure Computing, 2007
Integrated architectures in the automotive and avionic domain promise improved resource utilization and enable a better coordination of application subsystems compared to federated systems. An integrated architecture shares the system’s communication resources by using a single physical network for exchanging messages of multiple application subsystems. Similarly, the computational resources (e.g., memory, CPU time) of each node computer are available to multiple software components. In order to support a seamless system integration without unintended side effects in such an integrated architecture, it is important to ensure that the software components do not interfere through the use of these shared resources. For this reason, the DECOS integrated architecture encapsulates application subsystems and their constituting software components. At the level of the communication system, virtual networks on top of an underlying time-triggered physical network exhibit predefined temporal properties (i.e., bandwidth, latency, latency jitter). Due to encapsulation the temporal properties of messages sent by a software component are independent from the behavior of other software components, in particular from those within other application subsystems. This paper presents the mechanisms for temporal partitioning of communication resources in the DECOS integrated architecture. Furthermore, experimental evidence is provided in order to demonstrate that the messages sent by one software component do not affect the temporal properties of messages exchanged by other software components. Rigid temporal partitioning is achievable, while at the same time meeting the performance requirements imposed by present-day automotive applications and those envisioned for the future (e.g., X-by-wire). For this purpose, we use an experimental framework with an implementation of virtual networks on top of a TDMA-controlled Ethernet network.
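The property this abstract claims, that a message's bandwidth and latency do not depend on what other components do, is the same temporal encapsulation the partitioning operating systems compared above must provide on the node. The simulation below is an added example, not the authors' experimental framework and not DECOS code: it models a TDMA round whose slots are statically owned by three partitions (the names steer, media and body, the slot size and the traffic patterns are all assumed), lets one partition babble, and compares the outcome with an unpartitioned shared FIFO bus of the same total bandwidth. The point a practitioner should take away is that under TDMA a misbehaving or compromised sender only hurts itself.

```python
"""Temporal partitioning of a shared network: TDMA virtual networks vs. a shared FIFO bus.

Constructed simulation (not DECOS code). Each partition owns fixed slots of a TDMA
round; a slot carries at most SLOT_BYTES. A message is transmitted in the first
owned slot with room for it after it was enqueued. Latency is counted in rounds.
"""
from collections import deque

SLOT_BYTES = 64                         # assumed slot capacity in bytes
SCHEDULE = ["steer", "media", "body"]   # assumed slot owners of one TDMA round
PARTITIONS = sorted(set(SCHEDULE))

# Constructed traffic: partition -> (period in rounds, message size, messages per period)
QUIET = {"media": (2, 48, 1), "steer": (1, 32, 1), "body": (4, 16, 1)}
BABBLING = {"media": (1, 48, 10), "steer": (1, 32, 1), "body": (4, 16, 1)}  # media floods


def make_traffic(pattern, rounds):
    """Expand a pattern into (round, partition, size) enqueue events, in round order."""
    events = []
    for r in range(rounds):
        for part, (period, size, burst) in pattern.items():
            if r % period == 0:
                events.extend((r, part, size) for _ in range(burst))
    return events


def _new_stats(partitions):
    return {p: {"delivered": 0, "bytes": 0, "max_latency": 0, "backlog": 0} for p in partitions}


def _account(stats, now, enq_round, size):
    stats["delivered"] += 1
    stats["bytes"] += size
    stats["max_latency"] = max(stats["max_latency"], now - enq_round)


def _by_round(events):
    table = {}
    for r, part, size in events:
        table.setdefault(r, []).append((part, size))
    return table


def run_tdma(schedule, events, rounds):
    """Each partition drains only its own queue, and only in its own slots.

    Every partition that sends must own at least one slot in `schedule`."""
    queues = {p: deque() for p in schedule}
    stats = _new_stats(queues)
    arrivals = _by_round(events)
    for now in range(rounds):
        for part, size in arrivals.get(now, []):
            queues[part].append((now, size))
        for owner in schedule:                      # fixed slot order, every round
            capacity = SLOT_BYTES
            q = queues[owner]
            while q and q[0][1] <= capacity:        # whole messages only
                enq, size = q.popleft()
                capacity -= size
                _account(stats[owner], now, enq, size)
    for p, q in queues.items():
        stats[p]["backlog"] = len(q)                # undelivered messages stay with their owner
    return stats


def run_shared_fifo(partitions, events, rounds, round_bytes=SLOT_BYTES * len(SCHEDULE)):
    """No partitioning: one shared queue with the same total bandwidth per round."""
    queue = deque()
    stats = _new_stats(partitions)
    arrivals = _by_round(events)
    for now in range(rounds):
        for part, size in arrivals.get(now, []):
            queue.append((now, part, size))
        capacity = round_bytes
        while queue and queue[0][2] <= capacity:
            enq, part, size = queue.popleft()
            capacity -= size
            _account(stats[part], now, enq, size)
    for _enq, part, _size in queue:
        stats[part]["backlog"] += 1                 # everyone's backlog, not just the babbler's
    return stats


if __name__ == "__main__":
    for name, runner, arg in (("TDMA", run_tdma, SCHEDULE), ("shared FIFO", run_shared_fifo, PARTITIONS)):
        for label, pattern in (("quiet", QUIET), ("babbling media", BABBLING)):
            print(name, label, runner(arg, make_traffic(pattern, 20), 20))
```

Running it shows the steer and body statistics under TDMA are byte-for-byte identical whether or not media babbles, while media's own backlog grows; on the shared FIFO the same flood pushes steer's worst-case latency above zero rounds. The simulation counts latency in rounds and ignores jitter within a slot, which the real measurement in the paper does not.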
Platform Modeling in Safety-Critical Embedded Systems
This paper describes a model-based development process for safety-critical embedded real-time systems that are based on the DECOS integrated architecture. The DECOS architecture guides system engineers in the development of complex embedded real-time systems by providing a framework for integrating multiple application systems within a single distributed computer system. This integration is supported by a model-based development process which enables the reuse of application software on different instantiations of the DECOS platform, performing validation activities earlier in the development phase, and a reduced time-to-market in spite of increasing system functionality. For this purpose, model-based development in DECOS distinguishes between the capturing of the application functionality in a platform-independent model and the specification of the characteristics of the execution platform in the platform model. In this paper, we focus on the modeling of the execution platform and present a novel graphical model editor based on GME for specifying the DECOS execution platform. A platform meta-model expressed using UML and OCL constrains developers in such a way that the ensuing system becomes more dependable, maintainable and supports composability.
Keywords: Model-based design; Integrated architectures; Embedded real-time systems

