Optimizations of an Application-Level Protocol for Enhanced Dependability in FlexRay

DATE 2009 1

Optimizations of an Application-Level Protocol for Enhanced Dependability in FlexRay

Wenchao Li1, Marco Di Natale2, Wei Zheng1, Paolo Giusto3,

Alberto Sangiovanni-Vincentelli1, Sanjit A. Seshia1

1UC Berkeley 2Scuola Superiore S. Anna

3General Motors

DATE 2009 2

Introduction

[IMG: www.autofieldguide.com]

DATE 2009 3

CAN vs. FlexRay

FlexRay- Capable of 10 Mbps

communication- Time-triggered and

event-triggered communication

- Reliable- Clock

Synchronization- Clique Detection- Bus Guardian

CAN- Max 1 Mbps;- Protocol overhead of

> 40%;- Contention resolved

by priority.- Acknowledgment

and retransmission when message is corrupted

DATE 2009 4

Motivation

The current error-management scheme instructs the receiver to discard a corrupted frame.

Need for application-level protocol for enhanced dependability, such as an acknowledgement-retransmission scheme which exists in CAN.

DATE 2009 5

Challenge

The main challenge of implementing the fault recovery scheme is finding available transmission time in slots that can be used for acknowledgment and retransmission.

DATE 2009 6

Agenda

Introduction Motivation

Preliminaries and Related Work Tool Flow and MILP Formulation

Case Study Conclusion

DATE 2009 7

FlexRay

[FlexRay Specification v2.1]

DATE 2009 8

FlexRay

[FlexRay Specification v2.1]

DATE 2009 9

Related Work

Schedulability analysis of the FlexRay communication protocol [Pop’08]

Embedded System Design for Automotive Applications [Sangiovanni-Vincentelli’07]

NO previous work on optimizing FlexRay schedule for fault-tolerance.

DATE 2009 10

Objective

We define Fault Recovery Rate (FRR) as

the percentage of faulty messages guaranteed to be retransmitted before their deadlines.

Objective: maximize FRR

How: optimize remaining static slot assignments to ECUs to allow placement of acknowledgements and retransmissions in static slots on top of an existing schedule.

DATE 2009 11

Agenda

Introduction Motivation

Preliminaries and Related Work Tool Flow and MILP Formulation

Case Study Conclusion

DATE 2009 12

Tool Flow

Schedule

Schedule with recovery allocation

Optimized Acknowledgment

and Retransmission Scheme

Task Graph

FlexRay Scheduler

1st: Optimize FRR

2nd: Optimize allocation

DATE 2009 15

Assumptions

Hard Real Time Constraints Fixed Schedule

minimum changes to the existing subsystems. Fault Hypothesis:

Fault Mode: fault can behave inconsistently to different ECUs;

Fault Arrival Rate*: one per application cycle; Acknowledgments are represented as a single bit. Delay in CRC/adapter is not modeled Error on messages is uniformly random

DATE 2009 16

Assumptions

Fault rate data in CAN is used to understand the challenges in FlexRay

Bit Error Rate (BER) for CAN [Ferreira’04]

Benign: 3 £ 10-11

Normal: 3.1 £ 10-9

Aggressive: 2.6 £ 10-7

Without a fault-tolerant mechanism, the number of errors per hour can be between 0.22 and 1.

If one error per cycle is masked, the number of errors per hour is between 3 £ 10-8 and 4.86 £ 10-1.

DATE 2009 17

MILP Formulation

Parameters: ECUs E: {ECUi} Messages Mi: {wi, msi, mci, di, sei, dei} Number of cycles nc, number of slots ns

Schedule matrix ns £ nc

Variables*: Message Mi: {fi, rsi, rci, asij, acij} Static slot Si: ownij

DATE 2009 18

MILP Formulation II

Some Constraints: Acknowledgments are placed iff the original

message is protected against faults

8 i, j : {1 · i · nm, j 2 dei} and M is large enough constant

fi · asij · M £ fi

fi · acij · M £ fi

DATE 2009 19

MILP Formulation III

Retransmissions must follow acknowledgments

8 i s.t. 1 · i · nm, 8 j 2 dei,

(fi ! (asi + (aci – 1)ns · rsij + (rcij – 1)ns))

Corresponding linear inequality is:

asij + (acij-1)ns – ri – (ri – 1)ns · M(1 – fi)

DATE 2009 20

MILP Formulation IV

Two-stage optimization 1st: optimize the fault recovery rate.

maximize: fi

2nd: optimize the placement of acknowledgement and retransmission such that latency is minimized.

8 i minimize: rsi + (rci – 1) £ ns

DATE 2009 21

Agenda

Introduction Motivation

Preliminaries and Related Work Tool Flow and MILP Formulation

Case Study Conclusion

DATE 2009 22

Case Study I A real schedule for an x-by-

wire application configuration from General Motors: 10 ECUs, 22 static slots, 8 cycles, 78 messages, 56 tasks.

DATE 2009 23

Case Study II

Optimal fault recovery rate is 55.1% (43/78 messages)

vs. 40.8% (random slot assignment) vs. 33.3% (no using unassigned slots)

Placements of acknowledgments and retransmissions can be optimized in a greedy fashion after slot assignments are optimized.

DATE 2009 24

Discussion

Recovery rate changes as the load increases.

DATE 2009 25

Conclusion

A MILP formualation for implementing an application-level acknowledgment and retransmission scheme in FlexRay.

Drawbacks: Works on top of an existing schedule Works only on the static segment Limited configuration change.

DATE 2009 26

Ongoing Work

Extend it to handle different criticalities on messages

Reschedule for more vacancies Combine this with a scheduling

formulation Dynamic window Lift fault tolerance analysis to control

algorithm

DATE 2009 27

Acknowledgment Hellman Family Faculty Fund Gigascale Systems Research Focus Center ArtistDesign network of Excellence STREP project COMBEST

DATE 2009 28

Q & A

Thank you!