<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Automotive Real-time Operating Systems: A Model-Based Configuration Approach</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Georg Macher</string-name>
          <email>georg.macher@tugraz.at</email>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Muesluem Atas</string-name>
          <email>muesluem.atas@avl.com</email>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Christian Kreiner</string-name>
          <email>christian.kreiner@tugraz.at</email>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Eric Armengaud</string-name>
          <email>eric.armengaud@avl.com</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Model-based development, traceability, embedded operating</string-name>
          <xref ref-type="aff" rid="aff3">3</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>AVL List GmbH</institution>
          ,
          <addr-line>Hans-List-Platz 1, Graz</addr-line>
          ,
          <country country="AT">Austria</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Institute for Technical</institution>
          ,
          <addr-line>Informatics</addr-line>
          ,
          <institution>Graz University of Technology, AVL List GmbH</institution>
          ,
          <addr-line>Graz</addr-line>
          ,
          <country country="AT">AUSTRIA</country>
        </aff>
        <aff id="aff2">
          <label>2</label>
          <institution>Institute for Technical</institution>
          ,
          <addr-line>Informatics</addr-line>
          ,
          <institution>Graz University of Technology</institution>
          ,
          <addr-line>Graz</addr-line>
          ,
          <country country="AT">Austria</country>
        </aff>
        <aff id="aff3">
          <label>3</label>
          <institution>systems</institution>
          ,
          <addr-line>OSEK OIL, ISO 26262, RTOS.</addr-line>
          ,
          <country country="US">USA</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2014</year>
      </pub-date>
      <abstract>
        <p>Automotive embedded systems have become very complex and are strongly integrated, and the safety-criticality and real-time constraints of these systems raise new challenges. Distributed system development, short time-to-market intervals, and automotive safety standards (such as ISO 26262 [8]) require efficient and consistent product development along the entire development lifecycle. The automotive OSEK/VDX standard provides an architecture for distributed real-time units in vehicles and a language for specifying the configuration of real-time OSEK operating systems. The aim of this paper is to enhance a model-driven system-engineering framework with the capability of generating OS configurations from existing high-level control system information. A further aim is to enable updating stored information from OSEK Implementation Language (OIL) files and to support round-trip engineering of real-time operating system (RTOS) configurations. This enables the seamless description of automotive RTOS, from system-level requirements to software implementation, and therefore ensures consistency and correctness of the configuration. To that aim, a bidirectional tool bridge is proposed based on OSEK OIL exchange format files.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>Categories and Subject Descriptors</title>
      <p>D.4.7 [Operating Systems]: Organization and Design; D.2.3
[Software Engineering]: Coding Tools and Techniques</p>
    </sec>
    <sec id="sec-2">
      <title>1. INTRODUCTION</title>
      <p>The number of embedded systems in the automotive
domain has grown significantly in recent years. This trend
is also strongly supported by the ongoing replacement of
traditional mechanical systems with modern embedded
systems. This enables the deployment of more advanced
control strategies, thus providing added value for the customer
and more environmentally friendly vehicles. At the same time,
the higher degree of integration and the safety-criticality of
the control application raise new challenges. Evidence of
correctness of the different applications, both in the time
domain and value domain, possibly running on the same
computing platform, has to be guaranteed. In parallel, new
computing architectures with services integrated in
hardware require new software architectures and safety concepts.</p>
      <p>
        Safety standards such as ISO 26262 [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ] for road vehicles
have been established to provide guidance during the
development of safety-critical systems. These standards rely
on risk identification and mitigation strategies. They target
early hazard identification as well as solid countermeasure
specification, implementation and validation along the entire
product life cycle. One challenge in this context is to
provide evidence of consistency, correctness, and completeness
of system specifications over different work-products along
the entire product development process. This is a required
basis for the development of dependable systems.
Moreover, the consolidation of the system specification enables
early bug finding and thus supports reducing the costs for
bug fixes and late re-design.
      </p>
      <p>To handle these issues, model-based development
supports the description of the system under development in
a more structured way, and enables different views for different
stakeholders, different levels of abstraction, and a central
source of information.</p>
      <p>
        The contribution of this paper is to bridge the existing gap
between model-driven system engineering tools and software
engineering tools for automotive real-time operating systems
(RTOS). More specifically, the approach makes use of
existing high-level control system information in SysML format to
generate the configuration of automotive real-time operating
systems in a standardized OSEK Implementation Language
file format (OIL files) [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ]. Information from the control
system (such as control strategies) can thus be mapped to
a configuration at software level (e.g., required interfaces to
other SW components, allocation to a CPU respectively to
a task). The goal is to support a consistent and traceable
refinement, as required by the ISO 26262 standard, from the early
concept phase to individual configurations of the RTOS.
      </p>
      <p>The document is organized as follows: Section 2 presents
an introduction to OSEK/VDX and OSEK OIL. Then,
model-based development and integrated tool chains, as well as
the base tool-chain for this approach, are presented in
Section 3. In Section 4 a description of the proposed approach
for the generation of RTOS configuration files according to
the OIL standard is provided. An application and evaluation of
the approach is presented in Section 5. Finally, this work
is concluded in Section 6 with an overview of the presented
approach.</p>
    </sec>
    <sec id="sec-3">
      <title>2. OSEK/VDX RTOS OVERVIEW</title>
      <p>The German OSEK consortium (German abbreviation for
open systems and their interfaces for electronics in motor
vehicles) was founded in 1993 by several German automotive
companies. VDX (Vehicle Distributed eXecutive) was the
French counterpart from the French car manufacturers' side,
which regrouped the OSEK/VDX consortium in 1994.</p>
      <p>
        OSEK/VDX is an open standard for specifications for
embedded real-time operating systems (RTOS), designed to
provide a standard software architecture for the various
electronic control units (ECUs), and partially standardized in
ISO 17356 [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ].
      </p>
      <p>
        The work of the OSEK/VDX consortium is today
continued by the AUTOSAR consortium [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ], which is based on
OSEK/VDX specifications. To describe the configuration of
an OSEK RTOS, OSEK Implementation Language (OIL)
files are intended to be used. These files can be generated
manually or via configuration tools. OIL files include all
object containers and information required to configure the
RTOS of one specific ECU.
      </p>
    </sec>
    <sec id="sec-4">
      <title>2.1 OSEK Implementation Language</title>
      <p>As mentioned previously, OIL files use a
normalized description language for OS configuration and related
objects. OIL files are commonly used in the automotive
domain to configure the real-time operating systems of
individual ECUs. This is frequently done manually, due to the
simple human-readable structure of OIL files and the lack of
tools supporting an automated information exchange. OIL
files typically consist of implementation-specific definitions,
which are closely related to the hardware (ECU) in use and
specify the OIL objects with all their possible attribute
properties.</p>
      <p>Due to the introduction of multi-core real-time systems
and the awareness of safety-criticality of such systems, tool
support and automation of OIL generation become
increasingly relevant. Examples of safety-related configuration
parameters contained in the OIL file are shared task
resources or task priorities.</p>
    </sec>
    <sec id="sec-5">
      <title>2.2 OSEK Related Tools and Publications</title>
      <p>To our knowledge most development frameworks do not
include a tool for automatic OIL file generation from prior
information of previous development stages at a higher
abstraction level. Nevertheless, within this work tool
information for commercial tools has been omitted due to
non-exhaustiveness of such an overview and the fact that this
information can be found up-to-date on the respective
website (e.g., Vector OIL Configurator or GOB - GUI based OIL
Builder).</p>
      <p>Most frameworks either require manual generation of OIL
files by the developer, or they provide a dedicated graphical
user interface for support and guidance while generating the
OIL file. Figure 1 shows a comparison of the same OIL file
in typical editor view and in a guided graphical
representation within an Eclipse-based development framework. Many
available OIL file configurators provide such a representation
of the OIL information. They thus provide guidance to
minimize configuration failures, but do not reduce workload or
speed up the generation of OIL files. Also the import of
prior available information is very limited.</p>
      <p>
        SmartOSEK's visual designer [
        <xref ref-type="bibr" rid="ref17">17</xref>
        ] makes use of a DSL
(domain-specific language) approach. The visual designing tool
enables modeling of applications in a graphical way and
automatic generation of OIL files. The main drawback of this
approach is the missing ability to feed information back
into the model.
      </p>
      <p>
        Most OIL configurators focus on generating OIL files at
software development level, such as in the work of Koester
et al. [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ]. The main disadvantage here is that prior
information of previous development phases cannot be used for
timing analysis or has to be transferred manually.
      </p>
      <p>
        Kim et al. [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ] suggest a lightweight AUTOSAR software
platform and additional extensions of OSEK OIL files. The
presented approach focuses on adding extensions to OIL
files, rather than supporting automated generation of OIL
files.
      </p>
      <p>
        The work of Yang et al. [
        <xref ref-type="bibr" rid="ref16">16</xref>
        ] presents a conversion of UML
models into OSEK/VDX models for simulation and
optimization of the system design. The authors claim that by
converting UML representations into OSEK/VDX models
productivity can be improved, correctness of development
artifacts can be ensured more easily, and documentation can
be provided with less effort and better quality.
      </p>
      <p>
        Gu et al. [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ] focus on the description of automated
mechanisms for generating application code and seamless
integration of models for software development, but do not provide
methods for the transformation of UML and OSEK artifacts.
      </p>
    </sec>
    <sec id="sec-7">
      <title>3. MODEL-BASED DEVELOPMENT AND INTEGRATED TOOLCHAINS</title>
      <p>This section provides a brief overview of model-based
development (MBD) tools and related works, as well as the
basic MBD framework of the presented approach. Again,
a tool overview of commercial tools has been omitted due
to non-exhaustiveness and easy up-to-date online access of
such information on the respective website (e.g., Enterprise
Architect, Artisan Studio, EB studio, PREEvision).</p>
    </sec>
    <sec id="sec-8">
      <title>3.1 Model-Based Development Tools and Publications</title>
      <p>
        Fabbrini et al. [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ] provide an overview of software
engineering in the European automotive industry and present
tools, techniques and countermeasures to prevent faults. This
work highlights the importance of tool integration and
model-based development approaches.
      </p>
      <p>
        Broy et al. [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ] mention model-based development as the
best approach to manage the large amount of information
and complexity of modern embedded systems. The authors
also illustrate why seamless solutions have not been achieved
so far, mention commonly used solutions, and problems that
arise by using an inadequate toolchain (e.g. redundancy,
inconsistency and lack of automation). This work presents
basic ideas and concepts of MBD, but not detailed solutions.
      </p>
      <p>
        The work of Holtmann et al. [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ] also highlights process and
tooling gaps between different development process steps.
A model-based development process is presented which
conforms with the process reference model of Automotive SPICE.
With this use-case the authors highlight the lack of
automation for artifact traceability and missing guidelines for model
selection at varying abstraction levels. The work exposes
two important gaps: First, missing links between system
level tools and software development tools. Second,
inconsistency and redundant information, due to various very
specific tools and a lack of automated information transfer.
      </p>
      <p>
        Giese et al. [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ] also highlight the step from system design
to software design as critical. System design models have to
be correctly transferred to the software engineering model,
and later changes must be kept consistent.
      </p>
      <p>
        The work of Quadri and Sadovykh [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ] presents approaches
for novel model-driven techniques and new tools supporting
design, validation, and simulation. The authors highlight
the possibility of high level model analysis for schedulability
and use a subset of UML and SysML for their approach.
However, configuration of real-time operating systems
accounting for timed resource constraints is not addressed in
this work.
      </p>
    </sec>
    <sec id="sec-9">
      <title>3.2 Basic Framework</title>
      <p>
        A brief overview of the model-based development toolchain
in use and the related preliminary work for the toolchain of
the proposed approach is given in this section. The
prototype of our toolchain, proposed by Mader [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ], is a
specific implementation of a tool-independent and
language-independent methodology to support continuous safety
analyses of system architecture development according to ISO
26262 [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ].
      </p>
      <p>
        The basic concept behind this framework is to have a
consistent information repository as central source of
information. The toolchain allows different engineering domains to
work on one model which provides traces between different
artifact types, and ensures timeliness of data. Extensions for
the modeling tool (Enterprise Architect®) ensure seamless
and consistent transition of information between the
repository and various adequate special-purpose tools (such as OS
configurators). This approach also entails an organizational
switch from document-centric development approaches to a
seamless model-based development approach. For a more
detailed overview of the concept and toolchain as a whole
see [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ].
      </p>
    </sec>
    <sec id="sec-10">
      <title>4. OVERVIEW OF THE CONTRIBUTION</title>
      <p>The contribution proposed in this paper is an extension of
the previously mentioned framework towards RTOS
configuration. The contribution (see also highlighting in Figure 3)
comprises the following aspects:</p>
      <p>UML modeling framework extension: Enhancement of
the software UML profile for visualization and
processing of OSEK OIL files. This enables configuration of the
OSEK OS from previously available constraints.</p>
      <p>OIL file generator: An extractor which automatically
generates OIL files from existing information at
system development level. This ensures consistency of
the specification and implementation for the RTOS.</p>
      <p>OIL file importer: The importer supports round-trip
engineering by re-importation of information updates
from OIL files.</p>
      <p>
        This proposed extension is a constituent of the proposed
toolchain in [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ] to close the gap between system-level
development at abstract UML-like representations and RTOS
configuration at software-level. This bridging extends the
work presented in [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ] on basic software level, guarantees
consistency of information due to the single source of
information principle, and shares information more precisely and
accurately. The approach minimizes redundant manual
information exchange between tools and also takes ISO 26262
requirements (especially traceability) and constraints into
account.
      </p>
      <p>Figure 3 shows the conceptual overview of the tool-chain
and highlights the OS configuration part. As can be seen
from the figure, a lack of tool support for information
transfer between system development tools and basic software
development tools exists, which has been reduced by the
proposed approach. The tight linking of the independent
system development and OS configuration tools into a
seamless model-based development toolchain interacting via OIL
files further allows the inclusion of additional tools, such as
scheduling analysis tools, seamlessly into the toolchain.</p>
    </sec>
    <sec id="sec-11">
      <title>4.1 UML Modeling Framework Extension</title>
      <p>The UML profile add-on allows a graphical visualization
and processing of OSEK OIL objects. Figure 2 shows a
cutout of the profile. This additional information enables
the mapping of tasks to a specific core and clear arrangement
of dependencies and shared resources in terms of multi-core
development. Furthermore, the profile offers an intuitive
graphical way of generating OSEK OS configurations and
highlighting functionality for safety-related software tasks
and resources. This enables traceable
automatic generation of OIL file configurations, which is of
increasing significance for safety-critical system
development according to ISO 26262 and for traceability. Note that
this profile has been integrated in the existing framework
described in Section 3.2. Consequently, the system description
can be refined down to the operating system, thus
improving architecture consistency across skill boundaries (such as
systems and software engineering).</p>
    </sec>
    <sec id="sec-12">
      <title>4.2 OIL File Generator</title>
      <p>The second part of the approach is an exporter capable of
exporting the RTOS configuration available from the SysML
model to an OIL file. The exporter generates OIL files
enriched with the available system and safety development
artifact traces (such as required ASIL of task implementation).
Most state-of-the-art software development frameworks are
able to configure the RTOS according to the specifications
within such an OIL file. Consequently, the use of this
exporter additionally improves communication of the (safety)
context to the software experts in their native development
tools, thus improving the consistency of the product
development. Furthermore, the toolchain is capable of multi-core or
multi-system development; therefore the generation of OIL
files is selectable for individual cores.</p>
    </sec>
    <sec id="sec-13">
      <title>4.3 OIL File Importer</title>
      <p>The third part of the approach is the import functionality
add-on for the system development tool. This functionality
enables bidirectional update of representation in the system
development tool and the software development tool. This
ensures consistency between system development artifacts
and changes done in the software development tool. The
importer also provides an overview of changes between database
and re-imported OIL file. This offers the possibility of
selective database updates and supports impact analysis (as
part of the change management process). Finally, the
importer enables reuse of available RTOS configurations,
guarantees consistency of information, and thereby shares
information more precisely and less ambiguously. Figure 4 shows
a screenshot of the import, selective update, and difference
highlighting functionality.</p>
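      <p>The round trip described in Sections 4.2 and 4.3, as an added example that is not the authors' tool or code from the paper: a model is exported to OIL, a manually edited OIL file is re-imported, and the differences are listed with the safety-relevant ones marked for review. The model layout, all object names, the ASIL trace comment and the review rule are assumptions; the parser covers flat OIL attributes only and skips parameterised sub-blocks.</p>
      <preformat>
```python
import re

# Constructed stand-in for the central model repository (names and ASIL values are assumptions).
MODEL = {
    "cpu": "Core0",
    "resources": {"ResSpeed": {"RESOURCEPROPERTY": "STANDARD"}},
    "tasks": {
        "BrakeCtrl": {"asil": "D", "PRIORITY": "10", "SCHEDULE": "FULL",
                      "ACTIVATION": "1", "AUTOSTART": "FALSE", "RESOURCE": ["ResSpeed"]},
        "Logger": {"asil": "QM", "PRIORITY": "2", "SCHEDULE": "FULL",
                   "ACTIVATION": "1", "AUTOSTART": "FALSE", "RESOURCE": []},
    },
}
# The paper names task priorities and shared task resources as safety-related parameters.
SAFETY_ATTRS = {"PRIORITY", "RESOURCE"}
# Constructed OIL file as it might come back from a software tool after manual edits.
EDITED_OIL = """
OIL_VERSION = "2.5";
CPU Core0 {
  RESOURCE ResSpeed { RESOURCEPROPERTY = STANDARD; };
  TASK BrakeCtrl {
    PRIORITY = 5;          /* model says 10 */
    SCHEDULE = FULL;
    ACTIVATION = 1;
    AUTOSTART = FALSE;
    RESOURCE = ResSpeed;
  };
  TASK Logger {
    PRIORITY = 2;
    SCHEDULE = FULL;
    ACTIVATION = 2;
    AUTOSTART = TRUE { APPMODE = AppModeNormal; };
    RESOURCE = ResSpeed;   // newly shared with the ASIL D task
  };
};
"""

def generate_oil(model):
    """Export the model as OIL text for one core; the ASIL trace is a comment (assumed convention)."""
    out = ['OIL_VERSION = "2.5";', f'CPU {model["cpu"]} {{']
    for name, attrs in model["resources"].items():
        out.append(f"  RESOURCE {name} {{")
        out += [f"    {key} = {value};" for key, value in attrs.items()]
        out.append("  };")
    for name, attrs in model["tasks"].items():
        out.append(f"  TASK {name} {{  // trace: ASIL {attrs['asil']}")
        for key, value in attrs.items():
            if key != "asil":  # the ASIL lives in the model, not in an OIL attribute
                values = value if isinstance(value, list) else [value]
                out += [f"    {key} = {v};" for v in values]
        out.append("  };")
    return "\n".join(out + ["};"]) + "\n"

def parse_oil(text):
    """Parse the objects inside the CPU container into {(type, name): {attribute: [values]}}."""
    text = re.sub(r"/\*.*?\*/|//[^\n]*", "", text, flags=re.S)  # OIL allows C++-style comments
    tok = re.findall(r'"[^"]*"|[\w.+-]+|[{};=]', text)
    objects, i = {}, tok.index("CPU") + 3  # skip "CPU", its name and "{"
    while tok[i] != "}":
        otype, name, attrs = tok[i], tok[i + 1], {}
        if tok[i + 2] != "{":
            raise ValueError(f"expected '{{' after {otype} {name}")
        i += 3
        while tok[i] != "}":
            key, eq, value = tok[i:i + 3]
            attrs.setdefault(key, []).append(value)  # repeated attributes (RESOURCE) accumulate
            i += 3
            if tok[i] == "{":  # parameterised value: record the value, skip its sub-block
                depth, i = 1, i + 1
                while depth:
                    depth += {"{": 1, "}": -1}.get(tok[i], 0)
                    i += 1
            if eq != "=" or tok[i] != ";":
                raise ValueError(f"malformed attribute {key} in {otype} {name}")
            i += 1
        objects[(otype, name)] = attrs
        i += 2  # skip "}" and ";"
    return objects

def diff_against_model(model, oil_text):
    """List attribute differences between a re-imported OIL file and the model, marking review items."""
    expected, imported = parse_oil(generate_oil(model)), parse_oil(oil_text)
    rated = {n for n, t in model["tasks"].items() if t["asil"] != "QM"}
    guarded = {r for n in rated for r in model["tasks"][n]["RESOURCE"]}  # resources of rated tasks
    changes = []
    for obj in sorted(set(expected) | set(imported)):
        old, new = expected.get(obj, {}), imported.get(obj, {})
        for attr in sorted(set(old) | set(new)):
            before, after = sorted(old.get(attr, [])), sorted(new.get(attr, []))
            if before != after:
                rated_task = obj[0] == "TASK" and obj[1] in rated and attr in SAFETY_ATTRS
                guarded_hit = attr == "RESOURCE" and bool(guarded.intersection(before + after))
                changes.append({"object": " ".join(obj), "attr": attr, "model": before,
                                "oil": after, "review": rated_task or guarded_hit})
    return changes

if __name__ == "__main__":
    print(*diff_against_model(MODEL, EDITED_OIL), sep="\n")
```
      </preformat>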
    </sec>
    <sec id="sec-14">
      <title>5. APPLICATION OF THE APPROACH</title>
      <p>This section demonstrates the application of the
introduced approach. The application of this approach entails
a tool change for the configuration of the RTOS, from text
editor or software development framework to a graphical
representation within the system development tool.
Nevertheless, this tool change does not affect the work of the basic
software developer in negative ways, but offers a significant
benefit for development of safety-critical software in terms
of traceability and replicability of development decisions.</p>
      <p>With the improvements presented in this paper, the
extra facility of mapping SW tasks to dedicated ECU cores
and their required resources makes it possible to
unambiguously visualize dependencies and analyze scheduling
variants at early development phases. Furthermore,
safety-related software artifacts can be explicitly highlighted and
dependencies linked in a graphical way.</p>
      <p>To provide a comparison of the improvements of our
approach we selected a simplified multi-core use-case solely
consisting of tasks, alarms, counters, OS, CPU, and
application modes. Other OIL objects have been omitted because
of the variable multiplicity of these objects (such as resources
of a task). An overview of OIL objects within our use-case
is given in Table 1.</p>
      <p>This amounts to a total of 20 OIL objects and 46 relations
between the elements. This small example already indicates
that relations between the elements increase quickly and
become confusing. To overcome this issue the model-based
development approach offers the possibility to hide specific
relations.</p>
      <p>It might be argued that this approach does not reduce
the workload or speed up the generation of OIL files
significantly, due to the high number of relations that need
to be established. However, the approach provides
guidance to minimize configuration failures. Additionally, it
supports round-trip engineering features, which split
workloads among different development phases and thus
simplifies reuse. Table 2 compares the proposed solution with
other approaches presented in Section 2.2 and discusses
different improvement indicators. The labels for
categorizations are:
+ supported or positive effects;
- not supported or negative effects;
o possible or no effects.</p>
      <p>In terms of safety-critical development and reuse the
presented approach supports crucial additional features, such as
round-trip engineering by tool-supported information
transfer between separated tools and links to supporting
safety-relevant information. Furthermore, the approach eliminates
the need for manual generation of OIL files without adequate
syntax and semantic checking support, ensuring reproducibility
and traceability argumentation.</p>
    </sec>
    <sec id="sec-15">
      <title>6. CONCLUSION</title>
      <p>An important challenge for the development of
safety-critical real-time automotive systems is to ensure
consistency of the safety-relevant artifacts (e.g., safety concepts,
requirements and configurations) over the development
cycle. This is especially challenging due to the large number
of skills, tools, teams and institutions involved in the
development. This work presents an approach to bridge tool
gaps between an existing model-driven system and safety
engineering framework and RTOS configuration tools, based
on domain standard OSEK. The implemented tool
extension transfers artifacts from system development tools to
software development frameworks for RTOS configuration,
thereby creating traceable links across tool boundaries, and
relying on standardized OSEK OIL exchange files. The main
benefits of this enhancement are: improved consistency and
traceability from the initial design at the system level down
to the single CPU configuration, as well as a reduction of
error-prone manual work. Further improvements of the
approach include the progress in terms of reproducibility and
traceability of safety-critical arguments, configurations for
software development, and support of multi-core system
development.</p>
    </sec>
    <sec id="sec-16">
      <title>Acknowledgments</title>
      <p>The authors would like to acknowledge the financial
support of the "COMET K2 - Competence Centers for Excellent
Technologies Programme" of the Austrian Federal Ministry
for Transport, Innovation and Technology (BMVIT), the
Austrian Federal Ministry of Economy, Family and Youth
(BMWFJ), the Austrian Research Promotion Agency (FFG),
the Province of Styria, and the Styrian Business Promotion
Agency (SFG).</p>
      <p>Furthermore, we would like to express our thanks to our
supporting project partners, AVL List GmbH, Virtual
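Vehicle Research Center, and Graz University of Technology.</p>
      <table-wrap>
        <table>
          <thead>
            <tr><th>Improvement Indicators</th><th></th></tr>
          </thead>
          <tbody>
            <tr><td>OIL syntax and semantic checks</td><td>+</td></tr>
            <tr><td>Reuse</td><td>+</td></tr>
            <tr><td>Speed-up</td><td>o</td></tr>
            <tr><td>Distribution of configuration activities</td><td>+</td></tr>
            <tr><td>Automated configuration from available information</td><td>+</td></tr>
            <tr><td>Additional (safety) constraints (such as ASIL indicator, requirements)</td><td>+</td></tr>
            <tr><td>Consistency, correctness, and completeness checks</td><td>+</td></tr>
            <tr><td>Round-trip engineering support and bi-directional update features</td><td>+</td></tr>
            <tr><td>Traceability of decision making process</td><td>+</td></tr>
            <tr><td>Multi-core systems</td><td>+</td></tr>
          </tbody>
        </table>
      </table-wrap>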
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          <article-title>[1] AUTOSAR development cooperation</article-title>
          .
          <source>AUTOSAR AUTomotive Open System ARchitecture</source>
          ,
          <year>2009</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>Manfred</given-names>
            <surname>Broy</surname>
          </string-name>
          , Martin Feilkas, Markus Herrmannsdoerfer, Stefano Merenda, and Daniel Ratiu.
          <article-title>Seamless Model-based Development: from Isolated Tool to Integrated Model Engineering Environments</article-title>
          . IEEE Magazin,
          <year>2008</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>Fabrizio</given-names>
            <surname>Fabbrini</surname>
          </string-name>
          , Mario Fusani, Giuseppe Lami, and
          <string-name>
            <given-names>Edoardo</given-names>
            <surname>Sivera</surname>
          </string-name>
          .
          <article-title>Software Engineering in the European Automotive Industry: Achievements and Challenges</article-title>
          .
          <source>In COMPSAC</source>
          , pages
          <volume>1039</volume>
          –
          <fpage>1044</fpage>
          . IEEE Computer Society,
          <year>2008</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>Holger</given-names>
            <surname>Giese</surname>
          </string-name>
          , Stephan Hildebrandt, and
          <string-name>
            <given-names>Stefan</given-names>
            <surname>Neumann</surname>
          </string-name>
          . Model Synchronization at Work:
          <article-title>Keeping SysML and AUTOSAR Models Consistent</article-title>
          .
          <source>LNCS 5765</source>
          , pages
          <volume>555</volume>
          –
          <issue>579</issue>
          ,
          <year>2010</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>Zonghua</given-names>
            <surname>Gu</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Shige</given-names>
            <surname>Wang</surname>
          </string-name>
          , and
          <string-name>
            <given-names>Kang</given-names>
            <surname>Shin</surname>
          </string-name>
          .
          <article-title>Issues in Mapping from UML Real-Time Profile to OSEK</article-title>
          .
          <source>In Proc SVERTS: Workshop on Specification and Validation of UML models for Real Time and Embedded Systems</source>
          , Workshop at UML 2003,
          <article-title>October</article-title>
          , page
          <volume>7</volume>
          ,
          <year>2003</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>Joerg</given-names>
            <surname>Holtmann</surname>
          </string-name>
          , Jan Meyer, and Matthias Meyer.
          <source>A Seamless Model-Based Development Process for Automotive Systems</source>
          ,
          <year>2011</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7] ISO - International Organization for Standardization.
          <article-title>ISO 17356 Road vehicles – Open interface for embedded automotive applications</article-title>
          ,
          <year>2005</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8] ISO - International
          <source>Organization for Standardization. ISO 26262 Road vehicles Functional Safety Part 1-10</source>
          ,
          <year>2011</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <given-names>JaeYoung</given-names>
            <surname>Kim</surname>
          </string-name>
          , JungWook Lee, Jeongho Son,
          <string-name>
            <given-names>Kee-Koo</given-names>
            <surname>Kwon</surname>
          </string-name>
          , and
          <string-name>
            <given-names>Gwangsu</given-names>
            <surname>Kim</surname>
          </string-name>
          .
          <article-title>Lightweight AUTOSAR Software Platform for Automotive</article-title>
          .
          <source>In IEEE International Conference on Consumer Electronics</source>
          , pages
          <volume>307</volume>
          –
          <fpage>308</fpage>
          ,
          <year>2012</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <given-names>Lutz</given-names>
            <surname>Koester</surname>
          </string-name>
          , Thomas Thomsen, and
          <string-name>
            <given-names>Ralf</given-names>
            <surname>Stracke</surname>
          </string-name>
          .
          <article-title>Connecting Simulink to OSEK: Automatic Code Generation for Real-Time Operating Systems with TargetLink</article-title>
          .
          <source>Embedded Intelligence</source>
          <year>2001</year>
          ,
          <year>2001</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <given-names>Georg</given-names>
            <surname>Macher</surname>
          </string-name>
          , Eric Armengaud, and
          <string-name>
            <given-names>Christian</given-names>
            <surname>Kreiner</surname>
          </string-name>
          .
          <source>Automated Generation of AUTOSAR Description File for Safety-Critical Software Architectures. In Lecture Notes in Informatics</source>
          ,
          <year>2014</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <string-name>
            <given-names>Georg</given-names>
            <surname>Macher</surname>
          </string-name>
          , Eric Armengaud, and
          <string-name>
            <given-names>Christian</given-names>
            <surname>Kreiner</surname>
          </string-name>
          .
          <article-title>Bridging Automotive Systems, Safety and Software Engineering by a Seamless Tool Chain</article-title>
          .
          <source>In 7th European Congress Embedded Real Time Software and Systems Proceedings</source>
          , pages
          <volume>256</volume>
          –
          <fpage>263</fpage>
          ,
          <year>2014</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [13]
          <string-name>
            <given-names>Roland</given-names>
            <surname>Mader</surname>
          </string-name>
          .
          <article-title>Computer-Aided Model-Based Safety Engineering of Automotive Systems</article-title>
          .
          <source>PhD thesis</source>
          , Graz University of Technology,
          <year>2012</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          [14]
          <article-title>OSEK/VDX Steering Committee</article-title>
          .
          <article-title>OSEK/VDX System Generation OIL: OSEK Implementation Language</article-title>
          . http://portal.osek-vdx.org/files/pdf/specs/oil25.pdf,
          <year>2004</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          [15]
          <article-title>Imran Rafiq Quadri and Andrey Sadovykh. MADES: A SysML/MARTE high level methodology for real-time and embedded systems</article-title>
          ,
          <year>2011</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          [16]
          <string-name>
            <given-names>Guoqing</given-names>
            <surname>Yang</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Minde</given-names>
            <surname>Zhao</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Lei</given-names>
            <surname>Wang</surname>
          </string-name>
          , and
          <string-name>
            <given-names>Zhaohui</given-names>
            <surname>Wu</surname>
          </string-name>
          .
          <article-title>Model-based Design and Verification of Automotive Electronics Compliant with OSEK/VDX</article-title>
          .
          <source>In Proceedings of the Second International Conference on Embedded Software and Systems</source>
          , ICESS '
          <volume>05</volume>
          , pages
          <fpage>237</fpage>
          –
          <fpage>245</fpage>
          , Washington, DC, USA,
          <year>2005</year>
          . IEEE Computer Society.
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          [17]
          <string-name>
            <given-names>Mingde</given-names>
            <surname>Zhao</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Zhaohui</given-names>
            <surname>Wu</surname>
          </string-name>
          , Guoqing Yang, Lei Wang, and Wei Chen
          .
          <article-title>SmartOSEK: A Real-Time Operating System for Automotive Electronics</article-title>
          . In Zhaohui Wu, Chun Chen, Minyi Guo, and Jiajun Bu, editors,
          <source>ICESS</source>
          , volume
          <volume>3605</volume>
          of Lecture Notes in Computer Science, pages
          <volume>437</volume>
          –
          <fpage>442</fpage>
          . Springer,
          <year>2004</year>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>