<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Seamless Model-Based Safety Engineering from Requirement to Implementation</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Georg Macher</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Institute for Technical Informatics Graz University of Technology AUSTRIA</institution>
        </aff>
      </contrib-group>
      <abstract>
<p>Development of embedded automotive systems has become tremendously complex in recent years. The trend of replacing traditional mechanical systems with modern embedded systems enables the deployment of more advanced control strategies. This provides new benefits for the customer and the environment, but at the same time the higher degree of integration and safety-criticality raise new challenges. In parallel, new automotive safety standards, such as ISO 26262, and the introduction of automotive multi-core systems require efficient and consistent product development. To tackle the issues of mixed-critical multi-core system development with hard real-time constraints and to provide academic methodologies and approaches, the MEMCONS project was launched. The aim of this paper is to provide an overview of the scientific research problem, approaches to solve the problem, and ways to evaluate the solution found by the project-related PhD thesis.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>-</title>
      <p>
        Embedded electronic control systems are strong innovation drivers for the
automotive industry. The number of embedded systems has significantly grown in
recent years, and novel multi-core computing platforms are even stronger
innovation drivers. This technology enables more advanced control strategies and
increases the degree of integration and complexity of such systems. Nevertheless,
safety-critical system development according to the industry standard ISO 26262 [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ]
has to be ensured.
      </p>
      <p>The issues appearing in this context are manifold. Safety-critical system
development according to automotive standards requires a safety concept along the
whole development process, from initial development to the final
decommissioning of the product. Safety is a system-wide, cross-domain feature which
needs to be considered in each development step by each involved department.
Therefore the classical `divide &amp; conquer' approach of the automotive domain
has to be reconsidered.</p>
      <p>Secondly, the automotive safety standard introduces additional development
artifacts, constraints, and a standardized development process. However,
automotive organizations already have their own (safety) processes in place,
certified and process-skilled employees, and are therefore unwilling or unable to
migrate their process quickly. Instead, the required safety activities need to be
integrated within the existing process and tool landscape.</p>
      <p>
        Third, a conceptual change from document-centric development approaches
to model-based development (MBD) approaches needs to be enforced to ensure the
required traceability, maintainability, reuse, and certifiability of development
decisions and products [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ].
      </p>
      <p>
        The second main focus, multi-core systems, includes equivalent open issues.
Currently, methodologies and tools supporting safety-critical development of
multi-core systems are still hardly available. Industry standards like
AUTOSAR [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ] also do not yet cover the multi-core related challenges. The main
rising challenges in this context, besides traceability issues, are the parallelization of
state-of-the-art software architectures and the tracing of dependencies and
bottlenecks of multi-core systems. Side-effects and unintended correlations need to be
traced and tackled with adequate methodologies to ensure freedom from
interference for safety-critical applications.
      </p>
      <p>Figure 1 illustrates the identified open issues and the relevant problem domain
of this PhD thesis.</p>
      <p>
        We propose to extend the existing model-based development approach
(for further details see [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ]) with a model representation of the hardware in use, an
AUTOSAR-aligned model for software development, and a hardware-software
interface according to ISO 26262. Furthermore, this tool-chain is enhanced by
extractors that automatically generate system and electronic control unit (ECU)
configuration files from existing information at system development level. This proposed
approach closes the gap, also mentioned by Giese et al. [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ] and Holtmann et al.
[
        <xref ref-type="bibr" rid="ref5">5</xref>
        ], between system-level development with abstract UML-like representations and
software-level development modeling tools (e.g. Matlab Simulink/Targetlink).
Closing this gap creates a seamless tool-chain from initial requirements (coming
from a requirement management tool), through the definition of safety concepts and
software architectures (in a model-based development environment), to final
decisions in code implementation in compliance with automotive safety standards.
      </p>
    </sec>
    <sec id="sec-2">
      <title>Related Work</title>
      <p>Related work for this thesis is manifold. Therefore, this section focuses solely
on related funded projects. Other related publications tackle only parts of the
project aims and have therefore been omitted due to page limitations.</p>
      <p>The SAFE project (http://safe-project.eu/) aims to enhance methods for defining safety goals
and to define development processes complying with the new ISO 26262 standard
for functional safety in automotive electrical and electronic systems. Different from
this project, we are not focusing on collaboration between automotive companies.
Furthermore, the focus of the SAFE project is on extending AUTOSAR architectural
models to support ISO 26262 product development in the concept phase (part
3 of ISO 26262). In contrast, we focus on parts 4 and 6 of the ISO 26262
norm (system and software development).</p>
      <p>The AMALTHEA project (http://amalthea-project.org/) focuses on the development of an open source
development platform with common data models and interfaces. Its focus on
a common data model for safety-critical system development and on interfaces
supporting data exchange between development tools is therefore similar to ours,
but we also consider automatic checking of safety-related and multi-core related
constraints (such as the effects of execution order on timing, and support for ASIL
decomposition features). In addition, we also intend to assemble a collection of
patterns to be applied in safety-critical multi-core system development.</p>
      <p>The Model-based Analysis and Engineering of Novel Architectures for
Dependable electric vehicles (MAENAD) project (http://www.maenad.eu/) addresses similar topics, but in relation
to pure electric vehicles and based on EAST-ADL2. In contrast to this project,
we also focus on automated techniques for constraint checking of multi-core
features and automated transfer of information between special-purpose software
tools (such as RTOS configurators or RTE generators).</p>
      <p>The SPES XT project (http://spes2020.informatik.tu-muenchen.de/spes_xt-home.html) also focuses on methodology and the integration of
development tools within a seamless tool-chain. Unlike this project, we focus
solely on the automotive domain and therefore aim at a methodology
more specialized to the needs of that domain; in contrast to the
SPES XT project, we also treat the topics of safety-criticality and multi-core
systems in more detail.</p>
      <p>
        The CESAR project [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ] proposes cost-efficient methods and processes for
the development of safety-relevant embedded systems. Integrated tool chains
bring the engineering disciplines together and provide traceability along the
development process. The main focus of the tool chains proposed in CESAR is on
systems and safety engineering. The introduced multi-domain approach, the
European cross-sectoral standard reference technology platform (RTP), provides
meta-models and methods. For the less abstract development phases, however, the RTP
needs to be more specific and refined so that the inter-operation between
different tools can be coupled more tightly.
      </p>
    </sec>
    <sec id="sec-3">
      <title>Proposed Solution</title>
      <p>
        The approach relies on an automotive system model representation and tool bridges
based on domain standard exchange formats (such as AUTOSAR XML [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ] or
OSEK/VDX OIL files [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ]). Therefore it is possible to import existing AUTOSAR
components, interface configuration and timing constraints (AUTOSAR R4.0)
into the system model. Figure 2 shows the conceptual overview of the approach
and highlights the bridging approach at tool level. As can be seen in this figure,
several independent tools are linked via specific interfaces (highlighted in yellow)
into a seamless development tool chain, using the system model representation as the
common source of information.
      </p>
      <p>Furthermore, the automatic export of component containers and their
interconnections is possible, which links the software architecture designed in SysML
to the software development tool (e.g. Matlab/Simulink) and closes the gap
between system development tools and functional software development tools.
We also take into account automotive constraints (especially traceability
requirements) and close the existing tool gap between basic software configuration tools,
operating systems (OS), and scheduling tools.</p>
      <p>Automotive OSs have no dynamic scheduling; all OS
settings are therefore static and can be specified during the development phase. The
information available from system development can be exported and used to integrate OS
and scheduling tools that automatically generate a distribution of tasks onto cores.
Our approach therefore also helps to specify tasks with their priority, duration,
and safety-criticality and the mapping of tasks to cores, to generate task activation
policies, and to support the specification of task resources, alarms, and interrupts.</p>
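      <p>The OS-configuration bridge described above, as an added illustration that is not the MEMCONS tool-chain or its schema: a constructed system-model task list (priority, period, ASIL, core mapping) is first checked for two multi-core constraints of the kind mentioned in the related-work section (mixed ASIL levels on one core, which requires a freedom-from-interference argument, and equal priorities on one core, which leaves the execution order and its timing effects undefined), and then rendered as an OSEK/VDX OIL fragment with a trace comment back to each model element. The task attributes, rule names and trace-comment form are assumptions of this example.</p>
      <preformat>
```python
"""Model-to-OS bridge sketch: check a task-to-core mapping for multi-core
safety constraints and emit an OSEK/VDX OIL fragment (OIL 2.5 attributes).
Added example; task attributes, rule names and the trace comment are
assumptions, not the MEMCONS project's schema."""
from collections import defaultdict

# Constructed system-model excerpt (not project data): model id for
# traceability, priority, activation period in ms, ASIL and mapped core.
SYSTEM_MODEL_TASKS = [
    {"id": "SYS-T01", "name": "TorqueControl", "priority": 5, "period_ms": 5, "asil": "D", "core": 0},
    {"id": "SYS-T02", "name": "SafetyMonitor", "priority": 4, "period_ms": 10, "asil": "D", "core": 0},
    {"id": "SYS-T03", "name": "Diagnostics", "priority": 2, "period_ms": 50, "asil": "QM", "core": 1},
    {"id": "SYS-T04", "name": "Logging", "priority": 2, "period_ms": 50, "asil": "QM", "core": 1},
]

ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}


def check_constraints(tasks):
    """Return (rule, message) findings for the task-to-core mapping."""
    findings = []
    by_core = defaultdict(list)
    for t in tasks:
        by_core[t["core"]].append(t)
    for core, group in sorted(by_core.items()):
        # Rule 1: mixed ASIL levels on one core mean lower-ASIL software shares
        # the core with safety-relevant software, so freedom from interference
        # between them has to be ensured (or the mapping has to be changed).
        levels = sorted({t["asil"] for t in group}, key=ASIL_RANK.get)
        if len(levels) > 1:
            findings.append(("MIXED_ASIL_CORE",
                             f"core {core} hosts ASIL levels {levels}; "
                             "freedom from interference must be ensured"))
        # Rule 2: equal priorities on one core leave the execution order to the
        # OS, so the timing effects of that order cannot be traced reproducibly.
        by_prio = defaultdict(list)
        for t in group:
            by_prio[t["priority"]].append(t["name"])
        for prio, names in sorted(by_prio.items()):
            if len(names) > 1:
                findings.append(("DUPLICATE_PRIORITY",
                                 f"core {core}: tasks {names} share priority {prio}"))
    return findings


def generate_oil(tasks, cpu_name="ECU_MAIN"):
    """Render a TASK plus a cyclic ALARM per task in OIL syntax. Plain OIL has
    no core attribute (multi-core mapping is OS-vendor specific), so the core
    and the model id are carried in a trace comment (assumption of this example)."""
    lines = [
        f"CPU {cpu_name} {{",
        "  OS StdOS { STATUS = EXTENDED; };",
        "  COUNTER SystemTimer { MAXALLOWEDVALUE = 65535; TICKSPERBASE = 1; MINCYCLE = 1; };",
    ]
    # Emit per core, highest priority first, so the file mirrors the mapping.
    for t in sorted(tasks, key=lambda t: (t["core"], -t["priority"])):
        lines += [
            f"  /* trace: {t['id']}  ASIL {t['asil']}  core {t['core']} */",
            f"  TASK {t['name']} {{",
            f"    PRIORITY = {t['priority']};",
            "    SCHEDULE = FULL;",
            "    ACTIVATION = 1;",
            "    AUTOSTART = FALSE;",
            "  };",
            f"  ALARM Alarm_{t['name']} {{",
            "    COUNTER = SystemTimer;",
            f"    ACTION = ACTIVATETASK {{ TASK = {t['name']}; }};",
            f"    AUTOSTART = TRUE {{ ALARMTIME = {t['period_ms']}; CYCLETIME = {t['period_ms']}; }};",
            "  };",
        ]
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    for rule, msg in check_constraints(SYSTEM_MODEL_TASKS):
        print(f"[{rule}] {msg}")
    print(generate_oil(SYSTEM_MODEL_TASKS))
```
      </preformat>
      <p>Moving the QM task Diagnostics onto core 0 in the constructed model turns the DUPLICATE_PRIORITY finding into a MIXED_ASIL_CORE finding, which is the kind of mapping change the text says the environment should support and check.</p>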
      <p>An additional advantage for multi-core systems is based on the definition
of the software architecture in our system development environment and the
automatic configuration of safety drivers, BSW, and RTE, which can be
generated from the SysML representation. Within this environment the allocation of
software components to cores can be changed more easily and supported by
automatic approaches, e.g. collecting safety-relevant software on one specific core
or switching to static work balancing between cores. In addition, tasks, inter-core
communications, and synchronizations can be investigated at this higher
abstraction level, and resource bottlenecks can be minimized earlier. Furthermore,
different compilers, linkers, and even development or configuration tools can be
used within the established tool-chain due to its linkage via domain interchange
formats. This allows the inclusion of additional multi-core configuration tools
or task distribution tools into the tool-chain (e.g. the analysis tool presented by
Hilbrich et al. [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ]).
      </p>
      <p>[Figure 2: conceptual overview of the tool chain. System development level: system modeling tool with system requirements, safety requirements and system architecture (SW architecture, HW architecture) plus a model add-on. Software development level: Simulink tool-bridge (ASW.mdl, software development tool), AUTOSAR tool-bridge (AUTOSAR description files, SWC description), RTE configuration (RTE.c), BSW configuration (BSW configurator, BSW.c), OS configuration (OS configurator, OS.oil, OS.c), application software (SWC.c, SafetyDriver.c), runtime environment and basic software.]</p>
      <p>The contribution, composed of tool add-ons and their respective base
methodology, is given in Table 1.</p>
    </sec>
    <sec id="sec-4">
      <title>Preliminary Work</title>
      <p>The status of the tool integration work to date is also given in Table 1.
The status of the basic methodologies for the bridging approach and the traceability
solution is ahead of the figures given for the tool implementation in Table
1. The methodology for integrating all required information into the model-based
system development database is complete, apart from minor changes.</p>
      <p>The integration of application software departments is based on the definition
of the SW architecture within the system development tool. This information is
then transferred either via the AUTOSAR-aligned exchange methodology (based
on ARXML files) or via API directly to the special-purpose tools of the application
software developers.</p>
      <p>The generation of dedicated HW safety feature drivers and the mapping
between software modules (ASW to ASW as well as ASW to BSW) is done
directly via .c and .h files. The methodology for BSW configuration is also based
on the direct insertion of C structs into .c and .h files. For the OS configuration the
methodology is based on the OSEK/VDX OIL approach, which is also a domain
standard.</p>
      <p>Other tool bridgings, such as the test environment or the requirement
management tool, also need to rely on domain standard exchange formats or are
required to implement an API for interchange with the system modeling tool.
The contributions of this PhD thesis are, on the one hand, to provide method
descriptions and tool prototypes to integrate the required automotive safety activities
within the existing process and tool landscape of our industrial project partner.
On the other hand, we aim to provide a pattern catalog as guidance for
safety-critical system development with multi-core systems and a use-case example
for training purposes. Third, we aim to improve or define (if not available)
basic methodologies for multi-core system development and parallelization of
state-of-the-art software architectures, and for the tracing of dependencies and side-effects.
Parts of the tool-chain have already been published:</p>
      <list list-type="bullet">
        <list-item>
          <p>Bridging Automotive Systems, Safety and Software Engineering by a Seamless Tool Chain, ERTS2014, Feb 2014 [<xref ref-type="bibr" rid="ref8">8</xref>]</p>
        </list-item>
        <list-item>
          <p>Automated Generation of AUTOSAR Description File for Safety-Critical Software Architectures, Informatik2014, Sept 2014 [<xref ref-type="bibr" rid="ref7">7</xref>]</p>
        </list-item>
        <list-item>
          <p>Automated Synchronization of System Architecture and Automotive Real-time Operating Systems, Embedded Operating Systems, Nov 2014 [<xref ref-type="bibr" rid="ref9">9</xref>]</p>
        </list-item>
      </list>
      <p>An initial approach towards a collection of patterns for automotive
safety-related system development has also been published:</p>
      <list list-type="bullet">
        <list-item>
          <p>Pattern-Based Automotive Safety Cases: An Industrial Case Study, EuroPloP, July (Dec) 2014 [<xref ref-type="bibr" rid="ref10">10</xref>]</p>
        </list-item>
        <list-item>
          <p>SAHARA - A Security-Aware Hazard and Risk Analysis Method, DATE Conference, Mar 2015, currently pending</p>
        </list-item>
      </list>
    </sec>
    <sec id="sec-5">
      <title>Plan for Evaluation and Validation</title>
      <p>Evaluation of the contribution has to be done in several steps, because of the
varying contribution levels. These measures will be compared to the numbers
of previously available tool-chains and methods based on an automotive
use-case. To evaluate the tool prototypes the following performance indicators can
be investigated:</p>
      <list list-type="bullet">
        <list-item><p>number of generated configurations</p></list-item>
        <list-item><p>number of additional information items transferred between tools</p></list-item>
        <list-item><p>number of information items lost by forward and backward model update</p></list-item>
        <list-item><p>speedup in time</p></list-item>
        <list-item><p>number of automatically generated documents</p></list-item>
      </list>
      <p>Performance indicators for the evaluation of the methodologies are:</p>
      <list list-type="bullet">
        <list-item><p>number of automatically generated artifact traces</p></list-item>
        <list-item><p>number of traceable relations between initial requirement and final implementation</p></list-item>
        <list-item><p>number of automatic constraint checks</p></list-item>
        <list-item><p>usability evaluation with the use-case</p></list-item>
        <list-item><p>relevance feedback on patterns from engineers</p></list-item>
        <list-item><p>impact analysis of the supported information from engineers</p></list-item>
        <list-item><p>speedup in training time</p></list-item>
        <list-item><p>acceptance of publications at domain-specific conferences</p></list-item>
      </list>
    </sec>
    <sec id="sec-6">
      <title>Current Status</title>
      <p>This section concludes the paper with an overview of the current project status
and progress. A rough overview was already given in Section 4 and can be seen
for the tool implementations in Table 1.</p>
      <p>
        The approach for software model transfer based on AUTOSAR files
(published in [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ]) is currently under rework and evaluation in a master's thesis.
The OS configuration tool bridging is also currently under evaluation at our
industrial project partner (published in [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ], depicted in Figure 2 - OS Configuration).
Furthermore, the software model transfer via tool API (see Figure 2 - SIMULINK
Tool-Bridge), the BSW configurator (see Figure 2 - Model BSW Configuration), and the
RTE configurator (Figure 2 - RTE Configuration) are currently in development
together with students with an automotive background. The integration of the test
environment of our industrial partner is in coordinated development together
with the partner. Other open points will be addressed this year's fall. A first
test run of the whole set of tool prototypes is expected for the beginning of next year. The
first quarter of the upcoming year is then planned for further improvement of the
approach. The whole thesis is intended to be finished by next year's fall.
      </p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <label>1</label>
        <mixed-citation>
          <collab>AUTOSAR development cooperation</collab>.
          <source>AUTOSAR AUTomotive Open System ARchitecture</source>,
          <year>2009</year>.
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <label>2</label>
        <mixed-citation>
          <string-name><given-names>Manfred</given-names> <surname>Broy</surname></string-name>,
          <string-name><given-names>Martin</given-names> <surname>Feilkas</surname></string-name>,
          <string-name><given-names>Markus</given-names> <surname>Herrmannsdoerfer</surname></string-name>,
          <string-name><given-names>Stefano</given-names> <surname>Merenda</surname></string-name>, and
          <string-name><given-names>Daniel</given-names> <surname>Ratiu</surname></string-name>.
          <article-title>Seamless Model-based Development: from Isolated Tool to Integrated Model Engineering Environments</article-title>.
          <source>IEEE Magazine</source>,
          <year>2008</year>.
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <label>3</label>
        <mixed-citation>
          <string-name><given-names>Holger</given-names> <surname>Giese</surname></string-name>,
          <string-name><given-names>Stephan</given-names> <surname>Hildebrandt</surname></string-name>, and
          <string-name><given-names>Stefan</given-names> <surname>Neumann</surname></string-name>.
          <article-title>Model Synchronization at Work: Keeping SysML and AUTOSAR Models Consistent</article-title>.
          <source>LNCS 5765</source>, pages
          <fpage>555</fpage>–<lpage>579</lpage>,
          <year>2010</year>.
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <label>4</label>
        <mixed-citation>
          <string-name><given-names>Robert</given-names> <surname>Hilbrich</surname></string-name> and
          <string-name><given-names>Hans-Joachim</given-names> <surname>Goltz</surname></string-name>.
          <article-title>Model-based Generation of Static Schedules for Safety Critical Multi-Core Systems in the Avionics Domain</article-title>.
          In <source>WMSE11</source>,
          <year>2011</year>.
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <label>5</label>
        <mixed-citation>
          <string-name><given-names>Joerg</given-names> <surname>Holtmann</surname></string-name>,
          <string-name><given-names>Jan</given-names> <surname>Meyer</surname></string-name>, and
          <string-name><given-names>Matthias</given-names> <surname>Meyer</surname></string-name>.
          <article-title>A Seamless Model-Based Development Process for Automotive Systems</article-title>,
          <year>2011</year>.
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <label>6</label>
        <mixed-citation>
          <collab>ISO - International Organization for Standardization</collab>.
          <source>ISO 26262 Road vehicles - Functional Safety, Parts 1-10</source>,
          <year>2011</year>.
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <label>7</label>
        <mixed-citation>
          <string-name><given-names>Georg</given-names> <surname>Macher</surname></string-name>,
          <string-name><given-names>Eric</given-names> <surname>Armengaud</surname></string-name>, and
          <string-name><given-names>Christian</given-names> <surname>Kreiner</surname></string-name>.
          <article-title>Automated Generation of AUTOSAR Description File for Safety-Critical Software Architectures</article-title>.
          In <source>Lecture Notes in Informatics</source>,
          <year>2014</year>.
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <label>8</label>
        <mixed-citation>
          <string-name><given-names>Georg</given-names> <surname>Macher</surname></string-name>,
          <string-name><given-names>Eric</given-names> <surname>Armengaud</surname></string-name>, and
          <string-name><given-names>Christian</given-names> <surname>Kreiner</surname></string-name>.
          <article-title>Bridging Automotive Systems, Safety and Software Engineering by a Seamless Tool Chain</article-title>.
          In <source>7th European Congress Embedded Real Time Software and Systems Proceedings</source>, pages
          <fpage>256</fpage>–<lpage>263</lpage>,
          <year>2014</year>.
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <label>9</label>
        <mixed-citation>
          <string-name><given-names>Georg</given-names> <surname>Macher</surname></string-name>,
          <string-name><given-names>Muesluem</given-names> <surname>Atas</surname></string-name>,
          <string-name><given-names>Eric</given-names> <surname>Armengaud</surname></string-name>, and
          <string-name><given-names>Christian</given-names> <surname>Kreiner</surname></string-name>.
          <article-title>Automotive Real-time Operating Systems: A Model-Based Configuration Approach</article-title>.
          In <source>ACM SIGBED Review</source>, Association for Computing Machinery, Special Interest Group on Embedded Systems,
          <year>2014</year>.
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <label>10</label>
        <mixed-citation>
          <string-name><given-names>Georg</given-names> <surname>Macher</surname></string-name>,
          <string-name><given-names>Harald</given-names> <surname>Sporer</surname></string-name>, and
          <string-name><given-names>Christian</given-names> <surname>Kreiner</surname></string-name>.
          <article-title>Pattern-Based Automotive Safety Cases: An Industrial Case Study</article-title>.
          In <source>Conference Proceedings EuroPloP2014</source>,
          <year>2014</year>.
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <label>11</label>
        <mixed-citation>
          <collab>OSEK/VDX Steering Committee</collab>.
          <article-title>OSEK/VDX System Generation OIL: OSEK Implementation Language</article-title>.
          http://portal.osek-vdx.org/files/pdf/specs/oil25.pdf,
          <year>2004</year>.
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <label>12</label>
        <mixed-citation>
          <string-name><given-names>Ajitha</given-names> <surname>Rajan</surname></string-name> and
          <string-name><given-names>Thomas</given-names> <surname>Wahl</surname></string-name>.
          <source>CESAR Project Book</source>. Springer Verlag,
          <year>2012</year>.
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>