A Code Generation Framework for Distributed Real-Time Embedded Systems

Mario Bambagini, Marco Di Natale
{mario.bambagini, marco.dinatale}@sssup.it
Scuola Superiore Sant’Anna Pisa, Italy

Abstract—Modeling languages and tools, including Simulink, Scicos, SysML and the Eclipse Modeling Framework (EMF), bring the promise of an improved quality and productivity in the development of embedded systems and software. Unfortunately, none of these modeling languages, taken individually, is capable of fulfilling all the needs in the development of complex distributed embedded applications, from the modeling, analysis and validation stages to the automatic generation of the implementation. Overall, their strengths and weaknesses are somewhat complementary and an integrated approach could be the most promising solution. In this paper, we present a framework for integrated code generation in complex real-time distributed systems, where MBD approaches are used for the analysis and the generation of the functional (or behavioral) part, and MDA approaches (SysML/EMF) are used for modeling the execution platform, the task model and the deployment of functions onto the platform resources. This paper presents a meta-model for the description of execution platforms and an open-source code generation framework, based on the selected mapping of the functional components on the chosen platform.

I. INTRODUCTION

The functional complexity of modern embedded systems is rapidly growing and distributed systems with time constraints are today typical of automotive, avionics and control systems. In these cases, the planning of the functional deployment and the efficient use of platform resources is crucial.

The use of models for the analysis of the system properties, the documentation of the design decisions and possibly the automatic generation of the software implementation is an industrial reality, backed by several commercial products. Two approaches are today emerging. The Model-Based Design approach (MBD) prescribes models based on a formal Model of Computation, or at least with a formally defined executable semantics. This allows the simulation of the functional model and possibly also the verification of the model properties by model checking. A synchronous (reactive) execution model is assumed by these tools. Automatic generation of an implementation is also typically provided. Examples of such tools are Simulink, Scicos and SCADe.

The Model-Driven Architecture (MDA) initiative from OMG, in contrast, originated from the object-oriented software community and, rather than focusing on a formal semantic backing and analysis capabilities, places emphasis on generic but extensible models, managing structural complexity and supporting the automatic generation of implementations for the structural part (declaration and creation of systems and subsystems, communication and synchronization objects). MDA puts emphasis on meta-meta-modeling capabilities, languages for the transformation of models into other models (M2M) and models into text (M2T). In particular, MDA recommends a development flow in which a Platform Independent Model (PIM) is developed first, and then a Platform-Specific Model (PSM) is created from it by model-to-model transformations when the execution platform and the functional deployment are defined. The PSM allows the generation of an implementation that is executable on the given platform. The separation of the (functional) PIM model from the platform model and the PSM allows to improve software portability and reuse.

The MBD methodology lacks in the capability of modeling architectures, as well as computation and communication delays that depend on the platform. Available commercial code generators provide implementations only for code to be deployed on a single CPU or, to a limited degree, for time-triggered distributed systems. Often, the designer needs to provide an implementation for an execution platform which is not time-triggered, adding custom-developed communication code and performing the application partitioning by hand.

On the other hand, MDA offers high flexibility in the definition of domain-specific models, including tasks, resources and execution platforms. Moreover, MDA allows to define functional deployment models and include model-to-model and model-to-code transformations that may ease the generation of communication and tasks code. The behavioral semantics of the languages recommended by the OMG for the MDA (including UML and SysML) is incompletely specified, so simulations and verifications on those models are tool-specific and often characterized by a limited scope.

The framework presented in this paper aims at bridging the gap between the two approaches. The starting point is the synchronous model of the application functions, developed in Simulink (in the MBD fashion). A meta-model based on the Eclipse EMF has been designed as a superset of the Simulink meta-model to allow the import of the functional model, and also provides modeling concepts to define the execution platforms and to deploy the function components onto the platform resources.

Our framework assumes that the functional model consists of a set of functions that can only be activated at events belonging to a periodic stream. While this may seem a limitation, code can only be generated by Simulink models when a fixed-step solver is used to integrate the continuous parts. In this case, all functional blocks (i.e.: function-activated blocks) are activated at multiples of the system base period.

The framework includes a deployment verification engine that can verify if the deployment solution, provided by the user, preserves the synchronous semantics of the MBD model. In case the deployment results in additional computation or...
communication latency (beyond the synchronous model assumptions), it provides methods for the worst-case evaluation of the delays that should be added to the synchronous model. In addition, the framework includes a code generation facility, based on the Acceleo plug-in [10], that, based on the platform and deployment models, generates the communication code and the code of the tasks. This infrastructure code is then linked with the behavioral code generated starting from the functional blocks of the Synchronous Reactive (SR) model to construct the application.

The development steps, which are covered by our framework and outlined in Figure 1, are summarized as follows.

1) **Functional model**, defined in Simulink and then exported in an XML format to the Eclipse/EMF framework;
2) **Platform selection**, allows the designer to select the hardware and software resources and the resource management policies in the system architecture. The architecture is completed by the software platform stack, including the Real-time Operating System(s) or RTOS, device drivers and communication stacks with an optional middleware. Platform services are accessed using a standardized API;
3) **Mapping**, provides the definition of the mapping of the functional components onto the computation and communication resources of the platform. As a result of this step, the following stages are enabled;
4) **Performance analysis** for estimating the quality of the designed solution with respect to time (and checking schedulability);
5) **Code generation** for the automatic generation of the code implementation from the models. The (platform-independent) behavioral code is generated using the Simulink Coder tool [11] by Mathworks, while the (platform-dependent) communication, synchronization and tasking code is generated from the EMF framework using OMG standard languages and open-source tools. Ensuring a consistent code generation requires tool synchronization and exchange of information;
6) **Back-annotation**. The definition of the platform and the mapping of the functions onto it allows the evaluation of the communication and computation delays. These delays (evaluated in the worst-case or with stochastic analysis methods) can be backannotated on the functional model creating another model that can be analyzed by simulation to evaluate the performance impact of the platform selection and function-to-platform mapping.

In addition to the generation of the communication and synchronization code, the Eclipse-based framework is also in charge of generating the code which provides the configuration of the operating system(s) and the drivers.

**Organization of the paper**: Section II presents the tool framework. Section III describes the plug-ins, focusing on the code generation process. Section IV shows an example of code generation. Finally, Section V ends the paper with the concluding remarks and a discussion of the future work.

A. Related work

In agreement with modern development methodologies [12][8][1], Model-Driven Architecture (MDA) recognizes system development as a multi-stage effort, in which a set of required functions, defined in an abstract or Platform Independent Model (PIM) are deployed, possibly automatically, onto an execution architecture. The result of this step is a Platform Specific Model (PSM). The term Model-Based Design (MBD) indicates a slightly different approach and especially a different set of models and tools (considered as competing or alternative with respect to those used in an MDA process). While MDA originated from the move of a fundamentally software-oriented community (object-oriented design) towards system-level modeling and embedded systems development, MBD is very popular in the development of control-oriented functions and originated from the domain of control engineering and systems engineering. As such, MBD languages are usually based on a restricted but formal syntax and semantics, with an underlying Model of Computation (MoC) based on mathematical rules. A Synchronous Reactive semantics (SR) [13] is the foundation of the most popular tools such as Simulink and SCADE. It has been proposed [14][15][16], that future trends in model engineering will encompass the definition of integrated design flows exploiting complementarities between UML or SysML and Matlab [17]. Matlab/Simulink provide a stronger semantics characterization of the modeling language and the possibility of modeling the controlled system as a continuous-time system of differential equations. The MBD languages allow for the simulation of the controller-plant interactions and verification capabilities. The OMG is currently enriching UML and SysML with a set of more formal action languages, including fUML and Alf. However, these languages are still not fully established in the practice and supported by tools (the Alf 1.0 specification is of February 2011) and do not allow for the modeling of physical systems and continuous-time systems (they are still oriented to the software components).

The combination of the two models (SysML and Simulink) requires the capability of model-to-model transformations and integration of heterogeneous models. These operations are today often performed by hand, motivated by the fact that proprietary modeling languages, such as Simulink, lack a publicly accessible meta-model [14]. The matching between functional and execution architectures is advocated by many in the academic community (examples are the Y-cycle [18] and the Platform-Based Design PBD [19]) and in the industrial domain (the AUTOSAR automotive standard [20] is probably the most relevant recent example) as a way of obtaining modularity and separation of concerns between functional specifications and their implementation on a target platform. In this way, true portability of functionality and full reuse of
both the functional components and the execution platform systems can be achieved. The OMG similarly proposed the MDA development, in which a PIM is transformed into a PSM, although without an explicit separation between the execution architecture modeling and the mapping of functions to architecture. Examples of methods tools and case studies in the domain-specific languages for the platform entities either by to large-scale embedded systems include the development of structure arises from the mapping. Approaches that are tailored to the transformation of a PIM into a PSM are in [21]. In reality, very few examples exist for the application of the proposed methodology to the mapping of complex functionality to a distributed embedded system, in which a messaging and task structure arises from the mapping. Approaches that are tailored to large-scale embedded systems include the development of domain-specific languages for the platform entities either by the creation of specialized profiles of a standard language, such as the MARTE profile [22] built on top of UML or the EAST-ADL language [23]. Code generation and integration of heterogeneous models are not among the goals of these projects. Similarly, the generation of code from a PSM is mostly limited to customization of a specific operating system or communication (middleware) layers. As for the model-to-model transformations and heterogeneous models integration, several approaches, methods, tools and case studies have been proposed. Several approaches (examples are GME [24] and Metropolis [25]) propose the use of a general meta-model as an intermediate target for the model integration. Also, the Eclipse modeling framework [26] provides support for meta-model specifications through its ECore meta-meta-modeling language [9]. Model-to-model transformation engines are available for the Eclipse environment including ATL [27] and QVT [26].

Raghav et al. [28] and Hugues et al. [29] proposed two similar MDA methods for describing the functional behavior according to a reference architecture and then comparing the deployed system with respect to the reference to check whether the performance (delay) target is guaranteed. Although the performance is checked against scheduling delays, there is no clear separation of the functional and platform designs.

Contributions of the paper:
The proposed framework bridges the gap between the MBD and MDA approaches. A meta-model is defined to represent the functional model, the deployed architecture and the mapping information. The functional and architectural models evolve independent from each other. Only the mapping model establishes a connection between them, indicating where the functional components are allocated on and how data is exchanged. A code generation facility is provided for the automatic generation of the task, communication and synchronization code. The performance is evaluated by estimating communication delays and task scheduling delays and then simulating the behavior of the system for the selected platform option.

Among the cited commercial and research frameworks, those that provide a clear separation of the functional and platform models (such as AUTOSAR, GME, Metropolis or the ATESST/EAST-ADL framework) typically do not provide a code generation path for distributed implementation based on open source tools and open standards (such as the Eclipse EMF). Other proposed frameworks do not allow the merger of synchronous models into an MDA architecture model (with enough information to support flow preservation) but strictly follow the MDA approach. Examples are the open source Papyrus and Topcased frameworks.

Other projects focus on the modeling infrastructure and the capability of modeling timed events (TIMMO/TIMMO2 [30]) with (at least until now) no support for code generation. Compared with other projects that put emphasis on the code generation infrastructure (such as GeneAuto [31] or ProjectP [32]), we aimed at the use of Ecore meta-models and standard model-to-text transformations; we provide support for modeling distributed execution platforms (missing in GeneAuto) and the corresponding code generation stages for network communication.

II. Modeling Framework

The proposed framework covers aspects related to the creation, analysis, and deployment of the models. Except for the commercial tools for functional modeling (Simulink), all of the project meta-models, editors and code generators have been developed as a set of plug-ins of the freely-available Eclipse EMF. EMF provides not only the capability to define meta-models, but also tools for the automatic generation of Java classes, model serialization (in XMI) and factories, as well as simple tree-based model editors. The following section focuses on the definition of the meta-models that have been proposed to represent the platforms, the function-to-platforms and mapping models. The code generation capability, built on the model-to-text Acceleo generation engine, is described in Section III. The tools for the timing analysis and the model back-annotation are under development.

The meta-model is divided in three main packages: Functional, Platform, consisting of a Library and System Architectural sub packages, and Mapping. For the sake of simplicity, links among the packages are not shown in the figures, and will be explained only when needed.

The functional meta-model, depicted in Figure 2, represents the PIM and is designed to be as general as possible to accommodate imports from different modeling tools. It consists of a net list of functional subsystems (or components), and the constraints on their execution (derived from the semantics of the functional model or annotated after their import), including their activation events, the execution order and the timing constraints. Because of the need to connect the code generated in Eclipse/EMF starting from the platform mapping model with the code generated by the Simulink RTW/EC tool-chain, a set of rules has been adopted which defines the smallest unit of execution in the functional model. In our case, the smallest unit corresponds to a Simulink (non virtual) subsystem executing at a single rate. The Mathworks code generator is instructed to generate a (C-language) Step function, implementing the state update and the output update part of the model blocks inside the subsystem.

When imported in our functional meta-model, the net list is composed by the following elements:

- **Proc**, representing an active object offering a set of functions in a provided interface with a mandatory Step function plus the initialization and termination operations, and several required interfaces consisting of the Read and Write methods from/to the input/output ports;
- **Var**, a passive object matching the concept of a logical connection between Procs or the interface object between a Proc and the controlled system (an I/O interface). It is equivalent to a Simulink signal connection between two functional subsystems of the controller or between a controller subsystem and the controlled plant;
• **Trigger**, events commanding the execution of **Proc Steps**.

The constraints include **TimeConstraint** specifications, which may be either activation events assumptions (periods or minimum inter-arrival times) or deadline constraints, as applied to method invocations paths (represented by **EventPath**, **Path** and **Event** concepts).

---

**Fig. 2.** The meta-model for the description of the functional subsystems.

The execution platform meta-model, shown in Figure 3, defines the hardware and software resources available in the system. The execution platform model needs to be modular and to support the concept of component libraries.

The main architectural elements that are used by the execution architecture designer are the followings:

- **Embedded Control Unit** (ECU), which is a set of electronic boards, connected through communication links;
- **Board**, which may host several **Controllers** and **Devices**;
- **Controller**, which may include several **Cores** and **Peripherals**;
- **Core**, representing a computational unit;
- **Peripheral**, representing an electronic component which extends the Controller’s functionalities;
- **Devices**, which represent I/O devices using a set of peripherals. So far, the meta-model supports buttons, touch screens, leds, lcd displays and servo motors. Communication units belong to a special class of devices, handled separately;
- **Real-Time Operating System** (RTOS), which may run on **Cores**.

The platform meta-model is completed by the project-specific definitions, as shown in Figure 4, showing the elements of the hardware and software architecture deployed for supporting the execution of the functions in one specific project instance. The main entities at this level are ECU instances (**ECUDeployment**), with the RTOSs executing on them (**RTOSDeployment**) and the communication buses (**Bus**). Each **Bus** object references the connected ECUs and the associated communication devices.

Figure 5 shows a screenshot of the developed Eclipse plug-in which defines the platform execution model out of the library components.

Once the system execution architecture is defined, a mapping model associates functional elements to tasks and then tasks to the (HW) processing elements, following the schema of Figure 6. The communication signals of the functional view are mapped (when needed) to messages and in turn, messages onto the physical links of the execution platform.

The task is the unit of concurrent execution that can run on one of the system cores, under the control of an operating system. The information about which RTOS hosts a specific task is handled by an association between the **Task** objects...
(Figure 6) and the RTOSDeployment (Figure 4). The Step methods of the functional subsystems are executed in the context of one of the task defined in the mapping model. More precisely, a list of ProcMaps, sorted according to an execution order, belongs to each task. Each ProcMap refers to the appointed Proc’s method (the connection between ProcMap in Figure 2 and Method in Figure 6 is not shown). Moreover, designers must specify all the information concerning task times (such as period and deadline) and scheduling (priority and reserved stack). The mapping of the functional subsystems (Procs) into tasks is subject to constraints and validation.

VarMap, the second important class of the Mapping package, concerns the mapping of Vars (representing communication or I/O links, depending on the mapping). As shown in Figure 1, VarMap is a generic interface and four possible derived classes are instantiable: VarDevice is used to map custom devices to real devices and the other three to model all the possible communication scenarios according to the placement of the methods of Pros into tasks. IntrTaskVar communication takes place when two communicating pros are mapped into the same task (implemented using variables local to the task). IntTaskVar communication occurs between two tasks on the same Core. In this case, a suitable protection mechanisms for shared resources, provided by the operating system (part of the platform model) is used. The most complex case happens when the communication needs to be established between two remote tasks executing on different cores, or processors, connected by either an intra-chip network, a field bus or another network. An IntECUVar mapping object is automatically generated to represent this kind of communication, linking a Var to a specified portion of a Frame. Frames are periodic communication messages which are exchanged between two nodes through a shared bus.

III. CODE GENERATION PROCESS

Clearly, given the variety of the available hardware and basic software standards, it is impractical for us to define library objects for all the possible execution platforms. Currently, the generation of the code is focused on the OSEK/VDX (now AUTOSAR) operating system standard \[33\] (the library is of course extensible, as long as the definitions comply with the presented meta-model). The generator uses the standard OSEK objects (e.g. task, alarm, counter and mutex) and supports the OSEK/AUTOSAR API.

In this section, we provide information on the main Acceleo code generation templates for the system configuration, tasks, communications, and I/O code.

A. System configuration

In OSEK, the OIL (OSEK Implementation Language) \[34\] declarations are used to configure the operating system structures and objects according to the tasks and the shared resources. OSEK is a standard for single-processor systems. Therefore, the code generation process will need to generate one set of OIL declarations for each core. The OIL description of an OSEK application consists of a set of OIL objects, characterized by attributes and references which can be divided in three macro areas: operating system, task and resource definitions. Figure 4 shows the code generation script that is used to generate the first part, concerning the operating system configuration, which specifies:

- Locations of the header files;
- Source files, for creating the binary executable file. More precisely:
  - Functional files, containing the functional subsystem methods (previously generated by RTW/EC from the Simulink model);
  - Driver files, containing the custom device drivers;
  - Task files, containing the task settings and their bodies with the invocations of the functional methods and the middleware read/write operations;
  - Buses files, containing the configuration of the communication stacks of all the buses. Moreover, this file configures the middleware tasks for the implementation of the remote communication;
- Information about boards, controllers and cores, and the configuration of the scheduler for each core.

In the task configuration part of the OIL file, shown in Figure 5 periodic tasks are declared. A unique shared counter is defined as a base for all the alarms, which in turn provide the activation of the periodic tasks. For each task, a dedicated alarm object is defined. The task declaration specifies its (static) priority, preemptability, stack memory requirements and the resources it uses. For each frame, a middleware task and its relative alarm are added to handle the communication.

Another set of declarations is used to define the required shared resources for each node as shown in Figure 6. The OSEK resource in question corresponds to an immediate priority ceiling (pseudo) semaphore protecting the critical sections (identified by a pair of matching calls: GetResource and ReleaseResource). Shared resources are generated for all the communications that occur between functional subsystems mapped onto different tasks belonging to the same operating system. Additional Resources are needed to protect communication buffers as they are the interface between the application and the communication middleware for the objects mapped into network messages.
OS myOs {
  /* Library includes */
  CFLAGS = "-I\{lib.sourcePath/}/inc";
  /* Functional code includes */
  [for (task: Task | cg.mapping.tasks)]
    [if (task.location=rtos)]
      [for (procMap: ProcMap | task.procs)]
        let proc : Proc = procMap.proc.owner
        CFLAGS = "-I\{cg.functional.sourcePath/}/" +
          "\{cg.functional.prefix/}\" +
          "\{proc.name/}\{cg.functional.postfix/}"
        [/let]
    [/if]
  [/for]
  /* Boards */
  [for (board : Board | ecu.ecu.boards)]
    [if (board.name='flex_motionboard')]
      EE_OPT = '__USE_MOTIONBOARD__';
      BOARD_DATA = EE_FLEX {
        USELEDS = TRUE;
      };
    [/if]
  [/for]
  /* Controllers and cores */
  [for (board : Board | ecu.ecu.boards)]
    [for (controller : Controller | board.controllers)]
      [if (rtos.location.name.strcmp(controller.name)=0)]
        [for (core: Core | controller.cores)]
          MCU_DATA = [core.name/] {
            MODEL = [controller.name/];
            [/for]
          };
          CPU_DATA = [core.name/] {
            MODEL = [controller.name/];
            [/for]
          };
      [/if]
    [/for]
  [/for]
  /* Tasks and ALARMS */
  [for (task : Task | cg.mapping.tasks)]
    [if (task.location.toString().strcmp(rtos.toString() )=0)]
      TASK [task.name/] {
        PRIORITY = [task.scheduling.priority/];
        [/if]
      };
    [/for]
    ALARM ALARM_[task.name/] {
      COUNTER = "SHARED_TASK_COUNTER";
      ACTION = ACTIVATETASK { TASK = [task.name/]; };
    };
  [/for]
  /* RESOURCES */
  [for (varMap : VarMap | cg.mapping.vars)]
    [if (varMap.eClass().name='InterTaskVar')]
      let var : InterTaskVar = varMap
      RESOURCE = [var.mutex.name/];
    [/if]
    [for (frame : Frame | cg.mapping.frames)]
      RESOURCE = [frame.mutex.name/];
    [/for]
  [/for]
}

Fig. 7. Part of the Acceleo script for generating the kernel configuration of the OSEK/OIL file.

Fig. 8. Part of the Acceleo script for generating the ALARM and TASK objects of the OSEK/OIL file.

Fig. 9. Part of the Acceleo script for generating the RESOURCE objects of the OSEK/OIL file.
OIL declarations are complemented by the corresponding application configuration files. As shown in Figure 10, this configuration code contains the timer interrupt handler, the hardware configuration function and the program entry point (main function) for each core. The system configuration is implemented by the function system_init, which invokes the initialization function for all the buses to which the node is connected and for all the ECUs. The main function calls the initializing functions, setting the system base rate and configuring each alarm to activate the corresponding periodic task. Finally, it enters an infinite loop.

```c
/* System Timer Interrupt */
ISR2__(T1Interrupt)
{
    clean_T1_interrupt_flag();
    CounterTick(SHARED_TASK_COUNTER);
}

/* System Initialization Function */
void system_init(void)
{
    /* ------ Network components initialization ------ */
    for (bus : Bus | cg.architecture.busses)
    {
        if (node.ecu=ecu)
            [bus.name/]
        [/if]
    [/for]
    
    /* -------------- Procs ------------ */
    for (task : Task | cg.mapping.tasks)
    {
        [task.timeInstance.activation.round()=0]
            [task.name/]
        [/for]
    [/for]
}

/* Main function */
int main(void)
{
    /* Initialize system */
    system_set_timer(SYSTEM_KHZ);
    system_init();
    /* Start periodic tasks */
    tasks_start();
    /* Background activity here */
    for (;;) ;
    return 0;
}
```

Fig. 10. Script for the timer interrupt, initialization code and task activation.

B. Tasks

The tasks code is generated as a sequence of calls to the step methods of the functional subsystems mapped into it, as shown in Figure 11. Calls are sequentialized according to the mapping order, which must be consistent with the partial order of execution specified by the semantics of the functional model. Each invocation of the step method is preceded/followed by the middleware read/write functions implementing the functional data flows.

Tasks activations are performed by the RTOS, as configured through the OSEK system call SetRealAlarm by the tasks_start function.

```c
/* TASKs Definition */
for (task : Task | cg.mapping.tasks)
    [if (task.location.toString().strcmp(rtos.toString())=0)]
        TASK([task.name/])
    [/for]
for (procMap : ProcMap | task.procs)
    [if (methodRef.called=procMap.proc)
        [if (varMap.var=methodRef.called.owner)
            resolve_READ_CONNECTION_[methodRef.caller.owner.name/]()]
        [/if]
    [/for]
[/for]
/* Start periodic tasks */
for (task : Task | cg.mapping.tasks)
    [if (task.timeInstance.activation.round()=0)]
        [if (methodRef.owner=task)
            SetRelAlarm(ALARM_[task.name/])
        [/if]
    [/for]
/* System Initialization Function */
void tasks_start(void)
{
    /* Start periodic tasks */
    for (task : Task | cg.mapping.tasks)
        [if (task.location.toString().strcmp(rtos.toString())=0)]
            [if (methodRef.owner=task)
                SetRelAlarm(ALARM_[task.name/])
            [/if]
        [/if]
    [/for]
    
    /* Task Initialization Function */
    void tasks_start(void)
    {
        for (task : Task | cg.mapping.tasks)
            [if (task.location.toString().strcmp(rtos.toString())=0)]
                [if (methodRef.owner=task)
                    SetRelAlarm(ALARM_[task.name/])
                [/if]
            [/if]
        [/for]
    [/for]
}
```

Fig. 11. Accelio script for generating tasks’ body and task configuration.

C. Buses

The code implementing the distributed communication, for which the generation template is (partly) shown in Figure 12, is divided into two main scopes: communication management and initialization.

Communications among nodes are handled through a middleware layer that hides the details of the physical communication link. Functional communication is mapped into Frames. Each frame makes use of a shared memory buffer (protected by a mutex) and a periodic task which either sends or receives data (the operation depends on the direction of the link).

Communication initialization is achieved generating an initialization method "(bus name) Init" for each bus used by the ECU, which configures all the transceivers accessing the bus. The same function initializes the frame data structures and configures the periodic middleware tasks which forwards frames through the network.

D. Communication and Synchronization (Glue code)

The code implementation of the middleware read/write functions, representing the communication links (Vars), depends on the task and core mapping of the blocks at the two endpoints of the communication.
IntraTaskVar

When the Var mapping is an instance of IntraTaskVar, the access functions execute simple read/write operations to the shared variable. If the endpoints are located on different processors, read and write accesses to the shared variable are protected by instructions to get/release the relative Resource to prevent race conditions. The last case, which occurs when the sender and the receiver are on different processors (InterECUVar), is handled by reading/writing the assigned area of the message frame buffer. To avoid race conditions when accessing the middleware frame buffer, memory accesses are protected using a middleware resource.

```c
unsigned char buffer['\['/\]MAX_PAYLOAD_SIZE\]'/
memset(buffer, ' ', MAX_PAYLOAD_SIZE);
memcpy (buffer,&(CG_BUFFER_[var.frames.name]/\['\['/\]\[var.varPos/\]\]'/
memcpy (&(CG_BUFFER_[var.frames.name]/\['\['/\]\[var.varPos/\]\]'/
```

For each communication Var connecting a data signal element mapped on the system platform, the Acceleo script, reported in Figure 13, can generate three different implementations. When the Var mapping is an instance of IntraTaskVar, the access functions execute simple read/write operations to a shared variable. If the endpoints are located on different processors, read and write accesses to the shared variable are protected by instructions to get/release the relative Resource to prevent race conditions. The last case, which occurs when the sender and the receiver are on different processors (InterECUVar), is handled by reading/writing the assigned area of the message frame buffer. To avoid race conditions when accessing the middleware frame buffer, memory accesses are protected using a middleware resource.

```c
extern char CG_BUFFER_[var.frames.name]/\['\['/\]'
GetResource\([variable.mutex.name]/\]
GetRelAlarm(ALARM_FRAME_[frame.name]/, \[frame.activation/\], \[frame.period/\]*SYSTEM_TICK_MS/2/)
SetRelAlarm(ALARM_FRAME_[frame.name]/, \[frame.activation/\], \[frame.period/\]*SYSTEM_TICK_MS/)
GetResource\([variable.mutex.name]/\]
ReleaseResource\([variable.mutex.name]/\]
```

Fig. 12. Acceleo script for generating bus and communication management.

Fig. 13. Acceleo script for generating middleware read/write functions.
Three different execution platforms have been defined for our case study (Figure 15), corresponding to centralized and distributed implementations of the control application.

The first configuration consists of a Motion ECU, running a Simulink model for the simulation and validation of the control application. In this case, only the controller is mapped into a single ECU, while the control is executed remotely.

The second configuration consists of a Motion ECU providing access to the custom devices using three tasks. The subsystems implementing the control are mapped on one ECU, while the I/O subsystems on the other. The generation process creates four read and write function pairs, implemented as accesses to two frames sent over the wireless communication channel. The ball position (X and Y) is placed in the frame sent to the controller. The desired angles for the plate motors defined by the controller, are mapped into a reply frame. Overall, not a single line of C code has been written in all cases and the Simulink model was unchanged every time it was redeployed into a new architecture. The mapping phase corresponds to stage (3) in Figure 1.

The third configuration, the distributed scenario, which contains two Motion ECUs, analyzes the effect of the communication jitter and packet losses. On each ECU, tasks execute with a period equal to 50ms. The subsystem implementing the control is mapped on one ECU and the I/O subsystems on the other. The generation process creates four read and write function pairs, implemented as accesses to two frames sent over the wireless communication channel. The ball position (X and Y) is placed in the frame sent to the controller. The desired angles for the plate motors defined by the controller, are mapped into a reply frame. Overall, not a single line of C code has been written in all cases and the Simulink model was unchanged every time it was redeployed into a new architecture. The mapping phase corresponds to stage (3) in Figure 1.

The distributed scenario, which contains two Motion ECUs, analyzes the effect of the communication jitter and packet losses. On each ECU, tasks execute with a period equal to 50ms. The subsystem implementing the control is mapped on one ECU and the I/O subsystems on the other. The generation process creates four read and write function pairs, implemented as accesses to two frames sent over the wireless communication channel. The ball position (X and Y) is placed in the frame sent to the controller. The desired angles for the plate motors defined by the controller, are mapped into a reply frame. Overall, not a single line of C code has been written in all cases and the Simulink model was unchanged every time it was redeployed into a new architecture. The mapping phase corresponds to stage (3) in Figure 1.

D. Performance evaluation

Figure 15 shows the measured error in the position of the ball with the three execution platform (and mapping) options starting from an initial offset of 12cm from the center, and compares it with the results of a zero-delay Simulink model. Errors are expressed in terms of distance (meters) between the plate center and the actual ball position.

When all subsystems are local and mapped into a single platform, the performance is very close to the simulation data. The 3-tasks model introduces additional sampling delays and a slower dynamics. The distributed architecture presents an even worse performance as bringing the ball to the center takes a longer time. Moreover, the system suffers of marked oscillations due to communication jitters and packet losses.

Although the fourth step in Figure 1 concerns mostly an offline analysis of the PSM model, also the online evaluation of the performance can be considered as part of step (4).
and the accuracy of the performance prediction.

In order to enhance the simulation effectiveness and scheduling delays and back-annotate the Simulink model, the framework assists in the automatic execution platforms and the mapping of MBD-developed functionalities on them. The framework includes the capability of estimating communication and synchronization activities. Future developments will have the capability of estimating communication and scheduling delays and back-annotate the Simulink model with them, in order to enhance the simulation effectiveness and the accuracy of the performance prediction.

V. Conclusion

This paper presents a framework for the modeling of execution platforms and the mapping of MBD-developed functionalities on them. The framework assists in the automatic generation of tasks and middleware layer that implements the communication and synchronization activities. Future developments will have the capability of estimating communication and scheduling delays and back-annotate the Simulink model with them, in order to enhance the simulation effectiveness and the accuracy of the performance prediction.

REFERENCES


