Computing Robustness of FlexRay Schedules to Uncertainties in Design Parameters

Arkadeb Ghosal, Haibo Zeng
General Motors Research
{arkadeb.ghosal,haibo.zeng}@gm.com

Marco Di Natale
Scuola Superiore Sant'Anna
marco@sssup.it

Yakov Ben-Haim
Technion - Israel Institute of Technology
yakov@techunix.technion.ac.il

Abstract—In the current environment of rapidly changing in-vehicle requirements and ever-increasing functional content for automotive EE systems, there are several sources of uncertainties in the definition of EE architecture design. This is also true for communication schedule synthesis where key decisions are taken early because of interactions with the suppliers. The possibility of change necessitates a design process that can analyze schedules for robustness to uncertainties, e.g., changes in estimated task durations or communication load. A robust design would be able to accommodate these changes incrementally without changes in the system scheduling, thus reducing validation times and increasing reusability. This paper introduces a novel approach based on the info-gap decision theory that provides a systematic scheme for analyzing robustness of schedules by computing the greatest horizon of uncertainty that still satisfies the performance requirements. The paper formulates info-gap models for potential uncertainties in schedule synthesis for a distributed automotive system communicating over a FlexRay network, and shows their application to a case study.

I. INTRODUCTION

Rapid change in electronic control features in automotive systems introduces uncertainties in design decisions.
This is especially true for the early-binding design process when critical decisions are made under the following uncertainties: (1) system requirements are captured prior to significant design and development, (2) the architecture needs to be developed sufficiently in advance to be available at the right production time frame, and (3) an architecture is projected to be reused across multiple implementations, and different features to cut down cost.

Uncertainties in the system or feature set may cause significant redesign down the life cycle of the system. To avoid such a situation, a system designer needs to estimate the robustness of a design to uncertainties; the most prevalent techniques for such analyses are max-min or sensitivity analysis. Sensitivity analysis studies the variation of the output due to changes in input; the goal is to identify the inputs which cause substantial change in output in contrast to those which cause minor change. Min-max or worst-case analysis chooses a design which minimizes the maximum loss at a specified level of uncertainty. In this paper, we discuss the use of the info-gap methodology [3] to evaluate design decisions based on their ability to tolerate uncertainty. Info-gap differs from the above techniques in (1) allowing unbounded horizon on uncertainty, (2) enabling exploration of structural or functional uncertainty, and (3) analyzing the design decisions across different regions of uncertainty and thus enabling the final decision to reflect the best possible robustness according to requirements.

A critical problem for any distributed system is the synthesis of communication schedules. The choice is made by considering time constraints/metrics (e.g., latency), or extensibility/uncertainty metrics (e.g., utilization). When used for schedule selection, the info-gap technique does not necessarily choose one schedule; it provides different schedules for different ranges of uncertainty.
This necessitates trend analysis to understand the zone of uncertainty, and the performance constraints of the system.

The system model under study is an electronic control system implemented on a distributed architecture communicating over a FlexRay network. In this paper, we use the info-gap technique for evaluating robustness to uncertainty in the payloads of messages transmitted over the network. The technique can be extended for uncertainties in dependency (read-write relation between tasks and messages), number of tasks and messages, period (rate of task execution, or message transmission), and topology (mapping of tasks to hosts and messages to channels).

We next introduce references to work in the area of scheduling subject to uncertainty or sensitivity analysis. Section II presents an overview of the info-gap technique, and compares it with min-max and sensitivity analysis. Section III discusses a system model that uses a FlexRay network and the schedule synthesis problem. Section IV describes in detail the formulation and construction of info-gap models for uncertainty in the length of messages. Section V discusses a representative schedule synthesis problem. Section VI summarizes the key aspects and discusses the next steps.

A. Related work

The literature on FlexRay scheduling, scheduling extensibility and sensitivity analysis in real-time systems is rich. Sensitivity analysis was studied for priority-based scheduled distributed systems [11], with respect to end-to-end deadlines. In [10] a design optimization heuristics-based algorithm for mixed time-triggered and event-triggered systems was proposed. In [5], task allocation and priority assignment were defined with the purpose of optimizing the extensibility with respect to changes in task computation times; the proposed solution was based on simulated annealing. In [7], [9], [8], a generalized definition of extensibility on multiple dimensions