This paper introduces the project Scale4Edge. The project is focused on enabling an effective RISC-V ecosystem for optimization of edge applications. We describe the basic components of this ecosystem and introduce the envisioned demonstrators, which will be used in their evaluation.

Fault coverage analysis and fault simulation are well-established methods for the qualification of test vectors in hardware design. However, their role in virtual prototyping and the correlation to later steps in the design process need further investigation. We introduce a metric for RISC-V instruction and register coverage for binary software. The metric measures if RISC-V instruction types are executed and if GPRs, CSRs, and FPRs are accessed. The analysis is applied by the means of a virtual prototype which is based on an abstract instruction and register model with direct correspondence to their bit level representation. In this context, we analyzed three different openly available test suites: the RISC-V architectural testing framework, the RISC-V unit tests, and programs which are automatically generated by the RISC-V Torture test generator. We discuss their tradeoffs and show that by combining them to a unified test suite we can arrive at a 100% GPR and FPR register coverage and a 98.7% instruction type coverage.

Die Werkzeugdemonstration des QEMU Timing Analyzers (QTA) stellt eine Erweiterung des quelloffenen CPU Emulators QEMU zur Simulation von Softwareprogrammen und deren Worst-Case Zeitverhaltens vor, das durch eine statische Zeitanalyse vorher aus dem Softwareprogramm extrahiert wurde. Der Ablauf der Analyse gliedert sich in mehrere Schritte: Zunächst wird für das zu simulierende Binärprogramm eine WCET-Analyse mit aiT durchgeführt. Im Preprocessing des aiT-Reports wird daraufhin ein WCET-annotierter Kontrollflussgraph erzeugt. Dabei entsprechen die Knoten im Kontrollflussgraph den aiT-Blöcken und die Kanten dem jeweiligen Worst-Case-Zeitverbrauch, um das Programm im aktuellen Ausführungskontext vom Quell- bis zum Zielblock laufen zu lassen. Nach dem Preprocessing werden Binärprogramm und der zuvor erzeugte, zeitannotierte Kontrollflussgraph von QEMU geladen und gemeinsam simuliert. Die Implementierung des QTA basiert auf der Standard TGI Plugin API (Tiny Code Generator Plugin API), die seit Ende 2019 mit QEMU V4.2 verfügbar ist. Dieses API erlaubt die Entwicklung von versionsunabhängigen QEMU-Erweiterungen. Die QEMU-QTA-Erweiterung wird zum Zeitpunkt der Werkzeugdemonstration inklusive des ait2qta-Preprozessors unter github.com im Quellcode frei verfügbar sein. Die Demonstration geht von einer existierenden aiT-Analyse eines für TriCore© kompilierten binären Softwareprograms aus, erläutert das Kontrollflusszwischenformat und zeigt die zeitannotierte Simulation der Software.

Fault effect simulation is a well-established technique for the qualification of robust embedded software and hardware as required by different safety standards. Our article introduces a Virtual Prototype based approach for the fault analysis and fast simulation of a set of automatically generated and target compiled software programs. The approach scales to different RISC-V ISA standard subset configurations and is based on an instruction and hardware register coverage for automatic fault injections of permanent and transient bitflips. The analysis of each software binary evaluates its opcode type and register access coverage including the addressed memory space. Based on this information dedicated sets of fault injected hardware models, i.e., mutants, are generated. The simulation of all mutants conducted with the different binaries finally identifies the cases with a normal termination though executed on a faulty hardware model. They are identified as a subject for further investigations and improvements by the implementation of additional hardware or software safety countermeasures. Our final evaluation results with automatic C code generation, compilation, analysis, and simulation show that QEMU provides an adequate efficient platform, which also scales to more complex scenarios.

Embedded systems require a high energy efficiency in combination with an optimized performance. As such, Bit Manipulation Instructions (BMIs) were introduced for x86 and ARMv8 to improve the runtime efficiency and power dissipation of the compiled software for various applications. Though the RISC-V platform is meanwhile widely accepted for embedded systems application, its instruction set architecture (ISA) currently still supports only two basic BMIs.We introduce ten advanced BMIs for the RISC-V ISA and implemented them on Berkeley's Rocket CPU [1], which we synthesized for the Artix-7 FPGA and the TSMC 65nm cell library. Our RISC-V BMI definitions are based on an analysis and combination of existing x86 and ARMv8 BMIs. Our Rocket CPU hardware extensions show that RISC-V BMI extensions have no negative impact on the critical path of the execution pipeline. Our software evaluations show that we can, for example, expect a significant impact for time and power consuming cryptographic applications.

In diesem Artikel stellen wir eine Methode zur nicht-invasiven dynamischen Speicher- und IO-Analyse mit QEMU für sicherheitskritische eingebettete Software für die RISC-V Befehlssatzarchitektur vor. Die Implementierung basiert auf einer Erweiterung des Tiny Code Generator (TCG) des quelloffenen CPU-Emulators QEMU um die dynamische Identifikation von Zugriffen auf Datenspeicher sowie auf an die CPU angeschlossene IO-Geräte. Wir demonstrieren die Funktionalität der Methode anhand eines Versuchsaufbaus, bei dem eine Schließsystemkontrolle mittels serieller UART-Schnittstelle an einen RISC-V-Prozessor angebunden ist. Dieses Szenario zeigt, dass ein unberechtigter Zugriff auf die UART-Schnittstelle frühzeitig aufgedeckt und ein Angriff auf eine Zugangskontrolle somit endeckt werden kann.

This paper presents an approach for analog fault effect simulation automation based on random fault selection with a high fault coverage of the circuit under test by means of fault injection and simulation based on advanced sampling techniques. The random fault selection utilizes the likelihood of the fault occurrence of different electrical components in the circuit with a confidence level. Defect models of different devices are analyzed for the calculation of the fault probability. A case study with our implemented tool demonstrates that likelihood calculation and fault simulation provides means for efficient fault effect simulation automation.

This paper presents the design flow of using sampling technique for fault injection on sche- matic level. The parameters used in the docu- ment to calculate the likelihood could be modi- fied by using more realistic data from the fab. With the help of the fault simulator, the whole design flow of the fault effect simulation can be realized automatically.

Electronic systems, like they are embedded in road vehicles, have to be compliant to functional safety standards like ISO 26262 [1], which limit the impacts of malfunctions for safety critical systems. ISO 26262, for instance, defines different safety levels for road vehicles, which require different means and measures for a safety compliant system and its development process like risk analysis and fault effect simulation. For fault effect simulation it is important to investigate the impact of physical and hardware related effects to the correct function of a system. This article first studies code and model mutations for fault injection in the context of fault effect simulation through different system abstraction levels. It demonstrates how high level mutations correlate to bit flips of software binaries by examples from the TriCore™ instruction set and finally presents a virtual platform based implementation for automated injection of bit flip based mutations into software binaries. Experimental results demonstrate the efficiency of the implemented approach.

The design of safety critical systems requires an efficient methodology for an effective fault effect simulation for analog and digital circuits where analog fault injection and fault effect simulation is currently a field of active research and commercial tools are not available yet. This article begins by discussing fault injection strategies for analog circuits applied on a case study with two topologies of a Voltage Controlled Oscillator (VCO). In the second part it performs on the basis of the example of a Wireless Sensor Network (WSN) node, how far different mixed level implementations with Verilog-A and SPICE can affect the simulation time and points out which component consumes the major part of the simulation time.

Energy efficiency drives the development of more and more complex low-power designs. Based on dynamic power management techniques, multiple voltage islands as well as a huge amount of power states are specified that have to be tested carefully. In this context, low-power design should start at an early stage using state-of-the-art system-level modeling and simulation techniques. However, there is neither a programming language nor any modeling standard that reflects variable power together with its functional side effects in a well-suited abstract manner. To overcome this limitation, we present a modeling approach on top of SystemC TLM to capture low-power design characteristics at electronic system-level. We demonstrate the usability by means of an existing open-source low-power design. The experimental results show that appropriate TLM instrumentation cause only minimal simulation overhead, but offer sufficient details to identify common low-power design errors.

Intelligent automotive electronics significantly improved driving safety in the last decades. With the increasing complexity of automotive systems, dependability of the electronic components themselves and of their interaction must be assured to avoid any risk to driving safety due to unexpected failures caused by internal or external faults. Additionally, Virtual Prototypes (VPs) have been accepted in many areas of system development processes in the automotive industry as platforms for SW development, verification, and design space exploration. We believe that VPs will significantly contribute to the analysis of safety conditions for automotive electronics. This paper shows the advantages of such a methodology based on today's industrial needs, presents the current state of the art in this field, and outlines upcoming research challenges that need to be addressed to make this vision a reality.

This paper presents an advanced eight levels spanning SystemC based virtual platform methodology and framework - referred to as HeroeS 3 - providing smooth application to platform mapping and continuous co-refinement of a virtual prototype with its physical environment model. For heterogeneity support, various SystemC extensions are combined covering continuous/discrete models of computation and different communication abstractions, such as analog mixed-signal models, abstract RTOS/HAL/middleware models, TLM bus models, and QEMU wrappers. We enable dependability assessment by Fault Effect Modeling (FEM) at the virtual prototype in order to avoid risking physical injury or damage. Also, simulation results are deterministic and can be evaluated interactively or offline. We apply FEM to both the physical environment model and the different abstractions of the virtual prototype. Currently, we focus on sensor failures and application control flow errors.

The ever-increasing complexity of heterogeneous electronic systems demand for intensified abstraction and automation efforts to improve design, verification and validation productivity, especially in earlier phases of system engineering. Within the verification activity various metrics can be applied to determine functional correctness or the overall progress. Here, a supporting verification methodology defining high-level verification planning down to the actual metric code development is essential. Moreover, an advanced assistance for the designer, such as a tooling infrastructure to automatize and accelerate the metric code implementation, is needed to minimize the influence of errorprone manual coding. In this article we present a single-source verification metric code-generation methodology for improved coverage automation. We determine (i) a suitable metric model for model-based capture of verification metrics as well as (ii) an assisted model-based processing and generation flow of the verification environment and metric skeletons. We apply our method to a SystemC case-study, in doing so, targeting metric code implementation productivity and consistency enhancement.

Zur Sicherstellung hoher Zuverlässigkeits- und Fehlertoleranzwerte von Schaltungen und ganzen Systemen finden vermehrt Test- und Verifikationsmethoden Anwendung die einen virtuellen Prototypen (VP) des Systems bereits frühzeitig im Entwurfsablauf einem Stresstest unterziehen. Hierbei werden speziell für die Domäne relevante Fehlerinjektoren verwendet (Digital, Mixed-Signal, Mechanik) die anhand von Fehlermodellen geeignete Testfälle erzeugen und in das System über Stimuli bzw. direkt injizieren. Jede effektive Anwendung einer Methode bedingt jedoch auch das Vorhandensein einer zugrundeliegenden Methodik. In diesem Beitrag wird die System Verification Methodology (SVM) vorgestellt werden, eine universell einsetzbare und erweiterbare Infrastruktur zur Beschreibung von Testumgebungen auf Basis der SystemC Sprache und Simulationskernels.

In this paper, we present an efficient approach to virtual platform modeling for TriCore-based SoCs by combining fast and open software emulation with IEEE-1666 Standard SystemC simulation. For evaluation we consider Infineon's recently introduced AURIX processor family as a target platform, which utilizes multiple CPU cores operating in lockstep mode, memories, hierarchical buses, and a rich set of peripherals. For SoC prototyping, we integrate the fast and open instruction accurate QEMU software emulator with the TLMu library for SystemC co-verification. This article reports our most recent efforts of the implementation of the TriCore instruction set for QEMU. The experimental results demonstrate the functional correctness and performance of our TriCore implementation.

Faced with increasing demands on energy efficiency, current electronic systems operate according to complex power management schemes including more and more fine-grained voltage frequency scaling and power shutdown scenarios. Consequently, validation of the power design intent should begin as early as possible at electronic system-level (ESL) together with first executable system specifications for integrity tests. However, today's system-level design methodologies usually focus on the abstraction of digital logic and time, so that typical low-power aspects cannot be considered so far. In this paper, we present a high-level modeling approach on top of the SystemC/TLM standard to simulate power distribution and voltage based implications in a "loosely-timed" functional execution context. The approach reuses legacy TLM models and prevents the need for detailed lock-step process synchronization in contrast to existing methods. A case study derived from an open source low-power design demonstrates the efficiency of our approach in terms of simulation performance and testability.

In the electronic system development, energy consumption is clearly becoming one of the most important design concerns. From the system level point of view, Dynamic Power Management (DPM) and Dynamic Voltage and Frequency Scaling (DVFS) are two mostly applied techniques to adjust the tradeoff between the performance and power dissipation at runtime. In this paper, we study the problem of combined application of both techniques with regard to hard real-time systems running on cluster-based multi-core processors. To optimize the processor energy consumption, a heuristic based on simulated annealing with efficient termination criterion is proposed. The experiment results show that the proposed algorithm outperforms the existing approaches in terms of the energy reduction.

In this paper we present an approach for the self reconfiguration of distributed micro-controllers for increased fault tolerance. Based on a modified distributed system topology utilizing a time division multiple access (TDMA) protocol, i.e., Flex Ray, we present a self-organized distributed coordinator concept which performs the self-reconfiguration in the case of node failures. We introduce a distributed coordinator, which utilizes redundant slots in the Flex Ray communication schedule and combines messages in configured protocol frames and slots to avoid a complete bus restart. As such, the self-reconfiguration is realized by means of predetermined information about resulting changes in the communication dependencies and (re-)assignments determined in the design phase. To retrieve the necessary information, we present an analytical approach, which determines a combined solution for the initial configuration and all possible reconfigurations for the remaining nodes of the Flex Ray network in case of node failures. Hence, through this method we can design self-reconfiguring network-based systems enabling the handling of node failures for an increased fault tolerance.

This paper proposes a quality driven, simulation based approach to functional design verification, which applies mainly to IP-level HDL designs with well specified test instruction format and is evaluated on a soft microprocessor core MB-LITE [5]. The approach utilizes mutation analysis as the quality metric to steer an automated simulation data generation process. It leads to a simulation flow with two phases towards an enhanced mutation analysis result. First in a random simulation phase, an in-loop heuristics is deployed and adjusts dynamically the test probability distribution so as to improve the coverage efficiency. Next, for each remaining hard-to-kill mutant, a search heuristics on test input space is developed to iteratively locate a target test, using a specific objective cost function for the goal of killing HDL mutant. The effectiveness of this integrated two-phase simulation flow is demonstrated by the results with the MB-LITE microprocessor IP.

SystemC is a versatile C++ based design and verification language, offering various mechanisms and constructs required for embedded systems modeling. Using the add-on SystemC Verification Library (SCV) elemental constrained-random stimuli techniques may be used for verification. However, SCV has several drawbacks such as lack of a functional coverage facility supporting coverage collection on RTL and TLM models. In this article we present a functional coverage library which implements parts of the IEEE 1800-2005 SystemVerilog standard capturing functional coverage throughout the design and verification process, and allows to facilitate coverage-driven verification in SystemC.

UML profiles like SysML and MARTE have been a major research topic in electronic system design, but are mainly applied for specification and analysis in early design phases. High-Level Synthesis (HLS), however, addresses the physical implementation aspect of electronic systems, and thus leads to different requirements on the accuracy of models. For this, modular interfaces are a novel object-oriented synthesizable technique to overcome the conflict between a higher degree of abstraction and necessary details for further synthesis. In this paper, we present our approach to use SysML as an adequate modeling language for modular interfaces and C/C++/SystemC-based HLS. We extended SysML with annotations for synthesizable SystemC and high-level synthesis constraints and implemented a code generation scheme to achieve design flow automation. Based on the SysML editor Artisan Studio and an industrial case study, we demonstrate the applicability of SysML as a retargetable front-end for HLS design flows.

Mutation analysis is a powerful tool for white-box testing of the verification environment in order to produce dependable and higher quality software products. However, due to high computational costs and the focus on high-level software languages such as Java mutation analysis is not yet widely used in commercial design flows targeting embedded (software) systems. Here the industry is modeling both hardware and related software parts at higher levels of abstraction, called virtual prototypes, to accelerate parallel development and shorten time-to-market. In this paper we propose a mutation testing verification flow for SystemC based virtual prototypes that may not rely on source code only but on annotated basic blocks and enables mutant creation at assembler level to heavily reduce execution costs and equivalence mutants likelihood.

In this paper we present an approach for the configuration and reconfiguration of FlexRay networks to increase their fault tolerance. To guarantee a correct and deterministic system behavior, the FlexRay specification does not allow a reconfiguration of the schedapproachule during run time. To avoid the necessity of a complete bus restart in case of a node failure, we propose a reconfiguration using redundant slots in the schedule and/or combine messages in existing frames and slots, to compensate node failures and increase robustness. Our approach supports the developer to increase the fault tolerance of the system during the design phase. It is a heuristic, which, additionally to a determined initial configuration, calculates possible reconfigurations for the remaining nodes of the FlexRay network in case of a node failure, to keep the system working properly. An evaluation by means of realistic safety-critical automotive real-time systems revealed that it determines valid reconfigurations for up to 80% of possible individual node failures. In summary, our approach offers major support for the developer of FlexRay networks since the results provide helpful feedback about reconfiguration capabilities. In an iterative design process these information can be used to determine and optimize valid reconfigurations.

UML is widely applied for the specification and modeling of software and some studies have demonstrated that it is applicable for HW/SW codesign. However, in this area there is still a big gap from UML modeling to SystemC-based verification and synthesis environments. This paper presents an efficient approach to bridge this gap in the context of Systems-on-a-Chip (SoC) design. We propose a framework for the seamless integration of a customized SysML entry with code generation for HW/SW cosimulation and high-level FPGA synthesis. For this, we extended the SysML UML profile by SystemC and synthesis capabilities. Two case studies demonstrate the applicability of our approach.

Today, mobile and embedded real time systems have to cope with the migration and allocation of multiple software tasks running on top of a real time operating system (RTOS) residing on one or several processors. For scaling of each task set and processor configuration, instruction set simulation and worst case timing analysis are typically applied. This paper presents a complementary approach for the verification of RTOS properties based on an abstract RTOS-Model in SystemC. We apply IEEE P1850 PSL for which we present an approach and first experiences for the assertion-based verification of RTOS properties.

Safety-critical automotive systems must fulfill hard real-time constraints for reliability and safety. This paper presents a case study for the application of an AUTOSAR-based language for timing modeling and analysis. We present and apply the Timing Augmented Description Language (TADL) and demonstrate a methodology for the development of a speed-adaptive steer-by-wire system. We examine the impact of TADL and the methodology on the development process and the suitability and interoperability of the applied tools with respect to the AUTOSAR-based tool chain in the context of our case study.

Today we can identify a big gap between requirement specification and the generation of test environments. This article extends the Classification Tree Method for Embedded Systems (CTM/ES) to fill this gap by new concepts for the precise specification of stimuli for operational ranges of continuous control systems. It introduces novel means for continuous acceptance criteria definition and for functional coverage definition.

Refinement of untimed TLM models into a timed HW/SW platform is a step by step design process which is a trade-off between timing accuracy of the used models and correct estimation of the final timing performance. The use of an RTOS on the target platform is mandatory in the case real-time properties must be guaranteed. Thus, the question is when the RTOS must be introduced in this step by step refinement process. This paper proposes a four-level RTOS-aware refinement methodology that, starting from an untimed TLM SystemC description of the whole system, progressively introduce HW/SW partitioning, timing, device driver and RTOS functionalities, till to obtain an accurate model of the final platform, where SW tasks run upon an RTOS hosted by QEMU and HW components are modeled by cycle accurate TLM descriptions. Each refinement level allows the designer to estimate more and more accurate timing properties, thus anticipating design decisions without being constrained to leave timing analysis to the final step of the refinement. The effectiveness of the methodology has been evaluated in the design of two complex platforms.

In this article, we present a flexible simulation environment for embedded real-time software refinement by a mixed level cosimulation. For this, we combine the native speed of an abstract real-time operating system (RTOS) model in SystemC with dynamic binary translation for fast Instruction Set Simulation (ISS) by QEMU. In order to support stepwise RTOS software refinement from system level to the target software, each task can be separately migrated between the native execution and the ISS. By adapting the dynamic binary translation approach to an efficient but yet very accurate synchronization scheme the overhead of QEMU user mode execution is only factor two compared to native SystemC. Furthermore, the simulation speed increases almost linearly according to the utilization of the task set abstracted by the native execution. Hereby, the simulation time can be considerably reduced by cosimulating just a subset of tasks on QEMU.

In this paper we present new concepts to resolve ECU (Electronic Control Unit) failures in FlexRay networks. Our approach extends the FlexRay bus schedule by redundant slots with modifications in the communication and slot assignment. We introduce additional backup nodes to replace faulty nodes. To reduce the required memory resources of the backup nodes, we distribute redundant tasks over different nodes and propose the migration of tasks to the backup node at runtime. We investigate different solutions to migrate the redundant tasks to the backup node by time-triggered and event-triggered transmissions.

It's wide application in the area of software engineering, UML is still not fully accepted for other engineering domains like for electronic systems design. The main obstacle is due to a major gap in the design flow between UML-based modeling and verification. To overcome this gap, we introduce a UML profile for synthesizable SystemC and C and present its implementation in the context of the advanced SysML modeling environment of ARTiSAN Studio. We demonstrate how to customize Studio for SystemC/C comodeling so that it can serve as a verification and synthesis front-end.

The main obstacle for the wide acceptance of UML and SysML in the design of electronic systems is due to a major gap in the design flow between UML-based modeling and SystemC-based verification. To overcome this gap, we present an approach developed in the SATURN project which introduces UML profiles for the co-modeling of SystemC and C with code generation support in the context of the SysML tool suite ARTiSAN Studio®. We finally discuss the evaluation of the approach by two case studies.

We introduce a structured methodology for the generation of executable test environments from textual requirement specifications via UML class diagrams and the application of the classification tree methodology for embedded systems. The first phase is a stepwise transformation from unstructured English text into a textual normal form (TNF), which is automatically translated into UML class diagrams. After annotations of the class diagrams and the definition of test cases by sequence diagrams, both are converted into classification trees. From the classification trees we can finally generate SystemVerilog code. The methodology is introduced and evaluated by the example of an Adaptive Cruise Controller.

Many heterogeneous embedded systems, for example industrial automation and automotive applications, require hard-real time constraints to be exhaustively verified - which is a challenging task for the verification engineer. To cope with complexity, verification techniques working on different abstraction levels are best practice. SystemC is a versatile C++ based design and verification language, offering various mechanisms and constructs required for embedded systems modeling. Using the add-on SystemC Verification Library (SCV) elemental constrained-random stimuli techniques may be used for verification. However, SCV has several drawbacks such as lack of functional coverage. In this paper we present a functional coverage library that implements parts of the IEEE 1800-2005 SystemVerilog standard and allows capturing functional coverage throughout the design and verification process with SystemC. Moreover, we will demonstrate the usability of the approach with a case study working on a CAN bus model written in SystemC.

In this paper we present an approach to increase the fault tolerance in FlexRay networks by introducing backup nodes to replace defect ECUs (Electronic Control Units). In order to reduce the memory requirements of such backup nodes, we distribute redundant tasks over different nodes and propose the distributed coordinated migration of tasks of the defect ECU to the backup node at runtime. This approach enhances our former work in, where we extended the FlexRay bus schedule by redundant slots to consider changes in the communication/slot assignment and investigated and evaluated different solutions to migrate the redundant tasks to the backup node using the static and/or dynamic segment of the communication cycle for transmissions. We present the approach of distributed coordination for migration and communication instead of additional dedicated coordinator nodes to further increase the fault tolerance. With this approach we improve the safety of FlexRay networks by avoiding a possible single point of failure due to a dedicated coordinator node also minimizing the necessary time needed for a reconfiguration after an ECU failure. Furthermore, we reduce the overhead within the communication and the demand for additional hardware components.

Seamless HW/SW codesign flows support early verification of hardware and Hardware-dependent Software (HdS) like drivers, operating systems, and firmware. For early estimation and verification, the application of SystemC in combination with Instruction Set Simulators and Software Emulators like QEMU is widely accepted. In this article, we present an advanced design flow for HW, (RT)OS and HdS refinement and verification with focus on the transition from abstract RTOS verification to full system RTOS/HdS emulation. In the context of assertion-based verification, we introduce a set of generic real-time properties which can be reused and verified at different abstraction levels and discuss their application. The properties are presented by the means of IEEE standard PSL assertions which are applied for mixed SystemC/HdS models.