
ESI Research Agenda on Embedded Systems Engineering

Research Agenda Version: 7.11- 2005-10712 March 1, 2006

Released 2006, Embedded Systems Institutes


TABLE OF CONTENTS

1 MANAGEMENT SUMMARY .... 5
2 STATE-OF-THE-ART, TRENDS AND CHALLENGES .... 7
2.1 Underlying technological trends .... 7
2.2 High-tech systems .... 8
2.3 The challenge of Embedded Systems Engineering .... 9
2.4 Industrial trends .... 11
2.5 European context .... 12
3 STRATEGY OF ESI .... 15
3.1 Structure of the field .... 15
3.1.1 Application domain categories .... 16
3.1.2 System objectives .... 17
3.1.3 Methodology .... 17
3.1.4 Integrated perspective .... 18
3.2 Research organization .... 18
3.2.1 Industry as laboratory .... 19
3.2.2 Preparatory research and technology transfer .... 20
4 ESI RESEARCH APPLICATION DOMAINS AND GENERALISATION .... 23
4.1 Introduction .... 23
4.2 Professional systems .... 23
4.2.1 Industrial sector .... 23
4.2.2 Relation to system objectives .... 24
4.3 High-volume products .... 25
4.3.1 Industrial sector .... 25
4.3.2 Relation to system objectives .... 26
4.4 High-integrity, safety-critical embedded systems .... 28
4.4.1 Industrial sector .... 28
4.4.2 Relation to system objectives .... 29
4.5 Domain generalization: Embedded System engineering .... 29
5 SYSTEM OBJECTIVES .... 33
5.1 Introduction .... 33
5.2 Performance .... 33
5.2.1 Introduction .... 33
5.2.2 Problem statement .... 34
5.2.3 Existing solutions .... 35
5.2.4 ESI research on performance .... 36
5.2.5 Expected results and timeline .... 39
5.2.6 References .... 40
5.3 Reliability .... 42
5.3.1 Introduction .... 42
5.3.2 Problem statement .... 43
5.3.3 Existing solutions .... 44
5.3.4 ESI research on reliability .... 45
5.3.5 Expected results and timeline .... 46
5.3.6 References .... 48
5.4 Evolvability .... 49
5.4.1 Introduction .... 49
5.4.2 Problem statement .... 49
5.4.3 Existing solutions .... 51
5.4.4 ESI research on evolvability .... 51
5.4.5 Expected results and timeline .... 53
5.4.6 References .... 54
6 STATUS AND FURTHER DEVELOPMENT .... 55
A. PROJECT MASTERPLANNING .... 57
B. COVERAGE PLANNED RESULTS BY PLANNED PROJECTS .... 59


1 MANAGEMENT SUMMARY

Research challenge: The overall mission of the Embedded Systems Institute (ESI) is to advance industrial innovation and academic excellence in embedded systems engineering for high-tech systems. Within this general mission the research challenge of ESI is formulated as the challenge to raise embedded system design from a craft to a scientifically based engineering discipline. The proposed research agenda fits ideally with the scope of existing European platforms and programs in embedded systems research.

Structure of the field: To provide the necessary focus and emphasis ESI research considers three application domain categories, viz. those of professional systems, high-volume products, and high-integrity, safety-critical embedded systems. In this structured context the research concentrates on models and methods for the analysis and design of high-tech embedded systems, with a particular emphasis on performance, reliability and evolvability aspects.

Instruments: ESI intends to develop a unique collaborative research ecosystem between industry and academia in which "industry as laboratory" projects play a central role. To enable such projects and secure the role of prospective, longer term research, they are complemented by preparatory research projects.

Research agenda: For each of the application domain categories the relevant aspects of the performance, reliability, and evolvability system objectives are identified. Subsequently, the expected outputs in terms of milestones for modeling and analysis and embedded systems synthesis related to each of the system objectives are listed for the next four years, together with some indications for the period beyond that.

Resources: The majority of proposed research activities can be funded from available research grants, and almost all proposed research activities for the next 4 years can be funded from research grants that are expected to become available within the next half year. The human resources that are required for the activities of the coming 4 years fall within the projected growth path for ESI of 12 Research Fellows by the end of 2006. In particular, the start of three preparatory research projects is anticipated in the coming year. If corresponding funding is granted, as currently expected, their commencement is scheduled for July 1, 2006.

Status: This document constitutes the first edition of the ESI research agenda. As such it forms the basis for the current portfolio of ESI research projects. It also provides the starting point for a further development of ESI research planning in interaction with ESI partners in academia and industry, in particular with the founding partners of ESI. A first revision of the agenda resulting from such consultations is expected by July 1, 2006. Further revisions will be carried out on (at least) a yearly basis.


2 STATE-OF-THE-ART, TRENDS AND CHALLENGES

2.1 Underlying technological trends

Twenty-five years ago approximately 50,000 computers existed in the whole world; today there are an estimated 140 million, and that does not count the embedded processors inside cars, printers, cell-phones, or medical systems (these processors alone represented an 18 billion dollar business in 2005) [1]. No matter what metric you choose - mips per processor chip, bits per memory chip, cost per mip, cost per byte of memory, or transistors per chip - performance has increased by a factor of 100 every 10 years for the past three decades (Moore's Law) - see Figure 1.1. The effects of these developments in the semi-conductor industry have caused a massive penetration of Information and Communication Technology (ICT) into consumer, communication, automotive, and professional markets. The ever-increasing power and miniaturization of hardware has made it possible to embed intelligence in the form of software into all sorts of existing and new products and services, with a potentially unlimited range of applications from transportation to health care, and from general broadcasting to electronic banking.

Figure 2-1: IC transistor count as a measure of system complexity

Example: Television

Only a couple of years ago, a television was a device that accepted an analog broadcast format (e.g. PAL or NTSC) that was displayed on an analog screen. Nowadays, a television is rapidly growing into a system accepting many digital formats as input and providing users with a variety of applications for a richer viewing experience. Input is received via a range of broadcast formats or via personal devices such as cameras, PDAs or audio equipment.

[1] http://www.electronics.ca/PressCenter/articles/98/1/Worldwide-Embedded-Controller%7B47%7DProcessor-MarketGrowing-6%25-In-2005-To-$18-Billion


The display has become digital and the television has been connected to the Internet. This enables a range of new applications such as video on demand, web browsing, and interactive TV. The result is new applications that may themselves collaborate and converge for a richer user experience.

Looking forward, we see technology shifting from the era of microelectronics, where semiconductor devices are measured in microns (1 millionth of a meter), to the new era of nanoelectronics where they will shrink to dimensions measured in nanometers (1 billionth of a meter). This will make electronics applications even more pervasive than today, and allow more intelligence and greater interactivity to be built into many more everyday items, bringing embedded technology to virtually every aspect of our lives. Two main underlying trends can be distinguished, often referred to as "More Moore" and "More than Moore". The first one represents the drive to continue fulfilling Moore's Law and extrapolate the current trend of Figure 1.1 into the future, where it will have to resolve challenges that derive from operating close to the molecular scale and the problem of heat dissipation. The "More than Moore" trend is aiming at the integration in silicon of processors, sensors, actuators, and communication functions, yielding completely integrated systems at unprecedented dimensions of miniaturization.

2.2 High-tech systems

The stated overall mission of ESI is:

To advance industrial innovation and academic excellence in embedded systems engineering for high-tech systems.

Accordingly, ESI research efforts are concentrated on issues related to the design and implementation of high-tech systems. These systems are characterized by the large scale and tightly coupled integration of heterogeneous (and often intelligent) components and enabling technologies. Examples of high-tech components are ICs, intelligent sensors, controllers and mechatronic components. Enabling technologies include the methods to design or processes to manufacture ICs or other technology components, as well as tools, methods, and techniques for programming and design. It is important to observe that high-tech systems may not operate in isolation, but are often used in combination with other systems to realize an overarching function or business process. Such larger systems are also referred to as systems of systems. Examples would be a digital television that is integrated into the digital home, or a medical diagnostic device that is embedded into the hospital workflow environment or ecosystem. While the designs of advanced components and associated enabling technologies are important and have a major influence on the design and engineering of high-tech systems, these are not the primary focus of ESI research. Instead, ESI is concentrating its research on design and engineering of high-tech systems characterized by the closely coupled interaction of complex, heterogeneous, and often intelligent components. Examples of such high-tech systems are lithography scanners, medical scanning systems, printers, televisions, mobile phones, defense systems and automobiles.


Figure 2-2: High-Tech Systems as ESI domain (diagram layers, top to bottom: System-of-Systems; High-tech Systems; Enabling Technologies; (Intelligent) Components)

There is a significant need for know-how in incorporating the multi-disciplinary aspects of high-tech systems, addressing integrated system views, and making the interdependencies between the various disciplines and technologies explicit and manageable. ESI research will deliver this know-how within the domain of embedded systems engineering. This scientific area is extremely diverse, has industrial competitive implications, has a need for greater academic and theoretical underpinnings, and is insufficiently covered by existing research institutes or academic groups.

2.3 The challenge of Embedded Systems Engineering

Effective and reliable exploitation of the tremendous potential of the trends described above requires new ways to deal with the ever widening system design gap, i.e. the fact that the available models and methods for designing high-tech systems and for leveraging and applying new component level technologies in these systems are not able to keep up with the exponential growth of real capabilities at the component level and potential capabilities at all levels above. We cite Lynn Conway in her Foreword to Wayne Wolf's textbook on embedded systems [2]:

"Digital system design has entered a new era. At a time when the design of microprocessors has shifted into a classical optimization exercise, the design of embedded computing systems in which microprocessors are merely components has become a wide-open frontier. Wireless systems, wearable systems, networked systems, smart appliances, industrial process systems, advanced automotive systems, and biologically interfaced systems provide a few examples from across this new frontier. Driven by advances in sensors, transducers, microelectronics, processor performance, operating systems, communications technology, user interfaces, and packaging technology on the one hand, and by a deeper understanding of human needs and market possibilities on the other, a vast new range of systems and applications is opening up. It is now up to the architects and designers of embedded systems to make these possibilities a reality. However, embedded system design is practiced as a craft at the present time. Although knowledge about the component hardware and software subsystems is clear, there are no system design methodologies in common use for orchestrating the overall design process, and embedded system design is still run in an ad hoc manner in most projects."

[2] Wayne Wolf, Computers as Components: Principles of Embedded Computing System Design, Morgan Kaufmann Publishers, 2001.

The research challenge of ESI is in harmony with the idea articulated in the last paragraph: to raise embedded system design from a craft to a scientifically based engineering discipline. To analyze the nature of this challenge we must consider the structure of embedded systems more closely. Embedded systems can be thought of as being made up of the following parts [3]:

- Embedded software.
- Computing devices (processors, memories, busses, etc.) that execute the software.
- Interface devices (sensors, actuators, etc.) with which the software communicates, and that connect to the physical world.

The components above can, of course, again be decomposed into a number of parts or subcomponents. The embedded software, for example, could be decomposed into lower level application software on the one hand and integrating software on the other, i.e. software that is used to link and control the different parts and components. The focus of the research at the ESI is on embedded systems design and engineering: how can a system (or, actually, its specification, constraints, concerns, etc.) be decomposed into subsystems, and subsequently, how can subsystems be integrated into a complete system in the larger context of business and technology applications. Software in embedded systems is different from, for example, desktop application software for two major reasons:

- Embedded systems are multi-technology. They contain software components, electronic components, mechanical components, and antennas, for example.
- Embedded systems interact with physical environments that pose all sorts of constraints on them, and that are subject to all sorts of uncertainties, changes, and failures.

The first item is often phrased as heterogeneity: embedded systems operate in a heterogeneous environment and they are realized by the integration of many different disciplines. Each of these disciplines may use a different language, may have a different mindset, may address different concerns and system objectives. Also, the different implementation and realization characteristics - hardware, software, mechanics, sensors, communication, control type and data flow type of specifications, ... - impose difficulties on the whole design process - different models, different tolerances, calibration issues, interfaces, .... How to combine models and methods from these different domains or disciplines is an unsolved problem. Consequently, any sort of simulation, prediction of properties and design (like partitioning the functionality) is difficult because modularity and principles of abstraction as known within the individual domains are no longer applicable across these disciplines.

[3] S. Heath, Embedded Systems Design, Newnes, 1997.

The second item points to the fact that much of the complexity in embedded software is caused by the interaction with physical phenomena. This results, for example, in concerns about different qualities, such as real-time constraints, other temporal concerns, memory usage, power dissipation, size, weight, fault tolerance and maintainability. Such qualities have to be distributed over the subsystems and their interfaces in a reliable and robust way. Due to uncertainties about the environments in which the systems have to operate, it is often impossible to specify the intended behaviours of the systems precisely.

The need for multi-disciplinary approaches in the design of systems is widely recognized. For instance, in control technology it is recognized that: "It will be important to create larger, multi-disciplinary centers that join control, computer science, and communications and to train engineers and researchers who are knowledgeable in these areas. Industry involvement will be critical for the eventual success of this integrated effort, and universities should begin to seek partnership with relevant companies" [4].

The Embedded Systems Institute focuses its research on multi-disciplinary system design. As such, the ESI is one of the main contributors to the emerging research field called Embedded Systems Engineering, an academically rigorous research area that lifts embedded system design from an ad-hoc craft to a genuine scientific discipline.

2.4 Industrial trends

According to its mission ESI must carry out research that advances industrial innovation in embedded systems engineering for high-tech systems. To do this we must consider the main systems engineering challenges that beset the high-tech industry. These challenges are in addition to the more generic requirements of a mature discipline for embedded systems engineering, such as notations, methods, techniques and tools for specification, design, implementation, analysis and validation that can deal with the heterogeneity and complexity of embedded systems. Some specific and selected challenges are related to the following trends:

- Feature integration: new systems are developed by adding new features to the existing feature baseline. Such additions may cause unwanted and unpredictable emergent system properties resulting from undesirable feature interaction. This may in turn threaten the integral system reliability and affect its performance characteristics.
- System openness: high-tech systems are increasingly becoming integrated into their application environment, creating systems of systems. This trend calls for increasing system openness. For example, medical imaging equipment is being integrated into the larger context of hospital patient handling and patient information processes. A high-tech system can no longer be seen as a stand-alone entity. This creates significant challenges since the larger business context or business workflow environment is more susceptible to unforeseen behavior and external stimuli. This may in turn compromise the (future) reliability and performance of the high-tech system.
- Need for reuse: the combination of usually very complicated designs of high-tech systems with the needs for shorter time to market and flexible diversification of products to meet the changing needs of markets and individual customers can only be addressed by design methods that support the re-use of assets at all levels of abstraction: code, components, designs and interfaces, and engineering paradigms. The corresponding quality that must be nurtured is the evolvability of a design or product (family).

[4] Richard M. Murray, Karl J. Åström, Stephen P. Boyd, Roger W. Brockett, Günter Stein. Future directions in control in an information-rich world. IEEE Control Systems Magazine, 2003, p. 20-33.

2.5 European context

The research agenda of ESI has been developed keeping in mind the available embedded system roadmaps and the activities for shaping European research in the context of the FP7 calls for proposals. In particular, reference should be made to the PROGRESS (PROGram for Research on Embedded Systems & Software) Roadmap 2002, to the ARTIST Roadmap for Research and Development in Embedded Systems Design, the dependability roadmap for the information society AMSD (Appendix A: Trends in Dependable Embedded Systems), the European technology platform ARTEMIS (Advanced Research & Technology for Embedded Intelligence in Systems) for shaping FP7 in Embedded Systems, as well as the Technology Roadmaps of the ITEA and MEDEA+ EUREKA programs. To guide the R&D efforts in the European context, application domains have been identified in the above programs and roadmaps that are both technologically challenging and meet broad societal needs. They all require the engineering of high-technology systems that integrate intelligent embedded components to realize their required behavior. For example, the ARTEMIS technology platform identifies the following Industrial Research Priorities:

- Reference designs and architectures, addressing composability, dependability and security and high-performance embedded computing.
- Seamless connectivity and middleware, addressing middleware architectures, ubiquitous networks and interconnectivity of embedded systems, self-configuration and self-organization.
- Methods and tools, addressing design tools, management of the design process, tool and procedure interoperability, systematic traceability, verification & validation and product line development.

In addition to these, the second ITEA Roadmap also identifies, amongst others, the following system and software engineering challenges: evolutionary systems, system architecture trade-off analysis, HW/SW co-design, cross-cutting concerns, software architecture re-use, model-based development and self-organizing software systems. The research agenda of ESI concentrates on models and methods for analysis and design of high-tech embedded systems with a particular emphasis on performance, reliability and evolvability aspects. Based on the needs of industry, particular emphasis is placed on the multidisciplinary nature of application domains such as mechatronics, medical systems and consumer electronics. Therefore, the ESI research takes a specific angle in the European research landscape and, at the same time, fits ideally with the scope of existing European platforms and research programs.


3 STRATEGY OF ESI

The ESI strategy is to conduct research at the intersection of academic/scientific rigor and industrial relevance/applicability. Within this overarching goal, the more specific domain of high-tech systems provides the necessary focus and emphasis for the Institute. An intent of ESI is to develop a collaborative ecosystem with industrial sponsors and academic collaborators where organizational boundaries are blurred and problems, in the form of researchable statements and inquiry, transfer naturally from the industrial domain to the academic and research domain, while research results in the form of methods, practices, and heuristics flow back to the industrial setting with the intent of developing superior products and systems. This intent is captured in the notion of the "industry as laboratory" concept discussed later in this chapter, and this is also what makes ESI unique within the discipline of embedded systems engineering.

3.1 Structure of the field

The ESI focus on high-tech systems includes a bewildering variety of embedded technology domains. Figure 3.1 below demonstrates the differences that exist between various domains in terms of the product characteristics given in Table 3.2. The entries are only indicative of the domains and open to debate for particular products.

Figure 3.1. Variety of embedded product domains.

Domain               Trade Life   Lead Time    Volume      Costs      Feature Extension
Digital Television   Medium       Short        Very High   Very Low   Growing
Lithography System   Long         Short        Low         High       Medium
Medical Systems      Very Long    Medium       Low         High       High
Mobile Phones        Very Short   Very Short   Very High   Very Low   High
Automotive Systems   Very Long    Long         Very High   Medium     Growing
Digital Printers     Long         Medium       Medium      Medium     Low
Military Systems     Long         Long         Low         High       Growing

Figure 3.1 provides an overview of different product domains and exemplifies the need for tailoring the research to suit their unique needs and requirements. It is likely that the design methods and practices relevant for products with a (very) short trade life and development lead time (e.g. mobile phones) may be different from those most suited to products with a (very) long trade life and development lead time (e.g. military systems). Differences may also be induced by variations in other product and system aspects, such as safety and criticality, security, performance, etc.


Table 3.2. Product classification categories.

Characteristic       Explanation
Trade Life           For what period does a released product remain in the market?
Lead Time            What is the characteristic of the product development lead time and the pressure on the release date?
Volume               What is the product shipment volume?
Costs                What is the pressure on the product cost?
Feature Extension    How many product features are or will be available?

3.1.1 Application domain categories

The diversity of the embedded systems and products domains requires that these domains be analyzed for patterns and common characteristics with the intent of formulating a small number of representative categories. These categories simultaneously display the necessary coherence to serve as subjects for the research in embedded systems engineering. The three broad and representative domain categories, together with their characteristics and illustrative examples, guiding the ESI research agenda are identified in Table 3.3.
Professional systems
  Characteristics: low-volume, high-performance, high cost, physical/mechanical interaction with environment, medium safety, reliability, security
  High-tech product examples: Medical systems, office printers & copiers, electron microscopes, automated material handling systems

High-volume products
  Characteristics: high-volume, low-cost, economic criticality
  High-tech product examples: Digital TV, cell-phones, automotive infotainment

High-integrity, safety-critical embedded systems
  Characteristics: very long life-time, safety-critical, adverse environmental conditions
  High-tech product examples: Avionics & aerospace systems, automotive control systems, military systems

Table 3.3. Primary application domain categories for ESI research.

Examples of application domain categories that are currently not a primary focus of ESI, but are of interest because they intersect with the above categories and thus form a basis for collaboration with other research partners, are the technological aspects of systems-on-chip (Holst Centre) and communication infrastructures (Telematica Institute).


3.1.2 System objectives

Given the clear articulation of the relevant and representative application/product categories (Table 3.3) guiding the ESI research agenda, it is also necessary to identify the principal system properties of interest. This will continue to sharpen the research agenda and associated deliverables. In this regard, ESI focuses on the technical aspects of products and systems, as opposed to process, organization, or other soft factors that may also play a major role in practical systems design. Consistent with the concentration on integral system design, ESI concentrates on the following three cross-cutting system properties:

1. Performance: Theory and methods to predict, analyze, realize and improve the performance characteristics of embedded high-tech systems. In this context, the notion of performance includes the consideration of constraints regarding hard and soft real-time behavior, use of resources, optimization of cost functions, etc.

2. Reliability: Theory and methods to predict, analyze, realize and improve the reliable operation of a high-tech system. Here, reliability is used in a holistic sense and includes finer aspects such as conformance to specification (or correctness), robustness (against variations in environment behavior), and dependability (fault and exception tolerance).

3. Evolvability: Theory and methods for the creation of designs that can be easily modified or extended through the re-use of available design assets within an environment of evolving technologies, market dynamics, and customer expectations. In this context, design assets include the notion of product families, generic system components, common product platforms, etc.

3.1.3 Methodology

To provide a scientific basis for embedded systems engineering as an engineering discipline (a challenge formulated in the previous chapter), it is necessary to introduce scientifically informed methods for modeling, analysis, and synthesis of high-tech embedded systems. This then, along with the application domain categories and system objectives, becomes the third dimension within an integrated research agenda. This methodological dimension is represented by the following categories:

1. Modeling & analysis methods: Theory, notations, methods, and tools for the conception, representation, and elaboration of designs at different levels of abstraction, including support for analysis, refinement and validation on the basis of such design models.

2. Embedded system synthesis methods: Theory, methods, and tools will be assessed and developed for the design of new systems as well as of updated systems that are modifications or extensions of legacy products and systems. This approach constitutes a paradigm shift from a purely component-oriented view of system synthesis, where a system might be developed by coupling together existing and similar components. In this context, synthesis includes a diversity of components and subsystems that are modified from existing assets or newly developed and integrated into a larger system. The components or subsystems referred to here could be complex systems in their own right, and given the huge potential for interaction, the possibility of undesirable emergent behavior is real and must be addressed. Accordingly, system behavior must be analyzed during design, while also considering it in the run-time environment.

3.1.4 Integrated perspective

Figure 3.4 then represents the integrated space bounded by the three dimensions discussed in the previous three sections. These dimensions provide the contextual setting for the research at ESI. Accordingly, each of these aspects is not addressed in isolation; rather, the interplay between these three dimensions provides the necessary richness to the research agenda. Relevant and interesting intersections are explored further in various research projects.

[Figure 3.4: a three-dimensional space with the axes System objectives (performance, reliability, evolvability), Application domain category (Professional systems, High-volume systems, High-integrity safety-critical systems) and Methodology (Modeling & analysis, Embedded systems synthesis)]

Figure 3.4. ESI embedded systems engineering research space.

In terms of Figure 3.4 ESI research can be globally characterized as the identification of technically and industrially coherent regions in this three dimensional space, the development of sound embedded system engineering techniques based upon this identification, and the determination of the scopes of effectiveness of the developed techniques.

3.2 Research organization

The research challenge of the Embedded Systems Institute is to raise embedded systems engineering from a craft to a scientifically based engineering discipline. For the research in embedded systems engineering to have industrial relevance, it must address and account for the realistic constraints regarding resources and scalability within an industrial context. This is facilitated by the concept of Industry as Laboratory embraced by ESI.

3.2.1 Industry as laboratory

The central research instrument to achieve our objectives is inspired by the approach of Colin Potts in software-engineering research, who introduced the concept of Industry-as-Laboratory. We quote [5]:

"And as we celebrate 25 years of software engineering, it is healthy to ask why most of the research done so far is failing to influence industrial practice and the quality of the resulting software. [...] The problem stems from treating research and the involvement of industry in applying the research as separate, sequential activities. This phased approach to software-engineering research, which I call research-then-transfer, leads to laboratory research that often fails to address significant problems [...]. Recognizing these problems, some significant voices are being raised in favor of a complementary research approach, which I call industry-as-laboratory. In this approach, researchers identify problems through close involvement with industrial projects, and create and evaluate solutions in an almost indivisible research activity. [...] In the industry-as-laboratory approach, a case study (a real system-development project that exhibits the problems of interest) becomes a way to obtain knowledge and appreciate its significance. It doesn't just demonstrate research results; it produces them."

Industry-as-Laboratory research is a powerful and differentiating research concept and instrument that sets ESI apart from other institutes in the area of embedded systems engineering. It is carried out via collaborative research projects in which industrial and academic partners work together with a notion of shared success. In this manner, the implicit industrial know-how and daily practices are coupled to the fundamental academic know-how and the academic freedom to explore. The ESI research projects deploy real industrial cases. Industry is a direct beneficiary of the embedded systems engineering methods developed in the context of such cases, particularly since the research projects at ESI aim to develop proofs of concept for the methods and practices. At the same time such projects can access new scientific know-how developed by academia. Moreover, by exercising actual industrial cases, the academic partners obtain valuable insights into significant problems of industrial relevance that can be the subject of academic research with the objective of developing innovative solutions. This in turn leads to the enhancement of the body of knowledge relating to embedded systems engineering. The underlying cycles of industrial and academic innovation in embedded systems engineering are depicted in Figure 3.5. It should be noted that the cycles are not fully synchronous: a typical industrial innovation cycle would take one or two years, whilst an academic cycle could take four years or more.

[5] Colin Potts, "Software-Engineering Research Revisited", IEEE Software, Vol. 10, No. 5, September 1993, pp. 19-28.


[Figure 3.5: industrial and academic cycles meeting in a PROJECT (Industry as Laboratory) node; industrial side: Industry, Industrial Problem, New practical ESE Methods; academic side: Academia, Expert Know-how, New ESE Research]

Figure 3.5. Industrial and academic knowledge cycles.

3.2.2 Preparatory research and technology transfer

Experience shows that there can be a considerable gap between relevant academic research and the potential use of this research in an industry-as-laboratory setting. To determine the applicability and scalability of new approaches under industrial constraints, the methods and techniques involved must have some minimal maturity in terms of proven potential for applicability, accessibility, tooling, documentation, etc. This calls for smaller, preparatory research projects that translate the more fundamental research results into methods and techniques that can be used in later industry-as-laboratory projects. To some extent such projects already exist in the Dutch and European research landscape as STW, Progress, and IST projects. On topics of strategic importance, however, ESI cannot be dependent on the spontaneous dynamics of the Dutch and European research landscape, and must carry out such research under its own responsibility. Although industry-as-laboratory projects are in some sense closer to industry than to academia, their results in terms of proofs-of-concept in themselves do not guarantee the successful transfer of these concepts and related ideas and technology to industry. This requires, as follow-up, more specific and focused technology transfer projects. The implementation of such projects is not really concerned with research itself, and may include such diverse activities as courses, process redesign, instrumentation, transfer of people as knowledge carriers, etc. As such they are not part of the research agenda itself, but may be sources of feedback for future research. Figure 3.6 gives an overview of the various activities and their interrelation, in which the arrows denote the directions of the flows of scientific knowledge and feedback information.


[Figure 3.6: academia, preparatory research, industry as laboratory, transfer, industry; arrows for the flow of scientific knowledge and for feedback]

Figure 3.6. ESI knowledge production and transfer instruments.

Both preparatory research projects and industry-as-laboratory projects are collaboration instruments in which academic and industrial partners, as well as other knowledge institutes, can participate. Substantial industrial involvement is a requirement for industry-as-laboratory type activities, whereas the industrial role in preparatory research projects can be smaller, but should nevertheless be there to improve the chances of later applicability. As preparatory research will typically affect industrial practice only through subsequent industry-as-laboratory and transfer projects, such projects are naturally suited for medium and long-term prospective research themes.


4 ESI RESEARCH APPLICATION DOMAINS AND GENERALISATION

4.1 Introduction

Within the domain of high-tech systems, the research efforts of ESI are geared towards the study of the following three application domains that together represent the first dimension of the ESI research agenda:

- Professional systems
- High-volume products
- High-integrity, safety-critical embedded systems

Within these three application domain categories, many challenging and multi-disciplinary design questions exist for the three system objectives: performance, reliability, and evolvability. These three system objectives together represent the second dimension of the ESI research agenda. The third and final dimension is that of methodologies: ESI will address methodologies for the synthesis and analysis of embedded system designs at various levels of abstraction. While these three dimensions provide the necessary focus to the research efforts within ESI, the research results are expected to have a wider applicability. Research conducted within the preferred domains with an emphasis on a selected set of critical system objectives will be leveraged to distill concepts, methods, frameworks, and heuristics that have broader applicability. In so doing, ESI intends to realize its objective of making a significant contribution towards the establishment of embedded systems engineering as an academic discipline. The following sections provide further discussion and clarification of the three primary application domain categories, and then describe ESI's efforts to generalize results and create a framework for the field of Embedded Systems Engineering.

4.2 Professional systems

4.2.1 Industrial sector

The category of professional systems comprises products such as medical systems (e.g. MRI, CT and X-ray imaging equipment), wafer scanners, electron microscopes, PCB population machines, and high-speed digital printing equipment. Typical companies operating in this sector are Assembleon, ASML, FEI, Philips Medical Systems, and Océ. Their products and markets share some common characteristics from the point of view of ESI research:

- Low-volume: Only small to medium size series are sold of every generation of a product. This makes the development effort and customer support a significant part of the business equation. Furthermore, prudent re-use of technology and know-how over product generations is essential for efficiencies relating to development cost and time.
- High-performance: Customers of professional systems select products almost entirely on performance or price/performance ratio. Hence these systems need to be highly optimised with regard to performance to be successful in the market.
- High cost: The combination of low-volume and high-performance characteristics implies a generally high cost of purchase and ownership. Accordingly, these products tend to be capital intensive.
- Long life-time: High acquisition costs are justified on the basis of long operational lifetimes for these products. This may imply a need for product upgrades in the field during their operational life to keep up with changes in the environment within which they operate and interact (e.g. the hospital information system for an X-ray imaging system).
- Significant physical/mechanical interaction with environment: Professional systems create their system functions and added value through a range of sensors (imaging, tactile, force, etc.) and actuators (robots, motion control of patient tables or PCBs). Achieving accurate, predictable, and reliable operation in a varying environment is a key challenge for these systems.
- Medium safety, reliability, security requirements: Generally speaking, professional systems need to satisfy medium levels of safety, reliability and security requirements: for safety, a system freeze or shutdown is sufficient, and reliability expresses itself through high system uptime.

Organizations manufacturing professional systems rely increasingly on a wealth of domain knowledge and experience built up over many years in many different disciplines (e.g. mechanics, electronics, software engineering, IC design, sensor design, and control theory) and their proper integration. This knowledge is a key technical asset of organizations that manufacture professional systems. However, in its full scope, only a few, very experienced, key technical persons (i.e. the system architects) have achieved a thorough overview and understanding of the technologies and their inter-relations in such professional systems in the context of the appropriate domain. These few people have the ability to moderate and make appropriate design trade-offs between the various disciplines. Market trends in the professional systems domain show increasing complexity, reducing time-to-market, and a move towards system openness. Professional systems are becoming highly dependent on software modules. This reflects an increasing level of intelligence and complexity associated with such systems, and this in turn results in a continuous increase in the development effort and maintenance/upgrading effort of professional systems. The domain of professional systems can use significant improvements in development methodologies, processes, and supporting tools to manage and respond to these trends.

4.2.2 Relation to system objectives

Performance

Performance is a key differentiating factor for professional systems. Increasingly, performance demands a multi-disciplinary design and multi-objective trade-offs (e.g. power, cost, accuracy, speed) to create highly optimised products that are successful in the market. The state of practice is that these trade-offs are decided based on the implicit, internalized experience of system architects. With increasing complexity, multi-disciplinary performance analysis and design methods represent an important breakthrough for such systems to achieve the necessary levels of cost and time efficiency. This will require a collaborative endeavour that combines the domain and intrinsic knowledge of the architects with the latest developments in modelling and simulation techniques. The optimized design of such systems is an open question, and ESI with its industrial and academic collaborators is uniquely positioned to contribute to this problem, which has significant industrial relevance whilst requiring a committed academic response.

Reliability

Operating on the edge of what is technologically feasible, while involving the integration of the latest advances in multiple disciplines, makes professional systems, such as wafer scanners, increasingly complex. This growth of complexity has resulted in large, often geographically dispersed, development teams. Another development characteristic of such systems is the increasing involvement of 3rd party content, mostly in the form of software modules. These trends may cause unwanted emergent system properties resulting from unproven technology and undesirable feature interaction, both threatening the integral reliability of the system. Whereas reliability from a hardware perspective is relatively well understood (e.g. FMEA, fault-tree analysis), this is not the case for software, nor for methods for integral system reliability analysis and prediction. There is a real need within this domain for the development of better methods and tools for modeling, analyzing, and predicting system reliability, without hampering time-to-market.

Evolvability

Professional systems have a long in-service life-time expectation, often exceeding 10 years. Two levels of system evolvability are essential to support long term customer use and operations, while also allowing product innovation. These are:

- System level evolvability: to support field upgrades, and system adaptations in response to a changing operational environment, and
- Architecture level evolvability: to support short product innovation cycles, without requiring complete and cost-prohibitive redesigns.

A main challenge with the evolvability of professional systems is the design of key functional components that give architectural flexibility to support a diversity of products for different applications. Solutions to such research questions will have the added benefit of allowing the integration of component and subsystem technology roadmaps into the product development or upgrade process.

4.3 High-volume products

4.3.1 Industrial sector

The High-Volume Electronics (HVE) market is mostly targeted at the consumer as the end-user of the product. It comprises products such as cell phones, televisions, DVD players and recorders, (digital) cameras, portable gaming equipment, and MP3 players. From the perspective of embedded technology, the origins of this market date back to the eighties, with the large-scale introduction of micro controllers in HVE products such as TVs and VCRs. Whereas this introduction was intended to be a mere replacement of control logic implemented in digital circuits, it caused an unprecedented and opportunistic featurization of these devices based on the (perceived) inherent software flexibility and adaptability. Many other (interrelated) developments, driven by Moore's law and its variants, have also influenced the HVE market. These include storage and communication technology, such as the introduction of PCs into the home, the digitization and compression of audio, speech and images, the introduction of the mobile phone, the advent of the Internet and the associated service industry, and so forth. The current landscape of HVE, from a business and technological viewpoint, is influenced by these developments. Boundaries between traditional businesses have become blurred. As an example, telecom providers are intervening in the broadcast market with TV over ADSL, and computer suppliers are providing highly fashionable products supported by services, such as Apple with its iPod and iTunes. In this fast changing landscape, in which digital electronics, software, communication, content and services have become intricately intertwined, business has become highly competitive and dynamic, with very fast innovation cycles and rapid intake of new technologies and advances in existing technologies. Nevertheless, legacy qualities related to consumer devices, such as extreme fit-for-purpose, low cost, high reliability and availability, have to be maintained. Given the ESI focus on embedded systems engineering, two types of companies are of most interest: CE companies such as Philips CE, Nokia and Samsung CE, together with platform providers such as Philips Semiconductors, ST and Infineon. The embedded systems architecture responsibility for many such products is often shared between the CE company and the platform providers. HVE products and their markets share some common (interrelated) characteristics from the point of view of ESI research. These are:

- High-volume: High-volume products are mass-produced with manufacturing runs in the millions. Due to the increasing NRE cost per silicon process technology step, chip volumes have to increase to remain affordable.
- Low-cost: The high-volume product market, and notably the consumer electronics market, is a cut-throat market, with thin product margins and steep cost-down curves.
- High feature integration: Products are not single purpose anymore, but integrate functionality from other products where possible. A cell phone is additionally a camera, an address book, and a voice recorder. A television can play MP3 songs, display still pictures, connect to a variety of peripherals, and obtain content from service providers.
- Extremely fast innovation cycles: As the functionality increase in many HVE products is directly related to the opportunities provided by the steep technology curves, innovation cycles have become extremely short, often less than 1 year.

4.3.2 Relation to system objectives

Performance

High-volume products often share selected and key performance issues. Low energy usage is of utmost importance in mobile devices. Image quality may be a key differentiating factor in television products. With the extremely high level of feature integration and systems-on-chip concepts in these products, such performance issues become multi-disciplinary design questions: How to create algorithms and approaches to run applications at varying speed to conserve energy, yet maintain acceptable performance as perceived by a user? How to split image quality improvements over hardware and software components?

Such performance questions need to be addressed by holistic performance analysis and prediction methods that can analyze and predict the impact of such trade-offs. Furthermore, approaches that allow synthesis of systems with the required performance characteristics have to be developed.

Reliability

Reliability in HVE may be viewed from two different perspectives. First, there is the key economic driver originating from the user's appreciation or perception of product reliability and quality. High availability, possibly at the cost of performance, is an important aspect. Secondly, there is the more traditional notion of reliability, in the sense of absence of faults, exhibiting predictable behavior and so on, that is of importance in the business-to-business relation inherent in the supply of platforms to system integrators. Maintaining the reliability levels of the past has become extremely difficult, due to the ever-increasing product size and complexity caused by the rapid increase in functionality and features, and the high integration levels required for cost reduction. This challenge is complicated by the fact that the analysis concepts, techniques and tools must fit within the low-cost constraints of HVE. As such, options such as hardware redundancy and derating may not be feasible. Further, the notion of perceived product reliability may require us to venture into the cognitive domain to better understand the development of such perceptions on the part of the user.

Evolvability

High-volume products have a decreasing life-time, often less than 1 year, as exemplified by the cell phone market. To sustain viable product innovation in a high-volume market with increasing complexity and feature integration, evolvability at the architectural and manufacturing levels is important:

- Architecture level: This supports short innovation cycles and steep cost-down curves, without requiring complete and cost-prohibitive redesigns, and
- Manufacturing level: This supports a fast changeover of production to next generation products without requiring a lengthy retooling and redesign of manufacturing plants.

The central aspect of high-volume product evolvability relates to integration. It must allow key functional components to be designed, and architectures to be formulated, that support rapid creation of product increments, and their manufacturing lines, from one generation to the next, while maintaining relevant system properties such as performance and reliability. Developing solutions in response to such research questions will have the added benefit of allowing component and subsystem technology roadmaps to be cost-effectively integrated into the product development and manufacturing process.


4.4 High-integrity, safety-critical embedded systems

4.4.1 Industrial sector

The category of high-integrity, safety-critical embedded systems comprises products such as military systems, automotive safety and control systems (e.g. Adaptive Cruise Control, ABS, drive-by-wire), and avionics and aerospace systems (e.g. flight-control systems). Typical companies operating in this sector are Airbus, Boeing, Bosch, Honeywell Aerospace, Rockwell Collins, Siemens VDO, Thales, and many car manufacturers such as BMW, DC, GM, Ford, Honda, Nissan etc., which act as systems integrators. Their products and markets share some common characteristics from the point of view of ESI research:

- Priority on safety: For high-integrity, safety-critical embedded systems, the occurrence of a system failure could lead to injury or loss of human life. Hence these systems must be designed for continued safe operation even when some of their components fail. Typically this is achieved by a rigorous hazard analysis, and risk mitigation through redundancy in hardware and software, and through logic and dynamic product behavior relating to rollover, reconfiguration, and sometimes even development teams.
- Predictable performance: Customers of high-integrity, safety-critical embedded systems, notably military systems, write quantitatively formulated performance requirements into the purchase contract, and have these proven by means of system acceptance tests.
- Very long life-time: High-integrity, safety-critical embedded systems, notably airplanes or military systems, typically have a very long life-time, where the total cost of ownership is determined in large part by the cost of operations, maintenance, and systems evolution.
- Harsh environmental conditions: High-integrity, safety-critical embedded systems often operate under stressing conditions, exposed to vibrations, shocks, and extreme temperature variations (e.g. -40 to +85 °C).

The development of high-integrity, safety-critical embedded systems is often dominated by non-functional requirements, i.e. usability, safety, reliability, time, and cost. In comparison with functional requirements, non-functional requirements are more difficult to understand, to estimate (impact and ramifications), and to validate (without interacting with the final and complete system). This makes it difficult to assess different system architectural options and alternatives. Many high-integrity, safety-critical embedded systems are designed as a cooperation of several (often networked) subsystems. As a consequence, modifying or enhancing system level functionality may imply changes in several subsystems, requiring a broad range of skills and an appreciation for the big picture. Moreover, as equipment is produced and maintained by different, often specialized, vendors, systems integrators are faced with varying levels of product visibility, subcontracting processes, schedules, and costs. While these systems, particularly in the military domain, once drove the electronics industry, they are today consumers of the technologies developed for commercial applications. The impact is significant. While these systems have long operational lives, their constituent commercial components have short lives, with obsolescence being a major concern. Technology refreshment approaches must be developed and implemented to address these asynchronous lifecycles.

Released 2006, Embedded Systems Institutes

Page 28 / 59

Research Agenda Version: 7.11- 2005-10712 March 1, 2006

Such approaches often require system modifications and upgrades, and then re-testing and validation to ensure safe operations. The drive for cost and time reduction during development makes COTS (Commercial-Off-TheShelve) solutions very attractive. Such cost advantages during development can be quickly lost if longer term issues relating to sustainability are not simultaneously considered. To support this trend in high-integrity, safety-critical embedded systems, significant improvements are needed in the methodologies that support achieving predictable performance for such systems, and rapid assessment validation of the systems dependability in light of the rapid evolution of components and subsystems.

4.4.2 Relation to system objectives

Performance: For high-integrity, safety-critical embedded systems, system performance should be predictable. Hence methods and techniques are needed that can analyze and predict key system performance indicators, and design approaches that ensure the predictability or constancy of system performance, to ensure continued safe operation.

Reliability: Traditional methods for achieving safety properties originate from hardware-dominated systems. Software-intensive embedded systems require new approaches. Here there is a definite need to develop constructive and analytical methods for ensuring safety. The integrity concept, i.e. self-awareness of the degree of correct functioning, system partitioning, duplication, and redundancy concepts for safe systems all require multi-disciplinary methods to reason about the safety of the complete product.

Evolvability: High-integrity, safety-critical embedded systems have a very long in-service life-time expectation, often measured in decades. In this respect they are even more extreme than the professional systems category, and greater attention is needed for the following two levels of evolvability:
- System level: to support field upgrades, and adaptations in response to a changing operational environment, and
- Architecture level: to support short innovation cycles in component technology, without requiring complete and cost-prohibitive redesigns.

The key to evolvability for high-integrity, safety-critical systems is the design of functional components that allow architectures to be formulated to create sustainable products optimized for different applications over long operational lives without compromising safety.

4.5 Domain generalization: Embedded Systems Engineering

Systems Engineering began to evolve as a branch of engineering during the late 1950s. During this time both the race to space and the race to develop missiles with nuclear warheads were considered essential. Extreme pressure was placed on the military services and their development teams to develop, test, and bring these systems into operation. Tools and techniques were developed to support both mission success and project management. Engineering management evolved and standardized the use of specifications, interface control documents, design reviews, and formal change control. The advent of the computer permitted extensive simulation and evaluation of systems, subsystems, and components; thus accurate synthesis of system elements and design trade-offs became possible. Many lessons were learned from project difficulties and system failures. These lessons led to innovations in practices in all phases of high-tech product development, including engineering, procurement, manufacturing, testing and quality control. One driving force for these innovations was the attainment of high system reliability.

In its present and still evolving form, Systems Engineering integrates elements of many disciplines such as system modeling and simulation, decision analysis, project management and control, requirements development, software engineering, operations research, risk management, etc. Systems Engineering is an overarching discipline, providing the trade-off analyses and integration between system elements to achieve the best overall product and/or service. It is much more an engineering focus than a management discipline and has a very quantitative basis, involving trade-off, optimization, selection and integration of the products of many other engineering disciplines.

During the early design phase of a system the architect is confronted with many challenges:
- Understand the system purpose to create an appropriate design.
- Create an overview of all relevant functional and system properties.
- Obtain a deep understanding of the mutual dependencies between properties that have high impact on system design.
- Design the system structure such that the system will exhibit the intended behavior. This includes validating early that, once implemented, the actual behavior will indeed be the intended behavior.
- Understand the design limitations, and the critical system strengths and weaknesses. This will help the architect to deal with the many late changes confronted during system realization, ranging from new or changed functional and performance requirements, to unavailability of components, sub-systems or technology.

Design studies show that in the early design phase, solution conjectures direct the process of problem understanding, and thus the insight into the problem and the creation of the design evolve simultaneously. This implies that the architect faces the aforementioned challenges simultaneously. In this phase most of the decisions made by the architect are based on intuition built over years of experience. Only very few, if any, explicit approaches, methods and means are available to support the architect in these early design phases. Note that it is our conviction that even with appropriate approaches, methods and means for the systems within the ESI research scope, poor designers will still create poor designs (footnote 6). However, the work of good designers could be improved by creating methods and means to obtain earlier and better insights into the consequences of choices and decisions. This would create improved structuring principles and communication to facilitate better understanding of the system by others, allowing for better peer reviews.

While the primary research challenge of ESI with regard to developing a scientific basis for embedded systems engineering is actualized through a number of specific research objectives within a selected number of domains, one critical intent is to generalize research findings to the overall discipline of embedded systems engineering. Specifically, opportunities for the following activities will be actively sought and implemented:
- Generalize the findings and results obtained in one or more of the primary application domains into a widely applicable systems engineering method.
- Understand and formalize, to the extent possible, an increase in the systems architect's understanding of the design problem.
- Improve the quality of early design decisions. This is reflected through clear communication, understanding, and predictability of results, and foreseeing the impact of changes.
- Increase the appropriateness and the understandability of a specific design with respect to the relevant functional and system properties.
- Develop frameworks and patterns for the development of a taxonomy of system types, domain types, and associated methods and practices.

ESI is uniquely positioned to do this. The result will be a better and pragmatic understanding of system complexity, and a harmony between the type of system being developed and the methods being applied to its development.

Footnote 6: Lindsay Parker, A Fool with a Tool is still a Fool!, HP White Paper, 2001, http://www.parallon.com/a_fool_with_a_tool_is_still_a_fool.pdf

5 SYSTEM OBJECTIVES

5.1 Introduction

Having analyzed the relation between the application domain categories and the system objectives of performance, reliability, and evolvability in the previous chapter, the more detailed planning of the research will now be presented along the dimension of these objectives. For each of them we will present the ESI research program in terms of expected results and a timeline, while relating them to the other two dimensions of the integrated perspective presented in chapter 3, viz. the methodology and application domain category dimensions. Here, the expected results are formulated in terms of their scientific and technical contents, but they will be made available through standard means of academic and industrial communication in the form of articles in international scientific journals, conference contributions, (invited) presentations, technical reports, etc.

A general problem in the realization of all the different system objectives is that they are nearly always interrelated, and their interference creates tensions and a need for trade-offs in designs. E.g., adding the necessary error recovery, diagnostics, tracing, etc. to warrant reliability and robustness may lead to large performance deviations. Similarly, adding more genericity to a design in order to improve evolvability is often disadvantageous with respect to performance. There exist many relevant qualities and constraints, and it is not always easy to select the most important tensions. Moreover, at design time one has to deal with a large number of uncertainties, which make it very difficult to support well-founded trade-offs. This observed interdependence also implies that at the level of the research agenda the planned activities should be seen as activities across the different system objectives, not exclusive to just the objective under which they are listed.

5.2 Performance

5.2.1 Introduction

Performance plays an important role in all disciplines involved in the design of high-tech systems, such as electrical engineering, mechanical engineering and software engineering. According to a study on quality attributes [1], typical performance concerns are latency (how long does it take to respond to an event) and throughput (the number of event responses completed over a given time interval). Other performance indicators concern resource utilization and buffer occupancy. Furthermore, the performance of an embedded control system is evaluated with respect to the accuracy of tracking a set point, disturbance regulation, or reduction of the effects of parameter variations (page 664 in [2]). The design of high-tech products incorporates the performance requirements either as a constraint or as an optimization criterion. Performance indicators are among the most important indicators of a high-tech product, as they are often a key selling factor.

Examples of system performance requirements:
- The number of papers that can be copied per minute shall be 80.
- The number of wafers that can be illuminated per hour shall be 75.
- An incoming image must be decoded and presented on the screen every 20 ms.
- The accuracy of printing (overlay) is 1 mm.

Notice that these examples actually refer to very simple cases in which indicators are clearly measurable. Even though performance seems to be of a very quantitative nature, often it is not. In addition, multiple (conflicting) requirements often have to be taken care of simultaneously, as is demonstrated by the following example:
- The device must decode and present an incoming image on the screen every 20 ms with an acceptable user-perceived image quality.
- The device is battery-powered and may weigh at most 100 grams.

Also, requirements are not always strict. If the above-mentioned device can realize a twice as good image quality at the cost of a total weight of 105 grams, this might turn out to be acceptable as well.

5.2.2 Problem statement

Next to heterogeneity and the interaction with other system qualities as mentioned in Section 2.3, we mention here other key problems that make it difficult to design products with the required performance.

Dynamism and adaptivity: the difference between the worst and average case is increasing

Performance estimation and implementation techniques, such as scheduling policies, are often based on worst-case computation times. Drawbacks of product design based on worst-case behavior are over-dimensioning and large costs. This is especially so since the difference between worst case and average case is increasing, e.g., because systems become more dynamic and there are large differences between computations depending on the input. One source of dynamism is that the openness and networking of many systems cause increased user interaction (think of one person copying at a copier, while another tries to print a document that is sent over a network). An example of the variability of the input is the processing of a video stream, which depends on the pictures displayed: how many objects there are, the amount of movement in the background, etc. Another source of differences between average and worst case can be found in hardware optimizations, such as pipelining and caching, that cause differences in execution times (jitter) and decrease predictability. Moreover, miniaturization in hardware leads to product variability and inherent unpredictability. The increasing dynamic character of high-tech systems urges increasing application of adaptive on-line scheduling techniques and dynamic load balancing, at the cost of considerable overhead and complexity. Although aimed at performance improvement on the one hand, both the overhead and complexity may endanger the system performance on the other.
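The over-dimensioning argument above can be made concrete with a worst-case versus average-case schedulability check. This is an added illustration, not part of the ESI agenda: the three-task workload (periods and execution times in ms) is constructed, and the analysis is the classical rate-monotonic response-time analysis, the same family of techniques the agenda refers to as Rate Monotonic Analysis [23].

```python
"""Worst-case vs. average-case dimensioning of a fixed-priority task set.

Added illustration (not from the ESI agenda). The three tasks below are a
constructed digital-control-style workload; times are in milliseconds,
deadlines equal periods, priorities are rate monotonic (shorter period =
higher priority). The analysis is the standard response-time analysis for
fixed-priority preemptive scheduling.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    name: str
    period: float   # ms; the deadline equals the period
    wcet: float     # worst-case execution time, ms (constructed value)
    acet: float     # average-case execution time, ms (constructed value)


# Constructed task set: a sensor sampler, a control loop and a comms/logging task.
TASKS = [
    Task("sensor", period=4.0, wcet=1.0, acet=0.6),
    Task("control", period=10.0, wcet=3.5, acet=1.5),
    Task("comms", period=25.0, wcet=8.5, acet=3.0),
]


def utilization(tasks, attr="wcet"):
    """Processor utilization sum(C_i / T_i) for the chosen execution-time column."""
    return sum(getattr(t, attr) / t.period for t in tasks)


def liu_layland_bound(n):
    """Utilization below which any n-task set is rate-monotonic schedulable."""
    return n * (2 ** (1.0 / n) - 1)


def response_times(tasks, attr="wcet"):
    """Fixed-point response-time analysis:
    R_i = C_i + sum over higher-priority j of ceil(R_i / T_j) * C_j.

    Returns {name: response time}; math.inf marks a task whose response time
    exceeds its deadline (the iteration stops as soon as that happens).
    """
    by_priority = sorted(tasks, key=lambda t: t.period)
    result = {}
    for i, task in enumerate(by_priority):
        c = getattr(task, attr)
        r = c
        while True:
            interference = sum(
                math.ceil(r / hp.period) * getattr(hp, attr) for hp in by_priority[:i]
            )
            r_next = c + interference
            if r_next > task.period:
                result[task.name] = math.inf
                break
            if r_next == r:          # fixed point reached
                result[task.name] = r
                break
            r = r_next
    return result


def schedulable(tasks, attr="wcet"):
    """True if every task meets its deadline under the chosen execution times."""
    rt = response_times(tasks, attr)
    return all(rt[t.name] <= t.period for t in tasks)


def required_speedup(tasks, attr="wcet", tol=1e-4):
    """Smallest factor s >= 1 by which the processor must be faster (all
    execution times divided by s) for the set to pass response-time analysis.
    This is the over-dimensioning that a worst-case based design pays for."""
    def scaled(s):
        return [Task(t.name, t.period, t.wcet / s, t.acet / s) for t in tasks]

    if schedulable(tasks, attr):
        return 1.0
    lo, hi = 1.0, 2.0
    while not schedulable(scaled(hi), attr):     # find an upper bracket
        hi *= 2.0
    while hi - lo > tol:                         # bisect on the speed-up factor
        mid = (lo + hi) / 2.0
        if schedulable(scaled(mid), attr):
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    print(f"Liu-Layland bound for {len(TASKS)} tasks: {liu_layland_bound(len(TASKS)):.3f}")
    for attr in ("wcet", "acet"):
        print(f"{attr}: U = {utilization(TASKS, attr):.2f}, "
              f"schedulable = {schedulable(TASKS, attr)}, "
              f"response times = {response_times(TASKS, attr)}")
    print(f"speed-up needed for worst-case schedulability: {required_speedup(TASKS):.3f}")
```

With the constructed numbers the set is comfortably schedulable on average-case times (utilization 0.42, below the Liu-Layland bound) but misses the comms deadline on worst-case times even though worst-case utilization is only 0.94, so a worst-case design would have to buy a faster processor or accept occasional deadline misses.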

Prediction and realization: it is difficult to anticipate performance during the design process

The issues mentioned so far cause problems for the realization of appropriate performance. Design techniques aiding in achieving the required performance are therefore indispensable. In addition, some of the issues make it extremely difficult to predict the system performance during the design process, in order to make proper design decisions. This is especially pronounced in the early stages of development. Inadequate design choices might lead to a valueless product due to a poor performance/cost ratio. Observe that, since many system details are unknown or uncertain during design, we cannot expect exact quantification of these qualities. As a consequence, it is important to look for techniques that allow reasonable performance prediction early in the design process. Obtaining such techniques is a challenging but important task, since they provide a suitable basis for making good design choices that will not be regretted later. The techniques, however, should be light-weight, in the sense that they satisfy the industrial constraints of quick and easy application by industrial engineers to a number of possible designs. Appropriate design methods and tools aiming at system realization while taking performance requirements into account become important later in the design process.

5.2.3 Existing solutions

In summary, realization of desired performance in high-tech systems must consider the following challenges:
- Heterogeneity
- Interactions with other system qualities
- Dynamism and adaptivity
- Performance prediction and realization

Each particular challenge is already addressed in a specific scientific area. For instance, hybrid systems theory [3] deals with heterogeneity by combining continuous physical behavior with discrete-event control algorithms. Heterogeneity is also found in the domain of streaming, where dataflow models are combined with discrete-event control models [4]. Interaction among different system qualities is addressed in [5]. Adaptive resource and quality of service (QoS) management techniques are developed to tackle dynamism in streaming applications [6]. Modular performance analysis (MPA) is used for predicting the performance of concurrent tasks mapped onto heterogeneous hardware platforms [7]. For prediction of worst-case motion control performance, control algorithms are developed based on dynamical models of the motion systems and models of uncertainties (parasitic dynamics and disturbances) affecting these systems [8]. Finally, the time-triggered architecture is a technique to design and realize real-time distributed applications [9].

Most of the existing techniques target only particular challenges from the list above, rather than several of them together. Therefore, achievement of the desired performance in a high-tech product incorporates the use of many techniques that are often only weakly related to each other due to domain-specific formalisms. Some of these techniques are not even suited for problems of industrial complexity. Diversity, limitations and complexity in use of the existing techniques impede their wider acceptance in industry.

5.2.4 ESI research on performance

To facilitate the achievement of performance requirements in high-tech systems, ESI is developing methodologies for performance prediction and realization (design) that cover the above-mentioned challenges in an integral and unified way. The focus will be on model-based approaches, both for analysis and for design, using industrial case studies to calibrate the methodologies for practical applicability.

Modeling & analysis
- The development of systems engineering approaches to identify the most important tensions and conflicts between the various performance indicators and other system qualities. Modelling and analysis should focus on these important issues and support the decision making in the design. A starting point for ESI is the approach outlined in [5].
- Exploration of different existing formalisms for performance modeling and analysis and their tool support, in particular those that match the selected design and synthesis approaches (see next paragraph). Investigate advantages and disadvantages.
  o In the context of performance evaluation for digital control architectures the evaluation will start with studying the state-of-the-practice, ranging from back-of-the-envelope estimates to Rate Monotonic Analysis [23]. From an academic point of view Modular Performance Analysis [7], POOSL [19, 20] and UPPAAL [21] will form starting points.
  o For streaming applications the integration of event-driven models and data flow models will be investigated to capture and understand the effects of sporadic events (e.g. additional user requests) interfering with ongoing dataflow computations. The approaches in [4, 10] present initial strategies. Moreover, formalisms will be developed to reason about both worst-case and stochastic behaviour and to predict the impact on end-to-end performance metrics. Starting points are given in [11, 12].
  o Development of feedback control mechanisms [2, 8] for optimal resource and Quality-of-Service (QoS) management, minimizing the probability of deadline misses and loss of quality and optimizing energy consumption.
  o In the setting of mechatronic and robotic systems, hybrid systems theory [3] is a promising scientific research line that addresses functional collaboration of motion control engineering [8], digital control architecture for real-time implementation [17, 18], continuous- and discrete-time dynamical system behaviors in sampled-data systems [2], switching of operation modes, variable delays in acquiring sensory information, physical interaction with the environment, etc. The real industrial impact of various scientific hybrid approaches will be evaluated on mechatronic and robotic systems.
  o Discrete-event modeling approaches implemented in, e.g., the process algebra χ [13] and TORX [14], as well as mixed (continuous- and discrete-time and event-driven) modelling in Matlab/Simulink [15], can be used for early analysis of test and integration (T&I) phases of product development. These approaches enable model-based validation and verification of different T&I activities: selection, sequencing, and execution of tests; selection and sequencing of integration steps. Model-based analysis also allows early prediction of performance for the integrated system and reveals obstacles for performance realization of the overall system. Merits of various modelling approaches will be evaluated within industrial case studies on T&I of professional systems.
- Apply the existing design and modeling approaches to selected industrial problems. It will be important to investigate whether the approaches will work within industrial timing and human resource constraints. Identify for each of the available analysis approaches, amongst others:
  o In which situations they are applicable / effective and in which they are not.
  o How accurate their predictions are with respect to reality.
  o How they handle the uncertainty present in early design phases.
  o What information should be available to apply the approach, and how to instantiate the models (via measuring or a priori knowledge) so that they are close to the real system under study.
- From the lessons learned, modify the existing techniques or come up with new techniques to satisfy the industrial applicability constraints and cover a broad range of industrial situations. In the end this should lead to modeling and analysis methodologies that will consist of modeling formalisms (languages), analysis techniques, and tools, together with a method (recipe / procedure / plan of steps and guidelines) that indicates how and in which order to apply the languages, techniques and tools. The techniques will range from hard scientific techniques (e.g. modular performance analysis [7], feedback control systems analysis [2, 8], etc.) to softer methods like threads of reasoning, budgeting and key-driver analysis (see e.g. [5]).

Embedded systems synthesis

Develop multi-disciplinary design methodologies to support all design stages of professional and high-volume systems. The synthesis methodology will be complementary to the modeling and analysis techniques which proved to be effective in the modeling and analysis research. Also iterative use of the successful modelling formalisms and analysis techniques will be part of the embedded systems design methodology (e.g. budget-based design).

The methodologies will be established by exploration of (existing) design and synthesis approaches and mechanisms. General approaches like [5] on system level and (mono-disciplinary) techniques for subsystems like feedback control design [2, 8], time-triggered design architectures [9], and synchronous dataflow specifications for streaming applications [22] are typical examples of design techniques that will be included and extended. Advantages and disadvantages, depending on the application (domain) and on the design phase, will be investigated. Focus will be on adaptivity (on-line monitoring and feedback mechanisms) and composability (interference-free composition techniques).

Existing tool support for the application of these formalisms and techniques will be considered. Typically the general approaches like [5] should be made more concrete and tailored to the specific application domain, and the subsystem design methods should become part of the larger methodology or should be generalized.

One aspect that receives particular attention is that synthesis of a complex heterogeneous system is based on decomposition and composition: to facilitate product development and realization, a system-level design is decomposed into a set of designs for system parts; the system is composed by integration of parts that are physically realized. While developing these parts, realizing them and integrating them into the system, various testing activities take place to validate designs and realizations, as well as to evaluate system performance and reliability. Fault diagnostics and fault fixing are additional components of test and integration phases that support the realization of performance and reliability specifications. These phases can be optimized by model-based designs that employ tools such as χ [13], TORX [14], Matlab/Simulink [15], and Lydia [16]. Early model-based integration, time-optimal model-based design of integration and testing phases, automated model-based execution of tests, and automated model-based fault diagnostics will be elements of the ESI research on prediction and realization of both system performance and reliability. Design methods that allow for more testable designs are another topic of ESI research.

Case studies

The purpose of the industrial case studies is twofold. They should build up insight into the performance issues, the (typical) trade-offs and the impact of performance problems in industrial practice. And the case studies will be used to show the effectiveness of the methodologies in terms of performance prediction and realization on the one hand, and industrial applicability within reasonable time and with limited human resources on the other.

Collecting relevant case studies is an important aspect of the research approach, and the focus will be on professional systems and high-volume products. Initial focus will be on (sub)system-level design for:
- Digital control architectures, in which performance issues are related to responsiveness (responding to an event within a certain time period) within cost constraints and for all relevant scenarios in which the applications are used (use cases).
- Streaming applications, which are faced with extremely varying bit rates and encoding/decoding effort depending on the complexity of the audio/video stream, the complexity of the compression, and the required quality. Despite increasing and more open interaction with the environment, performance should still be warranted.
- Mechatronic and robotic motion systems, where the performance, in terms of throughput and (positioning) accuracy, strongly depends on the interaction among various disciplines.

5.2.5 Expected results and timeline

1/2006
1. A first rough design method supported by models and techniques in the application domain of copiers (professional systems).
2. First results on MPA and POOSL for performance evaluation of digital control architectures.
3. Results of first case studies on improving test and integration of wafer scanners based on the application of χ, Matlab/Simulink, TorX and Lydia.

1/2007
1. A design methodology consisting of a reasoning method using the key-driver technique, threads of reasoning, etc. This reasoning method is supported by the following modelling and analysis techniques validated in the copier domain:
   a. Budget-based design (for power usage)
   b. Extended performance evaluation techniques for digital control architectures
   c. Kinematic and dynamic models for the motion part.
2. Several case studies from the printer domain illustrate the effectiveness and the use of the techniques. Guidelines describe which of the selected modelling and analysis techniques to use in which situations.
3. Identification of suitable case studies in embedded streaming applications.
4. State-of-the-art reports on potential combinations of dataflow, event-driven and stochastic models and possible feedback mechanisms for QoS in streaming applications.
5. State-of-the-art algorithms implemented in χ and Matlab/Simulink for early model-based integration and performance prediction of wafer scanners, and flexible implementation of TORX and Lydia within ASML.

1/2008
1. The copier-oriented design methodology is extended to other professional systems. In this broader application context more supporting models with industrial relevance are developed.
2. Start of a preparatory research project for mechatronic motion systems exploiting hybrid systems theory, with an eye towards testing & integration, for which the physical interaction can be combined with the event-driven models to improve the accuracy of the early model-based integration.
3. For streaming applications, determine suitable models and feedback combinations that fit the industrial setting.
4. Performance prediction and realization methodology based on application of χ, Matlab/Simulink, TORX and Lydia for analysis, design and execution of test and integration phases in production of professional systems.

1/2009
1. Develop analysis techniques for streaming applications incorporating the dynamical and stochastic nature (to analyze worst versus average case).
2. Select industrial test cases for mechatronic motion and robotic systems.
3. Take inventory of modeling and analysis techniques from hybrid systems theory [3] with high (practical) potential for the selected industrial case studies. An emphasis will be on combining models of computation / techniques / methods of different disciplines.

1/2010
1. Set up a broad analysis and design methodology for embedded streaming applications with a proof-of-concept on industrial case studies.
2. Apply selected hybrid systems modelling and analysis techniques to the selected mechatronic case studies and evaluate their industrial applicability.
3. General test and integration methodology for professional systems supported by a unified mathematical formalism and implemented in a prototype tool that enables early performance prediction and time-efficient performance realization.

2010 and beyond
1. An overview of effective analysis and synthesis techniques from hybrid systems theory with their strengths and weaknesses. Guidelines describe in which cases which techniques perform well. These techniques can be embedded in the high-level design methodologies and are illustrated with convincing industrial case studies.
2. A complete industrial design methodology for performance in the case of digital control architectures in various application domains.
3. A general design methodology for professional systems and high-volume systems combining the methodologies for embedded streaming applications, digital control architectures and copiers. The methodology will be supported by the effective techniques from hybrid systems theory and coupling of models of computation as identified in the ESI research.

5.2.6 References

[1] M. Barbacci, M. Klein, T. Longstaff, C. Weinstock, Quality Attributes, Technical Report CMU/SEI-95-TR-021, 1995. [2] G.F. Franklin, J.D. Powell, A. Emami-Naeini, Feedback control of dynamic systems, Addison-Wesley, 1995 [3] A.J. van der Schaft, J.M. Schumacher, An Introduction to Hybrid Dynamical Systems, Springer Lect. Notes in Control and Information Sciences, Vol. 251, Springer-Verlag, London, 2000, p. xiv+174.

Released 2006, Embedded Systems Institutes

Page 40 / 59

Research Agenda Version: 7.11- 2005-10712 March 1, 2006

[4] S. Neuendorffer and E. A. Lee, Hierarchical reconfiguration of dataflow models, in Proc. Second ACM-IEEE International Conference on Formal Methods and Models for Codesign, 2004.
[5] G. Muller, CAFCR: A multi-view method for embedded systems architecting; balancing genericity and specificity, PhD Thesis, Delft University of Technology, 2004. http://www.gaudisite.nl/ThesisBook.pdf
[6] C. Pérez, M. Rutten, L. Steffens, J. van Eijndhoven, and P. Stravers, Resource reservation in shared-memory multiprocessor SoCs, in Dynamic and Robust Streaming in and between Connected Consumer-Electronic Devices, Springer, 2005.
[7] L. Thiele, S. Chakraborty, and M. Naedele, Real-time calculus for scheduling hard real-time systems, in Proceedings of ISCAS, Geneva, May 2000.
[8] M. Steinbuch and M.L. Norg, Advanced motion control, European Journal of Control, Vol. 4, No. 4, pp. 278-293, 1998.
[9] H. Kopetz, Real-time systems: design principles for distributed embedded applications, Dordrecht: Kluwer Academic Publishers, 1997.
[10] M. Geilen and T. Basten, Reactive Process Networks, in Proceedings of the International Conference on Embedded Software, pp. 137-146, 2004.
[11] Y. Liu, C. Tham, and Y. Jiang, A stochastic network calculus, Technical report ECECCN-0301, Dept. of Electrical and Computer Engineering, National University of Singapore, November 2003.
[12] A. Burns, G. Bernat, I. Broster, A Probabilistic Framework for Schedulability Analysis, Proceedings of the Third International Embedded Software Conference, EMSOFT, 2003.
[13] D.A. van Beek, K.L. Man, M.A. Reniers, J.E. Rooda, and R.R.H. Schiffelers, Syntax and semantics of timed Chi, Computer Science Reports 05-09, Technische Universiteit Eindhoven, March 2005.
[14] J. Tretmans and E. Brinksma, TorX: Automated model based testing, in Proc. of European Conference on Model-Driven Software Engineering, 2003.
[15] http://www.mathworks.com/
[16] A.J.C. van Gemund, The Lydia approach to Diagnostic Systems Modeling, Tech. Rep. No. PDS-2002-004, Parallel and Distributed Systems Group, Fac. of Electrical Engineering, Mathematics, and Computer Science, Delft University of Technology, Dec. 2002, 32 pp.
[17] J. Bate, McDermid, P. Nightingale, Establishing timing requirements for control loops in real-time systems, Microprocessors and Microsystems 27 (2003), pp. 159-169.
[18] L. Sha, T. Abdelzaher, K.-E. Årzén, A. Cervin, T. Baker, A. Burns, G. Buttazzo, M. Caccamo, J. Lehoczky, A.K. Mok, Real-time scheduling theory: a historical perspective, Real-Time Systems 28 (2004), pp. 101-155.
[19] J.P.M. Voeten, Performance Evaluation with Temporal Rewards, Performance Evaluation 50, pp. 189-218, 2002.
[20] B.D. Theelen, J.P.M. Voeten, R.D.J. Kramer, Performance Modelling of a Network Processor using POOSL, Journal of Computer Networks (A. Engbersen, Ed.), Vol. 41, No. 5, pp. 667-684, ISSN 1389-1286, April 2003, Elsevier Science, Amsterdam (The Netherlands).


[21] http://www.uppaal.com/
[22] S. Bhattacharyya, P. Murthy, and E. Lee, Synthesis of embedded software from synchronous dataflow specifications, J. VLSI Signal Process. Syst., 21(2):151-166, 1999.
[23] M. Klein et al., A Practitioner's Handbook for Real-Time Analysis: Guide to Rate-Monotonic Analysis for Real-Time Systems, Kluwer Academic Publishers, Boston, July 1993.

5.3 Reliability

5.3.1 Introduction

Customers have clear and simple expectations of the reliability of a product: a product is expected to perform its advertised and implied function over its expected lifetime. In EC member states, the expected lifetime of a consumer product is even part of implicit warranty legislation: when a product fails within the expected lifetime, a customer has the right to a refund of the part of the product price proportional to the unconsumed expected lifetime.

The scope of ESI research in reliability is theory and methods to predict, analyze, realize and improve the reliable operation of a system. Here, reliability is used in a wider sense and includes finer aspects such as conformance to specification (or correctness), robustness (against variations in environment behavior), and dependability (fault- and exception-tolerance). Some aspects can be quantified, for instance the probability that the system satisfies a specific set of requirements during a specific time period under specific operating conditions, mean time between failures (MTBF), mean time to failure (MTTF), and availability. Observe that a system might have a different reliability for different sets of requirements, different time periods, and different conditions. Avižienis et al. [1] provide a good overview of relevant concepts and methods in the area of reliability (in their overview more generally defined as dependability).

Examples of system reliability requirements
- The reliability that a TV will switch on within 2 seconds, assuming power and temperatures between -30 °C and +40 °C, during 10 years is 0.98.
- For flight control systems it is required that catastrophic failure conditions have a probability in the order of 10^-9 per flight-hour. This means, for instance, that with 500 airplanes at 4 operational hours per day for 20 years, the reliability of having no catastrophic failure during the entire operational life of all airplanes of that type is (1 - 10^-9)^(20·500·365·4) ≈ 0.985 (see [5]).
- The reliability that a pacemaker will be able to provide stimuli during 7 years is 0.95.
- The MTBF of an operational wafer scanner is 160 hours.
- The availability requirement for a harbor radar vessel surveillance system is max. 4 hrs/year downtime.
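The quantified examples above, worked out in code. This is an added example written for this page, not material from the ESI agenda; it assumes a constant failure rate (the exponential model R(t) = exp(-t / MTTF)) and treats every operating hour of the fleet example as an independent trial with the same failure probability. The 8-hour mission for the wafer scanner is an assumed figure; all other numbers are the agenda's own.

```python
"""Reliability figures from the agenda's examples, worked out in code.

Added example (not from the ESI agenda). Assumes a constant failure rate,
i.e. the exponential model R(t) = exp(-t / MTTF), and treats each operating
hour of the fleet example as an independent trial with the same failure
probability.
"""
import math

HOURS_PER_YEAR = 365 * 24


def survival_over_exposure(p_per_hour: float, exposure_hours: float) -> float:
    """Probability of zero failures over `exposure_hours` independent hours,
    i.e. (1 - p)^n. Computed via log1p so that p = 1e-9 keeps its precision
    instead of being partly rounded away inside (1 - p)."""
    return math.exp(exposure_hours * math.log1p(-p_per_hour))


def fleet_exposure_hours(years: int, aircraft: int, hours_per_day: float,
                         days_per_year: int = 365) -> float:
    """Total flight-hours accumulated by a fleet (the exponent 20*500*365*4)."""
    return years * aircraft * days_per_year * hours_per_day


def reliability_from_mtbf(mtbf_hours: float, mission_hours: float) -> float:
    """R(t) = exp(-t / MTBF): chance of completing one mission without failure."""
    return math.exp(-mission_hours / mtbf_hours)


def implied_mttf(reliability: float, horizon: float) -> float:
    """Invert R(t) = exp(-t / MTTF). A requirement 'R over horizon' implies
    MTTF = -horizon / ln(R); the unit follows that of `horizon`."""
    if not 0.0 < reliability < 1.0:
        raise ValueError("reliability must lie strictly between 0 and 1")
    return -horizon / math.log(reliability)


def availability_from_downtime(downtime_hours_per_year: float) -> float:
    """Steady-state availability implied by a yearly downtime budget."""
    return 1.0 - downtime_hours_per_year / HOURS_PER_YEAR


def agenda_examples() -> dict:
    """Evaluate the agenda's four quantified examples."""
    return {
        # 500 aircraft, 4 h/day, 20 years, 1e-9 per flight-hour -> about 0.985
        "fleet_no_catastrophe": survival_over_exposure(
            1e-9, fleet_exposure_hours(20, 500, 4)),
        # MTBF 160 h: probability of an (assumed) 8 h mission without failure
        "wafer_scanner_8h": reliability_from_mtbf(160.0, 8.0),
        # pacemaker: 0.95 over 7 years -> implied MTTF in years
        "pacemaker_mttf_years": implied_mttf(0.95, 7.0),
        # radar: at most 4 h/year down -> availability
        "radar_availability": availability_from_downtime(4.0),
    }


if __name__ == "__main__":
    for name, value in agenda_examples().items():
        print(f"{name}: {value:.6f}")
```

The fleet figure shows why the exponent matters more than the tiny per-hour probability: 14.6 million exposure hours turn a 10^-9 per-hour risk into a 1.5% chance of at least one catastrophic failure somewhere in the fleet.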


5.3.2 Problem statement

High-tech products continually evolve to include more functionality through increased intelligence (innovation), often in combination with increased integration (cost and size reduction). Both these trends increase the complexity of the design, the development, and the production of such systems, which in turn endangers their reliability. A system's resultant reliability is impacted by reliability aspects of all disciplines implemented in this system, e.g. electrical engineering, mechanical engineering, software, sensor and actuator design, etc. In the following, we mention key problems that make it difficult to design and maintain products with an adequate level of reliability.

Market trends: increasing integration levels, decreasing time-to-market
Maintaining the reliability levels of the past has become extremely difficult, due to the ever-increasing complexity of the product caused by the rapid increase in functionality as well as features, and the high integration levels required for cost price reduction. This trend is amplified by the need, in a global market, to support many product variations and configurations simultaneously. A commonly known experience factor is that, given a constant design and development process, the number of faults⁷ in software is usually proportional to the size of the code. Given the decrease in product lifetime and hard, market-driven deadlines for product release, there is limited time to debug a product before it is released. Hence, advanced techniques are needed to remove as many faults as possible in a limited period of time. Moreover, there is a need for testing the system components in an early phase of their development, in order to discover reliability issues as early as possible and gain more time for reliability improvements before the shipment date. Reaching higher reliability levels with first releases decreases the costs of achieving the required reliability after the first shipment.

Whereas reliability from a hardware perspective is relatively well understood (e.g. FMEA, fault-tree analysis), from a software and total-system perspective methods for integral reliability analysis and prediction are not yet available. Here the high-tech industry has a huge need for methods and techniques to maintain, and keep predictable, the reliability of their products without hampering time-to-market.

Customer perception of reliability
In high-volume products the key economic reliability driver originates from the user appreciation of a product's reliability. To be successful in these cutthroat markets, both the product cost itself and the cost of non-quality (e.g. product returns) must be minimized. High availability of the product, possibly at the cost of performance qualities, is an important aspect here. The challenge in the development of such products hence is to ensure a satisfactory user-perceived reliability level using concepts, techniques and tools that fit within the low-cost targets of high-volume products. This excludes usage of traditional solutions such as hardware redundancy. An additional challenge is to judge the reliability as perceived by a user, which requires intimate understanding of the user's rationale when judging whether a product is reliable or not.

System openness
The added value of high-tech products more and more depends on external content providers (e.g. TV and electronic TV guide/Teletext, car navigation systems and traffic information). This system/external-content combination opens up the possibility of interaction faults: faults originating outside the system boundary, injected through a system interface and inducing errors in the system during use. Finally, the interaction with the physical world, which is typical for high-tech systems, easily leads to faults if disturbances originating from the physical environment are not taken into account properly.

⁷ Here, the standardized terminology [1] is followed: an error is a part of the system state which may lead to a failure, which is a deviation from the system requirements; a fault is the cause of an error.

5.3.3 Existing solutions

Most work to date on reliability has been driven by the high-integrity, safety-critical embedded systems industry. Large gains have been achieved with better controlled development processes (e.g. CMM [2], CMMI [3]; as process improvement these are outside the scope of ESI). At the product design level, with product cost made subservient to reliability, a large number of methods and techniques have been developed to achieve guaranteed reliability levels suitable for this category of products. In the development of such systems, a general constraint is that a central design authority has control over the design of the system and its decomposition into, possibly networked, sub-systems (e.g. [6] [7]).

These currently existing reliability techniques have their price, in the sense that they require significant redundancy: more CPU time during execution, or more hardware, or more software. To assure product reliability, exceedingly high development effort, time and cost are needed. This is challenged by current market trends that demand shorter time-to-market, a focus on cost reduction, and requirements for long-term maintenance and product upgrades. Even the high-integrity, safety-critical embedded systems category is affected by these trends. Compounding these trends, products increasingly become connected, and thus increasingly need to be exposed to an unbounded environment (an environment lacking a central design authority [8]) to obtain the external information necessary to perform their system functionality. Hence, a careful balance must be preserved between the techniques used for reliability and other constraints and requirements such as shorter time-to-market, minimal costs, and high performance. Here a clear gap exists between the current, hardware-dominant, reliability techniques and the needs of the high-tech industry facing the trends mentioned before and typical constraints on costs, performance, and design time. This makes it extremely difficult to maintain a satisfactory level of reliability.

Thus, to engineer reliability into software-intensive high-tech systems, novel, cost-effective techniques are needed to cope with this changing landscape.


5.3.4 ESI research on reliability

The ESI research on reliability concentrates on (where possible) employing existing, or (when needed) developing new or modified reliability methods and techniques in order to address industrial reliability problems in the application domains of interest to ESI. The aim is to find out which methods and techniques are suitable in which problem domain. This includes the consideration of the trade-off between reliability and other requirements, such as functionality, costs, and performance. NB: ESI will neither address organizational issues nor improvements of either production or development processes related to reliability.

In general, the ESI research on reliability will address both modeling & analysis techniques and synthesis methods. The following lists provide an overview of ESI's research plans in both areas and list the case studies considered.

Modeling & analysis
- Explore properties of existing reliability methods and techniques (e.g. [4] [7] [10] [11]) in terms of how they affect other system qualities.
- Distinguish formalisms for modeling system behaviors that are relevant for reliability and risk analysis. In particular, develop methods to analyze software-intensive systems, both at SW architecture and source code level, with respect to reliability and relevant failure scenarios.
- Develop (multi-disciplinary) methods and techniques adequate for both reliability analysis and reliability prediction based on models (based on e.g. [7] [11]).
- Formulate criteria for quantifying costs of different reliability techniques.
- Formulate criteria for the choice of reliability test methodologies applicable at the system level and at the level of subsystems.
- Develop methods and techniques that enable identification and modeling of user-perceived impact of failures (extending the high-contrast-customer-test concept [18]).
- Devise criteria for estimating cost of failures and the impact of run-time error correction strategies.

Embedded system synthesis
- Develop in-product reliability-enhancing methods and techniques that have a low cost and are suitable for the high-tech systems domain (inspired by [15] [16]). In particular, develop techniques to give a system awareness that its customer-perceived behavior is or is likely to become erroneous (cf. [17] for awareness of mechanical reliability issues). In addition, create methods that provide a system with an in-product error prevention/correction strategy in line with customer expectations.
- Extend existing model-based techniques for automated reliability testing, test generation, and fault diagnosis (e.g. [12] [13]), to make them adequate for handling complex professional systems and multi-disciplinary trade-offs.
- Develop methods and techniques for robust co-operation in open, heterogeneous system coalitions (proposed in [8] [14]), i.e. collaborating, networked systems of different vendors.
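As an added illustration of the architecture-level reliability analysis named above (fault trees over a software architecture, ranking failure-prone components), the following is example code written for this page, not an ESI method or tool. The component names and failure probabilities are constructed, loosely modelled on a digital-TV pipeline; the evaluator assumes independent basic events that each appear once in the tree.

```python
"""Fault-tree evaluation of a software architecture (added example).

Not an ESI method or tool: a minimal evaluator written for this page. Each
component is a basic event with an independent failure probability; gates
combine them into the top event "system failure". Birnbaum importance
(dP(top)/dp_i) and criticality importance (its share of P(top)) rank the
components that dominate the failure probability. Component names and
probabilities are constructed, loosely modelled on a digital-TV pipeline.
"""
from typing import Dict, List, Tuple, Union

# A node is a component name, or ("AND" | "OR", [children]).
Node = Union[str, Tuple[str, list]]

# Constructed example: the system fails if the tuner fails, or both
# redundant decoders fail, or either the UI or the EPG parser fails.
TV_TREE: Node = ("OR", [
    "tuner",
    ("AND", ["decoder_a", "decoder_b"]),
    ("OR", ["ui", "epg_parser"]),
])
TV_PROBS: Dict[str, float] = {
    "tuner": 0.02, "decoder_a": 0.10, "decoder_b": 0.10,
    "ui": 0.03, "epg_parser": 0.05,
}


def evaluate(node: Node, probs: Dict[str, float]) -> float:
    """Failure probability of `node`, for independent basic events that each
    occur once in the tree (no shared subtrees)."""
    if isinstance(node, str):
        return probs[node]
    gate, children = node
    child_ps = [evaluate(c, probs) for c in children]
    if gate == "AND":                       # all inputs must fail
        p = 1.0
        for cp in child_ps:
            p *= cp
        return p
    if gate == "OR":                        # any input failing is enough
        q = 1.0
        for cp in child_ps:
            q *= 1.0 - cp
        return 1.0 - q
    raise ValueError(f"unknown gate {gate!r}")


def birnbaum_importance(tree: Node, probs: Dict[str, float], comp: str) -> float:
    """dP(top)/dp_comp. P(top) is multilinear in each p_i when every basic
    event appears once, so P(top | comp failed) - P(top | comp working) is
    the exact derivative."""
    failed, working = dict(probs), dict(probs)
    failed[comp], working[comp] = 1.0, 0.0
    return evaluate(tree, failed) - evaluate(tree, working)


def criticality_ranking(tree: Node, probs: Dict[str, float]) -> List[Tuple[str, float]]:
    """Components ordered by criticality importance B_i * p_i / P(top): the
    fraction of system failures in which component i is the weak link."""
    top = evaluate(tree, probs)
    ranked = [(c, birnbaum_importance(tree, probs, c) * p / top)
              for c, p in probs.items()]
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


if __name__ == "__main__":
    print(f"P(system failure) = {evaluate(TV_TREE, TV_PROBS):.4f}")
    for comp, crit in criticality_ranking(TV_TREE, TV_PROBS):
        print(f"{comp:<10} criticality {crit:.3f}")
```

The ranking makes the trade-off visible: the redundant decoders have the highest individual failure probability but the lowest criticality, because the AND gate shields the system from a single decoder failure, while the single-point components in the OR chains dominate.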


Case studies
Selected case studies will be chosen to get insight into reliability problems hampering the high-tech systems industry. Subsequently these case studies are used as the proving ground, firstly to validate the proposed extensions or new reliability methods and techniques against industrial-scale problems, and secondly to understand their effectiveness when deployed in an industrial context and under industrial market pressures.
- In the professional systems category, a wafer scanner will be used as a case study for reliability techniques, with the aim of a significant reduction of lead time and cost in the integration and test phase of professional systems, while maintaining or improving product quality (i.e. reliability, functionality and performance).
- In the high-volume products category, a digital TV will be used as a case study for reliability techniques, with the aim of creating methods and techniques to achieve high user-perceived reliability, fitting within the low-cost targets of the high-volume product market.
- For preparatory research purposes, co-operative driving in the automotive domain is selected as a case study representing a mix of high-volume and safety-critical systems. This case study will investigate the impact of system openness and the reliability techniques needed for networked information gathering and decision making in an open, unbounded and heterogeneous environment.

More case studies will be added in the coming years as needed to address the range of application domains of reliability research at ESI.

5.3.5 Expected results and timeline

1/2006:
1. Initial results on using system compositional models in strategies for optimal selection and sequencing of tests, automatic test generation and execution, and automatic fault diagnosis, with the aim of reducing test time during production of professional systems, without compromising system reliability, performance and functionality.
2. Initial results on reduction of time spent on integration of professional systems by means of model-based strategies (e.g. based on Matlab models) for early system integration and optimal sequencing of integration steps, without compromising system reliability, performance and functionality.

1/2007:
1. Consolidated, state-of-the-art model-based strategies for reduction of time spent on test and integration of professional systems, without compromising system reliability, performance and functionality.
2. Software architecture reliability analysis method based on fault trees and failure scenarios to identify failure-prone components. First architectural concepts to promote reliability in software-intensive systems.


3. Results of high-contrast-consumer-test type experiments to estimate user-perceived impact of failures in the high-volume product domain. First concepts of awareness for several dominant, high-impact failures.
4. Understanding of needs and requirements for robust collaboration and decision making in the case study domain of co-operative driving.

1/2008:
1. Selection criteria to support the choice of reliability test methodologies for the system and the subsystems.
2. Understanding of effective in-product awareness indicators for early warning of emerging reliability issues in high-volume products. First concepts for low-cost hardware support options for such indicators.
3. Source code analysis techniques based on software exploration techniques [19] to distil high-priority problem hotspots having external impact.
4. First concepts for robust information amalgamation strategies and time-constrained decision making strategies in an open, unbounded environment.

1/2009:
1. Architectural concepts and techniques to create system awareness, i.e. monitor system conformance to customer expectations. Run-time error detection and diagnosis strategies for low-cost, high-volume products.
2. A validated user-perceived failure severity model guiding prioritisation of in-product system awareness and prevention/correction strategies.
3. Synergetic integration of model-based strategies for automatic system testing and diagnosis. Consideration of real-time aspects in these strategies.

1/2010:
1. Overview of relevant reliability methods and techniques for the application domain categories of ESI.
2. Validated methods for robust information amalgamation strategies and information exchange elements, and time-constrained decision strategies under uncertainty and partial information in an open, unbounded environment, supported by a proof-of-concept.

2010 and beyond:
1. Reliability models and techniques supporting system composition, i.e. construction of products by predominantly integrating pre-existing systems and components from external parties.
2. Reliability concepts supporting ubiquitous computing, i.e. invisible, decentralized computing devices that support everyday life activities. Such devices require impromptu interoperability capabilities, awareness of locality, cultural and social aspects, and must be capable of handling and resolving ambiguities.


5.3.6 References

[1] A. Avižienis, J.-C. Laprie, B. Randell, C. Landwehr, Basic Concepts and Taxonomy of Dependable and Secure Computing, IEEE Trans. on Dependable and Secure Computing, Vol. 1, No. 1, pp. 11-33, 2004.
[2] M.C. Paulk, C.V. Weber, B. Curtis, M.B. Chrissis, Capability Maturity Model: Guidelines for Improving the Software Process, ISBN 0201546647, 1995.
[3] M.B. Chrissis, M. Konrad, S. Shrum, CMMI: Guidelines for Process Integration and Product Improvement, ISBN 0-321-15496-7, 2003.
[4] D. Stamatis, Failure mode and effect analysis: FMEA from theory to execution, Milwaukee, Wisconsin, ASQC Quality Press, 1995.
[5] L. Strigini, Software Reliability, Safety-Critical Mailing List Archive, 18 June 1997.
[6] M.R. Lyu (ed.), Software Fault Tolerance, John Wiley & Sons, 1995.
[7] M.R. Lyu (ed.), Handbook of Software Reliability Engineering, IEEE Computer Society Press, McGraw-Hill, ISBN 0-07-039400-8, 1996.
[8] R.J. Ellison, D. Fisher, R.C. Linger, H.F. Lipson, T.A. Longstaff, and N.R. Mead, Survivable Network Systems: An Emerging Discipline, Software Engineering Institute Technical Report No. CMU/SEI-97-TR-013, November 1997.
[9] A. Ganek, T. Corbi, The dawning of the autonomic computing era, IBM Systems Journal, Vol. 42, No. 1, 2003.
[10] A. Zarras, V. Issarny, Assessing Software Reliability at the Architectural Level, Proc. of the 4th Int'l Software Architecture Workshop, June 2000, Limerick, Ireland.
[11] L. Dobrica, E. Niemelä, A survey on software architecture analysis methods, IEEE Trans. on Software Engineering, Vol. 28, No. 7, pp. 638-654, July 2002.
[12] J. de Kleer, A. Mackworth and R. Reiter, Characterizing diagnoses and systems, Artificial Intelligence, Vol. 56, pp. 197-222, 1992.
[13] J. Pietersma, A. van Gemund and A. Bos, A model-based approach to fault diagnosis of embedded systems, Proc. of the 10th ASCI Conference, June 2004, pp. 189-196.
[14] O. Raz, M. Shaw, An Approach to Preserving Sufficient Correctness in Open Resource Coalitions, 10th Int'l Workshop on Software Specification and Design (IWSSD'00), 2000.
[15] D. Patterson et al., Recovery-Oriented Computing (ROC): Motivation, Definition, Techniques, and Case Studies, UC Berkeley Computer Science Technical Report UCB//CSD-02, 2002.
[16] M. Shaw, Everyday Dependability for Everyday Needs, Keynote speech at the 13th IEEE Int'l Symposium on Software Reliability Engineering, 2002.
[17] B. Larder, An analysis of HUMS vibration diagnostic capabilities, 53rd Annual Forum of the American Helicopter Society, Virginia Beach, 1997.
[18] J. Boersma, G. Loke, Y. Lu, A. Brombacher, H. Loh, Reducing product rejection via a High Contrast Consumer Test, European Safety & Reliability (ESREL) Conference, Vol. 1, pp. 191-193, 2003.
[19] L. Moonen, Exploring Software Systems, Proc. of the Int'l Conference on Software Maintenance (ICSM), 2003.

5.4 Evolvability

5.4.1 Introduction

For most markets in the area of embedded systems, there is a clear trend towards shorter innovation cycles and significant price erosion after new product introduction into the marketplace. Accordingly, there is an imperative to simultaneously push new products and features to the market while also responding to evolving customer expectations with new applications and product improvements. Further, this must be done in a cost-effective and time-efficient manner. One approach is to first develop flexible, adaptable, and evolvable architectures and components, and to then leverage these assets as the necessary platforms for innovative market response. Similarly, it is important to avoid the blind alleys that result from rigid and brittle architectures and legacy configurations, which become a handicap when one has to compete with new competitors that enter the market from different markets or technology angles. The general aim is to improve system evolvability, i.e. the ability to evolve easily in response to technology evolution, competition evolution, and customer expectation evolution. The Software Engineering Institute of Carnegie Mellon University defines evolvability as the ease with which a system or component can be modified to take advantage of new software or hardware technologies. The global marketplace requires a continuous stream of industrial products in a highly dynamic market. Our research is targeted at methods and techniques that facilitate this aspect of product development.

5.4.2 Problem statement

During the operational life of an embedded system there is a continuous stream of requests for changes in response to changing operational requirements, changing business process flows, and changing customer expectations. These potential changes, together with some specific examples, are discussed next:

- An extension of the system functionality. For example, adding MP3 functionality to a TV or a new application feature to an MRI scanner.
- An update to a relevant technology. In this context, the technology can either be domain-specific or generic. An example of a domain-specific technology update is a next-generation wavelength in a wafer scanner. An example of a change in a generic technology could include a CPU update, or an update to the operating system (e.g. a switch from a unique home-grown operating system to a real-time operating system).
- A change to the physical interface with the system. Examples include the change in a television from the analogue screen to the digital screen, or in a car from individual instruments to a single LCD screen that incorporates all vehicle telematics. Such changes can have consequences throughout the complete system.

- A change in the system context characteristics. Increasingly, systems are evolving from standalone platforms into integrated nodes within a complex information network that in turn facilitates an integrated business workflow. For example, the MRI scanner is gradually integrated into a hospital workflow, a wafer scanner becomes integrated into an integrated IC fab process, and a car becomes integrated into a traffic control system.
- A change in the human user applications. For example, the MRI scanner is no longer merely a system to provide images. It has entered the operating room of hospitals, requiring different operating characteristics.

Responding to the above changes can often involve expensive and time-consuming product and system modifications. While systems and products are often designed with future changes in mind, the actual required changes may be inconsistent with the forecasts. It is impossible to foresee and accommodate any change that any stakeholder of the system can think of and propose at any time in the future, and hence it is unavoidable that sometimes drastic, non-continuous modifications are needed. Henceforth, changes that lead to discontinuities in system development, typically because they require extensive architectural, system, and component modifications, are called disruptive changes. A few examples of such disruptive changes are:

- A change in the type of motors used inside a printer/copier. As an example, changing from DC motors to stepper motors for economic reasons clearly affects the control software, but may also impact power management, error detection and system recovery. This change may lead to undesirable resonance, which necessitates a considerably more detailed and accurate understanding of the mechanical loads.
- A change in processor technology, costs of memory, and flexibility requirements may lead to the adaptation of a streaming-based architecture towards a more data-centric approach with loosely coupled components.
- A change in a TV from an analogue screen to a digital screen seems a local change at the component level, but this seemingly simple change has a strong impact on all components involved in image enhancement.

It is often difficult to foresee the consequences of disruptive changes. For instance, existing system characterizations and design models may ignore system aspects that turn out to be crucial for the successful application of new technology. Furthermore, decisions have to be taken about the amount of re-use of existing components. A trade-off has to be made between ad-hoc software changes and modifications, and a more fundamental paradigm shift in the architecture. Underestimating the impact of changes is one concern. This may lead to other unexpected problems, schedule- and cost-driven workarounds with long-term implications, unclear structure, and architectural mismatches. The short-term orientation to problem solving may end up creating bigger problems for the future.

Another typical problem with upgrading or modifying a system or product is a non-uniform treatment of common system concepts (such as logging, error checking and handling, fault isolation, calibration, simulation mode, monitoring, and configuration). Such concepts are persistent throughout the system, and non-uniform approaches to such mundane concepts are often scattered throughout the code. A change in policy relating to one of these concepts may affect multiple parts of the system, and may be cost- and time-intensive. There may be the additional challenge that the implementation is not consistent with the architectural intent, and that the gap is not well documented, as is often the case. This only adds to system modification and upgrade impedance.

5.4.3 Existing solutions

In the software domain there are a number of techniques to evaluate and improve the evolvability of large systems. Scenario-based evaluation techniques like SAAM and ATAM [1] can be used to assess the evolvability of a design. Such approaches can also be extended to address strategic scenarios [2]. This can lead to a system architecture that is flexible and facilitates future requirements requiring improved evolvability. A variety of imperatives relating to modularity and decoupling, separation of concerns, and the clear articulation of system interfaces (internal and external) become important. As an example, internal research at NOKIA resulted in the identification of a comprehensive list of such imperatives. This has been documented as part of an artefact called the Architecture Evaluation Framework (AEF), developed by the NOKIA Research Center. Architects and engineers have also formulated techniques such as object-orientation, refactoring, component-based design [4], design patterns, and architectural patterns [5] to provide greater implementation consistency and uniformity, thereby reducing the risk associated with evolving the system or product. Greater formality in the assessment and improvement of system evolvability, supported by metrics and measures, is of prime relevance and importance [6]. This research could have a more general impact on the discipline of embedded systems engineering. Within the control domain, modelling, sensitivity analysis, and robustness against variations and model uncertainty are established tools [7][8], but they are usually applied without taking the impact on the software realization into account.

5.4.4 ESI research on evolvability

While a number of the solutions mentioned above are typically mono-disciplinary in nature, a system-wide assessment of change impacts and their treatment at the system level will require a more multi-disciplinary approach. This is consistent with the ESI research approach and intent. This system objective is rich in its potential to allow meaningful collaboration between academic rigor and industrial pragmatism. Evolvability is not often a standalone concern, but is interdependent with the other system objectives of interest, performance and reliability. The study of the likely disruptive changes over a system's operational life is of particular concern and interest, where we can investigate the application of various techniques to explore the proper design and development response to a variety of necessary system changes. In general, we address both modeling & analysis techniques and synthesis methods.

Modeling & analysis
Research on the analysis of evolvability includes:
- The use of system engineering approaches to predict the impact of system changes, e.g. determine key system drivers, make the key change drivers explicit, and identify tensions and conflicts [9].
- Investigate and validate methods to evaluate evolvability of embedded systems, including metrics [6] and scenario-based techniques [2].
- Model-based analysis: produce models of new or changed parts, validate the models, study the interaction with existing parts, develop guidelines for the required level of detail, and investigate the combination of models from different disciplines, such as simulating coupled models from different disciplines [10].
- Identification of cross-cutting concerns that affect evolvability. Study whether such concerns can be automatically weaved into a model of the basic functionality [11][12].
- Investigate the impact of changes in two directions: bottom-up, when e.g. a hardware component is changed, and top-down, when requirements change. Study the use of tracing techniques [3] and the analysis of sensitivity and robustness [7][8] at the system level.

Embedded system synthesis

Research on the construction of evolvable embedded systems includes the following topics:

- Improving evolvability through a more uniform treatment of system concepts (such as logging, error handling, calibration, simulation mode, monitoring, and configuration). This includes new methods for architecting, analyzing, and implementing systems according to an 'aspect-oriented' philosophy [11].
- Exploring the effectiveness of component-oriented architectures [4] in alleviating the likely impact of potentially disruptive changes by increasing cohesion between system parts. This includes the characterisation of essential component properties, e.g. performance, supported by measurements.
- Devising architectural patterns [5] or product line architectures [14] that are capable of dealing with future changes.
- Methods to select control topologies with minimal sensitivity to changes.
- Developing a framework for the migration from an existing architecture toward a more evolvable one.

Case studies

Since this is a relatively unexplored field of research in the context of embedded systems, especially concerning disruptive changes, we focus on a few application domains and start with domain-specific techniques. As a starting point we consider two lines of case studies, selected from medical applications, lithography, and digital printers:

- Streaming-based cases, where changes are, for instance, induced by fast-evolving hardware technology, such as processors, memory improvements, and network topologies.


- Control-based cases, especially focusing on the impact of changes in sensors, actuators, and control topology on the entire system.

5.4.5 Expected results and timeline

1/2006:
1. First results on code-level weaving of simple aspects in lithography applications
2. Identification of suitable case studies in various application domains

1/2007:
1. Characterisation of evolvability and disruptive changes based on case studies, classification of reasons for changes, and a proposal for measuring and evaluating evolvability improvements
2. Results of experiments with multi-disciplinary modeling methods to assess the impact of changes
3. An evaluation of the application of aspect-oriented techniques in lithography
4. Results of applying requirements engineering, management and tracing techniques to deal with potentially disruptive changes in embedded system development

1/2008:
1. Assessment of the relative evolvability of various architectures
2. Methodology to measure and evaluate evolvability, definition of metrics
3. Proposal for aspect-oriented modeling
4. Identification of disruptive changes
5. Techniques to structure systems such that fewer changes will be disruptive
6. Preliminary guidelines on how to select a control topology that is robust against changes

1/2009:
1. Techniques to predict the impact of disruptive changes systematically
2. System architectures that enable functionality to be added whilst minimizing the impact on the rest of the system. This should consider maintaining safety, throughput, reliability, ease of use and rapid introduction into the marketplace
3. Requirements engineering, management and tracing techniques that are particularly aimed at dealing with potentially disruptive changes in embedded system development

1/2010:
1. Techniques to define a migration path from an existing architecture to a more evolvable architecture
2. Overview of modeling & analysis techniques to deal with changes


3. Overview of constructive techniques that improve evolvability, including insight into the trade-off with other system qualities

Results after 2010 are difficult to predict because evolvability is a rather immature research topic in the area of embedded systems. Hence the current research has an exploratory character and should provide a solid basis for decisions about future research directions after 2010.

5.4.6 References

[1] L. Bass, P. Clements, R. Kazman. Software Architecture in Practice. Second Edition, Addison-Wesley, 2003.
[2] M. Ionita. Scenario-based System Architecting. PhD thesis, Technical University of Eindhoven, 2005.
[3] B. Ramesh, C. Stubbs, T. Powers and M. Edwards. Requirements Traceability: Theory and Practice. Annals of Software Engineering 3, 397-415, 1997.
[4] C. Szyperski. Component Software. Addison-Wesley, 2002.
[5] B.P. Douglas. Real-Time Design Patterns: Robust Scalable Architecture for Real-Time Systems. Addison-Wesley, 2003.
[6] N. Fenton, S.L. Pfleeger. Software Metrics. Thomson, 1996.
[7] Marcel J. Sidi. Design of Robust Control Systems: From Classical to Modern Practical Approaches. Krieger Pub Co, 2001.
[8] Kemin Zhou, John C. Doyle. Essentials of Robust Control. Prentice Hall, 1997.
[9] G. Muller. CAFCR: A Multi-view Method for Embedded Systems Architecting; Balancing Genericity and Specificity. PhD thesis, Technical University of Delft, 2004.
[10] J. Hooman, N. Mulyar, L. Posta. Coupling Simulink and UML Models. Proc. Symposium FORMS/FORMATS, Formal Methods for Automation and Safety in Railway and Automotive Systems, B. Schnieder and G. Tarnai (eds.), pp. 304-311, 2004.
[11] R. E. Filman, T. Elrad, S. Clarke, M. Aksit. Aspect-Oriented Software Development. Addison-Wesley, 2005.
[12] S. Clarke, R. J. Walker. Generic Aspect-Oriented Design with Theme/UML. In [11], pp. 425-458, 2005.
[13] T. Elrad, O. Aldawud, A. Bader. Expressing Aspects Using UML Behavioral and Structural Diagrams. In [11], pp. 459-478, 2005.
[14] C. Atkinson et al. Component-Based Product Line Engineering with UML. Addison-Wesley, 2002.


STATUS AND FURTHER DEVELOPMENT

This document constitutes the first edition of the ESI research agenda. As such it forms the basis for the current portfolio of ESI research projects (see Appendix A). It also provides the starting point for the further development of ESI research planning in interaction with ESI partners in academia and industry, in particular with the founding partners of ESI. A first revision of the agenda resulting from such consultations is expected by July 1, 2006. Further revisions will be carried out on (at least) a yearly basis. The majority of the proposed research activities can be funded from available research grants, and almost all proposed research activities for the next 4 years can be funded from research grants that are expected to become available within the next half year (see Appendix B). The human resources required for the activities of the coming 4 years fall within the projected growth path for ESI of 12 Research Fellows by the end of 2006. In particular, the start of three preparatory research projects (Concerto, HADES, Impact) is anticipated in the coming year. If the corresponding funding is granted, as currently expected, their commencement is scheduled for July 1, 2006.


A. PROJECT MASTERPLANNING


B. COVERAGE PLANNED RESULTS BY PLANNED PROJECTS

The table below indicates the relation between planned results and the planned projects listed in Appendix B. The numbers in each cell refer to the numbered expected results for that year and system objective in the corresponding "Expected results and timeline" sections.

2006
  Performance:  1 BODERC; 2 BODERC; 3 TANGRAM
  Reliability:  1 TANGRAM; 2 TANGRAM
  Evolvability: 1 IDEALS; 2 DARWIN, IMPACT

2007
  Performance:  1 BODERC; 2 BODERC; 3 HADES; 4 HADES; 5 TANGRAM
  Reliability:  1 TANGRAM; 2 TRADER; 3 TRADER; 4 CONCERTO
  Evolvability: 1 IDEALS, DARWIN, IMPACT; 2 IMPACT; 3 IDEALS; 4 DARWIN, IMPACT

2008
  Performance:  1 unassigned; 2 unassigned; 3 HADES; 4 TANGRAM
  Reliability:  1 unassigned; 2 TRADER; 3 TRADER; 4 CONCERTO
  Evolvability: 1 DARWIN, IMPACT; 2 IDEALS, DARWIN, IMPACT; 3 IDEALS; 4 IMPACT; 5 IMPACT; 6 IMPACT

2009
  Performance:  1 HADES; 2 unassigned; 3 unassigned
  Reliability:  1 TRADER; 2 TRADER; 3 unassigned
  Evolvability: 1 IMPACT; 2 IDEALS, DARWIN, IMPACT; 3 IMPACT

2010
  Performance:  1 HADES; 2 unassigned; 3 unassigned
  Reliability:  1 unassigned; 2 CONCERTO
  Evolvability: 1 IDEALS, DARWIN, IMPACT; 2 IDEALS, DARWIN, IMPACT; 3 IDEALS, DARWIN, IMPACT

2010+
  Performance:  1 unassigned; 2 unassigned; 3 unassigned
  Reliability:  1 unassigned; 2 unassigned
