IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 28, NO.
7, JULY 2009 937
Guest Editorial
Challenges and Solutions in the Development
of Automotive Systems
UTOMOTIVE systems are today the epitome of distrib-
A uted complex embedded systems and, as such, offer an
ideal domain to inspire research in methodologies and tools, as
well as a rich test case for embedded system developers.
The overall size of the software that is embedded in automo-
biles today is in the millions of lines of code, and it is forecast
to significantly increase to accommodate additional functional
content, from powertrain and chassis control, to infotainment.
In addition to sheer software size, the complexity of automotive
systems is constantly growing due to tight requirements for
increased safety and performance, reduced pollution, and over-
all efficiency. Cost and time-to-market pressure pose additional
burden to the designers for achieving an efficient use of system
resources. Alongside the appetite for consumer electronics and
communication devices that the car buyers are demonstrating,
there is also a growing concern about the number of lives
that are lost in our roads due to accidents. Both in the U.S.
and Europe, regulatory pressures on safety are evident. Safety
concerns are a major driving force for automakers.
To cope with these problems, major advances are required at
all levels in the architecture stack of automotive systems, from
innovative chip architectures and sensors, to new standards
for communications, to methods, tools, and standards for the
development of middle-ware and application-level software
components.
One such advance is a fundamental shift in architecture de-
sign that is taking place. Today’s automobile electronic systems
are based on the concept of federated architecture, where each
function is deployed to an autonomous electronic control unit
(ECU), which is developed as a black-box integrated subsystem
by Tier-1 suppliers. Because of the increased complexity and
distribution of active-safety and future safety-critical functions,
including by-wire systems, and the interdependence of these
functions that gives rise to unexpected and undesired emerging
behaviors, systems are becoming very difficult to test and
validate. Furthermore, there is limited understanding of how
to control the nonfunctional behavior of interacting modules,
including timing and reliability properties emerging from the
composition. Last but not least, the number of ECUs and
busses is growing to unreasonable levels due to the need of ac-
commodating new functionalities in the federated architecture
paradigm, causing cost and reliability problems.
This situation has interested the automotive industrial sector
to look at integrated architectures, in which software compo-
Digital Object Identifier 10.1109/TCAD.2009.2024982
0278-0070/$25.00 © 2009 IEEE
nents can be supplied from multiple sources, integrated on the
same hardware platform or physically distributed and possibly
moved from one CPU to another without loss of functional
and time correctness and providing a guaranteed level of reli-
ability. This shift decouples software design from the hardware
platform and provides opportunities for the optimization of ar-
chitecture configuration, increased extensibility, flexibility, and
modularity. ECUs can physically be integrated, with significant
cost and dependability benefits and a reduction in the number of
communication wires and connection harnesses. The possibility
of defining components (subsystems) at higher levels of ab-
straction and with well-defined interfaces also allows separation
of concerns and improves modularity and reusability.
Methods and tools are needed for the design–time analysis
of the result of the system-level integration, including the
verification of safety constraints and, in general, the capability
of predicting system-level functional, reliability, and timing
properties.
To discuss these trends and to provide a glimpse at the future
of automotive systems, we organized a full special day at the
DATE 08 Conference.1 This Special Section on Automotive
Systems collects some of the presentations given at the special
day. The papers in this Special Section address several problems
in the architecture stack, from physical (sensor device) designs,
to software architectures, to methods and tools for timing and
performance analysis.
At the level of the physical architecture, IC technology
allows the development of ICs with an unprecedented degree of
integration. Higher computational speeds and multicore tech-
nologies are already readily available to architecture designers
and will be even more so in the future. IC technology is
also offering sensors with capabilities and prices unthinkable
a few years ago. Intelligent sensors are needed to measure all
kinds of environmental conditions that have an effect on the
safety of passengers and drivers, whereas wireless technology
is removing barriers to their layout and to the possibility of
retrofits.
The tire is one of the most important components of the vehi-
cle from many aspects—handling, fuel consumption, comfort,
and safety—and yet, it still remains one last crucial component
of the car that is intrinsically passive. A first step in making it a
richer component has been the introduction of tyre-pressure-
monitoring systems. The paper by Coleri et al. describes an
1 Special Day on Automotive, Proceedings of Design, Automation, and Test
in Europe (DATE 2008), Munich, Germany, April 2008.
938 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 28, NO. 7, JULY 2009
integrated solution that leverages advances in sensors and wire-
less communication to make tires intelligent, using devices
placed inside the tire to enable collection of data on the dynam-
ics of the vehicle with unprecedented precision and allowing
the development of sophisticated controls. The challenges of
placing electronic components inside a tire are daunting, but
the payoffs are invaluable. Many technical problems have to
be addressed and solved to reach this goal, from miniaturized
sensors’ technologies, to microelectronics, packaging, energy
scavenging and management, radio technologies, mechanical
engineering, data processing, modeling, control systems, chem-
ical engineering, and physics.
The paper by Obermaisser et al. addresses the architecture
shift from federated to integrated systems and discusses the
development of components and subsystem integration for safe
and predictable systems. The focus is on the concepts of en-
capsulation, fault isolation, and error containment, both at the
functional and temporal levels.
This is probably the hottest topic in automotive systems
development today. The establishment of an infrastructure
based on standardized interfaces for software components that
allows open interoperability, modularity, scalability, transfer-
ability, and reusability of functions is very important, so that
AUTOSAR, a worldwide development partnership including
almost all players in the automotive domain electronics supply
chain, has been created with the purpose of developing an open
industry standard.
The AUTOSAR project has been focused on the concepts
of location independence, standardization of interfaces, and
portability of code. However, the definition of a component-
based design methodology for complex systems, as character-
ized by functional and nonfunctional properties, assumptions,
and constraints, requires formal models and languages for the
definition of the components’ contracts. The component model
must guarantee that a component property is preserved across
integration (i.e., composability) and must allow one to deduce
global properties (of the composed object) from the properties
of its components (i.e., compositionality).
To this objective, there are technical and business challenges
to overcome. In particular, from the technical point of view, the
sharing of safety-critical and hard real-time software requires
substantial improvements in design methods and technology.
Several issues need to be solved for function partitioning and
subsystem integration, including time predictability, that is,
the capability of predicting the system-level timing behavior
(latency and jitter) resulting from the synchronization between
tasks and messages, and dependability with fault containment,
both at the functional and timing levels.
In the future scenario, in which application tasks from mul-
tiple Tier-1 suppliers are integrated into the same ECU, lever-
aging the standardization of interfaces allowed by AUTOSAR,
and protecting the tasks of each IP from the functional and
timing errors of other IPs will be of fundamental importance.
Timing isolation is therefore required to provide for additional
separation of concerns and protection.
New system-level modeling and analysis methods and tools
are needed not only for predictability and composability when
partitioning end-to-end functions at design time and later at
system integration time, but also for providing guidance and
support to the designer in the evaluation and selection of the
electronics and software architectures.
Architecture evaluation and selection is a vital stage with
a tremendous impact on the cost, performance, and quality
of a vehicle. It is typically performed years in advance of
subsystem development and integration. In this stage, models
of the functions and of the possible solutions for the physical
architecture need to be defined and matched to evaluate the
quality and select the best possible hardware platform with
respect to performance, reliability, and cost metrics and con-
straints. For timing-related metrics (including end-to-end la-
tency, signal jitter, and bus/CPU utilization), the schedulability
analysis theory can provide the formal evaluation of the worst-
case timing behavior.
Careful timing analysis is also required to avoid timing faults
when scheduling tasks and messages either by priority or in a
time-triggered scheduling environment, provided an estimate of
the worst-case execution times (WCETs) of all application tasks
and operating system services is available.
In the context of (worst-case) timing analysis, a number of
additional issues need to be considered.
Extensibility and (to some degree) tolerance with respect
to unexpectedly large resource requirements from tasks and
messages that are allowed by priority-based scheduling comes
at the price of additional jitter and latency and lack of timing
isolation.
Future applications, including safety critical (x-by-wire) and
active safety, need shorter latency and time determinism (re-
duced jitter) because of increased performance. The current
model for the propagation of information, based on communi-
cation by periodic sampling among nonsynchronized nodes has
very high latency in the worst case, and a large amount of jitter
between the best-case and the worst-case delays. In these de-
signs, time determinism is typically disrupted, and the applica-
tion must be able to tolerate the large latency caused by random
sampling delays. In a time-triggered system, the scheduling of
the tasks and messages can be arranged in such a way that
latency and jitter are controlled and are possibly much shorter.
One of the major downsides of priority-based scheduling of
resources is that faulty high-priority computation or commu-
nication flows can easily obtain the control of the ECU or the
bus, subtracting time from lower priority tasks or messages. In
the future scenario, in which application tasks from multiple
Tier-1 suppliers are integrated into the same ECU, leveraging
the standardization of interfaces allowed by AUTOSAR, timing
isolation will be required to provide for separation of concerns
and protection.
Time-based schedulers, including those supported by the
FlexRay and OSEKTime standards, force context switches on
the ECUs and the assignment of the communication bus at
predefined points in time, regardless of the outstanding requests
from the tasks for computation and communication bandwidth.
Therefore, they are better suited to provide temporal protection,
except that the enforcement of a strict time window for execu-
tion and communication requires a much better capability of the
designer in predicting the WCETs of tasks so that the execution
window can appropriately be sized, and guardians are needed
IEEE TRANSACTIONS ON INSTRUMENTATION AND MEASUREMENT, VOL. 28, NO. 7, JULY 2009
to ensure that an out-of-time transmission will not disrupt the
communication flow on the bus.
The paper by Wilhelm et al. focuses on methods for the
determination of upper bounds for the execution times of all
the tasks of the system. These upper bounds are commonly
called WCETs. The determination of the WCET of software
is an increasingly complex problem due to the use of processor
components such as caches, pipelines, and all kinds of specula-
tion, which make the execution time of an individual instruction
locally unpredictable. Such execution times may vary between
a few cycles and several hundred cycles.
The paper by Wilhelm et al. presents a solution based on
the combination of static program analysis with integer linear
programming. The method has successfully been used to de-
termine precise upper bounds on the execution times of real-
time programs. The tools based on it are in routine use in the
aeronautics and automotive industries. They are accepted as
validated tools for time-critical applications by the European
Airworthiness Authorities and have been used in the certifica-
tion of several time-critical subsystems of the Airbus A380.
The paper also discusses the integration of timing analysis
tools with other tools, possible extensions to the basic WCET
analysis of sequential task code, including the determination
of context-switch costs and modus-specific timing analysis,
alternative approaches, and, finally, a set of design guidelines
for architecture selection and program coding targeted at guar-
anteeing the computation of safe bounds on the computa-
tion time.
Finally, the paper by Schliecker et al. provides insights on
worst-case system-level end-to-end timing analysis of func-
tions. The paper discusses the needs that led to the recent
introduction of a timing model in the release 4.0 of AUTOSAR
and summarizes recent results in compositional performance
analysis, which can be exploited to analyze automotive net-
worked systems. Due to their low computational cost com-
pared with simulation, these methods can be applied to design
space exploration in a complex automotive supply chain. The
resulting tools and methods can even be used to optimize the
robustness of an architecture, which is important to handle
updates and to extend its lifetime.
These tools and methods have indeed been used to improve
the quality of automotive system and component designs, even
for cars that are already in production. The authors discuss the
consequences of the shift in the verification process caused
by the use of more formal models for the (traditionally con-
servative) automotive industry and conclude that a very good
place to start are the early design phases, where analytical
approaches based on estimated values have always been used.
939
There, the necessary data of process timing and communication
can be captured, and later refined throughout the development
process. This approach requires new measurement and profiling
techniques and nicely fits with the methods and tools proposed
in the third paper of this issue.
In conclusion, it is our hope that readers find the research and
application results presented in this Special Section exciting.
We are sure that the modeling and analysis techniques that are
being developed for automotive systems will not only continue
to develop and flourish for years to come but will also have
a profound impact on other application domains that involve
distributed real-time systems.
We would like to express our sincere thanks to the reviewers
for this Special Section. Most of them have been involved
in two or three rounds of reviews for each paper, dedicating
their time to ensure that this issue contains high-quality papers.
Last but not least, we are grateful to the Editor-in-Chief,
Prof. S. Sapatnekar for his timely, continuous, and precious
assistance during all the stages of this project.
I. P APER L IST
Title: The Tire as an Intelligent Sensor
Authors: Sinem Coleri Ergen, Alberto Sangiovanni-
Vincentelli, Xuening Sun, Riccardo Tebano, Sayf Alalusi,
Giorgio Audisio, and Marco Sabatini
Title: From a Federated to an Integrated Automotive
Architecture
Authors: Roman Obermaisser, Christian El Salloum, Bernhard
Huber, and Hermann Kopetz
Title: Memory Hierarchies, Pipelines, and Buses for Future
Architectures in Time-Critical Embedded Systems
Authors: Reinhard Wilhelm, Daniel Grund, Jan Reineke, Marc
Schlickling, Markus Pister, and Christian Ferdinand
Title: System Level Performance Analysis for Real-Time Auto-
motive Multi-Core and Network Architectures
Authors: Simon Schliecker, Jonas Rox, Mircea Negrean, Kai
Richter, Marek Jersak, and Rolf Ernst.
ALBERTO SANGIOVANNI-VINCENTELLI, Guest Editor
Department of Electrical Engineering and
Computer Sciences
University of California
Berkeley, CA 94720 USA
MARCO DI NATALE, Guest Editor
Scuola Superiore Sant’Anna
56127 Pisa, Italy
940 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 28, NO. 7, JULY 2009

Alberto Sangiovanni-Vincentelli (F’82) received the “Dottore in Ingegneria” degree (summa

cum laude) in electrical engineering and computer science from the Politecnico di Milano,
Milano, Italy, in 1971.
In 1980–1981, he spent a year as a Visiting Scientist with the Mathematical Sciences
Department, IBM T. J. Watson Research Center, Yorktown Heights, NY. In 1987, he was a
Visiting Professor with the Massachusetts Institute of Technology, Cambridge. He has held a
number of Visiting Professor positions with Italian Universities, including the Politecnico di
Torino, Torino, Italy; the Universita’ di Roma, La Sapienza, Rome, Italy; the Universita’ di
Roma, Tor Vergata, Rome; the Universita’ di Pavia, Pavia, Italy; the Universita’ di Pisa, Pisa,
Italy; and Scuola Superiore Sant’Anna, Pisa. He was a cofounder of Cadence and Synopsys, the
two leading companies in the area of electronic design automation. He is currently the Chief
Technology Adviser of Cadence. He is a member of the Board of Directors of Cadence and
the Chair of its Technology Committee, UPEK, a company he helped spinning off from ST
Microelectronics, Sonics, and Accent, an ST Microelectronics–Cadence joint venture he helped founding. He was a member
of the HP Strategic Technology Advisory Board and is a member of the Science and Technology Advisory Board of General
Motors and of the Scientific Council of the Tronchetti Provera foundation and of the Snaidero Foundation. He is a member of
the Advisory Board of Walden International, Sofinnova, and Innogest Venture Capital funds and a member of the Investment
Committee of a novel VC fund, Atlante Ventures, by Banca Intesa/San Paolo and of Finlombarda Next Fund. He is the founder
and Scientific Director of the Project on Advanced Research on Architectures and Design of Electronic Systems (PARADES), a
European Group of Economic Interest. He is a member of the High-Level Group, of the Steering Committee, of the Governing
Board, and of the Public Authorities Board of the EU Artemis Joint Technology Initiative. He is a member of the Scientific Council
of the Italian National Science Foundation (CNR) and a member of the Board of Directors of CNR Rete Ventures. He is currently
the Edgar L. and Harold H. Buttner Chair of Electrical Engineering and Computer Sciences with the University of California,
Berkeley, where he has been on the faculty since 1976. He is the author of more than 800 papers, 15 books, and three patents in
the area of design tools and methodologies, large-scale systems, embedded systems, hybrid systems, and innovation.
Prof. Sangiovanni-Vincentelli is a member of the National Academy of Engineering, which is the highest honor bestowed
upon a U.S. engineer. He was the recipient of the Distinguished Teaching Award from the University of California in 1981,
the worldwide IEEE Graduate Teaching Award (a Technical Field Award for “inspirational teaching of graduate students”) in
1995, and the Aristotle Award from the Semiconductor Research Corporation in 2002. He was also the recipient of numerous
research awards, including the Guillemin–Cauer Award in 1982–1983, the IEEE Darlington Award in 1987–1988 for the best
paper bridging theory and applications, two awards for the best paper published in the IEEE TRANSACTIONS ON CIRCUITS
AND S YSTEMS and IEEE T RANSACTIONS ON C OMPUTER-A IDED D ESIGN OF I NTEGRATED C IRCUITS AND S YSTEMS , five
Best Paper Awards and one Best Presentation Award at the Design Automation Conference, and other best paper awards at the
Real-Time Systems Symposium and the VLSI Conference. In 2001, he was the recipient of the Kaufman Award of the Electronic
Design Automation Council for “pioneering contributions to EDA.” In 2008, he was the recipient of the IEEE/RSE Wolfson James
Clerk Maxwell Medal “for groundbreaking contributions that have had an exceptional impact on the development of electronics
and electrical engineering or related fields” with the following citation: “For pioneering innovation and leadership in electronic
design automation that have enabled the design of modern electronics systems and their industrial implementation.”

Marco Di Natale (M’03) received the Ph.D. degree from Scuola Superiore Sant’Anna, Pisa,
Italy, in 1991.
He started working in the automotive field in the late 1990s, on the development of an OSEK-
compliant real-time operating systems for muticore platforms, in cooperation with Magneti
Marelli and ST Microelectronics. In 2006, he worked with the General Motors bay area labora-
tories in California and then with General Motors R&D, Warren, MI, where he was a Technical
Lead in the area of architecture exploration and evaluation until 2007. He is currently a member
of the EU ADAMS Project Automotive Expert Group. He was a visiting Researcher with the
University of California, Berkeley, in 2006 and 2008. He is currently an Associate Professor with
Scuola Superiore Sant’Anna, where he was the Director of the Real-Time Systems (ReTiS) Labo-
ratory from 2003 to 2006. He has been a researcher in the area of real-time systems and embedded
systems for more than 15 years, being the author or coauthor of more than 80 scientific papers.
Prof. Di Natale has served as an Associate Editor of the IEEE TRANSACTIONS ON
COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS and is currently on the Editorial Board of the IEEE
TRANSACTIONS ON INDUSTRIAL INFORMATICS. He has served as a Program Committee Member and has been an organizer of
tutorials and special sessions for the main conferences in the area, including the Real-time Systems Symposium, the IEEE/ACM
Design Automation Conference (DAC), the Design Automation and Test in Europe, and the Real-Time Application Symposium, in
which he also served as the Track Chair. In 2006, he was selected by the Italian Ministry of Research as the national representative
in the mirror group of the ARTEMIS European Union Technology platform. He was the recipient of three Best Paper Awards.