Tuesday 11 June
Tu.OA.1. Opening Session
Mohamed Kaâniche, ERTS 2024 chair, LAAS-CNRS Director, France
Tu.OA.2. Opening Session
Industrial Co-chairs Helen Clergeau (Continental Automotive, Head of Software Defined Vehicle Value Chain) and Jean-Marie Garigues (VP Engineering Airbus, Head of Avionics and Simulation Products)
Tu.P.1. Plenary
Mario Trapp, Executive Director of the Fraunhofer Institute for Cognitive Systems IKS, Germany - "Resilience Revisited - Assuring Safety in the Face of the Unpredictable"
Tu.1.A
ML/AI Embedded
Chair: Claire Pagetti (ONERA)
Tu.1.A.1 11:30
Real-Time Semantic Segmentation of Aerial Images Using an Embedded U-Net: A Comparison of CPU, GPU, and FPGA Workflows
This study introduces a lightweight U-Net model optimized for real-time semantic segmentation of aerial images, targeting the efficient utilization of Commercial Off-The-Shelf (COTS) embedded computing platforms. We maintain the accuracy of the U-Net on a real-world dataset while significantly reducing the model's parameters and Multiply-Accumulate (MAC) operations by a factor of 16. Our comprehensive analysis covers three hardware platforms (CPU, GPU, and FPGA) and five different toolchains (TVM, FINN, Vitis AI, TensorFlow GPU, and cuDNN), assessing each on metrics such as latency, power consumption, memory footprint, energy efficiency, and FPGA resource usage. The results highlight the trade-offs between these platforms and toolchains, with a particular focus on the practical deployment challenges in real-world applications. Our findings demonstrate that while the FPGA with Vitis AI emerges as the superior choice due to its performance, energy efficiency, and maturity, it requires specialized hardware knowledge, emphasizing the need for a balanced approach in selecting embedded computing solutions for semantic segmentation tasks.
Tu.1.A.2 12:00
Exploring Neural Network Architectures for Satellite Imagery on FPGA devices
Today, Artificial Intelligence (AI) solutions are deployed for various applications in several technological domains. Deep Learning (DL) methods, especially Artificial Neural Networks (ANN), are considered for space systems to provide new perspectives for complex earth observation or space exploration missions that request in-orbit data processing. However, the inherent complexity of such algorithms in terms of arithmetic operations and associated memory usage limits their integration on on-board components and usually requires special accelerator entities dedicated to performing such tasks. For space systems, due to limitations on energy availability, Field Programmable Gate-Array (FPGA) devices are usually preferred over more power-consuming Graphical Processing Units (GPU). Nonetheless, the design and implementation processes are more complex for FPGA and must be carefully analyzed. In this paper, we describe our approach from initial prototyping to implementation for an industrial test-case about satellite imagery: the Airbus Ship Detection Challenge (ASDC). We discuss the application considerations for classification and semantic segmentation and describe a set of selected ANN architectures together with the training environment. We conduct an evaluation strategy to select small and efficient architectures that provide a good trade-off in terms of accuracy and performance. Finally, we detail optimization techniques and experiment on-board performances of our EMBRYA's Enki core-ip on a selection of FPGA based embedded devices.
Tu.1.B
Real Time system 1
Chair: Adrien Gauffriau (Airbus)
Tu.1.B.1 11:30
Runtime Performance Evaluation of a Non-Preemptive Cooperative Multithreading Framework Through Tracing
In the aerospace and automotive domains, there is a trend to delegate more tasks to embedded software using sophisticated algorithms and machine learning-based solutions. Due to this trend, the complexity of embedded software is growing rapidly, and classical performance analysis, such as static worst-case execution time analysis, cannot scale with this complexity without reporting prohibitively over-approximated upper bounds. In this paper, we present a tracing-based performance analysis for data flow space applications. The paper demonstrates how traces are utilized to extract arrival curves, minimum distance functions, and execution times. Additionally, debugging information is extracted and presented graphically. Our tracing-based performance analysis may cause an overhead on the extracted timing properties, e.g. worst-case execution time, bounded by 6.5%. The paper showcases the proposed tracing-based analysis on a space application.
Tu.1.B.2 12:00
A Novel Heuristic Framework for Offline IMA Schedule Generation for Multicore Platforms
Ensuring temporal predictability is one of the most important factors while designing applications for the avionics domain. Consequently, time-triggered (TT) scheduling is prevalent in safety-critical systems because TT scheduling is more predictable, as the schedule is constructed at design time and is enforced at run-time. This allows system designers to determine the precise timing of each event, which is particularly important, for instance, in the design of control systems. Among others, one of the most important challenges of solutions implementing TT scheduling of IMA applications is scalability, since the next-generation avionics systems must be able to handle an increasingly large number of applications running on top of their embedded multi/many-core platforms. The existing approaches are efficient for smaller problems, but do not scale well when the search space becomes large. To fill this gap, this paper proposes a novel scheduling heuristic framework for the next-generation avionics systems, which can efficiently generate the schedule for a large number of ARINC-653 compliant IMA applications running on top of multi/many-core platforms. The experimental results reveal that the proposed framework can outperform the state-of-the-art by improving the schedulability ratio up to 46% even for the threshold timeout limit, i.e., the maximum time allowed to find a solution, of 4 hours.
Tu.1.C
Network
Chair: Jose Ruiz (AdaCore)
Tu.1.C.1 11:30
Specifying network switches using the P4 language: lessons learned
Developing embedded network switches requires some exchanges between the aircraft manufacturer and the equipment manufacturer. Currently, this is done through requirements that are written in natural language (e.g., in English). The provider then prototypes and manufactures the hardware based on those requirements. In this paper, we will investigate a way to formalize at least part of those requirements. This would enable the customer to perform some kind of consistency checks on the requirements as well as refinements from high-level expectations to more precise requirements. The formalization could also help the manufacturer to better satisfy its customer's needs. Finally, this could enable both parties to better test the resulting product. We evaluate the P4 switch-programming language to fulfill this formalization role.
Tu.1.C.2 12:00
Yet another experience on TSN tools interoperability for critical embedded networks
The introduction of Ethernet into critical embedded applications opens new needs to master and secure network development and deployment. While Ethernet is a well-known Information Technology (IT) brick and is deployed case by case in the industry, Time-Sensitive Networking (TSN) complements have only recently emerged in the aerospace and automotive industries to meet the real-time, reliability, and availability requirements of those systems. The complexity and diversity of TSN mechanisms enforce the use of specialized tools to assist the network engineer in the design, configuration and deployment of the network parameters. On the other hand, the IETF has proposed the Yet Another Next Generation (YANG) modeling language for interoperability in the configuration and monitoring of various network devices. In this paper, we propose to revisit and complement those standard YANG models in order to enable tool interoperability, with the aim of providing these complements as open source. The benefit of the proposed YANG model will be demonstrated on a TSN industrial use case with a set of tools ranging from network design and configuration to deployment on a Proof of Concept (PoC) platform.
Tu.2.PO
Poster Overview
Chair: Kevin Delmas (ONERA)
Tu.2.Po.1 14:00
Acceleration of Embedded Reasoning in Symbolic AI
Current advances in Artificial Intelligence (AI) technologies pave the way to consider new services to assist aircrew, possibly in embedded systems. Symbolic AI reasoning provides both opportunities and challenges for these services. On the one hand, symbolic AI provides proven and explainable results. On the other hand, recent studies showcase that those reasoning methodologies suffer from long and unpredictable execution times, and high memory consumption. Such limitations currently refrain the use of this approach in embedded systems. The objective of this thesis work is to explore ways to deploy such reasoning in embedded architectures focusing on optimisations and benchmarking.
Tu.2.Po.2 14:05
How to efficiently handle real world ECU traffic in MICROSAR Adaptive
The software-defined vehicle (SDV) enables continuously updated software-defined features. This increasing demand for new features requires a high-performance computing platform (HPC) and a hierarchical system structure based on a zonal-oriented architecture approach. The communication of the different types of ECUs (sensors/actuators, zonals, HPCs) is realized with various communication technologies like LIN, CAN and Ethernet. The processing of the messages in these kinds of heterogeneous networks is different: in the signal world, data is commonly processed cyclically, while the POSIX-based HPC world is often event driven. The different message sizes and the processing behavior led to the situation that even extremely powerful multi-core ECUs are not capable of receiving all data via Ethernet and processing it in time. In this paper we discuss the background and show measures to efficiently utilize POSIX-based systems. We start from currently used message size distributions and send frequencies of real ECUs and optimize the system. We also show general limitations of POSIX systems and especially microkernels. For the measurements we use a Renesas R-Car H3 board running QNX and the MICROSAR Adaptive middleware. By systematically optimizing, we reduced the CPU usage from 81.6% to 24.9% in total.
Tu.2.Po.3 14:10
Optimal PMP+OR onboard Controls for Multiple Electrified Automotive applications
Intensive developments in new electrified automotive applications, including new or complex components such as Power Electronics, Bi-directional Chargers, Switchable Batteries, Fuel Cells, etc., for the purpose of Energy Management, Battery Management, Thermal Management, etc., not forgetting LCA constraints, lead more and more to high-dimensional inputs/outputs and multi-criteria optimization challenges. Model-based Optimal Control techniques are described, based on the PMP (Pontryagin's principle), applied on predictive scenarios, with innovative adaptations to consider physical non-linearities, multi-level constraints, saturations on values and gradients, frequency limitations, self-calibration of tuning parameters, self-adaptation of internal models, and real-time triggering of strategies according to disturbances. A specific discussion is proposed for the case of a high number of integer and non-integer manipulated variables in the given system to optimize. An optimal combination of controls may then be calculated thanks to an appropriate mix of PMP algorithms combined with OR (Operational Research) solvers, for linear, quadratic or non-linear criteria and constraints. Several applications are presented, giving promising performances, using potentially real-time compliant algorithms patented by Vitesco Technologies, able to include some global long-term optimization of LCA and TCO criteria.
Tu.2.Po.4 14:15
Towards Compact Surface Languages for Specific Modelling Aspects in EAST-ADL
The EAST-ADL is an Architecture Description Language for automotive embedded systems. It offers a comprehensive modelling solution for an integrated system, addressing diverse aspects including but not limited to variability, timing, and safety. Nevertheless, the challenge lies in the intricate nature of specifying these aspects, both because the expressiveness adds complexity to syntax and semantics and because they are intertwined with the foundational concepts within the EAST-ADL. In this paper, we propose an approach to inject these aspects using a constraints-based surface language. Such a language offers a compact and optional description layer for annotations of the EAST-ADL.
Tu.2.Po.5 14:20
Development and Evaluation of a Prototyping Platform for the Simulation, Transmission, and Real-Time Analysis of Realistic AUTOSAR Security Event Traffic
The contribution proposes a new approach of a prototyping platform simulating realistic AUTOSAR security event traffic, based on real-world attack patterns. Furthermore, their transmission between Fleethead- and SIEM-cloud systems, and their analysis within backend security services and in real-time is investigated. This advances the evaluation of technical realizations of automotive Intrusion Detection Systems (IDS), helps to gain new insights with the handling of realistic attack scenarios, and thus enables the gradual realization of the UNECE R155 regulation.
Tu.2.Po.6 14:25
Timing Architecture Model for Embedded Systems Anomaly Detection
By using execution timing behaviour to discover anomalies, embedded systems can be monitored at various architectural layers. Different methods for deducing sane system execution behaviour based on available event or timing data are proposed in the current literature about security-related anomaly detection of embedded systems. With our work, we evaluate several strategies and discuss problems with accessible metrics and architectural components used for feature development. An embedded system's architecture layers serve as the basis for a common classification scheme that makes it possible to combine timing- and event-based metrics into a single timing architecture layer model. Then, using metrics and architecture components, our suggested model is applied to several anomaly detection techniques and utilized to compare existing methods. Our mapping leads us to the conclusion that most detection models are restricted to single system layers (i.e., communication or application code) and use a small number of accessible architecture levels. Our existing model allows us to combine various time and event metrics, but we also want to develop new features for embedded anomaly detection that can be used across all system layers (code, scheduling and communication).
Tu.2.Po.7 14:30
Signal integrity challenges of complex high-speed serial links up to 25 Gbps in an aeronautic environment
Developments in printed circuit technologies have evolved over the years, enabling increased circuit density and finer engravings. This progression has also led to higher data rates, increased clock speeds, reduced switching times, and lower power consumption, all within increasingly limited spaces. Signal integrity (SI) is a crucial aspect in the design of electronic boards, as multiple factors can impact signal quality, including signal attenuation, impedance matching, crosstalk, and jitter. Signal attenuation arises from dielectric and conductive losses, which must be carefully considered in the analysis of signal integrity. Therefore, a more precise approach is necessary to model these effects in simulation, taking into account the actual structure of the printed circuit board (PCB), its anisotropic properties, and frequency-dependent characteristics. SI analysis should no longer consider the dielectric as homogeneous and the copper as a flat surface. Moreover, analyzing and optimizing every potential discontinuity has become an essential part of SI analysis, as it can result in reflection and insertion losses along the trace. As the optimization of the PCB has reached its physical limits, equalization techniques need to be used. Finally, the measurement will serve as a reference for validating the reliability of simulation results, including electrical parameters like Dk and Df or surface roughness. This will validate stackups, routing designs, and high-speed link configuration parameters depending on each protocol and data rate, but also build confidence in simulation results for future designs. Several boards are currently being developed for military and civil aerospace projects, incorporating high-speed links (Serdes with Ethernet) up to 25 Gbps and very high densities, while operating under severe environmental conditions (EMC, thermal, vibration…).
Tu.2.Po.8 14:35
The Security Analysis of a BLE Connected Health Device
IoT devices represent a prime target for security threats. Unfortunately, effective security practices are not as widespread as they should be, in particular concerning the health sector. This paper conducts a security analysis of a connected blood pressure monitor, revealing six significant vulnerabilities. We carry out four attack scenarios to highlight the dangers they pose to its users.
Tu.2.Po.9 14:40
Towards Designing a Cybersecurity Testbed for Critical Industrial Control Systems
The rising threat of cyberattacks on industrial control systems results in an increasing demand for cheaper and more capable defense mechanisms. Our research group is therefore concerned with the development of distributed intrusion detection systems (IDS) for industrial control systems, implementing a defense-in-depth approach. Developing machine learning based IDS solutions is dependent on the availability of training data as well as a test environment. A common solution for these requirements is cybersecurity testbeds. This work-in-progress paper concerns the construction of a cybersecurity testbed also suited for the development of IDS with a holistic approach to monitoring information technology (IT) and operational technology (OT) networks of critical infrastructure and industries.
Tu.2.Po.10 14:45
Predictive Maintenance and Control of Memory for Availability in Safety Systems
Memory management and availability of memory are critical for the safe functioning of automotive or industrial systems. The advent of autonomous systems makes availability a critical element to achieve a fail-operational state. Such complex and critical systems need to adhere to functional safety standards. Predictive maintenance and control are important aspects which help to achieve it. This paper will discuss the current state-of-the-art of memory management and present two new possible architectures to ensure memory availability without any impact on the system.
Tu.2.Po.11 14:50
Integrating operator’s cognitive profile for dynamic and human-centric adaptation of industrial processes
After several decades of automation (robotics, machine learning, AI) aiming to remove the "weaknesses" of the human, the re-integration of the human at the core of the creation process is seen as a key aspect to combine ingenuity and experience from the human together with the accuracy, speed and capability to manage large complex sets of data from the robot / from the software. While solutions for human-machine interaction and for operator monitoring do exist, to the best of the authors' knowledge none of the solutions is able to create a cognitive profile of the operator (capability of the operator to assess a complex situation and correctly react in a timely manner) and adapt its behavior accordingly. In this paper, we introduce the Ipsilon Cognitive Personality, enabling the computation of a cognitive profile of the operator assessing possible declining sensory perceptions, processing capabilities, and cognitive dysfunctions associated with dementia-causing comorbidities. Further, we combine this approach with state-of-the-art operator monitoring systems to shift from attention monitoring toward prediction of risky operation. Finally, we discuss how this combined approach can be used in the automotive domain to improve cooperative, connected and automated mobility.
Tu.3.A
ML/AI Certification I
Chair: Jean-Louis Dufour (Safran Electronics & Defense)
Tu.3.A.1 15:00
Perspectives on ML Safety Assurance
AI-ML suffers from a reliability glass ceiling effect, roughly estimated around ~10^-2 error/inference, that makes it incompatible with safety-criticality by several orders of magnitude. Safety nets, ML and Software development assurance would overcome this gap so that no real concern would be at stake indeed. We propose a conjectural explanation of the reliability plateauing phenomenon based on a geometric approach to approximant adjustment and to ML verification coverage practices compared to critical system and software verification practices. We argue that process-based ML assurance, software assurance and safety monitors alone will not overcome the reliability barrier. Drawing from Topological Data Analysis (TDA) and set-based control verification, we propose to supplement data-science point-based verification with volume-based verification in order to meet 10^-5 error/inference, as a minimum. We outline the rationale of a new research field we coin as (U)HR-ML for (Ultra) Highly Reliable Machine Learning, at the confluence of TDA, set-based non-linear control, statistics on manifolds, and ML safety assurance.
Tu.3.A.2 15:30
A study of an ACAS-Xu exact implementation using ED-324/ARP6983
This paper studies the exact implementation of the ACAS-Xu ML models (designed using Machine Learning techniques) on several hardware platforms while ensuring some properties: full description of the ML model semantics, memory footprint optimisation, integer representation, and formal verifiability. Certification aspects are also addressed using the EUROCAE/SAE joint group WG-114/G-34 current draft of the future standard ED-324/ARP6983 for embedding ML technology in aeronautical systems.
Tu.3.A.3 16:00
On the Feasibility of EASA Learning Assurance Objectives for Machine Learning Components
Despite the significant success of using Machine Learning (ML) in numerous industrial applications, how to integrate these technologies in safety-critical contexts poses many challenging questions. Several industrial and academic research groups, as well as various standardization committees are actively working to provide (partial) answers to these questions. In this document, we focus on one such initiative led by the EASA, which proposes a series of guidelines and requirements to develop ML-based systems for critical applications in the aviation domain. In this paper we investigate whether these requirements can be satisfied when using ML to solve a relatively simple regression task, that of building a neural network surrogate of the International Geomagnetic Reference Field (IGRF) model. Though we acknowledge all the structuring efforts towards the ambitious certification goal, our analysis pinpoints several important issues with some of these guidelines, such as ambiguous definitions, prohibitive computational costs, or currently very limited theoretical guarantees. Our analysis compels us to remain cautious about the various general recommendations proposed for designing trustworthy ML components for safety-critical systems. These conclusions call for the academic and industrial communities concerned by "Trustworthy AI" to strengthen their collaboration and pursue the research efforts necessary to address the existing challenges and establish sound methodologies for building safe ML-based applications.
Tu.3.B
Realtime System 2
Chair: Franck Wartel (Airbus D&S)
Tu.3.B.1 15:00
Performance and confidence in feasibility analysis of real-time multi-core distributed systems
With the trend towards software-defined vehicles, the scale and complexity of automotive software applications is increasing rapidly, so that classical timing analysis methods become hardly practical. This paper proposes a new method, where a system model, formalized in an abstract multi-rate dataflow model of computation, is transformed into a precedence-constrained scheduling problem. We characterize, and extend where needed, several schedulability analysis techniques to tackle this problem, and we demonstrate its use in the exploration of partitioning choices.
Tu.3.B.2 15:30
Towards the Certification of Hybrid Architectures: Analysing Interference on Hardware Accelerators through PML
The emergence of Deep Neural Network (DNN) and machine learning-based applications paved the way for a new generation of hybrid hardware platforms. Hybrid platforms embed several cores and accelerators in a small package. To satisfy Size, Weight and Power (SWaP) constraints, however, they embed a limited set of resources. Certifying such platforms for aeronautical systems requires the identification of applicable standards, and within each the relevant objectives. Existing standards may not explicitly mention hybrid architectures, or accelerators, but their objectives may still apply. This paper presents an overview of the standards applicable to the certification of hybrid platforms and an early mapping of their objectives to said platforms. In particular, we consider how the classification of AMC20-152A for airborne electronic hardware applies to hybrid platforms. We also consider AMC20-193 for multi-core platforms, and how the definition fits different types of accelerators. Through the scope of the PHYLOG methodology, we consider the characterisation of hybrid platforms, their classification, their resources, and their interferences.
Tu.3.C
Hardware Security
Chair: Philippe Cuenot (Continental Automotive)
Tu.3.C.1 15:00
On-chip Traffic Injection to Counteract Timing Side-Channel Attacks
Security has become a major concern in the last decade, especially with the increase of low-level attack vectors present in COTS MPSoCs. Safety-relevant systems are not an exception, and they are also exposed to security concerns. Side-channel attacks (SCAs) in general, and cache-based SCAs in particular, have gained prominent importance due to the proliferation of cache memories for increased performance. However, there is a plethora of such attacks and effective countermeasures are needed for all of them. This paper investigates the effectiveness of using hardware traffic injectors to counteract those attacks, with the aim of assessing to what extent those injectors can be effective. In particular, we consider the SafeTI, an open source traffic injector we developed, and assess to what extent attack-specific traffic patterns can defeat Bernstein's SCA targeting an AES-128 encryption process in a space-relevant platform based on Frontgrade Gaisler's IP.
Tu.3.C.2 15:30
Approach for High-Performance Random Number Generators for Critical Systems
In times of digitalization, the encryption and signing of sensitive data is becoming increasingly important. These cryptographic processes require large quantities of high-quality random numbers, which is why a high-performance random number generator (RNG) is to be developed. For this purpose, existing concepts of RNGs and application standards are first analyzed. The proposed approach is to design a physical true random number generator (PTRNG) with a high output of random numbers. Based on this, the development begins with the analog part of the RNG: the noise signal source and a suitable amplifier for the analog noise signal. Therefore, a special noise diode from Noisecom and an amplifier from NXP were chosen and analyzed in different measurements. From the results of the measurements, it can be concluded that both components are suitable for use in the RNG.
Tu.3.C.3 16:00
Considering the Aeronautics Cyber-Security Standards for Multi-Core Platforms
New complex functions are emerging for avionic systems. These new functions ask for high-performance computing, which means the need to embed new types of hardware such as hybrid architectures integrating multi- or many-core processors. However, these processors are often Commercial Off-The-Shelf and suffer from a lack of documentation and predictability. In the all-connected trend of today's digital world, these issues can lead to new security vulnerabilities exploitable by malicious people. In the context of the PHYLOG 2 research project, aiming at defining a certification framework for multi-core platforms, we study the aeronautics standards ED-202A/DO-326A and ED-203A/DO-356A about airworthiness security. The objective is to take these standards into account at the level of the multi-core processors in order to ensure the compliance of security assessment and development for certification. We present our review and understanding of the standards and their projection at the level of multi-core platforms. In addition, we describe our application on a use case and report our feedback.
Tu.4.A
Assurance Case for ML
Chair: Jérémie Guiochet (LAAS)
Tu.4.A.1 17:00
Assurance Cases to face the complexity of ML-based systems verification
The verification and validation of AI-based systems raise new issues that are not easily addressed by existing practices and standards. We think that this gap is actually an opportunity to introduce new practices and establish a clearer and more formal link between the engineering activities and artefacts, the expected properties of the system, and the verification and validation evidence. Therefore, in this paper, we describe and illustrate an approach integrating (i) the definition and modelling of an AI-based system engineering workflow, (ii) the identification of the trustworthiness properties, and (iii) the argumentation demonstrating the satisfaction of these properties. This approach is centred on the model of Assurance Cases, a semi-formal representation of argumentation which supports the claim of system trustworthiness. In addition, we present supporting tools for this formalism that enable the automatic production of Verification and Validation plans for specific properties of AI-based systems.
Tu.4.A.2 17:30
Download Tu.4.A.2
Download Tu.4.A.2 presentation
Uncertainty in Assurance Case Template for Machine Learning
A product to be certified follows a design, implementation, verification and validation cycle. At the beginning of the cycle, the product owner relies, for the verification and validation aspects, only on an Assurance Case (AC) template that provides choices in a tree structure. Making decisions among these choices is difficult when the product is based on a new technology with a large number of approaches at different levels of readiness, as is the case for robust Machine Learning (ML). In such cases an uncertainty assessment can be useful for judging whether a specific approach is worth adopting. Based on recently published results on uncertainty elicitation and propagation in Goal Structuring Notation models of ACs, the work presented here justifies and implements an uncertainty assessment based simultaneously on qualitative and quantitative uncertainty modelling. Moreover, it proposes an elicitation method allowing simultaneous capture of qualitative and quantitative uncertainty, and an analysis of uncertainty modelling and propagation on AC templates. Finally, it demonstrates the approach on a use case related to the robustness of ML models. The results of this research will be integrated into the Capella system engineering environment.
Tu.4.B
Logical Execution Time
chair : Denis Claraz (Vitesco)
Tu.4.B.1 17:00
Download Tu.4.B.1
Download Tu.4.B.1 presentation
Separation of functional and time interferences concerns for efficient AMC 20-193 compliance
Safety-critical real-time systems must comply with stringent certification requirements, including temporal ones. Failure to comply with those temporal requirements may contribute to system failure. Therefore, timing considerations, such as response times, are of foremost importance for such systems. As the use of multi-/many-core hardware platforms is becoming inevitable in the avionics industry, due to the increasing computing performance required by modern embedded systems, integration activities are getting more and more complex. Increasing concurrency and parallelism exacerbates integration issues and introduces new challenging problems. To answer those challenges, certification authorities have issued guidelines, referenced as A(M)C 20-193, describing objectives to fulfil for multi-/many-core integration. The present paper describes how a time-aware approach, based on the Synchronous Logical Execution Time paradigm (sLET), makes the design and integration of A(M)C 20-193 compliant safety-critical multi-/many-core systems easier by separating functional concerns from time-interference concerns.
Tu.4.B.2 17:30
Download Tu.4.B.2
Download Tu.4.B.2 presentation
Reducing End-to-End Latencies of Multi-Rate Cause-Effect Chains in Safety Critical Embedded Systems
The Logical Execution Time (LET) model has deterministic timing and data-flow properties, which simplify the computation of end-to-end latencies of multi-rate cause-effect chains. However, the LET model results in pessimistic end-to-end latencies, since it abstracts away the underlying platform and scheduling choices. In this paper, we propose a method to reduce the end-to-end latencies of multi-rate cause-effect chains that apply the LET model, by exploiting knowledge of the schedule in later design phases of safety-critical embedded systems. Our method shortens and shifts the communication intervals of the LET model. If needed, e.g. for legacy reasons, it can be applied to a subset of the tasks only. We evaluate our work on automotive benchmarks and synthetic task sets, and compare our results with previous work and with the plain LET model. The experiments show significant reductions of maximum reaction time and data age values.
Tu.4.C
Security
chair : Eric Armengaud (Armengaud Innovate)
Tu.4.C.1 17:00
Download Tu.4.C.1
Download Tu.4.C.1 presentation
Security by Default - CHERI ISA Extensions Coupled with a Security-Enhanced Ada Runtime
In an age where security breaches and cyberattacks have become increasingly prevalent, the need for robust and comprehensive security mechanisms within embedded real-time systems is paramount. For the 2024 Embedded Real-Time Systems Conference (ERTS), AdaCore presents a research paper on "Security by Default," which combines the CHERI ISA extensions implemented in an Arm Morello development board with a security-enhanced Ada runtime. The paper introduces an approach that combines memory-safe hardware and memory-safe software to enhance security in embedded real-time systems while satisfying the regulatory objectives outlined in standards such as the "Airworthiness Security Process Specification" (DO-326A/ED-202A [1] [2]).
Tu.4.C.2 17:30
Download Tu.4.C.2
Download Tu.4.C.2 presentation
Problems and New Approaches for Crypto-Agility in Operational Technology
In recent years, cybersecurity has also become relevant for Operational Technology (OT). Critical systems such as industrial automation systems or transportation systems face new threats and therefore require thorough security measures. Regulations further mandate the deployment and regular verification of these measures. However, OT systems differ from classic Information Technology (IT) systems in several ways: mission times spanning decades, infrequent updates applied only during on-site maintenance, and diverse devices with varying support for security measures. The growing field of crypto-agility examines approaches to integrate security measures in an agile and flexible way, making updates easier and therefore encouraging their more frequent deployment. This paper contributes to this field in the context of secure communication in two ways. We first examine the current state of crypto-agility by providing an overview of existing measures for OT systems. Then, we propose a new architecture concept with different deployment approaches to integrate security measures in a crypto-agile way. Based on a security library with a generic interface and a flexible proxy application, our architecture is capable of securing both new OT systems and, via retrofit, existing ones.
PhD Dissertation Award and Sponsors
Download PhD Dissertation Award - Analysis of Algorithmic and computational Aspects of Deterministic Network Calculus
Download Tu.SPO Sponsor Presentation Aerospace Valley
Download Tu.SPO Sponsor Presentation AMPERE
ERS - IMPORTANT DATES
Abstract of Regular & Short Paper submission (4 pages): October 15th, 2023, extended to November 26th, 2023
Acceptance Notification: February 8th, 2024
Call for nomination, ERTS 2024 PhD Dissertation Award on Embedded critical computing Systems: March 15th, 2024
Regular Paper for review (10 pages): April 3rd, 2024
Final Paper (Short and Regular): May 5th, 2024
Registration end of early bird rate: May 17th, 2024
Congress (new dates): June 11th to 12th, 2024