Real-Time Systems for Autonomous Vehicles: Why WCET and Timing Analysis Matter for Self-Hosted CI Pipelines

Hook: Your CI Pipeline Passed — But Did You Prove It Meets Deadlines?

As automotive and robotic stacks become software-defined, meeting timing budgets is no longer a QA checkbox — it is a safety requirement. Teams building embedded control software can compile, unit-test, and package artifacts in a self-hosted CI pipeline in minutes. But without integrated WCET and timing analysis, those artifacts may still miss hard deadlines on the vehicle. This article explains why worst-case execution time matters, what modern tools like RocqStat bring to the table (and how Vector's acquisition in early 2026 changes the landscape), and—most importantly—how to integrate timing verification into self-hosted CI using Docker, Kubernetes, Proxmox and systemd runners.

Why WCET and Timing Analysis Matter in 2026

Industry trends in late 2025 and early 2026 have accelerated timing verification requirements:

• Vector Informatik's acquisition of StatInf's RocqStat in January 2026 signaled consolidation of timing analysis into mainstream code-testing toolchains (see Automotive World, Jan 2026).
• Automotive software is increasingly complex (AUTOSAR Classic + Adaptive, more ML inference on MCU/edge), raising timing variability across processors and accelerators.
• Regulatory and certification pressures (ISO 26262, cybersecurity standards) push teams to provide evidence that tasks meet deadlines under worst-case conditions.

Put simply: passing unit tests is necessary but not sufficient when a missed interrupt or a cache-induced stall can lead to a safety incident. You need verified timing margins and an auditable pipeline that enforces them.

WCET Basics — Practical, Not Academic

Worst-case execution time (WCET) is the upper bound on how long a piece of code can take to execute on a target platform under given assumptions. WCET is essential for scheduling, resource allocation, and safety proofs. There are two broad approaches:

• Static analysis: Analyze the binary and CPU model to compute a safe bound (usually conservative).
• Measurement-based / probabilistic analysis: Collect execution-time measurements under varied inputs and environments, then use statistical models to estimate a bound with a specified confidence level (pWCET).

Modern automotive workflows combine both: static analysis provides conservative guarantees; measurement-based analysis provides practical insight and can be combined with pWCET approaches to tighten bounds for certification evidence.

What RocqStat Brings — And Why the Vector Deal Matters

RocqStat (StatInf) has been known for advanced timing analysis and probabilistic WCET estimation. Vector's move to integrate RocqStat into VectorCAST indicates a push toward a unified verification environment that couples functional testing with timing assurance. For engineering teams that self-host toolchains, this matters because it means:

• Toolchain consolidation: timing analysis can be invoked alongside unit and integration tests with consistent artifact formats.
• Stronger traceability: timing reports can be linked to test cases and requirements in VectorCAST workflows.
• Faster innovation: continued development of statistical timing techniques inside a mature vendor ecosystem.

Whether you adopt RocqStat directly or a similar timing tool, the integration pattern into CI is what makes timing verification effective.

Design Principles for CI-based Timing Verification

Before we dive into implementation, follow these design principles so CI timing checks become robust and maintainable:

1. Reproducible execution environment: Pin toolchain images, use immutable container images, and version hardware-in-loop (HIL) firmware.
2. Separation of concerns: Keep build, functional test, and timing analysis stages separated but linked via artifacts.
3. Deterministic sampling: Where possible, use deterministic RT kernels (PREEMPT_RT, Zephyr) or cycle-accurate simulations for measurement.
4. Traceability and artifacts: Store raw traces, analyzed histograms, and WCET reports as artifacts for audits.
5. Fail-fast gates: Enforce timing thresholds as pipeline gates with clear remediation paths (flaky tests, CPU contention, configuration drift).

Self-hosted Infrastructure Options

Common self-hosting topologies for embedded dev teams:

• Docker on dedicated CI servers — simple, good for unit tests and simulation-based timing.
• Kubernetes with GPU/FPGA nodes — orchestrate scaling and isolate measurement workloads; run privileged pods for hardware access via device plugins.
• Proxmox or KVM VMs — run isolated runners with attached debug hardware (JTAG, ETM) through PCI passthrough.
• systemd runners on bare-metal — use systemd-nspawn or systemd services to start self-hosted CI agents with allocated CPU isolation for deterministic measurements.

Which to choose? Use containers for repeatability, VMs for hardware passthrough guarantees, and bare-metal runners when tracing and minimal jitter are critical.

Practical CI Integration: A Pattern You Can Copy

Below is a practical CI pipeline pattern that can be implemented in GitLab CI, GitHub Actions (self-hosted runners), or Jenkins. The pipeline stages are:

1. checkout + cross-compile
2. unit & integration tests (hosted simulator)
3. measurement harness run (simulator or hardware)
4. timing analysis (RocqStat / static tool)
5. gate and artifact publish

Example: GitLab CI (self-hosted runner on Proxmox)

Summary of the flow:

1. Runner runs in a Proxmox VM with CPU pinning and a PCI passthrough USB/JTAG adapter.
2. Docker-in-Docker & pinned toolchain image builds the binary.
3. Measurement is performed by flashing the device and capturing ETM trace via OpenOCD or Lauterbach script.
4. RocqStat (or a CLI-compatible timing tool) consumes traces and emits a WCET report artifact.

High-level GitLab CI job (pseudocode):

stages:
  - build
  - test
  - measure
  - wcet

build:
  stage: build
  image: 'registry.company.com/ci/cross-toolchain:2026-01'
  script:
    - make clean && make TARGET=stm32 -j$(nproc)
  artifacts:
    paths: ['build/artifacts']

test:
  stage: test
  image: 'registry.company.com/ci/sim:renode-2026'
  script:
    - renode run tests/test_timing.res --log=renode.log
  artifacts:
    paths: ['renode.log']

measure:
  stage: measure
  tags: ['hardware']  # restrict to runner with instrumented HW
  script:
    - ./scripts/flash_and_trace.sh build/artifacts/firmware.bin /dev/ttyUSB0 traces/session1
  artifacts:
    paths: ['traces/*']
    expire_in: 30d

wcet-analysis:
  stage: wcet
  image: 'registry.company.com/ci/rocqstat:latest'
  script:
    - rocqstat analyze --input traces/session1 --target stm32 --output reports/wcet.json
    - cat reports/wcet.json
  artifacts:
    paths: ['reports/*']
    when: always
  allow_failure: false
  rules:
    - if: '$CI_COMMIT_TAG'
      when: always
  

Note: replace rocqstat analyze with your tool's actual CLI. The pattern carries across CI systems.

Hardware-in-the-Loop and Deterministic Measurement

Measurements are only meaningful if the execution context matches the target environment. Practical tips:

• Use CPU isolation (cpu isolation mask / taskset) and disable background daemons on runners.
• Prefer PREEMPT_RT or RTOS on the target for reduced jitter; capture kernel config in artifact metadata.
• Use hardware tracing (ARM CoreSight ETM / PTM) instead of software timers when precise cycle counts are required; store raw trace streams.
• Instrument and randomize inputs to build a representative dataset for pWCET; ensure trace coverage meets behavioral expectations.

Simulators and Emulators: When They Help and When They Lie

Simulators like QEMU and Renode are invaluable for early-stage timing work, but be cautious:

• QEMU's timing fidelity varies by architecture and peripheral modeling; do not use it for final WCET claims on real hardware.
• Renode provides better deterministic peripheral simulation for many MCU scenarios and integrates well in CI for wide coverage runs.
• Cycle-accurate models or vendor-supplied simulators deliver higher-fidelity timing but are slower — use them for final validation runs in nightly pipelines.

Making Timing Analysis Reproducible

Reproducibility is the backbone of confidence and certification. Implement these practices:

• Pin container images with digest hashes (not tags).
• Commit hardware firmware and bootloaders to the same repo or an artifact registry with immutable versions.
• Record runner host kernel versions, CPU microcode, and BIOS/UEFI versions in the report metadata.
• Use reproducible build systems (Bazel, Nix) where feasible to avoid toolchain-induced variation.

Gating: How to Fail a Build When WCET Is Exceeded

Successful pipelines must fail clearly when timing requirements are violated. Define pass/fail criteria:

• Hard deadline: task WCET must be <= specified deadline.
• Safety margin: require WCET <= deadline * 0.8 or a required headroom per requirements.
• Confidence threshold for pWCET: e.g., pWCET@10^-9 must be under deadline for ASIL-D claims.

Implement an automated verifier job to parse the WCET report and set pipeline status. Example pseudocode:

wcet_threshold=5000  # microseconds
measured_wcet=$(jq '.wcet_us' reports/wcet.json)
if [ "$measured_wcet" -gt "$wcet_threshold" ]; then
  echo "WCET violation: $measured_wcet > $wcet_threshold"
  exit 2
fi
  

Trace Storage, Visualization and Long-Term Evidence

Timing verification is as much about long-term evidence as it is about the immediate pass/fail. Store and surface artifacts:

• Raw traces and parsed events (ETM, trace timestamps).
• WCET reports (JSON, HTML) and the inputs used for measurement.
• Dashboards: push metrics to Prometheus and build Grafana panels for WCET trends per commit/branch.
• Artifact retention policy: longer retention for release branches and tags (required for audits).

Security, Access Control and Compliance

Timing data and hardware access are sensitive. Follow these rules:

• Use strong RBAC on self-hosted runners and artifact repositories.
• Isolate hardware-access runners from general CI to reduce attack surface.
• Encrypt artifacts at rest and use signed artifacts where possible.
• Record all accesses to HIL rigs in audit logs for compliance.

Case Study: From Flaky Timing to Stable Release

Example scenario from a mid-sized robotic company (anonymized):

1. Symptom: sporadic missed deadlines in a motion-control loop only visible on end-to-end HIL tests.
2. Action: integrated measurement stage into nightly CI that performed 1000 randomized inputs on a pinned hardware runner.
3. Tooling: Renode used for wide coverage; ETM traces captured for failing cases; RocqStat-style analysis used to compute pWCET distribution.
4. Result: discovered that a lowspeed USB logging daemon on the CI host caused periodic interrupts that shifted phase. Fixing host configuration and adding CPU isolation eliminated the outliers. WCET distribution tightened by ~18%.

This shows how a tight CI loop with timing analysis reduces root cause time and prevents regressions from entering release branches.

Advanced Strategies: Containerized Timing Tools and Device Plugins

When running timing tools in Kubernetes:

• Use device plugins to expose hardware trace devices into pods (/dev/ttyUSB*, PCI passthrough).
• Run privileged pods only on a dedicated node pool labeled for measurement; use PodSecurityPolicies to restrict capabilities.
• Persist artifacts via a PVC backed by object storage (S3/MinIO) and register reports in a metadata DB for search.

Vendor Tool Integration: VectorCAST + RocqStat

Vector's integration plan for RocqStat into VectorCAST (announced Jan 2026) points to a future where timing analysis and software testing share a single workflow. For teams on a self-hosted path:

• Plan for tight integration: expect artifacts like test logs and timing traces to be cross-referenced in a unified report.
• Design CI jobs to produce VectorCAST-compatible artifacts (where applicable) to ease migration when vendor integrations are available.
• Continue to use open pipelines: even as vendor tools consolidate, you retain control and transparency by keeping measurement and artifacts in self-hosted storage.

Checklist: What to Implement First (Immediate 30/60/90 Day Plan)

1. 30 days: Create a measurement job in CI using a simulator (Renode/QEMU) and collect basic timing histograms. Pin images and document runner configs.
2. 60 days: Add a hardware runner with CPU isolation and one HIL test case that captures ETM/trace for a critical task. Publish artifacts to a secure store.
3. 90 days: Automate WCET analysis (static or probabilistic) and gate on timing thresholds. Integrate metrics into dashboards and enable long-term retention for release artifacts.

Common Pitfalls and How to Avoid Them

• Relying only on simulated timing: always validate on representative hardware before release.
• Undefined runner environments: use immutable images and record host metadata in reports.
• No artifact retention policy: you’ll lose audit trails; store nightly WCET reports for at least one release cycle.
• Adding timing checks only on main branch: run them earlier (merge requests) to find regressions fast.

Future Predictions (2026 and Beyond)

Given the Vector + RocqStat move and 2025–2026 trends, expect:

• Stronger vendor-led workflows combining static verification, unit testing, and timing analysis into single UIs.
• Wider adoption of probabilistic WCET (pWCET) methods in industry specifications, with clearer guidance on confidence levels for certification artifacts.
• Open-source tooling (Renode, OpenOCD, perf) improving integrations for CI pipelines to make timing verification accessible to smaller teams.

Actionable Takeaways

• Integrate timing checks into CI early: add a measurement stage even if it’s simulator-based at first.
• Make runs reproducible: pin images, record host metadata, and keep artifacts immutable.
• Use hardware runners: for final verification use a dedicated runner with hardware tracing and CPU isolation.
• Gate builds on WCET: set clear pass/fail criteria and fail fast on regressions.
• Prepare for vendor integrations: produce artifacts that align with tools like VectorCAST and RocqStat to ease future migration.

"Timing safety is becoming a critical part of software verification workflows." — industry signals from Vector's 2026 acquisition activity

Final Thoughts and Call to Action

WCET and timing analysis are no longer optional add-ons for embedded teams building safety-critical systems. With vendor consolidation in 2026 and better CI tooling, teams have the technical and operational means to shift-left timing verification into the same self-hosted pipelines they trust for builds and tests. Start small with simulator-based timing jobs, add robust hardware runners, and enforce gating with clear thresholds. Store traces, maintain reproducibility, and design pipelines that produce auditable evidence for certification.

Ready to get practical? Clone our reference repo with Docker images, sample GitLab CI jobs, and a Renode-based timing harness adapted for ARM Cortex-M targets. Deploy it on a Proxmox node or a Kubernetes test pool and run your first WCET report in under an hour. If you want the repo link and step-by-step starter scripts, click through to our toolkit or contact us for an on-site CI review and proof-of-concept.

Related Reading

• Breaking Down Operational Silos: How Sony Unified TV and Streaming Teams
• Sleep, Temperature & Nutrition: How Food Choices Influence Nighttime Biometrics Used in Fertility Apps
• How to Start and Scale a Small-Batch Bike Accessory Brand: A Practical Playbook
• Using PowerShell to Orchestrate LLM File Tasks Safely on Windows
• Live Shopping for Jewelers: How to Use Bluesky, Live Badges & New Social Features