Real Time Behavior of Data in Distributed Embedded Systems

REALTIME BEHAVIOR OFDATA

IN DISTRIBUTED EMBEDDEDSYSTEMS

∗

TANGUY LE BERRE, PHILIPPE MAURAN, GÉRARD PADIOU, PHILIPPE QUÉINNEC

†

Abstrat. Nowadays,embeddedsystemsappearmoreandmoreasdistributedsystemsstruturedasasetofommuniating

omponents. Therefore,they show a less deterministiglobal behavior than entralized systemsand their designand analysis

mustaddressbothomputationandommuniationshedulinginmoreomplexongurations. Weproposeamodelingframework

enteredondata. Morepreisely,theinterations betweenthe dataloatedinomponentsareexpressedintermsofaso-alled

observation relation. Thisabstrationisarelationbetweenthevaluestakenbytwovariables,asoure andanimage,wherethe

imagegetspastvaluesofthesoure. Weextendthisabstrationwithtimeonstraintsinordertospeifyandanalyzetheavailability

oftimelysoundvalues.

Theformaldesriptionoftheobservation-basedomputationmodelisstatedusingtheformalismoftransitionsystems,where

realtimeishandledasadediatedvariable.Asarstresult,thisapproahallowstofousonspeifyingtimeonstraintsattahed

todata and topostpone taskand ommuniation sheduling matters. Atthislevel of abstration, the designerhas to speify

timepropertiesabout the timelineof data suh as theirfreshness, stability, lateny...As aseond result,a veriation of the

globalonsistenyofthespeiedsystemanbeautomatiallyperformed.Theveriationproessanstarteitherfromthetimed

properties(e.g.theperiod)ofdatainputsorfromthetimedrequirementsofdataoutputs(e.g.thelateny). Lastly,ommuniation

protoolsandtaskshedulingstrategiesanbederivedasarenementtowardsanatualimplementation.

Keywords: realtimedata,distributedsystems,veriation

1. Introdution. DistributedRealTimeEmbedded(DRE)systemsareinreasinglywidespreadand

om-plex. Inthisontext, wepropose amodelingframework enteredondatato speifyand analyzethereal time

behaviorofthese DRE systems. Morepreisely,suh systemsarestruturedastime-triggeredommuniating

omponents. Instead of fousing on the speiation and veriationof time onstraints upon omputations

struturedasaset of tasks,wehooseto onsider data interationsbetween omponents. Theseinterations

areexpressedintermsofanabstrationalledobservation,whihaimsatexpressingtheimpossibilityforasite

tomaintainaninstantknowledgeofothersites. Inthispaper,weextendthisobservationwithtimeonstraints

limitingthetime shiftindued bydistribution. Starting from this modeling framework,the speiationand

veriationofrealtimedatabehaviorsanbearriedout.

Inarststep,weoutlinesomerelatedworkswhihhaveadoptedsimilarapproahesbutindierentontexts

and/ordierentformalframeworks.

Then, we desribe the underlying formal system used to develop our distributed real time omputation

model, namelystatetransition systems. Inthis formalframework,wedeneadediatedrelationalled

obser-vationtodesribedatainterations. An observationrelationdesribesaninvariantpropertybetweenso-alled

soureandimage variables. Informally,atanyexeutionpoint,thehistoryoftheimagevariableisasub-history

ofthesourevariable. Atually,thesoureisanarbitrarystateexpression. Anobservation abstratsthe

rela-tionbetweentheinputsandtheoutputsofaommuniationprotoolorbetweentheargumentsandtheresults

ofaomputation.

Toexpresstimed propertiesonthevariablesandtheirrelation, weextendtheframework soastobeable

todesribethetimeline ofstatevariables. Therefore,for eah statevariable

x

,its timeline, anabstration of

itstime behavior, is introdued in terms of anauxiliary variable

x

ˆ

whih reords itsupdate instants. Then, realtime onstraintsondata, forinstane periodiityorsteadiness, areexpressed byrelating thesedediated

variables andthe urrent time. These auxiliaryvariables are also used to restritthe time shiftbetweenthe

soureandtheimageofanobservation: thesemantisoftheobservationrelationisextendedtoallowtorelate

thetimebehaviorofasoureand ofanimagebyexpressingdierentproperties,suhasthetimelagbetween

theurrentvalueoftheimageanditsorrespondingsourevalue.

The real time onstraintsabout data behavioran be speiedby means of these timed observations as

illustratedin anautomotivespeedontrolexample.

Lastly, wedisuss the possibilityto hek the onsistenyof a speiation stated in terms of timed

ob-servations. Aspeiationisonsistentifandonlyiftheveriationproessanonstrutorretexeutions.

∗

Anearlierversionofthispaperwaspresentedatthe3rdReal-TimeSoftwareWorkshop,RTS2008,inWisla,Poland,Otober20,

2008.

†

Université de ToulouseIRIT, 2, rue Charles Camihel, 31071 Toulouse, FRANCE {tleberre, mauran, padiou,

However, the target systemsare potentially inniteand anequivalentnite statetransition systemmust be

derivedfromtheinitialonebeforeveriation. Thefeasibilityofthistransformationisbaseduponassumptions

aboutniteboundsofthetimeonstraints.

2. StateoftheArt. Weareinterestedinsystemssuhassensorsnetworks. Ourgoalistoguaranteethat

theinputdatadispathedtoproessingunitsaretimelysounddespitethetimeshiftintroduedbythetransitof

data. Mostapproahestakentohektimedpropertiesofdistributed systemsarebasedonstudyingthetimed

behavior oftasks. Forexample,workssuh as[10℄proposeto inlude thetimed propertiesof ommuniation

inlassialshedulinganalysis.

Ourapproah isstate-basedand notevent-based. Weexpressthetimed requirementsassafetyproperties

that mustbesatisedinall states. Thedenition ofthese properties donotreferto theeventsofthesystem

andisonlybasedonthevaluesofthesystemvariables. Wedepartfromshedulinganalysisbyfousingonthe

variablesbehaviorandnotonsideringthetasksandrelatedsystemevents. Ourintentistoallowthedeveloper

to give a moredelarativestatement of the system properties, easier to write and less error-prone. Indeed,

reasoningaboutstateprediatesisusuallysimplerthanreasoningaboutasetofvalidsequenesofevents.

Othersapproahesbasedonvariablesaremainlyrelatedtotheeldofdatabases. Forexample,thevariables

semantisandtheirtimedvaliditydomainareusedin[12℄tooptimizetransationshedulingindatabases. Our

work stands at a higher level sine we propose to give an abstrat desription of the system in terms of a

speiationofrelationsbetweendata. Forinstane, ourframeworkanbeusedtohektheorretnessofan

algorithm with regards to the agingof the variables values. It analso beused to speify a systemwithout

knowingitsimplementation.

Similarworks use temporal logito speifythesystem. Forexample, in [2℄, OCL onstraintsare used to

denethetemporalvaliditydomainofvariables. AvariationofTCTLisusedtohekthesystem

synhroniza-tionandpreventavaluefrombeingusedoutofitsvaliditydomain. Thisworkalsodenestimedonstraintson

thebehaviorand therelationsbetweenappliation variables,but theserelationsaredened using eventssuh

asmessagesendingwhereasourdenitionsarebasedonthevariablevalues.

In [9℄, onstraintsbetweenintervals during whih state variables remain stable are dened by means of

Allen's linear temporal logi. In other words, this approah also usesan abstration of thedata timelines in

termsofstabilityintervals. However,theonstraintsremainlogialanddonotrelatetorealtime. Nevertheless,

theauthorsexpettoapplythis approahintheontextofautonomousembeddedsystems.

Using a semantis based on state transition system, we give a framework whih aims at desribing the

relationsbetweenthedatain asystem,andspeifyingtherequiredtimedpropertiesofthesystem.

3. Theoretial settings.

3.1. State Transition System. Models used in this paperare basedon statetransition systems. Our

work usestheTLA+formalism[7℄,but thispaperdoesnotrequireanypriorknowledgeof TLA+. A state is

anassignmentofvaluestovariables. Atransitionrelation isaprediateonpairsofstates. Atransitionsystem

isaouple(set of states,transition relation). A step is apair ofstateswhihsatises thetransition relation.

Anexeution

σ

isanyinnitesequeneofstates

σ

0

σ

1

. . . σ

i

. . .

suhthattwoonseutivestatesformastep. We

note

σ

i

→

σ

i+1

thestepbetweenthetwoonseutivestates

σ

i

and

σ

i+1

.

Atemporalprediateisaprediateonexeutions;wenote

σ

|

=

P

whentheexeution

σ

satisestheprediate

P

. Suhaprediateisgenerallywrittenin lineartemporallogi. Astateexpression

e

(inshort,anexpression)

isaformulaonvariables;thevalueof

e

inastate

σ

i

isnoted

e.σ

i

. Thesequeneofvaluestakenby

e

duringan

exeution

σ

isnoted

e.σ

. A stateprediate isaboolean-valuedexpressiononstates.

3.2. IntroduingTime. Weonsiderrealtimepropertiesofthesystemdata. Todistinguishthemfrom

(logial)temporalproperties,suhpropertiesarealled timed properties. Timeis integratedin ourtransition

system in a simple way, as desribed in [1℄: time is represented by a variable

T

taking valuesin an innite

totallyordered set,suh as

N

or

R

+

.

T

isan inreasingand unbound variable. Thereis no onditiononthe

density of time, and moreover, it makes no dierene whether time is ontinuous ordisrete (see disussion

in [8℄). However, asan exeution is asequene of states, the atual sequene of values takenby

T

during a

given exeutionis neessarilydisrete. This is thedigitallok viewofthe real world. Notethat werefer to

Anexeutionanbeseenasasequeneofsnapshotsofthesystem,eahtakenatsomeinstantoftime. We

requirethatthere are enough snapshots,that isthat no variableanhavedierent valuesatthe sametime

andsoin thesamesnapshot. Anyhangein thesystemimpliestimepassing.

Denition3.1 (Separation) Anexeution

σ

isseparatedif andonlyif for anyvariable

x

:

∀

i, j

:

T.σ

i

=

T.σ

j

⇒

x.σ

i

=

x.σ

j

Inthefollowing,weonsideronlyseparatedexeutions. Thisallowstotimestamphangesofvariablesand

ensuresaonsistentomputationmodel.

3.3. Cloks. Letusonsideratotallyorderedsetofvalues

D

,suhas

N

or

R

+

. Alokisa(sub-)

appro-ximationof asequeneof

D

values. Wenote

[

X

→

Y

]

theset of allfuntions whose domainis

X

and whose rangeisanysubsetof

Y

.

Denition3.2 (Clok) Alok

c

isafuntion in

[

D → D

]

suhthat:

•

itneveroutgrowsitsargumentvalue:

∀

t

∈ D

:

c

(

t

)

≤

t

•

itismonotonouslyinreasing:

∀

t, t

′

_{∈ D}

_:

_{t < t}

′

_⇒

_c

₍

_t

₎

_≤

_c

₍

_t

′

₎

•

Itislively:

∀

t

∈ D

:

∃

t

′

∈ D

:

c

(

t

′

)

> c

(

t

)

Theprediate

clock

(

c

)

istrue ifthe funtion

c

isalok.

Inthefollowing,loksare usedto haraterizethe timed behaviorof variables. Theyare dened onthe

valuestakenbythetimevariable

T

,toexpressatimedelayedbehavior,aswellasontheindiesofthesequene

ofstates,to expressalogialpreedene.

4. Speiation of Data Timed Behavior. Weintrodueheretherelationandpropertiesused inour

frameworktodesribethepropertiesthatmustbesatisedbyasystem. Ourapproahisstate-basedandgives

the relation that must be satised in all states. We dene the observation relation to desribe the relation

betweenvariables. Awayto desribethetimed behaviorofvariables,thatis propertiesofthehistoryofdata,

is introdued. Wethen extendthe observation relationto enablethe expression of timed onstraints on the

behaviorof system variables linked by observations. For that purpose we dene prediates whih bind and

onstraintrelevantinstantsofthetimelineofthesoureandtheimageofanobservation. Theseprediatesare

expressedasboundsonthedierenebetweentworelevantinstants.

4.1. The ObservationRelation. Wedeneanobservationrelationonstatetransitionsystemsasin[5℄.

The observation relation is used to abstrat a value orrelation between variables. Namely, the observation

relation statesthat the valuestaken byonevariable arevalues previouslytaken by another variable orstate

expression.

Inthebasiase,theobservationrelationbindstwovariables,thesoure

x

and theimage

‘

x

,and denotes that the history of the variable

‘

x

is a sub-history of the variable

x

. The relation is dened by a ouple

< source, image >

andtheexisteneof atleast alok that denesforeahstatewhih oneof theprevious

valuesof the soure is takenby the image. This denition is atually given to allow any stateexpression (a

formulaonvariables)asthesoure 1

. Theformaldenition is:

Denition4.1 (Observation) The variable

‘

x

is an observation of the state expression

e

in exeution

σ

:

σ

‘

x

≺·

e

i:

∃

c

∈

[

N

_→

N

_{] :}

_clock

₍

_c

₎

_{∧ ∀}

_i

_{: ‘}

_x.σ

_i

₌

_e.σ

_c(i)

1

1

X

0

1 2

3

4

5 6

7

8

9

1

2

4

1

1

2

3 3

3

4

6

`X

1 1

2 3 3

5

6

7

i

0

1 2

3

4

5 6

7

8

9

c(i)

0 0

0

0

3 4 4

5

6

8

Fig.4.1.TheObservationRelation

Thisrelation statesthat anyvalueof

‘

x

isapreviousvalueof

e

. Due tothepropertiesoftheobservation lok

c

,

‘

x

is assigned

e

values in aordane with the hronologial order. Moreover,

c

always eventually inreases, so

‘

x

is always eventually updated with a new value of

e

. Figure 4.1 shows an example of an observationrelationbindingtwovariables

x

and

‘

x

.

The observation an be used to abstrat ommuniation in a distributed system, as well as to abstrat

omputations:

•

Communiationonsistsin transferringthevalueofaloal variableto aremoteone. Communiation

timeand lakofsynhronizationreatealagbetweenthe soureandtheimage, whih ismodeledby

remote

≺·

local

.

•

In state transition systems, an expression

f

(

X

)

models an instantaneous omputation. By writing

y

≺·

f

(

X

)

, wemodel thefat that aomputation takes time and that the valueof

y

is basedon the value of

X

at the beginning of the omputation. Here

X

an be a tuple of variables, aording to

the arityof

f

: given

X

=

h

x

1

, . . . , x

n

i

, theobservation

σ

|

= ‘

x

≺·

f

(

X

)

means that

∃

c

∈

[

N

→

N

] :

clock

(

c

)

∧ ∀

i

: ‘

x.σ

i

=

f

(

x

1

.σ

c(i)

, . . . , x

n

.σ

c(i)

)

. Asthesamelokisused,allvaluesoftheinputs(

X

) arereadat thesametime,implyingasynhronousbehavior.

Additionalobservationrelationsanbeintroduedtomodelanasynhronousreadingoftheinputs. For

instane,

‘

a

≺·

a,

‘

b

≺·

b, c

≺·

f

(‘

a,

‘

b

)

models a system where

a

and

b

are independently read (the rst twoobservations),andthen

c

isomputedthroughafuntion

f

.

Notethattheobservationdenitiondoesnotrefertorealtimeandonlymodelsanarbitrarydelayinterms

ofstatesequenes. Realtimepropertieswillnowbeintrodued.

4.2. The Timeline of Variables. Inordertostatepropertiesaboutthetimed behaviorofavariable

x

,

wewanttobeabletoreferto thelasttime

x

wasupdated. These arealledtheupdate instantsandform its

timeline

x

ˆ

. Thedenitionof

x

ˆ

isbasedonthehistoryofthevaluestakenby

x

andapturestheinstantswhen eahvalueof

x

appeared,e.g. thebeginningof eahourrene.

Denition4.2 (timeline) For a separated exeution

σ

and avariable

x

, the variable

x

ˆ

is the timeline of

x

andisdenedby:

∀

i

: ˆ

x.σ

i

=

T.σ

min

{

j

|∀

k

∈

[j..i]:

x.σ

i

=x.σ

k}

Thetimeline

ˆ

x

is builtfrom thehistoryof

x

valuesand isasequeneofupdateinstants. Foravariable

x

and astate

σ

i

, theupdate instant of

x

in

σ

i

is dened asthevalue takenby thetime

T

at the earlieststate

whenthevalue

x.σ

i

appearedandontinuouslyremainedunhangeduntilstate

σ

i

.

x.

σ

T.

σ

1

...

x.

σ

1

T.

σ

i

...

T.

σ

j

...

T.

σ

k

x.

σ

i

x.

σ

j

x.

σ

k

T.

σ

j-1

T.

σ

k-1

T.

σ

i-1

Fig.4.2.Graphof

x

ˆ

When

x

isupdatedanditsvaluehangesthenthevalueof

x

ˆ

isalsoupdated. Converselyif

x

ˆ

hangesthen

x

isupdated. Thispropertyallowsusto relyexlusivelyonthevaluesof

x

ˆ

tostudy thetimed propertiesof

x

. Wealsodenetheinstant

N ext

(ˆ

x

)

thatreturns,ateahstate,thenextvalueof

x

ˆ

andthusthenextinstant whenthevalueof

x

isupdated,i.e. theinstantwhentheurrentvaluedisappears. If

x

isstable atastate

σ

i

(nonewupdate),then

N ext

(ˆ

x

)

.σ

i

= +

∞

.

Asintheaseofsourevariableversussoureexpression,thedenitionofatimeline

x

ˆ

,whihisgivenfora variable

x

, isatuallyvalidforastateexpression. Forthesakeof larity,wewilloneagaintalkofvariables

wherestateexpressions ouldequallybeusedin theremainderofthissetion.

4.3. Behavior of Variables. Thetimeline

x

ˆ

is used todesribethetimed behaviorof avariable

x

. In thispaper,wefousonspeikindsofvariables. Weexpeteahvalueofeahvariabletoremainunhanged

foraboundednumberoftimeunits. Wewantto beabletoexpresstheminimumandthemaximumduration

betweentwoonseutiveupdates. Thisallowsto desribetwobasibehaviors: asporadivariable keepseah

valueforaminimumduration,andontheontrary,alivelyvariable hasto beupdatedoften,novalueanbe

keptlongerthanagivenduration. Thesepropertiesareformulatedbyboundsonthedierenebetween

x

ˆ

and

N ext

(ˆ

x

)

, using apropertyalled

Steadiness

applied toavariable. These boundsdenote howlongeah value of

x

anbekept.

Denition4.3 (Steadiness) The steadiness ofavariable

x

inthe range

[

δ,

∆]

isdenedby:

σ

x

{

Steadiness

(

δ,

∆)

}

,

∀

i

:

δ

≤

N ext

(ˆ

x

)

.σ

i

−

x.σ

ˆ

i

<

∆

Denition4.4 (Periodiity) Avariable

x

isperiodiof period

P

with jitter

J

andphase

φ

i:

σ

x

{

P eriodic

(

P, J,

Φ)

}

,

x

{

Steadiness

(

P

−

2

J, P

+ 2

J

)

}∧

∀

i

:

∃

n

∈

N

_{: ˆ}

_x.σ

_i

_∈

_[

_φ

₊

_nP

₋

_{J, φ}

₊

_nP

₊

_J

_]

Suhavariableisupdatedaroundallinstants

φ

+

nP

. Notethat

J

mustverify

J < P/

4

toensurethatthe variableisupdatedoneandonlyoneperperiod.

4.4. TimedObservation. Weusetheoneptoftimelinetoextendtheobservationrelationwithtimed

harateristis. Thetimedonstraintsthatextendtheobservationmustapturethelatenyintroduedbythe

observation andthetimeline ofthesouretoproduethe timelineoftheimage. Wedene aset ofprediates

ontheinstantsharaterizingthesoureandtheimagetimelinesandtheobservationlok. Formally,atimed

observationisdened asfollows:

Denition4.5 (Timed Observation) A timed observation is dened as an observation satisfying a set of

prediates.

σ

‘

x

≺·

e







P redicate

1

(

δ

1

,

∆

1

)

,

P redicate

2

(

δ

2

,

∆

2

)

,

. . .







,

∃

c

∈

[

N

_→

N

_{] :}

_clock

₍

_c

₎

_∧

∀

i

: ‘

x.σ

i

=

e.σ

c(i)

∧

P redicate

1

(

c, δ

1

,

∆

1

)

∧

P redicate

2

(

c, δ

2

,

∆

2

)

. . .

Theprediatesthatanbeusedto desribethetimed propertiesoftherelationbetweentwovariablesarethe

followingones:

Denition4.6 Givenavariable

‘

x

andastateexpression

e

suhthat

σ

‘

x

≺·

e

witha

clock c

∈

[

N

→

N

]

,the prediates are:

Lag

(

c, δ,

∆)

,

δ

≤

‘ˆ

x.σ

i

−

ˆ

e.σ

c

(

i

)

<

∆

Stability

(

c, δ,

∆)

,

δ

≤

N ext

(ˆ

e

)

.σ

c

(

i

)

−

e.σ

ˆ

c

(

i

)

<

∆

Latency

(

c, δ,

∆)

,

δ

≤

T.σ

i

−

e.σ

ˆ

c

₍

i

₎

<

∆

M edium

(

c, δ,

∆)

,

δ

≤

T.σ

i

−

T.σ

c

(

i

)

<

∆

F reshness

(

c, δ,

∆)

,

δ

≤

T.σ

c

(

i

)

−

e.σ

ˆ

c

(

i

)

<

∆

F itness

(

c, δ,

∆)

,

δ

≤

N ext

(ˆ

e

)

.σ

c

(

i

)

−

T.σ

c

(

i

)

<

∆

Whennolower(resp. upper)boundissigniant,

0

(resp.

+

∞

)shouldbeused.

These prediates have to be true at every state and every instant. The denition of an observation is

donebystatingwhihprediates mustbesatised. Sofar, thisset hasbeensuienttoexpress thedierent

behaviorsthatwehadto analyze,but itanbeextended.

•

Prediate Lag is used to bound the duration between anupdate of thesoure and an update of the

image. Anupperboundstatesthat,whentheimageisupdated,itmustbeupdatedwithanexpression

ofsourethatwasupdatedinareenttime. Alowerboundstatesthatwhenthereisanupdateofthe

soure,thenewvalueannotbeusedto update theimagebefore thelowerboundhaselapsed.

•

Prediate Lateny bound in eah state the time elapsed sinethe assignment of the image's urrent

valueonthesoure.

•

Prediate Stability is used to lter soures valuesdepending on their duration. For examplewean

eliminatetransientvaluesandkeepsporadiones,ortheontrary.

•

Theobservationlokand thedierene

i

−

c

(

i

)

givethelogialdelayintroduedbytheobservation. Prediate Medium bounds the temporal delay related to this logialdelay. So thebounds state that

there must exist alogialdelayinduing atemporal delay satisfyingthe bounds, i. e. in eah state,

there must beoneprevious statesothat thetime elapsedsinethat stateis below thisupper bound

andabovethelowerbound andsothattheimage'surrentvaluewasassignedonthesoure. A lower

Fig.5.1.CruiseControlSystem

•

PrediatesFreshnessandFitnessareusedtodeneintervalsoftime,relativetotheupdateinstants,that

theobservationlokispreventedtorefer. SothelogialdelaythatsatisestheprediateMediummust

referto aninstantthat satisesthe Freshnessand Fitness prediates. An upperbound on Freshness

prevents states where the value of the soure is not fresh anymore to be referred. For example, a

onjuntionofMedium andFreshnessprediatesstatesthat theurrentvalueoftheimagemusthave

been available onthe sourereentlyand that it wasstill fresh at these instants. Ontheontrary, a

lowerbound onFreshnessdenotesanimpossibilityto aessavaluejust afteritsassignment. Fitness

allowsorforbidsthestatesdependingonthetimeremaininguntilthesourevalueisupdated. Alower

bound preventsto refertoastatewhere thevalueisabouttobeupdated.

Notethat,atthebeginningofanexeution,someprediatessuhas

M edium

annotbesatised. Inorder

toaddressthisproblem,thetimed prediatesdonothavetobesatisedininitialstates. Theimagevaluesare

replaedbyagivendefaultvalue. Thisextensionissimilartothefollowedby operator

→

inLustre[6℄.

5. Speifyinga Systemin Terms ofTimed Observations.

5.1. A Brief Desription. As anexample,weonsiderasimplied arruiseontrolsystem. Thegoal

ofsuhasystemisto ontrolthethrottleandthebrakesinordertoreahand keepagiventargetspeed. The

systemisomposedofseveralinteratingomponents(seeFigure 5.1):

•

aspeedmonitor,whihomputestheurrentspeed,basedonasensorountingwheelturns;

•

thethrottleatuator,whihontrolstheengine;

•

thebrakes,whihslowdownthear;

•

theontrolsystemwhihhandlesthespeeddependingontheurrentandthehosenspeed;

•

aommuniationbuswhih linksthedeviesandtheontrolsystem.

Theenvironment,thedriver,andtheengineinuenethespeedofthear. Onetheruiseontrolisativated

andatargetspeedishosen,theontrolsystemanhooseeithertoaeleratebyinreasingthevoltageofthe

throttleatuatorortodeeleratebydereasingthisvoltageandbyusingbrakes. Inorderto ensureareative

behavior,eahommandissuedbytheruiseontrolsystemmustbearriedoutwithin agiventimelimit.

Eah omponent usesand/or produesdata. We useobservationsto speifythe systemand haraterize

orretexeutions.

5.2. Data and Observations. Firstly,wedenethestatevariablesoftheruiseontrolsystem,andwe

bindthesevariablesusingobservationrelations.

Thespeedmonitoromputesthevaluesofavariable

speed

,andthesevaluesaresenttotheontrolsystem

asavariable

‘

speed

. Weexpressthisasanobservation

‘

speed

≺·

speed

.

Thehoiesoftheontrolsystemarebasedontheurrentspeedandmorepreiselyonthevalueof

‘

speed

. Twofuntionsareusedtoomputethevaluesusedasinputsbythebrakesandbythethrottleatuator. Usingthe

- variables behaviors:

speed

{

Steadiness

(

δ

1

,

+

∞

)

}

throttle

{

Steadiness

(

δ

2

,

+

∞

)

}

brake

{

Steadiness

(

δ

3

,

+

∞

)

}

- ommuniations:

‘

speed

≺·

speed

{

M edium

(

δ

4

,

+

∞

)

}

‘

throttle

≺·

throttle

{

M edium

(

δ

4

,

+

∞

)

}

‘

brake

≺·

brake

{

M edium

(

δ

4

,

+

∞

)

}

- omputations:

throttle

≺·

control

1(‘

speed

)

{

M edium

(

δ

5

,

+

∞

)

}

brake

≺·

control

2(‘

speed

)

{

M edium

(

δ

6

,

+

∞

)

}

- omplete proessing hains:

‘

throttle

≺·

control

1(

speed

)

{

Latency

(0

,

∆)

}

‘

brake

≺·

control

2(

speed

)

{

Latency

(0

,

∆)

}

Fig.5.2. SystemSpeiation

5.3. Requirements and Properties. Weexpress therequirementsand knowntimed propertiesof the

system,andwestatethemasharateristisofthesystemvariablesandobservations. Theseharateristisare

givenin Figure5.2.

Thespeedisomputedusingtheratioofthenumberofwheelturnstotheelapsedtime. Aminimumtime

is required to produe asigniantresult. Thus, there must be aminimum time

δ

1

between eah update of

speed

. Also, due to shedulingonstraints, there mustbea minimumtime

δ

2

(respetively

δ

3

) betweeneah

omputationandupdate, of

throttle

(respetively

brake

).

Eah ommuniationonthe bustakesaminimum transittime, regardlessofthe ommuniatingprotool

that is hosen. Prediate

M edium

(see Denition 4.6) is used to dene a lower bound on the observations

expressing ommuniation. Similarly, werepresentthe minimumomputation time offuntions

control

1

and

control

2

,bymeansofprediate

M edium

.

Weexpet eah datato be usedsoon enoughafter eah update. More preisely, wewant eah ommand

issuedto thebrakeortothethrottle tobebasedonfreshvaluesofthespeed. Thus, werequiretheomplete

proessinghainto beompletedin ashort enoughtime.

Aompositionofobservationsisanobservation,forexampleif

y

≺·

x

and

z

≺·

f

(

y

)

then

z

≺·

f

(

x

)

[5℄. Weuse thispropertytodenetheproessinghains relating

‘

throttle

and

‘

brake

to

speed

,via

′

_speed

asobservations,

whih enables us to express the requirements on the duration of the proessing hains as upper bounds of

Latency

prediates (seeDenition 4.6) on theseobservations. Note that, although the

Latency

upper bound

(

∆

)istheonlyupperbound giveninthesystemspeiation,itimpliitlysetsupperbounds onthe

M edium

and

Steadiness

harateristisoftheotherobservationsandvariablesofvalidexeutions.

5.4. CaseStudyAnalysis. Thegoaloftheanalysisistoprovethatthespeiationisonsistentandthat

thereisat leastoneexeutionsatisfyingtherequirements. Inourexample,anonemptysetofvalidexeutions

ensurestheavailabilityoftimelysound values. Fromthisset, weandeduetherequiredupdatefrequenyof

the

speed

variable. Forexample,wehektheexisteneofamaximumtimeaeptablebetweeneahupdate.

We analyzethe admissiblevalues ofthe

M edium

to dedue theommuniation andomputation times that

arepermitted. Then,wedeterminethepossiblevaluesoftheobservationloksinthestatesorrespondingto

thetimeline oftheimage. These valuesgivetheinstantsat whihthevaluesofthesoure areaughtandso,

forexampletheinstantswhenamessagemustbesentorwhenaomputationmuststart.

Foralltheseproperties,ahoiemustbedone. Forexample,hoosingasetofexeutionsmayalleviatethe

boundsonommuniationtimebutthenredue theinstantswhenthemessagemustbesent.

6. SystemAnalysis. Wegivehereproperties ofourframeworkbasedonobservationsin order toarry

outananalysis. Asystemspeiedwithobservationrelationsmustbeanalyzedtohektheonsistenyofthe

disretizingtime: i.e. thevaluestakenbytime

T

arein

N

. Fordisussionaboutthelossofinformation using

disretetimeinsteadofdensetimeanddefendingourhoie,see[8℄forexample.

6.1. Feasibility of a Speiation. Given a speiation based on our framework, the value of

T

is

unbounded and we have no restrition on the values that an be taken by variables. Therefore the system

denedbythespeiationisinnite. Nevertheless,weanbuildanitesystemequivalenttothespeiation

for the timed properties studied with this framework. This allowsus to model-hekthe onsisteny of the

speiation in a nite time. Here are the main priniples of this proof. The denition of a nite system

bisimilarto theoriginaloneisbasedontwoequivalenerelations.

Sinethesopeofthisframeworkistohekthesatisfationoftimedrequirements,wefousontheauxiliary

variables usedto desribethetimeline ofeah appliation variable. We denea systemwhere only variables

denotinginstants are kept, i. e. the variable desribing the timelines and the observation loks. The states

and transitionsof the systemaredened by thevalues ofthese variables and thesatisfationof observations

and variables properties. Allowed states and transitions do not depend on the values that an be taken by

eahvariablebut ontheinstantsdesribingtheirtimeline andontheobservationloks. Thus, whenwebuild

asystemwhere onlythese instantsareonsidered,wedonotlose oraddanyharateristisaboutthetimed

behaviorofthesystem. Wedeneanequivalenewheretwostatesareequivalentifandonlyiftheobservation

loksandthetimelinevariablesareequal. Thisequivaleneisusedtobuildabisimilarityrelationbetweenthe

speiedsystemandtheonebuiltupononlytheinstants.

Theseond reasonpreventingto onsider abounded number ofstatesis thelak ofbound ontime. The

valuesofthetimelinesand observationloksarealso unbounded. Inorder toredue thepossiblevaluesthat

anbetakenbythesystemvariablesdenotinginstants,wedeneasystemwhereallvaluesoftheinstantsare

stored modulo the length of an analysis interval. Wedenote this numberas

L

.

L

must be arefully hosen,

greaterthantheupperboundsonthevariables

Steadiness

andtheobservations

Latency

harateristisandit

hasto beamultipleofthevariableperiods.

Suhanumber

L

onlyexistsifallvariablesandobservationshaveupperboundedharateristis. Whenthe

soureofanobservationisboundedandsoistheobservation,suhaboundisdeduedfortheimage. Restriting

the behaviorby expeting variables to be frequently updated and the shift introdued by distribution to be

bounded seemsonsistentforsuhrealtimesystems.

Inthesystemdenedbythespeiation,transitionsarebasedondierenesbetweentheinstants

hara-terizingthevariabletimelines. Thesedierenesannotexeedthehosenlength

L

. Thus,foreahstate,ifthe

valueofthetime

T

isknownandifthevaluesoftheothervariablesareknownmodulo

L

,thenforeahvariable

there is only one possible real value that an be omputed using the value of

T

. Consequently, onsidering

thelokvaluesmodulo thislengthdoesnotaddorremoveanybehavioroftheoriginalsystem. Wedenean

equivalenewheretwostatesareequivalentifthetimelines andtheobservationloksare equalmodulo

L

. A

systembuiltbyonsideringallvaluesmodulo

L

isbisimilarwiththeoriginalsystemusingthisequivalene.

Basedon thesetwoequivalenes, we buildasystemby removingvariables whih do notdenotetimelines

orobservationloksandbyonsideringthevaluesmodulo

L

. Thissystemisbisimilartothespeiationand

preservesthe timed properties. Sine all valuesare bounded by thelength of theanalysis intervaland there

is abounded numberof values, it denesa systemwith abounded number ofstates. This result provesthe

deidabilityoftheframeworkfortheveriationofsafetypropertiesthatanbedoneusingthenitesystem.

6.2. Complexity. Wehaveprovedtheexisteneofanitesystemequivalenttooursystem. Wegivehere

theomplexityofaproesstoeetivelybuildthisequivalentnitesystem. Inordertobuildatransitionfroma

statetoanewstate,webuildasetofinequalitiesdeduedfromthepropertiesofthepreviousstateandfromthe

observationsandvariablesproperties. Tosolvethisset ofinequalitiesanddeduethepossiblevaluesofinstant

variables in thenew state, weuse dierene bound matries[4℄. Consideringa systemwhere

n

variables are

studied,thesizeofeah matrixis

O

(

n

2

₎

,andtheomplexityforreduingittoitsanonialform andbuilding

thenew stateis

O

(

n

3

₎

[4℄. The maximumnumber ofstates tobuild depends onall possibleombinations of

valuestaken by variables. Eah timed variable antake valuesbetween

0

and

L

and thenumber of instant variablesisamultipleof

n

,sowehave

O

(

L

n

₎

states. Lastly,theomplexitytobuild thesystemis

O

(

n

3

_∗

_L

n

₎

.

Consideringthememory,wehavetostore

O

(

L

n

₎

statesand

O

(

L

2n

₎

transitions. Thereforethisdiretapproah

istehniallyfeasibleonlywithsmallenoughsystems. Theomplexityismoreheavilyimpatedbythenumber

6.3. Veriation of an Implementation. A seondgoalis tohekthatanimplementation isorret

withregardtoaspeiationbasedonobservations. Thisapproahisfullydesribedin[13℄andisonlyhinted

here.

Asalltimedpropertiesaresafetyproperties,animplementationisorretifnoexeutiondeadloks(so as

toensureliveness)andallitsexeutionsareinludedintheexeutionsdenedbythespeiation.

Inorder to hekthe satisfationofthe speiationby animplementation,wegiveamodelof the

spe-iation in the same semantis we use to model an implementation. Suh a model is desribed by dening

elementary transitions. An elementary transition relation models the evolution of the values states of

avail-abilityin theobservationrelations ofthesystem. Theseelementarytransition relationsare used tobuild the

variable transition relationof theimage of an observation. Thevariable transition relationsare then used to

buildtheglobaltransitionrelation.

Oneboththespeiationandtheimplementationshavebeentranslatedintosuhtransitionrelations,we

mustverifythatthemodelofthespeiationsimulatestheimplementation. Inordertohekthisproperty,we

buildastatetransition systemsimilar tothesynhronizedprodutoflabelledtransition systems. Theations

areusedaslabelsonthetransitionsofthesystems.

6.4. Other Approahes. Sine our approah relies on the TLA+ formalism, we ould have used the

dediated tool TLC, theTLA+ model heker. A logial denition of the observation requires thetemporal

existentialquantier

∃

∃

∃

∃

∃

∃

, whihis notimplementedin TLC. Therefore aonretedenition of theobservation basedonanexpliitobservationlokhasbeenused. Itisonlyafterwehavereduedthesystemtoaniteone

thatamodelhekersuhasTLCouldbeused.

Tobeabletomorepreiselyharaterizeexeutionssatisfyingthespeiation,weurrentlyexplore

meth-ods to build these exeutions more easily. A rst proposal is to redue the omplexity of suh a proess by

relyingon proofson systemproperties. The proofapproahaneasily beused only under ertainonditions

and inorder to proeedto somesystemsimpliations. Forexample,aperiodisoure induespropertiesfor

its image throughan observation. Using these properties redues the number of states wehave to build by

foreastingsomeimpossibleases. Provingthefullorretnessof thesystemispossiblebutit isomplexand

ithasnotbeenautomatizedyet.

Anotherwayisto useontroller synthesis methods[3℄. Properties ofthe observationanbeexpressed as

safety properties using LTL and be derived asBühi automata [11℄. Twoautomata desribethe behaviorof

the soure and the image of an observation, exhanging values througha queue. Restritions anbe added

to introduetheused implementationand itsompatibilitywithexeutions dened bythespeiation. The

omplexityofontrollersynthesismethods hasstilltobeexplored.

7. Conlusion. We propose an approah foused on variables instead of tasks and proesses, to model

andanalyzedistributed realtimesystems. Wespeifyanabstratmodel postponingtaskand ommuniation

sheduling. Basedonthestatetransitionsystemsemantisextendedbyatimedreferential,weexpressrelations

betweenvariablesandthetimedpropertiesofvariablesandommuniations. Thesepropertiesareusedtohek

the freshness of values,their stability, andthe onsisteny of requirements. A possible analysis is to build a

nitesystembisimilarto thespeiedone. Theresultsareusedtohelp implementationhoies.

Perspetivesare to searh other methods that derease the omplexity of the analysis of a speiation

and to use this approah with dierent examples to expand the number of available properties and inrease

expressiveness. We also work on using analysis results to help generating an implementation satisfying the

speiation.

REFERENCES

[1℄ M. Abadi and L. Lamport,An old-fashioned reipe forreal time, ACM Transations onProgramming Languagesand

Systems,16(1994),pp.15431571.

[2℄ S.AndersonandJ.K.Filipe,Guaranteeingtemporalvaliditywithareal-timelogiofknowledge,inICDCSW'03:Pro.

ofthe23rdInt'lConf.onDistributedComputingSystems,IEEEComputerSoiety,2003,pp.178183.

[3℄ E.Asarin,O.Maler,andA.Pnueli,Symboliontrollersynthesisfordisreteandtimedsystems,inHybridSystemsII,

London,UK,1995,Springer-Verlag,pp.120.

[4℄ J.BengtssonandW.Yi,Timed automata: Semantis,algorithmsand tools,inLetureNotesonConurrenyandPetri

Nets,W.ReisigandG.Rozenberg,eds.,LetureNotesinComputerSienevol3098,SpringerVerlag,2004.

[6℄ N. Halbwahs, P.Caspi, P. Raymond,and D.Pilaud,Thesynhronous data-ow programming language LUSTRE,

ProeedingsoftheIEEE,79(1991),pp.13051320.

[7℄ L. Lamport,SpeifyingSystems: TheTLA+Languageand ToolsforHardwareandSoftwareEngineers,Addison-Wesley,

2002.

[8℄ E. Lee and A. Sangiovanni-Vinentelli,Aframework for omparing models of omputation, IEEE Transations on

Computer-AidedDesignofIntegratedCiruitsandSystems,17(1998),pp.12171229.

[9℄ G.Ro³uandS.Bensalem,AllenLinear(Interval)TemporalLogiTranslationtoLTLandMonitorSynthesis,in

Inter-nationalConfereneonComputer-AidedVeriation(CAV'06),no.4144inLetureNotesinComputerSiene,Springer

Verlag,2006,pp.263277.

[10℄ K. Tindell and J. Clark,Holisti shedulability analysis for distributed hard real-time systems, Miroproessing and

MiroprogrammingEuromiroJournal(SpeialIssueonParallelEmbeddedReal-TimeSystems), 40(1994),pp.117

134.

[11℄ M.Y.Vardi,Anautomata-theoretiapproahtolineartemporallogi,inLogisforConurreny: StrutureversusAutomata,

volume1043ofLetureNotesinComputerSiene,Springer-Verlag,1996,pp.238266.

[12℄ M. Xiong, R. Sivasankaran, J. A. Stankovi, K. Ramamritham, and D. Towsley, Sheduling transationswith

temporalonstraints: exploiting datasemantis,inRTSS'96: Pro.ofthe17thIEEEReal-TimeSystemsSymposium,

1996,pp.240253.

[13℄ TanguyLeBerre,PhilippeMauran,GérardPadiou,andPhilippeQuéinne,Adataorientedapproahforreal-time

systems,inIEEEInt'lConf.onReal-TimeandNetworkSystemsRTNS09,2009.

Editedby: JanuszZalewski

Reeived: September30,2009