## **Embedded Systems**



BF - ES

# Final exam Wednesday Aug 01, 09:00–11:00

- HS 001, 002, 003 in E1 3
- Seating arrangement will be posted at doors
- The exam will be open book. That is, you are allowed to use printouts of the lecture slides, books and any handwritten notes during the exam.
- Re-exam: 01.10.12 10:00-12:00, Günter Hotz lecture hall

26

- 1 -

#### **REVIEW: Automated Formal Methods**

- Model Checking: automatically verify whether certain properties are guaranteed by the model; determine safe parameters
- Controller Synthesis: automatically construct control strategies that keep the system safe

#### **Overview:**

- Intro: Analyzing FlexRay
- 2 Timed automata
- Regions & zones
- Model checking and controller synthesis
- Hybrid automata

#### BF-ES

## **REVIEW: Controller Synthesis**

We distinguish between external (uncontrolled) and internal (controlled) nondeterminism



- 3 -

#### **REVIEW:** Games



## Example templates

The cyclic-executive template:



BF-ES

## Example templates

The *multi-phase program* template:



BF-ES

- 7 -



#### Parameters as variables



## Parameter synthesis by model checking



|           | Template-based SYNTHIA |      |      |     | Uppaal-Tiga |      |         | Standard SYNTHIA |     |      |     |
|-----------|------------------------|------|------|-----|-------------|------|---------|------------------|-----|------|-----|
| Benchmark | Steps                  | Abs  | Time | Mem | States      | Time | Mem     | Steps            | Abs | Time | Mem |
| Dam 5     | 58                     | 100  | 1    | 80  | 88592       | 2    | 65      | 230              | 149 | 4    | 80  |
| Dam 25    | 268                    | 380  | 13   | 87  | 3114648     | 307  | 443     | 1115             | 718 | 1182 | 91  |
| Dam 50    | 530                    | 730  | 87   | 105 | 13545848    | 5018 | 2355    | TIMEOUT          |     |      |     |
| Dam 75    | 793                    | 1080 | 329  | 111 | TIMEOUT     |      |         | TIMEOUT          |     |      |     |
| Dam 100   | 1055                   | 1430 | 927  | 143 | TIMEOUT     |      | TIMEOUT |                  |     |      |     |
| Dam 125   | 1318                   | 1780 | 1949 | 149 | TIMEOUT     |      | TIMEOUT |                  |     |      |     |
| Dam 150   | 1580                   | 2130 | 3483 | 153 | TIMEOUT     |      | TIMEOUT |                  |     |      |     |
| Dam 175   | 1843                   | 2480 | 5127 | 213 | TIMEOUT     |      | TIMEOUT |                  |     |      |     |
| Dam 200   | TIMEOUT                |      |      |     | TIMEOUT     |      |         | TIMEOUT          |     |      |     |

time in seconds / memory consumption in MB

BF-ES

**Verifying Hybrid Automata** 

- 15 -

#### Towards model checking hybrid automata

 Idea: Iterate transition relation and continuous dynamics until an unsafe state is hit:



- **Result:** Terminates if HA is unsafe.
- Requires: Effective representations of transition relation, continuous dynamics, and initial, intermediate, and unsafe state sets s.t.
  - Calculation of the state set reachable within  $n \in \mathbb{N}$  steps is effective,
  - Emptiness of intersection of unsafe state set with the state set reachable in *n* steps is decidable.

(implemented in e.g. HyTech [Henzinger, Ho, Wong-Toi, 1995–])

BF-ES

## Hybrid automata with polyhedral constraints

We assume that the following predicates are given as polyhedral constraints:

- An initial state predicate *initial*<sub>σ</sub> ∈ FOL(ℝ, =, +) defines the possible initial states in mode σ
- An activity predicate act<sub>σ</sub> ∈ FOL(ℝ, =, +) defines the possible evolution of the continuous state while the system is in mode σ
- A transition predicate  $trans_{\sigma \to \sigma'} \in FOL(\mathbb{R}, =, +)$  defines guard and effect of transition from mode  $\sigma$  to mode  $\sigma'$

- 17 -

#### From hybrid automata to logic



Reachability of a final mode  $\sigma'$  from an initial mode  $\sigma$  and through an execution containing *n* transitions can be formalized through the inductively defined predicate  $\phi_{\sigma \to \sigma'}^n$ , where

$$\phi_{\sigma \to \sigma'}^{0} = \begin{cases} \text{false, if } \sigma \neq \sigma' ,\\ act_{\sigma}, \text{ if } \sigma = \sigma' , \end{cases}$$
$$\phi_{\sigma \to \sigma'}^{n+1} = \bigvee_{\tilde{\sigma} \in \Sigma} \exists \vec{x}_{1}, \vec{x}_{2} . \begin{pmatrix} \phi_{\sigma \to \tilde{\sigma}}^{n} [\vec{x}_{1}/\vec{x}] \land \\ trans_{\tilde{\sigma} \to \sigma'} [\vec{x}_{1}, \vec{x}_{2}/\vec{x}, \vec{x}] \land \\ act_{\sigma'} [\vec{x}_{2}/\vec{x}] \end{cases}$$

### Safety of hybrid automata

 $\Rightarrow$  An unsafe state is reachable within *n* steps iff

$$\textit{unsafe}_n = \bigvee_{\sigma' \in \Sigma} \textit{Reach}_{\sigma'}^{\leq n} \land \neg \textit{safe}_{\sigma'}$$

is satisfiable, where

$$\mathsf{Reach}_{\sigma'}^{\leq n} = \bigvee_{i \in \mathbb{N}_{\leq n}} \bigvee_{\sigma \in \Sigma} \phi^{i}_{\sigma \to \sigma'} \wedge \mathsf{initial}_{\sigma} [\vec{x} / \vec{x}]$$

characterizes the continuous states reachable in at most n steps within mode  $\sigma^\prime.$ 

- An unsafe state is reachable iff there is some  $n \in \mathbb{N}$  for which  $unsafe_n$  is satisfiable.
- The unsafe states are unreachable if (but not only if) unsafe<sub>n</sub> is unsatisfiable and  $Reach_{\sigma'}^{\leq n+1} \Rightarrow Reach_{\sigma'}^{\leq n}$ .



REVIEW

## Modeling, Design, Analysis

*Modeling* is the process of gaining a deeper understanding of a system through imitation. Models specify what a system does.

**Design** is the structured creation of artifacts. It specifies **how** a system does what it does. This includes optimization.



*Analysis* is the process of gaining a deeper understanding of a system through dissection. It specifies why a system does what it does (or fails to do what a model says it should do).

BF-ES -2-

#### **Computational models**

| Communication/<br>local computations      | Shared memory                                                  | Asynchronous message passing                 |
|-------------------------------------------|----------------------------------------------------------------|----------------------------------------------|
| Communicating<br>finite state<br>machines | Hybrid automata,<br>statecharts,<br>synchronous<br>composition |                                              |
| Data flow                                 |                                                                | Petri nets,<br>Kahn process networks,<br>SDF |
| Discrete event<br>model                   | VHDL                                                           |                                              |

BF - ES

- 25 -

#### The super-step time model Two-dimensional time: No. of discrete computation discrete activity ceases, steps progress of physical Continuous phase: time starts again Phys. time advances, no discrete steps 10-Discrete activity: no progress of physical time involved; continuous activity frozen 5 A discretely perceptible event (threshold, elapse of clock) occurs, starting discrete activity Physical time Assumption: Computation time is neglegible compared to dynamics of the environment.

BF - ES

## **VHDL Semantics**



#### **Timed and Hybrid automata**

- Motivation
  - The design of an embedded system must consider both the continuous evolution of the environment and the discrete computation of the controller
- Major points
  - Modeling with hybrid automata
  - Semantics (hybrid time sets, hybrid trajectories)
  - Zenoness
  - Automatic verification
  - Automatic controller synthesis

### **Zeno Behavior**



#### Timed Automata with Nondeterministic Delays [Alur/Dill]

A timed automaton is a tuple

$$TA = (Loc, Act, C, \rightsquigarrow, Loc_0, inv, AP, L)$$
 where:

- Loc is a finite set of locations.
- $Loc_0 \subseteq Loc$  is a set of initial locations
- C is a finite set of clocks
- $L: Loc \rightarrow 2^{AP}$  is a labeling function for the locations
- $\rightarrow \subseteq Loc \times CC(C) \times Act \times 2^{C} \times Loc$  is a transition relation, and
- $inv : Loc \rightarrow CC(C)$  is an invariant-assignment function

*Clock constraints* over set *C* of clocks are defined by:

$$g ::=$$
 True  $| x < c | x \le c | \neg g | g \land g$ 

- where  $c \in \mathbb{N}$  and clocks  $x, y \in C$
- rational constants would do; neither reals nor addition of clocks!
- Int CC(C) denote the set of clock constraints over C
- shorthands:  $x \ge c$  denotes  $\neg (x < c)$ and  $x \in [c_1, c_2)$  or  $c_1 \le x < c_2$  denotes  $\neg (x < c_1) \land (x < c_2)$

BF - ES

#### **Region Abstraction**

- Consider a timed automaton with clocks x and y
- having maximal constants 3 and 2, respectively.



Equivalence relation ≃<sub>R</sub>
onstraints
time elapsing
maximal constants

- 31 -

### **Actor Model of Continuous-Time Systems**

A *system* is a function that accepts an input *signal* and yields an output signal.

The domain and range of the system function are sets of signals, which themselves are functions.

Parameters may affect the definition of the function *S*.

x parameters y p, q  $Y: \mathbb{R} \to \mathbb{R}, \quad y: \mathbb{R} \to \mathbb{R}$   $S: X \to Y$   $X = Y = (\mathbb{R} \to \mathbb{R})$ 

- 33 -





#### Design

### **Embedded System Hardware**

Embedded system hardware is frequently used in a loop (*"hardware in a loop"*):



#### Sensors, A/D + D/A converters

- Motivation
  - Embedded systems interact with physical environment
- Major points
  - Sample & hold circuits
  - A/D converters
  - D/A converters
  - Aliasing
  - Interfaces

## **Information processing**

- Motivation
  - Embedded systems must be efficient
  - Embedded processors need not be instruction set compatible with standard PCs
- Major points
  - Power/energy efficiency
  - Code size efficiency
  - Runtime efficiency
  - Reconfigurable logic, multimedia processors, scratch pad memory...

BF - ES

- 37 -

#### **Real-time communication**

- Motivation
  - Modular system development, support, and evolution
  - Network vs. wiring harness
- Major points
  - Electrical robustness
  - Priority-based arbitration
  - TDMA
  - CSMA
  - FlexRay

## **FlexRay**



## Scheduling

- Motivation
  - Key issue in implementing RT-systems
  - Different algorithms have different assumptions and cost
- Major points
  - Aperiodic scheduling
  - Periodic scheduling
  - Scheduling with resource constraints
  - Multiprocessor scheduling

## **EDF – Earliest Deadline First**

• EDF: At every instant execute the task with the earliest absolute deadline among all the ready tasks.

#### Theorem (Horn '74):

Given a set of n independent task **with arbitrary arrival times**, any algorithm that at every instant executes the task with the earliest absolute deadline among all the ready tasks is optimal with respect to minimizing the maximum lateness.

- 41 -

#### **Aperiodic scheduling: Non-preemptive version**

- Theorem (Jeffay et al. '91): EDF is an optimal non-idle scheduling algorithm also in a non-preemptive task model.
- Non-preemptive scheduling with idle schedules allowed is NP-hard
- Possible approaches:
  - Heuristics
  - Bratley's algorithm: Branch-and-bound

## **Periodic scheduling**

- Theorem: A set of periodic tasks τ<sub>1</sub>, ..., τ<sub>n</sub> with D<sub>i</sub> = T<sub>i</sub> is schedulable with EDF iff U ≤ 1.
- Theorem (Liu, Layland, 1973): RM is optimal among all fixed-priority scheduling algorithms.
- Any set of **n** periodic tasks with a processor utilization factor  $\leq U_{lub} = n(2^{1/n} 1)$  can be scheduled by RM.



## The priority inversion problem



- Blocking time equal to length of critical section + computation time of J<sub>2</sub>.
- Unbounded time of priority inversion, if J<sub>3</sub> is interrupted by tasks with priority between J<sub>1</sub> and J<sub>3</sub> during its critical region.

### **Multiprocessor scheduling**



BF - ES

## **Periodic scheduling**

- 1. Divide the time line into time slices such that each period of each process is divided into an integral number of time slices. Slice length  $T = GCD(T_1, ..., T_n)$ .
- 2. Within each time slice, allocate processor time in proportion to the utilization  $U_i = \frac{C_i}{T_i}$  originating from the various tasks.

Processing time per slice  $r_i = TU_i = T\frac{C_i}{T_i}$ .

Hence, each task runs  $\frac{T_i}{T}r_i = \frac{T_i}{T}T\frac{C_i}{T_i} = C_i$  time units within its period.

- 3. Allocate  $\ensuremath{r_i}$  according to the following algorithm
  - (a) Look for the first processor  $proc_j$  that has free capacity in its time slices.
  - (b) Allocate that portion of  $r_i$  to  $proc_j$  that  $proc_j$  can accommodate.
  - (c) If all of  $r_i$  has been allocated then proceed with the next task (goto step a).
  - (d) Otherwise allocate the remainder of  $r_i$  to  $proc_{j+1}$ .  $proc_{j+1}$  has enough spare capacity as it has not previously been used and  $r_i \leq T$  due to  $U_i \leq 1$ . Furthermore, due to  $r_i \leq T$ , we don't generate temporal overlap between the two partial runs of task i.

- 45 -

## Partitioning

- Motivation
  - HW/SW codesign
  - Software (alone) may not have sufficent performance
  - Hardware (alone) may be too expensive
- Major points
  - Integer Linear Programming (ILP)
  - Hierarchical clustering
  - Kernighan-Lin algorithm
  - F-M heuristic

- 47 -

#### Fault tolerance: failure modes

#### Fail-silent failures

- subsystem either produces correct results or produces (recognizable) incorrect results or remains quiet
- can be masked as long as at least one system survives
- Consistent failures
  - If subsystem produces incorrect results all recipients receive same (incorrect) result
  - can be masked iff the failing systems form a minority
- Byzantine failures
  - subsystem reports different results to different dependent systems
  - can be masked iff strictly less than a third of the systems fail



#### **Analysis**

BF - ES

## **Estimation and Verification**

- Motivation
  - Design-space exploration
  - Real-time guarantees
  - Fault tolerance
  - Correctness
  - Safety
- Major points
  - WCET analysis based on abstract interpretation
  - Testing
  - Reliability analysis
  - Verification
  - Controller synthesis





## Fault tree analysis



#### Inductive computation of reliability

Assumption: failures of the individual components are independent

#### **Serial composition**



BF - ES

## **An ATPG System**



serial input

flip-flop

normal mode/test mode

#### **Automated Formal Methods**

- Model Checking: automatically verify whether certain properties are guaranteed by the model; determine safe parameters
- Controller Synthesis: automatically construct control strategies that keep the system safe

#### **Overview:**

- Intro: Analyzing FlexRay
- 2 Timed automata
- Regions & zones
- Model checking and controller synthesis
- Hybrid automata

BF - ES

- 57 -

#### Zone-based Timed Game Solving

From where can  $\rightarrow$  enforce a run to c ?



## **Development of Safety-Critical Embedded** Systems

- Daniel Kästner, Florian Martin, Reinhard Wilhelm.
- Advanced course (6 ECTS): Fr 10-12, E1.3 / HS003. Exercises, 2h.
- Goal: Working with industry tools for developing safety-critical embedded systems and understanding their theoretical background.
- Contents: Functional safety, model-based code generation, synchronous programming, task scheduling, static program analysis for safety aspects (worst-case execution time, stack usage, runtime errors).
- Tools used:
  - SCADE: CASE tool for safety-critical embedded systems (avionics)
  - Symta/S: Task scheduling & schedulability analysis (automotive)
  - aiT WCET Analyzer / StackAnalyzer / Astrée: Static program analyzers (avionics & automotive)
- Practical project with Lego Mindstorms





## Automata, Games, and Verification

- Bernd Finkbeiner, Hazem Torfah, Markus Rabe
- Advanced course (6 ECTS)
- Goal: logical and game-theoretic foundations of automatic verification and synthesis
- Contents:
  - Automata over infinite words and trees (omega-automata)
  - Infinite two-player games
  - Logical systems for the specification of nonterminating behavior
  - Transformation of automata according to logical operations

## Seminar: Real-Time Systems & Synthesis

- Bernd Finkbeiner, Michael Gerke, Peter Faymonville
- Seminar (7 ECTS)
- Organizational meeting in October
- Preparatory meetings during lecture period
- Kolloquium (1-2 days) after exams in February

- 61 -