Advanced Laboratory on Embedded Systems S.r.l.
Alberto Ferrari – Research Scientist
Advanced Laboratory on Embedded Systems S.r.l.
A Research and Innovation Company
7/9/2012
Alberto Ferrari - ALES S.r.l.
Outline
- Application landscape and complexity
- Mapping applications to execution platforms
  — Satisfying safety and real-time requirements
- Response Time Analysis
  — WCE vs test based
- Performance prediction is really hard … What are the alternatives?
  — Predictable architectures
  — Probabilistic real-time analysis
  — Statistical Model Checking
- Conclusions
UTC today
2009 revenue: $53 billion
Business units: Hamilton Sundstrand, Sikorsky, Pratt & Whitney, Carrier, Otis, UTC Fire & Security, UTC Power (aerospace systems, building systems, power solutions)
OTIS Elevators
1. EN: GeN2-Cx
2. ANSI: Gen2/GEM
3. JIS: GeN2-JIS
Remote monitoring and control
Inert Gas Fire Suppression
Embedded systems modeling for fast verification, function reuse & reduced risks
System diagram: control panel (control logic, communications), sensors, gas cylinder, gas discharge nozzle, vent, and the space to be protected with the components of the fire suppression system. Inflow determined by mass flow, temperature and gas concentration; ODE for cylinder/nozzle density and temperature; O2 concentration distribution; temperature distribution; overpressure time trace.
Modeling capability enables analysis and design of better fire suppression systems. Modeling enables analysis, decision support and design of robust control for the fire suppression system.
Plot: pressure vs time (0 to 70 sec), without overpressure control vs with overpressure control, compared against the safe pressure limit.
Outcome: better and safer fire suppression; implementation with minimal change in hardware.
Energy, Comfort, Security Needs in Buildings are Evolving
UTC presence in buildings creates opportunities and research challenges
- Customer-focused solutions enabled by integrated systems
- Carbon-neutral buildings by 2030: buildings must be 4X-5X more energy efficient
- Threats becoming more complex: 98% false alarms
AEROSPACE SYSTEM EVOLUTION
MORE ELECTRIC AIRCRAFT
Design and Verification Processes (V & V)
Design steps: system requirements → system partitioning → network requirements specification → system design → network and sub-system specification → network selection and configuration → partitioning → sub-system design → component specification → component implementation
Verification steps: component verification → sub-system integration → sub-system verification → network integration → system validation
Cyber Physical Systems – Abstracting Time
- Control domain: untimed/DT
- Electrical domain: timed
- Execution platform (untimed): infinite resources, never failing…
Introducing Non Ideal Execution Platform…
- Control domain: untimed/DT
- Electrical domain: timed
- Execution platform: RTOS RTOS RTOS RTOS RTOS (timed), with performance constraints (latency, safety)
… adding time
… adding failure modes
- Impact on control function
- HW/SW performance
- Identify bottlenecks
- Buffer size
- Bandwidth capacity
- End-to-end delay
- Reconfigurations
Real-time and Safety Analysis
- Mapping functional network to the platform:
  — Allocation: static vs dynamic
  — Scheduling: static vs dynamic
- Design and verification:
  — Safety constraints (design)
    • Robustness to faults (10^-7 to 10^-11)
      – Automotive: ISO26262
      – Avionics: ARP4761, DO178C
      – Building Automation: IEC61508, ISO22201, EN 81-1/A1
  — Real-time constraints (verify)
    • Latency
    • Response time
    • Resource usage
- Assuming that the correct behavior is implemented …
Flow diagram: functional requirements → functional description; non-functional requirements → platform description → platform abstraction; function/platform mapping → synthesis; verification at each stage.
Addressing Safety: Industrial practice
- Highly process oriented, governed by standards (ISO26262, ARP4761)
- Mainly based on manual flows/analysis
- Safety requirements processed since the initial phases of the design
- Verification based on tests and simulation methods
- Model based methods recently accepted by standards (DO178C)
Fault Tolerant Scheduling design flow (courtesy of Claudio Pinello)
Diagram: plant and fault behavior; sensors (Sens) and actuators (Act); functional blocks Input, CoarseCTRL, FineCTRL, Arbiter, Best, Output. Flow: Abstract → Iterator (Allocate, Schedule, Mapping onto ECU0/ECU1/ECU2 over channels CH0/CH1, Optimize) → Refine.
Distribution of time: Analysis vs Measurements
Figure (time axis): lower bound, best case, best measurements, worst measurements, worst case, upper bound; best case predictability on the left, worst case predictability on the right.
- Experiment/Simulation is not exhaustive:
  — Partial sampling yields too optimistic behavior
- Analysis is complex, almost impractical
  — Simplified analysis yields too pessimistic results
- Architectural elements with dynamic (non linear) behavior
  — State based information
Response Time Analysis
- Use abstract model to compute the communication time and the execution time of software
  — Best case - everything goes right: no cache miss, needed resources free, no conflict to access the media
  — Worst case - everything goes bad: e.g. empty cache, needed resources are busy, media busy with other communications
- Timing Accident: event causing additional delay
- Timing Penalties: associated delay
- Unfortunately modern execution platforms are very difficult to abstract to keep the problem solvable and at the same time to achieve good prediction results
  — Timing accidents are complex and dynamic
  — Timing penalties have a big range
Distribution of time: Predictability of modern architectures…
Figure (time axis): lower bound, best case, best measurements, worst measurements, worst case, upper bound; the gap between the worst case and the upper bound is x10-x100.
- Experiment/Simulation is not exhaustive
  — Risk of missing worse cases
- Analysis based on simplified models yields too pessimistic results (x10-x100)
  — Design solution is not cost effective
Looking for alternative approaches
- Predictable architectures
  — Remove/Reduce sources of indetermination. E.g.
    • Time Trigger Architecture: still need WCE to fit executions into slots
  — Enable formal analysis
  — Not always cost efficient
  — Long term solution
- Probabilistic analysis
  — Accept sources of indetermination of current architectures
  — “Gray-box” analysis (partial understanding of the architectural components)
  — Statistical description of the overall system
  — e.g. probabilistic real-time (hard deadlines met with probability of 10^-6, 10^-12)
- Statistical Model Checking
  — Prove with given confidence the satisfaction of a timing property
  — Bound the number of simulation runs
Predictable Architectures
- Communication:
  — Time trigger architecture
    • The time uncertainty is reduced to the computation in a time slot
- Computation:
  — Architecture with Reduced Timing Accident
    • ISA with timing extension
    • Time interleaved (lately used on peripheral Cores)
    • Program Managed Temporary Memory
      – Caches, buffers, RAM and related controllers are fully under software control
    • Predictable DRAM Controllers (Predator, AMC)
    • Example: PRET: Berkeley Predictable Architecture
- Adding temporal semantics to the computational model
  — PTIDES: Programming Temporally Integrated Distributed Embedded Systems
    • Uses actor-oriented design
    • Based on Discrete-Event (DE) model of computation
Probabilistic Real-Time
- Probabilistic Hard Real-Time Systems
  — Deadlines must be met, but it is likely to accept a deadline miss (probabilities of the order of 10^-6 to 10^-12)
  — It is just another failure event of the system
- Two approaches:
  — Gray-box and Statistical Analysis:
    • “…the effects are understood in principle, but can not be captured analytically without very pessimistic simplifications and a cycle true simulation of all possible program paths with all potential input data combinations is inhibited by the complexity of the problem.”
    • Probabilistic description of the system behavior (WCET)
  — Randomized Architectures
    • The execution platform behaves randomly!
Probabilistic Real-Time Analysis
- Approach of Bernat et al. 2002 “WCET Analysis of Probabilistic Hard Real-Time Systems”
- Derive Execution Time Profile (ETP) associated to smaller units of a program
  — By measurement (on real processors) or by simulation
  — By analytical methods
- Statistical combination of ETPs (composition rules and calculation procedure)
  — For independent ETPs: assuming independence between the execution of two units of program
  — For dependent ETPs: assuming that it is possible to calculate a Joint Execution Profile (JEP)
  — For unknown (dependency) ETPs: assuming a worst JEP
- Problems/Doubts:
  — How to accurately calculate ETP?
  — How to accurately calculate JEP?
    • Dramatically more complex (experiment set grows quadratically)
References:
[RTSS02_probabilistic_hard.pdf “WCET Analysis of Probabilistic Hard Real-Time Systems”]
[YCS-2003-353.pdf “pWCET: a Tool for Probabilistic Worst-Case Execution Time Analysis of Real-Time Systems”]
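The ETP composition rules above, worked through as an added example (not code from the slides or from the pWCET tool): two constructed profiles are combined by convolution under the independence assumption and, for comparison, from a constructed Joint Execution Profile in which the slow paths of the two units always coincide; the pWCET at a given exceedance probability is then read off each composed profile.

```python
# Added example (not from the slides or from Bernat et al.'s pWCET tool):
# composing Execution Time Profiles (ETPs) of two program units, for the
# independent case (convolution) and for the dependent case where a Joint
# Execution Profile (JEP) is available. Profiles and exceedance targets
# are constructed values, not measurements.
from itertools import product

# Constructed ETPs: execution time in cycles -> probability.
# The rare slow paths (40 and 90 cycles) stand for e.g. cache-miss paths.
ETP_A = {10: 0.90, 12: 0.09, 40: 0.01}
ETP_B = {20: 0.90, 25: 0.09, 90: 0.01}

# Constructed JEP with the same marginals as ETP_A and ETP_B, but where the
# slow path of unit A always coincides with the slow path of unit B.
JEP_AB = {(10, 20): 0.90, (12, 25): 0.09, (40, 90): 0.01}


def compose_independent(etp_a, etp_b):
    """Convolution: valid only if the two units execute independently."""
    out = {}
    for (ta, pa), (tb, pb) in product(etp_a.items(), etp_b.items()):
        out[ta + tb] = out.get(ta + tb, 0.0) + pa * pb
    return out


def compose_joint(jep):
    """Composition from an explicit JEP {(time_a, time_b): probability}."""
    out = {}
    for (ta, tb), p in jep.items():
        out[ta + tb] = out.get(ta + tb, 0.0) + p
    return out


def pwcet(etp, exceedance):
    """Smallest bound t such that Pr(time > t) <= exceedance.
    Walks the profile from the longest time down, accumulating tail mass."""
    tail = 0.0
    for t, p in sorted(etp.items(), reverse=True):
        tail += p
        if tail > exceedance:
            return t
    return min(etp)  # the whole profile fits below the target


if __name__ == "__main__":
    ind, dep = compose_independent(ETP_A, ETP_B), compose_joint(JEP_AB)
    for target in (2e-2, 5e-4):
        print(f"exceedance {target:g}: pWCET independent={pwcet(ind, target)}"
              f"  with JEP={pwcet(dep, target)}")
```

At an exceedance target of 5e-4 the independence assumption gives a pWCET of 102 cycles while the dependent JEP gives 130, which is the gap the "unknown dependency" rule has to cover conservatively.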
Randomized HW/SW Architectures
- Move towards truly randomized architectures
  — Opposite direction of predictable (deterministic) HW/SW architectures
  — Break any dependency on code execution history (typical in caches, but not only there!)
  — Probabilistic analysis suffers from dependencies (i.e. it is much simpler to rely on statistical independence)
- Example with caches:
  — Randomized replacement policy (select a random replacement victim)
  — Traditional replacement (LRU) depends on execution history
    • probabilistic execution time analysis suffers from systemic cache misses (probabilistic analysis relies on statistical independence)
- Problems/Doubts
  — How to achieve true randomization?
  — Is this still cost effective?
  — Could a reduced complexity architecture achieve better mean performance and B/WCET bounds?
References:
[ecrts09.pdf “Using Randomized Caches in Probabilistic Real-Time Systems”]
[ACM-probabilistic_rt.pdf “PROARTIS: Probabilistically Analysable Real-Time Systems”]
Statistical model checking
Application scenario
- Executable model of a system with random components
- Property Φ verified or falsified by the model in a known and finite time
Statistical Model Checking (SMC)
- Estimation of the probability p̂ of satisfaction of property Φ
- Statistical method -> estimation characterized by confidence (1 − δ) and error probability (ε):
  Pr(|p̂ − p| < ε) ≥ 1 − δ
  — Chernoff-Hoeffding bound to determine the number of independent samples:
  m > (4 / ε²) · ln(2 / δ)
Application: performance of a CAN network
- Random components: clock drift, tolerance and aging of electrical components
- Property Φ: transmission of a packet without errors
  — p̂ is the probability of correct transmission (1 − p̂ = PER)
  — 1 transmitted packet == 1 statistical sample
Statistical Model Checking: Performance in critical scenarios
- Clusters of nodes. Scenario: 32 nodes, distance between the clusters 4 m, distance between nodes [0.4, 2] m, clock drift of CAN controller ~N(0, 150 ppm)
- SMC: 50000 samples → confidence interval: 0.01, error probability: 0.015
- Theoretical limit: 1 Mbit/s → 40 m (analytic model)
Chart: packet error probability estimation per node (# node, 1 to 31, on the vertical axis; packet error rate [%], 0.00% to 3.00%, on the horizontal axis).
Reference: “Message priority inversion on a CAN bus”, Texas Instruments Incorporated
Simulated model: analysis of critical scenarios not captured by the analytic model
Not negligible packet error rate at the theoretical length!
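The SMC procedure of the two slides above (choose m from the Chernoff-Hoeffding bound, run m independent samples of the executable model, report p̂ and PER), carried out as an added example on a constructed toy link model rather than the author's CAN simulator; the bit-error model, its parameters and the RNG seed are assumptions made here, only the sample bound is taken from the slides.

```python
# Added example (not the author's CAN model): statistical model checking of
# the property Phi = "packet transmitted without errors" on a constructed
# toy link where each bit is flipped independently. Only the Chernoff-
# Hoeffding sample bound comes from the slides; the bit-error model, its
# parameters and the RNG seed are assumptions made here.
import math
import random


def chernoff_samples(eps, delta):
    """Independent runs m such that Pr(|p_hat - p| < eps) >= 1 - delta,
    from the Chernoff-Hoeffding bound m > (4 / eps^2) * ln(2 / delta)."""
    return math.ceil(4.0 / eps ** 2 * math.log(2.0 / delta))


def packet_ok(rng, bits, bit_error_prob):
    """One statistical sample (one transmitted packet): Phi holds iff no bit flips."""
    return all(rng.random() >= bit_error_prob for _ in range(bits))


def smc_estimate(eps, delta, bits=64, bit_error_prob=1e-3, seed=2012):
    """Run m samples of the model; return (p_hat, m, PER) with PER = 1 - p_hat."""
    m = chernoff_samples(eps, delta)
    rng = random.Random(seed)
    good = sum(packet_ok(rng, bits, bit_error_prob) for _ in range(m))
    p_hat = good / m
    return p_hat, m, 1.0 - p_hat


def exact_p(bits=64, bit_error_prob=1e-3):
    """Closed form for the toy model, available only because the model is
    trivial; a real executable model has no such formula, hence SMC."""
    return (1.0 - bit_error_prob) ** bits


if __name__ == "__main__":
    for eps, delta in ((0.05, 0.01), (0.01, 0.015)):
        print(f"eps={eps} delta={delta}: m={chernoff_samples(eps, delta)} runs")
    p_hat, m, per = smc_estimate(eps=0.05, delta=0.01)
    print(f"m={m}  p_hat={p_hat:.4f}  PER={per:.4f}  exact p={exact_p():.4f}")
```

Tightening ε from 0.05 to 0.01 multiplies m by 25, which is the "scales badly with confidence level" cost noted on the pros and cons slide.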
Statistical Model Checking: Pros & Cons
Pros
— Scales fairly reasonably with the system size (simulation based)
Cons
— Scales pretty badly with confidence level
  • 99% -> 50K runs!
Conclusions
- Several challenges in the design and verification of cyber-physical systems
  — Safety constraints are becoming stronger and their satisfaction requires substantial manual design and verification effort
    • There are few approaches to design under these constraints, but still not mature enough for industrial deployment
  — Real-time performance analysis for modern architectures is hard
    • Different approaches have been proposed, none is really ready for prime time
  — Combined approach for safety and real-time design/verification still far from becoming real
- Multi-processor distributed architectures are becoming reality also in embedded systems
  — Increase WCET bounds (apparently)
  — Solutions to cost optimize these architectures are not yet available on industrial scale
Acknowledgments
Christian Nastasi
Alessandro Ulisse
Massimiliano D’Angelo