Scheduling of Embedded Controllers Under Timing

Scheduling of Embedded Controllers Under Timing Contracts ∗ Mohammad Al Khatib

Antoine Girard

Thao Dang

L2S, CNRS CentraleSupélec Université Paris-Sud Université Paris-Saclay F-91192 Gif-sur-Yvette

L2S, CNRS CentraleSupélec Université Paris-Sud Université Paris-Saclay F-91192 Gif-sur-Yvette

Verimag, CNRS Université Grenoble Alpes F-38000 Grenoble

mohammad.alkhatib @l2s.centralesupelec.fr

antoine.girard @l2s.centralesupelec.fr citizens in all their aspects (housing, transportation, health, industry, assistance to the elderly, etc.). Therefore, highconfidence tools for the analysis and design of CPS, being able to cope with the tight interactions between cyber and physical components are urgently needed. Design of complex CPS can be tackled by decomposing the global design problem into smaller sub-problems. This approach can be formally implemented using contract based design [36, 10, 9]. For instance, for embedded controller implementation, [19] proposed the use of timing contracts, which specify the constraints on the time instants at which certain operations are performed such as sampling, actuation or computation. Under such contracts, the control engineers are responsible for designing a control law that is robust to all possible timing variation specified in the contract while the software engineers can focus on implementing the proposed control law so as to satisfy the timing contract. Several previous works have taken the point of view of control engineers, by developing techniques for robust stability analysis of embedded control systems under such timing contracts (see e.g. [15, 20, 7, 2]). In the first part of this paper, we adopt the point of view of the software engineer who has to implement several controllers, each subject to a timing contract, on a shared computational platform. Given best and worst case execution times for each control task, we synthesize a dynamic scheduling policy, which guarantees that each timing contract is satisfied and that the shared computational resource is allocated to at most one controller at any time. Our approach is based on the use of timed game automata [33, 13] and we show that the scheduling problem can be formulated as a timed safety game, which can be solved by the tool UPPAAL-TIGA [8], and whose solution provides a suitable scheduling policy. In the second part of the paper, we address the requirement engineering problem, which consists in synthesizing a set of timing contracts that guarantee at the same time the schedulability and the stability of the embedded controllers. We use a re-parametrization of contracts, which provides some monotonicity property to the problem and allows us to develop an effective synthesis method based on guided sampling of the timing contract parameter space. The paper is organized as follows. The problem setting is given in Section 2, where we introduce the considered classes of systems and timing contracts and where we formulate the

ABSTRACT Timing contracts for embedded controller implementation specify the constraints on the time instants at which certain operations are performed such as sampling, actuation, computation, etc. Several previous works have focused on stability analysis of embedded control systems under such timing contracts. In this paper, we consider the scheduling of embedded controllers on a shared computational platform. Given a set of controllers, each of which is subject to a timing contract, we synthesize a dynamic scheduling policy, which guarantees that each timing contract is satisfied and that the shared computational resource is allocated to at most one embedded controller at any time. The approach is based on a timed game formulation whose solution provides a suitable scheduling policy. In the second part of the paper, we consider the problem of synthesizing a set of timing contracts that guarantee at the same time the schedulability and the stability of the embedded controllers.

Keywords Embedded control; Sampled-data systems; Scheduling; Timed automata; Stability

1.

[email protected]

INTRODUCTION

Cyber-physical systems (CPS) consisting of integration of computing devices with physical processes are to become ubiquitous in modern societies (autonomous vehicles, smart buildings, robots, etc.) and will practically impact the life of ∗This work was supported by the Agence Nationale de la Recherche (COMPACS project ANR-13-BS03-0004) and by the Labex DigiCosme, Universit´e Paris-Saclay (CODECSYS project). Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

HSCC’17, April 18-20, 2017, Pittsburgh, PA, USA c 2017 ACM. ISBN 978-1-4503-4590-3/17/04. . . $15.00

DOI: http://dx.doi.org/10.1145/3049797.3049816

131

stability verification, schedulability verification and timing contract synthesis problems. Section 3 provides a solution to the schedulability verification problem based on timed games. Then, the timing contract synthesis problem is addressed in Section 4. Section 5 shows an application of our approach using an illustrative example.

Problem 1 (Stability verification). Given a system S = (A, B, K) and a timing contract θ(τ , τ , h, h) verify that S is GUES under timing contract θ(τ , τ , h, h). Several approaches are presented in the literature to solve instances of Problem 1. A non-exhaustive list is given in Table 1. From the modeling perspective, the problem can be tackled using difference inclusions, time-delay systems or hybrid systems. On the computational side, the approaches are based on semi-definite programming (Linear Matrix Inequalities (LMI) or Sum Of Squares (SOS) formulations), invariant sets or reachability analysis. Let us remark that approaches [15, 20, 7, 2] appear to be able to address all instances of Problem 1.

− + − + Notations. Let R, R+ denote the sets 0 , R , R0 , R , N, N of reals, non-negative reals, positive reals, non-positive reals, negative reals, non-negative integers and positive integers, respectively. For I ⊆ R+ 0 , let NI = N ∩ I. Given a vector p ∈ Rn , its i-th element is denoted by pi . Given two vectors p, p0 ∈ Rn , the inequality p ≤ p0 is interpreted conponentwise. For a set S, we denote the set of all subsets of S by 2S .

2.

2.3

PROBLEM FORMULATION

2.1

Sampled-data systems

In this work, we consider sampled-data systems that take into account the sequences of sampling and actuation instants (tsk )k∈N and (tak )k∈N : x(t) ˙ = Ax(t) + Bu(t), u(t) = Kx(tsk ),

∀t ∈ R+ 0

(1)

tak < t ≤ tak+1

(2)

n

m

where x(t) ∈ R is the state of the system, u(t) ∈ R is the control input, the matrices A ∈ Rn×n , B ∈ Rn×m , K ∈ Rm×n and k ∈ N. In addition, it is assumed that for all t ∈ [0, ta0 ], u(t) = 0. We assume that the sequence of sampling and actuation instants (tsk ) and (tak ) satisfy a timing contract θ(τ , τ , h, h) given by 0 ≤ ts0 , tsk ≤ tak ≤ tsk+1 , τk = tak − tsk ∈ [τ , τ ], hk = tsk+1 − tsk ∈ [h, h], R+ 0 ,

R+ 0 ,

∀k ∈ N ∀k ∈ N ∀k ∈ N

+

(3)

0 ≤ ts0i i tski ≤ tbki ≤ teki ≤ taki ≤ tsk+1 , cik = teki − tbki ∈ [ci , ci ], τki = taki − tksi ∈ [τ i , τ i ], i i hik = tsk+1 − tksi ∈ [hi , h ],

+

where τ ∈ τ ∈ h ∈ R and h ∈ R provide bounds on the sampling-to-actuation delays (which includes time for computation of the control law) and sampling periods provided that tsk ≤ tak ≤ tsk+1 for all k ∈ N. Note that we impose h 6= 0 to prevent Zeno behavior. Moreover, these parameters must belong to the following set so that the time intervals given in (3) are always non-empty and it is always possible to choose tsk+1 ≥ tak :  + + + C = (τ , τ , h, h) ∈ R+ 0 × R0 × R × R : τ ≤ τ ≤ h, h ≤ h .

2.2

Scheduling

We consider a collection of N ∈ N+ sampled-data systems {S1 , . . . , SN } of the form (1-2) where each system Si = i (Ai , Bi , Ki ), is subject to a timing contract θ(τ i , τ i , hi , h ) of i the form (3), with parameters (τ i , τ i , hi , h ) ∈ C, i ∈ N[1,N ] . In addition, we assume that these systems share a single processor to compute the value of their control inputs given by (2). The time required to compute these inputs is assumed to belong to some known interval [ci , ci ], with 0 ≤ ci ≤ ci , where ci and ci denote the best and worst case execution time to compute the input of systems Si , i ∈ N[1,N ] . The timing of events in the k-th control cycle of system Si starts at instant tski when sampling occurs. Then, system Si gains access to the computational resource at instant tbki , at which computation of the control input value begins. The computational resource is released at instant teki , at which computation of the control input value ends. After that, actuation occurs at instant taki . Formally, the sequences (tksi )k∈N , (tbki )k∈N , (teki )k∈N , and (taki )k∈N satisfy the following constraints for all i ∈ N[1,N ] : ∀k ∀k ∀k ∀k

∈N ∈N ∈N ∈N

(4)

In addition, a conflict arises if several systems request access to the computational resource at the same time. Let us define the following property, for i ∈ N[1,N ] : _
Com(Si , t) ≡ t ∈ [tbki , teki ) . k∈N

Com(Si , t) is true if and only if the computational resource is used by system Si at time t. Then, in order to prevent conflicting accesses to the computational resource the following property must hold:

Stability verification

We consider the notion of stability in the following sense:

2 ∀t ∈ R+ 0 , ∀(i, j) ∈ N[1,N ] with i 6= j,

Definition 1. The system S = (A, B, K) is globally uniformly exponentially stable (GUES) under timing contract θ(τ , τ , h, h) if there exist λ ∈ R+ and C ∈ R+ such that, for all sequences (tsk )k∈N and (tak )k∈N verifying (3), the solutions of (1-2) verify

Com(Si , t) ∧ Com(Sj , t) ≡ False.

(5)

kx(t)k ≤ Ce−λ(t−t0 ) kx(ts0 )k , ∀t ≥ ts0 .

Remark 1. It is straightforward to verify that for any sequences (tski )k∈N , (tbki )k∈N , (teki )k∈N , and (taki )k∈N satisfying (4-5), the sequences (tski )k∈N and (taki )k∈N satisfy the timing i contract θ(τ i , τ i , hi , h ).

We then define the stability verification problem as follows:

We aim at synthesizing a dynamic scheduling policy, generating sequences of timing events satisfying (4-5). The

s

132

Table 1: Methods that can solve instances of Problem 1 with description of the modeling, computational approaches, and list of restrictions. Models Algorithm Restrictions [15] difference inclusion LMI − [20] LMI − [26] LMI τ =τ =0 [27] LMI τ =τ =0 [37] SOS τ =τ =0 [22] Invariant sets τ =τ =0 [1] Reachability analysis τ =τ =0 [2] Reachability analysis − [30] time-delay systems LMI h=0 [24] LMI h = h, τ = 0 [31] LMI τ =τ =0 [23] LMI h=τ =τ =0 [7] hybrid systems SOS − [25] LMI τ = 0, h = 0

scheduler has control over the sampling and actuation instants (tski )k∈N , (tkai )k∈N and over the instants (tbki )k∈N when computation begins. However, the execution time (cik )k∈N and thus the instants when computation ends (teki )k∈N is determined by the environment and are thus uncontrollable from the point of view of the scheduler. Then, we consider the following schedulability property:

timed game automata. In fact, scheduling with timed automata are examined in literature [18, 21, 28] where in [21] an application on a steel plant is studied. The closest approach to our work is that depicted in [28] were the scheduling problem is reformulated in terms of timed game automata [13]. Although, therein the approach has the advantage of employing event-triggered controllers and eventually improves the resource utilization over the network, however it can only solve instances of our problem where tski = tbki , teki = taki and τ = τ = ci = ci = c ∈ R+ for all k ∈ N and i ∈ N[1,N ] .

Definition 2. The set of control tasks T = {(c1 , c1 ), . . . , (cN , cN )} is schedulable under timing contracts 1 N Θ = {θ(τ 1 , τ 1 , h1 , h ), . . . , θ(τ N , τ N , hN , h )}, if for all i i i i sequences (ck )k∈N with ck ∈ [c , c ], for all k ∈ N and i ∈ N[1,N ] , there exist sequences (tski )k∈N , (tbki )k∈N , (teki )k∈N , and (taki )k∈N satisfying (4-5), for all i ∈ N[1,N ] .

2.4

Timing contract synthesis

In Section 4, we will consider the problem of synthesizing a set of timing contracts that guarantee at the same time the stability of the systems and the schedulability of control tasks. i i ≤ τmax , Given the bounds on the parameters 0 ≤ τmin i i 0 < himin ≤ himax , with τmin ≤ himin , τmax ≤ himax , let

Then, we define the scheduling problem as follows: Problem 2 (Schedulability verification). Given a set of control tasks T = {(c1 , c1 ), . . . , (cN , cN )} and timing 1 N contracts Θ = {θ(τ 1 , τ 1 , h1 , h ), . . . , θ(τ N , τ N , hN , h )}, verify that T is schedulable under timing contracts Θ.

i i Di = [τmin , τmax ]2 × [himin , himax ]2 , i ∈ N[1,N ] ,

(6)

+

with N ∈ N , the timing contract synthesis problem is formalized as follows:

In Section 3, we will provide a solution to the schedulability verification problem. In addition, our approach will allow us to synthesize a dynamic scheduling policy for generating the sequences (tski )k∈N , (tbki )k∈N , (teki )k∈N , and (taki )k∈N satisfying (4-5), for all i ∈ N[1,N ] .

Problem 3 (Timing contract synthesis). Given a collection of systems {S1 , . . . , SN }, where Si = (Ai , Bi , Ki ) with Ai ∈ Rni ×ni , Bi ∈ Rni ×mi , and Ki ∈ Rmi ×ni , i ∈ N[1,N ] , a set of control tasks T = {(c1 , c1 ), . . . , (cN , cN )} with 0 ≤ ci ≤ ci , i ∈ N[1,N ] , and parameter sets Di , i ∈ N[1,N ] , synthesize a set P ∗ ⊆ (C N ) ∩ (D1 × · · · × DN ) such

Related work. In real-time scheduling of multiple tasks on a single processor, the objective is to obtain a calculation model related to concurrent execution of a given number of tasks [14, 16, 12]. In case some of the tasks are control tasks, scheduling and controller co-design problems are studied for periodic [6, 34], event-triggered [38], and self-triggered [17, 28] real-time implementations of the controller. In the same context, [32, 5, 4, 35] synthesize schedules based on the worst case execution time of the computational resource. In such a case, stability is guaranteed for each control loop but the schedule is conservative as long as the worst case computational time is assumed at every period for each task. Unlike these approaches, we decouple the controller stability problem and the scheduling design, using timing contracts, in order to synthesize conflict-free schedules using

1

N

that for all (τ 1 , τ 1 , h1 , h , . . . , τ N , τ N , hN , h ) ∈ P ∗ : 1. System Si = (Ai , Bi , Ki ) is GUES under timing contract θ(τ i , τ i , hi , hi ), for all i ∈ N[1,N ] . 2. The set of control tasks T = {(c1 , c1 ), . . . , (cN , cN )} is schedulable under timing contracts Θ = 1 N {θ(τ 1 , τ 1 , h1 , h ), . . . , θ(τ N , τ N , hN , h )}.

3.

SCHEDULING

In this section, we provide a solution to Problem 2. Our approach is based on timed automata [3] and timed game automata [33], which we briefly introduce in the following.

133

3.1

Timed and timed game automata

• Li = {Initi , P resami , P recompi , Compi , P reaci };

Let C be a finite set of real-valued variables called clocks. We denote by B(C) the set of conjunctions of clock constraints of the form c ∼ α where α ∈ R+ 0 , c ∈ C and ∼∈ {, ≥}. We define a timed automaton (TA) and a timed game automaton (TGA) as in [13]: Definition 3. A timed (L, l0 , Act, C, E, I) where

automaton

is

a

• l0i = Initi ; • Actic = {samplei , begini , actuatei }; • Actiu = {endi , ini }; • C i = {ci , ki };

sextuple

• E i = {(Initi , ci ≥ 0, ini , {ci }, P resami ), (P resami , ci ≥ hi , samplei , {ci }, P recompi ), (P recompi , ci ≥ 0, begini , {ki }, Compi ), (Compi , ki ≥ ci , endi , ∅, P reaci ), (P reaci , ci ≥ τ i , actuatei , ∅, P resami )};

• L is a finite set of locations; • l0 ∈ L is the initial location; • Act is a set of actions;

• Inv i (Initi ) = {ci ≥ 0}, i Inv i (P resami ) = {ci ≤ h }, i i i Inv (P recomp ) = {c ≤ τ i − ci }, Inv i (Compi ) = {ki ≤ ci }, Inv i (P reaci ) = {ci ≤ τ i }.

• C is a finite set of real-valued clocks; • E ⊆ L × B(C) × Act × 2C × L is the set of edges; • Inv : L → B(C) is a function that assigns invariants to locations.

Let the sequences (tski ), (taki ), (tbki ) and (teki ) be given by the instants of the discrete transitions labelled by actions samplei , actuatei , begini and endi , respectively. It is easy to see that these sequences satisfy the constraints given by (4). Conversely, one can check that all sequences satisfying (4) can be generated by executions of TGAi . Moreover, let us remark that the controllable actions are samplei , actuatei , begini which means that the controller determines the instants when sampling and actuation occur and when computation begins. However, endi is uncontrollable, which means that the execution time, and thus the instant at which computation ends is determined by the environment. This is consistent with the problem formulation in Section 2. Finally, the computational resource is used by system Si if the current location of TGAi is Compi . To take into account the constraint given by (5), stating that two systems cannot access the computational resource at the same time, we need to define the composition of the timed game automata defined above:

Definition 4. A timed game automaton is a septuple (L, l0 , Actc , Actu , C, E, I) such that (L, l0 , Actc ∪ Actu , C, E, I) is a timed automaton and Actc ∩ Actu = ∅, where Actc defines a set of controllable actions and Actu defines a set of uncontrollable actions. Formal semantics of TA and TGA are given in [13]. Informally, semantics of a TA is described by a transition system whose state consists of the current location and value of the clocks. Then, the execution of a TA can be described by two types of transitions defined as follows: • time progress: the current location l ∈ L is maintained and the value of the clocks grow at unitary rate; these transitions are enabled as long as the value of the clocks satisfies Inv(l). • discrete transition: an instantaneous transition from the current location l ∈ L to a new location l0 ∈ L labelled by an action a ∈ Act is triggered; these transitions are enabled if there is an edge (l, G, a, C 0 , l0 ) ∈ E, such that the value of the clocks satisfies G; in that case, the value of the clocks belonging to C 0 resets to zero.

Initi

The semantics of TGA is similar to that of TA with the specificity that discrete transitions labelled by a controllable action (i.e. a ∈ Actc ) are triggered by a controller, while discrete transitions labelled by an uncontrollable action (i.e. a ∈ Actu ) are triggered by the environment/opponent. In the following, we consider safety games (see e.g. [13]) defined by a set of unsafe locations Lu ⊆ L. A solution to the safety game is given by a winning strategy for the controller such that under any behavior of the environment/opponent, the set of unsafe locations is avoided by all executions of the TGA.

3.2

i

c ≥0

ini ci ≥ 0 ci := 0

P resami i

ci ≤ h

samplei ci ≥ hi ci := 0

i actuate ci ≥ τ i

P reaci

ci ≤ τ i − ci

ci ≤ τ i

endi k i ≥ ci

Scheduling using TGA

P recompi

begini ci ≥ 0 k i := 0 k i ≤ ci

In this section, we propose a solution to Problem 2 based on a reformulation using timed game automata.

Compi

Definition 5. Let i ∈ N[1,N ] , the timed game automaton generated by control task (ci , ci ) and timing contract i θ(τ i , τ i , hi , h ) is displayed in Figure 1 and is formally defined by TGAi = (Li , l0i , Actic , Actiu , C i , E i , Inv i ) where

Figure 1: TGAi where plain edges correspond to controllable actions while dashed edges correspond to uncontrollable actions.

134

Si : Systems' models Θ: Timing contracts T : Set of control tasks

Definition 6. The timed game automaton generated by the set of control tasks T = {(c1 , c1 ), . . . , (cN , cN )} and tim1 N ing contracts Θ = {θ(τ 1 , τ 1 , h1 , h ), . . . , θ(τ N , τ N , hN , h )} is given by TGA = (L, l0 , Actc , Actu , C, E, Inv) where • L = L1 × · · · × LN , thus l = (l1 , . . . , lN ) ∈ L denotes the location of TGA; • l0 = (Init1 , . . . , InitN ); S i • Actc = N i=1 Actc ; • Actu = • C=

SN

SN

i=1

i=1

set "

i=0

T is schedulable under timing contracts corresponding Si is stable under timing

Synthesize Psti for parameters of θi 2 Θ

contracts corresponding

Actiu ;

to any parameter in Psti

i

C ;

Synthesize P 0 ⊆ P00

i := i + 1

with d(P 0 ; P00 ) ≤ "

• E = {(lm , λ, act, C 0 , ln ) ∈ L×B(C)×(Actc ∪Actu )×L : j i ∃i ∈ N[1,N ] , lm = lnj ∀j 6= i and (lm , λ, act, C 0 , lni ) ∈ i E }; V i i • Inv(l) = N i=1 Inv (l ), i ∈ N[1,N ] .

No

i == N? Yes

Pst := Pst1 × : : : × PstN

TGA describes the parallel evolution of the TGA1 , . . . , TGAN . Then, the set of locations corresponding to conflicting accesses to the computational resources is Lu ⊆ L defined by: Lu = {l ∈ L : ∃(i, j) ∈ N2[1,N ] , i 6= j, (li = Compi ) ∧ (lj = Compj )}.

P ∗ := Pst \ f(P 0 )

Figure 2: Workflow of the proposed approach.

(7)

From the previous discussions, it follows that T is schedulable under timing contracts Θ if there is a winning strategy to the safety game defined by the timed game automaton TGA and the set of unsafe locations Lu . From the practical point of view, the safety game can be solved using the tool UPPAAL-TIGA [8]. The tool synthesizes a winning strategy when it exists, which provides us with a dynamic scheduling policy for generating the sequences (tski )k∈N , (tbki )k∈N , (tkei )k∈N , and (taki )k∈N satisfying (4-5), for all i ∈ N[1,N ] .

4.

i

that for all (τ i , τ i , hi , h ) ∈ Ci∗ , Si is GUES under timing contract θ(τ i , τ i , hi , hi ). ∗ , it folThen, defining the set Pst = C1∗ × · · · × CN 1 N 1 N 1 1 N N lows that for all (τ , τ , h , h , . . . , τ , τ , h , h ) ∈ Pst , system Si = (Ai , Bi , Ki ) is GUES under timing contract θ(τ i , τ i , hi , hi ), for all i ∈ N[1,N ] .

4.2

Guarantee on schedulability

In this section, given the set Pst , defined in the previous section, we solve Problem 3 by synthesizing a set P ∗ ⊆ Pst 1 N such that for all (τ 1 , τ 1 , h1 , h , . . . , τ N , τ N , hN , h ) ∈ P ∗ , the set of control tasks T is schedulable under timing con1 N tracts Θ = {θ(τ 1 , τ 1 , h1 , h ), . . . , θ(τ N , τ N , hN , h )}. The timing contract parameters are given by the vector 1 N p = (τ 1 , τ 1 , h1 , h , . . . , τ N , τ N , hN , h ). We then define the following Boolean function for p ∈ C N ∩ (D1 × · · · × DN ):

TIMING CONTRACT SYNTHESIS

In this section, we propose a solution to Problem 3. Given a collection of systems {S1 , . . . , SN }, a set of control tasks T = {(c1 , c1 ), . . . , (cN , cN )} with 0 ≤ ci ≤ ci , i ∈ N[1,N ] , and parameter sets D1 , . . . , DN , we use a previous result [2] and a monotonicity property to design an algorithm that synthesizes a set of timing contracts ensuring stability of each system Si and schedulability of T . The workflow of the proposed approach is depicted in Figure 2. The problem is divided into two parts. First, we synthesize timing contract giving a guarantee on stability for every system Si , i ∈ N[1,N ] , where a set Pst is synthesized as explained in Section 4.1. Also in this part, when it is necessary we could use any method from Section 2.2 for checking stability. In the second part, we follow the steps illustrated in Section 4.2 to synthesize a set P 0 giving a guarantee on schedulability. Notice that the method proposed in Section 3 is used for checking schedulability of control tasks. As a consequence, a solution to Problem 3 is given by P ∗ .

4.1

Define parameter p and a to any p 2 f(P 0 ) reparameterization p0 := f(p)

Sched(p) ≡ T is schedulable under timing contracts Θ. In order to solve Problem 3 we need to compute (a subset of) the set P0 defined by P0 = {p ∈ C N ∩ (D1 × · · · × DN ) : Sched(p)}.

Re-parametrization 0 We define a new parameter p0 ∈ D10 × · · · × DN with

Di0 =

Guarantee on stability

i i i i [τmin , τmax ] × [−τmax , −τmin ] × [himin , himax ] × (8)

[−himax , −himin ], i ∈ N[1,N ] ,

For i ∈ N[1,N ] , we consider each of the systems Si = (Ai , Bi , Ki ) and the set Di given by (9), i ∈ N[1,N ] . We use Algorithm 2 in [2] to synthesize a set Ci∗ ⊆ C ∩ Di such

such that p0 = (β11 , β21 , β31 , β41 , . . . , β1N , β2N , β3N , β4N ). We fur0 ther define the map f : (D10 × · · · × DN ) → (D1 × · · · × DN )

135

1

0

N

such that f (p0 ) = p = (τ 1 , τ 1 , h1 , h , . . . , τ N , τ N , hN , h ), where for all i ∈ N[1,N ]

Then, P 0 ⊆ Po0 ⊆ P . Moreover, P ∗ = f (P 0 ) ∩ Pst is a solution to Problem 3 0

Proof. P 0 ⊆ Po0 ⊆ P is a direct consequence of Proposition 1. Then, it follows that P ∗ is a solution to Problem 3.

i

τ i = β1i , τ i = min(−β2i , −β4i ), hi = β3i , h = −β4i . We associate to the parameter p0 a constraint set (C 0 )N where   β1 ≤ min(−β2 , −β4 ) − + − C 0 = β ∈ R+ × R × R × R : . 0 0 β3 ≤ −β4

4.3

Last we define the set Po0 by : n o 0 Po0 = p0 ∈ D10 × · · · × DN : ((p0 ∈ (C 0 )N ) ∧ Sched(f (p0 ))) . One can check that the following relation holds: Po = f (Po0 ). We can then show that ity property:

Po0

(9)

satisfies the following monotonic-

Algorithm 1. Timing contract synthesis function TC Synth(T ,{D1 , . . . , DN },Pst ) i i input: T , Di = [τmin , τmax ]2 × [himin , himax ]2 , i ∈ N[1,N ] , N Pst ⊆ C ∩ (D1 × · · · × DN ), output: P ∗ ⊆ C N ∩ (D1 × · · · × DN ) parameter: ε ∈ R+ 1: if p0max ∈ Po0 then 2: return (D1 × · · · × DN ) ∩ Pst ; 0 0 ) \ {p0max }; 3: else P := (D10 × · · · × DN 4: end if 5: if p0min ∈ / Po0 then 6: return ∅; 7: else P 0 := {p0min }; 8: end if 0 9: while d(P 0 , P ) > ε do . main loop 0 0 10: Pick p ∈ P \ P 0 ; . select next sample 11: if p0 ∈ Po0 then 0 12: P 0 := P 0 ∪ {p0∗ ∈ (D10 × · · · × DN ) : p0∗ ≤ p0 }; 0 0 0 0 0 13: else P := P \ {p∗ ∈ (D1 × · · · × DN ) : p0 ≤ p0∗ }; 14: end if 15: end while 16: return f (P 0 ) ∩ Pst ;

0 Proposition 1. For all p01 , p02 ∈ D10 × · · · × DN , the following implications hold:
(p02 ≤ p01 ) ∧ (p01 ∈ Po0 ) =⇒ p02 ∈ Po0 .

(p02 ≤ p01 ) ∧ (p02 ∈ / Po0 )




=⇒ p01 ∈ / Po0 .

Proof. Let p01 = (β11 , β21 , β31 , β41 , . . . , β1N , β2N , β3N , β4N ) and p02 = (α11 , α21 , α31 , α41 , . . . , α1N , α2N , α3N , α4N ). We assume p02 ≤ p01 and p01 ∈ Po0 . Then p01 ∈ (C 0 )N which implies α1i ≤ β1i ≤ −β2i ≤ α2i , α1i ≤ β1i ≤ −β4i ≤ −α4i , and α3i ≤ β3i ≤ −β4i ≤ −α4i for all i ∈ N[1,N ] . Thus p02 ∈ (C 0 )N . We also have Sched(f (p01 )). In this case, 1 N N N p1 = f (p01 ) = (τ 11 , τ 11 , h11 , h1 , . . . , τ N 1 , τ 1 , h1 , h1 ) and p2 = 1 N N N N f (p02 ) = (τ 12 , τ 12 , h12 , h2 , . . . , τ N 2 , τ 2 , h2 , h2 ) satisfy p1 ∈ C , N p2 ∈ C and for all i ∈ N[1,N ] i

i

τ i2 ≤ τ i1 , τ i2 ≥ τ i1 , hi2 ≤ hi1 , h2 ≥ h1 .

(10)

It is easy to check that if T is schedulable under timing 1 N N N contracts Θ1 = {θ(τ 11 , τ 11 , h11 , h1 ), . . . , θ(τ N 1 , τ 1 , h1 , h1 )} then T is schedulable under timing contracts Θ2 = 1 N N N {θ(τ 12 , τ 12 , h12 , h2 ), . . . , θ(τ N 2 , τ 2 , h2 , h2 )} for all p2 ∈ C sat0 isfying (10). Thus, Sched(f (p2 )) holds and p02 ∈ Po0 . This proves the first implication. For the second implication, it is sufficient to check that
(p02 ≤ p01 ) ∧ (p01 ∈ Po0 ) =⇒ p02 ∈ Po0 ¬(p02 ≤ p01 ) ∨ (p01 ∈ / Po0 ) ∨ (p02 ∈ Po0 )
0 0 0 ≡ (p2 ≤ p1 ) ∧ (p2 ∈ / Po0 ) =⇒ p01 ∈ / Po0 .

≡

Now using Proposition 1 and the set Pst obtained in Section 4.1 we can sample the parameter space to solve Problem 3. Theorem 1. Let p1 , . . . , pM1 ∈ Po0 , and p1 , . . . , pM2 ∈ 0 × · · · × DN \ Po0 and let

D10

M1

P0

=

[

0 {p0 ∈ D10 × · · · × DN : pj ≥ p0 },

j=1

P

0

M2

=

0 (D10 × · · · × DN )\

[

Algorithm for timing contract synthesis

Theorem 1 shows that it is possible to compute under and over-approximations of the set Po0 by sampling the parame0 ter space D10 × · · · × DN . In this section, given the set Pst from Section 4.1, we use this property to design a synthesis algorithm. Similar algorithms have been used in [29, 39] for computing an approximation of the Pareto front of a monotone multi-criteria optimization problem. Indeed, this latter problem can be tackled by computing an under and over-approximation of a set satisfying a monotonicity property similar to that of Proposition 1.

0 {p0 ∈ D10 × · · · × DN : p0 ≥ pj }.

j=1

136

Algorithm 1 computes an under-approximation P 0 and an 0 over-approximation P of the set Po0 by sampling iteratively 0 . the parameter space D10 × · · · × DN Lines 1 to 8 initialize these approximations by testing both 1 1 the lower bound p0min = (τmin , −τmax , h1min , −h1max , . . . , N N N τmin , −τmax , hN , −h ) and the upper bound p0max = max min 1 1 1 1 N N N (τmax , −τmin , hmax , −hmin , . . . , τmax , −τmin , hN max , −hmin ) 0 0 0 0 of the set D1 × · · · × DN . If pmax ∈ Po , then by Theorem 1, 0 f (D10 × · · · × DN ) ∩ Pst = (D1 × · · · × DN ) ∩ Pst is a solution to Problem 3. Note that in that case, all timing1 N N N contract parameters, (τ 11 , τ 11 , h11 , h1 , . . . , τ N 1 , τ 1 , h 1 , h1 ) ∈ D1 ×· · ·×DN guarantee the schedulability of T under timing 1 N contracts Θ = {θ(τ 1 , τ 1 , h1 , h ), . . . , θ(τ N , τ N , hN , h )}. 0 0 0 0 If pmax ∈ / Po , then (D1 × · · · × DN ) \ {pmax } is an over-approximation of Po0 . Similarly, if p0min ∈ / Po0 , then by Theorem 1, Po0 = ∅. Note that in that case, no timing-contracts can guarantee the schedulability of T . If p0min ∈ Po0 , then {p0min } is an under-approximation of Po0 . Lines 9 to 14 describe the main loop of the timing contract synthesis algorithm. At any time of the execution, 0 0 P 0 ⊆ Po0 ⊆ P holds. We pick a sample p0 ∈ P \ P 0

the triggering of controllable actions that occur at (tski )k∈N , (tbki )k∈N , and (taki )k∈N , with i ∈ N[1,2] , guaranteeing that the set of bad states Lu of the system, given by (13), is never reached regardless of when uncontrollable actions occurring at (teki )k∈N , i ∈ N[1,2] , are exactly taken. Using UPPAAL-TIGA, we successfully prove that T is schedulable under timing contracts Θ, and thus a scheduling policy was found. The computation time required to solve the game was 1.37 seconds. Figure 3 shows the timing of events resulting from this scheduling policy. The first and second plots show that the timing contracts θ(0.1, 0.35, 0.3, 0.85) and θ(0.2, 0.6, 0.8, 1.15) are respected for both systems S1 and S2 respectively. The third plot shows that only one of the two systems gains access to the shared processor at a time since it appears clearly that

which is the unexplored parameter region lying in the overapproximation of Po0 but not in its under-approximation. If p0 ∈ Po0 (or if p0 ∈ / Po0 ), then we update the under0 0 approximation P (or the over-approximation P ) according to Theorem 1. The algorithm stops when the Hausdorff dis0 tance between the P 0 and P becomes smaller than ε. One 0 rising issue is that the choice of the sample p0 ∈ P \ P 0 , at line 10, is crucial for the efficiency of the algorithm. In our implementation, we use the selection criteria proposed in [29] which consists in choosing the sample that will pro0 duce the fastest decrease of the Hausdorff distance d(P 0 , P ). In [39] an alternative selection criteria based on multiscale grid exploration is proposed. Finally, it is important to note that Algorithm 1 needs testing if the samples p0 ∈ Po0 , which requires checking the condition Sched(f (p0 )). In our implementation, this is done using the method proposed in Section 3, which assures us that the set f (P 0 ) tends to P0 as ε → 0, where P0 1 N is the set of all solutions (τ 1 , τ 1 , h1 , h , . . . , τ N , τ N , hN , h ) such that T is schedulable under timing contracts Θ = 1 N {θ(τ 1 , τ 1 , h1 , h ), . . . , θ(τ N , τ N , hN , h )}.

5.

for all t ∈ R+ 0 , Com(S1 , t) ∧ Com(S2 , t) ≡ False. One can notice that in the first three control cycles of S2 , the beginning of the computation has to be delayed until the computational resource is released by S1 . Using this scheduling policy, Figure 4 shows results of simulating S1 and S2 , when they share a single processor to compute the value of their control inputs, for the initial states x10 = ( 23 ) and x20 = ( 23 ) with ts01 = 0.4 and ts02 = 0.9. As shown, trajectories of both systems converge to zero and therefore the scheduling policy in this case guarantees the exponential stability of each system.

ILLUSTRATIVE EXAMPLE

In this section, we verify the stability and the schedulability of two systems sharing a common computational resource under given timing contracts. Then, we show an application of the timing contract synthesis algorithm. We implemented the scheduling approach presented in Section 3 in UPPAAL-TIGA [8] and Algorithm 1 in Matlab. All reported experiments are realized on a desktop with i7 4790 processor of frequency 3.6 GHz and a 8 GB RAM. We consider two systems S1 = (A1 , B1 , K1 ) and S2 = (A2 , B2 , K2 ), taken from [11], given by the following matrices:    
0 1 0 A1 = , B1 = , K1 = −3.75 −11.5 . 0 −0.1 0.1 (11)  A2 =

0 −2

   1 0 , B2 = , K2 = 1 0.1 1


0 .

5.3

(12)

Furthermore, we set the best and worst case execution times for each task as c1 = 0.12, c1 = 0.35, c2 = 0.04, and c2 = 0.12.

5.1

Stability verification

Using Algorithm 1 in [2] we could verify that systems S1 and S2 are GUES under timing contracts θ(0.1, 0.35, 0.3, 0.85) and θ(0.2, 0.6, 0.8, 1.15) respectively. The computation times required for stability verification are 1.96 seconds and 1.5 seconds, respectively.

5.2

Timing contract synthesis

We now consider the timing contract synthesis problem for systems S1 and S2 and the set of control tasks T = {(c1 , c1 ), (c2 , c2 )}. We fix τ 1 = 0.1, h1 = 0.3, τ 2 = 0.2, and h2 = 0.8 and consider the following bounds on parameters D1 = [0.1, 0.1] × [0.1, 0.76] × [0.3, 0.3] × [0.3, 1.72] and D2 = [0.2, 0.2] × [0.2, 1.16] × [0.8, 0.8] × [0.8, 2.02] . Using Algorithm 2 in [2], we synthesize the set Pst = C1∗ × C2∗ ⊆ C 2 ∩ (D1 × D2 ) such that for all 1 2 (τ 1 , τ 1 , h1 , h , τ 2 , τ 2 , h2 , h ) ∈ Pst , system Si = (Ai , Bi , Ki ) is GUES under timing contract θ(τ i , τ i , hi , hi ), for all i ∈ 1 2 N[1,2] . The sets C1∗ and C2∗ , in the (τ 1 , h ) plane and (τ 2 , h ) plane respectively, are shown by Figure 5. Then, we search for a set P ∗ ⊆ Pst such that for 1 2 all (τ 1 , τ 1 , h1 , h , τ 2 , τ 2 , h2 , h ) ∈ P ∗ , the set of control tasks T is schedulable under timing contracts Θ = 1 2 {θ(τ 1 , τ 1 , h1 , h ), θ(τ 2 , τ 2 , h2 , h )}. We set the parameter ε = 0.04, and apply Algorithm 1 to compute the set P ∗ . The algorithm tested 944 parameter samples and the computation time was 43.4 minutes. A section of the sets f (P 0 ) 1 and P ∗ in the (0.1, τ 1 , 0.3, h , 0.6, 0.6, 1.15, 1.15) domain is shown in Figure 6.

Scheduling

6.

Now, we consider the set of control tasks T = {(c1 , c1 ), (c2 , c2 )} and the same timing contracts Θ = {θ(0.1, 0.35, 0.3, 0.85), θ(0.2, 0.6, 0.8, 1.15)} as in the previous section. In order to solve the scheduling problem, we associate to T the timed game automaton TGA as given in Definition 6. Following the approach in Section 3, we solve the safety game on TGA to find a strategy (if it exists) for

CONCLUSION

In this work, we proposed useful tools for contract-based design of embedded control systems under the form of a scheduling approach and an algorithm for timing contract synthesis. These tools can be used by control and software engineers to derive requirements that must be met by the real-time implementation of a control law. The validity of our approach has been shown on examples. As future work, it would be interesting to handle the problem of controller

137

1 Sampling Actuation Beginning/End of Computation

0.5

0 0

0.5

1

1.5 time

2

2.5

3

0

0.5

1

1.5 time

2

2.5

3

0

0.5

1

1.5 time

2

2.5

3

1.5 1 0.5 0

2

1

0

Figure 3: Timing of events (sampling, beginning/end of computation, and actuation) for systems S1 (first plot) and S2 (second plot) during the first 3 seconds; dotted lines represent constraints on actuation instants, while dashed lines represent constraints on sampling instants. In the third plot, the dotted line represents Com(S2 , t) (less frequent) and the dashed line represents Com(S1 , t) (more frequent).

References [1] M. Al Khatib, A. Girard, and T. Dang. Stability verification and timing contract synthesis for linear impulsive systems using reachability analysis. Nonlinear Analysis: Hybrid Systems, 2016. http://dx.doi.org/10.1016/j.nahs.2016.08.007. [2] M. Al Khatib, A. Girard, and T. Dang. Verification and synthesis of timing contracts for embedded controllers. In Proceedings of the 19th International Conference on Hybrid Systems: Computation and Control, pages 115–124. ACM, 2016. [3] R. Alur and D. L. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183–235, 1994. [4] A. Aminifar, P. Eles, and Z. Peng. Jfair: a scheduling algorithm to stabilize control applications. In Real-Time and Embedded Technology and Applications Symposium (RTAS), pages 63–72. IEEE, 2015.

Figure 4: Trajectories for systems S1 (left) and S2 (right) using the synthesized scheduling policy.

[5] A. Aminifar, S. Samii, P. Eles, Z. Peng, and A. Cervin. Designing high-quality embedded control systems with guaranteed stability. In Real-Time Systems Symposium (RTSS), pages 283–292. IEEE, 2012. synthesis given a timing contract, and to co-synthesize the controller and the timing contracts guaranteeing the schedulability of the latter and the stability of each of the systems.

[6] A. Aminifar, P. Tabuada, P. Eles, and Z. Peng. Self-triggered controllers and hard real-time guarantees. In Design, Automation & Test in Europe

138

Figure 6: A 2D section of f (P 0 ) (top) and P ∗ (bot1 tom) in the (0.1, τ 1 , 0.3, h , 0.6, 0.6, 1.15, 1.15) domain.

Figure 5: Timing contract parameters that guarantee stability for each system S1 and S2 : C1∗ (top) and C2∗ (bottom).

[10] A. Benveniste, B. Caillaud, D. Nickovic, R. Passerone, J.-B. Raclet, P. Reinkemeier, A. Sangiovanni-Vincentelli, W. Damm, T. Henzinger, and K. Larsen. Contracts for systems design: theory. Research Report RR-8759, Inria Rennes Bretagne Atlantique ; INRIA, July 2015.

Conference & Exhibition (DATE), pages 636–641. IEEE, 2016. [7] N. W. Bauer, P. J. H. Maas, and W. P. M. H. Heemels. Stability analysis of networked control systems: A sum of squares approach. Automatica, 48(8):1514–1524, 2012.

[11] C. Briat. Convex conditions for robust stability analysis and stabilization of linear aperiodic impulsive and sampled-data systems under dwell-time constraints. Automatica, 49(11):3449–3457, 2013.

[8] G. Behrmann, A. Cougnard, A. David, E. Fleury, K. G. Larsen, and D. Lime. UPPAAL-TIGA: Time for playing games! In International Conference on Computer Aided Verification, pages 121–125. Springer, 2007.

[12] G. Buttazzo. Hard real-time computing systems: predictable scheduling algorithms and applications, volume 24. Springer Science & Business Media, 2011.

[9] A. Benveniste, B. Caillaud, D. Nickovic, R. Passerone, J.-B. Raclet, P. Reinkemeier, A. Sangiovanni-Vincentelli, W. Damm, T. Henzinger, and K. Larsen. Contracts for systems design: methodology and application cases. Research Report RR-8760, Inria Rennes Bretagne Atlantique ; INRIA, July 2015.

[13] F. Cassez, A. David, E. Fleury, K. G. Larsen, and D. Lime. Efficient on-the-fly algorithms for the analysis of timed games. In CONCUR 2005-Concurrency Theory, pages 66–80. Springer-Verlag, 2005.

139

[14] A. Cela, ¸ M. B. Gaid, X.-G. Li, and S.-I. Niculescu. Optimal design of distributed control and embedded systems. Springer Science & Business Media, 2013.

[28] A. S. Kolarijani, D. Adzkiya, and M. Mazo. Symbolic abstractions for the scheduling of event-triggered control systems. In 54th IEEE Conference on Decision and Control (CDC), pages 6153–6158. IEEE, 2015.

[15] M. B. G. Cloosterman, L. Hetel, N. Van De Wouw, W. P. M. H. Heemels, J. Daafouz, and H. Nijmeijer. Controller synthesis for networked control systems. Automatica, 46(10):1584–1594, 2010.

[29] J. Legriel, C. Le Guernic, S. Cotton, and O. Maler. Approximating the pareto front of multi-criteria optimization problems. In Tools and Algorithms for the Construction and Analysis of Systems, pages 69–83. Springer, 2010.

[16] F. Cottet, J. Delacroix, C. Kaiser, and Z. Mammeri. Scheduling in real-time systems. Scheduling in Real-Time Systems, page 282, 2002.

[30] K. Liu, E. Fridman, and L. Hetel. Networked control systems in the presence of scheduling protocols and communication delays. SIAM Journal on Control and Optimization, 53(4):1768–1788, 2015.

[17] S.-L. Dai, H. Lin, and S. S. Ge. Scheduling-and-control codesign for a collection of networked control systems with uncertain delays. IEEE Transactions on Control Systems Technology, 18(1):66–78, 2010.

[31] K. Liu, V. Suplin, and E. Fridman. Stability of linear systems with general sawtooth delay. IMA Journal of Mathematical Control and Information, 27(4):419–436, 2010.

[18] A. David, J. Illum, K. G. Larsen, and A. Skou. Model-based framework for schedulability analysis using uppaal 4.1. Model-based design for embedded systems, 1(1):93–119, 2009.

[32] R. Majumdar, I. Saha, and M. Zamani. Performance-aware scheduler synthesis for control systems. In International Conference on Embedded Software, pages 299–308. ACM, 2011.

[19] P. Derler, E. A. Lee, S. Tripakis, and M. T¨ orngren. Cyber-physical system design contracts. In ACM/IEEE International Conference on Cyber-Physical Systems, pages 109–118, 2013.

[33] O. Maler, A. Pnueli, and J. Sifakis. On the synthesis of discrete controllers for timed systems. In Annual Symposium on Theoretical Aspects of Computer Science, pages 229–242. Springer, 1995.

[20] M. C. F. Donkers, W. P. M. H. Heemels, N. Van De Wouw, and L. Hetel. Stability analysis of networked control systems using a switched linear systems approach. IEEE Transactions on Automatic Control, 56(9):2101–2115, 2011.

[34] P. Naghshtabrizi and J. P. Hespanha. Analysis of distributed control systems with shared communication and computation resources. In American Control Conference, pages 3384–3389. IEEE, 2009.

[21] A. Fehnker. Scheduling a steel plant with timed automata. Computing Science Institute Nijmegen, Faculty of Mathematics and Informatics, Catholic University of Nijmegen, 1999.

[35] I. Saha, S. Baruah, and R. Majumdar. Dynamic scheduling for networked control systems. In Proceedings of the 18th International Conference on Hybrid Systems: Computation and Control, pages 98–107. ACM, 2015.

[22] M. Fiacchini and I.-C. Morarescu. Set theory conditions for stability of linear impulsive systems. In IEEE Conference on Decision and Control, pages 1527–1532, 2014. [23] H. Fujioka. Stability analysis of systems with aperiodic sample-and-hold devices. Automatica, 45(3):771–775, 2009.

[36] A. Sangiovanni-Vincentelli, W. Damm, and R. Passerone. Taming dr. frankenstein: Contract-based design for cyber-physical systems. European Journal of Control, 18(3):217–238, 2012.

[24] H. Gao, X. Meng, T. Chen, and J. Lam. Stabilization of networked control systems via dynamic output-feedback controllers. SIAM Journal on Control and Optimization, 48(5):3643–3658, 2010.

[37] A. Seuret and M. Peet. Stability analysis of sampled-data systems using sum of squares. IEEE Transactions on Automatic Control, 58(6):1620–1625, 2013.

[25] W. P. M. H. Heemels, A. R. Teel, N. Van de Wouw, and D. Neˇsi´c. Networked control systems with communication constraints: Tradeoffs between transmission intervals, delays and performance. IEEE Transactions on Automatic Control, 55(8):1781–1796, 2010.

[38] P. Tabuada. Event-triggered real-time scheduling of stabilizing control tasks. IEEE Transactions on Automatic Control, 52(9):1680–1685, 2007. [39] P. Tendulkar. Mapping and Scheduling on Multi-core Processors using SMT Solvers. PhD thesis, Universite de Grenoble I-Joseph Fourier, 2014.

[26] L. Hetel, J. Daafouz, S. Tarbouriech, and C. Prieur. Stabilization of linear impulsive systems through a nearly-periodic reset. Nonlinear Analysis: Hybrid Systems, 7(1):4–15, 2013. [27] L. Hetel, A. Kruszewski, W. Perruquetti, and J.-P. Richard. Discrete and intersample analysis of systems with aperiodic sampling. IEEE Transactions on Automatic Control, 56(7):1696–1701, 2011.

140