Lecture 11 :Part I: ZonesPart II: TTAs

CS5270, P.S. Thiagarajan

Zones

• A more compact representation.– Of equivalence classes of valuations.

• Can be efficiently represented as Difference Bounded Matrices (edge weighted directed graphs).

• DBMs admit a canonical representation.

• DBMs can be manipulated efficiently.

Why not regions?

• The number of regions can be very large:– Exponential in the number of clocks AND in

the size of the maximal constants appearing in the clock constraints.

– Practical verification becomes infeasible.

An Example

x

y

x

y

0-dimensional regions: 12

x

y

1-dimensional regions: 23

x

y

2-dimensional regions: 12

x

y

Total number of regions: 47

x

y

One Zone:

(2 ≤ x ≤ 5) (2 ≤ y ≤ 4)

Zones

• A zone is a clock constraint of a particular form.

• Z::= x c | x – y c | 1 2

{<, ≤, >, }• c is a natural number.

• Every region is a zone (exercise!).

Zone Automaton

• Every TTA has an associated Zone automaton ZTTA.

• This can be constructed effectively.

• But this does not do too much for us.

• Savings occur when we construct the Zone automaton on the fly to check reachability properties.

The Basic Algorithm.

Symbolic Reachability Analysis Algorithm:PASSED = ; WAIT = {(s0, D0)}While WAIT do take (s, D) from WAIT If s = sf then return ‘YES” if D is not a subset of D’ for every (s, D’) in PASSED then

add (s, D) to PASSED. For all (s1, D1) so that (s, D) ----> (s1, D1), add (s1, D1) to WAIT. end for. end ifend while

The Zone transition relation

• (s, D) ----> (s, D I(s) )– D = {V + | V D}– D is a zone.– From D we can compute D.

• (s, D) ---> (s’, D’) if there is a transition (s, g, X, s’) in TTS such that:– D’ = RX(D g) I(s’)– RX(D) = {RX(V) | V D}

• RX(V) (y) = 0 if y X, V(y) otherwise.

– RX(D) is a zone.– D’ is non-empty.

• D’ is a zone and can be computed from D.

Termination

• To ensure termination:– Remove constraints of the form x < m , x ≤ m,

x – y < m and x – y ≤ m if m > Cx.

– Replace x > m and x m with x > Cx if m > Cx.

– Replace y – x > m and y – x m with y –x > Cx and y – x Cx when m > Cx.

Zone operations

• We need to compute D.• Given D1 and D2, we need to compute

D1 D2.

• Given D and D’ we need to be able to check if D is a subset of D’.

• We must be able check if D is empty.

Zone representation.

• A zone can be represented as a DBM:– Difference Bounded Matrix.

• Invent a new clock variable x0 (which will always be 0).

• All basic constraints will be of the form

xi – xj < m or xi – xj ≤ m where m is an integer (positive or negative).

Zone Representation

• x2 < 3 becomes x2 – x0 < 3.

• X5 7 becomes x0 – x5 ≤ -7.

• X2 – x5 > 8 becomes x5 –x2 < -8.

The Matrix Representation.

x_0

x_1

x_2

.

.x_i

.

x_n

x_0 x_1 x_2 . . . x_j x_n

(2, 1)

xi – xj ≤ 2

The Matrix Representation.

x0

x1

x2

.

.xi

.

xn

x0 x1 x2 . . . xj xn

(2, 0)

xi – xj < 2

The Matrix Representation.

x0

x1

x2

.

.x3

.

x0 x1 x2 . . . x3

(0, 3)

(0, 5) (0, 2)

(0, 10) (0, 2)

(0, -4) ∞

The Graph Representation

x y(k, 1)

y – x ≤ k

x y(k, 0)

y – x < k

The Graph Representation

X1 X2

X0X3

32

-4

10

2

5

Closed Representations

• Two different zones (DBMs) can represent the same set of valuations.– (y – x ≤ 3, x = 2, y = 4) (y –x = 2, x =2, y = 4)

• A zone is closed if no constraint can be strengthened without reducing the set of associated valuations.

• Two closed zones are equivalent iff they are identical.

• So it is good to get closed zones.

Closed Zones.

• Take the graph of the zone.

• Remove all redundant edges.– The edge from x to y with weight k is

redundant if there is a path from x to y whose weight is less than or equal to k.

• Using a shortest path algorithm, the closed zone version can be computed in O(n3) time.

Closed Zones

• If D is closed then D is a subset of D’ iff for every constraint x – y ≤ m’ in D’ there is a constraint x – y ≤ m in D with m ≤ m’.

• If D is closed then D is non-empty iff there are no negative weight cycles in the graph.

• The other operations can also be performed on the graphs efficiently.

Introduction

• TTP:– A real-time protocol for distributed systems.

• high dependability • guaranteed timeliness

• Application domains: – Automotive electronics– Fly-by-wire cockpits– Railway signaling systems

Acknowledgements

• The following slides have been assembled from many web sources. In particular:

• H.Kopetz and G.Grünsteidl; Digest of Papers, FTCS-23. (IEEE CS 23rd Intl. Symp. on Fault-Tolerant Computing), Aug. 1993, pp.524 -533; Presented by Shruti Gorappa

Features of the TTP

• Fault-tolerance• Small overhead• Integrates numerous services

– Predictable message transmission– Message acknowledgement in group communication– Clock synchronization– Membership– Rapid mode change– Redundancy management– Temporary blackout handling

Assumptions

• Fail-silence– Communication channels only have omission

failures.– Nodes either deliver correct results or no

results • Internal failures are detected and node turned off

System Overview

• FTU- single or replicated nodes

• Replicated communication channels

• The channel is a broadcast bus

• Access is by TDMA driven by progression of global time

• Local nodes time synchronized by TTP

• Communication by rapid and periodic message exchanges

TTP Design Rationale

• Sparse time base– Messages are sent only at statically designated intervals– Inflexible compared to Event-triggered (ET) model, but easier to

test• Use of apriori knowledge

– All nodes are aware of when each node is scheduled to transmit– Sender node information need not be included in frame– Reduced overhead

• Broadcast– Correctness of transmitted message can be concluded as soon

as one receiver acknowledges message delivery (broadcast medium)

Protocol Highlights

• Bus access– A FTU will have one or two time slots depending on class of

fault-tolerance– Time be different for each node depending on amount of data

that it needs to send– Number of slots in a TDMA round given to an FTU may also be

different

• Membership Service– If a message from a sending node does not occur in designated

interval, its membership is set to 0 in other nodes– Membership checked before transmission. A node is alive if

• Its internal error detection mechanism has not indicated error• At least one of its transmitted frames has been correctly

acknowledged.

Protocol Highlights

• Temporary blackout handling– Correlated failure of a number of nodes – Identified by sudden drop in membership– Nodes send I-messages and perform local

emergency control– After membership has stabilized, mode

changed to global emergency service

Protocol Highlights

Temporal encapsulation of nodes– Communication bandwidth assigned statically– Time base is sparse- every input can be observed

and reproduced exactly

• Testability – Easy to test the implementation in comparison to ET– Easy to simulate –finite number of execution

scenarios• Uncontrolled interactions between nodes are prevented• Determinism- can replicate states of nodes

Strengths

• Can provide fault-tolerant real-time performance• Practical (MARS platform), efficient, and

scalable– Can be implemented using available hardware,

signalling mechanisms– Low overhead– High data rates, used in both twisted fiber and optical

channels

• Reusability, composability, and testability

Weaknesses

• The schedule is fixed so there is no bandwidth allocated for alarms and other spontaneous messages

• All fault-tolerance mechanism is implemented at system level, this means that very little “freedom” is left for application specific implementations

• Addition of nodes affects the existing system (although not the application)

References

• Kopetz, H., and Grunsteidl, G., "TTP - A time-triggered protocol for fault-tolerant real-time systems",  Digest of Papers., FTCS-23. (IEEE CS 23rd Int' Symp. on Fault-Tolerant Computing), Aug. 1993, pp.524 -533

• The Real-time Systems Research Group, Institut für Technische Informatik, Vienna University of Technology http://www.vmars.tuwien.ac.at/projects/ttp/ttpmain.html

• REAL-TIME COMMUNICATION- Evaluation of protocols for automotive systems, MICHAEL WAERN, http://www.md.kth.se/RTC/MSc-theses/RT-Com-Evaluation-Waern.pdf

• CAN bus, http://www.can-cia.org/can/protocol/• Time-triggered Technology, http://www.tttech.com/

Event-triggered Vs. Time-Triggered

• Interface to the external physical world:– Event-triggered.

• Implementation architecture:– Time- triggered?– Predicatable– Composability.

• How to integrate the two paradigms?– Interesting research opportunities!

The Automotive Electronics Case

• Current scene:– Current systems contain upto 70 ECUs

(Electronic Control Units).– Each ECY is developed and acts

independently; very little integration.– Communication:

• Event-triggered• Slow; 500 Kbits/sec

The Automotive Electronics Case

• Next Generation:– Integrated architecture.– Distributed, safety-critical, real time.– Why?

• Costs: – reduce the number of ECUs.

• Reliability• Safety• Multiple use of sensors.

Conclusion

• Time-Triggered architectures and protocols are likely to become important.

• Also related to synchronous programming languages:– Lustre, Signal, Esterel

• There are also other timed models:– Timed Petri nets, …