Verification of Real Time Systems CS 5270 Lecture 1 Hugh Anderson (Helped by P.S. Thiagarajan) 9/20/2018 CS5270 Lecture1
Basic Info Hugh Anderson S15 #06-12 ; Tel Ext. 6903 hugh@comp.nus.edu.sg www.comp.nus.edu.sg/~hugh Course web page: www.comp.nus.edu.sg/~cs5270 We will be using the IVLE system once I set it up…. 9/20/2018 CS5270 Lecture1
Office Hours Anytime – I have an “open-door” policy. Oh – also - a “buy me coffee” policy (Actually – lets call that a “join me for coffee” policy) Or … use email and fix an appointment. 9/20/2018 CS5270 Lecture1
Grading (Tentative) Assignments 20% Projects 20% Mid-Term 10% Final 50% 9/20/2018 CS5270 Lecture1
Course Material My notes and slides Selected Parts of: Hard Real-Time Computing Systems: Predictable Scheduling Algorithms and Applications: Giorgio C. Buttazzo Real-Time Systems: Design Principles for Distributed Embedded Applications: Hermann Kopetz Real-Time Systems: Scheduling, Analysis and Verification: Albert M.K. Cheng Concepts, Algorithms and Tools for Model Checking: Lecture notes by Joost-Peter Katoen: Research Articles. 9/20/2018 CS5270 Lecture1
Assignments – still not fixed… Take-home assignments 2 (?) Lab Assignments UPPAAL tool based – so have a look at Uppaal at http://www.uppaal.com/. Individual 9/20/2018 CS5270 Lecture1
Motivation … do we need any? Ubiquity of processors, Ariane-5 Software versus hardware Abstraction and software engineering 9/20/2018 CS5270 Lecture1
What is the Course About? Real Time Computing Systems. Key features and issues Modeling, analysis Verification 9/20/2018 CS5270 Lecture1
Broad Outline Introduction to Real Time Systems Timed Automata Verification Tools and Techniques. Time-triggered architectures and protocols. 9/20/2018 CS5270 Lecture1
What are Real Time Computer Systems? Correct functioning depends on: the values of the results produced. AND the physical times at which the results are produced. Real Time Computer System is embedded in a larger physical system. 9/20/2018 CS5270 Lecture1
What are real time systems? The state of the system evolves with time. Position, velocity, acceleration Pressure, temperature, level, concentration The state needs to be sensed and controlled by the computer system. 9/20/2018 CS5270 Lecture1
Control Function 9/20/2018 CS5270 Lecture1
Real time System time and external physical time are the same! At least must have a predictable relationship. 9/20/2018 CS5270 Lecture1
Computational Timing Constraints The computing system must sense, compute and actuate in a timely fashion. Many sensors and many actuators. Many control functions! Must schedule computational tasks for different control functions in a timely fashion. Computations must finish on time. Performance 9/20/2018 CS5270 Lecture1
Types of Real Time Systems Hard / Soft Hard: Must meet timing constraints always. Reactor control, automotive electronics Soft: Must meet timing constraints often. Transaction Processing system Multi-media streaming applications. Hard/Soft determined externally. Our focus will be on Hard Real Time Systems. 9/20/2018 CS5270 Lecture1
Characteristics of Hard Real Time Computing Systems. Timeliness Peak Load Handling The system should not fail at peak load conditions Predictability Fault Tolerance Maintainability 9/20/2018 CS5270 Lecture1
Impact on System Architecture Must avoid non-determinism (why?). Sources of non-determinism: Direct Memory Access (DMA) by peripheral devices. Contention for system bus. Cache Interrupts generated by I/O devices. Memory Management (paging) Dynamic data structures, recursion, unbounded loops (language level). 9/20/2018 CS5270 Lecture1
Applications Chemical and Nuclear Plant Control Railway Switching Systems Automotive applications Flight control ….. 9/20/2018 CS5270 Lecture1
Current State Ad hoc techniques, heuristic approaches. Code written in assembly language Programmed timers Low level device handling Direct manipulation of task and interrupt priorities. Goal: Optimized predictable execution on simple architectures. 9/20/2018 CS5270 Lecture1
Drawbacks Tedious programming Code quality depends on the programmer Difficult to understand and maintain. Verification of timing constraints is practically impossible. System could collapse in rare, unforeseen circumstances, leading to disasters. 9/20/2018 CS5270 Lecture1
Laws of Real Time Systems: Buttazzo’s Book If something can go wrong, it will go wrong. (Murphy’s law) 9/20/2018 CS5270 Lecture1
Laws of Real Time Systems If something can go wrong, it will go wrong. (Murphy’s law) Any software bug will tend to maximize damage. 9/20/2018 CS5270 Lecture1
Laws of Real Time Systems If something can go wrong, it will go wrong. (Murphy’s law) Any software bug will tend to maximize damage. The worst software bug will be discovered 6 months after the field test. 9/20/2018 CS5270 Lecture1
Laws of Real Time Systems If something can go wrong, it will go wrong. (Murphy’s law) Any software bug will tend to maximize damage. The worst software bug will be discovered 6 months after the field test. A system will stop working at the worst possible time. 9/20/2018 CS5270 Lecture1
Laws of Real Time Systems If something can go wrong, it will go wrong. (Murphy’s law) Any software bug will tend to maximize damage. The worst software bug will be discovered 6 months after the field test. A system will stop working at the worst possible time. Sooner or later the worst possible combinations of circumstances will occur. 9/20/2018 CS5270 Lecture1
Formal Methods (Myths?!#$) Common in hardware design – buildings, bridges, VHDL chip design and so on. It is a common misconception that FM is hard to use and slows things down. Most studies show the reverse is true. Design phase slower, implementation and integration faster… Overall FASTER. CICS, banking, by wire systems. 9/20/2018 CS5270 Lecture1
FM for real time systems Model real time systems precisely, mathematically, formally External events System events Verify timing properties Propagate timing constraints down to the system level. Verify implementation meets the specification at each level. 9/20/2018 CS5270 Lecture1
Assurance: Modelling 9/20/2018 CS5270 Lecture1
Assurance: Synthesis 9/20/2018 CS5270 Lecture1
What methods can we offer? Transition systems + accepting states = automata Timed automata To capture high level descriptions. Verification tools and methods Time triggered architectures. A mix of these two paradigms. 9/20/2018 CS5270 Lecture1
State Transition Systems TS is the 4-tuple (S, Act, ⇒, Sin) S --- A set of States Act --- A set of actions ⇒ ⊆ S Ⅹ Act Ⅹ S ---- Transition Relation Sin ⊆ S ---- Initial states TS have graph view, and … often … S and Act are finite sets. Sin has only one element. The transition relation is deterministic. 9/20/2018 CS5270 Lecture1
Finite State Automata Finite State Automata (FSAs) are a basic computational model. FSAs = Regular Languages = Temporal Logics. Starting point for many system design methodologies. SDL, UML, POLIS,… Verification tools (SPIN, SMV) available. 9/20/2018 CS5270 Lecture1
A Railway System 9/20/2018 CS5270 Lecture1
The Gate/Train TS – graph view open approach left Fin-Close proceed close brake proceed Gate Train 9/20/2018 CS5270 Lecture1
The Gate Controller TS approach open left close Fin-Close proceed 9/20/2018 CS5270 Lecture1
The Signal Space open Gate Fin-close close open Fin-Close approach Controller close proceed left 9/20/2018 CS5270 Lecture1
Gate ║ Train ║ Controller Transition system To model the entire system, construct the parallel composition: Gate ║ Train ║ Controller (This is another TS) 9/20/2018 CS5270 Lecture1
Parallel composition… 9/20/2018 CS5270 Lecture1
Timing Considerations The “untimed” description is not enough! From the time “approach” is sent, “proceed” must be received within 5 time units. From the time “close” is sent, “fin-close” must be received within 3 time units. From the time “close” is received it takes at least 2 time units before “fin-close” is sent out. 9/20/2018 CS5270 Lecture1
Timed Automata Automata + clock variables. Model finite state (control) systems with timing constraints. Rich theory (too rich?). Practical tools. Emerging applications. Lot more needs to be done for applications. 9/20/2018 CS5270 Lecture1
The Basic Idea proceed Approach 9/20/2018 CS5270 Lecture1
The Basic Idea proceed x ≤ 5 Approach; x From the time “approach” was sent “proceed” must be received within 5 time units. 9/20/2018 CS5270 Lecture1
The Basic Idea Y is a set of clock variables being reset to 0. act ; Y φ act is an action (or event, or signal). Y is a set of clock variables being reset to 0. φ is a clock constraint. φ ::= x ≤ c | x ≥ c | x < c | x > c | φ1 φ2 c is a rational number (integer OK for model) 9/20/2018 CS5270 Lecture1
The Gate/Train Automata open 2 ≤ x ≤ 4 Fin-Close close; x repair x > 4 Gate 9/20/2018 CS5270 Lecture1
The Gate/Train Automata left Approach; y proceed brake y < 5 y ≥ 5 proceed Train 9/20/2018 CS5270 Lecture1
Time-Triggered Architectures A method for organizing real-time computing systems. Main Application domain: Automotive electronics. But also used in AIRBUS 380, … See: http://www.tttech.com/technology/articles.htm FlexRay is a closely related industry “standard” BMW, Daimler-Benz, Philips Semiconductor, Bosch, … 9/20/2018 CS5270 Lecture1
The Main Idea Event-triggered Timed automata CAN (Controller Area Network) Meeting of 3 people Everyone speaks whenever he/she has something to say. Must wait for the currently speaker to finish before a new speaker can start. Imagine a meeting of 40 people! 9/20/2018 CS5270 Lecture1
The Main Idea Time-triggered Every speaker is assigned a predetermined time slot. After one round, the speaker gets a slot again. Also, a topic-schedule has been worked out in advance. Top1, Top2, Top4 in the first round. Top1, Top3 and Top5 in the second round Top2, Top4 and Top5 in the third round. Ensure no one breaks the rules! 9/20/2018 CS5270 Lecture1
Time-Triggered Architecture 9/20/2018 CS5270 Lecture1
Time-Triggered Architecture Basic unit: NODE Node: A processor with memory I-O subsystem Operating system Application software Time-triggered communication controller 9/20/2018 CS5270 Lecture1
Time-Triggered Architecture Communication (TTA Protocol) Nodes connect to each other via two independent channels. The communication subsystem executes a periodic Time Division Multiple Access (TDMA) schedule. Read a data frame + state information from CNI (Communication Node Interface) at predetermined fetch instant and deliver to the CNIs of all receiving nodes at predetermined delivery instants. 9/20/2018 CS5270 Lecture1
Time-Triggered Architecture Communication All the TTPs in a cluster know this schedule. All nodes of a cluster have the “same” notion of global time. fault-tolerant clock synchronization. TTA BUS topolgy. 9/20/2018 CS5270 Lecture1
Next week Hard real time architectures Clocks, timing, and synchronization 9/20/2018 CS5270 Lecture1