Regular Specifications of Resource Requirements for Embedded Control Software



Rajeev Alur and Gera Weiss, University of Pennsylvania

Abstract

For embedded control systems, a schedule for the allocation of resources to a software component can be described by an infinite word whose ith symbol models the resources used at the ith sampling interval. Dependency of performance on schedules can be formally modeled by an automaton (ω-regular language) which captures all the schedules that keep the system within performance requirements. We show how such an automaton is constructed for linear control designs and exponential stability or settling time performance requirements. Then we explore the use of the automaton for online scheduling and for schedulability analysis. As a case study we examine how this approach can be applied to the LQG control design. We demonstrate by examples that online schedulers can be used to guarantee performance in worst-case conditions together with good performance in normal conditions. We also provide examples of schedulability analysis.

1 Introduction

A key question in the design and implementation of embedded real-time systems is: how does one specify the resource requirements of a component? When the resource is CPU, the most commonly used framework for specifying the usage requirements is the periodic task model [2]: each component specifies a period, sometimes along with a deadline, which gives the frequency at which the component must execute. The designer of the component makes sure that the performance objectives will be met as long as the component is executed consistently with its period. For implementation, the real-time operating system performs a worst-case execution time analysis on all the components, followed by schedulability analysis to check whether all the timing requirements can be met (cf. [ 4]). Specifying resource requirements using periods has advantages due to simplicity and analyzability, but has some key deficiencies.

First, the periodic task model has limited expressiveness: a specification such as "execute the component every 5ms" does not say whether the scheduler should or should not execute it more frequently if enough computing resources are available. For some tasks, such as updating sensor readings of the environment, as the load decreases the component should be executed more frequently, and this will improve the system performance. For some tasks, such as refreshing a display, a fixed period is reasonable. For control systems, while periodic task specifications (e.g. "once every 5 slots") capture only the worst-case bounds, we cannot simply treat these as upper bounds and use "at least once every 5 slots" as the specification. This is consistent with the common wisdom in control theory that more frequent execution need not imply better performance. In general, for complex systems consisting of a mix of tasks, the framework should allow flexible and expressive specifications of resource requirements. Second, such specifications do not compose, in the sense that a system composed of two components cannot be specified by a single period, and when a component is added the schedulability analysis must be performed again on the global set of tasks.

The focus of this paper is performance of the control system. Our goal is to guarantee that the system meets its performance requirements. We take a control design with a performance objective such as exponential stability or settling time and compute a specification of the resource requirement. We use formal languages and finite automata over infinite words as an expressive, analyzable and composable specification framework for resource requirements. We assume that resources are allocated in discrete slots of some fixed duration. Such a virtual time-triggered allocation strategy may be because of a time-triggered architecture [9] or because the system supports the FLET (Fixed Logical Execution Time) programming abstraction [8].

Given a component, the allocation of the resource to that component in a particular execution can be described by an infinite word $\sigma = \sigma_1 \sigma_2 \ldots$ where each symbol $\sigma_i$ describes whether the component was scheduled during the ith slot or not. The resource requirement of a component can then be specified by a language L of infinite words that describes all acceptable schedules. The designer of the component makes sure that the performance objectives will be met on all schedules in L, and the scheduler must ensure that the runtime allocation of the resource to the component corresponds to some word in L. We will assume that L is specified by finite automata with acceptance conditions for infinite words (such as Büchi automata) or, equivalently, by ω-regular expressions (see [2] for an introduction to the theory of languages of infinite words). In the literature one can find other formalisms for expressing dependencies between tasks and execution constraints [2 3 7 7]. We use automata because they can express the semantics of all these models and because we are interested in control performance, not efficient input languages.

We consider two ways of formalizing and composing specifications. In the first, we assume that the resource can be allocated to only one component in any given slot. In this case the specification of a component with task identifiers I is a language over the alphabet consisting of I and one special idle symbol not in I, which means that the slot is not allocated to this component. The composition of two specifications can be computed by an appropriate product construction on automata, and the test of schedulability corresponds to testing language emptiness. In the second style of specification we assume that multiple tasks can be allocated in a given slot. Then the specification of a component containing tasks from a set I of identifiers is an ω-language over the alphabet $2^I$: the ith symbol of the word gives the set of tasks scheduled in the ith slot (the empty set means that none of the tasks of this component are scheduled in this slot). Composing two specifications $L_1$ and $L_2$ over task identifiers $I_1$ and $I_2$ yields a language L over the task set $I_1 \cup I_2$, obtained using an appropriate product construction. This more general style of requirements gives platform-independent specifications. On a specific platform P we first need to compute the feasible subsets of I that can be scheduled in a slot (this can be done using worst-case execution time analysis).
The platform-specific specification is then computed by intersection of L with the set of all feasible schedules on P, and tested for emptiness to determine schedulability.

To obtain the above specifications we offer a methodology for designing control systems as follows. First, a feedback law is designed for each subset of resources that may become available at some time. For example, if only one resource is to be scheduled, we design two feedback laws $F_0$ and $F_1$, for times where the resource is not used and for times where it is used, respectively. Then we identify the functions $f_0$ and $f_1$ that map the state of the closed-loop system (plant and controller) to the next state when $F_0$ and $F_1$ are applied, respectively. This gives us a switched system $x(t+1) = f_{\sigma(t)}(x(t))$ where $\sigma : \mathbb{N} \to \{0,1\}$ is such that $\sigma(t) = 1$ if and only if the resource is used at time t. For stability requirements, in the case that $f_0$ and $f_1$ are linear, we give an algorithm that extracts an automaton for the switched system. This automaton is such that the switched system is exponentially stable for every schedule in its ω-language. This automaton can be used to combine the subsystem with other software components as described above.

The theoretical part is complemented with detailed examples that demonstrate how the framework is applied to particular case studies. The focus of the examples is scheduling CPU resources for an LQG controller. This controller takes the form of two layers. One layer is a standard control design expressed as linear transfer functions. The other layer is a heavy computation that feeds information to the control design. Assuming that updating the linear transfer functions takes negligible computational resources, we design two modes. The first mode is the original control design and the second is a control design that does not use data from the heavy computation. We detail the computation of an automaton for this particular system. Using that automaton we show by a simulation experiment how the expressiveness of the automata interface allows a scheduler to take advantage of unused slots and thereby improve controller performance. We also demonstrate how the automata-based interface allows schedulability analysis that leads to refinement of control objectives until an acceptable schedule is found. When the system becomes non-schedulable, we demonstrate the use of the automata interface in constructing a platform-independent description of the scheduling constraints that can be used to choose an implementation platform. The types of performance requirements considered are exponential stability and settling time of the step response. The examples are computed using a prototype implementation of our algorithms. This implementation is a Mathematica notebook that uses built-in and external tools. The amounts of time needed to compute the examples with our prototype implementation are reported for reference.

Related Work

Many researchers have identified the lack of composability as a problem for scalable component-based design and integration, and offered composable and hierarchical scheduling frameworks [6 8 4 9]. For example, [9] proposes the periodic resource model, where the specification of a component consists of (T, C), meaning that the component should get C units of computation every T units of time, and shows how to abstract a set of periodic tasks with EDF or rate-monotonic scheduling policies into a single periodic resource. While these efforts address composability, the expressiveness is still limited to specifying periods for individual components. The formal methods literature consists of general frameworks such as I/O automata [3], fair transition systems [5] and interface automata [5] for capturing interfaces with well-developed theories of composition and refinement. Our use of automata is consistent with such general frameworks and can be viewed as a light-weight instantiation for the specific purpose of scheduling. Timed automata have also been used for schedulability analysis []. The idea of using formal languages and Büchi automata as an interface to capture the set of acceptable schedules over the alphabet of task identifiers was first advocated in our recent paper [23], which focuses on specifying stability of switched systems using automata. In the current paper we use the proposed concepts to instantiate a methodology for control systems design. To this end we establish the following additions. First, expressibility is enhanced by allowing multiple tasks per slot. Second, we show how a switched system is obtained for linear control designs. Third, detailed case studies show how the resulting automaton can be used for practical applications.

2 Automata based specifications

2.1 ω-regular languages

We review the basic definitions related to ω-automata and ω-languages [2 22]. Given an alphabet Σ, an ω-word is an infinite sequence $\sigma_1 \sigma_2 \ldots$ with each $\sigma_i \in \Sigma$. An ω-language L over Σ is a set of ω-words. A Büchi automaton A over Σ consists of a finite set of states Q, an initial state $q_0 \in Q$, a transition function $\delta : Q \times \Sigma \to 2^Q$, and a set $F \subseteq Q$ of accepting states. A run of the automaton A over an ω-word $\sigma_1 \sigma_2 \ldots$ consists of an infinite sequence of states $q_0 q_1 q_2 \ldots$ starting at the initial state such that $q_i \in \delta(q_{i-1}, \sigma_i)$ for each $i > 0$. The run is accepting iff for infinitely many positions i, $q_i \in F$. The language L(A) of the automaton consists of ω-words σ such that A has an accepting run over σ. An ω-language L is said to be ω-regular iff there is a Büchi automaton A such that L(A) = L. A Büchi automaton $A = (Q, q_0, \delta, F)$ is deterministic if for all states q and symbols a, $|\delta(q, a)| \le 1$. A deterministic automaton has at most one run over a given ω-word.
A Büchi automaton $A = (Q, q_0, \delta, F)$ is a safety automaton if F = Q, that is, a word is accepted as long as there is an infinite run. The ω-regular languages are effectively closed under a variety of operations such as language intersection and language homomorphisms. To check whether the language L(A) of a Büchi automaton is non-empty, it suffices to consider the transition graph $G_A$ of the automaton: the nodes in $G_A$ are states of A, and there is an edge from q to q' iff $q' \in \delta(q, a)$ for some symbol a. The language L(A) is nonempty iff there is a cycle in $G_A$ that is reachable from the initial state $q_0$ and contains some state in F. The automaton A is said to be trim if for every state q there is a cycle in $G_A$ that is reachable from q and contains some state in F. Every automaton with non-empty language can be converted into an equivalent trim one by deleting redundant states and transitions.

2.2 Exclusive slot allocation

Suppose each slot can be allocated to at most one task. Let I be the set of task identifiers of all the tasks in a component. Then, from the point of view of a component, a schedule can be represented by an infinite sequence $w = \sigma_1 \sigma_2 \ldots$ over the task identifiers I together with a special idle symbol not in I: for each slot i, $\sigma_i$ is the idle symbol if the slot is not allocated to the component, and otherwise $\sigma_i$ specifies the task that was allocated the ith slot. The specification S of a component is (I, L), where I is the set of task identifiers (not containing the idle symbol) and L is an ω-language over the alphabet consisting of I and the idle symbol. Note that the specification exposes the set of task identifiers within a component, but this information is necessary for the scheduler to make resource allocation. Consider two components whose resource requirements are specified as $(I_1, L_1)$ and $(I_2, L_2)$. Typically $I_1$ and $I_2$ will be disjoint, but this is not required. In fact one can have $I_1 = I_2$, and in this case $L_1$ and $L_2$ are specifying two distinct requirements on scheduling such that the composition corresponds to conjoining the requirements.

Suppose the ω-languages $L_1$ and $L_2$ are given by automata $A_1 = (Q_1, q_1, \delta_1, F_1)$ and $A_2 = (Q_2, q_2, \delta_2, F_2)$ respectively. The composed specification is $(I_1 \cup I_2, L)$, where the composed language L can be computed using a modified product construction. Let us first assume that the automata are safety automata. The composed automaton A has states $Q_1 \times Q_2$ with initial state $(q_1, q_2)$. The transition relation δ is specified as follows. For the idle symbol and for $a \in I_1 \cap I_2$: $(p_1, p_2) \in \delta((q_1, q_2), a)$ iff $p_1 \in \delta_1(q_1, a)$ and $p_2 \in \delta_2(q_2, a)$. For $a \in I_1 \setminus I_2$: $(p_1, p_2) \in \delta((q_1, q_2), a)$ iff $p_1 \in \delta_1(q_1, a)$ and $p_2$ is an idle-symbol successor of $q_2$ in $A_2$. Analogously, for $a \in I_2 \setminus I_1$: $(p_1, p_2) \in \delta((q_1, q_2), a)$ iff $p_1$ is an idle-symbol successor of $q_1$ in $A_1$ and $p_2 \in \delta_2(q_2, a)$. Thus, for a task a belonging to only one of the components, the a-transitions of this component are synchronized with idle-transitions of the other component. If the automata have non-trivial accepting conditions, then we need to add a bit to the product states to make sure that accepting states of both are visited infinitely often, as in the classical intersection of Büchi automata [22]. After constructing the product we apply the trimming operation to get rid of redundant states. If the result of trimming is the empty automaton, then the two components cannot be composed due to scheduling conflicts.

2.3 Scheduling task sets per slot

While the assumption of one task per slot gives useful specifications, the specification can be made richer for better utilization of resources. For a component with set I of tasks, resource allocation from the point of view of this component is now specified by an ω-word $w = \sigma_1 \sigma_2 \ldots$ such that each $\sigma_i \subseteq I$ gives all the tasks of this component that are scheduled during the ith slot. If $\sigma_i$ is the empty set then no task of this component is scheduled during this slot. The resource requirement of the component is given as the specification (I, L), where L is an ω-language over the alphabet $2^I$ of task sets.

A direct motivation for using this type of specification is for scheduling sets of identical resources. For example, if we want to schedule tasks to run on a dual processor system, we may allow two tasks per slot. Another motivation is as follows. The FLET (Fixed Logical Execution Time) programming abstraction [8] is a useful methodology for designing control software. The main idea in FLET is fixing the times where data is moved between internal software variables and actuators/sensors. The standard use of this approach is to choose a set of tasks to run between updates and make sure that they are schedulable within the given time. We propose using automata to schedule possibly different task sets to slots. In addition to improved performance, this approach allows platform-independent analysis that can be combined with platform-dependent information to choose a platform (see Section 4.3 below for examples).

Consider two components with specifications $(I_1, L_1)$ and $(I_2, L_2)$. Suppose the Büchi automata $A_1$ and $A_2$ represent their specifications. Then the product automaton A representing the composite specification over the task set $I_1 \cup I_2$ is computed as follows. The state-space is $Q_1 \times Q_2$ with initial state $(q_1, q_2)$. The transition relation δ is specified by: for a task set $\alpha \subseteq I_1 \cup I_2$, $(p_1, p_2) \in \delta((q_1, q_2), \alpha)$ iff $p_1 \in \delta_1(q_1, \alpha \cap I_1)$ and $p_2 \in \delta_2(q_2, \alpha \cap I_2)$.

For schedulability analysis, given a component with task set I, we must first determine for each set $\alpha \subseteq I$ whether α is feasible: can all tasks in α be executed during one slot? This requires estimates of the execution times of all the tasks in I. Formally, a platform P is a mapping from $2^I$ to $\{0, 1\}$ indicating the feasibility of each task set. A schedule $\sigma_1 \sigma_2 \ldots$ is feasible on a platform P if $P(\sigma_i) = 1$ for each i. Let the set of all feasible schedules on a platform P be $L_P$. Given a component specification S = (I, L) and a platform $P : 2^I \to \{0, 1\}$, the platform-specific specification is $(I, L \cap L_P)$. Given an automaton A over $2^I$ representing the resource specification L, we can obtain the feasible schedules in L by deleting all transitions corresponding to infeasible task sets and trimming the automaton. If the resulting language $L \cap L_P$ is empty, then the component is not schedulable on the platform P. Note that with this approach the same specification can be used for different platforms. Also, the exclusive slot allocation discussed in Section 2.2 is a special case of a platform where only singleton task sets are feasible.

3 Scheduling resources for control software

In this section we outline a methodology for designing resource usage schedulers in software-based controllers (software which monitors and affects a physical plant). The proposed methodology relies on the analysis exposed in [23], where the synthesis of schedules (switching signals) for switched systems is discussed. Here we show how this framework can be used to schedule resources in control software. Specifically, we show how scheduling usage of resources in control software translates to finding a switching signal in a switched system. We also show how scheduling automata can be used to improve the design of software controllers. Automata-based scheduling is best suited for scheduling computational resources where it is critical that the scheduler itself does not consume significant computational resources.
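Before turning to control software, the product construction of Section 2.3 and the platform restriction that follows it can be exercised end to end. The Python below is an added example written for this page, not the paper's Mathematica prototype: specifications are safety automata over task sets stored as plain dictionaries, `compose` implements the rule $p_1 \in \delta_1(q_1, \alpha \cap I_1)$ and $p_2 \in \delta_2(q_2, \alpha \cap I_2)$, `restrict_to_platform` deletes infeasible transitions, and `trim` removes states without an infinite continuation. The two component specifications ("run at least once in every two consecutive slots", "run in every slot") and the single- and dual-processor platforms are constructed for the illustration; the single-processor platform is the exclusive allocation of Section 2.2.

```python
"""Product of task-set specifications (Section 2.3) plus platform-specific
schedulability.  Added example, not code from the paper.  Every automaton is a
safety automaton (all states accepting): a word is accepted iff its run never
gets stuck, so language emptiness reduces to trimming."""
from itertools import combinations


def task_sets(tasks):
    """The alphabet 2^I: every subset of the task identifiers, as frozensets."""
    tasks = sorted(tasks)
    return [frozenset(c) for r in range(len(tasks) + 1) for c in combinations(tasks, r)]


class SafetyAutomaton:
    def __init__(self, tasks, states, init, delta):
        self.tasks = frozenset(tasks)            # the task identifiers I
        self.states = frozenset(states)
        self.init = init
        # delta: (state, frozenset of tasks) -> frozenset of successor states
        self.delta = {k: frozenset(v) for k, v in delta.items() if v}

    def successors(self, q, alpha):
        return self.delta.get((q, alpha), frozenset())

    def schedulable(self):
        """After trimming, the language is non-empty iff the initial state survived."""
        return self.init in self.states


def trim(a):
    """Drop states with no infinite continuation (greatest fixed point of
    'has a surviving successor'), then states unreachable from the initial state."""
    alive = set(a.states)
    while True:
        keep = {q for q in alive
                if any(p == q and (succ & alive) for (p, _), succ in a.delta.items())}
        if keep == alive:
            break
        alive = keep
    reach, frontier = set(), ([a.init] if a.init in alive else [])
    while frontier:
        q = frontier.pop()
        if q in reach:
            continue
        reach.add(q)
        for (p, _), succ in a.delta.items():
            if p == q:
                frontier.extend(succ & alive)
    delta = {(p, alpha): succ & reach for (p, alpha), succ in a.delta.items()
             if p in reach and (succ & reach)}
    return SafetyAutomaton(a.tasks, reach, a.init, delta)


def compose(a1, a2):
    """Section 2.3 product: on task set alpha, A1 reads alpha & I1 and A2 reads alpha & I2."""
    tasks = a1.tasks | a2.tasks
    states = {(p, q) for p in a1.states for q in a2.states}
    delta = {}
    for (p, q) in states:
        for alpha in task_sets(tasks):
            succ = {(p2, q2) for p2 in a1.successors(p, alpha & a1.tasks)
                    for q2 in a2.successors(q, alpha & a2.tasks)}
            if succ:
                delta[((p, q), alpha)] = succ
    return trim(SafetyAutomaton(tasks, states, (a1.init, a2.init), delta))


def restrict_to_platform(a, feasible):
    """Keep only transitions whose task set the platform P can execute in one slot."""
    delta = {(q, alpha): succ for (q, alpha), succ in a.delta.items() if feasible(alpha)}
    return trim(SafetyAutomaton(a.tasks, a.states, a.init, delta))


# Constructed component specifications (hypothetical tasks "a", "b", "c").
def at_least_once_every_two(task):
    """`task` runs in at least one of any two consecutive slots.
    State 0 = ran in the last slot (or start), state 1 = skipped the last slot."""
    return SafetyAutomaton({task}, {0, 1}, 0, {
        (0, frozenset({task})): {0}, (0, frozenset()): {1},
        (1, frozenset({task})): {0}})


def every_slot(task):
    """`task` runs in every slot."""
    return SafetyAutomaton({task}, {0}, 0, {(0, frozenset({task})): {0}})


# Constructed platforms P : 2^I -> {feasible, infeasible}.
def single_processor(alpha):
    return len(alpha) <= 1      # exclusive allocation of Section 2.2


def dual_processor(alpha):
    return len(alpha) <= 2


def schedulable_on(components, feasible):
    """Compose all component specs, intersect with L_P, and test emptiness."""
    spec = components[0]
    for c in components[1:]:
        spec = compose(spec, c)
    return restrict_to_platform(spec, feasible).schedulable()


if __name__ == "__main__":
    a, b, c = at_least_once_every_two("a"), every_slot("b"), at_least_once_every_two("c")
    print("a every 2 slots + b every slot, one processor :", schedulable_on([a, b], single_processor))
    print("a every 2 slots + b every slot, two processors:", schedulable_on([a, b], dual_processor))
    print("a every 2 slots + c every 2 slots, one processor:", schedulable_on([a, c], single_processor))
```

The third case shows why the platform-independent specification is worth keeping separate: the composed automaton for `a` and `c` still contains the idle task set from its initial state, but after restricting to one processor the only surviving cycle alternates `{a}` and `{c}`, which is exactly the schedule a designer would expect.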
Software control systems typically operate at a fixed freqency. After reading each new sample from the sensor the software reacts to the plant s changed otpt by recalclating and adjsting the drive signal. The plant responds to this change another sample is taken and the cycle repeats. Eventally the plant shold reach the desired state and the software will cease making changes. When distrbances arrive or a new setpoint is chosen the process repeats itself. We assme that a linear model which is an approximation of the dynamics of a physical plant is given. Specifically consider a plant modeled as a so called discrete-time linear time-invariant system (see e.g. [2]) x p (t + ) = A p x p (t) + B p (t) y(t) = C p x p (t) consisting of state eqation defined in terms of the matrices A p and B p and otpt eqation that maps the state to the otpt defined in terms of C p. The state is denoted by x p the otpt by y and the control inpt by. A feedback control software for this plant takes the otpt y and decides what action shold be taken by the maniplated variable to remove errors. Many controller designs take the form of a dynamic feedback that is the controller is a dynamical system by itself. More specifically the controller is designed as a linear time-invariant system sch that when the otpt of the controller is attached to the inpt of the system and vice verse the composed system is stable. Mathematically assme that the controller is 4

described by the discrete-time linear time-invariant system x c (t + ) = A c x c (t) + B c y(t) (t) = C c x c (t) where x c is the state of the controller and A c B c and C c are respectively the state transition matrix the inpt map and the otpt map for the controller. Then it is easy to verify that the dynamics of the composed system (the controller and the plant together) can be described by Ap B x(t + ) = p C c x(t) B c C p A c where x = (x T p x T c ) T is the concatenation of the states of the plant and the controller. To model limitation of resorces we se switched systems []. More specifically assme that access to certain inpt and/or otpt variables reqires allocation of shared resorces. By rewiring the B c matrix for otpt variables and C c matrix for inpt variables we model resorce allocation as follows. A switched system is defined with a mode for every sbset of resorces that may be available at a time. The modes that correspond to not sing the ith inpt or otpt variable have zero at the ith entry of the C c or B c matrix respectively. The A c matrices are designed accordingly. With this abstraction switching seqences for the reslting switched system correspond to allocation of resorces to the control loop. Let m be the nmber of modes. For every mode i =... m we have the controller x c (t + ) = A ci x c (t) + B ci y(t) (t) = C ci x c (t). The composition of the system with the controller modes gives the closed-loop switched system x(t + ) = A σt x(t) () where σ = σ σ 2... is sch that σ t reflects the resorces sed at time t and Ap B A i = p C ci i =... m. B ci C p A ci The next step is an analysis of the system (). We se formal-langages techniqes to characterize the set of schedles that meet performance specifications. Specifically an atomaton is compted whose langage is the set of schedles that garantee exponential stability. For the parameters l N and ρ ( ] a system is said to be (l ρ)-exponentially-stable if x(t + l) / x(t) < ρ for every t N and x(t) R n. 
For the system () consider the langage G lρ = x(t + l) {σ : < ρ for all t and x(t)} x(t) = {σ : A σt+l A σt+ < ρ for all t and x(t)}. The eqivalence follows from the definition of matrix norm. Given l N and ρ ( ] we propose the following algorithm: () Constrct the set B = {σ : A σl A σ ρ}. (2) Bild the reglar expression {... m} σ B {... m} σ{... m}. (3) Translate the reglar expression to a deterministic finite atomaton. (4) Delete all states from which there is no path to an accepting state. Proposition 3.. The above algorithm comptes a Büchi atomaton for G lρ. Proof. The set B contains all the words of length l that are not allowed as sbwords. For a word σ B the sb-expression {... m} σ{... m} defines the langage of words that contain σ as a sbword. The sm σ B {... m} σ{... m} is the langage of all words that contain a word in B as a sbword. Therefor the whole expression defines the set of words that do not contain any of the words in B as a sbword. Next we arge that same conclsion remains if we consider the atomaton as a Büchi atomaton. Becase all non accepting states are traps an infinite rn is accepted iff all the states are accepting. Since this is also the accepting condition for finite words the conclsion that the atomaton accepts all words that do not have a word in B as a sbword remains valid also for infinite words. When infinite words are concerned a word can be rejected once the atomaton gets to a state from which there is not path to an accepting state. Ths deleting sch states does not change the langage of the atomaton. The reslting atomaton is a description of all schedles in G lρ. When the reqirement for the system is exponential stability it is a finite representation of all acceptable schedles. It can be sed both for schedlability analysis and as a practical tool for online schedling as follows. For schedlability analysis assme that we have compted atomata for all the sbsystems that share a resorce. 
Then sing algorithms for atomata intersection we can compte an atomaton for the langage of all schedles that meet the reqirements of all sbsystems. If this langage is not empty the system is schedlable. Having a representation of all the schedles that satisfy the specifications allows the selection of a good schedle based on optimization criteria. See the next section for examples of sing atomata for schedlability analysis. For online schedling the atomaton can be sed as an effective decision procedre. Following the schedled tasks and pdating the crrent state of the atomaton shold not take significant comptational resorces. Since the atomaton represents the set of allowed schedles it can be sed to infer the set of tasks that can be schedled in every comptation slot. If at each slot we only choose a task that labels an edge that exists the crrent state of the atomaton we 5

are guaranteed that we will be able to do this forever and that the resulting schedule is acceptable for all subsystems. Examples of using automata as online schedulers are given in the next section.

4 Case studies in control and scheduling

In this section we explore applications of the proposed methodology. We give an explicit controller design with two operating modes: one that uses heavy computational resources and one that uses only lightweight computations. Using this example we show how automata can be used for both schedulability analysis and online scheduling.

4.1 A controller design

Consider a system where reading the plant output is computationally demanding (e.g. a heavy image processing algorithm is needed to obtain the output). We propose two modes of operation for the controller: one that uses the output measurement and one that does not use it. Schedules of invocations of the heavy algorithm then correspond to mode switches of the control system. The controller itself is built of blocks with linear dynamics that can be computed with negligible resources.

Linear quadratic Gaussian (LQG) control is a standard method of designing feedback control laws for linear systems with additive Gaussian noise. We examine how this method can be adapted to operate when there are not enough computational resources to obtain the output in every sampling interval. An LQG controller combines the solutions of an estimator and a full-state feedback, based on the so-called separation principle. It can be computed automatically using the lqg command in MATLAB [24]. The structure of the controller is depicted in Figure 1.

[Figure 1. Closed loop with LQG feedback. Blocks: Disturbance, Plant (output y), Estimator, State Feedback (input u).]

If the output can be computed in every slot we can use this design as is and get the best performance. Otherwise we need to specify how the control signal is produced when the output is not available. The second mode of the controller, which operates when the output cannot be computed, carries a simulation of the plant. As seen in Figure 2 the structure is very similar to that of the LQG controller, the difference being that a simulation block replaces the estimation block and the output of the plant is not used.

[Figure 2. Simulation mode. Blocks: Disturbance, Plant (output y, not fed back), Simulator, State Feedback (input u).]

The dynamics of the simulation block are the dynamics of the system. The idea is to use the last estimate as a starting point and then simulate the dynamics of the system assuming no noise. Similar ideas have been proposed in networked control systems (see e.g. [16]). Formally, let

$x_p(t+1) = A_p x_p(t) + B_p u(t), \quad y(t) = C_p x_p(t)$

be a linear time-invariant model of the plant and

$x_c(t+1) = A_c x_c(t) + B_c y(t), \quad u(t) = C_c x_c(t)$

a linear time-invariant model of the LQG controller. The simulation mode depicted in Figure 2 is formally modeled by

$x_c(t+1) = A'_c x_c(t) + B'_c y(t), \quad u(t) = C'_c x_c(t)$

where $A'_c = A_p + B_p C_c$, $B'_c = 0$ and $C'_c = C_c$. The composition of the system with the controller modes gives the closed-loop switched system

$x(t+1) = A_{\sigma_t} x(t) \qquad (2)$

where

$A_1 = \begin{pmatrix} A_p & B_p C_c \\ B_c C_p & A_c \end{pmatrix}, \qquad A_0 = \begin{pmatrix} A_p & B_p C_c \\ 0 & A_p + B_p C_c \end{pmatrix}$

and $\sigma = \sigma_0 \sigma_1 \sigma_2 \ldots \in \{0,1\}^\omega$ is such that $\sigma_t = 1$ iff the output $y(t)$ is available to the controller (the computation that evaluates $y$ is scheduled in slot $t$).

As a specific example consider the plant ẋ p = x p + y = x p. Sampling every time unit gives the discrete-time matrices A p = (+e 2 +e 2 2e 2 2e 2 +e 2 +e 2 2e 2 2e 2), B p = (3 4(4e 2 + 4 e 2)), C p = . The lqg MATLAB command gives A c = (.229 .3865; .2969 .27978), B c = (.4233; .4643), C c = (.4992 .47288). The closed-loop matrices are A 1 = (.568 .432 .357 .339 .432 .568 .42 .34 .42 .2 .39 .46 .29 .28) and A 0 = (.568 .432 .357 .339 .432 .568 .42 .34 .2 .94 . .29 .433).

As a performance specification for the system $x(t+1) = A_{\sigma_t} x(t)$ we consider the set

$G_{8,1/2} = \{ \sigma : \|x(t+8)\| < \tfrac{1}{2} \|x(t)\| \text{ for all } t \in \mathbb{N},\ x(t) \in \mathbb{R}^n \}$

of all schedules that achieve (8, 1/2)-exponential stability. To obtain an automaton for this requirement we compute the set

$B = \{ \sigma \in \{0,1\}^8 : \|A_{\sigma_8} \cdots A_{\sigma_1}\| \geq 1/2 \}$

by enumerating all words of length 8. An automaton that accepts all infinite sequences none of whose subwords is in B is depicted in Figure 3. The fact that the structure of this automaton is nontrivial gives some evidence for the value of automata-based specifications.

[Figure 3. An automaton for $G_{8,1/2}$.]

4.2 An online scheduler

To see the power of automata as online schedulers consider the following experiment: given a number γ between 0 and 1 (the load factor), a random word is generated by a random walk over the graph of the automaton. If the current state has two outgoing edges, choose 0 with probability γ and 1 with probability 1 − γ. If the state has only one outgoing edge, take it. This experiment simulates a control system with an online scheduler and the LQG controller scheme described above. The factor γ models an external computational load with which the controller has to share computational resources. The controller has priority over the external load, but the share left to the external load should be proportional to γ. When γ = 1 the controller uses the resources only when necessary to guarantee the minimal required performance. When γ = 0 it takes all available resources. When 0 < γ < 1 it leaves the needed proportion of resources to the external load. In all cases it is guaranteed that the requirements for the control system are met, because the generated sequence is always in $G_{8,1/2}$. Figure 4 displays the output of the plant when simulated with different load factors. In this simulation the initial plant state is the equilibrium and the initial estimator state is (2 2)^T. No noise is inserted during the simulation.

[Figure 4. Performance under varying load: plant output over time for load factors 0.3, 0.6 and 0.9.]

These graphs highlight the advantage of using automata over static scheduling. With static scheduling one has to plan for the worst case. With automata it is possible to assure performance in the worst case and to adjust the schedule for better performance when resources are available. An alternative to our approach, provided that the load factor is confined to a finite number of values, is to design and analyze a schedule for each load value. This solution is only relevant if the load factor does not change too frequently, because transient schedules are not analyzed. Our approach allows frequent mode switches and an infinite number of modes.

4.3 Schedulability analysis

Often a single microprocessor is used to implement several control loops. We demonstrate how this can be done with performance guarantees. As an example consider a computer that implements three control loops. Assume that these are three independent copies of the plant described in Section 4.1. A block diagram of this system is given in Figure 5. First we assume that at most one task can run in each computation slot (as described in Section 2.2). In particular, only one of the control loops can evaluate the output of the corresponding plant.

[Figure 5. Independent control loops: one Computer driving Plant 1, Plant 2 and Plant 3 with references r_i, inputs u_i and outputs y_i.]
The other two loops evolve in simulation mode (the mode in which the current output of the plant is not used, as described in Section 4.1 above). To compute the composition we make three copies of the automaton depicted in Figure 3. Then we replace each 0 in the first automaton with 2, 3; each 0 in the second automaton with 1, 3; and each 0 in the third automaton with 1, 2. For i = 1, 2, 3 we also replace every 1 in the ith automaton with i. The renamed automata are over the alphabet {1, 2, 3}. The language of the ith automaton represents the allowed schedules from the point of view of the ith component. To compute the language of schedules that are allowed by all the subsystems we take the intersection of these languages. For this specific case it turns out that the intersection is empty (the computation takes a few seconds on a 2 GHz Intel Core Duo laptop). This means that the system is not schedulable. One option in such a case is relaxing the performance requirements. For example, we can repeat the same procedure for a language $G_{k,1/2}$ with a longer window k instead of $G_{8,1/2}$ (require that any subsequence of length k, and not 8, is contracting at least by 1/2). This results in an automaton with 263 states that accepts a non-empty language. One can extract a cyclic schedule from this automaton by following a cycle. For example, the schedule (323232)^ω is extracted in this way. Another option when the system is not schedulable is a better implementation platform. This corresponds to the analysis method described in Section 2.3. In this case we replace every i in the ith automaton with the list of subsets of {1, 2, 3} that contain i. Zeroes are replaced with the list of subsets that do not contain i. The intersection of the three set-based automata is an automaton over the alphabet $2^{\{1,2,3\}}$ with 8 states (the computation takes about 3 minutes on a 2 GHz Intel Core Duo laptop). This automaton can be used to choose an implementation platform.
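The following is an added example, not code from the paper, that carries the pipeline of Sections 4.1 to 4.3 through in pure Python: enumerate the bad windows B from the closed-loop matrices of (2), build the safety automaton that avoids them, run the load-factor random walk of Section 4.2 on it, and then rename and intersect three copies as in Section 4.3 to decide schedulability and extract a cyclic schedule. Everything numeric is an assumption: the matrices A0 and A1 are constructed diagonal stand-ins (chosen so that a window contracts by 1/2 exactly when the output is measured at least three times in it), not the paper's LQG design, and the Frobenius norm stands in for the induced norm, which only makes the test conservative (every schedule it accepts also satisfies the induced-norm requirement).

```python
"""Added example (not the paper's code): Sections 4.1-4.3 in pure Python.
A0/A1 are constructed stand-ins for the closed-loop matrices of eq. (2);
the paper's LQG numbers are not reused."""
from itertools import product
import random

A1 = [[0.68, 0.0], [0.0, 0.55]]   # assumed: output available, contracting
A0 = [[1.0, 0.0], [0.0, 1.0]]     # assumed: simulation mode, neutral
MODES = (A0, A1)                  # index = sigma_t

def matmul(X, Y):
    return [[sum(X[i][l] * Y[l][j] for l in range(len(Y)))
             for j in range(len(Y[0]))] for i in range(len(X))]

def bad_windows(modes, k, rho):
    """B = {w in {0,1}^k : ||A_{w_k} ... A_{w_1}|| >= rho}, Frobenius norm."""
    n, bad = len(modes[0]), set()
    for w in product((0, 1), repeat=k):
        M = [[float(i == j) for j in range(n)] for i in range(n)]
        for s in w:
            M = matmul(modes[s], M)          # left-multiply step by step
        if sum(v * v for row in M for v in row) ** 0.5 >= rho:
            bad.add(w)
    return bad

def trim(trans):
    """Delete states without outgoing edges until a fixpoint; every state is
    accepting, so the survivors are exactly the states with an infinite run."""
    while True:
        dead = {q for q, out in trans.items() if not out}
        if not dead:
            return trans
        for q in dead:
            del trans[q]
        for out in trans.values():
            for a in [a for a, r in out.items() if r in dead]:
                del out[a]

def window_automaton(k, bad):
    """Deterministic safety automaton {state: {letter: state}} accepting the
    words with no k-window in `bad`; a state is the last k-1 letters read."""
    trans, todo = {}, [()]
    while todo:
        q = todo.pop()
        if q in trans:
            continue
        trans[q] = {}
        for a in (0, 1):
            w = q + (a,)
            if len(w) < k or w not in bad:
                trans[q][a] = w[-(k - 1):]
                todo.append(w[-(k - 1):])
    return trim(trans)

def online_schedule(aut, gamma, steps, seed=0):
    """Section 4.2: where both letters are allowed take 0 (skip the heavy
    computation) with probability gamma, otherwise the only allowed letter."""
    rng, q, word = random.Random(seed), (), []
    for _ in range(steps):
        out = aut[q]
        a = (0 if rng.random() < gamma else 1) if len(out) == 2 else next(iter(out))
        word.append(a)
        q = out[a]
    return word

def rename(aut, i, letters):
    """Section 4.3: loop i's letter 1 becomes i, its 0 becomes every other letter."""
    return {q: {b: r for a, r in out.items()
                for b in ([i] if a == 1 else sorted(letters - {i}))}
            for q, out in aut.items()}

def intersect(auts, letters):
    """Product of the renamed automata (one task per slot), then trim."""
    init = tuple(() for _ in auts)
    trans, todo = {}, [init]
    while todo:
        q = todo.pop()
        if q in trans:
            continue
        trans[q] = {}
        for a in letters:
            if all(a in aut[s] for aut, s in zip(auts, q)):
                trans[q][a] = tuple(aut[s][a] for aut, s in zip(auts, q))
                todo.append(trans[q][a])
    return trim(trans)

def cyclic_schedule(aut, init):
    """Walk deterministically from `init` until a state repeats; returns
    (prefix, cycle) with prefix.cycle^omega accepted, or None if empty."""
    if init not in aut:
        return None
    path, seen, q = [], {}, init
    while q not in seen:
        seen[q] = len(path)
        a = min(aut[q])
        path.append(a)
        q = aut[q][a]
    return path[:seen[q]], path[seen[q]:]
```

With these stand-in matrices the single-loop automaton for k = 8 is nonempty, `online_schedule` with γ = 0 measures the output in every slot and with γ = 1 only as often as the requirement forces, and the three-loop intersection is empty for k = 8 but nonempty for k = 10, mirroring the relaxation step above; `cyclic_schedule` then returns the periodic part of one accepted schedule. A platform constraint of the kind discussed in Section 2.3 would be a further `intersect` over a subset alphabet rather than the one-task-per-slot letters used here.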
For example we can check whether the system can run on a platform that allows any pair of the three tasks to run concurrently by intersecting it with the language ({} + {1} + {2} + {1,2} + {1,3} + {3,2})^ω. This computation takes about 4 minutes (on the same 2 GHz Intel Core Duo laptop) and yields an automaton with 32 states and a non-empty language. As another example, we can also check whether the system is schedulable on a platform that allows tasks 1 and 2 to run concurrently but where task 3 must get an exclusive slot. This amounts to intersecting the requirements automaton with the language ({} + {1} + {2} + {1,2})^ω. After another 4 minutes we get an automaton with a non-empty language, which means that the system is schedulable on such a platform. The resulting automata can be used to extract platform-specific schedules. Note that if the platform is fixed we can optimize the procedure by only considering the allowed alphabet in the first place.

4.4 Using automata to assure step response properties

In many control applications a step response with desired properties is required. We show as an example how settling time can be guaranteed. Consider a system with two modes of operation

$x(t+1) = A_{\sigma_t} x(t) + B_{\sigma_t} u(t), \quad y(t) = C_{\sigma_t} x(t)$

where A 1 = (.3734 .5425; .5425 .75658), B 1 = (.6938; .352), C 1 = (.2464 .866) and A 0 = (.3734 .5425; .5425 .75658), B 0 = (.22; .52), C 0 = (.5 .3). When the loop is closed with unity negative feedback, u(t) = r(t) − y(t), the state equation is

$x(t+1) = (A_{\sigma_t} - B_{\sigma_t} C_{\sigma_t})\, x(t) + B_{\sigma_t} r(t)$

where r(t) is the value of the reference signal at time t and x(t) is the state of the system. The particular requirement that we want to guarantee is

$G(5, 15, 0.6, 0.86) = \{ \sigma : \text{if } r(0) = \cdots = r(t-1) = 0 \text{ and } r(t) = \cdots = r(t+15) = 1 \text{ then } y(t+5), \ldots, y(t+15) \in (0.6, 0.86) \}.$

In words: we want the step response to settle in the interval (0.6, 0.86) within 5 steps. To compute an automaton for this set we compute the set B of all schedules of length 15 that do not satisfy the above requirement. The computation takes a few seconds (on a 2 GHz Intel Core Duo laptop) and gives a list of 74 words (out of $2^{15} = 32768$). The computation of an automaton whose language is all words that do not contain any substring in B takes 5 minutes (on the same machine) and yields an automaton with 355 states. If we want a periodic schedule of length 4 we can intersect the resulting automaton with the language $\{ \sigma^\omega : \sigma \in \{0,1\}^4 \}$. This gives the automaton depicted in Figure 6.

[Figure 6. Automaton for periodic schedules that satisfy the settling-time requirement.]

5 Conclusions and Future Work

We have illustrated the use of formal languages and Büchi automata over infinite words as an expressive, analyzable and composable specification framework for resource requirements. In the proposed methodology the control designer, instead of specifying a fixed period, specifies an ω-regular language L of schedules that are acceptable for control performance. As components are added, their resource specifications are composed using automata-theoretic operations, and the system is schedulable as long as the specification language of acceptable schedules is nonempty. We have presented a case study that shows that for certain performance objectives automata have the suitable expressiveness and allow performance varying with the load.

We are designing a prototype implementation for scheduling of control systems. As the number of components grows we will have to address scalability issues (since checking emptiness requires constructing the product of component specifications followed by the trimming operation). We hope that the symbolic representations developed in the model checking literature will be useful for this purpose. We have recently shown that the performance gap between the model-level semantics of proportional-integral (PI) controllers and their implementation-level semantics can be rigorously quantified if the controller implementation is executed on a predictable time-triggered architecture according to a given periodic schedule [16]. We are exploring whether this result can be lifted to ω-regular languages of schedules. Scanning all possible words, as in the algorithm proposed in Section 3, is not always necessary. Finding better ways to explore the possible evolutions and quantify their performance is a subject for future research. We hope that clever algorithms will allow the construction of automata for larger systems and more complicated requirements. We focus on scheduling a single computational resource, but it is clear that the developed methods can be used for other applications such as scheduling network access and multiple resources. Possible extensions to the framework include distributed and observation-guided scheduling.

Acknowledgments

We thank George Pappas for fruitful discussions related to this paper. This research was partially supported by NSF grants CPA 5449 and CSR-EHS 5943.

References

[1] Y. Abdeddaïm and O. Maler. Job-shop scheduling using timed automata. In Proc. of the 13th Conf. on Computer Aided Verification (CAV), pages 478–492, 2001.
[2] M. Anand, S. Fischmeister and I. Lee. Composition techniques for tree communication schedules. In 19th Euromicro Conference on Real-Time Systems (ECRTS), 2007.
[3] S.K. Baruah. A general model for recurring real-time tasks. In Proceedings of the 19th IEEE Real-Time Systems Symposium, pages 114–122, 1998.
[4] G.C. Buttazzo. Hard Real-Time Computing Systems: Predictable Scheduling Algorithms and Applications. Kluwer Academic Publishers, 1997.
[5] L. de Alfaro and T.A. Henzinger. Interface automata. In Proc. of the 9th Symp. on Foundations of Software Engineering (FSE), pages 109–120. ACM Press, 2001.
[6] Z. Deng and J. Liu. Scheduling real-time applications in an open environment. In Proceedings of the 18th IEEE Real-Time Systems Symposium, pages 308–319, 1997.
[7] C.C. Han, K.J. Lin and C.J. Hou. Distance-constrained scheduling and its applications to real-time systems. IEEE Trans. Comput., 45(7):814–826, 1996.
[8] T.A. Henzinger, B. Horowitz and C.M. Kirsch. Giotto: A time-triggered language for embedded programming. Proceedings of the IEEE, 91(1):84–99, 2003.
[9] H. Kopetz and G. Bauer. The time-triggered architecture. Proceedings of the IEEE, 91(1):112–126, 2003.
[10] H. Kopetz. Real-Time Systems: Design Principles for Distributed Embedded Applications. Kluwer Academic Publishers, 1997.
[11] D. Liberzon. Switching in Systems and Control. Birkhäuser, 2003.
[12] C. Liu and J. Layland. Scheduling algorithms for multiprogramming in a hard real-time environment. Journal of the ACM, 20(1), 1973.
[13] N.A. Lynch, R. Segala and F.W. Vaandrager. Hybrid I/O automata. Information and Computation, 185(1):105–157, 2003.
[14] A.K. Mok and A.X. Feng. Towards compositionality in real-time resource partitioning based on regularity bounds. In Proceedings of the 22nd IEEE Real-Time Systems Symposium, pages 129–138, 2001.
[15] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems: Specification. Springer-Verlag, 1991.
[16] J. Nilsson. Real-Time Control Systems with Delays. Ph.D. thesis, Lund Institute of Technology, 1998.
[16] T. Nghiem, G.J. Pappas, A. Girard and R. Alur. Time-triggered implementations of dynamic controllers. In Proceedings of the 6th Annual ACM Conference on Embedded Software (EMSOFT), pages 2–11, 2006.
[17] P. Pop, P. Eles and Z. Peng. Schedulability analysis for systems with data and control dependencies. In Euromicro Conference on Real-Time Systems, pages 201–208, 2000.
[18] J. Regehr and J.A. Stankovic. HLS: A framework for composing soft real-time schedulers. In Proceedings of the 22nd IEEE Real-Time Systems Symposium, pages 3–14, 2001.
[19] I. Shin and I. Lee. Compositional real-time scheduling framework. In Proceedings of the 25th IEEE Real-Time Systems Symposium, pages 57–67, 2004.
[20] E.D. Sontag. Mathematical Control Theory: Deterministic Finite-Dimensional Systems, volume 6 of Texts in Applied Mathematics. Springer, 1998. Second edition.
[21] W. Thomas. Automata on infinite objects. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B, pages 133–191. Elsevier Science Publishers, 1990.
[22] M.Y. Vardi and P. Wolper. Reasoning about infinite computations. Information and Computation, 115(1):1–37, 1994.
[23] G. Weiss and R. Alur. Automata based interfaces for control and scheduling. In Proc. 10th Int. Workshop on Hybrid Systems: Computation and Control (HSCC), LNCS 4416, pages 601–613. Springer, 2007.
[24] http://www.mathworks.com/products/matlab/