emc2 – executable application models and design tools for ... · emc2 { executable application...

19
EMC 2 – Executable Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems Technical Focus ARTEMIS Technology Conference, EMC 2 Workshop, October 6 2016 1 / 16

Upload: others

Post on 26-Jun-2020

26 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: EMC2 – Executable Application Models and Design Tools for ... · EMC2 { Executable Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems Technical

EMC2 – Executable Application Models and Design Tools for

Mixed-Critical, Multi-Core Embedded Systems

Technical Focus

ARTEMIS Technology Conference, EMC2 Workshop, October 6 2016

1 / 16

Page 2: EMC2 – Executable Application Models and Design Tools for ... · EMC2 { Executable Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems Technical

Motivation: Reconcile Computation and Control

Context: smart embedded systems involve increasingly complex tasks andparallel computing resources, in the control loop

fuel_rate

1

validate_sample_time

In1

fuel_calc

est_airflow

fb_correction

fuel_mode

fuel_rate

control_logic

es_i

es_o

O2_normal

fuel_mode

airflow_calc

sensors

O2_normal

fuel_mode

est_airflow

fb_correction

sensors

1

O2

1

Pressure

2

Throttle

3

Speed

4

Fail 5

MultiThree FourTwoOneNone

Fueling_Mode 6Fuel_Disableden:fuel_mode = DISABLED;

Overspeed

Shutdown

Running H

Low_Emissionsen:fuel_mode = LOW;

HWarmup

Normal

Rich_Mixtureen:fuel_mode = RICH;

Single_Failure

INC INC1

DEC1

DEC2

INC

1

INC2

DECDEC2

{es_o = es_i;}

[es_i.speed > max_speed]

2

[! in(Fail.Multi)]

1

enter(Fail.Multi)

1

exit(Fail.Multi)

[in(Speed.normal) & ...es_i.speed < (max_speed − hys)]

[in(Fail.Multi)]

2

[in(Fail.One)]

1

[in(Fail.One)]

[in(Fail.None)]

[in(O2.A.O2_normal)]

2

Feedback Control

Feedforward Control

fb_correction

2

est_airflow

1

Throttle Transient

.01−.01z −1

1−.8z −1

<=

==

Ramp Rate Ki

2−D T(u)u1

u2

Pumping Constant

2−D T(u)u1

u2

Oxygen Sensor

Switching Threshold

0.5

sld_FuelModes.LOW

K Ts

z−1

Convert

0

0.5

fuel_mode

3

O2_normal

2

sensors

1

<speed>

<throttle>

normal_operation

e1

enable_integration

e0

<map>

<ego>

dataflow

automata

Block-diagram, synchronous languages

Distribution?Acceleration?Scalability?Efficiency?Isolation?Races?Heisenbugs?

2 / 16

Page 3: EMC2 – Executable Application Models and Design Tools for ... · EMC2 { Executable Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems Technical

Motivation: Reconcile Computation and Control

→ Parallelizing compilation for block-diagrams and state machines(so-called synchronous programs), integrating non-functional constraints:e.g., porting computational libraries to safety-critical environments is aburning challenge

→ Modeling the system and providing guarantees that parts of thesystem achieve a desired contract: e.g., timing composability , isolation

→ New applications such as online optimization, high-performancesimulation, monitoring, data analytics in control systems

→ Also, security is a growing dimension, from logical/software bugs toside-channel attacks and hardware fault injection

3 / 16

Page 4: EMC2 – Executable Application Models and Design Tools for ... · EMC2 { Executable Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems Technical

Motivation: Reconcile Computation and Control

Prototypical scenario: online optimization in the loop of a safety-criticalsystem

E.g., (Fast) Model Predictive Control : anticipate input sequence withreceding horizon, relying on convex solvers with incrementally refinedprecision, possibly running in parallel with a safe but less optimized PIDcontroler

(courtesy Morari, Hempel, ETHZ)

4 / 16

Page 5: EMC2 – Executable Application Models and Design Tools for ... · EMC2 { Executable Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems Technical

Correct and Efficient Concurrency “By Construction”Between the hammers of

correction, programmability , certification, performanceand the anvil of cost

Proposed Approach... or, when reliability meets efficiency

1. A single source code should serveI as an abstract model for verificationI as an executable model for simulationI as the high level program from which target-specific

sequential/parallel code is generated

2. Provide correctness and safety guarantees throughout the design andrefinement phases, and through compilation

3. Rely upon proven and efficient execution environnements

4. Rely upon formal models of SW stack and HW platform, to improvequality and ease certification 5 / 16

Page 6: EMC2 – Executable Application Models and Design Tools for ... · EMC2 { Executable Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems Technical

Case Study – Passenger Exchange

I MissionI Issue commands to open or

close doors according to agiven plan

I Announce imminent dooropening/closing topassengers

I Warn the traffic supervisionwhen the passenger exchangecannot be completed

I SafetyI While the train has not

stopped securely, the doorscannot be opened

I Only properly aligned doorscan be opened

I The train is only allowed toleave when all doors areclosed

6 / 16

Page 7: EMC2 – Executable Application Models and Design Tools for ... · EMC2 { Executable Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems Technical

Case Study – Experimental Platform: Zynq 7k

7 / 16

Page 8: EMC2 – Executable Application Models and Design Tools for ... · EMC2 { Executable Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems Technical

Case Study – Mixed-Time-Critical Chronogram

Timecritical

Non-timecritical

Noncritical

1. GetPlatform

2. ComputeDoor Map

3. CheckDoor Map

4. ComputeCommands

5. CheckCommands

6. CheckDepartureConditions

7. LoggingUtility

8 / 16

Page 9: EMC2 – Executable Application Models and Design Tools for ... · EMC2 { Executable Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems Technical

Case Study – Tasks Missing Deadlines

Time-triggered protocol

Time-criticalI Computing (TCCP)

I Copy to buffer (TCTB)

I Copy from buffer (TCFB)

Non-time-criticalI Computing (NTCCP)

I Copy to buffer (NTCTB)

I Copy from buffer (NTCFB)

9 / 16

Page 10: EMC2 – Executable Application Models and Design Tools for ... · EMC2 { Executable Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems Technical

Case Study – Platform Configuration

I ARM core 0: non-time-critical and non-critical tasks, Linux

I ARM core 1: time-critical tasks, bare-metal environment, softwarestack running in on chip memory of 256KB (code and data)

I FPGA: communication buffers

Hardware configuration (Vivado)Resource Used Available Util%Slice LUTs 2345 53200 4.40%Slice Registers 2815 106400 2.64%Block RAM Tile 8 140 5.71%

10 / 16

Page 11: EMC2 – Executable Application Models and Design Tools for ... · EMC2 { Executable Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems Technical

Case Study – Modeling/Programming Flow

Aiming for SIL 4 certification→ synchronous programming methodology

Listing 1: Simplified check commands in Heptagon

node check_command(door_command : command; door_map : int)

returns (safe_command : command)

letsafe_command = if door_map <> -1 then door_command else None;

tel

task check_commands(unpunctual door_commands : command^n; door_map : int^n)

returns (safe_commands : command^n)

letif ontime door_commands thensafe_commands = map<<n>> check_command(door_commands, door_map);

elsesafe_commands = None^n;

endtel

11 / 16

Page 12: EMC2 – Executable Application Models and Design Tools for ... · EMC2 { Executable Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems Technical

Case Study – Modeling/Programming Flow

Aiming for SIL 4 certification→ synchronous programming methodology

Listing 2: Snippet of the passenger exchange in Heptagon

node passenger_exchange(train_position : int)

returns (safe_door_commands : command^n; departure_authorization : bool)

varplatform : int;

unpunctual door_map : int^n;

safe_door_map : int^n;

unpunctual door_commands : command^n;

letplatform = get_platform(train_position);

door_map = compute_door_map(platform);

safe_door_map = check_door_map(door_map, platform);

door_commands = compute_commands(door_map);

safe_door_commands = check_commands(door_commands, safe_door_map);

departure_authorization = check_departure_conditions(safe_door_commands);

tel

11 / 16

Page 13: EMC2 – Executable Application Models and Design Tools for ... · EMC2 { Executable Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems Technical

Case Study – Modeling/Programming Flow

Aiming for SIL 4 certification→ synchronous programming methodology

Listing 3: Time-critical C code generated by the Heptagon compilervoid passenger_exchange_tc(int train_position,

command safe_door_commands[8],

bool* departure_authorization) {

int platform, door_map[8], safe_door_map[8];

command door_commands[8];

bool ontime1, ontime2;

get_platform(train_position, &platform);

send(0, &platform, sizeof(int), TC);

ontime1 = receive(1, door_map, sizeof(int) * 8, TC);

check_door_map(ontime1, door_map, safe_door_map);

ontime2 = receive(2, door_commands, sizeof(command) * 8, TC);

check_commands(ontime2, door_commands, safe_door_map, safe_door_commands);

check_departure_conditions(safe_door_commands, departure_authorization);

}

11 / 16

Page 14: EMC2 – Executable Application Models and Design Tools for ... · EMC2 { Executable Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems Technical

Case Study – Modeling/Programming Flow

Aiming for SIL 4 certification→ synchronous programming methodology

Listing 4: Non-time-critical C code generated by the Heptagon compilervoid passenger_exchange_ntc() {

int platform, door_map[8];

command door_commands[8];

receive(0, &platform, sizeof(int), NTC);

compute_door_map(platform, door_map);

send(1, door_map, sizeof(int) * 8, NTC);

compute_commands(door_map, door_commands);

send(2, door_commands, sizeof(command) * 8, NTC);

}

11 / 16

Page 15: EMC2 – Executable Application Models and Design Tools for ... · EMC2 { Executable Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems Technical

Case Study – Model/Code Metrics

Software specifications metricsFunctions ≈ 30Requirements ≥ 100

Code metrics Files LOCHeptagon sources 27 2741C generated from Heptagon 70 7014Additionnal C code 11 611

12 / 16

Page 16: EMC2 – Executable Application Models and Design Tools for ... · EMC2 { Executable Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems Technical

EMC2 – Executable Application Models and Design Tools for

Mixed-Critical, Multi-Core Embedded Systems

Selected Scientific and Technical Challenges

ARTEMIS Technology Conference, EMC2 Workshop, October 6 2016

13 / 16

Page 17: EMC2 – Executable Application Models and Design Tools for ... · EMC2 { Executable Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems Technical

Point of View – Models of Computation

Moving from abstract MoC to concrete programs

I ?DF models: lessons from research tools (Ptolemy, StreamIt) andproduction (COMPAAN, ΣC)

I What is the role of static analysis in the abstraction of concreteprograms into manageable MoCs?

I What is the role of profile-driven and dynamic analyses (see RWTHand Silexica’s MAPS framework)?

I Competition for resources: responsibility of the tool or programmeror both?

I What should be dealt with statically, dynamically, how to integratenon-functional constraints and objectives?

I Interaction with “concrete programs”, including memorymanagement?

I Issues with expressiveness, modularity, and fundamental researchneeded to clean the chaotic MoC landscape

14 / 16

Page 18: EMC2 – Executable Application Models and Design Tools for ... · EMC2 { Executable Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems Technical

Point of View – Programming LanguagesResearch program in language design

I Build on the synchronous hypothesis in control systems→ relaxation: synchronization up to bounded delay (n-synchrony)→ efficiency: capture fine-grain schedules into the clock calculus

I Explicit parallelism in synchronous/block-diagram languages→ multi-threading and/or explicit distribution→ automatic synthesis of (loosely) time-triggered communications

Tools and software platforms

I Full automation, rigorously established, correctness by construction

I Runtime environment, (asymmetric) multi-processor configuration

Hardware platforms

I Facilitate isolation, functional and non-functional

I Enable timing-composable implementations... while preserving efficient and scalable common-case performance... it can be done without radical changes on the (micro)architecture

15 / 16

Page 19: EMC2 – Executable Application Models and Design Tools for ... · EMC2 { Executable Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems Technical

16 / 16