Lecture 11:
Part I: Zones
Part II: TTAs
CS5270, P.S. Thiagarajan
Zones
• A more compact representation
– of equivalence classes of valuations.
• Can be efficiently represented as Difference Bounded Matrices (edge-weighted directed graphs).
• DBMs admit a canonical representation.
• DBMs can be manipulated efficiently.
Why not regions?
• The number of regions can be very large:
– Exponential in the number of clocks AND in the size of the maximal constants appearing in the clock constraints.
– Practical verification becomes infeasible.
An Example
[Figure: the region graph of two clocks x and y, drawn panel by panel in the (x, y) plane]
– 0-dimensional regions: 12
– 1-dimensional regions: 23
– 2-dimensional regions: 12
– Total number of regions: 47
– One zone: (2 ≤ x ≤ 5) ∧ (2 ≤ y ≤ 4)
Zones
• A zone is a clock constraint of a particular form:
– Z ::= x ~ c | x – y ~ c | Z1 ∧ Z2
– ~ ∈ {<, ≤, >, ≥}
– c is a natural number.
• Every region is a zone (exercise!).
Zone Automaton
• Every TTA has an associated Zone automaton Z_TTA.
• This can be constructed effectively.
• But this does not do too much for us.
• Savings occur when we construct the Zone automaton on the fly to check reachability properties.
The Basic Algorithm
Symbolic Reachability Analysis Algorithm:
  PASSED := ∅; WAIT := {(s0, D0)}
  while WAIT ≠ ∅ do
    take (s, D) from WAIT
    if s = sf then return "YES"
    if D is not a subset of D' for every (s, D') in PASSED then
      add (s, D) to PASSED
      for all (s1, D1) such that (s, D) ----> (s1, D1),
        add (s1, D1) to WAIT
      end for
    end if
  end while
The Zone transition relation
• (s, D) ----> (s, D↑ ∧ I(s))
– D↑ = {V + δ | V ∈ D, δ ≥ 0}
– D↑ is a zone.
– From D we can compute D↑.
• (s, D) ----> (s’, D’) if there is a transition (s, g, X, s’) in TTS such that:
– D’ = R_X(D ∧ g) ∧ I(s’)
– R_X(D) = {R_X(V) | V ∈ D}
• R_X(V)(y) = 0 if y ∈ X, V(y) otherwise.
– R_X(D) is a zone.
– D’ is non-empty.
• D’ is a zone and can be computed from D.
Termination
• To ensure termination (C_x is the maximal constant that x is compared with):
– Remove constraints of the form x < m, x ≤ m, x – y < m and x – y ≤ m if m > C_x.
– Replace x > m and x ≥ m with x > C_x if m > C_x.
– Replace y – x > m and y – x ≥ m with y – x > C_x when m > C_x.
Zone operations
• We need to compute D↑.
• Given D1 and D2, we need to compute D1 ∧ D2.
• Given D and D’ we need to be able to check if D is a subset of D’.
• We must be able to check if D is empty.
Zone representation
• A zone can be represented as a DBM:
– Difference Bounded Matrix.
• Invent a new clock variable x_0 (which will always be 0).
• All basic constraints will be of the form x_i – x_j < m or x_i – x_j ≤ m where m is an integer (positive or negative).
Zone Representation
• x_2 < 3 becomes x_2 – x_0 < 3.
• x_5 ≥ 7 becomes x_0 – x_5 ≤ -7.
• x_2 – x_5 > 8 becomes x_5 – x_2 < -8.
The Matrix Representation
[Figure: an (n+1) × (n+1) matrix whose rows and columns are both indexed x_0, x_1, x_2, …, x_j, …, x_n; the entry in row i, column j records the bound on x_i – x_j]
– x_i – x_j ≤ 2 is stored at (i, j) as the pair (2, 1).
– x_i – x_j < 2 is stored at (i, j) as the pair (2, 0).
[Figure: a worked 4 × 4 example over x_0, …, x_3 whose entries include (0, 10), (0, -4), (0, 3), (0, 5), (0, 2), (0, 2), with ∞ where there is no bound]
The Graph Representation
[Figure: one node per clock; an edge from x to y labelled (k, 1) encodes y – x ≤ k, and an edge from x to y labelled (k, 0) encodes y – x < k]
[Figure: the worked example drawn as a graph on the nodes X0, X1, X2, X3 with edge weights 10, -4, 2, 3, 2 and 5]
Closed Representations
• Two different zones (DBMs) can represent the same set of valuations.
– (y – x ≤ 3, x = 2, y = 4) and (y – x = 2, x = 2, y = 4)
• A zone is closed if no constraint can be strengthened without reducing the set of associated valuations.
• Two closed zones are equivalent iff they are identical.
• So it is good to get closed zones.
Closed Zones
• Take the graph of the zone.
• Remove all redundant edges.
– The edge from x to y with weight k is redundant if there is a path from x to y whose weight is less than or equal to k.
• Using a shortest path algorithm, the closed zone version can be computed in O(n^3) time.
Closed Zones
• If D is closed then D is a subset of D’ iff for every constraint x – y ≤ m’ in D’ there is a constraint x – y ≤ m in D with m ≤ m’.
• If D is closed then D is non-empty iff there are no negative weight cycles in the graph.
• The other operations can also be performed on the graphs efficiently.
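The slides above describe the zone operations, the DBM encoding, closure and the WAIT/PASSED reachability loop separately. As an added example (code written for this page, not from the lecture), here they are together in a small Python DBM: the (m, 1) / (m, 0) bound convention of the matrix slides, Floyd-Warshall closure, the emptiness and inclusion tests from this slide, D↑, R_X, conjunction with a guard, the termination step (simplified to one global maximal constant k instead of the per-clock C_x) and the symbolic reachability algorithm run over a constructed toy automaton. The clock indices, the toy automaton, the global k and the LIFO choice of which WAIT entry to take next are assumptions of this example.

```python
"""Added example (not code from the lecture): zones as DBMs. A bound on x_i - x_j is
(m, 1) for "<= m" or (m, 0) for "< m" as on the slides; x_0 is the reference clock (always 0)."""
from copy import deepcopy
from itertools import product

INF = (float("inf"), 1)   # no constraint on x_i - x_j
ZERO = (0, 1)             # x_i - x_j <= 0

def bound_add(a, b):
    """Path weight: constants add; the sum is strict if either leg is strict."""
    return INF if INF in (a, b) else (a[0] + b[0], min(a[1], b[1]))

def tighter(a, b):
    """Bound a strictly tighter than b: (2, 0), i.e. "< 2", is tighter than (2, 1)."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] < b[1])

def atom(i, j, op, c):
    """x_i - x_j op c as (row, col, bound); j = 0 gives a plain bound on x_i.
    > and >= are flipped as on the slides: x5 >= 7 becomes x0 - x5 <= -7."""
    if op in (">", ">="):
        i, j, op, c = j, i, {">": "<", ">=": "<="}[op], -c
    return i, j, (c, 1 if op == "<=" else 0)

class DBM:
    def __init__(self, n, zero=True):
        # zero=True: all clocks equal 0 (the usual D0); else only x_i - x_i <= 0 and x_i >= 0
        self.n = n
        self.m = [[ZERO if zero or i == j or i == 0 else INF
                   for j in range(n + 1)] for i in range(n + 1)]

    def close(self):
        """Floyd-Warshall shortest paths: the canonical (closed) form, O(n^3)."""
        for k, i, j in product(range(self.n + 1), repeat=3):
            via = bound_add(self.m[i][k], self.m[k][j])
            if tighter(via, self.m[i][j]): self.m[i][j] = via
        return self

    def is_empty(self):
        """Closed DBM: empty iff a negative-weight cycle shows on the diagonal."""
        return any(tighter(self.m[i][i], ZERO) for i in range(self.n + 1))

    def subset_of(self, other):
        """Closed DBMs: D within D' iff every bound of D is at least as tight."""
        return all(not tighter(other.m[i][j], self.m[i][j])
                   for i, j in product(range(self.n + 1), repeat=2))

    def conj(self, atoms):
        """D and g: tighten the named cells, then re-close."""
        d = deepcopy(self)
        for i, j, b in atoms:
            if tighter(b, d.m[i][j]): d.m[i][j] = b
        return d.close()

    def up(self):
        """Delay successor D^: drop the upper bounds x_i - x_0 (stays closed)."""
        d = deepcopy(self)
        for i in range(1, self.n + 1): d.m[i][0] = INF
        return d

    def reset(self, clocks):
        """R_X(D): a reset clock takes the row and column of x_0 (stays closed)."""
        d = deepcopy(self)
        for x in clocks:
            for j in range(self.n + 1):
                d.m[x][j], d.m[j][x] = d.m[0][j], d.m[j][0]
        return d

    def normalize(self, k):
        """Termination: one global max constant k (slides: per-clock C_x); bounds above k vanish, below -k become "< -k"."""
        d = deepcopy(self)
        for i, j in product(range(self.n + 1), repeat=2):
            if d.m[i][j][0] > k: d.m[i][j] = INF
            elif d.m[i][j][0] < -k: d.m[i][j] = (-k, 0)
        return d.close()

def reachable(init, invariant, edges, n, target, k):
    """Slides' WAIT/PASSED algorithm. invariant: location -> atoms; edges: (s, guard atoms, resets, s')."""
    inv = lambda s: invariant.get(s, [])
    passed, wait = [], [(init, DBM(n).conj(inv(init)))]
    while wait:
        s, d = wait.pop()
        if s == target: return True
        if any(s == p and d.subset_of(dp) for p, dp in passed): continue
        passed.append((s, d))
        succ = [(s, d.up().conj(inv(s)))]          # (s, D) --> (s, D^ and I(s))
        for src, guard, resets, dst in edges:       # (s, D) --> (s', R_X(D and g) and I(s'))
            dg = d.conj(guard) if src == s else None
            if dg is not None and not dg.is_empty():
                succ.append((dst, dg.reset(resets).conj(inv(dst))))
        wait += [(s1, d1.normalize(k)) for s1, d1 in succ if not d1.is_empty()]
    return False

# constructed toy automaton: clocks x = x_1, y = x_2; locations a, b, c, d (d is unreachable)
X, Y = 1, 2
INV = {"a": [atom(X, 0, "<=", 5)], "b": [atom(Y, 0, "<=", 2)]}
EDGES = [("a", [atom(X, 0, ">=", 2)], [Y], "b"),
         ("b", [atom(Y, 0, ">=", 1), atom(X, 0, "<=", 3)], [], "c"),
         ("b", [atom(X, Y, ">=", 10)], [], "d")]
```

`reachable("a", INV, EDGES, 2, "c", 10)` answers True (from location b with y ∈ [0, 2] and x – y ∈ [2, 5], the guard y ≥ 1 ∧ x ≤ 3 leaves exactly x = 3, y = 1), while the edge to d needs x – y ≥ 10 and is never enabled, so the search exhausts WAIT and returns False. The closure example of the previous slide comes out as expected too: conjoining y – x ≤ 3, x = 2, y = 4 on an unconstrained `DBM(2, zero=False)` leaves (2, 1) in cell (y, x), i.e. y – x = 2.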
Introduction
• TTP:
– A real-time protocol for distributed systems.
• high dependability
• guaranteed timeliness
• Application domains:
– Automotive electronics
– Fly-by-wire cockpits
– Railway signaling systems
Acknowledgements
• The following slides have been assembled from many web sources. In particular:
• H. Kopetz and G. Grünsteidl; Digest of Papers, FTCS-23 (IEEE CS 23rd Intl. Symp. on Fault-Tolerant Computing), Aug. 1993, pp. 524-533; presented by Shruti Gorappa.
Features of the TTP
• Fault-tolerance
• Small overhead
• Integrates numerous services:
– Predictable message transmission
– Message acknowledgement in group communication
– Clock synchronization
– Membership
– Rapid mode change
– Redundancy management
– Temporary blackout handling
Assumptions
• Fail-silence
– Communication channels only have omission failures.
– Nodes either deliver correct results or no results.
• Internal failures are detected and the node is turned off.
System Overview
• FTU: single or replicated nodes
• Replicated communication channels
• The channel is a broadcast bus
• Access is by TDMA, driven by the progression of global time
• Local node clocks are synchronized by TTP
• Communication by rapid and periodic message exchanges
TTP Design Rationale
• Sparse time base
– Messages are sent only at statically designated intervals
– Inflexible compared to the event-triggered (ET) model, but easier to test
• Use of a priori knowledge
– All nodes are aware of when each node is scheduled to transmit
– Sender node information need not be included in the frame
– Reduced overhead
• Broadcast
– Correctness of a transmitted message can be concluded as soon as one receiver acknowledges message delivery (broadcast medium)
Protocol Highlights
• Bus access
– An FTU will have one or two time slots depending on its class of fault-tolerance
– Slot length may differ from node to node depending on the amount of data it needs to send
– The number of slots in a TDMA round given to an FTU may also differ
• Membership Service
– If a message from a sending node does not occur in its designated interval, its membership is set to 0 in the other nodes
– Membership is checked before transmission. A node is alive if
• Its internal error detection mechanism has not indicated an error
• At least one of its transmitted frames has been correctly acknowledged
Protocol Highlights
• Temporary blackout handling
– Correlated failure of a number of nodes
– Identified by a sudden drop in membership
– Nodes send I-messages and perform local emergency control
– After membership has stabilized, the mode is changed to global emergency service
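The bus-access, membership and blackout slides above describe behaviour that is easy to watch in a small simulation. The following is an added example written for this page; it is not code from the slides and not an implementation of the TTP specification: the slot order, the omission-failure model, the acknowledgement bookkeeping (a node already integrated in the system is assumed to have had a frame acknowledged), and the blackout threshold are all simplifying assumptions made here.

```python
"""Added example, not from the slides or from the TTP specification: a toy
simulation of TDMA bus access with a per-node membership vector and a
temporary-blackout check. The slot order, the omission-failure model, the
acknowledgement bookkeeping and the blackout threshold are assumptions
made for this example, not TTP's real frame formats or algorithms."""
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    internal_error: bool = False   # raised by the node's own error detection
    ever_acked: bool = True        # an earlier frame was acknowledged; assumed True
                                   # for nodes already integrated in the system
    membership: dict = field(default_factory=dict)   # peer name -> 1 (member) or 0

    def alive(self):
        """The slides' pre-transmission check: no internal error indicated and at
        least one transmitted frame correctly acknowledged."""
        return not self.internal_error and self.ever_acked

def run_round(nodes, schedule, omitted=frozenset()):
    """One TDMA round over the static slot order `schedule` (sender names that
    every node knows a priori, so frames carry no sender field). `omitted` names
    senders whose frame the channel loses this round (an omission failure).
    Returns each node's member count after the round."""
    by_name = {n.name: n for n in nodes}
    for sender_name in schedule:
        sender = by_name[sender_name]
        on_bus = sender.alive() and sender_name not in omitted
        acks = 0
        for receiver in nodes:
            if receiver is sender:
                continue
            # in the designated slot the frame either arrives or it does not;
            # silence clears the sender's membership bit at every receiver
            receiver.membership[sender_name] = 1 if on_bus else 0
            acks += 1 if on_bus else 0
        if acks:
            sender.ever_acked = True
        sender.membership[sender_name] = 1 if sender.alive() else 0
    return {n.name: sum(n.membership.values()) for n in nodes}

def blackout_detected(before, after, threshold):
    """Temporary blackout (the threshold is an assumption): a node that loses
    `threshold` or more members in one round treats it as a correlated failure,
    switches to local emergency control and sends I-messages until the
    membership has stabilised."""
    return before - after >= threshold

def demo():
    """Constructed scenario on four nodes. Returns (member counts after a clean
    round, counts after a round in which B fails silently and C's frame is lost,
    whether node A declares a blackout with threshold 2)."""
    nodes = [Node("A"), Node("B"), Node("C"), Node("D", ever_acked=False)]
    schedule = ["A", "B", "C", "D"]          # one slot per node, in this order
    clean = run_round(nodes, schedule)
    nodes[1].internal_error = True           # B's error detection fires: fail-silent
    faulty = run_round(nodes, schedule, omitted={"C"})
    return clean, faulty, blackout_detected(clean["A"], faulty["A"], 2)
```

In the clean round D stays silent because it has never been acknowledged, so every node counts three members. In the faulty round B falls silent (fail-silence) and C's frame is lost on the channel; A, B and D therefore count one member each while C, which did transmit, still counts itself, and A sees its membership drop from 3 to 1 in a single round.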
Protocol Highlights
• Temporal encapsulation of nodes
– Communication bandwidth is assigned statically
– Time base is sparse: every input can be observed and reproduced exactly
• Testability
– Easy to test the implementation in comparison to ET
– Easy to simulate: finite number of execution scenarios
• Uncontrolled interactions between nodes are prevented
• Determinism: can replicate states of nodes
Strengths
• Can provide fault-tolerant real-time performance
• Practical (MARS platform), efficient, and scalable
– Can be implemented using available hardware and signalling mechanisms
– Low overhead
– High data rates; used on both twisted-pair and optical-fibre channels
• Reusability, composability, and testability
Weaknesses
• The schedule is fixed, so there is no bandwidth allocated for alarms and other spontaneous messages
• All fault-tolerance mechanisms are implemented at the system level, which means that very little “freedom” is left for application-specific implementations
• Addition of nodes affects the existing system (although not the application)
References
• Kopetz, H., and Grunsteidl, G., "TTP - A time-triggered protocol for fault-tolerant real-time systems", Digest of Papers, FTCS-23 (IEEE CS 23rd Int'l Symp. on Fault-Tolerant Computing), Aug. 1993, pp. 524-533
• The Real-time Systems Research Group, Institut für Technische Informatik, Vienna University of Technology, http://www.vmars.tuwien.ac.at/projects/ttp/ttpmain.html
• Real-Time Communication: Evaluation of protocols for automotive systems, Michael Waern, http://www.md.kth.se/RTC/MSc-theses/RT-Com-EvaluationWaern.pdf
• CAN bus, http://www.can-cia.org/can/protocol/
• Time-triggered Technology, http://www.tttech.com/
Event-triggered Vs. Time-Triggered
• Interface to the external physical world:
– Event-triggered.
• Implementation architecture:
– Time-triggered?
– Predictable
– Composability.
• How to integrate the two paradigms?
– Interesting research opportunities!
The Automotive Electronics Case
• Current scene:
– Current systems contain up to 70 ECUs (Electronic Control Units).
– Each ECU is developed and acts independently; very little integration.
– Communication:
• Event-triggered
• Slow; 500 Kbits/sec
The Automotive Electronics Case
• Next Generation:
– Integrated architecture.
– Distributed, safety-critical, real time.
– Why?
• Costs:
– reduce the number of ECUs.
• Reliability
• Safety
• Multiple use of sensors.
Conclusion
• Time-Triggered architectures and
protocols are likely to become important.
• Also related to synchronous programming
languages:
– Lustre, Signal, Esterel
• There are also other timed models:
– Timed Petri nets, …