## Loosely Time-Triggered Architectures for Distributed Control Applications

Albert Benveniste (Inria-Rennes), Paul Caspi † (formerly Verimag)

also contributions from Anne Bouillard, Alberto Sangiovanni-Vincentelli, Stavros Tripakis, Claudio Pinello, Benoit Caillaud and **Guillaume Baudart**

Collège de France — March 5, 2014

Benveniste et al. ()

Loosely Time-Triggered Architectures for Distributed Control Applications 1 / 38


## Paul Caspi



The father of this work is Paul Caspi. In the 1990's he was consulting for Airbus, Toulouse, flight control department. He noticed that Airbus was using a time-triggered but asynchronous computing and communication infrastructure for distributed control. A sophisticated discipline for Scade programming was used to compensate for the resulting artifacts. Paul launched PhDs to analyze and formalize this. With a number of colleagues, we subsequently discovered that the right formalization was a new middleware that we decided to call LTTA.




## Outline

1. Motivations
2. From synchronous programs to 1-safe nets
3. Loosely Time-Triggered Architecture
4. Back-Pressure LTTA
5. Time-based LTTA
6. Performances and comparison
7. Extensions
8. Conclusion

## Motivation: model based design process

From Federated to Integrated Architectures: IMA in aeronautics




## Motivation: model based design process

From Federated to Integrated Architectures: AUTOSAR in automobile

#### Key AUTOSAR "Methodology and RTE"




## Motivation: model based design process

Model-based design processes: IMA in aeronautics

[Screenshot: "SCADE Solutions for ARINC 661 Compliant Systems", Esterel Technologies, http://www.esterel-technologies.com/products/scade-arinc-661/ : a fully-integrated COTS solution for the specification, development and certification of avionics displays following the ARINC 661 standard]


## Motivation: model based design process

Model-based design processes: AUTOSAR in automobile



[Screenshot: Dassault Systèmes "AUTOSAR Builder" product page: an open, flexible modeling and simulation tool for AUTOSAR compliant embedded systems; panels: System design and configuration; Software component design and coding; Real-time executable generation; Virtual Functional Bus (VFB) simulation]




## Motivation: model based design process

Model-based design processes:

- Models of Computation and Communication (MoCC)
  - For the functions (synchronous programming, Kahn Networks...) with corresponding formalisms
  - For the architectures: this talk


## Motivation: TTA

Architecture MoCCs:

- TTA (Time-Triggered Architecture) [Hermann Kopetz 1987, 1991] A comprehensive MoCC-based architecture:
  - strong synchrony
  - global discrete notion of time
  - time-based fault-tolerance
  - time-based scheduling (TDMA)
  - time-based interfaces
- Resistances to TTA:
  - cost of synchronization
  - rigidity of TDMA
  - cost of re-design (adaptations & upgrades)


## Motivation: resistances to TTA



Diagram labels:

- Computers on trains for speed control
- Computers on tracks for collision avoidance and to avoid losing a train (ghost train!!)
- MBPC
- Wired communications for fixed computers
- For computers on trains: use wheels or wireless
- Communication by Sampling (LTTA)

## Motivation: resistances to TTA

#### AFDX technology – Addressing: MAC, IP, UDP




## Motivation: resistances to TTA



#### Quote from TTTech

TTEthernet is a fault-tolerant real-time communication protocol for safety-related systems. It integrates data flows of time-triggered, rate-constrained, and standard Ethernet in one physical infrastructure. The TTEthernet switches provide the means for robust partitioning between these three traffic classes.


## Motivations and Overall Objectives

When no TTA infrastructure can be offered by the medium itself, e.g.:

- wide area distributed system
- wireless
- other...(available asynchronous infrastructure)

but it is still wanted to have a

- coherent *logical* synchronous basis
- with, preferably, controlled timing behavior, then:

**Relax TTA to LTTA (Loosely Time-Triggered Architecture)**


## From synchronous programs to 1-safe nets

A synchronous machine with two computers and two 1-buffers

top: a data-flow representation of the synchronous machine (1-buffer W<sub>2</sub>); bottom: a net form, where the subset of red places represents the end of each reaction; dashed: back-pressure

## From synchronous programs to 1-safe nets

A synchronous machine with two computers and two 1-buffers

top: a data-flow representation of the synchronous machine (1-buffer W<sub>2</sub>); bottom: a net form where no special places are distinguished; this yields a net model of a 1-buffer Kahn network



## From synchronous programs to nets

- This shows that 1-clocked synchronous programs having no delay-free circuit can be implemented on 1-buffered nets
- For multi-clocked synchronous programs, tokens hold a  $\perp$  to indicate absence of data; is it possible to get rid of this signalling overhead?
- Yes it is! Assuming tokens carry data:
  - if, by only reading its present input tokens, a transition can infer which tokens will be absent in the next firing, then *this transition does not need the*  $\perp$  *signaling*; such a transition is called endochronous
- If a net is such that all its transitions are endochronous, then the ⊥-labeled tokens need not be circulated and the resulting net provides a model of the asynchronous execution of the synchronous program

This is the subject of extensive research in the synchronous languages community (Caillaud, Potop...) and also related to asynchronous circuits



## Loosely Time-Triggered Architecture



#### Communication by Sampling

- Communication medium ~ set of shared memories, 1 per variable
- Each computer periodically samples its external world, and so does the communication medium itself

Advantages:

- communication medium off-the-shelf
- autonomy, no deadlock, no livelock

Results, however, in losses and duplications


## Loosely Time-Triggered Architecture



Problems when writing/sensing with non-synchronized clocks:



no harm so far for continuous feedback control

RT-Builder [Geensys→DS] JitterBug/TrueTime [Arzen]


## Loosely Time-Triggered Architecture



Problems when writing/sensing multiple discrete signals:

Cases 1 and 2 correspond to two different outcomes for the local clock of  $A_1$ .



## Loosely Time-Triggered Architecture

A two-level architecture:

- Low-level high-speed computing layer
  - for use in continuous feedback control
  - Communication by Sampling used as such; no protocol, no middleware
  - robustness to artifacts ensured thanks to
    - continuity properties of the physical system under control, and
    - advanced techniques of robust control design
- Top-level lower-speed computing layer
  - for use in discrete control (protection handling, mode management)
  - middleware ensuring strict preservation of semantics

Case of interest: all-electric aircraft

- feedback control of electric motors with a  $\mu$ -sec time scale (AFDX and ARINC technologies not fast enough)
- flight control and flight management with a m-sec time scale



## Preservation of the semantics: the problem



Flow equivalence ensured by a special LTTA protocol on top of Communication by Sampling

Two approaches:

- building on back-pressure and elastic circuits
- building on time by "making events thick"



## Back-Pressure LTTA

Principle:

- start with a target architecture that is a 1-safe, conflict-free Petri net (an event graph):
  - nodes alternate input-reads and output-writes
  - links are
    - FIFO of finite size, modeled by a series of place-transitions in sequence
    - together with a mirroring back-pressure virtual link with the same amount of successive place-transitions
  - this is called an *elastic circuit* in asynchronous hardware
  - it can implement a Kahn network with bounded buffer size




## Back-Pressure LTTA

top: node as a net (reads and writes alternate)

bottom: link as a net (1-buffer on each link); $\mathcal{N}_{ji}$: directed link $j \rightarrow i$; dashed: back-pressure

The BP-EC (elastic circuit) is the product

$$\left(\prod_{i}\widetilde{\mathcal{N}}_{i}\right)\times\left(\prod_{j\to i}\mathcal{N}_{ji}\right)$$


## Back-Pressure LTTA

top: node as a net (reads and writes alternate); bottom: link as a net (1-buffer on each link)

Problem: fail-stop of a node blocks the entire net



Principle (continued):

- Add a skipping mechanism
  - allowing nodes to fire freely, triggered by their local clocks, without getting blocked by tokens originating from other nodes.


## Back-Pressure LTTA

BP-LTTA: the BP-EC extended with the skipping mechanism ($\mathcal{N}_{ji}$: directed link $j \rightarrow i$; dashed: back-pressure; figure not reproduced)


Features:

- In the absence of failures, a logical synchronous pace is provided with no prior assumption regarding local clocks
- Nodes are triggered by their own local clocks
  - $\implies$  node activation is robust against fail-stop nodes and local computing activities survive node failure
- Still, abstracting away the (lower priority) skipping mechanism yields again the BP architecture (~ elastic circuit):
  - $\implies$  communication does not survive node failure
  - $\implies$  the pace of fetching fresh data coincides with that of pure BP
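The losses and duplications of raw Communication by Sampling (CbS slide above) and the back-pressure 1-buffers with skipping just described, as an added Python simulation that is not the talk's own code; the two-node program, the clock periods and the communication delay are constructed for the demo:

```python
"""Added illustration (not the talk's own code): a two-node synchronous
machine deployed (a) by raw Communication by Sampling and (b) by the
back-pressure LTTA mechanism with 1-buffer links and skipping.

Synchronous program with 1-delay links, constructed for this demo:
    x_n = y_{n-1} + 1   (node A)       y_n = 2 * x_{n-1}   (node B)
with x_0 = y_0 = 0 as the initial tokens on the two links."""


def reference_run(n_steps):
    """Synchronous semantics: the flows any correct deployment must reproduce."""
    xs, ys = [0], [0]
    for _ in range(n_steps):
        xs.append(ys[-1] + 1)       # x_n from y_{n-1}
        ys.append(2 * xs[-2])       # y_n from x_{n-1} (xs[-1] is the new x_n)
    return xs[1:], ys[1:]


def ticks(periods, horizon):
    """Merged stream of (time, node) for unsynchronized local clocks.
    periods: node -> (period, phase); sorting also fixes the tie order."""
    events = []
    for node, (period, phase) in periods.items():
        t = phase
        while t <= horizon:
            events.append((t, node))
            t += period
    return sorted(events)


# Per node: step function, input variable, output variable.
STEP = {"A": (lambda y: y + 1, "y", "x"), "B": (lambda x: 2 * x, "x", "y")}


def run_cbs(periods, horizon):
    """Raw Communication by Sampling: one shared memory per variable, no protocol.
    Every tick samples the input and overwrites the output. Each value carries a
    write sequence number so losses (a value never read) and duplications (the
    same value read twice in a row) can be counted."""
    mem = {"x": (0, 0), "y": (0, 0)}            # value, sequence number
    writes = {"x": 0, "y": 0}
    read_seqs = {"A": [], "B": []}
    for _, node in ticks(periods, horizon):
        fn, src, dst = STEP[node]
        value, seq = mem[src]                   # sample whatever is there now
        read_seqs[node].append(seq)
        writes[dst] += 1
        mem[dst] = (fn(value), writes[dst])     # overwrite, read or not
    stats = {}
    for node, (_, src, _) in STEP.items():
        seqs = read_seqs[node]
        stats[node] = {
            "duplicates": sum(1 for a, b in zip(seqs, seqs[1:]) if a == b),
            "losses": len(set(range(1, writes[src] + 1)) - set(seqs)),
        }
    return stats


def run_bp(periods, horizon, delay=0):
    """Back-pressure LTTA. Each link is a 1-place buffer whose token becomes
    visible to the reader `delay` time units after it is written (the
    back-pressure acknowledgement is assumed instantaneous, a simplification).
    A node alternates a read phase and a write phase, one per local tick: it
    reads only when its input token is present, writes only when its output
    buffer is empty, and otherwise skips the tick (nobody ever blocks)."""
    link = {"x": (0, 0), "y": (0, 0)}           # value, time it becomes visible
    phase = {"A": ("read", None), "B": ("read", None)}
    flows = {"x": [], "y": []}
    skips = {"A": 0, "B": 0}
    for now, node in ticks(periods, horizon):
        fn, src, dst = STEP[node]
        mode, held = phase[node]
        if mode == "read":
            token = link[src]
            if token is None or token[1] > now:
                skips[node] += 1                # no fresh input yet
                continue
            link[src] = None                    # consuming frees the producer
            phase[node] = ("write", fn(token[0]))
        else:
            if link[dst] is not None:
                skips[node] += 1                # back-pressure: reader is late
                continue
            link[dst] = (held, now + delay)
            flows[dst].append(held)
            phase[node] = ("read", None)
    return flows, skips


def flow_equivalent(flows):
    """True when both produced flows are prefixes of the synchronous semantics."""
    xs, ys = reference_run(max(len(flows["x"]), len(flows["y"])))
    return flows["x"] == xs[:len(flows["x"])] and flows["y"] == ys[:len(flows["y"])]


if __name__ == "__main__":
    clocks = {"A": (3, 0), "B": (5, 0)}         # constructed, unsynchronized periods
    print("CbS losses/duplications:", run_cbs(clocks, 60))
    flows, skips = run_bp(clocks, 60, delay=1)
    print("BP-LTTA flows:", flows, "skips:", skips, "equivalent:", flow_equivalent(flows))
```

Changing the periods or the delay never changes the BP-LTTA flows, only the skip counts, which is the flow equivalence the slides claim; the CbS run loses and duplicates values as soon as the two clocks differ.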


## Time-based LTTA

Principle:

- Here we ensure robustness against fail-stop nodes for both
  - node activation (as in BP-LTTA)
  - and communication
- Requires prior assumptions regarding local clocks (bounds on intervals between successive ticks)


## Time-based LTTA: approach



Time-based, pure CbS link (top), compared to BP-link (bottom); observe the lack of synchronization that results

#### Re-synchronization

Re-synchronization consists in ensuring a clean alternation of writing and reading phases throughout the entire architecture. This is achieved by:

- slowing-down by synchronizing on *local* physical time
- accelerating using a token-based *publication* broadcast

## Time-based LTTA: distributed protocol



**Assumption**: Inter-tick time of local clocks:  $T_{\min} \le \kappa_{k+1}^i - \kappa_k^i \le T_{\max}$ ; Communication delays:  $\tau_{\min} \le \tau \le \tau_{\max}$ .

**Theorem**: with adequate choices of $p$ and $q$, the TB-LTTA net ensures a clean alternation of global read and write periods





## Back-pressure LTTA performance

- Inter-tick time of local clocks:  $T_{\min} \leq \kappa_{k+1}^i - \kappa_k^i \leq T_{\max}$
- Communication delays:  $\tau_{\min} \leq \tau \leq \tau_{\max}$ .



Performance of Back-Pressure LTTA (computed with the max/+ algebra). Elastic circuit (no periodic clock):

$$\lambda_{\widetilde{\mathcal{N}}} = \frac{1}{2\max(T_{\max}, \tau_{\max})}$$

With clock and skipping mechanism, substitute $T_{\max} \leftarrow T_{\max}$ and $\tau_{\max} \leftarrow \tau_{\max} + T_{\max}$:

$$\lambda_{\mathcal{N}} = \frac{1}{2(T_{\max} + \tau_{\max})}$$

## Time-based LTTA performance



Correctness of time-based LTTA

These conditions on $p$, $q$ ensure  $\hat{\mathcal{L}}_{\mathcal{M}} = \mathcal{L}_{\widetilde{\mathcal{N}}}$ :

$$\begin{array}{lll} p & > & \frac{2\tau_{\max}}{T_{\min}} + \frac{T_{\max}}{T_{\min}} \\ q & > & \frac{\tau_{\max} - \tau_{\min}}{T_{\min}} + \frac{T_{\max}}{T_{\min}} + p\left(\frac{T_{\max}}{T_{\min}} - 1\right) \end{array}$$

Performance of time-based LTTA

Worst case throughput  $(p_* \text{ and } q_* \text{ optimal})$ :

$$\lambda_{\mathcal{M}} = \frac{1}{(p_\star + q_\star)T_{\max}}$$


## Comparison regarding throughput

- BP-LTTA: lower bound for throughput is

$$\lambda_{\mathcal{N}} = \frac{1}{2(T_{\max} + \tau_{\max})}$$

- TB-LTTA: when delay and jitter are small relative to the nominal period,  $p_{\star} = q_{\star} = 2$  and the lower bound for the throughput is

$$\lambda_{\mathcal{M}} \approx \frac{1}{2} \lambda_{\mathcal{N}}$$

- TB-LTTA, for distant communications or when the clocks are precise, i.e.,  $\tau_{\max} \gg T_{\max} \approx T_{\min}$ : we have  $p_{\star} = 2 \frac{\tau_{\max}}{T_{\min}}$ ,  $q_{\star} = 1$  and the lower bound for the throughput becomes

$$\lambda_{\mathcal{M}} \approx \lambda_{\mathcal{N}}$$
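As an added worked example (not from the talk), the following Python derives $p_\star$ and $q_\star$ as the smallest integers satisfying the two strict inequalities of the previous slide and compares the worst-case throughput bounds $\lambda_{\mathcal{N}}$ and $\lambda_{\mathcal{M}}$ in the regimes listed above; all timing values are constructed:

```python
"""Added worked example (not from the talk): TB-LTTA parameters p*, q* and
the throughput comparison between BP-LTTA and TB-LTTA.
Timing values used below are constructed for illustration."""
from fractions import Fraction as F
from math import floor


def smallest_integer_above(bound):
    """Smallest integer strictly greater than a rational bound."""
    return floor(bound) + 1


def tb_ltta_parameters(t_min, t_max, tau_min, tau_max):
    """p* and q* from the slide's conditions:
         p > 2 tau_max/T_min + T_max/T_min
         q > (tau_max - tau_min)/T_min + T_max/T_min + p (T_max/T_min - 1)
    evaluated exactly with fractions, then rounded up to the next integer."""
    t_min, t_max, tau_min, tau_max = map(F, (t_min, t_max, tau_min, tau_max))
    ratio = t_max / t_min                       # clock jitter factor (>= 1)
    p = smallest_integer_above(2 * tau_max / t_min + ratio)
    q = smallest_integer_above((tau_max - tau_min) / t_min + ratio + p * (ratio - 1))
    return p, q


def throughput_bp(t_max, tau_max):
    """Worst-case BP-LTTA throughput lambda_N = 1 / (2 (T_max + tau_max))."""
    return F(1, 2 * (t_max + tau_max))


def throughput_tb(t_min, t_max, tau_min, tau_max):
    """Worst-case TB-LTTA throughput lambda_M = 1 / ((p* + q*) T_max)."""
    p, q = tb_ltta_parameters(t_min, t_max, tau_min, tau_max)
    return F(1, (p + q) * t_max)


def compare(t_min, t_max, tau_min, tau_max):
    """Return (p*, q*, lambda_M / lambda_N) for one set of timing assumptions."""
    p, q = tb_ltta_parameters(t_min, t_max, tau_min, tau_max)
    ratio = throughput_tb(t_min, t_max, tau_min, tau_max) / throughput_bp(t_max, tau_max)
    return p, q, ratio


if __name__ == "__main__":
    # Regime 1: delay and jitter small w.r.t. the period -> p* = q* = 2, ratio near 1/2
    print("small delay:", compare(10, 10, 1, 1))
    # Regime 2: distant communication, precise clocks -> ratio tends to 1
    print("large delay:", compare(10, 10, 1000, 1000))
    # Jitter on both clocks and delays: p* and q* both grow
    print("jitter     :", compare(8, 10, 1, 3))
```

With strict inequalities the zero-jitter case yields $q_\star = 2$ rather than the slide's approximate $q_\star = 1$; the ratio still tends to 1 as $\tau_{\max}$ grows, which is the comparison the slide makes.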



## Extensions

- So far communications have a 1-delay: $\mathcal{N}_{ji}$ (net figure not reproduced). This can be relaxed: zero-delay communications are allowed, assuming that no zero-delay circuit exists (see paper)
- Back-pressure and time-based LTTA can be blended (see paper)
- For time-based LTTA we required broadcast of publication events. We conjecture that this can be relaxed (but not simply removed)


## Conclusion

- Relaxing TTA to LTTA, a software-based middleware
  - providing a logical synchronous time basis
  - with time bounds under additional assumptions
- Back-Pressure LTTA & Time-Based LTTA
  - similar performances w.r.t. throughput
  - BP-LTTA more flexible
  - TB-LTTA more robust against node failures
  - blending the two is easy and natural (see paper)
- The following services can be borrowed from TTA with no changes:
  - fault tolerance
  - scheduling
  - interfacing


## However...

- Notice from Hermann Kopetz: low cost precise clocks now exist, for synchronization-free distributed control in the range of the  $\mu{\rm sec}$ 
  - does this imply that unsynchronized, precise clock based triggering is enough to ensure full TTA?
  - what about the various OS artifacts?
- Variations about the assumptions for TB-LTTA:
  - studies of real-life constraints for distributed real-time architectures are needed to avoid considering irrelevant assumptions
- It is very welcome that Guillaume Baudart, Timothy Bourke, and Marc Pouzet, reconsider this theory seriously and develop a simulation platform (see Synchron'13 at Dagstuhl)


## Conclusion

- Formal executable models of computing infrastructures are useful for virtual modeling
- Mathematical models are more essential
  - support math reasoning
  - correct-by-construction deployment
  - with no need for extensive virtual model exploration

**MoCCs as important as MOOCs, albeit less buzzy**
