### A Synchronous Approach to Quasi-Periodic Systems

PhD Defense - Guillaume Baudart

March 13, 2017



#### **Reactive systems:**

- constant interaction with the environment
- for an unbounded amount of time
- must not fail



#### **Reactive systems:**

- constant interaction with the environment
- for an unbounded amount of time
- must not fail



#### Quasi-periodic systems:

- several computing nodes
- unsynchronized architecture

#### **Reactive systems:**

- constant interaction with the environment
- for an unbounded amount of time
- must not fail



aircraft, nuclear plants, trains, cars...

#### Quasi-periodic systems:

- several computing nodes
- unsynchronized architecture

Example: Flight Control System



Example: Flight Control System

Two redundant Flight Guidance Systems Only one active side (pilot side)



Example: Flight Control System

Two redundant Flight Guidance Systems Only one active side (pilot side)



Crew can switch from one to the other

Example: Flight Control System

Two redundant Flight Guidance Systems Only one active side (pilot side)



Crew can switch from one to the other

Example: Flight Control System

Two redundant Flight Guidance Systems Only one active side (pilot side)



Crew can switch from one to the other

Generate pitch and roll guidance commands

The two modules must share information to avoid control glitch

Example: Flight Control System

Two redundant Flight Guidance Systems Only one active side (pilot side)

Run embedded application...



Crew can switch from one to the other

Generate pitch and roll guidance commands

The two modules must share information to avoid control glitch

Example: Flight Control System



Crew can switch from one to the other

Generate pitch and roll guidance commands

The two modules must share information to avoid control glitch

For each process, activations are triggered by a **local clock** Execution: infinite sequence of activations

• For each process: **known bounds** for the time between two activations

- **Buffered communication** without message inversion or loss
- Bounded communication delay
  - $0 \le \tau_{\min} \le \tau \le \tau_{\max}$



For each process, activations are triggered by a **local clock** Execution: infinite sequence of activations

• For each process: **known bounds** for the time between two activations

- **Buffered communication** without message inversion or loss
- Bounded communication delay
  - $0 \le \tau_{\min} \le \tau \le \tau_{\max}$



For each process, activations are triggered by a **local clock** Execution: infinite sequence of activations

• For each process: **known bounds** for the time between two activations

- **Buffered communication** without message inversion or loss
- Bounded communication delay
  - $0 \le \tau_{\min} \le \tau \le \tau_{\max}$



For each process, activations are triggered by a **local clock** Execution: infinite sequence of activations

• For each process: **known bounds** for the time between two activations

- **Buffered communication** without message inversion or loss
- Bounded communication delay
  - $0 \le \tau_{\min} \le \tau \le \tau_{\max}$



For each process, activations are triggered by a **local clock** Execution: infinite sequence of activations

• For each process: **known bounds** for the time between two activations

- **Buffered communication** without message inversion or loss
- Bounded communication delay
  - $0 \le \tau_{\min} \le \tau \le \tau_{\max}$



- Overwriting: loss of values
- Oversampling: duplication of values



- Overwriting: loss of values
- **Oversampling:** duplication of values
- Combination of signals



- Overwriting: loss of values
- **Oversampling:** duplication of values
- Combination of signals



- Overwriting: loss of values
- **Oversampling:** duplication of values
- Combination of signals





- Overwriting: loss of values
- **Oversampling:** duplication of values
- Combination of signals



- Overwriting: loss of values
- **Oversampling:** duplication of values
- Combination of signals



- Overwriting: loss of values
- Oversampling: duplication of values
- Combination of signals



## Programming-based Approach

#### A program is a formal model ...

- precisely model every detail of the system
- based on the semantics of the programming language

## Programming-based Approach

#### A program is a formal model ...

- precisely model every detail of the system
- based on the semantics of the programming language

#### ... that can be executed and verified

- tests / simulations
- automated verification tools

## Programming-based Approach

#### A program is a formal model ...

- precisely model every detail of the system
- based on the semantics of the programming language

#### ... that can be executed and verified

- tests / simulations
- automated verification tools

#### Which programming language?

Domain specific languages for reactive systems [Benveniste, Berry, Caspi, Edwards, Halbwachs, Le Guernic, Pouzet ...]

A synchronous program executes in a **succession of discrete steps** The programmer writes high-level specifications: **stream functions** à la Lustre

Based on **discrete logical time**, they offer:

- Mathematically precise semantics
- Efficient and reliable code generation
- Dedicated verification tools

Domain specific languages for reactive systems [Benveniste, Berry, Caspi, Edwards, Halbwachs, Le Guernic, Pouzet ...]

A synchronous program executes in a **succession of discrete steps** The programmer writes high-level specifications: **stream functions** à la Lustre

Based on **discrete logical time**, they offer:

- Mathematically precise semantics
- Efficient and reliable code generation
- Dedicated verification tools

Scade/Lustre is routinely used in the industry

Domain specific languages for reactive systems [Benveniste, Berry, Caspi, Edwards, Halbwachs, Le Guernic, Pouzet ...]

A synchronous program executes in a **succession of discrete steps** The programmer writes high-level specifications: **stream functions** à la Lustre

Based on **discrete logical time**, they offer:

- Mathematically precise semantics
- Efficient and reliable code generation
- Dedicated verification tools

Scade/Lustre is routinely used in the industry

Ideal framework to study quasi-periodic systems

Domain specific languages for reactive systems [Benveniste, Berry, Caspi, Edwards, Halbwachs, Le Guernic, Pouzet ...]

A synchronous program executes in a **succession of discrete steps** The programmer writes high-level specifications: **stream functions** à la Lustre

Based on **discrete logical time**, they offer:

- Mathematically precise semantics
- Efficient and reliable code generation
- Dedicated verification tools

Scade/Lustre is routinely used in the industry

Ideal framework to study quasi-periodic systems

However for quasi-periodic systems:

- Multiple synchronous programs execute in parallel
- They are **not synchronized**
- The architecture is characterized by real-time parameters

A synchronous language extended with continuous time [Benveniste, Bourke, Caillaud, Pouzet]

```
let hybrid metro(t_min, t_max) = c where
rec der x = 1.0 init -. arbitrary(t_min, t_max)
reset z \rightarrow -. arbitrary(t_min, t_max)
and z = up(x)
and present z \rightarrow do emit c done
```

A synchronous language extended with continuous time [Benveniste, Bourke, Caillaud, Pouzet]

```
let hybrid metro(t_min, t_max) = c where
  rec der x = 1.0 init -. arbitrary(t_min, t_max)
      reset z \rightarrow -. arbitrary(t_min, t_max)
  and z = up(x)
  and present z \rightarrow do emit c done
```



A synchronous language extended with continuous time [Benveniste, Bourke, Caillaud, Pouzet]

```
let hybrid metro(t_min, t_max) = c where
rec der x = 1.0 init -. arbitrary(t_min, t_max)
reset z \rightarrow -. arbitrary(t_min, t_max)
and z = up(x)
and present z \rightarrow do emit c done
```



A synchronous language extended with continuous time [Benveniste, Bourke, Caillaud, Pouzet]

```
let hybrid metro(t_min, t_max) = c where
rec der x = 1.0 init -. arbitrary(t_min, t_max)
reset z \rightarrow -. arbitrary(t_min, t_max)
and z = up(x)
and present z \rightarrow do emit c done
dx/dt = 1: time elapsing
```



A synchronous language extended with continuous time [Benveniste, Bourke, Caillaud, Pouzet]





A synchronous language extended with continuous time [Benveniste, Bourke, Caillaud, Pouzet]

```
let hybrid metro(t_min, t_max) = c where
rec der x = 1.0 init -. arbitrary(t_min, t_max)
reset z \rightarrow -. arbitrary(t_min, t_max)
and z = up(x)
and present z \rightarrow do emit c done
dx/dt = 1: time elapsing
```



A synchronous language extended with continuous time [Benveniste, Bourke, Caillaud, Pouzet]

```
let hybrid metro(t_min, t_max) = c where
rec der x = 1.0 init -. arbitrary(t_min, t_max)
reset z \rightarrow -. arbitrary(t_min, t_max)
and z = up(x)
and present z \rightarrow do emit c done
dx/dt = 1: time elapsing
```



A synchronous language extended with continuous time [Benveniste, Bourke, Caillaud, Pouzet]

```
let hybrid metro(t_min, t_max) = c where
rec der x = 1.0 init -. arbitrary(t_min, t_max)
reset z \rightarrow -. arbitrary(t_min, t_max)
and z = up(x)
and present z \rightarrow do emit c done
```

```
dx/dt = 1: time elapsing
```



A synchronous language extended with continuous time [Benveniste, Bourke, Caillaud, Pouzet]

```
let hybrid metro(t_min, t_max) = c where
  rec der x = 1.0 init -. arbitrary(t_min, t_max)
      reset z → -. arbitrary(t_min, t_max)
  and z = up(x)
  and present z → do emit c done
```

```
dx/dt = 1: time elapsing
```



A synchronous language extended with continuous time [Benveniste, Bourke, Caillaud, Pouzet]

```
let hybrid metro(t_min, t_max) = c where
rec der x = 1.0 init -. arbitrary(t_min, t_max)
reset z → -. arbitrary(t_min, t_max)
and z = up(x)
and present z → do emit c done
```

```
dx/dt = 1: time elapsing
```



A synchronous language extended with continuous time [Benveniste, Bourke, Caillaud, Pouzet]

```
let hybrid metro(t_min, t_max) = c where
rec der x = 1.0 init -. arbitrary(t_min, t_max)
reset z \rightarrow -. arbitrary(t_min, t_max)
and z = up(x)
and present z \rightarrow do emit c done
dx/dt = 1: time elapsing
```

A synchronous language extended with continuous time [Benveniste, Bourke, Caillaud, Pouzet]

Continuous-time dynamics of the architecture simulated with ODEs

```
let hybrid metro(t_min, t_max) = c where
  rec der x = 1.0 init -. arbitrary(t_min, t_max)
      reset z \rightarrow -. arbitrary(t_min, t_max)
  and z = up(x)
  and present z \rightarrow do emit c done
```

```
dx/dt = 1: time elapsing
```

Discrete controllers are activated on signal emissions

```
let hybrid rt_controller(sensor1, sensor2) = o where
  rec c1 = metro(t_min, t_max)
  and c2 = metro(t_min, t_max)
  and present c1 → do emit cmd1 = fgs(sensor1) done
  and present c2 → do emit cmd2 = fgs(sensor2) done
  and cmd = if switch then cmd1 else cmd2
```

A synchronous language extended with continuous time [Benveniste, Bourke, Caillaud, Pouzet]

Continuous-time dynamics of the architecture simulated with ODEs

```
let hybrid metro(t_min, t_max) = c where
  rec der x = 1.0 init -. arbitrary(t_min, t_max)
      reset z \rightarrow -. arbitrary(t_min, t_max)
  and z = up(x)
  and present z \rightarrow do emit c done
```

```
dx/dt = 1: time elapsing
```

Discrete controllers are activated on signal emissions

```
let hybrid rt_controller(sensor1, sensor2) = o where
  rec c1 = metro(t_min, t_max)
  and c2 = metro(t_min, t_max)
  and present c1 → do emit cmd1 = fgs(sensor1) done
  and present c2 → do emit cmd2 = fgs(sensor2) done
  and cmd = if switch then cmd1 else cmd2
```

Design discrete controllers and the real-time architecture in the very same language.

http://zelus.di.ens.fr

A synchronous language extended with continuous time [Benveniste, Bourke, Caillaud, Pouzet]

Continuous-time dynamics of the architecture simulated with ODEs

```
let hybrid metro(t_min, t_max) = c where
  rec der x = 1.0 init -. arbitrary(t_min, t_max)
     reset z → -. arbitrary(t_min, t_max)
  and z = up(x)
  and present z → do emit c done
```

```
dx/dt = 1: time elapsing
```

Discrete controllers are activated on signal emissions

```
let hybrid rt_controller(sensor1, sensor2) = o where
rec c1 = metro(t_min, t_max)
and c2 = metro(t_min, t_max)
and present c1 → do emit cmd1 = fgs(sensor1) done
and present c2 → do emit cmd2 = fgs(sensor2) done
and cmd = if switch then cmd1 else cmd2
```

```
Same approach in
Ptolemy [Lee]
Simulink [Mathworks]
```

Design discrete controllers and the real-time architecture in the very same language.

http://zelus.di.ens.fr

#### Verification

Verifying safety properties of quasi-periodic systems

The Quasi-Synchronous Abstraction

#### Implementation

Deploying code on quasi-periodic architectures

Loosely Time-Triggered Architectures

#### Simulation

Simulating the possible behaviors of quasi-periodic systems

Symbolic Simulation

#### Verification

Verifying safety properties of quasi-periodic systems

The Quasi-Synchronous Abstraction

#### Implementation

Deploying code on quasi-periodic architectures

Loosely Time-Triggered Architectures

#### Simulation

Simulating the possible behaviors of quasi-periodic systems

Symbolic Simulation

Abstraction is not sound in general Give exact conditions of application Generalization to multirate systems

#### Verification

Verifying safety properties of quasi-periodic systems

The Quasi-Synchronous Abstraction

#### Implementation

Deploying code on quasi-periodic architectures

Loosely Time-Triggered Architectures

#### Simulation

Simulating the possible behaviors of quasi-periodic systems

Symbolic Simulation

Abstraction is not sound in general Give exact conditions of application Generalization to multirate systems

Unified synchronous framework Executable specifications Correctness proofs Optimizations and comparisons

#### Verification

Verifying safety properties of quasi-periodic systems

The Quasi-Synchronous Abstraction

#### Implementation

Deploying code on quasi-periodic architectures

Loosely Time-Triggered Architectures

#### Simulation

Simulating the possible behaviors of quasi-periodic systems

Symbolic Simulation

Abstraction is not sound in general Give exact conditions of application Generalization to multirate systems

Unified synchronous framework Executable specifications Correctness proofs Optimizations and comparisons

Zélus extended with timed nondeterminism Symbolic simulation Modular source-to-source compilation Prototype implementation

#### Verification

Verifying safety properties of quasi-periodic systems

Quasi-Synchronous Abstraction

### Contributions

Abstraction is not sound in general Give exact conditions of application Generalization to multirate systems

#### Verification

Verifying safety properties of quasi-periodic systems

Quasi-Synchronous Abstraction

### Contributions

Abstraction is not sound in general Give exact conditions of application Generalization to multirate systems

| Centre Equation                                                                      |                                                                                                       |
|--------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------|
| 2 avenue de Vignati<br>38610 GIERES<br>Tel. +33 4 76 63 48 4<br>Fax +33 4 76 63 48 5 | 48                                                                                                    |
| Fax +33 4 /6 63 48 :                                                                 | 50                                                                                                    |
|                                                                                      |                                                                                                       |
|                                                                                      |                                                                                                       |
|                                                                                      |                                                                                                       |
|                                                                                      |                                                                                                       |
|                                                                                      |                                                                                                       |
|                                                                                      | The Quasi-Synchronous Approach to                                                                     |
|                                                                                      | Distributed Control Systems                                                                           |
|                                                                                      | Crisys draft                                                                                          |
|                                                                                      | October 2000                                                                                          |
|                                                                                      |                                                                                                       |
|                                                                                      |                                                                                                       |
|                                                                                      |                                                                                                       |
|                                                                                      |                                                                                                       |
|                                                                                      |                                                                                                       |
|                                                                                      |                                                                                                       |
|                                                                                      |                                                                                                       |
|                                                                                      |                                                                                                       |
| Centre Natio                                                                         | onal de la Recherche Scientifique Universite Joseph Fourier Institut National Polytechnique de Grenob |

Industrial practices observed at Airbus

#### Verification

Verifying safety properties of quasi-periodic systems

Quasi-Synchronous Abstraction

### Contributions

Abstraction is not sound in general Give exact conditions of application Generalization to multirate systems



#### Industrial practices observed at Airbus

[Bhattacharyya, Halbwachs, Jahier, Mandel, Miller, Tinelli, Larrieu, Raymond, Shankar, ...]

### Is the abstraction sound?

#### Verification

Verifying safety properties of quasi-periodic systems

Quasi-Synchronous Abstraction

### Contributions

Abstraction is not sound in general Give exact conditions of application Generalization to multirate systems



#### Industrial practices observed at Airbus

[Bhattacharyya, Halbwachs, Jahier, Mandel, Miller, Tinelli, Larrieu, Raymond, Shankar, ...]



Real-time Model (RT)







#### Why discretize?

Verification in a simpler discrete-time model [Milner, Berry, Halbwachs, ...] Use discrete-time model checking tools (Lesar-Verimag, Kind2-Ulowa)

[Mil83, BS01, HB02, GG03a, GG03b, HM06]













Abstracting execution time Abstracting communication



Abstracting execution time Abstracting communication



Abstracting execution time Abstracting communication



Abstracting execution time Abstracting communication

### Problems:

- Lots of possible interleavings
- Too general



Abstracting execution time Abstracting communication

### Problems:

- · Lots of possible interleavings
- Too general



### Can we do better using real-time assumptions?

Focus on 'almost' synchronous architectures with fast transmissions

"It is not the case that a component process executes more than twice between two successive executions of another process."

Focus on 'almost' synchronous architectures with fast transmissions

"It is not the case that a component process executes more than twice between two successive executions of another process."

Reduce the state-space in two ways:

Focus on 'almost' synchronous architectures with fast transmissions

"It is not the case that a component process executes more than twice between two successive executions of another process."

#### Reduce the state-space in two ways:

1. Transmissions as unit delays (one step of the logical clock)



Focus on 'almost' synchronous architectures with fast transmissions

"It is not the case that a component process executes more than twice between two successive executions of another process."

#### Reduce the state-space in two ways:

1. Transmissions as unit delays (one step of the logical clock)



Focus on 'almost' synchronous architectures with fast transmissions

"It is not the case that a component process executes more than twice between two successive executions of another process."

#### Reduce the state-space in two ways:

1. Transmissions as unit delays (one step of the logical clock)



Focus on 'almost' synchronous architectures with fast transmissions

"It is not the case that a component process executes more than twice between two successive executions of another process."

#### Reduce the state-space in two ways:

1. Transmissions as unit delays (one step of the logical clock)



Replace transmission with precedence

Focus on 'almost' synchronous architectures with fast transmissions

"It is not the case that a component process executes more than twice between two successive executions of another process."

#### Reduce the state-space in two ways:

1. Transmissions as unit delays (one step of the logical clock)



Replace transmission with precedence

2. Limit activation interleavings A process is at most twice as fast as another



Focus on 'almost' synchronous architectures with fast transmissions



#### Reduce the state-space in two ways:

1. Transmissions as unit delays (one step of the logical clock)



Replace transmission with precedence

2. Limit activation interleavings A process is at most twice as fast as another



**Definition:** A trace is unitary discretizable if there exist a discretization where **transmission** can be modeled as **unit delays** 

**Theorem:** A real-time model with more than two processes is, in general, not unitary discretizable.



**Definition:** A trace is unitary discretizable if there exist a discretization where **transmission** can be modeled as **unit delays** 



**Definition:** A trace is unitary discretizable if there exist a discretization where **transmission** can be modeled as **unit delays** 

**Theorem:** A real-time model with more than two processes is, in general, not unitary discretizable.



**Definition:** A trace is unitary discretizable if there exist a discretization where **transmission** can be modeled as **unit delays** 

**Theorem:** A real-time model with more than two processes is, in general, not unitary discretizable.



**Definition:** A trace is unitary discretizable if there exist a discretization where **transmission** can be modeled as **unit delays** 

**Theorem:** A real-time model with more than two processes is, in general, not unitary discretizable.



**Definition:** A trace is unitary discretizable if there exist a discretization where **transmission** can be modeled as **unit delays** 



**Definition:** A trace is unitary discretizable if there exist a discretization where **transmission** can be modeled as **unit delays** 



**Definition:** A trace is unitary discretizable if there exist a discretization where **transmission** can be modeled as **unit delays** 



**Definition:** A trace is unitary discretizable if there exist a discretization where **transmission** can be modeled as **unit delays** 



**Definition:** A trace is unitary discretizable if there exist a discretization where **transmission** can be modeled as **unit delays** 



Gather all contraints on a unitary discretization f in a weighted graph

#### After reception



#### Before reception



y

Gather all contraints on a unitary discretization f in a weighted graph

#### After reception



Before reception



**Lemma:** A trace is unitary discretizable if and only if there are no cycle of positive weight in the associated trace graph.

**Definition:** A real-time model is *unitary discretizable* if all possible traces are unitary discretizable.

Gather all contraints on a unitary discretization f in a weighted graph

#### After reception



**Lemma:** A trace is unitary discretizable if and only if there are no cycle of positive weight in the associated trace graph.

**Definition:** A real-time model is *unitary discretizable* if all possible traces are unitary discretizable.

#### Before reception





Gather all contraints on a unitary discretization f in a weighted graph

#### After reception



**Lemma:** A trace is unitary discretizable if and only if there are no cycle of positive weight in the associated trace graph.

**Definition:** A real-time model is *unitary discretizable* if all possible traces are unitary discretizable.

#### Before reception



y



Gather all contraints on a unitary discretization f in a weighted graph

#### After reception



**Lemma:** A trace is unitary discretizable if and only if there are no cycle of positive weight in the associated trace graph.

**Definition:** A real-time model is *unitary discretizable* if all possible traces are unitary discretizable.

#### Before reception





Gather all contraints on a unitary discretization f in a weighted graph

#### After reception



**Lemma:** A trace is unitary discretizable if and only if there are no cycle of positive weight in the associated trace graph.

**Definition:** A real-time model is *unitary discretizable* if all possible traces are unitary discretizable.

#### Before reception





Forbidden topologies in the static communication graph



Forbidden topologies in the static communication graph



Forbidden topologies in the static communication graph



Forbidden topologies in the static communication graph



**Theorem:** A quasi-periodic architecture is unitary discretizable if and only if, in the communication graph

- 1. All u-cycles are cycles of balanced u-cycle, or  $\tau_{\rm max} = 0$ , and
- 2. There is no balanced u-cycle, or  $\tau_{\min} = \tau_{\max}$ , and
- 3. There is no cycle in the communication graph, or  $T_{\min} \ge L_c \tau_{\max}$

L<sub>c</sub>: size of the longest elementary cycle

**Proof:** If there is a u-cycle, construction of a counter-example

Communications











**Proof:** If there is a u-cycle, construction of a counter-example



**Proof:** If there is a u-cycle, construction of a counter-example



**Proof:** If there is a u-cycle, construction of a counter-example



**Proof:** If there is a u-cycle, construction of a counter-example



**Proof:** If there is a u-cycle, construction of a counter-example



p = 2: # ➡



**Proof:** If there is a u-cycle, construction of a counter-example



**Proof:** If there is a u-cycle, construction of a counter-example



**Proof:** If there is a u-cycle, construction of a counter-example



**Proof:** If there is a u-cycle, construction of a counter-example



Proof: If there is a u-cycle, construction of a counter-example



**Proof:** On the other hand, by contraposition,

PC/u-cycle

















# **Topology Examples**

Communications of the application



# **Topology Examples**

Communications of the application



Require instantaneous communications

## Quasi-Synchronous Systems

"It is not the case that a component process executes more than **twice between two successive** executions of another process."

Theorem: A real-time model is quasi-synchronous if and only if,

- 1. it is unitary discretizable
- 2.  $2T_{\min} + \tau_{\min} \ge T_{\max} + \tau_{\max}$



## **Multirate Systems**

"It is not the case that a component process executes more than **n times between m successive** executions of another process."

n/m-quasi-synchrony [Smeding, Goessler]

Theorem: A real-time model is n/m-quasi-synchronous if and only if,

1. it is unitary discretizable

2. for any pair of communicating nodes  $A \coloneqq B$ 

$$nT_{\min}^{A} + \tau_{\min} \ge (m-1)T_{\max}^{B} + \tau_{\max}$$
$$nT_{\min}^{B} + \tau_{\min} \ge (m-1)T_{\max}^{A} + \tau_{\max}$$



## Summary

#### The quasi-synchronous abstraction:

- 1. Model transmission as unit delays
- 2. Constrain node activations interleavings

#### **Contributions:**

- Condition 1 is not sound in general
- Notion of unitary discretization
- Exact conditions to recover soundness
- Characterization of quasi-synchronous systems
- Generalization to multirate systems



Constrain both the communication graph and the real-time characteristics of the architecture to recover soundness of the quasi-synchronous abstraction.

#### Implementation

Deploying code on quasi-periodic architectures

Loosely Time-Triggered Architectures

#### Implementation

Deploying code on quasi-periodic architectures

Loosely Time-Triggered Architectures

How to preserve the semantics of the embedded application?

#### Implementation

Deploying code on quasi-periodic architectures

Loosely Time-Triggered Architectures

How to preserve the semantics of the embedded application?



[Benveniste, Bouillard, Caspi, Di Natale, Pinello, Talpin, Tripakis, Sangiovanni-Vincentelli]

#### Implementation

Deploying code on quasi-periodic architectures

Loosely Time-Triggered Architectures

#### Contributions

Unified synchronous framework Executable specifications Correctness proofs Optimizations and comparisons

## How to preserve the semantics of the embedded application?

| EMSOFT'02 |                                                                                                                                                                                                                                                                                                                                                                                                                                 |                                         |
|-----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|
| EMSOFT'C  | )7                                                                                                                                                                                                                                                                                                                                                                                                                              |                                         |
| CDC'08    | 3                                                                                                                                                                                                                                                                                                                                                                                                                               |                                         |
| IEEE      | Comp.'08                                                                                                                                                                                                                                                                                                                                                                                                                        | us Models on                            |
| . 6       | EMSOFT'IO                                                                                                                                                                                                                                                                                                                                                                                                                       | ng vinw at<br>cred Architectures        |
|           | <text><text><section-header><text><text><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header><section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></section-header></text></text></section-header></text></text> | <text><text><text></text></text></text> |

[Benveniste, Bouillard, Caspi, Di Natale, Pinello, Talpin, Tripakis, Sangiovanni-Vincentelli]

[BCLG+02, BCDN+07, CB08, TPB+08, BBC10]

### How to Preserve the Semantics?

(of an application on a quasi-periodic architecture)

### How to Preserve the Semantics?

(of an application on a quasi-periodic architecture)

#### **Clock synchronization**

e.g. TTA [Kopetz, Bauer 2003]



Require dedicated hardware and dedicated controllers

### How to Preserve the Semantics?

(of an application on a quasi-periodic architecture)

#### **Clock synchronization**

e.g. TTA [Kopetz, Bauer 2003]

#### Unsynchronized nodes + Middleware = LTTA



Require dedicated hardware and dedicated controllers



Lightweight alternative

Previous model: timed Petri nets [Benveniste, Caspi, Bouillard]



**Help:** Design the protocol Analysis (worst case throughput)

**But:** Cannot be compiled/simulated Mix real-time characteristics and discrete code





A **middleware** controls the execution of the embedded application The controller **waits** for new inputs and **delays** publications



```
let node ltta_node(i) = o where
  rec (o, im) = ltta_controller(i, om)
  and present im(v) → do emit om = machine(v) done
```

A **middleware** controls the execution of the embedded application The controller **waits** for new inputs and **delays** publications



```
let node ltta_node(i) = o where
  rec (o, im) = ltta_controller(i, om)
  and present im(v) → do emit om = machine(v) done
```

A **middleware** controls the execution of the embedded application The controller **waits** for new inputs and **delays** publications



A **middleware** controls the execution of the embedded application The controller **waits** for new inputs and **delays** publications



A **middleware** controls the execution of the embedded application The controller **waits** for new inputs and **delays** publications



[Carloni, McMillan, Sangiovanni-Vincentelli]

A **middleware** controls the execution of the embedded application The controller **waits** for new inputs and **delays** publications



A **middleware** controls the execution of the embedded application The controller **waits** for new inputs and **delays** publications



[Carloni, McMillan, Sangiovanni-Vincentelli]

A **middleware** controls the execution of the embedded application The controller **waits** for new inputs and **delays** publications



[Carloni, McMillan, Sangiovanni-Vincentelli]

A **middleware** controls the execution of the embedded application The controller **waits** for new inputs and **delays** publications



A **middleware** controls the execution of the embedded application The controller **waits** for new inputs and **delays** publications





Inspired by elastic circuits [Cortadella, Kishinevsky, ...]

[Benveniste, Caspi, Di Natale, Pinello, Sangiovanni-Vincentelli, Tripakis]





Broadcast communication Waiting mechanisms 2 phases: Exec/Send

[Benveniste, Caspi]

Replace acknowledgments with timeouts



#### **Round-Based**

**Back-Press** 

Wait

(\* skip \*)

rec m = mem(om, mi)

| Wait  $\rightarrow$ 

| Ready  $\rightarrow$ 

and automaton

all\_inputs\_fresh /
emit im = data(i) and end

all\_acks\_fresh / emit c

unless all\_inputs\_fresh the

unless all\_acks\_fresh then
 do emit o = m in Wait

do emit im = data(i) and

let node bp\_controller(i, ra, om, mi)

**do** (\* skip \*)

**do** (\* skip \*)

Acknowledgments

2 phases: Exec/Send

and all\_inputs\_fresh = forall\_fresh
and all\_acks\_fresh = forall\_fresh(r

Point-to-point communica



```
and all_inputs_fresh = forall_fresh(i, im, true)
and o = om
```

```
let node timeout(i_live) = (n \leq 0) where rec reset n = p fby (n - 1) every i_live
```

Broadcast communication Crash-detectors (timeouts) I phase: Exec + Send Inspired by distributed algorithms [Attiya, Dwork, Lynch, ...]





Architecture independent Block if a node crashes



Architecture independent Block if a node crashes Require timing characteristics Can run in degraded mode

# Comparisons with clock synchronization

Zélus simulations of the FGS example Compute slowdown compared to a synchronous execution\*

Execution period << Communication delay



**Global Clock:** based on a master clock synchronization [Kopetz] arbitrary(t\_min, t\_max): Random choice

BP: Back-Pressure TB: Time-Based RB: Round-Based GC: Global Clock

<sup>\*</sup>The smaller, the better

# Comparisons with clock synchronization

Zélus simulations of the FGS example Compute slowdown compared to a synchronous execution\*

Execution period >> Communication delay



**Global Clock:** based on a master clock synchronization [Kopetz] arbitrary(t\_min, t\_max): Random choice

BP: Back-Pressure TB: Time-Based RB: Round-Based GC: Global Clock

<sup>\*</sup>The smaller, the better

# Summary

#### Loosely Time-Triggered Architectures:

How to deploy synchronous code? Add a layer of middleware Three protocols

#### **Contributions:**

- Unified synchronous framework
- Executable specifications
- Correctness proofs
- Optimization and comparisons

| Guiles                                                 |                                                                                                                                                                                                                           |
|--------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| D Explant<br>Inde, Park                                |                                                                                                                                                                                                                           |
| ABSTRACT                                               |                                                                                                                                                                                                                           |
| analy Thur Diagon<br>and in many vilue :               |                                                                                                                                                                                                                           |
| They hulld up the part                                 | Leosoly Time-Triggersd Architecturus                                                                                                                                                                                      |
| wing only service in<br>new of misdleways th           | Inprovements and Comparisons                                                                                                                                                                                              |
| protections applicable                                 | <b>GULLAUME BAUDART</b> , Entre normalie modelinger                                                                                                                                                                       |
| the time property and in<br>the second and designed in | ABERT BENYENSTE, INUA, Bases                                                                                                                                                                                              |
| to modified using a set                                | TIMOTIFY BOURKE INHA, Park                                                                                                                                                                                                |
| wa proceeds, Jack 2                                    |                                                                                                                                                                                                                           |
| irvaits and Tracilla<br>sared to provins nor           |                                                                                                                                                                                                                           |
| and ov compliant the way                               | Leondy Time Triggered Architectures [J773a] are a response for constructing distributed subsolied control<br>systems. Time held on the quark particular architecture, where computing only encoder words periodically.    |
| Fine-Based periooni.                                   | ty-addings this layer of middlenser that the litates the implementation of synchronous applications.                                                                                                                      |
| AND REPORTED ON                                        | In this paper, we show how the deployment of a spectrosous application on a spassi-periodic architec-                                                                                                                     |
| I. INTRODUCT                                           | tion cancel to conclude using a spectromene forcedness. These we detail two protocols, these elements EPDs,<br>resultiment of elastic circuits, and Trac-Band LETS, based on waking. Compared to previous work, are       |
| Web must braheat                                       | present excitedine models that are by unsulid for emerging, a sheadlifed environ of the Tano-Saard pro-                                                                                                                   |
| drouts spations, like                                  | used and aptimizations for systems using forcultural commutization. We day compare the LTD2 approach<br>with architectures faced on clock symplectication.                                                                |
| he discritization of                                   | Congress and August Depression for Nameral, alonging of Despiser Architecture, C.4 (Apartar                                                                                                                               |
| out their out walk                                     | Purpose and Application-Based System) Reacting and EntroldedSystem                                                                                                                                                        |
| months of the origin                                   | Strategy Renard Theory                                                                                                                                                                                                    |
| Andhotup (TTA)12                                       | Aultiona Key Nords and Pheases Quasi-formula Architecture, Loosely Time Diggered Architecture,                                                                                                                            |
| anatomic as in the E                                   | There Baard LTTA. Ruck Pressary LTTA                                                                                                                                                                                      |
| To subside and                                         | ACM Reference Format:                                                                                                                                                                                                     |
| sectores sources and                                   | Gullaures Baudot, Albert Browniek and Trustle Bourk. 2015 Loney Time-Triggerd Additionary<br>Improvements and Comparisons. ACM Stress Bediell. Comput. Rpl. V, 5, Article A (January YYYY), 25                            |
| appro are accuracy of                                  | preprint.                                                                                                                                                                                                                 |
| difficial washronia                                    | NV: http://dx.dx.org/10.11a/j.000000.000000                                                                                                                                                                               |
| images are shollon for<br>stillarity and security (    | 1. INTRIDUCTION                                                                                                                                                                                                           |
| multicule are intended                                 | This paper is about implementing programs expressed as stream equations, like these                                                                                                                                       |
| ations that private the                                | written in Lusire, Sgnal, or the discrete subset of Simulak, over networks of embedded                                                                                                                                    |
|                                                        | concretion. Here wells concretion is accirated on in own local-dook, none middleware in<br>norded to ensure the correct essention of the original program. One possibility a to rely                                      |
|                                                        | or a clock synchronization painteed as in the Time Wiggans' Architecture (TTR) Mapara                                                                                                                                     |
|                                                        | 2011. Another is to use one-constraining protocols as in the Loosely Time-Triggered                                                                                                                                       |
|                                                        | Auhitacoure ("TTA: Beneniste et al. 2005, Beneniste et al. 2007, Tripakis et al. 2008,<br>Capa and Beneniste 2009, Beneniste et al. 2019.                                                                                 |
| 10000000000000000000000000000000000000                 | The enhedded applications that we enaide invoice both continuous control and discrete                                                                                                                                     |
| Defer P of American, 5                                 | lugic. Since the conference layers are naturally retrack to sampling artifacts, continuous                                                                                                                                |
| 1261283                                                | components can simply communicate through shared memory without additional synchro-                                                                                                                                       |
|                                                        | minition. But the discrete logic for mode charges and similar functionalities is sensitive to<br>such artifacts and requires more careful coordination. The LTD3 protocols extend communi-                                |
|                                                        | enion by sampling with mechanisms that preserve the senantice of the discrete layer. They                                                                                                                                 |
|                                                        | are simple to implement and involve little additional network communication. They thus                                                                                                                                    |
|                                                        |                                                                                                                                                                                                                           |
|                                                        | Persianita to mean slightl or hash copies of all or part of this work for personal orchameters use is general<br>without the provided that copies are not made or distributed for public or commercial advantage and task |
|                                                        | cosies here this series and the full station on the first page. Copyrights for components of this work                                                                                                                    |
|                                                        | cound by otherwitten 1757 must be toround. Elementing with metter's partnershall. To copy otherwise,<br>or republish, to past outservers or to indistribute to lists, requires prior pacific terminion and/or a lot.      |
|                                                        | Report president from pressummericani.org.<br>glywww.actat. anno anatywww.co. Ater, anno                                                                                                                                  |
|                                                        | 22: http://dx.doi.org/10.1043/000000.000000                                                                                                                                                                               |
|                                                        |                                                                                                                                                                                                                           |
|                                                        | WNI Transaction on Encoded Comparing Systems, Yol. V. N. N. Article A.Publication date January VVVV.                                                                                                                      |
|                                                        |                                                                                                                                                                                                                           |
|                                                        |                                                                                                                                                                                                                           |

LTTA are lightweight protocols to ensure the correct execution of synchronous code running on a quasi-periodic architecture

<sup>[</sup>EMSOFT 2015, ACM TECS 2016]

#### Simulation

Simulating the possible behaviors of quasi-periodic systems

Symbolic Simulation

#### Simulation

Simulating the possible behaviors of quasi-periodic systems

Symbolic Simulation

How to simulate constrained nondeterminism?

#### Simulation

Simulating the possible behaviors of quasi-periodic systems

Symbolic Simulation

How to simulate constrained nondeterminism?

#### Zélus

Synchronous language Continuous + Discrete Modular compilation Numeric solver [Benveniste, Bourke, Caillaud, Pouzet]

#### Uppaal

Timed automata Nondeterminism Symbolic representation [Behrmann, David, Larsen,...]

#### Simulation

Simulating the possible behaviors of quasi-periodic systems

Symbolic Simulation

#### Contributions

Zélus extended with timed nondeterminism

Symbolic simulation

Modular source-to-source compilation

Prototype implementation

# How to simulate constrained nondeterminism?

#### Zélus

Synchronous language Continuous + Discrete Modular compilation Numeric solver [Benveniste, Bourke, Caillaud, Pouzet]

#### Uppaal

Timed automata Nondeterminism Symbolic representation [Behrmann, David, Larsen,...]

Simulate both the embedded application and the architecture

Zélus: mix discrete-time and continuous-time dynamics expressed with ODEs

```
let hybrid metro(t_min, t_max) = c where
  rec der x = 1.0 init -. arbitrary(t_min, t_max)
      reset z \rightarrow -. arbitrary(t_min, t_max)
  and z = up(x)
  and present z \rightarrow do emit c done
```

Embedded application activates on signal emissions

Simulate both the embedded application and the architecture

Zélus: mix discrete-time and continuous-time dynamics expressed with ODEs

```
let hybrid metro(t_min, t_max) = c where
rec der x = 1.0 init -. arbitrary(t_min, t_max)
reset z \rightarrow -. arbitrary(t_min, t_max)
and z = up(x)
we only use der x = 1
and present z \rightarrow do emit c done
```

Embedded application activates on signal emissions

Simulate both the embedded application and the architecture

Zélus: mix discrete-time and continuous-time dynamics expressed with ODEs

```
let hybrid metro(t_min, t_max) = c where
rec der x = 1.0 init -. arbitrary(t_min, t_max)
reset z \rightarrow -. arbitrary(t_min, t_max)
and z = up(x)
where only use der x = 1
We only use der x = 1
```

Embedded application activates on signal emissions

Zsy: Zélus extended with timed nondeterminism

```
let hybrid metro(t_min, t_max) = c where
rec timer t init 0 reset c() \rightarrow 0
and emit c when {t \geq t_min}
and always {t \leq t_max}
```

Simulate both the embedded application and the architecture

Zélus: mix discrete-time and continuous-time dynamics expressed with ODEs

```
let hybrid metro(t_min, t_max) = c where
rec der x = 1.0 init -. arbitrary(t_min, t_max)
reset z \rightarrow -. arbitrary(t_min, t_max)
and z = up(x)
where only use der x = 1
We only use der x = 1
```

Embedded application activates on signal emissions

Zsy: Zélus extended with timed nondeterminism

```
let hybrid metro(t_min, t_max) = c where
rec timer t init 0 reset c() \rightarrow 0 \leftarrow timer (time elapsing)
and emit c when {t \geq t_min}
and always {t \leq t_max}
```

Simulate both the embedded application and the architecture

Zélus: mix discrete-time and continuous-time dynamics expressed with ODEs

```
let hybrid metro(t_min, t_max) = c where
rec der x = 1.0 init -. arbitrary(t_min, t_max)
reset z \rightarrow -. arbitrary(t_min, t_max)
and z = up(x)
where are a constraints of the const
```

Embedded application activates on signal emissions

Zsy: Zélus extended with timed nondeterminism

let hybrid metro(t\_min, t\_max) = c where rec timer t init 0 reset c()  $\rightarrow$  0  $\leftarrow$  fimer (fime elapsing) and emit c when {t  $\geq$  t\_min}  $\leftarrow$  guard (may) and always {t  $\leq$  t\_max}

Simulate both the embedded application and the architecture

Zélus: mix discrete-time and continuous-time dynamics expressed with ODEs

```
let hybrid metro(t_min, t_max) = c where
rec der x = 1.0 init -. arbitrary(t_min, t_max)
reset z \rightarrow -. arbitrary(t_min, t_max)
and z = up(x)
where are a constraints of the const
```

Embedded application activates on signal emissions

Zsy: Zélus extended with timed nondeterminism



Simulate both the embedded application and the architecture

Zélus: mix discrete-time and continuous-time dynamics expressed with ODEs



Zsy: Zélus extended with timed nondeterminism



Example: 2-node quasi-periodic architecture



Example: 2-node quasi-periodic architecture



Example: 2-node quasi-periodic architecture



Example: 2-node quasi-periodic architecture



Example: 2-node quasi-periodic architecture



Example: 2-node quasi-periodic architecture



Example: 2-node quasi-periodic architecture



Example: 2-node quasi-periodic architecture



Example: 2-node quasi-periodic architecture



Example: a 2-node quasi-periodic architecture



Symbolic simulation: capture multiple executions, using DBMs

Example: a 2-node quasi-periodic architecture



**Symbolic simulation:** capture multiple executions, using DBMs Zones characterized by a set of possible choices

Example: a 2-node quasi-periodic architecture



**Symbolic simulation:** capture multiple executions, using DBMs Zones characterized by a set of possible choices

Example: a 2-node quasi-periodic architecture



**Symbolic simulation:** capture multiple executions, using DBMs Zones characterized by a set of possible choices

Example: a 2-node quasi-periodic architecture



Example: a 2-node quasi-periodic architecture



Example: a 2-node quasi-periodic architecture



Example: a 2-node quasi-periodic architecture



Example: a 2-node quasi-periodic architecture



Example: a 2-node quasi-periodic architecture

















Continuous components are compiled into discrete function manipulating zones

```
let hybrid metro(t_min, t_max) = c where
rec timer t init 0 reset c \rightarrow 0
and emit c when {t_min \leq t}
and always {t \leq t_max}
```

Continuous components are compiled into discrete function manipulating zones

```
let hybrid metro(t_min, t_max) = c where
rec timer t init 0 reset c \rightarrow 0
and emit c when {t_min \leq t}
and always {t \leq t_max}
```



Continuous components are compiled into discrete function manipulating zones

```
let hybrid metro(t_min, t_max) = c where
rec timer t init 0 reset c \rightarrow 0
and emit c when {t_min \leq t}
and always {t \leq t_max}
```



Continuous components are compiled into discrete function manipulating zones

```
let hybrid metro(t_min, t_max) = c where
rec timer t init 0 reset c \rightarrow 0
and emit c when {t_min \leq t}
and always {t \leq t_max}
```



## **Prototype Implementation**

```
let hybrid metro(t_min, t_max) = c where
rec timer t init 0 reset c() \rightarrow 0
and emit c when {t \geq t_min}
and always {t \leq t_max}
```

let hybrid archi(t\_min, t\_max) = c1, c2 where rec c1 = metro(t\_min, t\_max) and c2 = metro(t\_min, t\_max)

## **Prototype Implementation**

```
let hybrid metro(t_min, t_max) = c where
  rec timer t init 0 reset c() \rightarrow 0
  and emit c when \{t > t_{min}\}
                                                            zeluc -symb archi qpa.zls
  and always {t \leq t_max}
let hybrid archi(t_min, t_max) = c1, c2 where
  rec c1 = metro(t_min, t_max)
  and c2 = metro(t_min, t_max)
let node metro_symb(t, wait, c, zg, (t_min, t_max)) = c, zi, za, [zs] where
  rec zit = present (true fby false) \rightarrow zreset(zg, t, 0)
            | c \rightarrow zreset(zg, t, 0)
            else zg
  and zs = zmake(\{t > t_min\})
  and zb = zmake(\{t < t_max\})
  and za = zinterfold([zb])
  and zi = if wait then (zall fby zi) else zit
let node archi_symb((t1, t2), wait, (c1, c2), zg, (t_min, t_max)) =
  (c1', c2'), zi, za, gv1 @ gv2 where
  rec c1', zi1, za1, gv1 = metro_symb(t1, wait, c1, zg, (t_min, t_max))
  and c2', zi2, za2, gv2 = metro_symb(t2, wait, c2, zi1, (t_min, t_max))
  and za = zinterfold([za1; za2])
  and zi = if wait then (zall fby zi) else zi2
(*** Runtime ***)
let node archi(wait, (c1, c2), (t_min, t_max)) = (c1', c2'), bv, bw, zc where
  rec zg = ztrig([c1; c2], zcp, gvp)
  and (c1', c2'), zi, za, gv = archi_symb((1, 2), wait, (c1, c2), zg, (t_min, t_max))
  and zc, bv, bw = znext(wait, zi, za, gv)
  and zcp = zall fby zc
  and gvp = [] fby gv
```

## **Prototype Implementation**

```
let hybrid metro(t_min, t_max) = c where
  rec timer t init 0 reset c() \rightarrow 0
  and emit c when \{t > t_{min}\}
                                                           zeluc -symb archi qpa.zls
  and always {t \leq t_max}
let hybrid archi(t_min, t_max) = c1, c2 where
  rec c1 = metro(t_min, t_max)
  and c2 = metro(t_min, t_max)
let node metro_symb(t, wait, c, zg, (t_min, t_max)) = c, zi, za, [zs] where
  rec zit = present (true fby false) \rightarrow zreset(zg, t, 0)
            | c \rightarrow zreset(zg, t, 0)
            else zg
  and zs = zmake(\{t > t_min\})
  and zb = zmake(\{t < t_max\})
  and za = zinterfold([zb])
  and zi = if wait then (zall fby zi) else zit
let node archi_symb((t1, t2), wait, (c1, c2), zg, (t_min, t_max)) =
  (c1', c2'), zi, za, gv1 @ gv2 where
                                                                                         zeluc qpa_run.zls
  rec c1', zi1, za1, gv1 = metro_symb(t1, wait, c1, zg, (t_min, t_max))
  and c2', zi2, za2, gv2 = metro_symb(t2, wait, c2, zi1, (t_min, t_max))
  and za = zinterfold([za1; za2])
  and zi = if wait then (zall fby zi) else zi2
(*** Runtime ***)
let node archi(wait, (c1, c2), (t_min, t_max)) = (c1', c2'), bv, bw, zc where
  rec zg = ztrig([c1; c2], zcp, gvp)
  and (c1', c2'), zi, za, gv = archi_symb((1, 2), wait, (c1, c2), zg, (t_min, t_max))
  and zc, bv, bw = znext(wait, zi, za, gv)
  and zcp = zall fby zc
  and gvp = [] fby gv
```

#### Verification

Verifying safety properties of quasi-periodic systems

The Quasi-Synchronous Abstraction

#### Implementation

Deploying code on quasi-periodic architectures

Loosely Time-Triggered Architectures

### Simulation

Simulating the possible behaviors of quasi-periodic systems

Symbolic Simulation

### Verification

Verifying safety properties of quasi-periodic systems

The Quasi-Synchronous Abstraction

#### Implementation

Deploying code on quasi-periodic architectures

Loosely Time-Triggered Architectures

#### Simulation

Simulating the possible behaviors of quasi-periodic systems

Symbolic Simulation

Abstraction is not sound in general Give exact conditions of application Generalization to multirate systems

### Verification

Verifying safety properties of quasi-periodic systems

The Quasi-Synchronous Abstraction

### Implementation

Deploying code on quasi-periodic architectures

Loosely Time-Triggered Architectures

### Simulation

Simulating the possible behaviors of quasi-periodic systems

Symbolic Simulation

Abstraction is not sound in general Give exact conditions of application Generalization to multirate systems

Unified synchronous framework Executable specifications Correctness proofs Optimizations and comparisons

### Verification

Verifying safety properties of quasi-periodic systems

The Quasi-Synchronous Abstraction

### Implementation

Deploying code on quasi-periodic architectures

Loosely Time-Triggered Architectures

### Simulation

Simulating the possible behaviors of quasi-periodic systems

Symbolic Simulation

Abstraction is not sound in general Give exact conditions of application Generalization to multirate systems

Unified synchronous framework Executable specifications Correctness proofs Optimizations and comparisons

Zélus extended with timed nondeterminism Symbolic simulation Modular source-to-source compilation Prototype implementation

#### **Real-time requirements**

LTTAs preserve the semantics at the cost of additional latency Not acceptable for all applications (emergency button) What is the impact of these delays on the application?

#### **Real-time requirements**

LTTAs preserve the semantics at the cost of additional latency Not acceptable for all applications (emergency button) What is the impact of these delays on the application?

#### **Characterizing robust applications**

Some applications are already robust to sampling artifacts (3-voters) How to check this property on a given application? What is the impact of the sampling artifacts on the semantics?

#### **Real-time requirements**

LTTAs preserve the semantics at the cost of additional latency Not acceptable for all applications (emergency button) What is the impact of these delays on the application?

#### **Characterizing robust applications**

Some applications are already robust to sampling artifacts (3-voters) How to check this property on a given application? What is the impact of the sampling artifacts on the semantics?

#### Zélus in a proof assistant

Formalization of a the semantics mixing discrete and continuous time Prove properties involving real-time specifications (Time-Based LTTA)

#### **Real-time requirements**

LTTAs preserve the semantics at the cost of additional latency Not acceptable for all applications (emergency button) What is the impact of these delays on the application?

#### **Characterizing robust applications**

Some applications are already robust to sampling artifacts (3-voters) How to check this property on a given application? What is the impact of the sampling artifacts on the semantics?

#### Zélus in a proof assistant

Formalization of a the semantics mixing discrete and continuous time Prove properties involving real-time specifications (Time-Based LTTA)

#### Model checking

Explore all possible simulation choices (symbolic simulation) Reuse existing technique for model checking timed systems (Uppaal) Model check the generated code with Kind2 and Lesar

- [EMSOFT'13] A Synchronous Embedding of Antescofo, a Domain-Specific Language for Interactive Mixed Music, with Florent Jacquemard, Louis Mandel, and Marc Pouzet International Conference on Embedded Software (EMSOFT) 2013
  - [FARM'13] Programming Mixed-Music in ReactiveML,
     with Louis Mandel and Marc Pouzet
     *ICFP Workshop on Functional Art, Music, Modeling and Design (FARM)* 2013
- [EMSOFT'15] Loosely Time-Triggered Architectures: Improvements and Comparisons, with Timothy Bourke and Albert Benveniste International Conference on Embedded Software (EMSOFT) 2015
  - [TECS'16] Loosely Time-Triggered Architectures: Improvements and Comparisons, with Timothy Bourke and Albert Benveniste ACM Transaction on Embedded Computing Systems (TECS) 2016
- [FMCAD'16] **Soundness of the Quasi-Synchronous Abstraction**, with Timothy Bourke and Marc Pouzet *International Conference on Formal Methods in Computer-Aided Design (FMCAD)* 2016
  - [JFLA'17] **CloudLens, un langage de script pour l'analyse de données semi-structurées** with Louis Mandel, Olivier Tardieu, and Mandana Vaziri *Journées Francophone des Langages Applicatifs (JFLA)* 2017
- [Submitted] CloudLens, a scripting language for semi-structured data with Louis Mandel, Olivier Tardieu, and Mandana Vaziri