Title: Model Checking based Analysis of End-to-end Latency in Embedded, Real-time Systems with Clock Drifts
1. Model Checking based Analysis of End-to-end Latency in Embedded, Real-time Systems with Clock Drifts
- Swarup Mohalik, A. C. Rajeev, Manoj G. Dixit, S. Ramesh
- General Motors R&D - India Science Lab, Bangalore, India
- P. Vijay Suman, Paritosh K. Pandya
- Tata Institute of Fundamental Research, Mumbai, India
- Shengbing Jiang
- General Motors R&D, Warren, MI, USA
- June 7, 2008
2. Safety Requirement
[Figure: block diagram. Labels: Sensors; Radar / Lidar; Forward Lane Detection; Object detection; Vehicle Path Estimation; ACC Controller; Enable/Disable Interface; HMI output; Haptic seat; Actuators (braking, throttle). Inputs: Acc. pedal, brake pedal, steering wheel, ...; Yaw rate, Lat accel, Veh speed, Act gear, ...]
End-to-End Latency < 100 ms
3. End-to-End Latency
[Figure: timing diagram of messages m1, m2 and m3 along a Time axis]
4. Buffer Semantics
- FIFO, Overwrite/Non-overwrite
[Figure: buffer of size 1; labels: Non-overwrite, Overwrite, Overflow]
5. Execution and Transmission Jitter
- Affects buffer overflow and end-to-end latency
[Figure: buffer of size 1; labels: Jitter, Overflow]
6. Clock Drifts
- Clocks drift (about ±30 ppm)
- Affect end-to-end latency appreciably
[Figure: three timelines: ECU 1; ECU 2 Nominal Clock; ECU 2 Drifting Clock (assuming a constant drift of 0.8)]
Clock drift of ECU2 changes the pick-up time for messages
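An added example (not from the original slides): a small simulation of a size-1 buffer between a periodic sender on ECU 1 and a periodic reader on ECU 2, showing how a constant drift factor changes pick-up times, per-message latency and message loss under overwrite and non-overwrite semantics. The periods, the reader offset of 5, the message count and the rule that a write at the same instant precedes the read are assumptions; the drift factor scales ECU 2's nominal period into real time (0.8 gives a read every 8 time units).

```python
from fractions import Fraction


def simulate(drift, overwrite=True, n_msgs=40, p_send=10, p_read=10, offset=5):
    """Return (latencies, lost) for a size-1 buffer between ECU 1 and ECU 2.

    latencies maps message index -> pick-up time minus send time.
    lost lists messages overwritten or dropped before being read.
    All parameter values are constructed for illustration.
    """
    scale = Fraction(str(drift))      # exact arithmetic, no float rounding
    step = scale * p_read             # real-time gap between two reads
    t_read = scale * offset           # first read instant in real time
    latencies, lost = {}, []
    slot = None                       # the single buffer cell (message index)
    k = 0                             # next message ECU 1 will send
    while len(latencies) + len(lost) < n_msgs:
        # Apply every write that happens up to (and including) this read.
        while k < n_msgs and k * p_send <= t_read:
            if slot is None:
                slot = k
            elif overwrite:
                lost.append(slot)     # older message is overwritten
                slot = k
            else:
                lost.append(k)        # overflow: the new message is dropped
            k += 1
        if slot is not None:          # reader picks up and empties the cell
            latencies[slot] = t_read - slot * p_send
            slot = None
        t_read += step
    return latencies, lost


if __name__ == "__main__":
    for drift, ow in [(1, True), (0.8, True), (1.25, True), (1.25, False)]:
        lat, lost = simulate(drift, overwrite=ow)
        print(f"drift={drift} overwrite={ow} "
              f"max latency={float(max(lat.values()))} lost={lost}")
```

The run covers only the first 40 messages, so the maximum it reports is an observed value over a finite horizon, not a proven worst case.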
7. End-to-end Latency Computation
- Traditional methods for end-to-end latency computation
  - $\text{End-to-end latency} = \mathrm{WCRT}_1 + \sum_{i=2}^{n} (\mathrm{Period}_i + \mathrm{WCRT}_i)$
  - Can disallow several feasible schedules for tasks
- Proposed method for end-to-end latency computation
  - Based on formal methods
  - Exact computation, and hence can be used to evaluate a larger number of feasible schedules
8. Specifying End-to-end Latency
...
$WL = \max\{\, lat_k(n) \mid k > 0 \,\}$ (1)
9. Analyzing End-to-end Latency
- Equation (1) can be used to compute the worst-case
  - But it will be limited to finite (even though large) analysis time
  - Detecting buffer overflow in the presence of jitters and clock drifts is not done
- Analysis over ALL messages is possible by model checking techniques
  - Infinite state space can be represented symbolically
- Formal Modeling
  - Model the problem instance using Timed Automata
  - Deadline violation is posed as reachability analysis on Timed Automata
  - Reachability analysis is done using UPPAAL tool
10. Timed Automata for End-to-end Latency Analysis
[Figure: timed automata labelled FIFO, Jitter, Drift, Deadline Violation and Buffer Overflow]
11. Case Study
Tasks T1 to T8 form a task chain in the architecture
12. Results on Case Study
13. Summary
- End-to-end latency is an important system parameter, and is derived from safety requirements
- End-to-end latency is affected by implementation aspects such as
  - Buffer semantics
  - Jitter
  - Clock drift
- Formal methods based approaches can model implementation details and carry out accurate end-to-end analysis