The Quasi-Synchronous Approach to Distributed Control Systems

Transcription

1 The Quasi-Synchronous Approach to Distributed Control Systems Paul Caspi Verimag Laboratory Crisys Esprit Project ap/crisys/

2 The Quasi-Synchronous Approach to Distributed Control Systems Paul Caspi Verimag Laboratory Crisys Esprit Project ap/crisys/ Where does it come from? How to simulate it? How to understand it? Fault-tolerance

3 Where does it come from? From analog boards to computers Analog Board Clock periodic clocks A/D Computer D/A synchronous programs

4 Synchronous Programming General initialize state; loop each input event read other inputs; compute outputs and state; emit outputs end loop Several styles (imperative, data-flow,...) Allow multiple simultaneous event : no performance problems

5 Synchronous Programming Periodic initialize state; loop each clock read other inputs; compute outputs and state; emit outputs end loop

6 Synchronous Programming Periodic initialize state; loop each clock read other inputs; compute outputs and state; emit outputs end loop most applications of synchronous programming are actually periodic ones. hybridity: sampling differential equations require periodicity!

7 Where does it come from? From networks of analog boards to local area networks Analog Board Analog Board Clock Clock A/D Computer Serial Serial Computer D/A Clock Clock independent periodic clocks A/D Computer Computer D/A synchronous programs Bus

8 Interest Autonomy, robustness Each computer is a complete one, including its own clock and even possibly its own power supply. Communication between computers is non-blocking, based on periodic reads and writes, akin to periodic sampling.

9 How to formalize it Net View on chain - eq_chain same_period(c1, c2) and same_period(c2, c3) and same_period(c3, c1) c3 c2 c1 FBY FBY x FBY f1 FBY f2 f3 z Synchronous simulation, test and verification tools apply Efficiency issues?

10 How to understand it? Communication Abstraction Continuous Systems Non Continuous Systems Mixed Systems

11 Communication Abstration Worst situation: reads occur just before writes x(t-2t) write clock x (t) read clock Bounded communication delays T

12 Uniformly Continuous Signals x x ε η(ε) ε 0 η 0 t t t t η x x t x t ε Bounded delays yield bounded errors

13 Uniformly Continuous Systems ε η(ε) System ε 0 η 0 x x x x η f x f x ε Bounded errors yield bounded errors

14 But... Even very simple controllers are not uniformly continuous. PID for instance η Controller Bounded errors do not yield bounded errors

15 Stabilized Systems The closed-loop system computes uniformly continuous signals ε η(ε) U Controller X Z Plant Y Bounded delays yield bounded errors

16 Doubts... This casts a doubt on two wishful thoughts: composability system properties are the mere addition of sub-system ones separation of concerns: automatic control people specify computer science people implement Critical control systems require a tight cooperation between both people

17 Non Continuous Systems Combinational Systems Robust Sequential Systems Sequential Systems

18 Uniform Bounded-Variability There exists a minimum stable time T x associated with a signal x. x T x T x The analog of uniform continuity?

19 Sampling Tuples A possible sampling a b X X

20 Sampling Tuples Another possible sampling a X X! X!! b Non deterministic bounded delays

21 But... Delays on tuples do not yield delayed tuples x δ x y y Solution : Confirmation functions

22 Confirmation Functions When a component of a tuple changes, wait for some max " min time before taking it into account. If x#, y# are $ min% max& bounded images of x and y, then con f irm$ x# % y# & is a delayed image of $ x% y& allows to retrieve the continuous framework

23 Confirmation Functions Net View on confirm - eq_confirm difft4 watchdog U nmax Idt4 Ud nmax ' E( max ) min T min * + 1

24 Robust Sequential Systems idea : avoid critical races, between state variables : order insensitivity, between inputs : confluence Property checker

25 - Can robustness analysis be avoided? example : mutual exclusion Property : always not (y and z) a non robust solution : z y -

26 .. Can robustness analysis be avoided? example : mutual exclusion Property : always not (y and z) a robust solution : z y same answer as for error analysis in continuous systems

27 / / Robust solutions are distributable a robust solution : z y z waits for y to go down before going up and conversely. not y not z y 1 not y z 1 not z no critical race!

28 Non Robust Sequential Systems require either soft or hard synchronization. Time Triggered Architecture for instance.

29 A soft synchronization algorithm Non Robust Sequential Systems a b c requires a speed-up by 4 broadcast region execute region next broadcast

30 Implementation Net View on SYNCH - eq_synch FBY 1 SCHED u nu FBY 1 UN XN VARNODE1 Idt3 nx C3

31 Implementation State Machine View - SCHED write1 idle 1 : true 1 : nu and not NUP 2 : NUP write2 wait1 1 : true 1 : true wait2 1 : true 3 : (not nu) and not NUP 2 : NUP execute 1 : nu and not NUP

32 Mixed Systems Example : Threshold crossing ε S C t Relates errors and delays : τ4 τ 5 2ε C6 7 t8 5 This analysis too should not be skipped

33 Concurrency Actual Practices (Airbus) 6hz P1 P2 P3 3hz 2hz P2.1 P2.2 P3.1 P3.2 P3.3 P1 P2.1 P3.1 P1 P2.2 P3.2 P1 P2.1 P3.3

34 Concurrency A Crisys Proposal: earliest deadline preemptive scheduling P1 P2 P3 P1 P3* P1 P2 Schedulability condition ; WET i9 1: i 1 n T i

35 Concurrency A Crisys Proposal: earliest deadline preemptive scheduling P1 P2 P3 P1 P3* P1 P2 Schedulability condition > WET i< 1= i 1 n T i Generalizes the synchronous program execution condition WET > T

36 Concurrency Exact functional semantics is guaranteed as soon as Slow processes communicate with fast processes through a slow clock unit delay c t f t f t A A A B A D A A A x x 0 x 1 x 2 x 3 x 4 x? c x 0 x 2 x 4 f@ x? ca f@ x 0 f@ x 2 f@ x 4 f@ x? ca z z 0 z 0 f@ x 0 f@ x 2 z 0C za c z 0 z 0 f@ f@ f@ x 0 x 0 x 2

37 Fault Tolerance E Continuous Computations : Threshold Voting Units differ from more than the maximum normal error

38 Fault Tolerance F Continuous Computations : Threshold Voting Units differ from more than the maximum normal error F Combinational : Bounded-Delay Voting Units differ from more than the maximum normal delay

39 Fault Tolerance G Continuous Computations : Threshold Voting Units differ from more than the maximum normal error G Combinational : Bounded-Delay Voting Units differ from more than the maximum normal delay G Sequential Computations : 2/2 Bounded-Delay Voting

40 Bounded-Delay Voters Net View on vote2_2 - eq_vote2_2 X1 T3plus X2 T3plus Idt3 Xinit T3plus X watchdog n n H EI max J min T min K L 1

41 Sequential Computations Idea: vote on input and on state But Byzantine problems 2M 2 votes are not sensitive to Byzantine problems: N a bad unit is only compared with a single good one: it agrees: it looks good it disagrees: a fault is detected.

42 Sequential Computations: 2/2 Sequential Voters Net View on SeqVote - eq_seqvote U1 vote2_2t4 T4plus confirm VARNODE2 T3plus NX U2 nu nx Uinit X2 FBY 1 vote2_2t3 T3plus nnx XinitP Xinit nx O nmax up nmax x nnx O n Q nx

43

44 W R W W R R W R R R Proof Hints X S FT XU UV X 1 S FT XU U 1V X 1 S FT X 1 U U 1V τ u τ x X 1 S FT XU U 1V τ u τ x X 1 S FT X 1 U U 1V

45 Conclusion X Some insight on techniques used in practice. X maybe useful for designers and certification authorities ( Crisys Esprit Project) X An attempt to catch the attention of the Computer Science Community on these important problems.

46 Questions Y When are clock synchronization methods useful and more efficient than the ones presented here?

47 Questions Z When are clock synchronization methods useful and more efficient than the ones presented here? Z How to safely encompass some event-driven computations within the approach?

48 Questions [ When are clock synchronization methods useful and more efficient than the ones presented here? [ How to safely encompass some event-driven computations within the approach? [ Are there linguistic ways to robustness (synchronous-asynchronous languages)?

49 Questions \ When are clock synchronization methods useful and more efficient than the ones presented here? \ How to safely encompass some event-driven computations within the approach? \ Are there linguistic ways to robustness (synchronous-asynchronous languages)? \ Is there a common framework encompassing both theories? continuous uniformly continuous signals uniformly continuous functions unstable systems discrete uniform bounded variability robust systems sequential non robust systems