A Protocol for Loosely Time-Triggered Architectures — LTTA

Albert Benveniste<sup>(1)</sup>, Paul Caspi<sup>(2)</sup>, Paul Le Guernic<sup>(1)</sup>, Hervé Marchand<sup>(1)</sup>, Jean-Pierre Talpin<sup>(1)</sup>, Stavros Tripakis<sup>(2)</sup>

(1) Irisa/Inria, Rennes , (2) Verimag, Grenoble

Emsoft'2002

## Contents

### LTTA: 1. what, where, why 2. problem 3. solution 4. analysis



the writer's buffer is periodic the bus is periodic the reader's buffer is periodic



the writer's buffer is periodic the bus is periodic the reader's buffer is periodic values are sustained in writer/bus/reader clocks are <u>not</u> physically synchronized



the writer's buffer is periodic the bus is periodic the reader's buffer is periodic values are sustained in writer/bus/reader clocks are <u>not</u> physically synchronized a leightweight, flexible architecture

## Contents

### LTTA: 1. what, where, why 2. problem 3. solution 4. analysis









it can lose or duplicate data, but boundedly so

### LTTA bus can lose or duplicate data, but boundedly so

### LTTA bus can lose or duplicate data, but boundedly so

This is acceptable for distributed low-level sampled-data control, since control design methods are robust enough to accomodate for this, thanks to continuity and stability of the closed-loop system.

### LTTA bus can lose or duplicate data, but boundedly so

This is acceptable for distributed low-level sampled-data control, since control design methods are robust enough to accomodate for this, thanks to continuity and stability of the closed-loop system.

But this may be a problem to implement distributed discrete control of operating modes, or protection control.

## Contents

### LTTA: 1. what, where, why 2. problem 3. solution 4. analysis

A protocol on the top of LTTA



### A protocol on the top of LTTA



when encapsulated by this protocol, the medium behaves like a point-to-point network of FIFO channels: enough to apply the Benveniste-Caillaud technique for distributed implementation of synchronous programs









### behaviour of the protocol



# behaviour of the protocol input **boolean flag THEOREM:** the protocol behaves as a bundle of FIFO channels, with variable but bounded delay

$$w \ge b$$
 and  $\left\lfloor \frac{w}{b} \right\rfloor \ge \frac{r}{b}$ 

## Contents

### LTTA: 1. what, where, why 2. problem 3. solution 4. analysis

how to prove the theorem? how to prove the theorem?

## 1. by "brainual " proof (paper)

extends to almost periodic clocks (robustness)

# how to prove the theorem?

- 1. by "brainual " proof (paper) extends to almost periodic clocks (robustness)
- 2. (almost) automatically

by formal analysis of a distributed <u>asynchronous</u> system using <u>synchronous</u> languages!





how to abstract the metric condition  $[w \ge b] \land [\left|\frac{w}{b}\right| \ge \frac{r}{b}]$  into a logical one?



how to abstract the metric condition  $[w \ge b] \land [\left\lfloor \frac{w}{b} \right\rfloor \ge \frac{r}{b}]$  into a logical one?

 $[w \ge b]$  : never two  $t^{\mathbf{w}}$  between two  $t^{\mathbf{b}}$  $[\lfloor \frac{w}{b} \rfloor \ge \frac{r}{b}]$  : more difficult, but feasible





#### The Lustre proof

```
const n = 3; - the input is a bit stream of width 3
```

```
node writer(x : bool<sup>n</sup>) returns (xw: bool<sup>n</sup>; bw: bool);
let
   bw = true \rightarrow pre not bw;
   xw = x;
\operatorname{tel}
const init = false^n:
node reader(x: bool^n: b: bool) returns (cro: bool: xr: bool^n):
let
   cro = not (b = (false \rightarrow pre b));
   xr = if cro then x
           else (init \rightarrow pre xr);
\operatorname{tel}
node bus(xw: bool^n; bw: bool) returns (xr: bool^n; br: bool);
let
    xr, br = (xw, bw);
\operatorname{tel}
node faster(cb, cw: bool) returns (prop: bool);
var w_before_b: bool;
let
    w_before_b = if cw then true
                    else if cb then false
                         else (false \rightarrow pre w_before_b);
    - tells that there is an unmatched cw
    prop = not (cw and (false \rightarrow pre w_before_b));
- this node implements (??)
tel
node firstafter(cb, cw: bool) returns (cbw: bool);
var waiting: bool;
let
   cbw = cb and (false \rightarrow pre waiting);
   waiting = if cw then true
```

```
else if cbw then false
                     else (false \rightarrow pre waiting);
- this node implements (??)
tel
```

```
node vecteq(xw: bool<sup>n</sup>; xr: bool<sup>n</sup>) returns (prop: bool);
var aux: bool^{(n+1)};
let
   aux[0] = true;
   aux[1..n] = aux[0..n-1] and (xr = xw);
   prop = aux[n];
tel
```

node compare(cw: bool; xw: bool^n; xr: bool^n) returns (prop: bool); var equal: bool; last: bool^n; unmatched: bool; let last = if equal then xw else (init  $\rightarrow$  pre last); - stores the value to be matched equal = vecteq(xr, (init  $\rightarrow$  pre last)); - tells whether the value to be matched is actually matched unmatched = if cw and not (true  $\rightarrow$  pre equal) then true else if equal then false else false  $\rightarrow$  pre unmatched; - tells that there are two values waiting for match prop = not(cw and (false  $\rightarrow$  pre unmatched)); - a new value should not arrive while two values are waiting for match tel

node verif(cw, cb, cr: bool; (x: bool^n) when cw) returns (prop: bool; xw, xr, xro: bool^n; bw, br: bool; cro: bool);  $\mathbf{let}$ xw, bw = if cw then current writer(x)else ((init, false)  $\rightarrow$  pre(xw, bw)); xr, br = if cb then current bus((xw, bw) when cb)else ((init, false)  $\rightarrow$  pre(xr, br)); cro, xro = if cr then current reader((xr, br) when cr)else ((false, init)  $\rightarrow$  pre(cro, xro));

prop = compare(cw, xw, xro);

```
assert faster(cb, cw) and faster(cr, firstafter(cb, cw));
- these assertions implement (??) and (??)
assert #(cw, cb, cr);
- so as not to get bored by simultaneous clocks
```

#### tel (\*

moucherotte% lesar albert2.lus verif -Pollux Version 2.0 TRUE PROPERTY moucherotte%

#### The Signal proof

```
process protocol = (? boolean xw; event cw, cb, cr ! boolean xr , inv)
     (| (xb, bb, sbw) := bus (xw, writer(xw,cw), cb)
                                                                     \% writer + bus \%
      |(xr, br, sbb)| := reader (xb, bb, cr)
                                                                     % reader %
                                                                     % condition (??) %
      cb^{\hat{}} = sbw default cb
      cr = (when switched(sbb)) default cr
                                                                     % condition (??) %
      xok := fifo_2 (xw)
                                                                     % fifo_2 satisfies (??) %
       inv := equal (xok, xr)
                                                                     % tests if xok=xr %
      1) where boolean bw, xb, bb, sbw, sbb, br, xok:
     process writer = (? boolean xw; event cw ! boolean bw)
          (| bw^{2} = xw^{2} = cw
           bw := not (bw$1 init true)
           D;
                                                                     % bw: boolean flag %
    process bus = (? boolean xw, bw; event cb ! boolean xb, bb, sbw)
          (|(xb, bb, sbw) := buffer (xw, bw, cb)|);
    process reader = (? boolean xb, bb; event cr ! boolean xr, br, sbb)
          (|(yr, br, sbb) := buffer (xb, bb, cr) | xr := yr when switched (br) |)
                                                                     % switched(br) validates xr %
          where boolean yr; end;
    process switched = (? boolean b ! boolean c)
          (| zb := b\$1 \text{ init true} | c := (b and not zb) or (not b and zb) |)
          where boolean zb; end;
                                                                     % c=true when b alternates %
    process buffer = (? boolean x, b; event c ! boolean bx, bb, sb)
          (|(sx, sb) := shift_2(x, b) | (bx, bb) := current_2(sx, sb, c) |)
          where boolean sx; end;
                                                                     % delays, sustains, filters %
    process shift_2 = (? \text{ boolean } x, b ! \text{ boolean } sx, sb)
                                                                     % see shift_1 %
         (|(sx, sb) := current_2(x, b, sb)| interleave(x, sx)|);
        process current 2 = (? \text{ boolean wx, wb; event c }! \text{ boolean rx, rb})
              (| \mathbf{rx} := (\mathbf{wx} \text{ cell } \mathbf{c} \text{ init false}) \text{ when } \mathbf{c}
                | rb := (wb cell c init true) when c |);
                                                                     % see current_1 %
        process interleave = (? boolean x, sx !)
              (|x = when b| sx = when not b| b := not (b$1 init false))
              where boolean b; end;
                                                                     % x and sx interleave %
    process equal = (? boolean y, z ! boolean inv)
          (|i := (y \text{ and } z) \text{ or } (not y \text{ and not } z) \text{ default inv}
           | inv := i $1 init true
                                                                     % tests if y=z %
           ); where boolean i; end;
    process fife_2 = (? \text{ boolean } x ! \text{ boolean } x \text{ or })
          (| xok := shift_1(shift_1(x)) |);
        process shift_1 = (? \text{ boolean } x ! \text{ boolean } sx)
                                                                    % x.sx satisfy (??) %
         (| sx := current_1 (x, sx) | interleave (x, sx) |);
            process current 1 = (? \text{ boolean wx; event } c ! \text{ boolean rx})
              (| \mathbf{rx} := (\mathbf{wx} \text{ cell } \mathbf{c} \text{ init false}) \text{ when } \mathbf{c} |);
                                                                     % current triggered by c %
```

#### Sigali:

set\_reorder(1); read("protocol.z3z"); read("Creat\_SDP.z3z"); read("Verif\_Determ.z3z"); POSSIBLE(B\_False(S,inv));  $\rightarrow$  resultat False Always(B\_True(S,inv));  $\rightarrow$  resultat True

### CONCLUSION

LTTA architectures (such as in use, e.g., at Airbus) can be made GALS-like

this allows for the distributed deployment of synchronous programs

this is probably a particular case of a more general theory of " correct distributed deployments ", currently under study