Nicolescu/Model-Based Design for Embedded Systems 67842_C003 Finals Page 86 2009-10-13
86 Model-Based Design for Embedded Systems
messages that can arrive at ECU1. Using flat event models, we could only
assume that every message contains a new signal for both receiving tasks,
which results in a load of 91.58% of ECU1. With the HEM, we also obtain the
maximum number of messages that contain a signal that was sent by task
ctrl1 (marked by squares), and the maximum number of messages contain-
ing a signal from ctrl2 (marked by triangles). If we now use the timings of
signal arrivals as activation timings of the receiving tasks, we obtain a much
smaller load of only 45% for ECU1.
Hence, the system is not only schedulable, but it also appears that the bus
with less than 50% utilization still has sufficient reserves to accommodate the
additional communication of the parking-assistant application. Especially,
since the time the parking assistant is enabled, the ESP communication is
disabled.
3.8.2 Analyzing Scenario 2
In Scenario 2, Sensors 1 and 2 are disabled, and therefore tasks mon1 and
mon2 are never activated. Consequently, they will not send data to the tasks
eval1 and eval2. The control tasks ctrl1 and ctrl2 are still executed and send
their data to the execution tasks running on ECU1. Their local response times
will slightly decrease, as there will now be no competition for the shared
memory from the second core. On the CAN bus we have the two addi-
tional communication tasks C3andC4, representing the communication of
the parking-assistant application. When we analyze this system, we obtain a
maximum latency of 22 ms for the path IP1 → IP2 and 131 ms for the path
Sens3 → SigOut. Therefore, the system is also schedulable when only the
parking-assistant application is running.
3.8.3 Considering Scenario Change
Having analyzed the two scenarios in isolation from each other, we neglected
the (recurrent) transient overload that may occur during the SC. This may
lead to optimistic analysis results. Thus, the SC analysis is needed to verify

the timing constraints across the SC. In the first experiment, we perform an
SC analysis assuming an “all scenarios in one” execution, that is, all tasks
belonging to both scenario task sets are assumed to be able to execute simul-
taneously. We obtain a maximum latency of 59 ms for the path IP1 →IP2 and
151 ms for the parking-assistant application path (path Sens3 →SigOut). So,
the system is not schedulable, since neither constraint is met. In the second
experiment, we use the compositional scenario-aware analysis presented in
Section 3.5.2 for the timing verification across the SC. We calculate a maxi-
mum latency of 39 ms for the path IP1 → IP2 and 131 ms for the parking-
assistant application path. Thus, we notice that there is an improvement in
the calculated maximum latencies of the constrained application paths. How-
ever, the path IP1 → IP2 slightly exceeds its constraint.
Nicolescu/Model-Based Design for Embedded Systems 67842_C003 Finals Page 87 2009-10-13
Formal Performance Analysis 87
1
0.8
0.6
0.4
0.2
0
Initial value Slack
BUS ECU1 ECU2 ECU3 ECU4
FIGURE 3.13
One-dimensional slack of the resource speeds.
3.8.4 Optimizing Design
As the design is not feasible in its current configuration, we need to optimize
the critical path IP1 → IP2 latency. For this, we can explore the priority
configuration of the communication tasks on the CAN bus. This can be per-
formed automatically on the basis of genetic algorithms (refer to [11] for
details). A feasible configuration is obtained for the following priority order:

C1 > C2 > C5 > C3 > C4. The obtained maximum path IP1 → IP2 latency
is equal to 29. Even though the maximum latency of the parking-assistant
applicationincreasedfrom131to138,thisisstilllessthantheimposedconstraint.
3.8.5 System Dimensioning
According to Section 3.6, the performance slack of the system components
can be efficiently used in order to select hardware components that are opti-
mal with respect to cost. The diagram presented in Figure 3.13 shows the
minimum speed of the CAN bus and the single-core ECUs. The presented
values are relative to the resource speed values in the initial configuration.
These values were individually obtained for each resource, which means that
the speed of only one resource was changed at any one time.
3.9 Conclusion
This chapter has given an overview of state-of-the-art compositional
performance analysis techniques for distributed systems and MPSoCs.
Furthermore, we have highlighted specific timing implications that require
Nicolescu/Model-Based Design for Embedded Systems 67842_C003 Finals Page 88 2009-10-13
88 Model-Based Design for Embedded Systems
attention when addressing the MPSoC setups, hierarchical communication
networks, and SCs. To leverage the capabilities of the overall approach,
sensitivity analysis and robustness optimization techniques were imple-
mented that work without executable code and that are based on robustness
metrics.
By means of a simple example, we have demonstrated that modeling
and formal performance analysis are adequate for the verifying, optimizing,
and dimensioning heterogeneous multiprocessor systems. Many of the tech-
niques presented here are already used in industrial practice [35].
References
1. K. Albers, F. Bodmann, and F. Slomka. Hierarchical event streams and
event dependency graphs: A new computational model for embedded
real-time systems. Proceedings of the 18th Euromicro Conference on Real-

Time Systems, Dresden, Germany, pp. 97–106, 2006.
2. AUTOSAR. AUTOSAR Specification of Communication V. 2.0.1,
AUTOSAR Partnership, 2006. .
3. P. Balbastre, I. Ripoll, and A. Crespo. Optimal deadline assignment for
periodic real-time tasks in dynamic priority systems. In 18th Euromicro
Conference on Real-Time Systems, Dresden, Germany, 2006.
4. I. Bate and P. Emberson. Incorporating scenarios and heuristics to
improve flexibility in real-time embedded systems. In Proceedings of
the IEEE Real-Time and Embedded Technology and Applications Symposium
(RTAS), San Jose, CA, April 2006.
5. J. L. Boudec and P. Thiran. Network Calculus: A Theory of Deterministic
Queuing Systems for the Internet. Springer, Berlin, 2001.
6. S. Chakraborty, S. Künzli, and L. Thiele. A general framework
for analysing system properties in platform-based embedded system
designs. In Proceedings of the IEEE/ACM Design, Automation and Test in
Europe Conference (DATE), Munich, Germany, 2003.
7. P. Emberson and I. Bate. Minimising task migration and priority changes
in mode transitions. In Proceedings of the IEEE Real-Time and Embedded
Technology and Applications Symposium (RTAS), Seatlle, WA, April 2007.
8. J. Filipiak. Real Time Network Management. North-Holland, Amsterdam,
the Netherlands, 1991.
9. O. Gonzalez, H. Shrikumar, J. Stankovic, and K. Ramamritham. Adap-
tive fault tolerance and graceful degradation under dynamic hard
Nicolescu/Model-Based Design for Embedded Systems 67842_C003 Finals Page 89 2009-10-13
Formal Performance Analysis 89
real-time scheduling. In Proceedings of the IEEE International
Real-Time Systems Symposium (RTSS), San Francisco, CA, December
1997.
10. W. Haid and L. Thiele. Complex task activation schemes in system level
performance analysis. In Proceedings of the IEEE/ACM International Con-

ference on HW/SW Codesign and System Synthesis (CODES-ISSS), Salzburg,
Austria, September 2007.
11. A. Hamann, M. Jersak, K. Richter, and R. Ernst. Design space explo-
ration and system optimization with SymTA/S-symbolic timing analysis
for systems. In Proceedings 25th International Real-Time Systems Symposium
(RTSS04), Lisbon, Portugal, December 2004.
12. A. Hamann, R. Racu, and R. Ernst. A formal approach to robustness max-
imization of complex heterogeneous embedded systems. In Proceedings
of the IEEE/ACM International Conference on HW/SW Codesign and System
Synthesis (CODES-ISSS), Seoul, South Korea, October 2006.
13. R. Henia and R. Ernst. Scenario aware analysis for complex event mod-
els and distributed systems. In Proceedings of the Real-Time Systems Sym-
posium, Jucson, AZ, 2007.
14. R. Henia, A. Hamann, M. Jersak, R. Racu, K. Richter, and R. Ernst. Sys-
tem level performance analysis—the SymTA/S approach. IEE Proceed-
ings Computers and Digital Techniques, 152(2):148–166, March 2005.
15. R. Henia, R. Racu, and R. Ernst. Improved output jitter calculation for
compositional performance analysis of distributed systems. Parallel and
Distributed Processing Symposium, 2007. IPDPS 2007. IEEE International,
Long Beach, CA, pp. 1–8, 2007.
16. T. Henzinger and S. Matic. An interface algebra for real-time compo-
nents. In Proceedings of the IEEE Real-Time and Embedded Technology and
Applications Symposium (RTAS), San Jose, CA, April 2006.
17. I. IXP2400. IXP2800 Network Processors.
18. V. Izosimov, P. Pop, P. Eles, and Z. Peng. Design optimization of time-
and cost-constrained fault-tolerant distributed embedded systems. In
Proceedings of the IEEE/ACM Design, Automation and Test in Europe Con-
ference (DATE), Munich, Germany, March 2005.
19. M. Jersak. Compositional performance analysis for complex embedded
applications. PhD thesis, Technical University of Braunschweig, Braun-

schweig, Germany, 2004.
20. B. Jonsson, S. Perathoner, L. Thiele, and W. Yi. Cyclic dependencies in
modular performance analysis. In ACM & IEEE International Conference
Nicolescu/Model-Based Design for Embedded Systems 67842_C003 Finals Page 90 2009-10-13
90 Model-Based Design for Embedded Systems
on Embedded Software (EMSOFT), Atlanta, GA, October 2008. ACM
Press.
21. E. Lee, S. Neuendorffer, and M. Wirthlin. Actor-oriented design of
embedded hardware and software systems. Journal of Circuits Systems and
Computers, 12(3):231–260, 2003.
22. P. Lee, T. Anderson, J. Laprie, A. Avizienis, and H. Kopetz. Fault Toler-
ance: Principles and Practice. Springer Verlag, Secaucus, NJ, 1990.
23. J. Lehoczky. Fixed priority scheduling of periodic task sets with arbitrary
deadlines. In Proceedings of the IEEE Real-Time Systems Symposium (RTSS),
Lake Buena Vista, FL, 1990.
24. J. Lemieux. Programming in the OSEK/VDX Environment. CMP Books,
Lawrence, KS, 2001.
25. C. Lu, J. Stankovic, S. Son, and G. Tao. Feedback control real-time
scheduling: Framework, modeling, and algorithms. Real-Time Systems
Journal, 23(1–2):85–126, 2002.
26. A. Maxiaguine, S. Künzli, S. Chakraborty, and L. Thiele. Rate analysis for
streaming applications with on-chip buffer constraints. In Proceedings of
the IEEE/ACM Asia and South Pacific Design Automation Conference (ASP-
DAC), Yokohama, Japan, pp. 131–136, January 2004.
27. M. Negrean, S. Schliecker, and R. Ernst. Response-time analysis of arbi-
trarily activated tasks in multiprocessor systems with shared resources.
In Proceedings of Design, Automation and Test in Europe (DATE 2009),Nice,
France, April 2009.
28. K. Poulsen, P. Pop, V. Izosimov, and P. Eles. Scheduling and voltage
scaling for energy/reliability trade-offs in fault-tolerant time-triggered

embedded systems. In Proceedings of the IEEE/ACM International Confer-
ence on HW/SW Codesign and System Synthesis (CODES-ISSS), Salzburg,
Austria, October 2007.
29. R. Racu and R. Ernst. Scheduling anomaly detection and optimization for
distributed systems with preemptive task-sets. In 12th IEEEReal-Time and
Embedded Technology and Applications Symposium (RTAS),SanJose,CA,
April 2006.
30. R. Racu, A. Hamann, and R. Ernst. Automotive system optimization
using sensitivity analysis. In International Embedded Systems Symposium
(IESS), Embedded System Design: Topics, Techniques and Trends, Irvine, CA,
pp. 57–70, June 2007. Springer.
31. R. Racu, A. Hamann, and R. Ernst. Sensitivity analysis of complex
embedded real-time systems. Real-Time Systems Journal, 39(1–3):31–72,
2008.
Nicolescu/Model-Based Design for Embedded Systems 67842_C003 Finals Page 91 2009-10-13
Formal Performance Analysis 91
32. J. Real and A. Crespo. Mode change protocols for real-time systems:
A survey and a new proposal. Real-Time System, 26(2):161–197, 2004.
33. K. Richter, D. Ziegenbein, M. Jersak, and R. Ernst. Model composition for
scheduling analysis in platform design. In Proceedings of the 39th Design
Automation Conference (DAC 2002), New Orleans, LA, June 2002.
34. K. Richter. Compositional performance analysis. PhD thesis, Technical
University of Braunschweig, Braunschweig, Germany, 2004.
35. K. Richter. New kid on the block: Scheduling analysis improves quality
and reliability of ecus and busses. Embedded World Conference, Nurem-
berg, Germany, 2008.
36. J. Rox and R. Ernst. Construction and deconstruction of hierarchical
event streams with multiple hierarchical layers. In Proceedings of the
Euromicro Conference on Real-Time Systems (ECRTS 2008), Prague, Czech
Republic, July 2008.

37. J. Rox and R. Ernst. Modeling event stream hierarchies with hierarchical
event models. In Proceedings of the Design, Automation and Test in Europe
(DATE 2008), Munich, Germany, March 2008.
38. S. Schliecker, M. Ivers, and R. Ernst. Integrated analysis of communi-
cating tasks in MPSoCs. Proceedings of the 4th International Conference on
Hardware/Software Codesign and System Synthesis, Seoul, Korea, pp. 288–
293, 2006.
39. S. Schliecker, M. Ivers, and R. Ernst. Memory access patterns for the anal-
ysis of MPSoCs. 2006 IEEE North-East Workshop on Circuits and Systems,
Gatineau, Quebec, Canada, pp. 249–252, 2006.
40. S. Schliecker, M. Ivers, J. Staschulat, and R. Ernst. A framework for
the busy time calculation of multiple correlated events. 6th International
Workshop on WCET Analysis, Dresden, Germany, July 2006.
41. S. Schliecker, M. Negrean, and R. Ernst. Reliable performance analysis
of a multicore multithreaded system-on-chip (with appendix). Technical
report, Technische Universität Braunschweig, Braunschweig, Germany,
2008.
42. S. Schliecker, M. Negrean, G. Nicolescu, P. Paulin, and R. Ernst. Reli-
able performance analysis of a multicore multithreaded system-on-chip.
In Proceedings of the 6th IEEE/ACM/IFIP International Conference on Hard-
ware/Software Codesign and System Synthesis, pp. 161–166. ACM, New
York, 2008.
43. S. Schliecker, J. Rox, M. Ivers, and R. Ernst. Providing accurate event
models for the analysis of heterogeneous multiprocessor systems.
In Proceedings of the 6th IEEE/ACM/IFIP International Conference on
Nicolescu/Model-Based Design for Embedded Systems 67842_C003 Finals Page 92 2009-10-13
92 Model-Based Design for Embedded Systems
Hardware/Software Codesign and System Synthesis, pp. 185–190. ACM, New
York, 2008.
44. S. Segars. The ARM9 family-high performance microprocessors for

embedded applications. Proceedings of the International Conference on Com-
puter Design: VLSI in Computers and Processors, 1998. ICCD’98.,Austin,
TX, pp. 230–235, 1998.
45. L. Sha, R. Rajkumar, J. Lehoczky, and K. Ramamritham. Mode change
protocols for priority-driven preemptive scheduling. Technical Report
UM-CS-1989-060, 31, 1989.
46. J. Staschulat and R. Ernst. Worst case timing analysis of input dependent
data cache behavior. Euromicro Conference on Real-Time Systems, Dresden,
Germany, 2006.
47. K. W. Tindell, A. Burns, and A. J. Wellings. Mode changes in priority
pre-emptively scheduled systems. In IEEE Real-Time Systems Symposium,
Phoenix, AZ, pp. 100–109, 1992.
48. S. Vestal. Fixed-priority sensitivity analysis for linear compute time mod-
els. IEEE Transactions on Software Engineering, 20(4):308–317, April 1994.
49. R. Wilhelm, J. Engblom, A. Ermedahl, N. Holsti, S. Thesing, D. Whalley,
G. Bernat, C. Ferdinand, R. Heckmann, T. Mitra, F. Mueller, I. Puaut,
P. Puschner, J. Staschulat, and P. Stenström, The worst-case execution-
time problem—overview of methods and survey of tools, Transactions on
Embedded Computing Systems, 7(3):1–53, 2008.
Nicolescu/Model-Based Design for Embedded Systems 67842_C004 Finals Page 93 2009-9-30
4
Model-Based Framework for Schedulability
Analysis Using U
PPAAL 4.1
Alexandre David, Jacob Illum, Kim G. Larsen, and Arne Skou
CONTENTS
4.1 Introduction 93
4.2 U
PPAAL andItsFormalism 95
4.2.1 Modeling Language 95

4.2.2 Specification Language 99
4.3 Schedulability Problems 99
4.3.1 Tasks 100
4.3.2 Task Dependencies 100
4.3.3 Resources 101
4.3.3.1 Scheduling Policies 101
4.3.3.2 Preemption 101
4.3.4 Schedulability 102
4.4 Framework Model in U
PPAAL 102
4.4.1 Modeling Idea 102
4.4.2 Data Structures 103
4.4.3 Task Template 104
4.4.3.1 Modeling Task Graphs 106
4.4.4 Resource Template 107
4.4.5 Scheduling Policies 109
4.4.5.1 First-In First-Out (FIFO) 110
4.4.5.2 Fixed Priority 110
4.4.5.3 Earliest Deadline First 111
4.5 FrameworkInstantiation 112
4.5.1 Schedulability Query 113
4.5.2 Example Framework Instantiation 114
4.6 Conclusion 116
Acknowledgment 116
References 116
4.1 Introduction
Embedded systems involve the monitoring and control of complex physical
processes using applications running on dedicated execution platforms in a
93
Nicolescu/Model-Based Design for Embedded Systems 67842_C004 Finals Page 94 2009-9-30

94 Model-Based Design for Embedded Systems
resource-constrained manner in terms of, for example, memory, processing
power, bandwidth, energy consumption, and timing behavior.
Viewing the application as a collection of interdependent tasks, various
“scheduling principles” may be applied to coordinate the execution of tasks
in order to ensure orderly and efficient usage of resources. Based on the phys-
ical process to be controlled, timing deadlines may be required for the indi-
vidual tasks as well as the overall system. The challenge of “schedulability
analysis” is now concerned with guaranteeing that the applied scheduling
principle(s) ensure that the timing deadlines are met.
For single-processor systems, industrial applied schedulability analy-
sis tools include TimeWiz from TimeSys Corporation [10] and RapidRMA
from TriPacific [11], based on rate monotonic analysis. More recently, Sym-
TA/S has emerged as an efficient tool for system-level performance and
timing analysis based on formal scheduling analysis techniques and sym-
bolic simulation [26]. These tools benefit from the great success of real-
time scheduling theories: results that were developed in the 1970s and the
1980s, and are now well established. However, these theories and tools have
become seriously challenged by the rapid increase in the use of multi-cores
and multiprocessor systems-on-chips (MPSoCs).
To overcome the limitation to single-processor architectures, applications
of simulation have been pursued, including—in the case of MPSoCs—the
ARTS framework (based on SystemC) [22,23], the Daedaleus simulation tool
[25], and the Design-Trotter [24].
Though extremely useful for early design exploration by providing very
adequate performance estimates, for example, memory usage, energy con-
sumption, and options for parallelizations, the use of simulation makes the
schedulability analysis provided by these tools unreliable; though no dead-
line violation may be revealed after (even extensive) simulation, there is no
guarantee that this will never occur in the future. For systems with hard real-

time requirements, this is not satisfactory.
During recent years, the use of real-time model checking has become an
attractive and maturing approach to schedulability analysis providing abso-
lute guarantees: if after model checking no violations of deadlines have been
found, then it is guaranteed that no violations will occur during execution. In
this approach, the (multiprocessor) execution platform, the tasks, the inter-
dependencies between tasks, their execution times, and mapping to the plat-
form are modeled as timed automata [3], allowing efficient tools such as
U
PPAAL [28] to “verify” schedulability using model checking.
The tool TIMES [4] has been pioneering this approach, providing a rather
expressive task-model called time-triggered architecture (TTA) allowing for
complex task-arrival patterns, and using the verification engine of U
PPAAL to
verify schedulability. However, so far the tool only supports single-processor
scheduling and limited dependencies between tasks. Other schedulability
frameworks using timed automata as a modeling formalism and U
PPAAL as a
backend are given in [8,13,14,17,27]. Also, related to schedulability analysis,
Nicolescu/Model-Based Design for Embedded Systems 67842_C004 Finals Page 95 2009-9-30
Model-Based Framework for Schedulability Analysis Using UPPAAL 4.1 95
a number of real-time operating systems (RTOS) have been formalized and
analyzed using U
PPAAL [16,20].
The MOVES analysis framework [19], presented in Chapter 5 of this book,
is closely related to this chapter. Whereas the chapter on MOVES reports on
the ability to apply U
PPAAL to verify properties and schedulability of embed-
ded systems through a number of (realistic size) examples, we provide in this
chapter a detailed—and compared with [5], alternative—account on how to

model multiprocessor-scheduling scenarios most efficiently, by making full
use of the modeling formalism of U
PPAAL. This chapter offers an UPPAAL mod-
eling framework [15]) that may be instantiated to suit a variety of scheduling
scenarios, and which can be easily extended. In particular, the framework
includes
• A rich collection of attributes for tasks, including the offset, best-
and worst-case execution times, minimum and maximum interarrival
times, deadlines, and task priorities
• Task dependencies
• Assignment of resources, for example, processors or busses, to tasks
• Scheduling policies, including first-in first-out (FIFO), earliest deadline
first (EDF), and fixed priority scheduling (FPS)
• Possible preemption of resources
The combination of task dependencies, execution time uncertainties, and
preemption makes schedulability of the above framework undecidable [21].
However, the recent support for stopwatch automata [9] in U
PPAAL leads to
an efficient approximate analysis that has proved adequate for several con-
crete instances, as demonstrated in [19].
The outline of the remaining chapter is as follows: In Section 4.2, we show
the formalism of U
PPAAL by the use of an example. In Section 4.3, we give an
introduction to the types of schedulability problems that can be analyzed
using the framework presented in Section 4.4. Following the framework, in
Section 4.5, we show how to instantiate the framework for a number of dif-
ferent schedulability problems by way of an example system. Finally, we
conclude the chapter in Section 4.6.
4.2 UPPAAL and Its Formalism
In this section, we provide an introductory description of the UPPAAL model-

ing language.
4.2.1 Modeling Language
The tool UPPAAL is designed for design, simulation, and verification of
real-time systems that can be modeled as networks of timed automata [2],