- Email: [email protected]
Experiments with the Synchronous Methodology Illustrating its Support of Predictability
Copyright © IFAC Real Time Programming.
Gramado. RS. Brazil. 1997
EXPERIMENTS WITH THE SYNCHRONOUS METHODOLOGY ILLUSTRATING ITS SUPPORT OF PREDICTABILITY P. LE GUERNIC and
E. RUTTEN
IRISA / INRIA - Rennes, Campus de Beaulieu, F-35042 RENNES, France e-mail: Paul.LeGuernicCirisa.fr.Eric.RuttenCirisa.fr
Abstract. This paper analyses experiments with the SIGNAL programming environment for the design of safety-critical systems, with an emphasis on predictable behaviour. This environment is based upon a data-flow language and a synchronous model; the composition of interacting sub-systems and tasking of data-flow processes do not introduce unpredictability. It offers integrated tools for transformations and analysis. The practical relevance of the synchronous model and methodology is illustrated with a focus on predictabilty by examples gathered from a spectrum of experiments (robot vision, production cell control and power transformer control) . Keywords. Reactive systems , synchronous language, predictability, experiments.
1. PREDICTABILITY IN REACTIVE SYSTEMS
The synchronous approach to reactive systems addresses this problem specifically, in the form of programming languages and environments amongst which the data flow language SIGNAL (Le Guernic e.a. , 1989) , and also ESTEREL , LUSTRE , ARGOS (Halbwachs , 1993) and STATE CHARTS (Harel , 1987) . They offer tools based on a formal model of reactive systems for e.g. analysis, verification, evaluation, and code generation . A characteristic feature of the synchronous models is the synchronous composition. It supports the construction of complex systems by composing interacting sub-systems without introducing new unpredictability like nondeterminis m in the communications between components or in tasking . The intuitive image of "instantaneous execution and communication" sometimes associated with synchrony means that it is an implementationindependent structuring mechanism ; at the actual implementation stage , "de-synchronization" of programs takes into account the asynchronous communications of the target system (Aubry e.a ., 1996). A construct of preemptive data-flow task , that can be started , suspended, resumed and interrupted . is integrated in this framework , and benefits from its advantages. The formal definition of the synchronous model is at the base of predictability-preserving transformation tools between different levels of design . Synchronous models provide for more compact representations , hence facilitating the scaling-up performance of such tools. This approach induces a methodology (Gautier e.a ., 1994) where these functionalities are used to go from the original (possibly partial) specification to final (possibly distributed) implementation.
This paper makes a synthesis of a variety of experiments illustrating the support of predictability in the synchronous methodology for the design of reactive systems. Real-time reactive systems are in constant interaction with an environment, and the very own dynamics of this environment have to be taken into account in the execution of the system. One application domain concerned is that of safetycritical embedded systems, found in areas such as e.g. avionics, transportation systems , plant control, and robotics . One difficulty in guaranteeing predictability is the complexity of behaviours: they are defined with regard to combinations of states and events , internal or coming from the environment , with "asynchronous" (meaning sporadic) or multiple rates. Another concern is the complexity of structure: it imposes (de- )composition of interacting sub-systems, in multiple layers of hierarchy, involving sets of tasks. When complex interactions are supported by a nondeterministic model of communication , and the activation (sequencing and preemption) of tasks relies on operating system tasking, they are likely to introduce additional unpredictability, not due to the components of the system themselves. Hence, in that respect, these operating system level mechanisms are not satisfactory, and there is a need for programming models that are at once powerful enough to describe complex behaviour and structure, formally sound so as to support automated assistance tools , while not introducing undue unpredictability in composition and tasking .
81
Various experiments have been performed with SIGNAL and the methodology associated to its use , some made in cooperation with industrial partners. Among them were systems for speech recognition (Le Guernic e.a., 1989), digital watch control (Gautier e.a ., 1994), active vision in robotics (Marchand, E . e.a ., 1996), the control of a production cell (In Lewerentz e.a ., 1995), the control of an electrical power transformer station (Marchand, H. e.a ., 1995), and behavioural animation in computer graphics . This particular paper illustrates the practical relevance of the synchronous methodology W.r. t . predictability, with examples extracted from some of them.
Signal compiler
2. THE SIGNAL ENVIRONMENT The application domain of the SIGNAL model, language and methodology (Le Guernic e.a ., 1989; Gautier e.a. , 1994) is reactive systems. It is based on the notion of reaction: the system acts in the presence of an input , by computing the new value of its state variables, and emitting outputs towards its environment. It is an abstraction of cyclic processes in signal processing and sensor-based control, and of automata and controllers used for the management of tasks, or also of processors and logical circuits. It is used in formalisms like GRAFCET (Sequential Function Charts) or STATECHARTS (Harel, 1985) and other synchronous languages. It corresponds to the model of time in control theory and signal processing equations, for the description of sampled continuous processes. SIGNAL is an equational data-flow language. Behaviours are specified in terms of signals (streams or series of values, with a presence clock) ; events are special signals with no value but their presence. They are defined by equations featuring the following available operations: functions on the values of signals (extended to series) , down-sampling i.e. selection according to a boolean condition, up-sampling i.e. prioritary merging of streams , and delay, accessing the previous value of a signal, at the same clock. This minimal kernel is powerful enough for the description of general, arbitrarily complex, multi-rate behaviours. It is enriched with derived operators for user confort . The semantics of operators is given by the solution of the system of equations, in terms of sets of the possible traces for the involved signals . In this paper, we focus on complex structure specification: this is handled by the synchronous composition operator. It corresponds exactly to t he composition of systems of equations, where the resulting semantics is the solution of the resulting equation system , i.e. the traces which are solution to both the composed equations systems, in other terms the intersection of the solutions to each of them. For hierarchical sequencing and preemption of data-flow tasks, the GTi extension to SIGNAL (Rutt en e.a., 1995) enables t o associate a data-flow process (possibly featuring sub-tasks) to the time interval of its activation. Preemption of the task, when leaving its interval, can be suspensive (if started again, it begins from its current internal state) or interruptive (it starts again from its initial state). The fact that tasking is defined on top of SIGNAL makes it compatible with all the SIGNAL framework .
performance evaluation) Foruan77. C (execution. simulation)
Fig. 1. The SIGNAL design environment . As illustrated in Fig. 1, the compilation of the specification constructs, from a SIGNAL program , a graph representation of the program modeling the set of operations, the data dependencies between them, and their activation clocks. Tasks in GTi are defined on top of the SIGNAL language, and are treated by a pe-processor to the compiler. The analysis tools carry out treatments like checking the consistency of data dependencies, of synchronization relations between activation clocks (e.g. , inclusion is used to build a hierarchy), and the detection of dependency cycles on data, or causality cycles on events. At this stage , some non-deterministic specifications are detected , which should be more tightly controlled in order to be made predictably executable. Based on this model, transformations feature optimizations, using the same kind of claculus on activation clocks to detect redundant operations or dead code (null activation clock: operations that will never be activated). Optimizations are performed globally on t~e model; therefore it is possible to use redundancy III the specification of a complex system , which can make it easier, whithout causing inefficiency in the implementation, thanks to later optimizations. From the model , the synthesis of a scheduling consists in finding an ordering of operations respecting the constraints on dependencies and activations. Code generation then consists in automatically producing executable code for correct (w.r. t. specification) and predictable controllers in ADA, C or FORTRAN. Other output s of the SIGNAL compiler feature VHDL or SYNDEX , which is the input language to a tool for distribution
82
and timing analysis on signal processing architectures (Sorel, 1994). A model of the dynamical behavio.u r of programs , abstracted to boolean and event sIgnals , supports the checking of d ynamical properti~s by performing their automated proof (Chap. VII III Lewerentz e.a ., 1995 ). The whole environment is integrated, working on a unified model (the data-flow graph) so that no manual transformations or linkings are needed, hence avoiding interpretation errors. CMERA_ VELOCITY ()
The specificity of synchronous composition, and its practical interpretation, is that it describes interactions between components in terms of causality dependencies between events and signals. It is the very same composition as the basic equations system constructing mechanism. At this level, composition is a specification parallelism: composed sub-systems exchange signals which communicate information between them . It is not meant for directly describing distributed implementations themselves, but . for building larger specifications from smaller ones . LIkewise , tasking is not meant for directly describing implementation in processes or threads , but for controlling the modes of activation of data-flow processes in a hierarchically structured manner. They make no implementation assumption, neither on the communication media implementing interactions (e .g. the nondeterminism of asynchronous communication), nor on operating system level tasking strategies or mechanisms , nor on the implementation decomposition of the system , into distributed processes and tasks. Particularly, the latter point reflects that it must be possible to make a functional decomposition of the specification without having to cope with the parallel implementation (which can be made following a different decomposition) , and even without actually implementing the composition in a distributed way, or the tasks as operating system processes. The rationale for this differentiation is that these are two different issues, and that it would introduce all the unpredictability coming with non-deterministic operating system mechanisms, thereby also dramatically, although irrelevantly, increasing model complexity, if it can be obtained at all. Nonetheless, there exist methods for the distributed implementation of SIGNAL programs (Aubry e.a ., 1996; Gautier e.a ., 1994). They feature the partitioning of the graph representation into sub-graphs (quite independently from the functional decomposition) constituting tasks or processes according to a variety of criteria like the common dependency on a given subset of inputs . The communications between them will be "de-synchronized", i.e. it will result into the composition of synchronous processes using actual communication channels, taking their asynchrony into account , while respecting the causal relationships.
.... Servoing control
Fig. 2. Graphical block diagram specification of vision-based servoing. the regulation of a task function , which is an equation c = f( s) giving the value of the control c to be applied to the actuator, in terms of the values s acquired by the sensors. Such a task can be composed of several sub-tasks, with a priority order. The implementation of such a control law is made by sampling sensor information s into a flow of values St, which are used to compute the flow of commands Ct : '
3. COMPOSITION OF INTERACTING SYSTEMS A first experiment concerns a robot active vision system for 3D recognition (Marchand, E. e.a ., 1996). The general motivation for the application of SIGN AL t o robot control comes from the form of robot control laws. At the relatively lowest level, they consist in
83
Environment
Servoing control ctrl-in'lr---------~c~md~-o~u~t~ Clrl-out"
ctrl-in
sensor-m
sensor-in l'I":""SI
Parameters
clrl-in'
cmd-out
possible behaviours
arm
cmd-out
Estimation higher-level
Fig. 3. Visual servoing and estimation in parallel.
safe interaction
conlroller
Another experiment concerns the controller of a production cell. This case study has also been treated by a number of other formal methods and languages for reactive systems (Lewerentz e.a .. 1995) . It concerns the control of several devices: two feed belts, a rotating elevating table , a press, a moveable crane, two extensible arms on a rotating base. Functionnaly, for each device we define a controller. It takes sensor information as input , and reacts to it by issuing commands to actuators , taking into account its own internal state: it describes the possible behaviours. For example, the press controller has sensor inputs (in Fig. 4: sensor-in) giving the position of its mobile part (high (closed) , low (open) , middle) , and the commands (cmd-out) which it sends out to the device are to move upwards, to move downwards, or to stop. The controller consists of rules like: stop when moving upwards and reaching the high position. Interactions between these devices are various ; for example, a collision can occur if an arm extends while its angular position is facing the press and this latter is not wide open. Another example is that an arm must wait for the press to have opened before it can load it by extending inside and dropping an object to be pressed. In order to enable the synchronization (for cooperation or competition) with other devices , its controller is provided with additional inputs and outputs (in Fig. 4: ctrl-in and ctrl-out) for the commmunication of control information. For example. when stopping in low position, emit an availability signal , and wait for a release signal before moving upwards. When grouping two or more devices, the control signals have to be used by an additional controller defining the safe behaviours of the group. which makes sure that the devices synchronize so as to manage competitions. and to coordinate their actions. For example. if an arm holds an object to be pressed . then its controller has to wait for the press to be open and ready to accept the object. while the press has to wait for the arm to have moved and dropped the object at the right location before it can close again to press the object . This kind of control might involve sensor information as well , and be dynamical, in the sense that it has an internal state. In order for this to be able to synchronize with yet another layer of control. it is itself provided with synchro-
safe behaviours for another (group of) dev.ce(s) L
_
Fig. 4. Layered specification , with possible behaviours , safe behaviours, and complete scenario. nization in- and outputs (ctrl-in' and ctrl-out' ). Fig. 4 shows how this sub-system is built , in the upper dashed box . The role of composition here is exactly that of the composition of systems of equations: the possible behaviors are all the traces of the partial specifications for each device, in particular there are no constraints on the control inputs _ The additional safe interaction controller defines the possible traces for these control signals (a priori they are less than all arbitrary possible ones, unless the controller is empty) . Hence , composing individual controllers with this safe interaction controller defines a set of behaviours which is the intersection of the possible ones with the safe ones. This pattern can be repeated hierarchically at several levels , as shown in Fig. 4 with the composition with the lower dashed box and the higher-level interaction controller. Obtaining the final global controller of the production cell , grouping all devices, is a matter of reaching a level where all interaction control aspects are handled without resorting to external control inputs . In that case . the specified behaviour is determined by its sensor input (dotted box in Fig . 4), and in that sense is a complete scenario for the production cell_ This completes a methodology for layered specification effectively using synchronous composition . As was discussed in section 2, a distributed implementation of the global controller might be decomposed differently, for example, according to sensors location, where one sensor can be used by several controllers.
4.
TASKI~G
OF DATA-FLOW PROCESSES
In the robot vision application (Marchand. E. e.a .. 1996) introduced in the previous section, a library of different tasks was built . each differently optimized
84
1
.. " E. ~1-_ _ _ _.:. I RE'=':' C_ _ _ _ _ _ _ _ _ _
LIS-rempty=hlSe . IC
LISTempty=hlse
l -_ _ "R_ _-3 : I na t
3
?,ll ndlr: t rue : 't'I ev
LISTem
lE
~ .~~~~~
l C .}-_ _":.:.R~_-3 .. I C i : Inot
3
~ll.nd~ ;= t ru e
:
'f
:
Ir l
Is1 1 __ -- -- -- --
I
,
-- l - - - - - - - t - - - 3
~.
Fig. 5. Sequencing of data flow vision tasks. for a given shape of objects (cylinders, segments, polyhedral objects , ... ). So, for the reconstruction of environments featuring a number of different objects, data flow processes have to be sequenced for each primitive object of the scene, with different phases: selection of a primitive , precise active estimation , and concurrently, coarse estimation of the other ones, as well as the creation or the update of a list of 2-D segments which contains a 2-D description of the observed scene. Each active estimation ends when all the primitive parameters have been accurately computed with a sufficient precision. Each coarse estimation ends when the corresponding segment gets out of the image or is preempted when the active estimation ends. Tasks can be used to hierarchically structure these data-flow controllers and associate them with their start and end events (i.e. activity intervals) which depend on the image data, the estimated parameters of the primitives, and the state of the list of segments. Fig. 5 illustrates the hierarchical decomposition of these tasks. An exploration phase builds a list of 2-D segments; it is active on time interval lE. In alternance with this , i.e. when not in lE, the scene reconstruction task is active on IREC . It is itself an alternance between two sub-tasks: a primitive selection task, on interval IC , and the primitive reconstruction. The selection chooses a segment in the list to be considered. If the list is empty (i.e. , LISTempty=true) , it causes the scene reconstruction ( IREC) to exit. When the list is not empty, the primitive reconstruction process for the chosen primitive on IR is itself decomposed into sub-tasks. It begins with a recognition process which estimates the nature of the considered primitive (segment or cylinder), on Inat , which ends with the boolean event Cylinder . It continues with the estimation of the parameters of its 3D structure , according to the value of Cylinder: in the case of a segment (Cylinder=false) , only its length on interval 151; in the case of a cylinder (Cylinder=true) , its radius and position of axis on Icv , and then its length on IcI. In parallel with this estimation, a coarse estimation of some primitives can be performed on intervals Iri ; if active when the current optimal estimation terminates, it will be interrupted. After each estimation of a primitive, the list of 2D segments is updated and a new selection is performed on IC . This way, the decomposition of the recognition task into a sequencing of data flow sub tasks has been specified in the same integrated language and model framework.
Fig. 6. Hierarchical preemptive control for defect confirmation in a power transformer.
mation station (Marchand, H . e.a., 1995) . The French national electrice network, operated by Electricite de France (EDF) , counts a large number of transformer stations. Such a transformer station features an automatic control system handling the response to electric defects on the lines connected to it, by means of circuit breakers. The control involves complex interactions between communicating automata, interruption and preemption behaviors , timers and timeouts , reactivity to external events, ... The controller has to distingish between several types of defects (phase PH, homopolar H, or wattmetric W) , and between transient and persistent ones . Each circuit breaker controller defines a behavior beginning with the confirmation and identification of the type of the defect , and continuing in a treatment phase. The confirmation phase consists in taking the time to let transient defects cease naturally. For each of the defect types (PH, H, or W) a delay can assess its persistent presence. They are tested in sequence, until a defect is confirmed (i.e ., present at the end of the corresponding delay). However, the sequence is interrupted as soon as the defect disappears, or one of the previously examined defect appears. This latter point involves a preemption hierarchy, as illustrated in Fig. 6 , where the behaviour can be decomposed into a hierarchy of sub-tasks interruptible by higher-level tasks. The confirmation task, active on interval LPH, is started when a defect is detected (First...Defect ), and stopped when signal Defect occurs ( true in case of confirmation (DeLConf) , false if the defect has disappeared before ), causing the interruption of all its sub-tasks . Confirmation is decomposed into: the waiting for a delay Delay..PH , at the end of which, if the PH defect is sensed, then DeLConf is emitted (causing termination) , else the sub-task for the H defect is started, on time interval LH, interruptible on the occurrence of PH . This sub-task itself decomposes quite similarly into first waiting for Delay...H to elapse, then if the H defect is sensed, emitting DeLConf...H (causing termination) , else starting the sub-task for the W defect on time interval LW, interruptible on the occurrence of H. This last sub-task consists of sensing for defect W at the end of Delayj/. This illlustrates the use of hierarchies of interruptible sub-tasks, comparable to hierarchical parallel automata as in STATE CHARTS (Harel, 1987) . They are independently of their possible separation into several system-level processes and the use of a system-level tasking mechanism .
Another application of the tasking mechanisms of SIGNAL , more illustrative of the hierarchical interruption structures, is the controller of a power transfor-
85
bution of synchronous programs (Gautier e.a. , 1994; Aubry e.a. , 1996) . As was suggested in this paper, decomposition into distributed processes and tasks may then follow a structure different from that of the functional sub-systems.
5. CONCLUSION To summarize , this paper illustrates , with the results of experiments, the characteristics and practical relevance of the synchrony hypothesis and methodology w.r.t. its support of predictability. The composition and tasking offered by SIGNAL provide for structuring of specifications without introducing unpredictability. This also has an influence on tool support in that models give a formal and more compact basis for automated transformation and analysis (e.g. detecting non-determinism in specifications). Advantages for the users feature a high degree of automation in the design; it eases scaling up to large-sized and complex systems, reuse of existing components, and provides for safety of proven algorithms and productivity. A comparison can be drawn with the design of integrated circuit , which does not go without using CAD tools and environment. The integration of the tools in the programming environments around a unified model involves less manual linkings or translations, which are error-prone, and unanalysable formally. Analysis and optimization are performed globally, which gives a priori better results than local techniques, and is more than what manual ones usually can handle. Other functionalities offered by the SIGNAL approach, not described here, are related to the verification of properties of dynamical behaviours (Chap. VII in Lewerentz e.a ., 1995), the link to hardware/software co-design, or hybrid systems.
ACKNOWLEDGEMENT Acknowledgement is due to participants in the various experiments mentioned here: Pascalin Amagbegnon, Fran<;ois Chaumette, Eric Marchand, Herve Marchand, Mazen Samaan (part of this work was supported by ELECTRICITE DE FRANCE) .
REFERENCES Aubry, P. , Le Guernic , P., and Machard, S. (1996) Synchronous distribution of SIGNAL programs. Proc. 29'h Hawaii Int. Conf. on System Sciences, Jan. 1996, Vo!. 1, pp. 656-665 , IEEE. Baker, T.P., and Pazy, O. (1991). Real time features for ADA9x. Proc. IEEE Real Time Systems Symp ., Dec . 1991 , pp . 172-180, IEEE. Gautier, T ., Le Guernic , P., Maffei's, O . (1994). For a New Real-Time Methodology. INRIA Research Report no. 2364 (FTP: ftp.inria.fr , INRIA/publication/RR/RR-2522.ps.gz) . Halbwach, N. (1993) Synchronous programming of reactive systems. Kluwer. Harel, D. (1987) STATECHARTS: a visual formalism for complex systems. Science of Computer programming, 8(3) , pp . 231-274.
The synchronous approach is focused on improving the management of the control part of applications. Therefore a limitation is that it has no general support for data manipulation like e.g. numerical computation, or graphical functions. However, it is possible to make links from a SIGNAL program to libraries written in C and/or FORTRAN, by using the notion of external function calls. Explicitly asynchronous communication is not supported either. This is an important difference with related work in more traditional approaches represented by e.g. CSP-like languages (Hoare, 1985) like OCCAM , AnA (Baker e.a., 1991) or models like communicating automata or Petri nets. These models are closer to realistic (actual) mechanisms for communication and tasking (although synchrony is the natural parallelism framework in digital circuits for example , where a global clock gives the cadence of computations) . Their parallel and tasking constructs are powerful structuring tools. But they bring in non-determinism, and therefore, models of behaviours are more complex, and predictability is not guaranteed anymore, also because of the dependency on external system configuration, not in the same model, hence not analysable.
Hoare, C.A.R. (1985). Communicating Sequential Processes, Prentice-Hall Int . Le Guernic, P., Le Borgne , M ., Gautier, T . and Le Maire, C. (1989) Programming real time application with SIGNAL. Proc. of the IEEE, 79(9) , pp. 1321-1336. Lewerentz , C . and T . Lindner (eds.) (1995). Formal Development of Reactive Systems - Case Study Production Cell, LNCS no. 891 , Springer. (Chap. VII describes the SIGNAL contribution). Marchand, E ., Rutten, E. and Chaumette, F . (1996) Applying the synchronous approach to real time active visual reconstruction. IEEE Trans. on Control Systems Technology, (to appear). Marchand, H ., Rutten, E. and Samaan, M. (1995). Synchronous design of a transformer station controller with SIGNAL. Proc. 4th IEEE Conf. on Control Applications, CCA '95, Albany, New York, Sept. 28-29, 1995, pp. 754-75. Rutten, E. and Le Guernic , P . (1995). Sequencing and preempting data flow tasks. Proc. 2d h IFACj IFIP Workshop on Real Time Programming, Ft Lauderdale, Florida, Nov. 6-10, 1995, Elsevier. Massively parallel computing Sorel, Y. (1994). systems with real-time constraints: the "algorithm-architecture adequation" methodology. Proc. Massively Parallel Computing Systems Conf., Ischia, Italy, 1994 .
Our experiments , especially the aspects we focused on in this paper, show concrete examples where using such mechanisms for implementation-independent structuring would have introduced unpredictability unnecessarily. This is a practical argument for the use of synchronous composition. This does of course not exclude implementing a synchronous specification on an asynchronous platform: there exist approaches for the tool-supported "de-synchronization" and distri-
86
Gramado. RS. Brazil. 1997
EXPERIMENTS WITH THE SYNCHRONOUS METHODOLOGY ILLUSTRATING ITS SUPPORT OF PREDICTABILITY P. LE GUERNIC and
E. RUTTEN
IRISA / INRIA - Rennes, Campus de Beaulieu, F-35042 RENNES, France e-mail: Paul.LeGuernicCirisa.fr.Eric.RuttenCirisa.fr
Abstract. This paper analyses experiments with the SIGNAL programming environment for the design of safety-critical systems, with an emphasis on predictable behaviour. This environment is based upon a data-flow language and a synchronous model; the composition of interacting sub-systems and tasking of data-flow processes do not introduce unpredictability. It offers integrated tools for transformations and analysis. The practical relevance of the synchronous model and methodology is illustrated with a focus on predictabilty by examples gathered from a spectrum of experiments (robot vision, production cell control and power transformer control) . Keywords. Reactive systems , synchronous language, predictability, experiments.
1. PREDICTABILITY IN REACTIVE SYSTEMS
The synchronous approach to reactive systems addresses this problem specifically, in the form of programming languages and environments amongst which the data flow language SIGNAL (Le Guernic e.a. , 1989) , and also ESTEREL , LUSTRE , ARGOS (Halbwachs , 1993) and STATE CHARTS (Harel , 1987) . They offer tools based on a formal model of reactive systems for e.g. analysis, verification, evaluation, and code generation . A characteristic feature of the synchronous models is the synchronous composition. It supports the construction of complex systems by composing interacting sub-systems without introducing new unpredictability like nondeterminis m in the communications between components or in tasking . The intuitive image of "instantaneous execution and communication" sometimes associated with synchrony means that it is an implementationindependent structuring mechanism ; at the actual implementation stage , "de-synchronization" of programs takes into account the asynchronous communications of the target system (Aubry e.a ., 1996). A construct of preemptive data-flow task , that can be started , suspended, resumed and interrupted . is integrated in this framework , and benefits from its advantages. The formal definition of the synchronous model is at the base of predictability-preserving transformation tools between different levels of design . Synchronous models provide for more compact representations , hence facilitating the scaling-up performance of such tools. This approach induces a methodology (Gautier e.a ., 1994) where these functionalities are used to go from the original (possibly partial) specification to final (possibly distributed) implementation.
This paper makes a synthesis of a variety of experiments illustrating the support of predictability in the synchronous methodology for the design of reactive systems. Real-time reactive systems are in constant interaction with an environment, and the very own dynamics of this environment have to be taken into account in the execution of the system. One application domain concerned is that of safetycritical embedded systems, found in areas such as e.g. avionics, transportation systems , plant control, and robotics . One difficulty in guaranteeing predictability is the complexity of behaviours: they are defined with regard to combinations of states and events , internal or coming from the environment , with "asynchronous" (meaning sporadic) or multiple rates. Another concern is the complexity of structure: it imposes (de- )composition of interacting sub-systems, in multiple layers of hierarchy, involving sets of tasks. When complex interactions are supported by a nondeterministic model of communication , and the activation (sequencing and preemption) of tasks relies on operating system tasking, they are likely to introduce additional unpredictability, not due to the components of the system themselves. Hence, in that respect, these operating system level mechanisms are not satisfactory, and there is a need for programming models that are at once powerful enough to describe complex behaviour and structure, formally sound so as to support automated assistance tools , while not introducing undue unpredictability in composition and tasking .
81
Various experiments have been performed with SIGNAL and the methodology associated to its use , some made in cooperation with industrial partners. Among them were systems for speech recognition (Le Guernic e.a., 1989), digital watch control (Gautier e.a ., 1994), active vision in robotics (Marchand, E . e.a ., 1996), the control of a production cell (In Lewerentz e.a ., 1995), the control of an electrical power transformer station (Marchand, H. e.a ., 1995), and behavioural animation in computer graphics . This particular paper illustrates the practical relevance of the synchronous methodology W.r. t . predictability, with examples extracted from some of them.
Signal compiler
2. THE SIGNAL ENVIRONMENT The application domain of the SIGNAL model, language and methodology (Le Guernic e.a ., 1989; Gautier e.a. , 1994) is reactive systems. It is based on the notion of reaction: the system acts in the presence of an input , by computing the new value of its state variables, and emitting outputs towards its environment. It is an abstraction of cyclic processes in signal processing and sensor-based control, and of automata and controllers used for the management of tasks, or also of processors and logical circuits. It is used in formalisms like GRAFCET (Sequential Function Charts) or STATECHARTS (Harel, 1985) and other synchronous languages. It corresponds to the model of time in control theory and signal processing equations, for the description of sampled continuous processes. SIGNAL is an equational data-flow language. Behaviours are specified in terms of signals (streams or series of values, with a presence clock) ; events are special signals with no value but their presence. They are defined by equations featuring the following available operations: functions on the values of signals (extended to series) , down-sampling i.e. selection according to a boolean condition, up-sampling i.e. prioritary merging of streams , and delay, accessing the previous value of a signal, at the same clock. This minimal kernel is powerful enough for the description of general, arbitrarily complex, multi-rate behaviours. It is enriched with derived operators for user confort . The semantics of operators is given by the solution of the system of equations, in terms of sets of the possible traces for the involved signals . In this paper, we focus on complex structure specification: this is handled by the synchronous composition operator. It corresponds exactly to t he composition of systems of equations, where the resulting semantics is the solution of the resulting equation system , i.e. the traces which are solution to both the composed equations systems, in other terms the intersection of the solutions to each of them. For hierarchical sequencing and preemption of data-flow tasks, the GTi extension to SIGNAL (Rutt en e.a., 1995) enables t o associate a data-flow process (possibly featuring sub-tasks) to the time interval of its activation. Preemption of the task, when leaving its interval, can be suspensive (if started again, it begins from its current internal state) or interruptive (it starts again from its initial state). The fact that tasking is defined on top of SIGNAL makes it compatible with all the SIGNAL framework .
performance evaluation) Foruan77. C (execution. simulation)
Fig. 1. The SIGNAL design environment . As illustrated in Fig. 1, the compilation of the specification constructs, from a SIGNAL program , a graph representation of the program modeling the set of operations, the data dependencies between them, and their activation clocks. Tasks in GTi are defined on top of the SIGNAL language, and are treated by a pe-processor to the compiler. The analysis tools carry out treatments like checking the consistency of data dependencies, of synchronization relations between activation clocks (e.g. , inclusion is used to build a hierarchy), and the detection of dependency cycles on data, or causality cycles on events. At this stage , some non-deterministic specifications are detected , which should be more tightly controlled in order to be made predictably executable. Based on this model, transformations feature optimizations, using the same kind of claculus on activation clocks to detect redundant operations or dead code (null activation clock: operations that will never be activated). Optimizations are performed globally on t~e model; therefore it is possible to use redundancy III the specification of a complex system , which can make it easier, whithout causing inefficiency in the implementation, thanks to later optimizations. From the model , the synthesis of a scheduling consists in finding an ordering of operations respecting the constraints on dependencies and activations. Code generation then consists in automatically producing executable code for correct (w.r. t. specification) and predictable controllers in ADA, C or FORTRAN. Other output s of the SIGNAL compiler feature VHDL or SYNDEX , which is the input language to a tool for distribution
82
and timing analysis on signal processing architectures (Sorel, 1994). A model of the dynamical behavio.u r of programs , abstracted to boolean and event sIgnals , supports the checking of d ynamical properti~s by performing their automated proof (Chap. VII III Lewerentz e.a ., 1995 ). The whole environment is integrated, working on a unified model (the data-flow graph) so that no manual transformations or linkings are needed, hence avoiding interpretation errors. CMERA_ VELOCITY ()
The specificity of synchronous composition, and its practical interpretation, is that it describes interactions between components in terms of causality dependencies between events and signals. It is the very same composition as the basic equations system constructing mechanism. At this level, composition is a specification parallelism: composed sub-systems exchange signals which communicate information between them . It is not meant for directly describing distributed implementations themselves, but . for building larger specifications from smaller ones . LIkewise , tasking is not meant for directly describing implementation in processes or threads , but for controlling the modes of activation of data-flow processes in a hierarchically structured manner. They make no implementation assumption, neither on the communication media implementing interactions (e .g. the nondeterminism of asynchronous communication), nor on operating system level tasking strategies or mechanisms , nor on the implementation decomposition of the system , into distributed processes and tasks. Particularly, the latter point reflects that it must be possible to make a functional decomposition of the specification without having to cope with the parallel implementation (which can be made following a different decomposition) , and even without actually implementing the composition in a distributed way, or the tasks as operating system processes. The rationale for this differentiation is that these are two different issues, and that it would introduce all the unpredictability coming with non-deterministic operating system mechanisms, thereby also dramatically, although irrelevantly, increasing model complexity, if it can be obtained at all. Nonetheless, there exist methods for the distributed implementation of SIGNAL programs (Aubry e.a ., 1996; Gautier e.a ., 1994). They feature the partitioning of the graph representation into sub-graphs (quite independently from the functional decomposition) constituting tasks or processes according to a variety of criteria like the common dependency on a given subset of inputs . The communications between them will be "de-synchronized", i.e. it will result into the composition of synchronous processes using actual communication channels, taking their asynchrony into account , while respecting the causal relationships.
.... Servoing control
Fig. 2. Graphical block diagram specification of vision-based servoing. the regulation of a task function , which is an equation c = f( s) giving the value of the control c to be applied to the actuator, in terms of the values s acquired by the sensors. Such a task can be composed of several sub-tasks, with a priority order. The implementation of such a control law is made by sampling sensor information s into a flow of values St, which are used to compute the flow of commands Ct : '
3. COMPOSITION OF INTERACTING SYSTEMS A first experiment concerns a robot active vision system for 3D recognition (Marchand, E. e.a ., 1996). The general motivation for the application of SIGN AL t o robot control comes from the form of robot control laws. At the relatively lowest level, they consist in
83
Environment
Servoing control ctrl-in'lr---------~c~md~-o~u~t~ Clrl-out"
ctrl-in
sensor-m
sensor-in l'I":""SI
Parameters
clrl-in'
cmd-out
possible behaviours
arm
cmd-out
Estimation higher-level
Fig. 3. Visual servoing and estimation in parallel.
safe interaction
conlroller
Another experiment concerns the controller of a production cell. This case study has also been treated by a number of other formal methods and languages for reactive systems (Lewerentz e.a .. 1995) . It concerns the control of several devices: two feed belts, a rotating elevating table , a press, a moveable crane, two extensible arms on a rotating base. Functionnaly, for each device we define a controller. It takes sensor information as input , and reacts to it by issuing commands to actuators , taking into account its own internal state: it describes the possible behaviours. For example, the press controller has sensor inputs (in Fig. 4: sensor-in) giving the position of its mobile part (high (closed) , low (open) , middle) , and the commands (cmd-out) which it sends out to the device are to move upwards, to move downwards, or to stop. The controller consists of rules like: stop when moving upwards and reaching the high position. Interactions between these devices are various ; for example, a collision can occur if an arm extends while its angular position is facing the press and this latter is not wide open. Another example is that an arm must wait for the press to have opened before it can load it by extending inside and dropping an object to be pressed. In order to enable the synchronization (for cooperation or competition) with other devices , its controller is provided with additional inputs and outputs (in Fig. 4: ctrl-in and ctrl-out) for the commmunication of control information. For example. when stopping in low position, emit an availability signal , and wait for a release signal before moving upwards. When grouping two or more devices, the control signals have to be used by an additional controller defining the safe behaviours of the group. which makes sure that the devices synchronize so as to manage competitions. and to coordinate their actions. For example. if an arm holds an object to be pressed . then its controller has to wait for the press to be open and ready to accept the object. while the press has to wait for the arm to have moved and dropped the object at the right location before it can close again to press the object . This kind of control might involve sensor information as well , and be dynamical, in the sense that it has an internal state. In order for this to be able to synchronize with yet another layer of control. it is itself provided with synchro-
safe behaviours for another (group of) dev.ce(s) L
_
Fig. 4. Layered specification , with possible behaviours , safe behaviours, and complete scenario. nization in- and outputs (ctrl-in' and ctrl-out' ). Fig. 4 shows how this sub-system is built , in the upper dashed box . The role of composition here is exactly that of the composition of systems of equations: the possible behaviors are all the traces of the partial specifications for each device, in particular there are no constraints on the control inputs _ The additional safe interaction controller defines the possible traces for these control signals (a priori they are less than all arbitrary possible ones, unless the controller is empty) . Hence , composing individual controllers with this safe interaction controller defines a set of behaviours which is the intersection of the possible ones with the safe ones. This pattern can be repeated hierarchically at several levels , as shown in Fig. 4 with the composition with the lower dashed box and the higher-level interaction controller. Obtaining the final global controller of the production cell , grouping all devices, is a matter of reaching a level where all interaction control aspects are handled without resorting to external control inputs . In that case . the specified behaviour is determined by its sensor input (dotted box in Fig . 4), and in that sense is a complete scenario for the production cell_ This completes a methodology for layered specification effectively using synchronous composition . As was discussed in section 2, a distributed implementation of the global controller might be decomposed differently, for example, according to sensors location, where one sensor can be used by several controllers.
4.
TASKI~G
OF DATA-FLOW PROCESSES
In the robot vision application (Marchand. E. e.a .. 1996) introduced in the previous section, a library of different tasks was built . each differently optimized
84
1
.. " E. ~1-_ _ _ _.:. I RE'=':' C_ _ _ _ _ _ _ _ _ _
LIS-rempty=hlSe . IC
LISTempty=hlse
l -_ _ "R_ _-3 : I na t
3
?,ll ndlr: t rue : 't'I ev
LISTem
lE
~ .~~~~~
l C .}-_ _":.:.R~_-3 .. I C i : Inot
3
~ll.nd~ ;= t ru e
:
'f
:
Ir l
Is1 1 __ -- -- -- --
I
,
-- l - - - - - - - t - - - 3
~.
Fig. 5. Sequencing of data flow vision tasks. for a given shape of objects (cylinders, segments, polyhedral objects , ... ). So, for the reconstruction of environments featuring a number of different objects, data flow processes have to be sequenced for each primitive object of the scene, with different phases: selection of a primitive , precise active estimation , and concurrently, coarse estimation of the other ones, as well as the creation or the update of a list of 2-D segments which contains a 2-D description of the observed scene. Each active estimation ends when all the primitive parameters have been accurately computed with a sufficient precision. Each coarse estimation ends when the corresponding segment gets out of the image or is preempted when the active estimation ends. Tasks can be used to hierarchically structure these data-flow controllers and associate them with their start and end events (i.e. activity intervals) which depend on the image data, the estimated parameters of the primitives, and the state of the list of segments. Fig. 5 illustrates the hierarchical decomposition of these tasks. An exploration phase builds a list of 2-D segments; it is active on time interval lE. In alternance with this , i.e. when not in lE, the scene reconstruction task is active on IREC . It is itself an alternance between two sub-tasks: a primitive selection task, on interval IC , and the primitive reconstruction. The selection chooses a segment in the list to be considered. If the list is empty (i.e. , LISTempty=true) , it causes the scene reconstruction ( IREC) to exit. When the list is not empty, the primitive reconstruction process for the chosen primitive on IR is itself decomposed into sub-tasks. It begins with a recognition process which estimates the nature of the considered primitive (segment or cylinder), on Inat , which ends with the boolean event Cylinder . It continues with the estimation of the parameters of its 3D structure , according to the value of Cylinder: in the case of a segment (Cylinder=false) , only its length on interval 151; in the case of a cylinder (Cylinder=true) , its radius and position of axis on Icv , and then its length on IcI. In parallel with this estimation, a coarse estimation of some primitives can be performed on intervals Iri ; if active when the current optimal estimation terminates, it will be interrupted. After each estimation of a primitive, the list of 2D segments is updated and a new selection is performed on IC . This way, the decomposition of the recognition task into a sequencing of data flow sub tasks has been specified in the same integrated language and model framework.
Fig. 6. Hierarchical preemptive control for defect confirmation in a power transformer.
mation station (Marchand, H . e.a., 1995) . The French national electrice network, operated by Electricite de France (EDF) , counts a large number of transformer stations. Such a transformer station features an automatic control system handling the response to electric defects on the lines connected to it, by means of circuit breakers. The control involves complex interactions between communicating automata, interruption and preemption behaviors , timers and timeouts , reactivity to external events, ... The controller has to distingish between several types of defects (phase PH, homopolar H, or wattmetric W) , and between transient and persistent ones . Each circuit breaker controller defines a behavior beginning with the confirmation and identification of the type of the defect , and continuing in a treatment phase. The confirmation phase consists in taking the time to let transient defects cease naturally. For each of the defect types (PH, H, or W) a delay can assess its persistent presence. They are tested in sequence, until a defect is confirmed (i.e ., present at the end of the corresponding delay). However, the sequence is interrupted as soon as the defect disappears, or one of the previously examined defect appears. This latter point involves a preemption hierarchy, as illustrated in Fig. 6 , where the behaviour can be decomposed into a hierarchy of sub-tasks interruptible by higher-level tasks. The confirmation task, active on interval LPH, is started when a defect is detected (First...Defect ), and stopped when signal Defect occurs ( true in case of confirmation (DeLConf) , false if the defect has disappeared before ), causing the interruption of all its sub-tasks . Confirmation is decomposed into: the waiting for a delay Delay..PH , at the end of which, if the PH defect is sensed, then DeLConf is emitted (causing termination) , else the sub-task for the H defect is started, on time interval LH, interruptible on the occurrence of PH . This sub-task itself decomposes quite similarly into first waiting for Delay...H to elapse, then if the H defect is sensed, emitting DeLConf...H (causing termination) , else starting the sub-task for the W defect on time interval LW, interruptible on the occurrence of H. This last sub-task consists of sensing for defect W at the end of Delayj/. This illlustrates the use of hierarchies of interruptible sub-tasks, comparable to hierarchical parallel automata as in STATE CHARTS (Harel, 1987) . They are independently of their possible separation into several system-level processes and the use of a system-level tasking mechanism .
Another application of the tasking mechanisms of SIGNAL , more illustrative of the hierarchical interruption structures, is the controller of a power transfor-
85
bution of synchronous programs (Gautier e.a. , 1994; Aubry e.a. , 1996) . As was suggested in this paper, decomposition into distributed processes and tasks may then follow a structure different from that of the functional sub-systems.
5. CONCLUSION To summarize , this paper illustrates , with the results of experiments, the characteristics and practical relevance of the synchrony hypothesis and methodology w.r.t. its support of predictability. The composition and tasking offered by SIGNAL provide for structuring of specifications without introducing unpredictability. This also has an influence on tool support in that models give a formal and more compact basis for automated transformation and analysis (e.g. detecting non-determinism in specifications). Advantages for the users feature a high degree of automation in the design; it eases scaling up to large-sized and complex systems, reuse of existing components, and provides for safety of proven algorithms and productivity. A comparison can be drawn with the design of integrated circuit , which does not go without using CAD tools and environment. The integration of the tools in the programming environments around a unified model involves less manual linkings or translations, which are error-prone, and unanalysable formally. Analysis and optimization are performed globally, which gives a priori better results than local techniques, and is more than what manual ones usually can handle. Other functionalities offered by the SIGNAL approach, not described here, are related to the verification of properties of dynamical behaviours (Chap. VII in Lewerentz e.a ., 1995), the link to hardware/software co-design, or hybrid systems.
ACKNOWLEDGEMENT Acknowledgement is due to participants in the various experiments mentioned here: Pascalin Amagbegnon, Fran<;ois Chaumette, Eric Marchand, Herve Marchand, Mazen Samaan (part of this work was supported by ELECTRICITE DE FRANCE) .
REFERENCES Aubry, P. , Le Guernic , P., and Machard, S. (1996) Synchronous distribution of SIGNAL programs. Proc. 29'h Hawaii Int. Conf. on System Sciences, Jan. 1996, Vo!. 1, pp. 656-665 , IEEE. Baker, T.P., and Pazy, O. (1991). Real time features for ADA9x. Proc. IEEE Real Time Systems Symp ., Dec . 1991 , pp . 172-180, IEEE. Gautier, T ., Le Guernic , P., Maffei's, O . (1994). For a New Real-Time Methodology. INRIA Research Report no. 2364 (FTP: ftp.inria.fr , INRIA/publication/RR/RR-2522.ps.gz) . Halbwach, N. (1993) Synchronous programming of reactive systems. Kluwer. Harel, D. (1987) STATECHARTS: a visual formalism for complex systems. Science of Computer programming, 8(3) , pp . 231-274.
The synchronous approach is focused on improving the management of the control part of applications. Therefore a limitation is that it has no general support for data manipulation like e.g. numerical computation, or graphical functions. However, it is possible to make links from a SIGNAL program to libraries written in C and/or FORTRAN, by using the notion of external function calls. Explicitly asynchronous communication is not supported either. This is an important difference with related work in more traditional approaches represented by e.g. CSP-like languages (Hoare, 1985) like OCCAM , AnA (Baker e.a., 1991) or models like communicating automata or Petri nets. These models are closer to realistic (actual) mechanisms for communication and tasking (although synchrony is the natural parallelism framework in digital circuits for example , where a global clock gives the cadence of computations) . Their parallel and tasking constructs are powerful structuring tools. But they bring in non-determinism, and therefore, models of behaviours are more complex, and predictability is not guaranteed anymore, also because of the dependency on external system configuration, not in the same model, hence not analysable.
Hoare, C.A.R. (1985). Communicating Sequential Processes, Prentice-Hall Int . Le Guernic, P., Le Borgne , M ., Gautier, T . and Le Maire, C. (1989) Programming real time application with SIGNAL. Proc. of the IEEE, 79(9) , pp. 1321-1336. Lewerentz , C . and T . Lindner (eds.) (1995). Formal Development of Reactive Systems - Case Study Production Cell, LNCS no. 891 , Springer. (Chap. VII describes the SIGNAL contribution). Marchand, E ., Rutten, E. and Chaumette, F . (1996) Applying the synchronous approach to real time active visual reconstruction. IEEE Trans. on Control Systems Technology, (to appear). Marchand, H ., Rutten, E. and Samaan, M. (1995). Synchronous design of a transformer station controller with SIGNAL. Proc. 4th IEEE Conf. on Control Applications, CCA '95, Albany, New York, Sept. 28-29, 1995, pp. 754-75. Rutten, E. and Le Guernic , P . (1995). Sequencing and preempting data flow tasks. Proc. 2d h IFACj IFIP Workshop on Real Time Programming, Ft Lauderdale, Florida, Nov. 6-10, 1995, Elsevier. Massively parallel computing Sorel, Y. (1994). systems with real-time constraints: the "algorithm-architecture adequation" methodology. Proc. Massively Parallel Computing Systems Conf., Ischia, Italy, 1994 .
Our experiments , especially the aspects we focused on in this paper, show concrete examples where using such mechanisms for implementation-independent structuring would have introduced unpredictability unnecessarily. This is a practical argument for the use of synchronous composition. This does of course not exclude implementing a synchronous specification on an asynchronous platform: there exist approaches for the tool-supported "de-synchronization" and distri-
86