Application-specific Architecture Selection for Embedded Systems via Schedulability Analysis

Han Liu†, Hehua Zhang*, Yu Jiang‡, Xiaoyu Song‡, Ming Gu* and Jiaguang Sun*
*School of Software Tsinghua University, TNLIST, KLISS, Beijing, China
†Department of Computer Science and Technology, Tsinghua University, TNLIST, KLISS, Beijing, China
‡Department of ECE, Portland State University, Oregon, USA

Abstract—Architecting real-time embedded systems is of the top significance during the design phase, especially in complex applications. Due to limited time and resource, to guarantee scheduling eminence without violating application-specific constraints is a challenging problem in architecture level. In this paper, we firstly present an enhanced transformation from AADL models to Cheddar input for schedulability analysis. With subprogram and delayed connection, this transformation is feasible for complex system designs. Based on schedulability analysis, we further propose a novel architecture selection engine, which evaluates scheduling performance through selection standards and application-specific constraints via satisfaction functions. With the proposed selection engine, information from both schedulability and real-time constraints are captured to pick up an optimal architecture. We apply the proposed approach on the architecture selection of an industrial control system in railway applications. Four candidate AADL architectures are transformed and analyzed for schedulability. Then in the selection engine, candidates are ranked within two application constraints. Compared to the selection of general criteria and traditional AHP, our engine excels at better schedulability and satisfaction on real-time application-specific constraints. Moreover, with adjustment on constraints, our engine shows delicate sensitivity by generating a modified selection. We believe the proposed approach can facilitate architecture design of real-time embedded systems.

Keywords—AADL; Schedulability; Architecture Selection Engine

I. INTRODUCTION

With the widespread application of real-time embedded systems (RTES), architecture modeling is gaining more attention. Its increasing popularity results from two aspects. Firstly, most system failures are ascribed to inappropriate architecture designs. For RTES where timing and resource are strictly constrained, a bad architecture may lead to a weak implementation which is incapable of satisfying constraints. Secondly, preference for architecture modeling comes from the need to uncover design defects at early stage. Based on an architecture model, schedulability analysis can check timing properties of RTES. As a result, it is easier to fix poor designs at an architecture level to reduce development costs.

However, architecture design is absorbing more complex features as remote calls and synchronous computation. Since these features can hardly be loaded for analysis, detecting design defects is a challenging problem. In addition, a schedulable architecture is not necessarily the optimal for two reasons. Firstly, applications may have various priorities over scheduling parameters. Moreover, application-specific constraints are difficult to capture and analyze in practice, which poses another challenge in architecture design of RTES.

To address these problems, we present a novel approach for architecture selection in RTES with specification in Architecture Analysis and Description Language(AADL) [1]. Main contributions of this paper are: (1) An augmented schedulability analysis method for RTES, where AADL architecture specification is transformed into input of a popular schedulability analyzer Cheddar [2]. Compared to other transformation strategies, our method includes advanced constructs as subprogram and delayed connection. Consequently, complex architecture with various timing of communication can be analyzed for schedulability. (2) A novel architecture selection engine, integrating scheduling information with application-specific constraints. Candidate architectures are evaluated over response time, processor utilization, context switches and flow latency, which are strongly related to timing performance of the system. In addition, we defined a layer of application-specific constraints in the engine to detect and reflect constraint violations in architecture selection, which makes our engine a better alternate for RTES.

II. RELATED WORK

Limited time and computation resource, as the intrinsic nature of embedded systems, mirrors the value of schedulability analysis. In [3], Liu’s theory states that processor utilization can be used as a sufficient condition for schedulability. To analyze schedulability of AADL models, transformation-based approaches are proposed. Timed automata and Uppaal are used in [4] to analyze schedulability through verification. Based on Liu’s theory, Cheddar [2] is implemented to address this problem in a delicate manner with detailed scheduling information.

From another perspective, architecture selection is already a prevailing topic. It is accepted that the selection is a tradeoff between most vital architectural angles. Due to the simplicity, multi-criteria decision making (MCDM) methods like Analytical Hierarchy Process(AHP) [5] are widely adopted to balance this tradeoff. The related works may be categorized in two groups: (1) selection in embedded systems. [6] presents a combined method with Architecture Tradeoff Analysis(ATAM) and AHP to make decisions on choosing SW/HW integration. Attributes as safety, reliability, modifiability and serviceability are taken into consideration. In [7], AHP and other MCDM methods are used to analyze performance of the partition design on embedded systems. Although this approach shares some common attributes with ours, including processor utilization, latency and response time, it does not handle the domain

III. ARCHITECTURE SELECTION ENGINE

We propose an architecture selection engine with a combination of schedulability analysis and application-specific constraints. The selection process is displayed in Figure 1.

As presented in Figure 1, candidate architectures are transformed for schedulability analysis using the proposed rules. Scheduling results are collected by the analyzer and delivered into the proposed selection engine. Based on the proposed criteria, our engine evaluates candidates and checks performance through a proposed satisfaction function over application constraints. As output of our engine, an optimal architecture is selected.

A. Architecture transformation

The current Cheddar is incapable of handling AADL models with subprogram and delayed connection. We provide an enhanced transformation from AADL to Cheddar to cover non-support components.

An AADL model $M$ is a tuple $(Pro, Th, Sp, D, Int)$ where $Pro$ is a set of processors. $Th$ denotes thread set. A thread is a tuple $(dp, e, d, p, call)$, where $dp \in \{period, aperiod, sporadic, background\}$ represents the dispatching protocol. $e$ is the execution time. $d$ and $p$ are the deadline and period of the thread. $call$ is a set of subprogram calls in a thread. $Sp$ is subprograms. $D$ is the data defined in the model. $Int$ denotes interactions in port connections($PC$), delayed port connections($DPC$), access connections($AC$) and subprogram calls($SC$).

Input of Cheddar is a tuple $(Pr, Ad, Task, R, I)$, where $Pr$ is a set of processors with mapped address space $Ad$. A Task is a tuple $(type, cap, dl, p)$.

type $\in \{period, aperiod, sporadic, customized\}$ defines the mechanism to activate a task. $cap$ denotes the execution time of the task. $dl$ and $p$ represent deadline and period. $R$ refers to resource in the model. In this paper, we only consider data resource. $I$ denotes connections between tasks.

Based on the configuration above, we present transformation rules formally, from an AADL model $M_A$ to a Cheddar input model $M_C$ as in Table I. In the first rule, an AADL processor is transformed to a Cheddar processor with a mapping address space. Scheduler of the Cheddar processor is set according to the $Scheduling\_Protocol$ property of AADL processor. Data components in AADL is mapped to resource of Cheddar. Begin and end time of the resource access is set at the dispatching and execution completion point of the corresponding AADL thread which owns the data. Thread and subprogram components, which are execution units in AADL, are converted to task in Cheddar. The capacity of a task is the sum of execution time of a thread and all its owning subprograms. For another advanced construct delayed port connection in AADL, it is cut into two adjacent connections. The cutting point is transformed as a task which executes between the execution and period end of its predecessor. In respect of other kind of interactions in AADL, the last rule is used to transform them into connections in Cheddar.

B. Selection Engine

Input of our engine is a tuple $(WCRT, PU, CS, FL)$, which is also the output of Cheddar. $WCRT$ is average worst-case response time for all the tasks. $PU$ denotes the processor utilization. $CS$ represents the number of context switches and $FL$ is the end-to-end flow latency.

Presented in Figure 2, the proposed selection engine is an extension of traditional AHP, which has 4 layers including Goal, Standard, Constraint and Solution. To accomplish the Goal, multiple objectives are defined in the Standard layer as $\{ST_{WCRT}, ST_{PU}, ST_{CS}, ST_{FL}\}$, referring to scheduling results. Candidates are listed in Solution layer. Traditional AHP uses an integer between 1 and 9 represent the comparative advantage. Although the method is convenient, it is incapable to fully capture the impact of application constraint violation. Thus, we propose the Constraint layer, which is a collection of constraints. Each constraint is a triple $(C, S, \Phi_{ij})$. $C$ denotes...
the content. $S$ is the attached standard. $\Phi_{ij}$ is the satisfaction function with a Solution $i$ and a Standard $j$. $\phi_{ij}$ is defined as in (1).

$$\Phi_{ij} = \begin{cases} 
1, & \text{i satisfies the constraint} \\
1, & \text{c \in [0, 1), j has no constraints} \\
0, & \text{j violates the constraint} 
\end{cases} \quad (1)$$

As in (1), the satisfaction function has a range from 0 to 1. The closer it is to 1, the lighter the hazard is in constraint violation. The major strength of the Constraint layer is the capability to reflect violations directly in the selection.

In selection, pairwise comparisons are used to compare two objects. For $n$ objects, a pairwise comparison $P = (a_{ij})_{n \times n}$ satisfies that $a_{ii} = 1$, $i < n$ and $a_{ij} = \frac{1}{a_{ji}}$, $i < n, j < n$. $a_{ij}$ is set in “1-9” scale as in [5]. In addition, comparisons of Solutions are built over each Standard. Overall five comparisons are constructed. According to [5], normalized maximal eigenvector of a pairwise comparison is defined as the weighted vector. Object with a larger weight has greater impact on architecture selection. Assuming the weighted vector of Standards is $W_{standard} = [w_{ST1}, w_{ST2}, w_{ST3}, w_{ST4}]$. For Solution with $m$ candidates, there are four $m \times m$ pairwise comparisons. The weighted vector of $i_{th}(i \leq m)$ matrix is $W_{solution}^{i} = [w_{SO1}^{i}, w_{SO2}^{i}, \ldots, w_{SOm}^{i}]$. Four weighted vectors of Solution are assembled into a weighted matrix as following. $R = \{(W_{solution}^{i})^{T} | i = 1, 2, 3, 4\}$

The total weighted vector $V$ of our selection engine is defined as follows, representing scores of all the candidate architectures considering scheduling performance and application-specific constraints.

$$W = [w_1, w_2, \ldots, w_m], \quad w_i = \sum_{j=1}^{4} w_{stj} \phi_{ij}, \quad i = 1, 2, \ldots, m$$

IV. CASE STUDY

The proposed approach is applied on a real industrial system, the Braking Electronically Control System (BECU). Based on railway applications, two constraints are:

1) Latency of braking flow must not exceed 1450 $\mu$s.

2) $WCRT$ of the sending thread in BECU must not exceed 150 $\mu$s.

As in Figure 3, four candidate architectures are modeled in graphical AADL [1]. A and B have centralized calculation threads with calls to subprograms and delayed connections, while C and D spread functions to distributed threads. Scheduling properties of candidates are listed in Table II. Through transformation, schedulability analysis is shown in Table II.
Targeting at high-speed railway and subway applications, 
*Standard* pairwise comparisons are shown in Table III. WCRT and FL are more valued in railway while PU and CS are prioritized in subway. The selection is in Figure 4.

![Fig. 4: Selection in high-speed railway & subway applications](image1)

In Figure 4, the y-axis denotes the weight calculated by our engine. The results display the impact of application-specific requirements on architecture selection. Specifically, C is selected as the best architecture for high-speed railway applications due to its short flow latency, while B with less context switches is selected out for subway applications.

We also compare the proposed engine with two selection approaches: a) general criteria selection [11], including modifiability, scalability, development effort and portability and b) traditional AHP with scheduling information in subway application domain. The comparison is exhibited in Figure 5.

![Fig. 5: Selection comparison to general criteria and AHP](image2)

Under general criteria, candidate A is selected out. However, the selection suffers from poor schedulability with longer WCRT and flow latency than selection in high-speed railway applications. As an alternate, traditional AHP presents a similar result as the proposed engine. Nevertheless, without insights into application constraints, A is considered better than C in traditional AHP with the fact that A fails to meet constraints of subway domain.

<table>
<thead>
<tr>
<th>Candidate</th>
<th>Tight constraints</th>
<th>Loose constraints</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td>Weight</td>
<td>Rank</td>
</tr>
<tr>
<td>A</td>
<td>0.2754</td>
<td>3</td>
</tr>
<tr>
<td>B</td>
<td>0.2942</td>
<td>1</td>
</tr>
<tr>
<td>C</td>
<td>0.2762</td>
<td>2</td>
</tr>
<tr>
<td>D</td>
<td>0.1206</td>
<td>4</td>
</tr>
</tbody>
</table>

For subway applications, we loose the WCRT constraint from 150µs to 180µs. The comparison results are shown in Table IV. Comparatively, the relative merit between A and C reverses. To sum up, adjustment on application-specific constraints can be reflected through the proposed selection engine in a delicate manner.

**V. Conclusion**

In this paper, we propose an enhanced transformation strategy on AADL models for schedulability analysis and a scheduling-based architecture selection engine for embedded systems. With the transformation strategy, complex AADL models including subprograms and delayed connections can be involved in schedulability analysis. With the proposed engine, both scheduling information and application-specific constraints are captured for selection. Our approach is applied on a real complex industrial system, BECU. Candidate architectures in AADL are analyzed for schedulability. The proposed selection engine then calculates a selection. In comparison with general criteria and traditional AHP, our engine excels at guaranteeing schedulability and meeting application-specific constraints. Furthermore, our engine shows delicate sensitivity to modification on constraints. In the future, we plan to apply this approach on more large-scale systems.

**Acknowledgment**

This research is sponsored in part by NSFC Program (No. 61202010, 91218302), National Key Technologies R&D Program (No.SQ2012BAJY4052), 973 Program (No.2010CB 328003) of China and Tsinghua University Initiative Scientific Research Program(20131089331).

**References**