Handbook of Real-Time Computing [1st ed. 2022] 9812872507, 9789812872500

The aim of this handbook is to summarize the recent rapidly developed real-time computing technologies, from theories to

English Pages 1539 [1511] Year 2022

Table of contents :
Preface
Contents
About the Editors
Section Editors
Contributors
Part I Principles and Theories of Real-Time Computing
1 Timing and Timing Control
Contents
1 Introduction
2 The History of Time
3 Time Measurement
3.1 Time Standards
3.2 Accuracy and Precision
3.3 Global Time
3.4 Quality of Time Measurement
3.5 Sparse Time
4 Clock Synchronization
4.1 Synchronization Condition
4.2 Central-Master Clock Synchronization
4.3 Fault-Tolerant Clock Synchronization
4.4 Fault-Tolerant-Average (FTA) Algorithm
4.5 External Clock Synchronization
5 Benefits of a Global Time in the Design of a Hard Real-Time System
5.1 Periodic Behavior
5.2 Temporal Predictability
5.3 Context Alignment
5.4 Error Detection
5.5 Fault-Tolerant Architectures
6 Conclusion
References
2 Modeling of Real-Time Software Systems
Contents
1 Introduction
1.1 On Models, Modeling, and Modeling Languages
1.2 Modeling Real-Time Software
1.3 Real-Time Analysis Languages
1.3.1 Performance Analysis Languages
1.3.2 Timing and Schedulability Analysis Methods
2 Categorizing Real-Time Modeling Languages
2.1 General Modeling Language Characteristics
2.1.1 Target Domain
2.1.2 Domain Coverage
2.1.3 Development Cycle Coverage
2.1.4 Purpose of Models
2.1.5 Multiple Levels of Abstraction
2.1.6 Primary Syntactical Form
2.1.7 Primary Language Paradigm
2.1.8 Precision Level
2.1.9 User-Defined Extensibility
2.1.10 Tool Support
2.1.11 Language Resources
2.2 Language Characteristics Specific to Real-Time Languages
2.2.1 Primary Model of Computation
2.2.2 Representation of Time
2.2.3 Modeling Qualities of Service (QoS)
2.2.4 Platform Modeling
2.2.5 Modeling Deployment
3 A Review of Notable Real-Time Modeling Languages
3.1 Historical RT Modeling Languages
3.1.1 Hatley-Pirbhai
3.1.2 Mascot 3
3.1.3 STATEMATE
3.1.4 SDL-92
3.1.5 Shlaer-Mellor (OOA)
3.1.6 HRT-HOOD
3.1.7 Real-Time Object-Oriented Modeling (ROOM)
3.2 Recent RT Modeling Languages
3.2.1 AADL
3.2.2 UML-Based RT Modeling Languages
3.2.3 UML-RT
3.2.4 Executable UML
3.2.5 UML-SDL (UML Profile Z.109)
3.2.6 UML/MARTE
3.2.7 SysML
3.3 Other Real-Time Modeling Languages (RTMLs)
3.3.1 Simulink and Stateflow
3.3.2 East-ADL
4 State of the Practice and Future Trends
References
3 Uncertainty Theories for Real-Time Systems
Contents
1 Introduction
2 Background and Fundamentals of Uncertainty Handling
2.1 Uncertainty Concepts and Taxonomies
2.1.1 Epistemic and Aleatory Uncertainty
2.1.2 Dimensions of Uncertainty
2.1.3 Subjective Uncertainty Perspective
2.1.4 Uncertainty from the Perspective of a Software System in Operation
2.2 Mathematical Theories for Handling Uncertainty
2.2.1 Probability Theory
2.2.2 Fuzzy Sets, Fuzzy Logic, and Possibility Theory
3 A Reference Model of Uncertainty Concerns for Real-Time Computing
3.1 Scope and Aims of the Reference Model
3.2 The Reference Model
3.2.1 Uncertainty Regarding the Execution Platform
3.2.2 Uncertainty Regarding the Communication Infrastructure
3.2.3 Uncertainty Regarding Data Processing
3.2.4 Uncertainty Regarding Coordination
4 Overview of Uncertainty Handling Approaches for Real-Time Systems
4.1 Handling Uncertainty in the Execution Platform
4.2 Handling Uncertainty in Communication
4.3 Handling Uncertainty in Data Processing
4.4 Handling Uncertainty Regarding Coordination of Different Systems
5 Engineering Considerations
5.1 Requirements Elicitation and Analysis
5.2 System and Context Modeling
5.3 Automated Verification and Analysis Techniques
6 Conclusion
References
4 Interface Design for Embedded and Real-Time Systems
Contents
1 Introduction
1.1 Overview
2 Embedded and Real-Time Systems
2.1 Overview
2.2 Interface and System Variations and Assessments
2.3 Challenges in Interface Design for Embedded Real-Time Systems
3 UX Design Processes and Methods
3.1 Overview
3.2 Criteria-Based Decision Making
3.3 Initiation and Planning
3.4 User Research and Requirements
3.5 Iterative Design and Test
3.6 Release and Post-release
3.7 Closing Thoughts
4 User Interfaces: Humans to Machines
4.1 Overview
4.2 Selection Criteria
4.3 Direct Controls or Outputs
4.4 Graphical User Interfaces (GUIs)
4.4.1 Embedded GUIs
4.4.2 External GUIs
4.5 Voice User Interfaces (VUIs)
4.6 Wearable Interfaces
4.7 Other Interaction Approaches
4.8 Closing Thoughts
5 Messaging Interfaces: Machines to Machines
5.1 Overview
5.2 Messaging, Queueing, and Serialization
5.3 Communications Protocols
5.3.1 Low Level Communications
5.3.2 IP Communications
5.3.3 M2M Wired and Wireless Protocols
5.3.4 IoT Application Protocols
5.4 Selection Criteria for Protocols
5.5 APIs and Microservices
5.6 Closing Thoughts
6 Conclusion
6.1 Closely Related Topics
6.1.1 Project Management
6.1.2 Device Production
6.1.3 Security Concerns
6.2 In Closing
References
Part II Real-Time Scheduling
5 Semi-partitioned Multiprocessor Scheduling
Contents
1 Introduction
2 System Model and Concepts
3 Implicit-Deadline Periodic Tasks
4 Implicit-Deadline Sporadic Tasks
5 Arbitrary-Deadline Sporadic Tasks
6 Comparison
7 Implementation Aspects
8 Conclusions
References
6 Practical Considerations in Optimal Multiprocessor Scheduling
Contents
1 The Scheduling Problem
1.1 Terminology and Background
1.2 Fixed-Rate Servers
2 Optimality in Multiprocessor Scheduling
3 Approaches to Scheduling Optimality
3.1 Deadline Sharing
3.2 Fairness in Execution Progress
3.3 Task Aggregation as a Means of Fairness Relaxation
3.4 Nonfair Execution Progress Is Possible
3.5 Nonfair Execution Progress Via Duality
3.6 Nonfair Execution Progress Via Relaxing Partitioning
4 Hierarchical Nonfairness Based Approaches
4.1 The RUN Algorithm
4.1.1 Off-line Phase
4.1.2 On-line Phase
4.2 The QPS Algorithm
4.2.1 Off-line Phase
4.2.2 On-line Phase
4.3 Dealing with Sporadic Tasks
4.3.1 Sporadic Tasks in RUN
4.3.2 Sporadic Tasks in QPS
5 Final Comments
References
7 Soft Real-Time Scheduling
Contents
1 Introduction
2 Basic Definitions
3 Meeting Some Deadlines
4 Bounded Tardiness/Lateness
4.1 Review of EDF Scheduling
4.2 Work on Bounded Lateness and Bounded Tardiness Without Overload
5 Overload Management Using Value Functions
5.1 Locke's Best-Effort Heuristic
5.2 Providing a Guarantee on Achieved Value: D*
5.3 Providing the Optimal Guarantee: Dover
5.4 Providing Guarantees on Multiprocessors: MOCA
5.5 Rate-Based Earliest Deadline Scheduling
5.6 Schedulers Accounting for Dependencies
6 Overload Management by Changing Minimum Separation Times
7 Overload Management in Mixed-Criticality Scheduling
7.1 Techniques to Reduce Dropped Low-Criticality Jobs
7.2 Scaling Separation Times of Low-Criticality Jobs Instead of Dropping Jobs
7.2.1 Overload and MC2
8 Summary
References
8 Hierarchical Scheduling
Contents
1 Introduction
2 Uniprocessor Hierarchical Scheduling Systems
3 Compositional Framework for HSS
3.1 Demand Bound Functions for EDF and RM
3.2 Interface and Resource Supply Task in Compositional Framework
3.3 Compositional Framework Based on Bounded Delay Resource Model
3.3.1 Static Resource Partition Model
3.3.2 Bounded Delay Resource Model
3.3.3 Hierarchical Partition Scheduling
3.4 Compositional Framework Based on Periodic Resource Model
3.4.1 Periodic Resource Model
3.4.2 Schedulability Conditions for PRM
3.4.3 PRM Interface Generation: Periodic Capacity Bounds of PRM
3.4.4 Workload Utilization Bounds of PRM Under EDF and RM
3.5 Compositional Framework Based on Explicit Deadline Periodic Resource Model
3.5.1 Schedulability Conditions for EDP
3.5.2 Optimality Properties in EDP
3.5.3 EDP Interface Generation
3.5.4 Exact Transformation of Interfaces in EDP
4 Real-Time Calculus for HSS
4.1 Workload and Service Model
4.2 Schedulability Analysis
4.3 Compositional Analysis for Hierarchical Scheduling Systems
5 Comparison of Compositional and RTC Frameworks
6 Summary
References
9 Mixed-Criticality Uniprocessor Scheduling
Contents
1 Introduction and Motivation
2 Model and Definitions
3 The Uniprocessor Scheduling of Collections of MC Jobs
4 The Uniprocessor Scheduling of Collections of MC Tasks
4.1 Fixed Priority Scheduling
4.2 Dynamic Priority Scheduling
5 Further Information
References
10 Probabilistic Analysis
Contents
1 Introduction
1.1 Probabilistic Terminology and Notation
1.2 Probabilistic Task Model
1.3 Probabilistic Real-Time Constraints
2 Schedulability Analysis for Probabilistic Real-Time Tasks
2.1 Probabilistic Response Time Analysis
2.2 Detailed Example
3 Optimal Priority Assignment
3.1 Priority Assignment Example
3.2 Optimal Priority Assignment Using Audsley's Algorithm
4 Complexity of Probabilistic Schedulability Analyses
5 Review of Prior Work
6 Conclusions and Open Problems
Appendix: Task Set Generation
References
11 Multiprocessor Real-Time Locking Protocols
Contents
1 Introduction
2 The Multiprocessor Real-Time Locking Problem
2.1 Common Assumptions
2.2 Key Design Choices
2.2.1 Request Order
2.2.2 Spinning vs. Suspending
2.2.3 Progress Mechanism
2.2.4 Support for Fine-Grained Nesting
2.2.5 In-Place vs. Centralized Critical Sections
2.3 Analysis and Optimization Problems
2.4 Historical Perspective
3 Progress Mechanisms
3.1 Priority Inversion on Uniprocessors
3.2 Priority Inversion on Multiprocessors
3.3 Non-preemptive Sections
3.4 Priority Inheritance
3.5 Allocation Inheritance
3.6 Priority Boosting
3.7 Restricted Priority Boosting
3.8 Priority Raising
4 Spin-Lock Protocols
4.1 Spin-Lock Protocols for Partitioned Scheduling
4.1.1 Non-FIFO Spin Locks
4.1.2 Preemptable Spinning
4.1.3 Spin-Lock Protocols Based on Priority Boosting
4.1.4 Non-preemptive Critical Sections with Allocation Inheritance
4.2 Spin-Lock Protocols for Global Scheduling
5 Semaphore Protocols for Mutual Exclusion
5.1 Suspension-Oblivious Analysis of Semaphore Protocols
5.1.1 Suspension-Oblivious Analysis and Blocking Optimality
5.1.2 Global Scheduling
5.1.3 Partitioned Scheduling
5.1.4 Clustered Scheduling
5.2 Suspension-Aware Analysis of Semaphore Protocols
5.2.1 Suspension-Aware Schedulability Analysis and Blocking Optimality
5.2.2 Global Scheduling
5.2.3 Partitioned Scheduling
5.2.4 Semi-partitioned Scheduling
5.2.5 Clustered Scheduling
6 Centralized Execution of Critical Sections
6.1 Advantages and Disadvantages
6.2 Centralized Protocols
6.3 Blocking Optimality
7 Independence Preservation: Avoiding the Blocking of Higher-Priority Tasks
7.1 Use Cases
7.2 Fully Preemptive Locking Protocols for Partitioned and Clustered Scheduling
8 Protocols for Relaxed Exclusion Constraints
8.1 Phase-Fair Reader-Writer Locks
8.2 Multiprocessor Real-Time k-Exclusion Protocols
9 Nested Critical Sections
9.1 Coarse-Grained Nesting with Group Locks
9.2 Early Protocol Support for Nested Critical Sections
9.3 Recent Advances in Fine-Grained Multiprocessor Real-Time Locking
10 Implementation Aspects
10.1 Spin-Lock Algorithms
10.2 Avoiding System Calls
10.3 Implementations of Allocation Inheritance
10.4 RTOS and Programming Language Integration
11 Conclusion, Further Directions, and Open Issues
11.1 Further Research Directions
11.2 Open Problems
References
12 Parallel Real-Time Scheduling
Contents
1 Introduction
2 Models of Parallel Real-Time Tasks
2.1 Parallel Job Model
2.2 Parallel Real-Time System Model
3 Decomposition-Based Scheduling of Parallel Tasks
3.1 Theoretical Results for Parallel Synchronous Tasks
3.2 Theoretical Results for Parallel DAG Tasks
3.3 Implementations and Practical Considerations
4 Global Scheduling of Parallel Tasks
4.1 Theoretical Bounds
4.2 Schedulability Test and Response Time Analysis
4.3 Implementations and Practical Considerations
5 Federated-Based Scheduling of Parallel Tasks
5.1 Theoretical Results
5.2 Implementations and Practical Considerations
6 Mixed-Criticality Scheduling of Parallel Tasks
7 Summary
References
13 Real-Time Task Models
Contents
1 Introduction
2 Periodic/Sporadic Real-Time Task Models
2.1 Basic Periodic/Sporadic Task Models
2.2 Extensions with Jitter and Burst
2.3 Offset-Based Task Models
3 Graph-Based Real-Time Task Models
3.1 Multiframe Task Models
3.2 Recurring Branching Task Models
3.3 Digraph Real-Time Task Models
3.4 Task Automata
4 Parallel Real-Time Task Models
4.1 Gang Task Model
4.2 Parallel Synchronous Task Models
4.3 DAG Task Model
4.4 Parallel Conditional Task Models
4.5 Data-Flow Task Model
5 Real-Time Calculus
6 Conclusion
References
14 Complexity of Uniprocessor Scheduling Analysis
Contents
1 Introduction
2 Sporadic and Periodic Tasks
2.1 Sporadic and Synchronous Periodic Tasks
2.1.1 Upper Bounds
2.1.2 Lower Bounds
2.1.3 Other Results
2.2 Asynchronous Periodic Tasks
3 Task Models with Complex Job-Release Patterns
3.1 EDF-Schedulability
3.2 FP-Schedulability
4 Conclusions
References
Part III Real-Time Systems
15 Real-Time Cyber-physical Systems: State-of-the-Art and Future Trends
Contents
1 Introduction
2 Real-Time Systems
3 Real-Time Cyber-Physical Systems
4 Requirements and Components of Real-Time CPSs
5 Related Topics to Real-Time CPSs
6 Applications of Real-Time CPSs
6.1 Intelligent Manufacturing
6.2 Vehicular Systems and Intelligent Transportation
6.3 Medical and Healthcare Systems
6.4 Smart Grid
6.5 Smart Buildings
6.6 Data Centers
7 Challenges of Real-Time CPSs
8 Conclusions
References
16 Real-Time Data Analytics in Internet of Things Systems
Contents
1 Introduction to Real-Time Data Analytics in IoT Systems
1.1 Fundamentals of IoT Systems
1.2 Data Analytics in IoT Systems
1.2.1 IoT Data Characteristics
1.2.2 Taxonomy of IoT Data Analytics
2 Architectures for Real-Time Data Analytics in IoT Systems
2.1 Cloud-Based IoT System Architecture
2.2 Edge-Cloud Collaborative IoT System Architecture
3 Applications of Real-Time Data Analytics in IoT Systems
3.1 Smart City
3.2 Smart Healthcare
3.3 Smart Grid
3.4 Social Network
3.5 Environmental Monitoring
3.6 Industrial IoT
4 Challenges and Future Research Directions
4.1 Optimized Collaboration Between Edge and Cloud Computing
4.2 Autonomous Collaborations Among IoT End Devices
4.3 Cost-Efficient Event Management
4.4 Real-Time Security and Privacy Protection
5 Conclusion
References
17 Authentication and Integrity Protection for Real-Time Cyber-Physical Systems
Contents
1 Introduction
2 Security Threats
3 Authentication and Key Distribution in AMI
4 Secure Data Aggregation with Integrity Preservation
4.1 Setup Phase
4.2 Data Aggregation Phase
4.3 Trapdoor Collision Phase
4.4 Hash Verification Phase
4.5 Key Blinding Phase
4.6 Performance Evaluation
4.6.1 Computational Time and CPU Cycles
4.6.2 Communication Latency
4.6.3 Communication Overhead
4.7 Security Discussions
4.7.1 Data Integrity
4.7.2 Data Authenticity
4.7.3 Security of Polynomial Exchange
5 Key Management
5.1 Classification of Key Management Schemes
5.2 Symmetric-Based Key Management
5.3 Asymmetric-Based Key Management
5.3.1 Identity-Based Without Pairing
5.3.2 Identity-Based Schemes Using Pairing
5.4 Hybrid-Based Key Management
6 Conclusions and Outlook
References
18 Real-Time Simulation Support for Real-Time Systems
Contents
1 Introduction
2 What Is Simulation and Real-Time Simulation
3 Evolution of Real-Time Simulation
4 Real-Time Simulation Support for Real-Time Systems
5 Challenges and Best Practices in Industry
6 Conclusion
References
19 Real-Time Control Systems with Applications in Mechatronics
Contents
1 Introduction
1.1 Definitions and Characteristics of Real-Time Systems
1.2 Real-Time Operating Systems (RTOS)
1.3 Digital Control Systems: Controller Design and Discretization
2 Steer-by-Wire System with SMC
2.1 Introduction of SBW
2.2 Controller Design
2.3 Simulation Results
2.3.1 Sinusoidal Motion Tracking (Test A)
2.3.2 Trapezoid Motion Tracking (Test B)
2.4 Summary
3 Electronic Throttle (ET) System with NTSMC
3.1 Introduction of ET System
3.2 Controller Design
3.3 Simulation Results
3.4 Summary
4 Permanent Magnet Linear Motor (PMLM) with FNTSMC
4.1 Introduction of PMLM System
4.2 Controller Design
4.3 Simulation Results
4.4 Summary
5 Conclusion
References
20 PANTHEON: SCADA for Precision Agriculture
Contents
1 Precision Agriculture at Large
2 Precision Agriculture for Hazelnut Orchards: A Case Study
3 PANTHEON: A SCADA System for Agriculture
3.1 A SCADA for Hazelnut Management
3.1.1 Hazelnut Remote Sensing
4 Experimental Setup
5 SCADA Hardware Components
5.1 Wireless Network Backbone
5.2 Ground Robotic Platforms
5.2.1 Common Sensorial Equipment for Localization, Safety, and Navigation System
5.2.2 Ground Robot R-A Farming Sensorial Equipment
5.2.3 Ground Robot R-B Farming Sensorial Equipment
5.3 Aerial Robotic Platforms
5.3.1 Sensorial Equipment
5.4 IoT Agrometeorologic Monitoring Network
6 SCADA Software Architecture
6.1 Software Architecture
6.1.1 Data Collection and Preprocessing Layer
6.1.2 Data Transfer Layer
6.1.3 Data Storage and Processing Layer
6.2 Features of the Software Application
7 Conclusions
References
21 Smart Grid and Demand Side Management
Contents
1 Introduction
2 System Model
2.1 The Cost Function for the Power Provider
2.2 The Utility Functions for Power Consumers
3 One-Provider and One-Consumer Case
3.1 Problem Formulation
3.2 Lagrange Duality
3.3 Distributed Solution
4 One-Provider and Multi-Consumer Case
4.1 Without Interaction Among Consumers
4.2 With Interaction Among Consumers
4.2.1 Game Theory
4.2.2 Game Among Consumers
4.2.3 Distributed Solution
5 Simulation
5.1 One-Provider and One-Consumer Case
5.2 One-Provider and Multi-Consumer Case
5.2.1 Without Interaction Among Consumers
5.2.2 With Interaction Among Consumers
6 Conclusion
References
22 Vehicle Communications for Infotainment Applications
Contents
1 Intelligent Transportation System and Its Applications
1.1 Safety Applications
1.2 Traffic Management
1.3 Infotainment Applications
2 V2X Communications to Support Infotainment Applications
2.1 V2V-Based Solutions for Infotainment Applications
2.2 V2I-Based Solutions for Infotainment Applications
3 Recent Advances in Combination of V2I and V2V for Infotainment Applications
3.1 Should V2I Communications Be Combined with V2V Communications?
3.2 Existing Solutions Combining V2I Communications with V2V Communications
3.3 Preliminary Results of Our Proposed Cooperation Scheme
4 Conclusion
References
23 Cloud Empowered Real-Time Virtual Manufacturing Systems
Contents
1 Introduction
2 Literature Review (State of the Art)
3 An Integrated Framework for Cloud Empowered VMS
3.1 Prepositioning of Components
3.2 Specification of the Cloud-Empowered VMS Components
3.3 Software Technologies
3.3.1 3D Modeling or Development Tools
3.3.2 Photogrammetry Software
3.3.3 Cloud Platform
3.3.4 Cloud Deployment Strategies
4 Use Case of the Cloud Empowered VMS
4.1 The Physical Shopfloor Components
4.1.1 ETON 5000 SYNCRO Production System
4.1.2 AUTOMATEX CPT4700 Panel Cutter
4.1.3 AUTOMATEX MULTITEX 3300-2000
4.1.4 Available Industry 4.0 Packaging Solutions
4.2 Proposed Hybrid Virtual Manufacturing Process
4.2.1 The Details of the Components
4.2.2 The Operation Process
4.2.3 The Operation Flow
5 Conclusion
References
24 Real-Time Internet of Things for Smart Environments
Contents
1 What Is Real-Time IoT?
2 Example Applications
3 Characteristics of Real-Time IoT
4 Layered and Distributed Architecture
5 Layered Network Stack
5.1 Application Layer
5.2 MQTT and Its Support for Real-Time IoT
5.3 Transport Layer
5.4 Network Layer
5.5 MAC Layer
5.6 IEEE-802.15.4e: Time Slotted Channel Hopping
5.7 Physical Layer
5.7.1 IEEE-802.15.4
5.7.2 LPWAN Technologies
6 Operating System Support for Real-Time IoT
7 Design Considerations for Real-Time IoT
7.1 Many Sources of Latency in IoT Systems
7.2 Protocol and Operating System Recommendations
8 Conclusion
References
25 CyreumE: A Real-Time Situational Awareness and Decision-Making Blockchain-Based Architecture for the Energy Internet
Contents
1 Introduction
1.1 CyreumE Overview
1.2 Security Guarantees
1.3 Energy Internet Requirements for Real-Time Situational Awareness and Decision-Making
1.4 Contributions to Knowledge
1.5 Structure of the Chapter
2 Dataset
3 CyreumE-CP
3.1 Identity-Based Communication Paradigm
3.2 Description of CyreumE-CP
3.3 Formal Security Verification of CyreumE-CP Using AVISPA
4 CyreumE
4.1 Real-Time Situational Awareness Process CRSA
4.2 Distributed Value Chain Framework CDVC
4.3 The Real-Time Decision-Making Process CRDM
5 Security Analysis
6 Case Studies
6.1 Impact of Failures on SCADA System: Generation (Lack of Real-Time Availability of Operational Data/Reliability Issues) and Distribution (ATC&C) Losses
6.2 Disputes Across the Value Chain of the Power Grid
7 Discussion and Related Work
8 Conclusion and Future Work
References
26 A Real-Time Robotic System for Sewing Personalized Stent Grafts
Contents
1 Introduction
2 Related Work
3 Overview
3.1 Module I: Personalized Module
3.2 Module II: Bimanual Sewing Module
3.2.1 Data Acquisition
3.2.2 Task Learning
3.2.3 Trajectory Optimization for Task Contexts
3.3 Module III: Vision Module
3.3.1 Tool Pose Tracking
3.3.2 Needle Detection
3.3.3 Visual Servoing
4 System Performance
4.1 Trajectory Following
4.2 Needle Driving and Piercing
4.3 Autonomous Sewing of Personalized Stent Grafts
5 Conclusion
References
Part IV Real-Time Networks and Communications
27 Low-Latency Multicast and Broadcast Technologies for Real-Time Applications in Smart Grid
Contents
1 Introduction
2 Low-Latency Multicast to Minimize End-to-End Delay for WAC
2.1 Problem Formulation
2.2 Problem-Solving with Lagrangian Relaxation
2.3 Algorithm Design
3 Low-Latency Multicast for Multiple Multicast Trees with Shared Links in WANs
3.1 Problem Formulation and Analysis
3.2 Problem-Solving with Constrained Optimization
3.2.1 Constrained Optimization
3.2.2 Heuristics for BCBT
3.2.3 Algorithm Design
4 Low-Latency Constrained Broadcast in NANs
4.1 Problem Formulation
4.2 Constrained Optimization and Solving
4.2.1 Layered Graph G(V + s,E)
4.2.2 Objective Function
4.2.3 Constraints to the Selection of Core Nodes
4.2.4 Constraints to Non-core Nodes
4.2.5 Constrained Optimization for CBS-ML
4.3 An Illustrative Example
5 Conclusions
References
28 The Efficacy and Real-Time Performance of Refraction Networking
Contents
1 Introduction
2 Previous Research
3 Upstream Protocols
3.1 Rebound
3.2 Multiflow
3.3 Conjure
3.4 Siegebreaker
4 Downstream Protocols
5 Bidirectional Protocols
5.1 Slitheen
5.2 Gossip Protocol
5.3 Slitheen++
6 Discussion
6.1 Attacks
6.2 Barriers to Adoption
6.3 ISP Deployments
6.4 Future Research
7 Conclusion
References
29 Providing Real-Time and Reliable Transmission in Routing Protocols for Large-Scale Sensor Networks
Contents
1 Introduction
2 Routing Metrics for Reliable and Real-Time Data Transmission
2.1 Single Routing Metric
2.2 Composite Routing Metric
3 Route Discovery Process for Large-Scale Networks
4 Route Maintenance Process for Supporting Real-Time and Reliable Transmissions
5 Conclusion
References
30 Software-Defined Networking for Real-Time Network Systems
Contents
1 Introduction
2 Real-Time Networks (RTN)
3 Software-Defined Networks (SDN)
4 Benefits of SDN-RTN Integration
5 Standards for RTN
6 RTN Protocols
6.1 Real-Time Ethernet (RTE)
6.2 Wireless MAC Protocols for RTN
6.3 CAN Bus Protocol and Advancements
7 Variants of CAN Bus
7.1 Field Bus Protocol
7.2 Cross-Layer WNCS Network
7.3 Time-Sensitive Software-Defined Networks: TSSDN
8 SDN-Based RTN Architecture
9 Problem Formulation of SDRTN
10 Simulators for SDRTN
10.1 Virtual Time–Enabled Mininet
10.2 Mininet
10.3 WiFi-Mininet
11 Experimental Demonstrations
12 Conclusion
References
31 Satellite Communication Networks
Contents
1 Introduction
2 Background
3 ITU
4 Orbits
4.1 LEO
4.2 MEO
4.3 GEO
5 Services
5.1 FSS
5.2 BSS
5.3 MSS
6 Segments
7 Scenarios and Use Cases
8 Radio Link
8.1 Link Budget Analysis
9 Antenna Gain
10 EIRP
11 Noise
12 G/T
13 Losses
14 Bandwidth
15 Spectral Efficiency
16 Software-Defined Radio
17 Software-Defined Networking
18 SDR-SDN Integration
19 Interfacing
20 Security
21 Summary
References
Part V Real-Time Multi-Agent Systems
32 Event-Triggering Impulsive Differential Evolution
Contents
1 Introduction
2 Background Information
2.1 DE
2.2 Event-Triggered Mechanism (ETM)
2.3 Impulsive Control
3 An Event-Triggered Impulsive Control Scheme
3.1 The Proposed Approach
3.2 DE with an Event-Triggered Impulsive Control Scheme
4 Experimental Results and Analysis
4.1 Parameter Settings
4.2 Comparison with Six DE Algorithms
4.3 Effectiveness of Two Types of Impulses
4.4 Effectiveness of Random Selection of the Reference State in Stabilizing Impulses
4.5 Parameter Sensitivity Study
4.6 Scalability Study
4.7 Working Mechanism of ETI
5 Conclusion
References
33 Distributed Impulsive Control of Leader-Following Multi-agent Systems
Contents
1 Introduction
2 Leader-Following Consensus of Homogenous Nonlinear Multi-agent Systems via Distributed Impulsive Control
2.1 Problem Formulation
2.2 Leader-Following Consensus Criteria with Distributed Impulsive Control
2.2.1 Coupling Strength and Selective Pinning Scheme in the Case of h2>0
2.2.2 Coupling Strength and Selective Pinning Scheme in the Case of h2≥>0
2.3 Impulse Pinning Controllability
2.4 Pinning Feedback Gain
3 Network-Based Leader-Following Consensus of Homogenous Nonlinear Multi-agent Systems via Distributed Impulsive Control
3.1 Leader-Following Consensus Criteria with Delayed Impulsive Control
3.2 Numerical Simulations
4 Leader-Following Consensus of Heterogenous Nonlinear Multi-agent Systems via Distributed Impulsive Control
4.1 Leader-Following Bounded Consensus Criteria
4.1.1 Coupling Strength and Selective Pinning Scheme in the Case of h2>0
4.1.2 Coupling Strength and Selective Pinning Scheme in the Case of h2≥>0
4.2 Optimization
4.2.1 Optimization with h2>0
4.2.2 Optimization with h2≥
4.3 Controller Design with a Prescribed Error Bound
4.4 Numerical Simulations
5 Conclusion
6 Notes
References
34 Impulsive Control of Multi-agent Systems with Partial Information
Contents
1 Introduction
2 Preliminaries
2.1 Mathematical Notations
2.2 Algebraic Graph Theory
2.3 Preliminaries on Matrix Theory
3 Problems Formulation
4 Impulsive Controller Development
5 Consensus Under Identical Impulsive Period
5.1 Consensus Analysis of System (7)
5.2 Consensus Analysis of System (8)
5.3 Performance Optimization of Convergence Speed
5.4 Performance Optimization of Decay Rate of Error Energy
6 Consensus Under Time-Varying Impulsive Period
7 Examples
7.1 Examples for Consensus Under Identical Impulsive Period
7.2 Examples for Consensus Under Time-Varying Impulsive Period
8 Conclusion
References
35 Analysis and Design of Synchronization for a Heterogeneous Network
Contents
1 Introduction
2 Problem Formulation
2.1 Algebraic Graph Theory
2.2 System Model
2.3 Distributed Controller
3 Event-Based Control of Reference Generators
3.1 Predicted Value for Edge state
3.2 Synchronization of Reference Generators
3.3 Lower Bound for Inter-event Intervals
4 Output Regulation of Nonidentical Agents
5 Simulation Example
6 Conclusion
References
36 Consensus of Multi-agent Systems with Intermittent Communication and Its Extensions
Contents
1 Introduction
1.1 Notations
1.2 Preliminaries on Algebraic Graph Theory
1.3 Preliminaries on Matrix Theory
2 Consensus of Second-Order Multi-agent Systems with Synchronously Intermittent Communication
2.1 Model Formulation
2.2 Second-Order Consensus in Strongly Connected Networks with Synchronously Intermittent Communication
2.3 Second-Order Consensus in Networks Containing a Directed Spanning Tree with Synchronously Intermittent Communication
3 Consensus of Second-Order Multi-agent Systems with Nonlinear Dynamics and Synchronously Intermittent Communication
3.1 Model Formulation
3.2 Second-Order Consensus in Nonlinear Multi-agent Systems with Synchronously Intermittent Communication
3.3 Second-Order Consensus in Delayed Nonlinear Multi-agent Systems with Synchronously Intermittent Communication
4 Consensus Tracking of Nonlinear Multi-agent Systems with Asynchronously Intermittent Communication
4.1 Model Formulation
4.2 Consensus Tracking in Networks with Fixed Directed Topology Containing a Directed Spanning Tree
4.3 Consensus Tracking in Networks with Every Possible Topology Containing a Directed Spanning Tree
4.4 Consensus Tracking in Networks with Topology Frequently Containing a Directed Spanning Tree
5 Numerical Simulations
5.1 Consensus of Second-Order Multi-agent Systems with Intermittent Communication
5.2 Consensus of Second-Order Multi-agent Systems with Nonlinear Dynamics and Intermittent Communication
6 Conclusions
References
37 Synchronization in Coupled Harmonic Oscillator Systems Based on Sampled Position Data
Contents
1 Introduction
2 Preliminaries
2.1 Notations
2.2 Graph Theory
3 Problem Formulation and Algorithm Design
4 Synchronization Under Protocol (2)
5 Synchronization Under Protocol (3)
5.1 Synchronization Criteria for Network (1) with Protocol (3)
5.2 Design of β and T for Undirected Network
5.3 Design of β and T for Directed Network
6 Numerical Results
6.1 Synchronization with Current Sampled Position Data
6.2 Synchronization with Past Sampled Position Data
7 Conclusions
References
38 Synchronization of Nonlinear Dynamical Networks with Heterogeneous Impulses
Contents
1 Introduction
2 Model Formulation and Some Preliminaries
3 Synchronization of Nonlinear Dynamical Networks with Heterogeneous Impulses
4 Numerical Example
5 Conclusion
References
39 Adaptive Consensus of Multiple Lagrangian Systems
Contents
1 Introduction
2 Background
3 Consensus of Multiple Lagrangian Systems Under a Directed Graph with Full Information
4 Consensus of Multiple Lagrangian Systems Under a Directed Graph Without Relative Velocity Information
5 Conclusions
References
40 On Discrete-Time Convergence for General Linear Multi-agent Systems Under Dynamic Topology
Contents
1 Introduction
2 Preliminaries
2.1 Notation
2.2 Concepts in Graph
2.3 Row Stochastic Matrix
2.4 Problem Statement
3 Main Results
3.1 Convergence Analysis
3.2 Further Analysis and Extensions
4 Conclusion
References
41 Distributed Consensus of Stochastic Delayed Multi-agent Systems Under Asynchronous Switching
Contents
1 Introduction
2 Preliminaries
3 Main Results
4 Numerical Examples
4.1 Appendix: Proofs
5 Conclusion
References
42 Outer Synchronization of Partially Coupled Dynamical Networks via Pinning Impulsive Controllers
Contents
1 Introduction
2 Preliminaries and Problem Statement
2.1 Notation
2.2 Partially Coupled Dynamical Networks
2.3 Error Dynamical System
3 Outer Synchronization of Drive-response Partially Coupled Networks
3.1 Pinning Impulsive Control Scheme
3.2 Impulsive Control Protocol via Concept of Average Impulsive Interval
4 Numerical Examples
5 Conclusion
References
43 Time-Varying Formation Control Under Switching Interaction Topologies Theories and Applications
Contents
1 Introduction
2 Preliminaries and Problem Description
2.1 Basic Concepts and Results on Graph Theory
2.2 Problem Description
3 Time-Varying Formation Analysis
4 Time-Varying Formation Feasibility and Protocol Design
5 Simulation and Experimental Results
5.1 Numerical Simulation for High-Order Linear Swarm System
5.2 Quadrotor Formation Platform
5.3 Simulations and Experiments for Quadrotor Swarm Systems
6 Conclusions
References
44 Semi-global Consensus of Multi-agent Systems with Impulsive Approach
Contents
1 Introduction
2 Preliminaries and Problem Statement
2.1 Notation
2.2 Graph Theory
2.3 Consensus Protocol via Low-Gain Feedback Approach
2.4 Impulsive Consensus Protocol via Low-Gain Feedback Approach
3 Impulsive Consensus Protocol Design
3.1 Low-Gain-Based Impulsive Consensus Protocol
3.2 Low-and-High-Gain-Based Impulsive Consensus Protocol
3.2.1 Design of Low-Gain Parameter γ0
3.2.2 Design of High-Gain Parameter β0
3.2.3 Design of Low-and-High-Gain-Based Impulsive Control Gain Matrix K
4 Numerical Examples
5 Conclusion
References
45 Event-Triggered Schemes for Leader-Following Consensus of Multi-agent Systems
Contents
1 Introduction
2 Preliminaries and Problem Formulation
2.1 Notations
2.2 Leader-Following Consensus
2.3 Basic Theory on Graphs and Matrices
2.4 Other Useful Lemmas
2.5 Problem Formulation
2.5.1 Continuous-Time Control Protocol
2.5.2 Event-Triggered Control Protocol
3 Three Types of Event-Triggered Schemes on Leader-Following Consensus of General Linear Multi-agent Systems
3.1 Centralized Event-Triggered Control
3.2 Clustered Event-Triggered Control
3.3 Distributed Event-Triggered Control
3.4 Discussion on Event Detection
3.5 Summary
3.6 Notes
4 An Impulsive Framework for Event-Triggered Consensus Analysis: The Clustered Case
4.1 Event-Triggered Protocol via State Feedback
4.2 Consensus Analysis Based on Impulsive Control Framework
4.3 The Case with External Disturbance
4.4 Numerical Examples
4.5 Summary
4.6 Notes
References
46 Ultra-fast Formation Control of High-Order, Discrete-Time Multi-Agent Systems Based on Multistep Predictive Mechanism
Contents
1 Introduction
2 Preliminaries on Graph Theory and Problem Formulation
2.1 Preliminaries on Graph Theory
2.2 Problem Formulation
3 Main Results
3.1 Analysis on Ultra-fast Formation Control
3.2 Designs of Control Gain and Coupling Gain
4 Simulation Examples
4.1 Example 1
4.2 Example 2
5 Conclusions
References
47 Particle Swarm Optimization of Real-Time PID Controllers
Contents
1 Introduction
2 Theory
3 Algorithms
4 Application to Control Parameter Optimization
5 Application to Real-Time Parameter Identification
5.1 Kinetic Modelling and Identification Criterion of a VTOL Aircraft
5.2 Design of the Estimation Procedure
5.3 Description of the Experimental Setup
5.4 Parameter Estimation and Experimental Results
5.5 Model Validation
6 Conclusions
References
Index

Yu-Chu Tian David C. Levy Editors

Handbook of Real-Time Computing

With 442 Figures and 75 Tables

Editors

Yu-Chu Tian, School of Computer Science, Queensland University of Technology, Brisbane, QLD, Australia

David C. Levy, School of Electrical and Information Engineering, The University of Sydney, Sydney, NSW, Australia

ISBN 978-981-287-250-0
ISBN 978-981-287-251-7 (eBook)
https://doi.org/10.1007/978-981-287-251-7

© Springer Nature Singapore Pte Ltd. 2022

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Singapore Pte Ltd. The registered company address is: 152 Beach Road, #21-01/04 Gateway East, Singapore 189721, Singapore

Preface

Real-time computing correlates the performance of a computer, embedded system, or communication network together with time. It focuses on the design of application systems that must complete a task or return a response within a certain time frame, which is known as deadline. Depending on the application, the deadline requirement could range from nanosecond in computer network communications to millisecond in medical diagnosis or even seconds or minutes in many industrial control systems. Missing the deadline will violate the system requirements, while completing a task much earlier than the deadline may also deteriorate the system performance. Fast responses and/or precise timing control with or without fast response requirements are typical features of real-time computing. This can be interpreted as completing computing tasks at right times in real-time computing.

Real-time computing is widely used in various applications. In industrial systems such as power plants and power transmission and distribution networks, real-time monitoring and control over the whole communication networked systems become essential for system stability, performance, safety, and reliability. In our daily life, with the increasing demand on high-speed communication and network activities, real-time computing has become one of the key technologies to provide ultimate real-time networked services.

The Handbook of Real-Time Computing aims to summarize the state of the art of real-time computing. It is organized into five sections, which cover five selected aspects of real-time computing from theory to applications. The five sections are

• Principles and Theories of Real-Time Computing
• Real-Time Scheduling
• Real-Time Systems
• Real-Time Networks and Communications
• Real-Time Multi-agent Systems

Each of these five sections is edited by an expert in the specific domain. Authors of all chapters are experts on their respective topics, and many of them are well-recognized world-leading researchers. We congratulate all section editors and authors for their contributions, which reflect their expertise and knowledge, to the present handbook. We hope that the collection of these sections each with a number of chapters in the present handbook will provide a full and quick technical reference with a high-level historic review, detailed technical descriptions, and latest practical applications in real-time computing.

It has been a long journey to present this five-section handbook to readers. We would like to acknowledge all section editors and authors for their creative contributions, without which the production of this handbook would have not been possible. We are grateful to Springer’s MRW (Major Reference Works) publisher Mr. Stephen Yeung, who initiated this handbook project and demonstrated his enthusiasm, professionalism, support, and patience throughout the process of the project. Last but not the least, special thanks go to Springer’s project coordinators (Books), Ms. Rekha Sukumar, Ms. Juby George, Meena Thiagarajan, Akshara P P, Nivedita Baroi, and Mr. Ramesh Nath Premnath, who coordinated the project at different times leading to the production of the handbook. It has been an enjoyable experience to work with these professionals and Springer.

Let us look forward to further development and evolution of new theories and technologies of real-time computing.

Brisbane, Australia: Dr. Yu-Chu Tian
Sydney, Australia: Dr. David C. Levy
July 2022

Contents

Volume 1

Part I Principles and Theories of Real-Time Computing
Section Editor: Tao Yue

1 Timing and Timing Control
   H. Kopetz
2 Modeling of Real-Time Software Systems
   Bran Selić
3 Uncertainty Theories for Real-Time Systems
   Torsten Bandyszak, Thorsten Weyer, and Marian Daun
4 Interface Design for Embedded and Real-Time Systems
   Bruce Montgomery

Part II Real-Time Scheduling
Section Editor: Arvind Easwaran

5 Semi-partitioned Multiprocessor Scheduling
   Björn Andersson
6 Practical Considerations in Optimal Multiprocessor Scheduling
   George Lima, Ernesto Massa, and Paul Regnier
7 Soft Real-Time Scheduling
   Jeremy P. Erickson and James H. Anderson
8 Hierarchical Scheduling
   Jin Hyun Kim, Deepak Gangadharan, Kyong Hoon Kim, Insik Shin, and Insup Lee
9 Mixed-Criticality Uniprocessor Scheduling
   Sanjoy Baruah
10 Probabilistic Analysis
   Dorin Maxim, Liliana Cucu-Grosjean, and Robert I. Davis
11 Multiprocessor Real-Time Locking Protocols
   Björn B. Brandenburg
12 Parallel Real-Time Scheduling
   Jing Li, Kunal Agrawal, and Chenyang Lu
13 Real-Time Task Models
   Yue Tang, Nan Guan, and Wang Yi
14 Complexity of Uniprocessor Scheduling Analysis
   Pontus Ekberg and Wang Yi

Part III Real-Time Systems
Section Editor: Jiong Jin

15 Real-Time Cyber-physical Systems: State-of-the-Art and Future Trends
   Mehdi Korki, Jiong Jin, and Yu-Chu Tian
16 Real-Time Data Analytics in Internet of Things Systems
   Tianqi Yu and Xianbin Wang
17 Authentication and Integrity Protection for Real-Time Cyber-Physical Systems
   Sye Loong Keoh, Heng Chuan Tan, and Zhaohui Tang
18 Real-Time Simulation Support for Real-Time Systems
   Xi Zheng
19 Real-Time Control Systems with Applications in Mechatronics
   Hai Wang, Youhao Hu, Mao Ye, Jie Zhang, Zhenwei Cao, Jinchuan Zheng, and Zhihong Man
20 PANTHEON: SCADA for Precision Agriculture
   Laura Giustarini, Sebastian Lamprecht, Rebecca Retzlaff, Thomas Udelhoven, Nico Bono Rossellò, Emanuele Garone, Valerio Cristofori, Mario Contarini, Marco Paolocci, Cristian Silvestri, Stefano Speranza, Emanuele Graziani, Romeo Stelliferi, Renzo Fabrizio Carpio, Jacopo Maiolini, Riccardo Torlone, Giovanni Ulivi, and Andrea Gasparri
21 Smart Grid and Demand Side Management
   Ruilong Deng
22 Vehicle Communications for Infotainment Applications
   Bach Long Nguyen, Duy T. Ngo, and Hai L. Vu
23 Cloud Empowered Real-Time Virtual Manufacturing Systems
   Sourabh Dani, Akhlaqur Rahman, Jiong Jin, and Ambarish Kulkarni
24 Real-Time Internet of Things for Smart Environments
   Gowri Sankar Ramachandran and Bhaskar Krishnamachari
25 CyreumE: A Real-Time Situational Awareness and Decision-Making Blockchain-Based Architecture for the Energy Internet
   Abubakar Sadiq Sani, Dong Yuan, Stephen Ogaji, and Zhao Yang Dong
26 A Real-Time Robotic System for Sewing Personalized Stent Grafts
   Bidan Huang, Ya-Yen Tsai, and Guang-Zhong Yang

Volume 2

Part IV Real-Time Networks and Communications
Section Editor: Naveen Chilamkurti

27 Low-Latency Multicast and Broadcast Technologies for Real-Time Applications in Smart Grid
   Yuemin Ding and Xiaohui Li
28 The Efficacy and Real-Time Performance of Refraction Networking
   Andrew Stephens and Mohammad Hammoudeh
29 Providing Real-Time and Reliable Transmission in Routing Protocols for Large-Scale Sensor Networks
   Lapas Pradittasnee
30 Software-Defined Networking for Real-Time Network Systems
   Bhargavi Goswami, Shuwen Hu, and Yanming Feng
31 Satellite Communication Networks
   Muhammad Furqan and Bhargavi Goswami

Part V Real-Time Multi-Agent Systems
Section Editor: Yang Tang

32 Event-Triggering Impulsive Differential Evolution
   Wei Du and Yang Tang
33 Distributed Impulsive Control of Leader-Following Multi-agent Systems
   Wangli He, Feng Qian, Guanrong Chen, and Qing-Long Han
34 Impulsive Control of Multi-agent Systems with Partial Information
   Ming-Feng Ge, Zhi-Wei Liu, and Li Ding
35 Analysis and Design of Synchronization for a Heterogeneous Network
   Yuanqing Wu, Renquan Lu, Peng Shi, Hongye Su, and Zheng-Guang Wu
36 Consensus of Multi-agent Systems with Intermittent Communication and Its Extensions
   Guanghui Wen, Wenwu Yu, Zhisheng Duan, and Peijun Wang
37 Synchronization in Coupled Harmonic Oscillator Systems Based on Sampled Position Data
   Qiang Song, Fang Liu, Guanghui Wen, Jinde Cao, and Yang Tang
38 Synchronization of Nonlinear Dynamical Networks with Heterogeneous Impulses
   Wenbing Zhang, Yang Tang, and Qingying Miao
39 Adaptive Consensus of Multiple Lagrangian Systems
   Jie Mei
40 On Discrete-Time Convergence for General Linear Multi-agent Systems Under Dynamic Topology
   Jiahu Qin, Huijun Gao, and Changbin Yu
41 Distributed Consensus of Stochastic Delayed Multi-agent Systems Under Asynchronous Switching
   Xiaotai Wu, Yang Tang, Jinde Cao, and Wenbing Zhang
42 Outer Synchronization of Partially Coupled Dynamical Networks via Pinning Impulsive Controllers
   Jianquan Lu, Chengdan Ding, Jungang Lou, and Jinde Cao
43 Time-Varying Formation Control Under Switching Interaction Topologies Theories and Applications
   Xiwang Dong, Yongzhao Hua, Zixuan Liang, Qingdong Li, and Zhang Ren
44 Semi-global Consensus of Multi-agent Systems with Impulsive Approach
   Zhen Li, Jian-an Fang, Tingwen Huang, Wenqing Wang, and Wenbing Zhang
45 Event-Triggered Schemes for Leader-Following Consensus of Multi-agent Systems
   Wenying Xu and Daniel W. C. Ho
46 Ultra-fast Formation Control of High-Order, Discrete-Time Multi-Agent Systems Based on Multistep Predictive Mechanism
   Wenle Zhang, Jianchang Liu, and Honghai Wang
47 Particle Swarm Optimization of Real-Time PID Controllers
   David C. Levy, Yongzhong Lu, Danping Yan, Min Zhou, and Shiping Chen

Index

About the Editors

Professor Yu-Chu Tian is a computer scientist working as Professor of Computer Science in the School of Computer Science, Queensland University of Technology (QUT), Brisbane QLD, Australia. He received his Ph.D. degree in computer and software engineering in 2009 from the University of Sydney, Sydney NSW, Australia, and his Ph.D. degree in industrial automation in 1993 from Zhejiang University, Hangzhou, China. He has worked in a number of universities including Zhejiang University (Hangzhou, China), Hong Kong University of Technology (Hong Kong, China), Curtin University (Perth WA, Australia), the University of Maryland at College Park (MD, USA), and Queensland University of Technology (Brisbane QLD, Australia).

Professor Tian has been playing a leadership role in QUT’s research and development as well as teaching and learning in big data computing, cloud computing, real-time computing, computer networks, and cyber-physical system security. He has been working at QUT initially as a lecturer, and later as a senior lecturer and associate professor, and currently as a full professor. At QUT, he has established and headed the Networks and Systems Group, the Discipline of Networks and Communications, and the Big Data Lab. So far, Professor Tian has supervised over 30 PhD and Master of Research students to completion. He has also mentored and supervised over 30 research fellows.

Professor Tian is an Australian Research Council (ARC) recognized expert with international standing. He has secured over 20 competitive research grants in excess of $7 million funds in total for leading-edge research and development. From his research, he has published a book on the computation of mathematical models for complex industrial processes. He has also published more than 250 refereed research articles. He holds a patent on real-time control of large-scale and continuous galvanizing line. Professor Tian’s current research interests include big data computing, cloud computing, real-time computing, computer networks, smart grid communications and control, optimization and machine learning, networked control systems, and cyber-physical system security. Contact Professor Tian via email [email protected].

Dr. David C. Levy is an honorary associate professor in the School of Electrical and Information Engineering at the University of Sydney. He was head of the disciplines of computer and software engineering and Head of School prior to his leaving to pursue a private consulting career. He now acts as a technical advisor to two start-ups and has done some occasional teaching in Australia and China. He has supervised over 50 graduate students to completion, received grants totaling in excess of $2.5 million, and been on the organizing committee of 17 conferences, chairing 6. He is a member of the IEEE and the ACM, and has served on the CDIO Council and on the Real Time Architectures committee of IFAC. He has acted as an assessor for grant applications in South Africa and Australia and has served as a reviewer for many research papers.

Dr. Levy received his B.E. degree in electrical engineering from the University of Natal, Durban, South Africa, in 1970, followed by M.Sc. and Ph.D. from the same institution. He taught electronic engineering at the University of Natal, with stints at the Technion, Israel, and Clemson, USA. After an extended visit to the CSIRO in Australia, Dr. Levy took up a position at the University of Sydney in 1994 where he led major curriculum revisions and served as Head of School. Dr. Levy holds two patents on embedded systems for chemical sensors. He has over 200 refereed papers on his publication record, along with 1 book and 2 book chapters.

Section Editors

Section: Real-Time Networks and Communications
Naveen Chilamkurti
La Trobe University
Melbourne, Australia

Section: Real-Time Scheduling
Arvind Easwaran
Nanyang Technological University
School of Computer Science and Engineering
Singapore, Singapore

Section: Real-Time Systems
Jiong Jin
Swinburne University of Technology
School of Science, Computing and Engineering Technologies
Melbourne, VIC, Australia

Section: Real-Time Multi-Agent Systems
Yang Tang
East China University of Science and Technology
The Key Laboratory of Advanced Control and Optimization for Chemical Processes, Ministry of Education
Shanghai, China

Section: Principles and Theories of Real-Time Computing
Tao Yue
Nanjing University of Aeronautics and Astronautics, Simula Research Laboratory
Nanjing University of Aeronautics and Astronautics
Nanjing, China

Contributors

Kunal Agrawal Washington University in St. Louis, St. Louis, MO, USA Björn Andersson Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, USA James H. Anderson Department of Computer Science, The University of North Carolina, Chapel Hill, NC, USA Torsten Bandyszak The Ruhr Institute for Software Technology, University of Duisburg-Essen, Essen, Germany Sanjoy Baruah Department of Computer Science and Engineering, Washington University in St. Louis, St. Louis, MO, USA Björn B. Brandenburg Max Planck Institute for Software Systems (MPI-SWS), Kaiserslautern, Germany Jinde Cao School of Mathematics, Southeast University, Nanjing, China Zhenwei Cao School of Software and Electrical Engineering, Swinburne University of Technology, Melbourne, VIC, Australia Renzo Fabrizio Carpio Rome Tre University, Rome, Italy Guanrong Chen Department of Electronic Engineering, City University of Hong Kong, Kowloon, Hong Kong Shiping Chen Data61, Commonwealth Scientific and Industrial Research Organization, Marsfield, NSW, Australia Mario Contarini University of Tuscia, Viterbo, Italy Valerio Cristofori University of Tuscia, Viterbo, Italy Liliana Cucu-Grosjean Inria, Paris, France Sourabh Dani Swinburne University of Technology, Melbourne, VIC, Australia Marian Daun The Ruhr Institute for Software Technology, University of DuisburgEssen, Essen, Germany Robert I. Davis University of York, York, UK xvii

xviii

Contributors

Ruilong Deng College of Control Science and Engineering, School of Cyber Science and Technology, Zhejiang University, Hangzhou, China Chengdan Ding Department of Mathematics, Southeast University, Nanjing, China Li Ding School of Electrical Engineering and Automation, Wuhan University, Wuhan, China Yuemin Ding Tecnun School of Engineering, University of Navarra, San Sebastian, Spain Xiwang Dong School of Automation Science and Electrical Engineering, Science and Technology on Aircraft Control Laboratory, Beihang University, Beijing, P.R. China Key Laboratory of System Control and Information Processing, Ministry of Education, Shanghai, P.R. China Beijing Advanced Innovation Center for Big Data and Brain Computing, Beihang University, Beijing, P.R. China Zhao Yang Dong School of Electrical Engineering and Telecommunications, University of New South Wales, Sydney, NSW, Australia Wei Du Key Laboratory of Advanced Control and Optimization for Chemical Processes, Ministry of Education, East China University of Science and Technology, Shanghai, China Zhisheng Duan State Key Laboratory for Turbulence and Complex Systems, Department of Mechanics and Engineering Science, College of Engineering, Peking University, Beijing, P. R. China Pontus Ekberg Department of Information Technology, Uppsala University, Uppsala, Sweden Jeremy P. Erickson Department of Computer Science, The University of North Carolina, Chapel Hill, NC, USA Jian-an Fang School of Information Science and Technology, Donghua University, Shanghai, China Yanming Feng School of Computer Science, Queensland University of Technology, Brisbane, QLD, Australia Muhammad Furqan Queensland University of Technology, Brisbane, QLD, Australia Deepak Gangadharan Department of Computer and Information Science, University of Pennsylvania, Philadelphia, PA, USA Huijun Gao Research Institute of Intelligent Control and Systems, Harbin Institute of Technology, Harbin, China

Contributors

xix

Emanuele Garone Université Libre de Bruxelles, Brussels, Belgium Andrea Gasparri Rome Tre University, Rome, Italy Ming-Feng Ge School of Mechanical Engineering and Electronic Information, China University of Geosciences, Wuhan, China Laura Giustarini Ferrero, Senningerberg, Luxembourg Bhargavi Goswami School of Computer Science, Queensland University of Technology, Brisbane, QLD, Australia Emanuele Graziani SIGMA Consulting, Rome, Italy Nan Guan The Hong Kong Polytechnic University,Kowloon, Hong Kong Mohammad Hammoudeh Manchester Metropolitan University, Manchester, UK Qing-Long Han School of Software and Electrical Engineering, Swinburne University of Technology, Melbourne, VIC, Australia Wangli He Key Laboratory of Advanced Control and Optimization for Chemical Processes, East China University of Science and Technology, Shanghai, China Daniel W. C. Ho Department of Mathematics, City University of Hong Kong, Hong Kong SAR, China Shuwen Hu School of Computer Science, Queensland University of Technology, Brisbane, QLD, Australia Youhao Hu School of Electrical and Automation Engineering, Hefei University of Technology, Hefei, China Yongzhao Hua School of Automation Science and Electrical Engineering, Science and Technology on Aircraft Control Laboratory, Beihang University, Beijing, P.R. China Bidan Huang Tencent Robotics X, Shenzhen, China Tingwen Huang The Science Program, Texas A&M University, Doha, Qatar Jiong Jin School of Science, Computing and Engineering Technologies, Swinburne University of Technology, Melbourne, VIC, Australia Sye Loong Keoh School of Computing Science, University of Glasgow, Glasgow, UK Jin Hyun Kim Department of Information and Communication Engineering, Gyeongsang University, Jinju, Gyeongnam, South Korea Kyong Hoon Kim Department of Informatics, Gyeongsang National University, Jinju, Gyeongnam, South Korea H. Kopetz Technical University of Vienna, Vienna, Austria

xx

Contributors

Mehdi Korki School of Science, Computing and Engineering Technologies, Swinburne University of Technology, Melbourne, VIC, Australia Bhaskar Krishnamachari University of Southern California, Los Angeles, CA, USA Ambarish Kulkarni Swinburne University of Technology, Australia

Melbourne, VIC,

Sebastian Lamprecht Trier University, Trier, Germany Insup Lee Department of Computer and Information Science, University of Pennsylvania, Philadelphia, PA, USA David C. Levy School of Electrical and Information Engineering, The University of Sydney, Sydney, NSW, Australia Jing Li New Jersey Institute of Technology, Newark, NJ, USA Qingdong Li School of Automation Science and Electrical Engineering, Science and Technology on Aircraft Control Laboratory, Beihang University, Beijing, P.R. China Xiaohui Li School of Information Science and Engineering, Wuhan University of Science and Technology, Wuhan, China Zhen Li School of Automation, Xi-an University of Posts & Telecommunications, Xi-an, China Zixuan Liang School of Aerospace Engineering, Beijing Institute of Technology, Beijing, P.R. China George Lima Department of Computer Science, Institute of Mathematics and Statistics, Federal University of Bahia, Salvador, Bahia, Brazil Fang Liu School of Information Engineering, Henan International Joint Laboratory of Behavior Optimization Control for Smart Robots, Huanghuai University, Henan, China Jianchang Liu College of Information Science and Engineering, Northeastern University, Shenyang, P. R. China State Key Laboratory of Synthetical Automation for Process Industries, Northeastern University, Shenyang, P. R. China Zhi-Wei Liu School of Artificial Intelligence and Automation, Huazhong University of Science and Technology, Wuhan, China Key Laboratory of Image Processing and Intelligent Control, Ministry of Education, Huazhong University of Science and Technology, Wuhan, China Jungang Lou School of Information Engineering, Huzhou University, Huzhou, China

Contributors

xxi

Chenyang Lu Washington University in St. Louis, St. Louis, MO, USA Jianquan Lu Department of Mathematics, Southeast University, Nanjing, China Renquan Lu Guangdong Key Laboratory of IoT Information Processing, School of Automation, Guangdong University of Technology, Guangzhou, China Yongzhong Lu School of Software Engineering, Huazhong University of Science and Technology, Wuhan, China Jacopo Maiolini Rome Tre University, Rome, Italy Zhihong Man School of Software and Electrical Engineering, Swinburne University of Technology, Melbourne, VIC, Australia Ernesto Massa State University of Bahia and Unifacs, Salvador, Bahia, Brazil Dorin Maxim University of Lorraine, Nancy, France Jie Mei Harbin Institute of Technology, Shenzhen, Guangdong, China Qingying Miao School of Continuing Education, Shanghai Jiao Tong University, Shanghai, China Bruce Montgomery Department of Computer Science, University of Colorado Boulder, Boulder, CO, USA Duy T. Ngo School of Electrical Engineering and Computing, The University of Newcastle, Callaghan, NSW, Australia Bach Long Nguyen School of Electrical Engineering and Computing, The University of Newcastle, Callaghan, NSW, Australia Stephen Ogaji Department of Fuel and Gas, Niger Delta Power Holding Company, Abuja, Nigeria Marco Paolocci University of Tuscia, Viterbo, Italy Lapas Pradittasnee King Mongkut’s Institute of Technology Ladkrabang, Bangkok, Thailand Feng Qian Key Laboratory of Advanced Control and Optimization for Chemical Processes, East China University of Science and Technology, Shanghai, China Jiahu Qin University of Science and Technology of China, Hefei, China Gowri Sankar Ramachandran University of Southern California, Los Angeles, CA, USA Akhlaqur Rahman Engineering Institute of Technology, Australia

Melbourne, VIC,

Paul Regnier Department of Computer Science, Institute of Mathematics and Statistics, Federal University of Bahia, Salvador, Bahia, Brazil

xxii

Contributors

Zhang Ren School of Automation Science and Electrical Engineering, Science and Technology on Aircraft Control Laboratory, Beihang University, Beijing, P.R. China Rebecca Retzlaff Trier University, Trier, Germany Nico Bono Rossellò Université Libre de Bruxelles, Brussels, Belgium Abubakar Sadiq Sani School of Electrical and Information Engineering, The University of Sydney, Sydney, NSW, Australia Bran Seli´c Malina Software Corp, Nepean, ON, Canada Faculty of Information Technology, Monash University, Clayton, VIC, Australia Peng Shi College of Automation, Harbin Engineering University, Harbin, China College of Engineering and Science, Victoria University, Melbourne, VIC, Australia Insik Shin Korea Advanced Institute of Science and Technology (KAIST), Daejeon, Yuseong-gu, South Korea Cristian Silvestri University of Tuscia, Viterbo, Italy Qiang Song College of Electrical Engineering, Henan University of Technology, Zhengzhou, China Stefano Speranza University of Tuscia, Viterbo, Italy Romeo Stelliferi Azienda Agricola Stelliferi, Nepi (VT), Italy Andrew Stephens Manchester Metropolitan University, Manchester, UK Hongye Su National Laboratory of Industrial Control Technology, Institute of Cyber Systems and Control, Zhejiang University, Hangzhou, China Heng Chuan Tan Advanced Digital Science Centre, Singapore, Singapore Yang Tang Key Laboratory of Advanced Control and Optimization for Chemical Processes, Ministry of Education, East China University of Science and Technology, Shanghai, China Yue Tang The Hong Kong Polytechnic University,Kowloon, Hong Kong Zhaohui Tang University of Southern Queensland, QLD, Australia Yu-Chu Tian School of Computer Science, Queensland University of Technology, Brisbane, QLD, Australia Riccardo Torlone Rome Tre University, Rome, Italy Ya-Yen Tsai Hamlyn Centre for Robotic Surgery, Imperial College London, London, UK Thomas Udelhoven Trier University, Trier, Germany Giovanni Ulivi Rome Tre University, Rome, Italy


Hai L. Vu Department of Civil Engineering, Institute of Transport Studies, Monash University, Clayton, VIC, Australia

Hai Wang Discipline of Engineering and Energy, Center for Water, Energy and Waste, Harry Butler Institute, Murdoch University, Perth, WA, Australia

Honghai Wang College of Information Science and Engineering, Northeastern University, Shenyang, P. R. China; State Key Laboratory of Synthetical Automation for Process Industries, Northeastern University, Shenyang, P. R. China

Peijun Wang School of Mathematics, Southeast University, Nanjing, P. R. China

Wenqing Wang School of Automation, Xi-an University of Posts & Telecommunications, Xi-an, China

Xianbin Wang Department of Electrical and Computer Engineering, Western University, London, ON, Canada

Guanghui Wen School of Mathematics, Southeast University, Nanjing, P. R. China

Thorsten Weyer The Ruhr Institute for Software Technology, University of Duisburg-Essen, Essen, Germany

Xiaotai Wu The School of Mathematics and Physics, Anhui Polytechnic University, Wuhu, China

Yuanqing Wu Guangdong Key Laboratory of IoT Information Processing, School of Automation, Guangdong University of Technology, Guangzhou, China

Zheng-Guang Wu National Laboratory of Industrial Control Technology, Institute of Cyber Systems and Control, Zhejiang University, Hangzhou, China

Wenying Xu School of Mathematics, Southeast University, Nanjing, China; Department of Mathematics, City University of Hong Kong, Hong Kong SAR, China

Danping Yan College of Public Administration, Huazhong University of Science and Technology, Wuhan, China

Guang-Zhong Yang Hamlyn Centre for Robotic Surgery, Imperial College London, London, UK

Mao Ye School of Electrical and Automation Engineering, Hefei University of Technology, Hefei, China

Wang Yi Department of Information Technology, Uppsala University, Uppsala, Sweden

Changbin Yu Australian National University and NICTA Ltd, Canberra, ACT, Australia


Tianqi Yu Department of Electrical and Computer Engineering, Western University, London, ON, Canada

Wenwu Yu School of Mathematics, Southeast University, Nanjing, P. R. China

Dong Yuan School of Electrical and Information Engineering, The University of Sydney, Sydney, NSW, Australia

Jie Zhang School of Electrical and Automation Engineering, Hefei University of Technology, Hefei, China

Wenbing Zhang Department of Mathematics, Yangzhou University, Jiangsu, China

Wenle Zhang College of Information Science and Engineering, Northeastern University, Shenyang, P. R. China; State Key Laboratory of Synthetical Automation for Process Industries, Northeastern University, Shenyang, P. R. China

Jinchuan Zheng School of Software and Electrical Engineering, Swinburne University of Technology, Melbourne, VIC, Australia

Xi Zheng Department of Computing, Macquarie University, Sydney, NSW, Australia

Min Zhou College of Public Administration, Huazhong University of Science and Technology, Wuhan, China

Part I Principles and Theories of Real-Time Computing Tao Yue

1 Timing and Timing Control

H. Kopetz

Contents
1 Introduction
2 The History of Time
3 Time Measurement
3.1 Time Standards
3.2 Accuracy and Precision
3.3 Global Time
3.4 Quality of Time Measurement
3.5 Sparse Time
4 Clock Synchronization
4.1 Synchronization Condition
4.2 Central-Master Clock Synchronization
4.3 Fault-Tolerant Clock Synchronization
4.4 Fault-Tolerant-Average (FTA) Algorithm
4.5 External Clock Synchronization
5 Benefits of a Global Time in the Design of a Hard Real-Time System
5.1 Periodic Behavior
5.2 Temporal Predictability
5.3 Context Alignment
5.4 Error Detection
5.5 Fault-Tolerant Architectures
6 Conclusion
References

H. Kopetz, Technical University of Vienna, Vienna, Austria

© Springer Nature Singapore Pte Ltd. 2022. Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_52


Abstract

A real-time computer system must provide its results at specified instants of physical time. But what is time? After a short look at the history of time, this contribution investigates time measurement in a distributed computer system and introduces the notions of precision and accuracy of a global time base. It then discusses different methods for the synchronization of the local clocks of a distributed computer system. Since the global time base of a safety-critical real-time computer system must not fail if any one of its constituent physical clocks fails, the topic of fault-tolerant clock synchronization is treated in detail. The final section elaborates on the benefits that can be accrued from the existence of a fault-tolerant global time base in a large real-time system. One of the most important benefits is the achievement of temporal predictability and the simplification of the interfaces among the nodes of a large distributed computer system by the use of time-triggered protocols. Time-triggered protocols provide error detection without failure propagation from a faulty receiver to a correct sender.

1 Introduction

A real-time computer system must react to stimuli from its environment within time intervals dictated by its environment. The instant when a result must be produced is called a deadline. If a result has utility even after the deadline has passed, the deadline is classified as soft; otherwise it is firm. If severe consequences could result when a firm deadline is missed, the deadline is called hard. The focus of this contribution is on timing and timing control in a hard real-time system.

We call the integration of an (often distributed) real-time computer system with a controlled physical process a cyber-physical system (CPS). The distributed real-time computer system forms the cyber part, while the physical process forms the physical part of a cyber-physical system. A good example of a CPS is an automotive engine that is controlled by a real-time computer system. Depending on the input from the driver, the computer calculates the amount of fuel that must be injected into the engine. The exact point in time when the injection must take place is determined by the physical environment of the computer system, that is, by the position of the piston within the cylinder of the engine, and must be within a small time window of a few microseconds.

This contribution is structured as follows. In the next section we briefly consider the history of time and elaborate on the difference between the Newtonian model of time and the relativistic model of time. In Sect. 3 we introduce a hypothetical reference clock and time standards in order to be able to measure the progress of time. The notions of accuracy and precision of a digital time base, the characteristics of a digital global time, the concept of a sparse time base, and the inherent limits of time measurement in a distributed computer system are further topics discussed in Sect. 3. Section 4 is devoted to clock synchronization, which is required to establish and maintain a reliable global time base in a distributed real-time system. The achieved precision of the clock synchronization determines the reasonable granularity of the global time base and limits the synchronization error and the digitalization error. The topic of fault-tolerant clock synchronization, which leads to a robust global time base that is resilient to Byzantine errors of a clock, is treated in detail before looking briefly at external time synchronization. Section 5 looks at the benefits that derive from the availability of a robust global time base in the design and operation of a distributed real-time computer system. The contribution closes with a conclusion in Sect. 6.

2 The History of Time

The main difference between a real-time computer system and a classical (non-real-time) computer system is the requirement to produce a result at a given instant of physical time. What then is time?

"If no one asks me, I know what it is. If I wish to explain it to him who asks, I do not know."

These words of the Christian philosopher Saint Augustine (Herandes 2016), expressed more than 1500 years ago, aptly characterize the mystery of time. The notion of time is so tightly interwoven with our culture and language that the grammatical constructs of future and past and words like change, behavior, history, music, or life (and many more) have no meaning in a world without time. Time is an essential element of our mental models for understanding the phenomena in the changing physical world around us. Time and change are thus the two sides of a single coin.

The progress of (physical) time can only be assessed if a regularly changing physical process – preferably a periodic process, such as the swinging of a pendulum – is available as a reference. A regularly changing process repeatedly visits corresponding states. The number of periods that a periodic process completes during a unit of time is called the frequency of the process. In celestial mechanics two periodic processes are of outstanding significance for the measurement of the progress of physical time: the period of the rotation of the earth around its axis determines the duration of the day, and the period of the rotation of the earth around the sun determines the duration of an astronomical year. Since the duration of an astronomical year cannot be expressed as an integer multiple of the duration of a day, leap years have to be introduced in our calendar in order to maintain the synchronization between the days of the year and the position of the sun.
Before the wide availability of precise clocks, sundials, water clocks, and the ringing of bells, predominantly on the towers of churches, were used to indicate the passage of time during the day. This changed with the invention of the pendulum clock by Christiaan Huygens in the seventeenth century (Bennett et al. 2002). In a pendulum clock, the swinging of a pendulum is applied to mechanical clockwork that records the number of swings. With a pendulum clock it became possible to precisely measure the duration of short intervals.

The new instruments for the measurement of time allowed scientists to study the trajectory that a physical object follows in time from given initial conditions. This led Isaac Newton to posit in the Principia (Newton 2016), published in 1687, the model of an absolute time that exists independently of any perceiver and progresses at a regular pace all over the universe. This model of an absolute universal time (sometimes called Newtonian time) forms the foundation of classical physics.

The equations of classical physics are symmetric with respect to the progression of time, that is, time can flow in either direction. The physical justification for a unidirectional flow of time – the arrow of physical time that flows from the past to the future – is given by the second law of thermodynamics, which was formulated by Carnot in the nineteenth century (Craig 2016). The second law of thermodynamics states that in a closed system the entropy – a measure for the disorder – can only increase over time. An ice cube dissipates in a liquid, thus cooling the liquid, while the reverse process, the heating of the liquid and the forming of an ice cube, is never observed.

At the beginning of the twentieth century the model of an absolute universal physical time was unchallenged. However, in the theory of relativity published by Albert Einstein at the beginning of the twentieth century, the hypothesis of an absolute time that reigns all over the universe had to be abandoned (Hawkins 2016). The model of an absolute time is only applicable in case the observer and the observed object share the same location. Otherwise a new model of time – the relativistic time – that is relative to the location and the movement of the observer has to be introduced.

In a scenario where the observer and the CPS are at a given location in space, the assumptions for using the Newtonian model of an absolute time are met. The rest of this chapter is therefore based on the Newtonian model of physical time in order to avoid the complexities introduced by the relativistic model of time.

3 Time Measurement

Newtonian time progresses at a regular pace from the past to the future. In the physical world, the time-line can be represented by a continuously increasing real-valued variable and depicted by the arrow of time. We call a cut of the time-line an instant and the time-span between two instants a duration. A relevant happening that occurs at an instant is called an event. A modeled property of an entity that holds between two events is called a state of the entity. A change of state is thus an event.

A clock is an instrument for the measurement of the progress of physical time. We restrict our discussion to digital clocks, which comprise a physical oscillator and a tick-counter. The physical oscillator produces the periodic ticks of the clock that are counted in a memory element of the clock, the tick-counter. The duration between two adjacent ticks of a clock is called a granule of the clock. The duration of a granule can only be measured if a reference clock with a much finer granularity is available. Since the tick-counter of a digital clock does not change during a granule (only at the beginning and end of a granule), time measurement with a digital clock of an event that occurs within a granule of the clock induces a digitalization error of, at most, one granule. The timestamp of an event is the value of the tick-counter of the clock of an observer at the moment of event occurrence.

If the duration between two events that are observed by two different clocks must be determined, then the clocks must be aligned (synchronized) and the representation of time must be standardized. The unification of the representation of time requires the standardization of two parameters: the duration of a granule and the start of counting, the epoch of the clock.

3.1 Time Standards

The worldwide standard for identifying the years and the days within a year is the Gregorian Calendar, introduced by Pope Gregory XIII in 1582 (Moyer 1982). The Gregorian Calendar starts with value zero for the assumed birth of Jesus Christ as its epoch.

The standard unit for the duration of a granule is the second. Originally, a second was defined as the 1/86400 part of the astronomical day – the astronomical second. The 86,400 astronomical seconds per day (24 h of 60 min each, where each minute comprises 60 s) were derived from astronomical observations by the Babylonians and Romans more than 2000 years ago. With the advent of more precise methods of timekeeping it was realized that astronomical days are not of a uniform duration. Since the transition frequency of selected atoms provides a more stable time base for defining the duration of a second, the International Bureau of Time decreed in 1967 that the duration of 9,192,671,770 periods of the radiation of caesium-133 defines the duration of the SI (physical) second (Taylor 2001). Atomic clocks are accurate to 1 s over one million years, that is, better than $10^{-12}$ (i.e., one picosecond/second).

The Temps International Atomique (TAI) time is a time standard that continuously counts the SI second. Since the astronomical second deviates unpredictably and slightly from the SI second, occasionally a leap second has to be introduced in the duration of a day in order to keep the terrestrial time, that is, the hours of the day, synchronized with the rotation of the earth.

Today, the prevalent worldwide time standard is set by the Global Positioning System (GPS) time (Dana 1997), which continuously counts the SI seconds and is not perturbed by leap seconds. The representation of GPS time consists of two fields: a count-of-weeks field (counted since January 6, 1980, the epoch of GPS time) and a count-of-seconds field within the current week. Since the count of weeks is represented in a ten-bit field, after every 1024 weeks (i.e., after every 19.6 years) the week counter is rolled over to zero. At the time of this writing, the last roll-over of GPS time (the most recent epoch of GPS time) was on April 6, 2019. The worldwide distribution of GPS time is accomplished by the global positioning system (GPS) and is accurate to within 10 to 100 nanoseconds, depending on the quality of the GPS signal receiver. GPS time is thus a globally available digital time reference that is of a sufficient quality for most cyber-physical system applications. The availability of GPS time is critical for the operation of many infrastructure systems, such as telecommunication and energy distribution.

3.2 Accuracy and Precision

In most computer systems a quartz crystal functions as the physical oscillator of a digital clock. The frequency of a quartz crystal depends on the size of the crystal and environmental conditions, such as temperature and humidity. The data sheet of a crystal oscillator states its intended frequency and its possible drift rate ρ. A drift rate of, for example, $10^{-6}$ implies that a clock may drift up to one μsec/sec from the time reference. If the state of a clock is not periodically corrected in order to bring it within a defined range of the time reference – this is the topic of clock synchronization – any unsynchronized quartz crystal clock will eventually drift away from a given time reference beyond any bound.

Let us assume the availability of a hypothetical digital reference clock z with a very fine granularity (e.g., an atomic clock that ticks in the femtosecond range) that is precisely aligned with GPS time. We call a tick of the reference clock z a reference-tick and the duration between two reference-ticks a reference-granule. We consider the minuscule digitalization error of a single reference-granule a second-order quantity that can be disregarded.

Consider two clocks, clock j and clock k, with the same granularity. We call the physical tick of each clock a micro-tick (we will use the term tick later on to denote the ticks of the global time). The offset at micro-tick i between the two clocks j and k is defined as

$$\mathit{offset}^{jk}_i = \left| z(\text{micro-tick}^{j}_i) - z(\text{micro-tick}^{k}_i) \right|$$

where $z(\text{micro-tick}^{j}_i)$ denotes the state of the reference clock z at micro-tick i of clock j and $z(\text{micro-tick}^{k}_i)$ denotes the state of the reference clock z at micro-tick i of clock k. The offset denotes the time difference between respective micro-ticks of the two clocks, expressed in the number of reference-granules of the reference clock z.

The offset of clock k with respect to the reference clock z at tick i is called the $\mathit{accuracy}^{k}_i$ of clock k at micro-tick i. The maximum offset over all micro-ticks over a period of interest is called the $\mathit{accuracy}^{k}$ of clock k. The accuracy denotes the maximum offset of a given clock from the external time reference during a duration of interest.

Let us now look at an ensemble of n clocks {1, 2, . . . , n}. The maximum offset between the respective micro-ticks of any two clocks of the ensemble defines the precision $\Pi^{ensemble}_i$ of the ensemble at tick i:

$$\Pi^{ensemble}_i = \max_{\forall j,k} \left\{ \mathit{offset}^{jk}_i \right\} \quad \text{over all clock pairs } j, k$$

The maximum of $\Pi^{ensemble}_i$ over an interval of interest is called the precision Π of the ensemble. The precision is expressed in the number of granules of the reference clock z and denotes the maximum offset of respective micro-ticks of any two clocks of the ensemble during a duration of interest.

It follows that an ensemble of clocks, where every clock is characterized by an accuracy A, is also precise, where the precision

$$\Pi \le 2A$$

The inverse is not valid, since an ensemble of clocks can drift away from the reference time.

3.3 Global Time

Suppose an ensemble of nodes exists, each one with its own local physical clock k that micro-ticks with granularity $g^k$. Assume that all clocks of the ensemble are internally synchronized with a precision Π over the interval of interest. It is then possible to select a subset of the micro-ticks of each local clock k for the generation of a local representative of a global notion of time at each node. We call such a selected local tick the tick of a global time. For example, every tenth micro-tick of a local clock k may be interpreted as a global tick of this clock k. The number of micro-ticks between two global ticks determines the granularity of the global time. Note, however, that there may be a time difference of up to Π among the global ticks of the global time of an ensemble. If this time difference is of no concern, then we can abstract from the particular physical clock that produces a global tick and consider the global tick at this node as the local representative of the global notion of time in the distributed system. A global time is thus an abstract notion that is approximated by properly selected micro-ticks from the synchronized local physical clocks of an ensemble.

One question remains open: How should we determine a reasonable granularity of the global time, that is, the number of micro-ticks between two global ticks? This question is answered by the reasonableness condition of the global time, which states that

$$2\,\Pi \;>\; \text{global granularity} \;>\; \Pi$$

If the right side of the reasonableness condition is satisfied, then the global timestamps of a single event that is observed by two different nodes of our ensemble can differ by at most one global tick. This is the best we can achieve. Because of the impossibility of synchronizing the clocks perfectly (the synchronization error) and the granularity of any digital time (the digitalization error), there is always the possibility of the following sequence of events: clock j ticks, event e occurs, clock k ticks. In such a situation, the single event e is timestamped by the two clocks j and k with a difference of one tick. The left side of the reasonableness condition limits the duration of the global granularity and thus ensures that the quality of our global time is not degraded by an unnecessarily long granularity.

3.4 Quality of Time Measurement

The critical parameter that determines the quality of a global time base is the precision Π that is maintained among all clocks of the distributed system. The precision determines the synchronization error and the digitalization error of the global time base. This precision is established by the recurrent clock synchronization.

The introduction of a global time drastically simplifies the measurement of durations between events that are observed by different nodes of a distributed system, at the expense of a reduced quality of the time measurement. This is demonstrated by the following example depicted in Fig. 1 (Kopetz 2012).

Consider the measurement of the duration between the start event and the finish event at a downhill skiing competition. If these events are timestamped by a single clock, then the digitalization error will be one micro-tick of this single clock. If there is clock j at the start and clock k at the finish, then the offset between these two clocks must be known in order to calculate the duration of interest, since the value of a timestamp of one clock cannot be compared with a timestamp generated by another clock if the two clocks are not synchronized.

Let us now look at the measurement error under the assumption that a global time is available. The top line of Fig. 1 shows the micro-ticks of the reference clock of an omniscient observer. The line immediately below shows the global ticks of clock j (the clock at the start) and the next line the global ticks of clock k (the clock at the finish). We further assume that the precision Π of the ensemble is known and the reasonableness condition is satisfied.

According to the left part of Fig. 1, the start event occurs at instant 17 and the finish event at instant 42, as timestamped by the reference clock of the omniscient observer. The duration is thus 25 micro-ticks of the reference clock (disregarding the digitalization error of one micro-granule of the reference clock, which is considered a second-order quantity). We now look at the measurement with a reasonable global time:

Case 1: Clock j (the start clock) timestamps the start event with 2 and clock k (the finish clock) timestamps the finish event with 3. The recorded duration is thus 1 granule, corresponding to 10 micro-granules of the reference clock.

Case 2: Assume that the clocks are interchanged. Clock k (the new start clock) timestamps the start event with 1 and clock j (the new finish clock) timestamps the finish event with 4. The recorded duration is thus 3 granules, corresponding to 30 micro-granules of the reference clock.

Fig. 1 Time measurement by using a global time

The left part of Fig. 1 shows an even more bizarre situation. The event 67 occurred before the event 69, but the timestamps of the events suggest that event 67 occurred after event 69. This bizarre situation is caused by the summation of the synchronization error (expressed by the precision Π of the ensemble) and the digitalization error of one granule which (according to the reasonableness condition) is larger than the precision Π.

This leads us to the following four fundamental limits of time measurement in distributed real-time systems with a reasonable global time base with granularity g:

(i) If a single event is observed by two different nodes, there is always the possibility that the global timestamps differ by one granule. A one-granule difference in the timestamps of two events is not sufficient to reestablish the temporal order of the events from their timestamps.

(ii) If the observed duration of an interval is $d_{obs}$, then the true duration $d_{true}$ is bounded by $(d_{obs} - 2g) < d_{true} < (d_{obs} + 2g)$.

(iii) The temporal order of events can be recovered from their timestamps if the difference between their timestamps is greater than 2 granules.

(iv) The temporal order of events can always be recovered from their timestamps, if the events are at least 4 granules apart.
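The skiing measurement and the four limits can be checked mechanically. The following Python sketch is an added example, not code from the chapter: the tick phases of clocks j and k (offsets -4 and 3 reference micro-granules, precision 7, granularity 10) and all class and function names are assumptions, constructed so that the readings match the numbers quoted in the text.

```python
"""Global timestamps from two synchronized clocks (constructed tick phases)."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class GlobalClock:
    name: str
    offset: int  # reference instant (micro-granules) of this clock's global tick 0
    g: int       # global granularity in reference micro-granules

    def timestamp(self, t_ref: int) -> int:
        """Global tick counter of this clock at reference instant t_ref."""
        return (t_ref - self.offset) // self.g


# Constructed values (assumptions): g = 10, tick phases -4 and 3.
G = 10
CLOCK_J = GlobalClock("j", offset=-4, g=G)
CLOCK_K = GlobalClock("k", offset=3, g=G)
PRECISION = abs(CLOCK_J.offset - CLOCK_K.offset)  # 7 micro-granules
assert 2 * PRECISION > G > PRECISION  # reasonableness condition holds


def observed_duration(start_clock, t_start, finish_clock, t_finish):
    """Duration in reference micro-granules as computed from global timestamps."""
    ticks = finish_clock.timestamp(t_finish) - start_clock.timestamp(t_start)
    return ticks * start_clock.g


def order_from_timestamps(ts_a, ts_b):
    """Limit (iii): trust the order only if the stamps differ by more than 2."""
    if ts_b - ts_a > 2:
        return "a before b"
    if ts_a - ts_b > 2:
        return "b before a"
    return None  # order cannot be recovered from the timestamps alone


def check_limits(clocks, horizon):
    """Exhaustively test limits (i)-(iv) for all event instants in [0, horizon)."""
    g = clocks[0].g
    res = {"max_same_event_diff": 0, "max_duration_error": 0,
           "naive_inversions": 0, "wrong_orders": 0, "unresolved_4g_apart": 0}
    # Limit (i): one event, stamped by every clock of the ensemble.
    for t in range(horizon):
        stamps = [c.timestamp(t) for c in clocks]
        res["max_same_event_diff"] = max(res["max_same_event_diff"],
                                         max(stamps) - min(stamps))
    # Limits (ii)-(iv): event a truly precedes event b (t_a < t_b).
    for t_a in range(horizon):
        for t_b in range(t_a + 1, horizon):
            for c_a, c_b in product(clocks, repeat=2):
                ts_a, ts_b = c_a.timestamp(t_a), c_b.timestamp(t_b)
                err = abs((ts_b - ts_a) * g - (t_b - t_a))
                res["max_duration_error"] = max(res["max_duration_error"], err)
                if ts_b < ts_a:  # raw timestamps contradict the true order
                    res["naive_inversions"] += 1
                verdict = order_from_timestamps(ts_a, ts_b)
                if verdict == "b before a":
                    res["wrong_orders"] += 1
                if t_b - t_a >= 4 * g and verdict is None:
                    res["unresolved_4g_apart"] += 1
    return res


if __name__ == "__main__":
    print("case 1:", observed_duration(CLOCK_J, 17, CLOCK_K, 42))
    print("case 2:", observed_duration(CLOCK_K, 17, CLOCK_J, 42))
    print("events 67/69:", CLOCK_J.timestamp(67), CLOCK_K.timestamp(69))
    print(check_limits([CLOCK_J, CLOCK_K], 150))
```

Comparing raw timestamps inverts some event pairs, while the rule of limit (iii) never reports a wrong order and always resolves events that are at least 4 granules apart.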

3.5 Sparse Time

Assume a set {E} of events that are of interest in a particular context. If these events are allowed to occur at any instant of the timeline, then we call the time base dense. If the occurrence of these events is restricted to some active intervals of duration ε with an interval of silence of duration  between any two active intervals, then we call the time base ε/ sparse, or simply sparse for short (Fig. 2) (Kopetz 2012, p. 62). Events that occur in the active intervals are called sparse events. If the interval of silence is long enough, for example, four granules of the global time, then all sparse events can be ordered consistently on the basis of their global timestamps. The ε-intervals can be numbered by integers. All events that happen within an ε-interval are named by the same integer and are considered simultaneous.

Fig. 2 Sparse time base

It is obvious that the occurrences of events can only be restricted if the given system has the authority to control these events, that is, these events are in the sphere of control of the distributed computer system (Davies 1979). We call these events internal events. The set of internal events could be the events of sending or receiving messages or the events of starting or terminating a program execution. In a time-triggered system, where the control signals are derived from the progression of the global time, the internal events can be restricted during the design to the ε-interval of the global time and thus become sparse events. It is then possible to establish a consistent view of the temporal order (including simultaneity) of all internal (sparse) events on the basis of their global timestamp in a distributed computer system.

The occurrence of events outside the sphere of control of the computer system, the external events, cannot be restricted to the ε-interval. We call these events non-sparse events. It can happen that the temporal order of a set of non-sparse events, established on the basis of their global timestamps generated at different nodes of the distributed system, is inconsistent (see the right side of Fig. 1). To arrive at a consistent view of the order of non-sparse events within a distributed computer system, the nodes must execute an agreement protocol. The consistent view of event occurrence established by an agreement protocol does not necessarily reflect the temporal order of event occurrence.

The first phase of an agreement protocol requires an information interchange among the nodes of the distributed system with the goal that every node acquires the differing local views about the state of the world from every other node.
At the end of this first phase, every correct node possesses exactly the same information as every other node. In the second phase of the agreement protocol, each node applies an identical deterministic algorithm to this consistent information to reach the same conclusion about the assignment of the event to an ε-interval of the sparse time base – the commonly agreed value. In the fault-free case, an agreement algorithm requires an additional round of information exchange as well as the resources for executing the agreement algorithm.

Agreement algorithms are costly in terms of communication requirements, processing requirements, and – worst of all – the additional delay they introduce into a control loop. It is therefore expedient to look for solutions to the consistent temporal ordering problem in distributed computer systems that do not require these additional overheads. The sparse time model, introduced above, provides such a solution within a distributed computer system.

4 Clock Synchronization

The purpose of clock synchronization is to ensure that the global ticks of all correct clocks occur within the specified precision, despite the varying drift rate of the local clocks at each node. Because the availability of a proper global time base can be of crucial importance for the operation of a distributed real-time system, the clock synchronization should not depend on the correctness of a single clock, that is, it should be fault-tolerant.

4.1 Synchronization Condition

The finite precision of the clocks of an ensemble is realized by a recurrent resynchronization of the clocks of the ensemble to bring the instants when the global time counters are incremented at each node close to each other. The period of resynchronization is called the resynchronization interval $R_{int}$. The maximum accumulated divergence of any two good clocks of the ensemble from each other during the resynchronization interval $R_{int}$ (where the clocks are free running) is called the drift offset $\Gamma$, which is given by

$$\Gamma = 2 \rho R_{int}$$

where $\rho$ denotes the maximum drift rate of the clock crystals, taken from the data-sheet of the crystal. The number two comes from the fact that the two clocks can drift in different directions. The maximum offset of the time instants of the global ticks immediately after a resynchronization is calculated by a convergence function $\Phi$ that is a characteristic of the clock synchronization algorithm. The synchronization condition (see Fig. 3) (Kopetz 2012, p. 67)

$$\Pi \geq \Phi + \Gamma$$

states the relationship between the precision $\Pi$, the drift offset $\Gamma$ during the resynchronization interval, and the result of the convergence function $\Phi$. In the worst case, when a clock touches the boundary of the precision (see Fig. 3) immediately before the resynchronization,

$$\Pi = \Phi + \Gamma$$

Fig. 3 Synchronization condition

The synchronization condition states that the synchronization algorithm must bring the clocks so close together that the amount of accumulated divergence during the next free-running resynchronization interval will not cause a clock to leave the precision interval.

4.2 Central-Master Clock Synchronization

The simplest clock synchronization method is the central-master clock synchronization. A unique node, the central master, periodically sends the value of its time counter in a synchronization message to all other nodes, the slave nodes. As soon as a slave node receives a new synchronization message from the master, the slave records the timestamp of message arrival. The difference between the master’s time, contained in the synchronization message, and the recorded slave’s timestamp of message arrival, corrected by the known latency of the message transport, is a measure of the deviation of the clock of the slave from the clock of the master. The slave then corrects its clock by this deviation to bring it into agreement with the master’s clock.

The convergence function $\Phi$ of the central master algorithm is determined by the difference between the fastest and slowest message transmission to the slave nodes of the ensemble, that is, the latency jitter between the event of writing the synchronization time value by the master and the events of message arrival timestamping at all slaves. Applying the synchronization condition, the precision of the central master algorithm is given by:

$$\Pi_{central} = \text{latency jitter} + \Gamma$$

The central master synchronization is often used in the startup phase of a distributed system. It is simple, but not fault tolerant, since a failure of the master ends the resynchronization, causing the free-running clocks of the slaves to leave the precision interval soon thereafter. In a variant of this algorithm, a multi-master strategy is followed: if the active master fails silently and the failure is detected by a local time-out at a shadow master, one of the shadow masters assumes the role of the master and continues the resynchronization. However, the fault hypothesis of this algorithm is limited, since it assumes that the master either works correctly or fails (fail-silence of the master).

4.3 Fault-Tolerant Clock Synchronization

A fault-tolerant clock synchronization algorithm maintains the synchrony of the global time even in the case that any of the local clocks that contribute to the global time fails in a malicious failure mode. Typically, distributed fault-tolerant clock resynchronization proceeds according to the following three distinct phases:

(i) Reading the time values: In the first phase, every node acquires knowledge about the state of the global time counters in all the other nodes by the exchange of messages among the nodes.
(ii) Calculating the convergence function: In the second phase, every node analyzes the collected information to detect errors, and executes the convergence function to calculate a correction value for the local global time counter. A node must deactivate itself if the correction term calculated by the convergence function is larger than the specified precision of the ensemble.
(iii) Applying the correction value: Finally, in the third phase, the local time counter of the node is adjusted by the calculated correction value.

Existing algorithms differ in the way in which the time values are collected from the other nodes, in the type of convergence function used, and in the way in which the correction value is applied to the local time counter.

Reading the time values: In a local area network, the most important term affecting the precision of the synchronization is the jitter in the reading of the time messages that carry the current time values from one node to all the other nodes. The known minimal delay for the transport of a time message between two nodes can be compensated by a priori knowledge, a delay-compensation term that compensates for the delay of the message in the transmission channel and in the interface circuitry. The delay jitter depends more than anything else on the system level at which the synchronization message is assembled and interpreted. If this is done at a high level of the architecture, for example, in the application software, all random delays caused by the scheduler, the operating system, the queues in the protocol software, the message retransmission strategy, the media-access delay, the interrupt delay at the receiver, and the scheduling delay at the receiver, accumulate, and degrade the quality of the time values, thus deteriorating the precision of the clock synchronization. The following table gives approximate value ranges for the jitter that can be expected at the different levels (Table 1):

Table 1 Ranges of the jitter of the synchronization message (Kopetz and Ochsenreiter 1987)

| Synchronization message assembled and interpreted | Approximate range of jitter |
|---|---|
| At the application software level | 500 μsec to 5 msec |
| In the kernel of the operating system | 10 μsec to 100 μsec |
| In the hardware of the communication controller | Less than 1 μsec |

Since a small jitter is important to achieve high precision in the global time, a number of special methods for jitter reduction have been proposed. Cristian (1989) proposed the reduction of the jitter at the application software level using a probabilistic technique: a node queries the state of the clock at another node by a query-reply transaction, the duration of which is measured by the sender. The received time value is corrected by the synchronization message delay that is assumed to be half the round-trip delay of the query-reply transaction.

Calculating the convergence function: In an ensemble of three nodes, a malicious node that is not fail-silent can prevent the other two nodes from synchronizing their clocks since they cannot satisfy the synchronization condition (Kopetz 2012). Assume an ensemble of three nodes, and a convergence function where each of the three nodes sets its clock to the average value of the neighbors. Clocks A and B are good, while clock C is a malicious two-faced clock that disturbs the other two good clocks in such a manner that neither of them will ever correct their time value and will thus eventually violate the synchronization condition. Such a malicious, two-faced manifestation of behavior is sometimes called a malicious error or a Byzantine error. It has been shown (Lamport and Melliar Smith 1985) that clock synchronization can only be guaranteed in the presence of Byzantine errors if the total number of clocks $N \geq 3k + 1$, where k is the number of Byzantine faulty clocks. A Byzantine error can lead to inconsistent views of the state of the clocks among the ensemble of nodes. A special class of algorithms, the interactive-consistency algorithms (Pease et al. 1980), inserts additional rounds of information exchanges to agree on a consistent view of the time values at all nodes. These additional rounds of information exchanges increase the quality of the precision at the expense of additional communication overhead. Other algorithms – one round algorithms – work with inconsistent information, and establish bounds for the maximum error introduced by the inconsistency.

Applying the correction value: The correction term calculated by the convergence function can be applied to the local-time value immediately (state correction), or the rate of the clock can be modified so that the clock speeds up or slows down during the next resynchronization interval to bring the clock into better agreement with the rest of the ensemble (rate correction). State correction is simple to apply, but care must be taken that the global time base maintains the consecutive property despite the resynchronization. Rate correction can be implemented either in the digital domain by changing the number of micro-ticks in some of the granules of the global time, or in the analog domain by adjusting the voltage of the crystal oscillator. To avoid a common-mode drift of the complete ensemble of clocks, the average of the rate correction terms among all clocks in the ensemble should be close to zero.
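The two ways of reading a remote clock described above, the central-master message with a priori delay compensation (Sect. 4.2) and the query-reply estimate of Cristian (1989), can be worked through numerically to show where the residual error comes from. This is an added example, not code from the chapter; the function names, the microsecond values and the simulated delays are constructed assumptions.

```python
"""Reading a remote clock: a priori delay compensation vs. round-trip estimate.

All times are integers in microseconds. The master (or queried node) is
taken as the reference clock; a slave's clock reads reference time + offset.
"""


def central_master_correction(master_time, arrival_timestamp, known_latency):
    """Correction a slave applies after one synchronization message.

    master_time       -- time counter value carried in the message
    arrival_timestamp -- slave's own clock reading at message arrival
    known_latency     -- a priori delay-compensation term
    """
    return (master_time + known_latency) - arrival_timestamp


def round_trip_correction(query_sent, reply_received, remote_time):
    """Correction from a query-reply transaction timed by the sender.

    The message delay is assumed to be half the measured round trip.
    """
    round_trip = reply_received - query_sent
    return (remote_time + round_trip / 2) - reply_received


def simulate_central_master(offsets, delays, known_latency, master_time=1_000_000):
    """Return each slave's offset from the master after one resynchronization."""
    residual = {}
    for slave, offset in offsets.items():
        # The slave timestamps the arrival with its own (offset) clock.
        arrival = master_time + delays[slave] + offset
        correction = central_master_correction(master_time, arrival, known_latency)
        residual[slave] = offset + correction
    return residual


def simulate_round_trip(offset, request_delay, reply_delay, start=1_000_000):
    """Return the slave's remaining offset after one query-reply correction."""
    query_sent = start + offset                      # read on the slave clock
    remote_time = start + request_delay              # read on the reference clock
    reply_received = start + request_delay + reply_delay + offset
    return offset + round_trip_correction(query_sent, reply_received, remote_time)


def spread(values):
    """Largest distance between any two values."""
    values = list(values)
    return max(values) - min(values)


# Constructed scenario: three slaves, minimum transport delay 40 us,
# actual delays differ by up to 25 us (the latency jitter).
OFFSETS = {"s1": 300, "s2": -150, "s3": 75}
DELAYS = {"s1": 40, "s2": 65, "s3": 52}

if __name__ == "__main__":
    after = simulate_central_master(OFFSETS, DELAYS, known_latency=40)
    print("offsets before:", OFFSETS, "spread", spread(OFFSETS.values()))
    print("offsets after: ", after, "spread", spread(after.values()))
    print("latency jitter:", spread(DELAYS.values()))
    print("round trip, symmetric delays :", simulate_round_trip(300, 50, 50))
    print("round trip, asymmetric delays:", simulate_round_trip(300, 80, 20))
```

After the central-master round the slaves differ from each other by exactly the latency jitter, which is why the level at which the message is timestamped (Table 1) dominates the achievable precision; the round-trip estimate is exact only when request and reply delays are equal.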

4.4 Fault-Tolerant-Average (FTA) Algorithm

An example of a fault-tolerant synchronization algorithm that works with inconsistent information and therefore does not need an additional round of information exchange is the FTA algorithm (Fig. 4). The FTA algorithm is a one-round algorithm that works with inconsistent information and bounds the error introduced by the inconsistency. At every node, the N measured time differences between the node’s clock and the clocks of all other nodes are collected (the node considers itself a member of the ensemble with time difference zero). These time differences are sorted by size. Then the k largest and the k smallest time differences are removed (assuming that an erroneous time value is either larger or smaller than the rest). The remaining $N - 2k$ time differences are by definition within the precision window (since only k values are assumed to be erroneous and an erroneous value is larger or smaller than a good value). The average of these remaining $N - 2k$ time differences is the correction term for the node’s clock.

The precision of the FTA can be calculated as follows: Assume a distributed system with N nodes, each one with its own clock (all time values are measured in seconds). At most k out of the N clocks behave in a Byzantine manner. A single Byzantine clock will cause the following error $E_{byz}$ in the calculated averages at two different nodes in an ensemble of N clocks:

$$E_{byz} = \frac{\Pi}{N - 2k}$$

In the worst case a total of k Byzantine errors will thus cause an error term of

$$E_{k\text{-}byz} = \frac{k \Pi}{N - 2k}$$

Fig. 4 Fault-tolerant-average (FTA) algorithm

Considering the jitter $\varepsilon$ of the synchronization messages, the convergence function of the FTA algorithm is given by

$$\Phi(N, k, \varepsilon) = \frac{k \Pi}{N - 2k} + \varepsilon$$

Combining the above equation with the synchronization condition from above and performing a simple algebraic transformation, we get the precision of the FTA algorithm:

$$\Pi(N, k, \varepsilon, \Gamma) = (\varepsilon + \Gamma) \frac{N - 2k}{N - 3k}$$

The Byzantine error term $(N - 2k)/(N - 3k)$ indicates the loss of quality in the precision due to the inconsistency arising from the Byzantine errors. In a real environment, at most one Byzantine error is expected to occur in a synchronization round (and even this will happen very, very infrequently), and thus, the consequence of a Byzantine error in a properly designed synchronization system is not serious. For example, in a system with four nodes, one of which is Byzantine, the Byzantine error term is 2. The FTA algorithm is implemented in the hardware of the Time-Triggered Protocol (TTP) controller (Kopetz and Gruensteidl 1994).
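The FTA convergence function and its error bound can be checked on a four-node ensemble with one two-faced clock, next to a plain average that has no fault tolerance. This is an added example, not the TTP controller's implementation or code from the chapter; the function names and the clock values (in microseconds) are constructed assumptions, and the deactivation check follows the rule stated in Sect. 4.3.

```python
"""Fault-tolerant-average (FTA) convergence function with a two-faced clock.

Clock values are integers in microseconds (constructed sample data).
"""


def fta_correction(differences, k, precision=None):
    """Average the N - 2k time differences left after dropping k per side.

    differences -- the N measured differences (remote - own), own clock as 0
    k           -- number of Byzantine clocks to tolerate
    precision   -- if given, a correction larger than this means the node
                   itself has left the ensemble and must deactivate
    """
    n = len(differences)
    if n < 3 * k + 1:
        raise ValueError("N >= 3k + 1 clocks are needed to tolerate k Byzantine clocks")
    kept = sorted(differences)[k:n - k]
    correction = sum(kept) / len(kept)
    if precision is not None and abs(correction) > precision:
        raise RuntimeError("correction exceeds the precision: node must deactivate")
    return correction


def plain_average(differences, k=0):
    """Convergence function without fault tolerance, for comparison only."""
    return sum(differences) / len(differences)


def resynchronize(views, k, convergence):
    """Apply one resynchronization round at every node in `views`.

    views[node][clock] is the value of `clock` as read by `node`; a Byzantine
    clock may appear with a different value in each node's view.
    """
    corrected = {}
    for node, seen in views.items():
        own = seen[node]
        differences = [value - own for value in seen.values()]
        corrected[node] = own + convergence(differences, k)
    return corrected


def spread(values):
    """Largest distance between any two clock values."""
    values = list(values)
    return max(values) - min(values)


def byzantine_error(precision, n, k):
    """Error term k * precision / (N - 2k) caused by k Byzantine clocks."""
    return k * precision / (n - 2 * k)


def fta_precision(n, k, jitter, drift_offset):
    """Precision of the FTA: (jitter + drift offset) * (N - 2k) / (N - 3k)."""
    if n <= 3 * k:
        raise ValueError("N must exceed 3k")
    return (jitter + drift_offset) * (n - 2 * k) / (n - 3 * k)


# Constructed ensemble: A, B, C are good and at most 8 us apart; D is
# two-faced and shows a far-too-slow value to A and a far-too-fast value to C.
GOOD = {"A": 100, "B": 104, "C": 108}
VIEWS = {
    "A": {**GOOD, "D": -900},
    "B": {**GOOD, "D": 104},
    "C": {**GOOD, "D": 1108},
}

if __name__ == "__main__":
    for name, fn in (("plain average", plain_average), ("FTA", fta_correction)):
        result = resynchronize(VIEWS, 1, fn)
        print(f"{name:13}: {result}  spread = {spread(result.values())}")
    print("bound on Byzantine error:", byzantine_error(8, 4, 1))
    print("FTA precision for jitter 1, drift offset 2:", fta_precision(4, 1, 1, 2))
```

With the plain average the two-faced clock drives A and C apart, while the FTA leaves them no further apart than the error term for a precision of 8 μs, N = 4 and k = 1.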

4.5 External Clock Synchronization

External clock synchronization links the global time of a cluster to an external standard of time. For this purpose, it is necessary to access a timeserver, that is, an external time source that periodically broadcasts the current reference time in the form of a time message (e.g., GPS receiver). This time message must raise a synchronization event (such as the beep of a wrist watch) in a designated node of the cluster and must identify this synchronization event on the agreed time scale. Such a time scale must be based on a widely accepted measure of time, for example, the physical second, and must relate the synchronization event to a defined origin of time, the epoch. The interface node to a timeserver is called a time gateway. In a fault-tolerant system, the time gateway should be a fault-tolerant unit.

5 Benefits of a Global Time in the Design of a Hard Real-Time System

As pointed out in the introduction, a hard real-time computer system is a computer system where the correctness of the system behavior depends not only on the logical results of the computations but also on the physical time when these results are produced. By system behavior we mean the sequence of outputs in time of a system. The design of a hard real-time system is fundamentally different from the design of a soft real-time system. While a hard real-time computer system must sustain a guaranteed temporal behavior under all specified load and fault conditions, it is permissible for a soft real-time computer system to miss a deadline occasionally.

Today, most hard real-time computer systems are distributed, that is, they consist of a set of computational nodes that exchange real-time data by a real-time communication system. Some nodes, the sensor nodes, observe the environment with sensors that transform a selected physical sensation to a bit-pattern and interpret this bit-pattern to arrive at refined real-time data that represents the chosen physical sensation in a standard form. Other nodes process the refined real-time data to arrive at setpoints for controlled variables that are sent to actuator nodes. The actuator nodes output these setpoints to the actuators such that a desired physical effect in the environment is realized at the appropriate instant.

5.1 Periodic Behavior

Many hard real-time computer systems, particularly control systems, are characterized by a periodic behavior. The arrow of time is partitioned into a sequence of equidistant sampling intervals. At the start of a sampling interval, called a sampling point, the sensor nodes observe the environment. During the sampling interval the computer system calculates the new output. At the end of a sampling interval, the computer outputs new setpoints to the actuators. Decotignie notes (Decotignie 2005, p. 19-4):

“Periodicity is not mandatory, but often assumed as it leads to simpler algorithms and more stable and secure systems. Most of the algorithms developed with this assumption are very sensitive to period duration variations, jitter at the starting instant. This is especially the case of motor controllers in precision machines. Simultaneous sampling of inputs is also an important stability factor.”

The periodic sampling points in different nodes of a distributed system can be triggered (derived) from the advance of the robust global time, resulting in implicit system-wide precise synchronization of the sampling intervals. The simultaneous sampling of the different sensors, connected to different nodes of a distributed system, simplifies the fusion of the sensed variables (sensor fusion) and the construction of a model that characterizes the structure of the environment at the precise instant of sampling.

5.2 Temporal Predictability

In many practical scenarios, the behavior of a real-time system is realized by the execution of periodic real-time (RT) transactions that start with the sampling of the input data and terminate with the delivery of the setpoints to the actuators. The temporal predictability of these RT transactions is important for the achievement of a high quality of control in a control system. In a time-triggered distributed real-time system the start instants and the termination instants of all processing actions at the nodes and communication actions that transport the data among the nodes inside an RT transaction are derived from the progression of the global time according to an a priori provided temporal execution schedule as shown in Fig. 5. The development of such a time-triggered schedule requires that the execution times of all communication actions and processing actions that are part of an RT transaction are constant and are known a priori at design time.

Fig. 5 Cyclic phase-aligned real-time (RT) transaction

Constant Communication Actions: The real-time communication system that transports the messages among the nodes of the distributed computer system, either a bus or a switched network, is most often shared among a number of nodes. A constant time for the transmission of a message in such a shared network can only be established at design time if any access conflicts to the network during execution time are avoided. The preplanned time-triggered access schedule to the network that is at the core of any time-triggered communication protocol avoids any access conflicts at execution time and guarantees a constant message transmission time. An overview of the available time-triggered protocols is given in (Obermaisser 2012).

Constant Processing Actions: The execution time of many control algorithms is variable and depends on the provided input data. There are two techniques to arrive at a constant execution time:

(i) To calculate the Worst-Case Execution Time (WCET) (Wilhelm et al. 2008) of a program and provide a corresponding constant time-slot for the execution of the program. Since the average execution time of a program is significantly smaller than its WCET, this technique does not make best use of the available time.
(ii) To use an anytime algorithm (Kopetz 2018). An anytime algorithm, for example, Newton’s iteration algorithm, consists of a core segment followed by an enhancing segment. The execution of the core segment is guaranteed to provide a first satisficing result quickly. A result is a satisficing result if it is adequate (but not necessarily optimal) in the particular situation and meets all safety assertions. Continuous improvements of the satisficing result are provided by the repeated execution of the enhancing segment until the deadline is reached. In the anytime approach, the simple core segment must deploy algorithms that are amenable to WCET analysis. The size of the time-interval between the average execution time of the core segment and the WCET of the core segment is used to improve the quality of the result.

5.3 Context Alignment

The amount of data that must be transported in order to transmit an information item from a sender to one or a set of receivers can be reduced if the context of the receiver is well-aligned with the context of the sender (Kopetz 2019). A global time that is available at the sender and the receiver increases this shared context and leads to a reduction of the amount of data that must be transmitted. This reduction of the amount of data improves the speed of data transmission and increases the responsiveness of a real-time control system. In the Time-Triggered Protocol (TTP) (Kopetz and Gruensteidl 1994) the a priori known periodic send instants of a message are used to identify implicitly the clock of the sender of a message. No explicit data must be transmitted to identify the sender. The difference between the a priori known expected arrival time of the time-triggered message and the measured arrival time of this message informs the receiver about the offset between the clock of the sender and the clock of the receiver. This information, which is collected for every message in every round by a hardware mechanism in the TTP controller, is sufficient for the fault-tolerant clock synchronization that is part of the TTP protocol. In TTP there is no need to send explicit synchronization messages.

The technique of identifying the meaning of a data item, such as a single-bit alarm notification, by the instant of receiving the alarm message (that contains this data item) by the receiver and by the position of the alarm bit in an alarm message helps to reduce significantly the bandwidth requirement for the predictable and timely transmission of alarm information in a time-triggered distributed system of alarm messages (Kopetz 2019).

5.4 Error Detection

A global time plays an important role in the detection of temporal data errors and component failures in a distributed real-time system.

Temporal Data Errors: Real-time data has a limited temporal validity. Using a data item outside its temporal validity interval can have serious consequences. Consider an autonomous car observing a traffic light. If the information item “the traffic light is green” is used outside its temporal validity interval, an accident can occur. The global time at the sender can be used to assign a validity timestamp to the real-time data item. The receiver can interpret this validity timestamp, using the global time of the receiver.

Component Failures: Many component failures are fail-silent, that is, in the case of a component failure the failed component does not send any message at all. The detection of a fail-silent component failure can only be performed in the temporal domain, based on a priori knowledge about the temporal behavior of a correct component. In a time-triggered system, where the receiver knows a priori the global time instant when a message from a particular component is expected to arrive, the error-detection latency for the detection of a component failure is minimal. A short error-detection latency is of paramount importance for the timely mitigation of the consequences of a component failure.
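Both checks described in this section, rejecting a data item outside its temporal validity interval and detecting a fail-silent component from a missing time-triggered message, can be sketched as receiver-side logic over the global time. This is an added example, not code from the chapter; the schedule, component names, tick values and the policy of expiring an item one precision interval early are constructed assumptions.

```python
"""Temporal error detection at a receiver that shares the global time.

Times are global-time ticks (integers). The schedule, component names and
arrival instants are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    name: str          # e.g. "traffic_light"
    value: str
    valid_until: int   # validity timestamp assigned by the sender


def is_temporally_valid(observation, now, precision):
    """Accept a data item only while it is certainly still valid.

    Sender and receiver clocks may differ by up to `precision`, so the
    receiver treats the item as expired `precision` ticks early (an assumed,
    conservative policy).
    """
    return now + precision <= observation.valid_until


@dataclass(frozen=True)
class Slot:
    sender: str
    phase: int    # expected arrival instant within the cycle
    period: int   # cycle length


def expected_arrivals(slot, start, end):
    """Expected arrival instants of `slot` in the interval [start, end]."""
    first = start + (slot.phase - start) % slot.period
    return list(range(first, end + 1, slot.period))


def detect_silent_components(schedule, arrivals, now, window):
    """Return {sender: first missed instant} for every overdue message.

    arrivals -- {sender: [measured arrival instants]}
    window   -- tolerated deviation between expected and measured arrival
    A message counts as missing once its arrival window has closed at `now`
    and no measured arrival lies within `window` of the expected instant.
    """
    failed = {}
    for slot in schedule:
        seen = arrivals.get(slot.sender, [])
        for instant in expected_arrivals(slot, 0, now - window - 1):
            if not any(abs(t - instant) <= window for t in seen):
                failed[slot.sender] = instant
                break
    return failed


# Constructed time-triggered schedule with a cycle of 100 ticks.
SCHEDULE = [Slot("sensor", 10, 100), Slot("controller", 40, 100),
            Slot("actuator", 70, 100)]
# The controller falls silent after its second message.
ARRIVALS = {
    "sensor": [11, 109, 210],
    "controller": [40, 141],
    "actuator": [70, 169, 271],
}

if __name__ == "__main__":
    light = Observation("traffic_light", "green", valid_until=1000)
    for now in (998, 999):
        print(now, "use green light:", is_temporally_valid(light, now, precision=2))
    for now in (242, 243, 300):
        print(now, "silent:", detect_silent_components(SCHEDULE, ARRIVALS, now, 2))
```

The controller's failure is reported at tick 243, one tick after the arrival window around its expected instant 240 has closed, so the error-detection latency is bounded by the window width.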

5.5 Fault-Tolerant Architectures

In many safety critical computer applications, where a failure of the computer can have catastrophic consequences for the society at large (e.g., a computer-controlled airplane, an autonomous car, or a nuclear reactor), the magical number of 10^9 h of safe operation (that is more than 100,000 years) is demanded. Such a high reliability can only be demonstrated if a fault-tolerant architecture is deployed where the safety case is based on a combination of experimental evidence about the dependability of the components of the architecture and an analytical analysis of the structure of the architecture. Many fault-tolerant architectures deploy triple modular redundancy (TMR), that is, three replicated components form a fault-tolerant unit that masks the failure of any one of its components by majority voting. Such a TMR structure requires the availability of a fault-tolerant global time. As demonstrated in section “Fault-Tolerant-Average (FTA) Algorithm” the generation of a global time requires four clocks. The existence of a fault-tolerant global time is thus a prerequisite for the deployment of a TMR architecture.

6 Conclusion

The phenomenal growth of computer systems that directly interact with the physical world, such as the Internet of Things (IoT) and cyber-physical systems, requires a deep understanding of the issues that surface when cyber-space meets physical space. The Newtonian model of physical time that governs the behavior of objects in the physical space assumes an absolute time that exists independently of any perceiver and progresses at a regular pace all over the universe. This progress of the physical time determines at what instants a real-time computer system has to interact with a physical process in the physical world. A real-time computer that executes its algorithms in cyber-space must thus be made aware of the progression of the physical time. This awareness is provided by the concept of a global time in every node of a distributed real-time computer system. This chapter has shown how such a robust global time can be provided and discussed the characteristics, limitations, and benefits of a fault-tolerant global time base in a distributed real-time computer application.

References

M. Bennett et al., Huygen’s Clock. Proc. Math. Phys. Eng. Sci. British Royal Society 458(2019), 563–579 (2002)
C. Craig, Thermodynamic Asymmetry of Time. (The Stanford Encyclopedia of Philosophy, 2016). Stanford University, Stanford. https://plato.stanford.edu/entries/time-thermo/
F. Cristian, Probabilistic Clock Synchronization. Distribut. Comput. 3. Springer Verlag, 146–185 (1989)
P.H. Dana, Global Positioning System (GPS) time dissemination for real-time applications. Real-Time Syst. 12(1), 9–40 (1997)
C.T. Davies, Data processing integrity, in Computing Systems Reliability, (Cambridge University Press, Cambridge, MA, 1979), pp. 288–354
J.D. Decotignie, Which network for which application, in The Industrial Communication Technology Handbook, ed. by R. Zuwarski, (Taylor and Francis, Boca Raton, 2005), pp. 19/1–19/15. – p. 19-4
S. Hawkins, A Brief History of Time (Bantam Books, New York, 2016)
W.A.S. Herandes, Augustine on Time. Int. J. Human. Sci. 6(6), 37–40 (2016)
H. Kopetz, Real Time Systems—Design Principles for Distributed Embedded Applications, 2nd edn. (Springer, New York, 2012)
H. Kopetz, Anytime algorithms is time-triggered control system, in Principles of Modeling, ed. by M. Lohstroh. Springer LNCS 10760, (Springer, New York, 2018), pp. 326–335
H. Kopetz, Simplicity Is Complex—Foundations of Cyber-Physical System Design (Springer, Cham, 2019)
H. Kopetz, G. Gruensteidl, TTP, a protocol for fault-tolerant real-time systems. IEEE Comput. 7(1), 14–23 (1994)
H. Kopetz, W. Ochsenreiter, Clock synchronization in distributed real-time systems. IEEE Trans. Comput. 36(8), 933–940 (1987)
L. Lamport, P.M. Melliar Smith, Synchronizing clocks in the presence of faults. J. ACM 32(1), 52–58 (1985)
G. Moyer, The Gregorian calendar. Sci. Am. 246(5), 144–153 (1982)
I. Newton, Principia: Mathematical Principles of Natural Philosophy. Originally published in 1687 (University of California Press, Berkeley; London, 2016)
R. Obermaisser, Time-Triggered Communication (Taylor and Francis, Boca Raton, 2012)
M. Pease, R. Shostak, L. Lamport, Reaching agreement in the presence of faults. J. ACM 27(2), 228–234 (1980)
B. Taylor (ed.), The International System of Units. NIST Special Publication 130. 2001 Edition. National Institute of Standards and Technology (NIST). US Department of Commerce. Gaithersburg, Maryland (2001)
R. Wilhelm et al., The Worst-case Execution-time Problem Overview of Methods and Survey of Tools. ACM Trans. Embed. Comput. Syst. 7(3), 1–36 (2008)

2 Modeling of Real-Time Software Systems

Bran Selić

Contents
1 Introduction
1.1 On Models, Modeling, and Modeling Languages
1.2 Modeling Real-Time Software
1.3 Real-Time Analysis Languages
2 Categorizing Real-Time Modeling Languages
2.1 General Modeling Language Characteristics
2.2 Language Characteristics Specific to Real-Time Languages
3 A Review of Notable Real-Time Modeling Languages
3.1 Historical RT Modeling Languages
3.2 Recent RT Modeling Languages
3.3 Other Real-Time Modeling Languages (RTMLs)
4 State of the Practice and Future Trends
References

Abstract
Because real-time software is subject to more stringent requirements on quality and timing than other categories of software, the use of models and modeling languages has a long tradition in that domain. Initially, models were used in the early phases of development, for analyzing and predicting key system characteristics, as well as for capturing requirements and design intent. However, with the emergence of a new generation of modeling languages and model transformation technologies, nowadays modeling is present across the entire development cycle, including the automated generation of complete implementations directly from models. This chapter first defines the various roles that models and modeling languages play in software development. Next, a framework for characterizing and comparing different real-time modeling languages is described. Finally, some of the most notable real-time modeling languages are reviewed, starting from some of the earliest and up to the most recent.

B. Selić: Malina Software Corp, Nepean, ON, Canada; Faculty of Information Technology, Monash University, Clayton, VIC, Australia
© Springer Nature Singapore Pte Ltd. 2022. Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_57

Keywords
Model-based engineering · Modeling languages · Real-time software

1 Introduction

This chapter presents an overview of how models and modeling methods have been applied to the design and development of real-time and embedded systems, with particular focus on computer-based modeling languages intended specifically for the real-time domain.

1.1 On Models, Modeling, and Modeling Languages

Models have been an integral part of engineering from time immemorial. Thus, in the oldest surviving engineering text, written in the first century BC, the Ancient Roman engineer, Marcus Vitruvius Pollio, discusses the use of scale models in the design of siege engines (Pollio 1914). For the purposes of this text, an engineering model is defined as: a selective representation of a system intended to capture accurately and concisely all of its essential properties relevant to a given set of concerns.

This definition implies that models should be constructed with a specific purpose in mind (i.e., for a “given set of concerns”). This means that there can be multiple different models of a given system, based on their purpose. In general, engineering models can serve any or all of the following functions (Selic 2003):

a) To foster understanding of the system under study by analyzing its model; this includes, in particular, the use of models to make predictions about a system’s properties of interest
b) To facilitate communication about the system and design ideas among the system stakeholders
c) To specify what is to be implemented; that is, the use of models as specifications for implementation teams

The power of models stems from two core features of all good models:

1. Models limit the amount of information that they capture, to avoid mentally confounding information overload. In other words, models are abstractions of the reality that they represent. Ideally, they only expose those aspects of a system that are of interest to the observer, while either omitting or at least hiding other information. For example, when modeling a software-based system, good models typically omit details of the underlying computer-based implementation, such as the hardware elements and machine language instructions that comprise its actual concrete implementation. Instead, they focus more on its logical/conceptual aspects.
2. The other key feature of good engineering models is that their concrete form is adjusted to match the worldview of the observer. For the case of human observers, this means that the model is expressed using a human-understandable form. When this principle is applied to software systems, it implies that the model should be specified in terms that most directly capture the commonly understood concepts, or ontology, of the domain.

The latter point in particular is fundamental to the design of modeling languages, which are the means for constructing models of software. The more accurately and more succinctly a software model represents its software, the easier it becomes for stakeholders to understand and analyze it. The need to be as specific as possible while at the same time abstracting away irrelevant detail is why there is a compelling need for domain-specific modeling languages and why it is so difficult to design them.

1.2 Modeling Real-Time Software

The domain of real-time software is in particular need of good modeling capabilities, primarily because real-time systems interact with physical systems and the physical environment in general. This environment is, of course, highly diverse, complex, concurrent, and generally unpredictable. Designing software to be reliable and dependable in such circumstances is more challenging than in many other domains where software is being used. Basic flow-charts are among the earliest attempts to model software in ways that emphasize understandability while hiding implementation detail. This eventually led to more sophisticated modeling notations (i.e., modeling languages). Perhaps the most notable of these early attempts were the structured analysis and design technique (SADT) developed by Douglas Ross in the late 1960s, and the later structured design approach by Larry Constantine and Ed Yourdon (1975). These were general purpose modeling notations, but the need to be more precise and more accurate led to specializations of these modeling languages for real-time applications. Section 3 describes the evolution of real-time modeling languages starting from this point through to the present day, using a series of some of the most noteworthy examples. To help with categorizing and comparing the different real-time languages, Sect. 2 provides a conceptual framework for characterizing them.

B. Selić

1.3 Real-Time Analysis Languages

Prior to delving into the various real-time modeling languages, it is worth mentioning two important categories of quantitative analysis methods developed primarily for real-time systems. Although they are generally not considered to be software modeling languages per se, they are, in essence, model-based approaches that have developed their own abstract representations of time-sensitive systems. Both categories are highly developed and are based on sound mathematical foundations. Therefore, they are rare examples of the successful application of quantitative mathematical methods to software engineering problems. They can be used in conjunction with most of the modeling languages described here.

1.3.1 Performance Analysis Languages

These are languages that are based on classical queueing theory (Kleinrock 1975), which was developed early in the twentieth century to model and analyze telephony systems. With early experiments in computer communications networks, it was quickly realized that this theory could be adapted to provide useful predictions of important design features such as throughputs, delays, and queue sizes not only for computer networks, but also in many different kinds of computer applications (e.g., database design). Since then, numerous further adaptations of the basic queueing methods have been developed for performance analysis of various kinds of software systems (Jain 1991; Smith and Williams 2001).

1.3.2 Timing and Schedulability Analysis Methods

These represent a collection of modeling methods specifically for assessing quantitative timing properties of an important category of real-time systems (e.g., (Liu and Layland 1973; Klein et al. 1993)). They are applicable primarily to hard time-driven real-time systems, which tend to have a static structure and a dominantly periodic behavior. The theoretical basis consists of different strategies for scheduling periodic tasks in multiprocessing systems. Thus, based on a given set of tasks and a scheduling discipline, it is possible to formally predict whether or not such a system will meet all of its deadlines.
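As an added illustration of the schedulability analysis described above (this is not code from the chapter), the following Python example applies the Liu and Layland utilization bound and then a response-time iteration, a standard exact test named here as an addition, to two constructed task sets. It assumes a single processor, preemptive rate-monotonic priorities, independent tasks with no blocking, and deadlines equal to periods; all task names and parameters are invented for the example.

```python
"""Rate-monotonic schedulability check (added example, constructed task sets)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    name: str
    wcet: int    # worst-case execution time C, in ticks
    period: int  # period T in ticks; the deadline is assumed equal to T


def utilization(tasks):
    """Total processor utilization U = sum(C_i / T_i)."""
    return sum(t.wcet / t.period for t in tasks)


def liu_layland_bound(n):
    """Sufficient (not necessary) bound for n tasks: n * (2^(1/n) - 1)."""
    return n * (2 ** (1.0 / n) - 1)


def response_time(task, higher):
    """Worst-case response time under preemption by higher-priority tasks.

    Iterates R = C + sum(ceil(R / T_j) * C_j) to its smallest fixed point.
    Returns None as soon as the value exceeds the deadline (= period).
    """
    r = task.wcet
    while True:
        # -(-a // b) is integer ceiling division, avoiding float rounding.
        interference = sum(-(-r // h.period) * h.wcet for h in higher)
        nxt = task.wcet + interference
        if nxt > task.period:
            return None
        if nxt == r:
            return r
        r = nxt


def analyse(tasks):
    """Predict whether every task meets its deadline under rate-monotonic priorities."""
    ordered = sorted(tasks, key=lambda t: t.period)  # shorter period = higher priority
    u = utilization(ordered)
    bound = liu_layland_bound(len(ordered))
    responses = {
        t.name: response_time(t, ordered[:i]) for i, t in enumerate(ordered)
    }
    return {
        "utilization": u,
        "bound": bound,
        "passes_sufficient_test": u <= bound,
        "response_times": responses,
        "schedulable": all(r is not None for r in responses.values()),
    }


# Constructed task sets (ticks are arbitrary time units).
# SET_A exceeds the utilization bound yet still meets every deadline.
SET_A = [Task("sensor", 1, 4), Task("control", 2, 6), Task("logger", 3, 12)]
# SET_B has utilization below 1.0 but the lower-priority task misses its deadline.
SET_B = [Task("fast", 2, 5), Task("slow", 4, 7)]

if __name__ == "__main__":
    for label, task_set in (("SET_A", SET_A), ("SET_B", SET_B)):
        print(label, analyse(task_set))
```

The two sets show why the utilization bound alone is only a sufficient test: failing it does not prove a deadline miss, and a utilization below 1.0 does not prove schedulability under fixed priorities.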

2 Categorizing Real-Time Modeling Languages

To provide a systematic means of classifying and comparing the different modeling languages reviewed in this chapter, a number of key properties have been selected as a means of characterizing them. These have been grouped into two categories:

1. General language characteristics – these are general properties that can be used to characterize any modeling language
2. Real-time specific characteristics – these are properties that are specific to modeling languages targeting the real-time domain

2.1 General Modeling Language Characteristics

The following represent core design dimensions of a modeling language:

• Target domain of the language
• Extent of domain coverage
• Role in the development cycle
• Purpose of models
• Levels of abstraction
• Primary syntactical form
• Primary language paradigm
• Precision level
• Language extensibility
• Tool support
• Language resources

The meaning of each of these characteristics is explained below.

2.1.1 Target Domain

Although all the languages in this survey qualify as real-time modeling languages, some may be more focused on a particular application domain(s). This can have a major impact on the design of the language, such as its chosen model of computation, communications model, or concurrency model. The basic classification of real-time systems into hard and soft is one way of categorizing a modeling language. Hard real-time languages are very much constrained by the need to ensure full temporal correctness; that is, that all critical deadlines will be met. Soft real-time languages take a more relaxed approach to such constraints. Although some languages may support both styles, they may still be dominated by one of them. Another domain-based categorization is based on whether or not a language is intended for mission- or safety-critical applications. For obvious reasons, languages focused on these domains are much more constrained. Last but not least, a language can be classified based on its application domain, such as telecom, automotive, aerospace, etc.

2.1.2 Domain Coverage

A modeling language may be intended to be complete in the sense that it supports modeling of all aspects that are relevant in its chosen domain. Conversely, a partial language may be designed to be integrated with one or more other languages or facilities that complement its modeling capabilities.

2.1.3 Development Cycle Coverage

Some modeling languages were designed to be used primarily in the front-end of the development cycle, such as requirements specification or high-level architecture
design. Languages in this category are unlikely to offer extensive support for modeling of fine-grained detail. Alternatively, a full-cycle language is designed to be used throughout the entire development cycle, including, notably, implementation.

2.1.4 Purpose of Models

Languages may be intended for descriptive modeling, whereby their primary purpose is to facilitate communication and high-level qualitative analysis and design. They typically omit fine-grained detail and are primarily used for stakeholder communication and early design evaluation. Languages that support prescriptive modeling tend to be high fidelity with sufficient information included that the model can serve either as a fundamental reference for implementation or even as a source for generating implementations. Of course, languages in this latter category can still be used to produce descriptive models simply by omitting detail.

2.1.5 Multiple Levels of Abstraction

By their essence, models represent abstract representations of the systems they model. This means that they generally emphasize semantically significant (i.e., architectural) aspects of the application but either omit or hide more detailed elements. To that end, they tend to rely on syntactical forms – most often graphical – that not only highlight this distinction, but which are also chosen to facilitate understanding. For example, a state machine is most readily understood if it is rendered using the conventional nodes and arcs graph-based representation. This is in contrast to programming languages, where the syntactic uniformity of a textual representation tends to hide the distinction between architecturally significant aspects and low-level implementation detail. This ability to clearly separate and distinguish elements at different levels of abstraction, both from a semantic and syntactic perspective, is a fundamental characteristic of good modeling languages. In the case of real-time modeling languages, this means the ability to directly express the major real-time domain concepts using first-class language constructs.
Because their semantics are part of the definition of the language, these concepts can be automatically recognized by any language-specific tools such as model editors, design analyzers, code generators, etc.

2.1.6 Primary Syntactical Form

All modeling languages covered in this chapter have a graphical concrete syntax that is typically supplemented by some form of textual specifications. However, the key differentiator here is whether the graphical or the textual form is dominant in the sense that it is designed as the primary form for creating models.

2.1.7 Primary Language Paradigm

Early real-time modeling languages were based on the structural approach for specifying models. This implied flow-based models of computation. More recent languages favor the object-oriented paradigm, which implies support for inheritance
and strict encapsulation through abstract data types. Some languages offer support for both paradigms, although one tends to be dominant.

2.1.8 Precision Level

The precision level of a modeling language refers to the degree of exactness to which the semantics of the language constructs are defined. The following is a useful taxonomy of language categories with respect to this categorization (in increasing order of precision):

• Ad hoc modeling languages are informal and lack a systematic and comprehensive definition of their constructs and their meanings. Instead, they typically rely on graphical representations that in some symbolic or intuitive way suggest the intended semantics (e.g., icons). Many of them are intended for single use, such as ad hoc notations that are used in high-level slide presentations.
• Codified languages are modeling languages that are defined informally using natural language descriptions of their semantics. However, in contrast to ad hoc languages, they have a published comprehensive specification of their language constructs and semantics. This makes them reusable. A notable example of a language in this category is the original UML language. (Note, however, that with the introduction of the UML Action Semantics specification published for the first time in 2011, UML now has a formal specification (Object Management Group 2018).)
• High-level formal modeling languages are languages whose semantics are defined formally, typically using a precise mathematical formalism. The elements of these languages are generally limited to higher-level constructs. They are primarily intended for creating descriptive architectural-level models, which although they lack implementation-level detail, can still be meaningfully analyzed using suitable formal methods.
• Executable formal modeling languages. In contrast to the preceding category, these are formally defined languages whose range of constructs spans the full range of detail, from high-level to detail-level elements. They are distinguished by the fact that models constructed with such languages can be executed on a computer.
• Implementation-oriented modeling languages are a subset of the preceding category that are specifically designed for constructing prescriptive models that can be automatically transformed into fully fledged executable implementations. Of course, they can still be used to produce descriptive models simply by leaving out detail.

2.1.9 User-Defined Extensibility

Given the diversity of real-time software applications, it is impractical for a single modeling language to adequately span the full range of phenomena that could be involved in the domain. For example, a particular application might involve a hardware device with unique and highly idiosyncratic semantics. The traditional programming language approach to such cases is to provide specialized program
libraries to cover the unique equipment. Unfortunately, this is not always sufficient, since the semantics of such custom constructs are not part of the language definition. This means that language-specific tools (e.g., model validators) will not be able to properly account for these semantics, which limits their usefulness. An alternative to the custom library approach is to extend the language definition to accommodate the additional concept. Some modeling languages provide a built-in language extension capability. One example of such a facility is the UML profile mechanism. Language extensions can fall into one of two categories: conformant extensions and nonconformant ones. Conformant extensions are semantically compatible with the base language. This means that the extensions are simply specializations of existing language concepts with some additional semantic tweaks, but whose semantics do not violate the semantics of the base language. This is particularly useful since it allows tools designed for the base language to be used with such extended models with little or no modification. Nonconformant extensions, on the other hand, add new semantics to the language that are not recognized by base language tools. The UML profile mechanism produces conformant extensions by default, since all extensions are defined as specializations of existing standard UML language constructs.

2.1.10 Tool Support

The language support tools that most obviously come to mind are model authoring and editing tools. However, for actual practical application, there is an impressive additional spectrum of tools required. These include, but are not limited to, the following:

• Model-to-model transformation tools. These may be required, for example, to convert a source model into a corresponding analysis model, such as, say, a queueing model for performance analysis or a schedulability model for schedulability analysis.
• Model-to-text transformation tools. These are tools that can be used to transform a model into a matching textual representation, for documentation and other purposes. (In fact, the ability to generate documentation from a model is one of the primary motivations for using modeling in industrial practice.)
• Model validation tools. Validation tools are used to determine whether or not a design model satisfies key system requirements (e.g., QoS correctness, logical correctness). This may even include formal validation tools such as model checkers or theorem provers. To be truly effective, such tools must accommodate the specific semantics of the language concepts.
• Test generation tools. Modern software testing (verification) relies heavily on automated support not only to generate and execute tests but also to select which of many possible tests are to be executed.
• Model simulation and debug tools. In the ideal case, the ability to monitor and debug executing models should be done at the source (i.e., model) level rather than at the code level. These types of tools often provide animation and sophisticated execution control (breakpoints, tracing, etc.).
• Model management tools. Model management tools are needed when the models are co-developed by multiperson teams. They include standard diff/merge capabilities, as well as version management tools.
• Modeling and design guidance tools. These are primarily design support tools that help guide designers in developing their ideas. They are particularly useful for ensuring consistency within teams.

In addition to the above, there may be numerous other language-specific tools associated with a modeling language.

2.1.11 Language Resources

A computer language, whether it be a programming or modeling language, is, in essence, just one of the necessary components involved in the development of software. In addition to the tooling described above, there is an additional complement of facilities that are critical to its practical use. This includes at least the following:

• Language documentation, including fully fledged language reference and user manuals
• Language training materials and courses
• Domain-specific model libraries
• The ready availability of language experts

Without these, even the technically most superior language may not be of much practical value.

2.2 Language Characteristics Specific to Real-Time Languages

The following are identified as key modeling language characteristics, specific to the real-time domain, which can be used to characterize and differentiate languages:

• Model(s) of computation
• Representation of time
• Representing qualities of service (QoS)
• Modeling platforms
• Specifying software-to-platform deployment

2.2.1 Primary Model of Computation

“Model of computation” is a term used to describe how behavior takes place in a computational formalism. Well-known generic models of computation include procedural, object-oriented, and functional. In the real-time domain, two distinct
models of computation have evolved. One of these is the time-driven model, which is inspired by the continuous behavioral paradigm of the physical world. Because it has to be realized on a computer, time is discretized into a sequence of minute interval “chunks” of equal duration. All the necessary computations for phenomena that were active during a particular interval are computed based on the current data sample and their outputs passed on as updated data to be used as input to the next chunk in sequence. The effect is an approximation of continuously executing behavior. A particular variant of time-driven computation is the synchronous model (Berry 1999). The alternative model of computation to this one is the event-driven model. In this case, computation occurs only as the result of the occurrence of some event. This could be, for example, the result of an asynchronous stimulus generated by the external environment or the arrival of a communications message sent by one software entity to another. Computation only takes place when events occur. Most practical real-time systems combine these two models, although the usual approach is to select one as the primary model within which the other is nested. Regardless of which model is dominant, for the real-time domain concurrency is an immanent property present in all models of computation in the domain. What constitutes a unit of concurrency varies. In the object-oriented model, for instance, concurrency is often manifested in the form of an “active” object, that is, an object that, following its creation, continues to execute in parallel with other active objects in its environment. Another critical dimension related to the model of computation is whether computation is centralized or distributed. In the latter case, distribution is typically a consequence of the physical distribution of the computational resources. 
As described earlier, this introduces a set of physical phenomena into the computation that can have significant impact on the design and quality of an application. Last but not least, another key aspect of the computation model is the model of communication; that is, the methods by which the concurrent application entities communicate with each other. This could be via shared data, synchronous procedure calls (e.g., the Ada rendezvous), or asynchronous message passing.

2.2.2 Representation of Time

Time in computers can be represented in a variety of different ways. Most early real-time applications were centralized, executing on a single-processor system, where all time-related information is sourced from a single hardware clock. Consequently, in such a centralized model complex issues such as the accuracy and precision of the clock (since there was no reference clock to which it could be compared) were ignored. However, with the rise of more complex physically distributed real-time systems, where each computational site might be relying on its own clock, a distributed model of time may be required. Since physical clocks could have different characteristics (e.g., precision, drift, offset, etc.), an application may have to contend with the complex issue of relationships between multiple time sources.


2.2.3 Modeling Qualities of Service (QoS)

A salient characteristic that distinguishes real-time software applications from other types of software is the incursion of the physical world into the formal world of algorithms and mathematical logic. This is because they need to interact, in a timely and reliable fashion, with the complex and unpredictable physical environment in which they are embedded. This adds an engineering dimension to real-time software design, which must inevitably be combined with the design of the logic of the application. This engineering aspect has to do with ensuring that an application design will satisfy critical engineering requirements, such as timeliness, capacity, responsiveness/timeliness, energy consumption, availability, security, etc., which characterize the quality of the design. The term quality of service or QoS for short is generally used to cover these highly diverse quality characteristics. Since an application fundamentally depends on its platform for its implementation, the QoS that can be achieved by an application is a direct function of the QoS provided by the platform. This means that real-time software designers may have to account for the platform and its characteristics in their designs. For example, if the available computing speed and memory capacity of the hardware are limited, the corresponding design of the application software may need to work within the constraints that this imposes. Unfortunately, such constraints often clash with the goal of “platform independent” designs, that is, applications that can be ported to different platforms with little or no adaptation (see Sect. 2.2.4). The problem is exacerbated in case of physically distributed applications running on top of physically distributed platforms. In that case, it is not sufficient to account just for the platform QoS. It is also necessary to specify how components of the application are to be deployed to elements of the platform so that the QoS requirements are met. In summary, for real-time applications, logical correctness is not sufficient to ensure full correctness; its QoS correctness can be of equal significance (Fig. 1). To complicate matters, the two are often interdependent, which requires engineering type trade-offs between them.

Fig. 1 Correctness of real-time software systems


Designing for QoS correctness can be a serious challenge for classical approaches to software, since much of the original theory of computing and accompanying programming language technologies are primarily based on a strictly mathematical view of software. As a typical example of the consequences of such a “purist” approach to software design, no mainstream programming language supports the concept of physical types (e.g., speed, throughput) as first-order concepts. Instead, in most mainstream programming languages, all quantities, either physical or just numerical, are represented simply by numbers such as integers or reals. It is possible, of course, for values with physical connotations to be embedded in data structures with an associated physical dimension (e.g., km/h, MB/sec). Unfortunately, this is not sufficient, since the core physical semantics behind such quantities are not supported by traditional programming languages. For example, a simple addition of two velocities could lead to a result that exceeds the speed of light, which we know is not physically possible. (A classical and highly instructive illustration of this type of problem is the case of the Mars Climate Orbiter. This was a NASA spacecraft intended to monitor the climate on the surface of Mars. Unfortunately, it crashed upon deployment at a cost of many hundreds of millions of dollars. The root cause of the error was traced to an attempt to combine a value expressed in metric units with a value expressed in Imperial units (Stephenson et al. 1999). This is a typical type violation error, which should in principle be detected automatically by compilers. But, with no concept of physical types in the language, the compiler could not detect the discrepancy between the two values.) A standard computer language compiler would not detect such a semantic violation, which means that it is the programmer who must detect and deal with it – a method that has been proven highly error prone time and again.
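To make the physical-types argument concrete, here is an added Python example (not from the chapter) in which quantities carry their dimension and unit scale, so that pound-force seconds and newton-seconds are converted rather than silently summed, and dimension or range violations raise errors. The class names, the three-exponent dimension encoding, and the sample values are assumptions of the example; Python performs these checks at run time, whereas the chapter's point concerns checks a compiler could perform.

```python
"""Quantities with physical dimensions (added example, constructed values)."""
from dataclasses import dataclass

# A dimension is a tuple of exponents over (length, mass, time).
VELOCITY = (1, 0, -1)   # m / s
IMPULSE = (1, 1, -1)    # kg * m / s, i.e. N * s
SPEED_OF_LIGHT = 299_792_458.0  # m/s, exact by definition


class DimensionError(TypeError):
    """Raised when quantities of different dimensions are combined."""


class PhysicalRangeError(ValueError):
    """Raised when a value is dimensionally valid but physically impossible."""


@dataclass(frozen=True)
class Quantity:
    si: float    # magnitude in SI base units
    dim: tuple   # dimension exponents

    def __post_init__(self):
        # Domain semantics that a bare float cannot express.
        if self.dim == VELOCITY and abs(self.si) > SPEED_OF_LIGHT:
            raise PhysicalRangeError("velocity exceeds the speed of light")

    def __add__(self, other):
        if not isinstance(other, Quantity):
            return NotImplemented  # adding a bare number becomes a TypeError
        if other.dim != self.dim:
            raise DimensionError(f"cannot add {other.dim} to {self.dim}")
        return Quantity(self.si + other.si, self.dim)

    def to(self, unit):
        """Magnitude of this quantity expressed in the given unit."""
        if unit.dim != self.dim:
            raise DimensionError(f"cannot express {self.dim} in {unit.symbol}")
        return self.si / unit.to_si


@dataclass(frozen=True)
class Unit:
    symbol: str
    dim: tuple
    to_si: float  # factor converting a value in this unit to SI

    def __rmul__(self, value):  # enables the notation  10.0 * N_S
        return Quantity(float(value) * self.to_si, self.dim)


M_S = Unit("m/s", VELOCITY, 1.0)
KM_H = Unit("km/h", VELOCITY, 1000.0 / 3600.0)
N_S = Unit("N*s", IMPULSE, 1.0)
# 1 lbf = 0.45359237 kg * 9.80665 m/s^2 = 4.4482216152605 N (exact)
LBF_S = Unit("lbf*s", IMPULSE, 4.4482216152605)


def untyped_total(ground_value, onboard_value):
    """Bare numbers: the unit mismatch is invisible and the sum is wrong."""
    return ground_value + onboard_value


def typed_total(ground_value, onboard_value):
    """Each value states its unit; the sum is carried out in SI."""
    return ground_value * LBF_S + onboard_value * N_S


if __name__ == "__main__":
    print("untyped:", untyped_total(10.0, 10.0))           # unit unknown
    print("typed  :", typed_total(10.0, 10.0).to(N_S), "N*s")
    try:
        (10.0 * N_S) + (36.0 * KM_H)
    except DimensionError as exc:
        print("rejected:", exc)
    try:
        (0.6 * SPEED_OF_LIGHT * M_S) + (0.6 * SPEED_OF_LIGHT * M_S)
    except PhysicalRangeError as exc:
        print("rejected:", exc)
```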

2.2.4 Platform Modeling

In this text, the term platform refers to the combination of software and hardware facilities required to ensure that a software application can execute in a way that fully meets its specification. In essence, a platform provides a set of capabilities that can be used by applications to implement their functionality. (Most platforms can support multiple applications in the same category.) For example, when an application running on top of an operating system needs to send a message, this operation will ultimately be realized by a messaging service provided by the operating system. Similarly, if an application needs a new memory buffer for storing data, it is the operating system’s memory management function that will acquire the necessary memory space and offer it to the application. As these examples demonstrate, the relationship between an application and its supporting platform is a client-server relationship, with the application playing the role of the client. This means that we can represent a platform as a collection of services (Fig. 2). Depending on the programming model, these services are accessed by various means, including application programming interfaces (APIs) or more sophisticated types of interfaces such as ports. In this chapter, all such application-to-platform interfaces are covered under the generic term service access point (SAP). (This terminology is taken from the well-known ISO/IEC Open System Interconnection model (ISO/IEC 1994).)

Fig. 2 An example application and its platform

Note that, as described here, the platform concept is defined relative to a given application or collection of applications that share it. The most obvious platform is, of course, the computing hardware itself. However, some software applications, such as operating systems and interpreters, are written for the sole purpose of providing a customized platform for higher-level applications. Consequently, it is common for platforms to be represented by vertically layered stacks, as shown in Fig. 2. In this example, Layer 2 serves as a platform for Layer 3, while Layer 1 is the platform for Layer 2. Hardware is always the bottom layer (Layer 0) and is the only layer that actually physically manipulates data and executes instructions. It is worth noting that, with the exception of the hardware layer, software-realized layers tend to be purely conceptual; that is, they are typically design-time groupings with no corresponding first-class run-time manifestation. For instance, as shown in Fig. 2, service module Service A.2 accesses the hardware directly (as indicated by the directed arrow between the modules), bypassing all the layers in between. This may seem like a violation of encapsulation, but the reality is that, unlike software modules, software layers typically do not actually encapsulate their contents. This allows individual layer services to directly access the platform services that they need, without having to “pass through” intervening layers that do not provide them with any useful support functionality. That is, each service has its own set of layer stacks, although all of such stacks converge on the same hardware layer at the bottom.
(This means that highly abstract representations of platform layering shown as a vertically ordered stack of opaque layers can be highly misleading, since such structures are mistakenly interpreted to mean that entities in one layer can only access the facilities of the layer immediately below.) Thus, Service A.2 involves two distinct layer stacks: (1) Service A.2-Service B.1-Service OS.P-Computer Hardware and (2) Service A.2-Computer Hardware.


Platform Resources

The implementation of a platform service consists of code, data, as well as any additional facilities, such as specialized hardware devices, that are required to fully realize its functionality. In this chapter, these are referred to generically as resources. A resource is defined as “a source of supply, support, or aid, especially one that can be drawn upon when needed” (from https://www.dictionary.com/browse/resource?s=t), which not only closely matches the nature of what services do, but it also implies the physical essence that underlies all computing resources. Namely, it is the hardware layer that provides the actual physical underpinning out of which all service resources are constructed. Moreover, since all resources are rooted in hardware, they are all finite in some way, that is, of limited size or capacity. This can be of particular significance for real-time and embedded systems, where the finite nature of resources can have far-reaching implications, as explained in the following section.

Required QoS and Provided QoS

In his 1996 book, the author Henry Petroski, who studies and writes about engineering practice, noted that “[v]irtually every calculation an engineer performs . . . is a failure calculation . . . to provide the limits that cannot be exceeded” (Petroski 1996). This is, in essence, what is behind the distinction made between required QoS and provided QoS. Namely, by treating the application-platform relationship as an example of the client-server design pattern, with the application being the client and the platform the server, it is possible to perform quantitative and qualitative comparisons between them and thereby determine whether or not the limits of the platform have been exceeded. That is, the provided QoS of the platform has to at least meet the required QoS of the application – a classic case of supply meeting demand. Ensuring that supply meets demand sounds like a simple enough one-to-one comparison operation, but, in the case of software applications, this can become much more complicated. This is primarily due to the fact that platform resources are often shared between different parts of an application or even between different applications.

On the Precise Meaning of Platform Independence

Platform independence is a long-sought goal in software engineering. In fact, it is one of the primary objectives that led to the development of third generation programming languages, such as Fortran or C. The intent of this goal is clear: given the diversity of computing hardware and its rapid and continuous evolution, it should be possible to execute a software application on as broad a spectrum of different platforms as possible with no or minimal adaptation. In addition to the obvious advantage of application portability, platform independence also supports the separation of concerns, whereby application design and hardware design can, to a degree, be addressed independently of each other. In practice, platform independence is often incorrectly interpreted in an absolute sense; that is, that application design is completely independent of the underlying platform. However, as discussed above, this is not always possible, particularly when it comes to real-time software, which is often fundamentally dependent on the properties of its underlying platform.

2.2.5 Modeling Deployment

Deployment refers to the allocation of application elements to platform elements capable of supporting them. In its most obvious manifestation, this refers to the placement of computational elements of an application onto the computing resources and services of the platform. (This can be quite a challenging design issue in the case of multi-processor or physically distributed platforms.) Deployment also covers the assignment of application communication channels to platform services and resources that realize the transfer of information. Most generally, it deals with the matching of service access points to platform services. Clearly, the ability to compare required QoS specifications of application components to provided QoS capabilities of corresponding platform services can play a critical role in ensuring QoS correctness. However, this comparison is not as simple as it sounds, since, as noted earlier, a given platform service can be shared by different application components or even by different applications. This can result in complex and difficult-to-analyze interference between nominally independent but concurrent application elements.

3 A Review of Notable Real-Time Modeling Languages

Most real-time software interacts with one or more physical entities that exist independently of that software. Keeping track of such external entities and their state adds a strong structural dimension to real-time software. In fact, this is such a dominant element that, in most cases, the algorithmic (i.e., behavioral) aspects of real-time applications are subordinate to the structural aspects. This is one of the reasons why object-based models of computing are a natural conceptual fit for many real-time systems. This ability to specify structure directly was also one of the primary drivers of the sudden surge of interest in new object-oriented design methods in the late 1980s and early 1990s. Because structure is readily expressed by graphs, a new generation of graphically oriented modeling languages emerged concurrently. With some exceptions, most of these early languages were informal, intended primarily for descriptive modeling. But, over time, the need to create a tighter bond between design and implementation led to more formal modeling languages, some of which could even be used to automatically generate full implementations directly from the models.

Graphically oriented modeling languages targeting the real-time domain evolved in two directions: (a) as specializations of existing general-purpose modeling languages, such as MARTE, which specializes UML, or (b) as domain-specific languages, such as AADL or SDL. The advantages of the former are that they are often able to reuse available general-purpose language expertise and, possibly, some of the tools. However, they tend to be more complex since they may inherit the full set of concepts from the general-purpose base language. In contrast, domain-specific languages are generally simpler and cover the domain better. But they require specialized training, and it may be difficult to find adequate tool support for them.

The following is a review of an important subset of modeling languages designed specifically to be used for modeling real-time and embedded systems. They were selected on the basis of either their theoretical contributions or the practical impact that they had in the domain, and are presented more or less in historical sequence, so that readers can observe how the language landscape has evolved. A short overview of each language is provided, followed by an assessment against the language characterization framework described in the preceding section. Needless to say, it is not possible to provide complete and detailed descriptions of the languages, so only the most salient features are described. Readers interested in more detail should refer to the appropriate reference material cited in the References section.

Important Caveat: With some exceptions, the author cannot claim deep and extensive knowledge of or personal experience with all of the modeling languages described here. Although the author has done his utmost to ensure accurate descriptions of the languages and the design intent behind them, it is possible that some misinterpretations or even misrepresentations may have crept in. This is particularly true of the earlier languages since it is becoming increasingly difficult to obtain adequate information (books, papers, tools, project reports, etc.), despite all the wonderful and powerful research tools that are currently available via the Internet. So, if readers with deeper knowledge of any of these languages find fault with these descriptions and conclusions, it will be much appreciated if they are reported back to the author.

3.1 Historical RT Modeling Languages

Languages in this group represent early attempts at graphically oriented real-time modeling languages. All of them were used in industrial practice, including for some impressive software systems. However, over time, all of them were gradually displaced by the “current” generation of modeling languages described in Sect. 3.2.

3.1.1 Hatley-Pirbhai

The Hatley-Pirbhai method for developing real-time systems was developed by Derek Hatley and Imtiaz Pirbhai, specifically for real-time system development (Hatley and Pirbhai 1987). Its origins can be traced to the general-purpose Yourdon Structured Design approach to software engineering that was introduced in the 1970s (Yourdon and Constantine 1975), which was subsequently specialized for the real-time domain by Ward and Mellor (1985). Hatley and Pirbhai extended the Ward-Mellor approach by introducing an explicit separation between control and function behaviors, with distinct modeling capabilities for each.

Their method incorporates a domain-specific modeling language. The modeling language does not have a name per se, but is, instead, an integral component of the Hatley-Pirbhai software development method. This means that it is not particularly well-suited to use with alternative design methods. At its core is functional decomposition utilizing a flow-based model of computation characteristic of the structured analysis and structured design methods. In this approach a software system is conceived as an input-output transformer. It takes inputs from the environment and transforms them into the appropriate outputs to the environment.

Uniquely perhaps among real-time modeling languages, the Hatley-Pirbhai language is not intended for modeling actual software designs. Instead, it is used to specify the system requirements. This is achieved by means of a requirements model. A fundamental underlying assumption of Hatley-Pirbhai is that system implementation is a distinct step that is driven by this model and that, therefore, the requirements specification must not impose any constraints on how it is to be implemented. In other words, the purpose of the requirements model is to specify what is to be built without being explicit about how it is to be built.

Development of the requirements model is intended to be iterative and involves the gradual construction of a hierarchy of models representing stepwise refinements starting from the highest-level requirements down to the most detailed ones. But the iterative nature of this process should not be confused with modern agile methods, since it is assumed in Hatley-Pirbhai that implementation should not commence until the requirements are specified in sufficient detail to serve as an unambiguous guide to implementation. In other words, it is biased towards a waterfall-like approach.

The requirements model makes a clear separation between data flows and control flows, with distinct diagram types and distinct language constructs for each. Data flows are captured using Data Flow Diagrams (DFDs), while control is represented by means of Control Specifications (CSPECs) and Control Flow Diagrams (CFDs). Note that data flows can be used to capture not only information flows, but also various material transfers, such as electrical current or liquid flow. “Control” refers to functions that are used to control the operational state of the data flows as well as the system as a whole (e.g., activation and deactivation).

The second major type of model supported by the Hatley-Pirbhai modeling language is the architecture model. Note that the term “architecture” is interpreted here in a relatively narrow sense and specifies just the hardware configuration of a system; that is, the bottom layer of what is referred to as a platform in preceding sections (any higher platform layers are deemed the responsibility of design).

The Modeling Language

The central language construct of a Hatley-Pirbhai requirements model is the process (Fig. 3). A process is used to denote a function that: (a) transforms a set of data inputs into appropriate outputs and (b) responds to control signals that are used to control its operation. There is a rule that states that a process name must be a verb. Associated with each process is a unique specification of its characteristics called a process spec or PSPEC. For example, this might include a detailed specification of the transformation performed by the process, such as a mathematical formula or algorithm. This is generally a semi-formal textual specification, in the form of pseudo-code or structured English.


Fig. 3 Basic graphical symbols used in the Hatley-Pirbhai modeling language

The inputs and outputs of a process are shown by directed data flow arcs representing “pipelines” that specify the direction and data that flows through them. Control flows, on the other hand, are depicted by dashed-line arcs and capture the transfer of control between processes as well as the flow of control to and from the CSPEC control specification. The latter is a specification of some event-driven control logic and may be specified in a variety of ways including finite state machines. Control flows that are initiated by or received by the CSPEC control logic are denoted by short straight-line bars at the starting or terminating ends of a control flow, respectively.

Terminator nodes represent external entities that are connected to the system but lie outside the system. In other words, they capture the environment of the system. In Hatley-Pirbhai, they are the ultimate sources or sinks of all data and control flows to and from the system.

Stores are shown by two parallel lines with a label representing the type of items stored. They are used to buffer the items of a flow, whether data or control. Hence, they can be both sources and targets of flows.

An architecture model contains architecture modules, which typically represent physical entities such as input-output devices, complex physical systems, or computers. However, architecture modules can also be used to capture complex software systems. The communication flows between two architecture modules are represented by information flow vectors, which are groupings of all like flows between the two modules. They can be either control or data information flows. For specifying the physical conduits by which energy or material is transferred between modules, Hatley-Pirbhai uses information flow channels.

Diagram Types

The requirements and architecture models of Hatley-Pirbhai are constructed using different types of diagrams. The starting point in either model is a context diagram that captures the system as a “black box” surrounded by all the external elements with which it interacts.

The requirements model uses a data context diagram and a control context diagram for specifying the data and control flows, respectively. The data context diagram is simply a high-level DFD and the control context diagram is a high-level CFD. Examples of these two diagrams for a simple video streaming application are shown in Fig. 4 below. These models are then refined using the appropriate diagram types. For example, the “streaming video presentation” process from the DFD in Fig. 4a is refined into the DFD shown in Fig. 5, while the CFD in Fig. 4b is refined as depicted in Fig. 6. Note that both the DFD and the CFD show the same processes and stores, but they show different types of flows.

As mentioned earlier, the control flow is specified via a CSPEC, which could be expressed in a number of ways, including tables and finite state machines. Figure 7 shows a state machine specification for the CFD in Fig. 6 (this form is used in cases where the control signals are a function of previous inputs to the CSPEC). Hatley-Pirbhai allows both Moore and Mealy type state machines – the choice is up to the modeler. In this case, a Moore machine is used, which means that the activated processes start when the target state is entered and are automatically terminated when that state is exited. The control events that trigger the transitions are generated by the processes.

The architecture model uses an architecture context diagram as its starting point. It is the starting point for all diagrams that are part of the architecture model. It uses information flow vectors to depict the boundary between the system and its environment. An example architecture context diagram is shown in Fig. 8, for the streaming video application cited above.

Fig. 4 A Data context diagram (a) and a control context diagram (b) of a simple video streaming application

Fig. 5 The DFD refinement of the Data Context Diagram from Fig. 4a

Fig. 6 The refined CFD of the control context diagram from Fig. 4b

Fig. 7 The CSPEC state machine for the CFD in Fig. 6


Fig. 8 The Architecture context diagram for the video streaming application

Fig. 9 Architecture interconnect diagram for the video streaming application

Finally, an architecture interconnect diagram captures the physical channels that carry the flows passing between architecture modules. It uses interconnect flow channels for this purpose (Fig. 9). As was the case with the requirements model, these can be refined further with more detailed diagrams. Similar to the PSPEC specifications for processes, there are separate semi-formal specifications for each architectural module and each interconnect channel.

Language Characteristics

Table 1 below provides an overview of the salient characteristics of the Hatley-Pirbhai method, as per the categorization scheme defined in Section 2 of this chapter.

Table 1 Hatley-Pirbhai Language Characteristics

| Language characteristic | Support | Remarks |
|---|---|---|
| Target domain | General real-time systems | Used primarily in defense and safety-critical applications as a means of specifying requirements precisely |
| Domain coverage | Partial | No detail level modeling capability |
| Development cycle coverage | Front end (requirements models, descriptive design models) | The language was initially conceived as a means of capturing requirements in a precise fashion. Nevertheless, it was often used in high-level analysis and design. |
| Purpose of models | Descriptive (high-level analysis and design models) | |
| Multiple abstraction levels | Yes | |
| Primary syntactical form | Graphical | |
| Primary language paradigms | Structured analysis/structured design | |
| Precision level | Ad hoc | The semantics of the Hatley-Pirbhai modeling language are mostly defined using natural language (i.e., an ad hoc level). This was one of the main complaints directed at it, since the meaning of the models would sometimes be misinterpreted by implementation teams |
| User-defined extensibility | None | |
| Tool support | Declining | At its peak, Hatley-Pirbhai was supported by a number of commercial CASE tools |
| Language resources | Reference text | At its peak, numerous training courses were available from commercial organizations |
| Primary model of computation | Flow-based | Complemented with support for event-driven behavior via state machines |
| Representation of time | Informal | No provision is extended for modeling multiple or distributed time sources or for specifying the characteristics of any timing devices. Timing requirements are specified as sampling rates and maximal response time constraints |
| Modeling QoS | None | |
| Platform modeling | Yes | However, only hardware elements of a platform can be defined using architecture diagrams |
| Modeling deployment | Yes | This was primarily done via annotations |


3.1.2 Mascot 3

The Modular Approach to Software Construction, Operation, and Test (MASCOT) method and modeling language were developed by the Royal Signals and Radar Establishment in the UK. The initial versions (MASCOT and MASCOT 2) were developed between 1971 and 1980. The ultimate version, MASCOT 3, was developed in 1986. Responsibility for maintaining this version was assigned to the Joint IECCA and MUF Committee on Mascot (JIMCOM) in 1987. This committee included representatives from the defense and computing communities in the United Kingdom. An initial version of the official reference manual was published (JIMCOM 1987). However, there does not appear to be any further release of that specification. A very readable book by Allworth and Zobel on the design of real-time software systems was published in 1987 (Allworth and Zobel 1987). It includes an extensive description of the MASCOT 3 language, including recommendations on how to implement its virtual machine.

The approach and motivation behind MASCOT were reminiscent of those of HOOD and its real-time variant HRT-HOOD (see Sect. 3.1.6). Like those languages, the intent was to provide a full-cycle language starting from high-level descriptive modeling down to detailed modeling serving a prescriptive purpose. Both focused on modeling structure, while assuming that application-specific behavior would be embedded in the structural context using the chosen implementation (i.e., programming) language. Like HRT-HOOD, to facilitate the timeliness properties of an application, only static applications were supported, that is, applications that did not dynamically create or terminate processes. Although somewhat restrictive, this still covered a broad spectrum of hard real-time application types. In addition, both languages supported the concept of templates for key structural concepts. These have some similarity to the class concept in object-oriented languages. Once a structural template is defined, it can be reused multiple times in a given application. But neither language provided an inheritance capability for such templates. This may be one of the main reasons why both of these languages were ultimately replaced by object-oriented languages.

Despite these similarities, there were some significant differences when compared to HOOD. The most outstanding of these is the introduction of an underlying run-time platform, the MASCOT virtual machine, which provided a set of basic services such as clock access and timing, interprocess communications, synchronization, as well as multiprocessing and scheduling. The intent was that all programs developed using MASCOT 3 would execute on top of this platform. This ensures that well-formed MASCOT 3 models may be executable. It also enables a relatively high degree of platform independence. Most importantly, perhaps, it also provides a de facto definition of the semantics of the language, since this virtual machine is responsible for implementing and enforcing those semantics. While a detailed specification of the MASCOT 3 virtual machine is provided in the MASCOT Reference Manual (JIMCOM 1987), it is mostly in the form of natural language descriptions. Furthermore, it provides much latitude for implementation-specific variations (e.g., scheduling policy) to allow for different implementations based on application-specific needs and available platform technologies. Hence, this modeling language belongs in the codified category.


A textual syntax for MASCOT 3 was defined, such that it was representationally equivalent to the graphical notation. Provided that appropriate tool support was available, modelers could use either form or even choose to alternate between them.

The Modeling Language

A representative MASCOT 3 top-level (system) model is depicted by the abstract example in Fig. 10. It shows the key structural components and their communication interconnections. The rectangles with rounded corners represent three subsystems (subsys1, subsys2, and dcmp_subsys). Communications between components may involve intercommunication data areas, or IDAs (pts_ida and sa_ida). MASCOT 3 supports two basic forms of IDAs: data pools and channels. However, the diagram in Fig. 10 is at the highest level of abstraction and, therefore, does not provide the full details of which communication forms are actually used in specific cases. Instead, it uses a generic rectangular form to represent the two IDAs. These can be refined into more specific forms in more detailed representations.

Note that the graphical elements whose borders are drawn using thicker lines represent items that may be decomposed further. Figure 11a shows the internal structure of the dcmp_subsys subsystem from Fig. 10. This view shows two activities (actA and actB) as well as two communication connections of different types (a pool, gw_pool, and a channel, sp_chnl). Proceeding further with decomposition, Fig. 11b shows the structure of the actA activity, which comprises three finer-grained interacting activities (main, sub1, and sub2) connected by links. The semantics of each of these basic modeling concepts are described below. The principal modeling concepts of MASCOT 3 are shown in Fig. 12.

Fig. 10 Example MASCOT 3 system model


Fig. 11 Decompositions of elements from Fig. 10

The basic functional unit of MASCOT is the activity. Each activity represents a single concurrent thread of control and is represented by a circle. An activity can be either composite, such as activity actA in Fig. 11b, or primitive. Composite activities are decomposed into internal modules and are identified by a thicker boundary contour. Despite the use of circles to denote the internal modules, they all execute on the same thread, the thread of the containing activity. Communications between internal modules are via procedure call and are denoted by links. These are shown in the diagrams by lines with a superimposed triangular arrow ornament, which indicates the direction of the invocations (e.g., subif1 in Fig. 11b). Communications between activities, on the other hand, may involve pools (e.g., gw_pool in Fig. 11a) or channels (e.g., sp_chnl in Fig. 11a) depending on the desired type of communications. Pools are collections of shared data items, whereas channels are first-in-first-out storage buffers. Both kinds of communication connections are automatically protected against concurrency conflicts.


Fig. 12 Basic Modeling language constructs of MASCOT 3

In contrast to HOOD, MASCOT 3 has a more refined model of interactions between modules. Namely, it supports the partitioning of the full interface of a module (an IDA or an activity) into distinct groupings called access interfaces, which represent different interaction “protocols.” Thus, a given module might offer different access interfaces to different collaborators, based on the nature and purpose of the interactions between them. An access interface defines the type of data flow that it supports (e.g., a specific data type) and the procedure that is invoked to process it. A MASCOT 3 module declares the access interfaces that it provides as well as the access interfaces that it needs from its collaborators. This is one of the first applications of the contract-based approach that is key to component-based design. By such means it is possible to decouple a module from a particular context so that the same component type can be reused in multiple different contexts and designs. A coupling between modules is well-formed as long as the contracts between their offered and required access interfaces are compatible.

The coupling between modules is specified by means of data flow paths. These are represented by directed lines that connect the access interfaces of the interacting modules, which identify the access interface involved as well as the direction of data flow. Clearly, the two access interfaces at the source and destination ends of the flow path must match. To distinguish between required and provided access interfaces, MASCOT 3 uses the concepts of ports and windows, respectively. A window, representing a provided interface, is depicted by a thin black rectangle located near the edge of a module’s contour. A port, on the other hand, specifies a required interface and is represented by a small filled circle also located near the contour’s edge.

Since real-time systems invariably involve some type of input-output device, MASCOT 3 provides two concepts. Servers, represented by “D” shaped elements, are software units that are capable of interacting with a particular device (Fig. 12).
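The port/window matching rule described above can be checked mechanically. The following is an added example, not MASCOT 3 tooling or code from the chapter: the module names are borrowed from Fig. 11a, while the interface names, data types, and the rule that every port must be connected are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessInterface:
    name: str        # the interaction "protocol" (constructed names below)
    data_type: str   # type of data flow the interface supports
    procedure: str   # procedure invoked to process the data


@dataclass
class Module:
    name: str
    kind: str                                                          # "activity" or "ida"
    windows: dict[str, AccessInterface] = field(default_factory=dict)  # provided
    ports: dict[str, AccessInterface] = field(default_factory=dict)    # required


def check(modules, paths):
    """Validate data flow paths given as ((module, port), (module, window)).

    Returns a list of error strings; an empty list means every coupling is
    well-formed. Direction of data flow is not modeled in this sketch.
    """
    by_name = {m.name: m for m in modules}
    errors, connected = [], set()
    for (pm, pn), (wm, wn) in paths:
        src, dst = by_name.get(pm), by_name.get(wm)
        if src is None or pn not in src.ports:
            errors.append(f"{pm}.{pn}: path does not start at a declared port")
            continue
        if dst is None or wn not in dst.windows:
            errors.append(f"{wm}.{wn}: path does not end at a declared window")
            continue
        need, offer = src.ports[pn], dst.windows[wn]
        if need != offer:   # both ends of the path must name the same contract
            errors.append(f"{pm}.{pn} -> {wm}.{wn}: port requires {need.name}"
                          f"[{need.data_type}] but window provides "
                          f"{offer.name}[{offer.data_type}]")
        connected.add((pm, pn))
    for m in modules:       # assumption: a required interface left open is an error
        for pn in m.ports:
            if (m.name, pn) not in connected:
                errors.append(f"{m.name}.{pn}: required interface is not connected")
    return errors


def build(consistent=True):
    """Constructed model loosely following Fig. 11a (actA, actB, gw_pool, sp_chnl)."""
    put = AccessInterface("sp_put", "sample", "put")
    get = AccessInterface("sp_get", "sample", "get")
    read = AccessInterface("gw_read", "config", "read")
    wrong_get = AccessInterface("sp_get", "frame", "get")   # data type mismatch
    modules = [
        Module("sp_chnl", "ida", windows={"put": put, "get": get}),
        Module("gw_pool", "ida", windows={"read": read}),
        Module("actA", "activity", ports={"out": put, "cfg": read}),
        Module("actB", "activity", ports={"inp": get if consistent else wrong_get}),
    ]
    paths = [(("actA", "out"), ("sp_chnl", "put")),
             (("actB", "inp"), ("sp_chnl", "get"))]
    if consistent:
        paths.append((("actA", "cfg"), ("gw_pool", "read")))
    return modules, paths


if __name__ == "__main__":
    for ok in (True, False):
        print("consistent" if ok else "broken", check(*build(ok)))
```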

Language Characteristics

Table 2 below provides an overview of the salient characteristics of the MASCOT 3 language, as per the categorization scheme defined in Section 2 of this chapter.

Table 2 MASCOT 3 Language Characteristics

| Language characteristic | Support | Remarks |
|---|---|---|
| Target domain | Hard real-time systems | The language did not allow dynamic creation and destruction of processes |
| Domain coverage | Partial | Detail level modeling, including choice of (programming) language, was left as an implementation concern |
| Development cycle coverage | Full-cycle | However, prescriptive models were not used for automated code generation, but were, instead, intended to serve as guidelines for coding using an implementation language of choice |
| Purpose of models | Descriptive and prescriptive | |
| Multiple abstraction levels | Yes | The language only covers the architectural level |
| Primary syntactical form | Graphical | But, a textual form was also available |
| Primary language paradigms | Object-based structure with flow-based behavior | MASCOT 3 is a hybrid of object-based and flow-based computing paradigms. System-level behavior was represented as a flow between activities mediated through IDAs. But, the activities themselves were represented by units of concurrency, similar to the active object concept of UML. Although no inheritance or generalization support is provided, the template mechanism provides a class-like facility |
| Precision level | Codified | MASCOT 3 is based on a virtual machine approach (the MASCOT 3 kernel), which was responsible for activity scheduling and synchronization. Its semantics are defined relatively precisely using natural language |
| User-defined extensibility | None | |
| Tool support | None | Since the language was used in some practical applications, there were likely at least model authoring tools available. However, at the time of this writing, such tools do not seem to be available |
| Language resources | Language reference | The official reference manual for MASCOT 3 does not seem to be available on the internet. However, the book by Allworth and Zobel can still be obtained |
| Primary model of computation | Flow-based | Realized by a series of data transfers between concurrent entities mediated by IDAs |
| Representation of time | Informal | Clocks and timing services in MASCOT 3 are the responsibility of the MASCOT virtual machine. However, the specifics of this are left up to individual implementations |
| Modeling QoS | None | |
| Platform modeling | None | The MASCOT 3 kernel provides a virtual platform for the execution of MASCOT 3 implementations. This achieves a degree of platform independence. However, there are no explicit modeling constructs for specifying platforms. |
| Modeling deployment | None | |

3.1.3 STATEMATE

STATEMATE is the name of a computer-based tool developed and marketed by I-Logix, Inc. The tool supported a modeling language originally designed by David Harel and colleagues at the Weizmann Institute in Israel (Harel 1987). The language and corresponding method were designed to assist in the design of “reactive systems,” which were defined as systems that maintain an ongoing interaction with their environment. At the core of the approach was the concept of Statecharts, a sophisticated hierarchical finite state machine formalism with a graphical concrete syntax. This work had a significant impact, particularly in the real-time modeling space, and has been adopted and adapted widely by most subsequent real-time modeling languages, including, notably, UML and SysML.

In addition to Statecharts, the modeling language of the STATEMATE tool comprised two additional complementary modeling languages: Activity-charts, used to capture information flows, and Module-charts, for describing the structure of the underlying platform. The primary purpose of STATEMATE was to support “requirements analysis, specification, and high-level design” (Harel and Politi 1998). The approach was somewhat method-agnostic, but was primarily intended to be used in conjunction with various structured analysis methods that were prevalent at the time. Its primary artifact was a system model that captured the requirements of the system and which could serve as a blueprint for design.

Because the modeling language concepts were defined using precise mathematical semantics, it was possible to execute STATEMATE models using the corresponding tool from I-Logix. The resulting models could also be transformed in various ways including generating executable computer code, documents, and various forms suitable for analysis.

Although it was not object-oriented in the traditional sense (e.g., it had no direct support for inheritance), because of its highly influential Statechart language, STATEMATE represents a cross-over form between earlier modeling languages based on structured analysis methods and later object-oriented languages. When the Object Management Group initiated a consolidation of object-oriented modeling languages, the concepts of STATEMATE, particularly those of the Statechart language, were evolved and incorporated into the initial release of the Unified Modeling Language.

Modeling Language

The STATEMATE languages were organized around three core viewpoints: functional, behavioral, and structural. The functional viewpoint, expressed by means of activity-charts, was used to specify the capabilities of the modeled system and the flows of control and information. The behavioral viewpoint, expressed using Statecharts, served to define the control and timing of the system. Finally, the structural viewpoint, expressed by means of module-charts, identified the structural elements (modules) of the system and their communication links. A data dictionary was also used to capture nongraphical detailed information associated with elements in the three views.

Crucially, all three modeling languages supported recursive decomposition of their core concepts, which facilitates abstraction and the modeling of highly complex hierarchically structured systems. The basic model of computation is a combination of data flow and event-driven behavior. The former is used for functional transformations in activity-charts, while the latter is used for control behavior in statecharts.

Activity-Chart Language and Concepts

The activity-chart language concepts (Fig. 13) are partly based on classical structured methods for specifying data and control flows, similar to those of the Hatley-Pirbhai approach (Sect. 3.1.1), with some differences in the concrete syntax. However, in addition to showing functional activities representing input-output transformations, the activity-chart language could also be used to represent simple or composite objects. In contrast to the physical objects represented in module-charts, the objects appearing in activity-charts represent logical (i.e., conceptual) entities.

Fig. 13 STATEMATE activity-chart concepts

External activities or objects represent entities that existed outside the modeled system (i.e., the system under consideration). Internal activities, on the other hand, represent either objects or functions that were part of the system. These activities can be decomposed to any depth, depending on their nature and purpose. A special kind of internal activity is a control activity, which captures the control logic for managing functional activities (e.g., enabling and disabling). The control logic itself is specified using the Statechart language in special statechart diagrams. The activities in an activity-chart are connected by directed arcs denoting flows. Data flows specify the transfer of data between source and target functional activities, while control flows, drawn using a dashed line style, specify the flow of control to and from control activities.

Statechart Language and Concepts

As mentioned earlier, statecharts have been used to specify event-driven behavior by other real-time modeling languages. However, in practically all cases, there are numerous subtle semantic variations from the original statechart formalism as supported in STATEMATE (Fig. 14). For example, in cases when a given event occurrence can trigger two or more transitions at different levels in the hierarchy, the outermost of these candidate transitions is the one that is triggered. In contrast, in UML statecharts, it is the innermost one that is triggered. In other words, the inner transitions override the outer ones.

Perhaps the most notable statechart concept in STATEMATE is the concept of “and” states as realized by means of orthogonal (or “concurrent”) regions of a composite state. In this case, there is a separate substate machine in each region that executes concurrently with its peers. The state machine of each peer region has its own state, so that the system is in effect in multiple states simultaneously. Hence, the name “and” states for this case. But within any single region’s state machine, only one of the states can be current, so that the states within a region are referred to as “or” states. Note that the actions of a transition triggered in one region may trigger a transition in a peer region, which means that the regions can interact with each other. The semantics of such interactions can be quite complex.

Fig. 14 STATEMATE statechart concepts (subset)
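
The transition-priority difference described above, as an added Python example (not code from the handbook or from any STATEMATE or UML tool): one hierarchical model in which the same event matches transitions at three nesting levels, resolved once with the outermost rule and once with the innermost rule. The `Chart` class and all state and event names are constructed for illustration; guards, history and orthogonal regions are left out.

```python
from dataclasses import dataclass


@dataclass
class Chart:
    parent: dict       # state -> enclosing composite state (None at top level)
    default: dict      # composite state -> default substate entered with it
    transitions: list  # (source state, event, target state)

    def ancestors(self, state):
        """Return the active states from the innermost one outwards."""
        chain = []
        while state is not None:
            chain.append(state)
            state = self.parent[state]
        return chain

    def enter(self, state):
        """Follow default substates down to a leaf state."""
        while state in self.default:
            state = self.default[state]
        return state

    def step(self, current, event, priority):
        """Fire at most one transition for `event`; return the new leaf state."""
        chain = self.ancestors(current)
        # Depth 0 is the innermost active state; larger depths are further out.
        candidates = [(chain.index(src), tgt)
                      for src, ev, tgt in self.transitions
                      if ev == event and src in chain]
        if not candidates:
            return current  # no transition is enabled by this event
        choose = max if priority == "outermost" else min
        _, target = choose(candidates, key=lambda c: c[0])
        return self.enter(target)


# Constructed model: OPERATING contains IDLE and RUNNING; RUNNING contains
# HEATING and COOLING. The event "reset" has a transition at every level.
MODEL = Chart(
    parent={"OFF": None, "OPERATING": None, "IDLE": "OPERATING",
            "RUNNING": "OPERATING", "HEATING": "RUNNING", "COOLING": "RUNNING"},
    default={"OPERATING": "IDLE", "RUNNING": "HEATING"},
    transitions=[("OFF", "power", "OPERATING"),
                 ("IDLE", "start", "RUNNING"),
                 ("HEATING", "reset", "COOLING"),   # innermost candidate
                 ("RUNNING", "reset", "IDLE"),
                 ("OPERATING", "reset", "OFF")],    # outermost candidate
)


def run(events, priority):
    """Feed the events to MODEL and return the leaf state after each one."""
    state, trace = MODEL.enter("OFF"), []
    for event in events:
        state = MODEL.step(state, event, priority)
        trace.append(state)
    return trace


if __name__ == "__main__":
    events = ["power", "start", "reset", "reset"]
    print("STATEMATE (outermost):", run(events, "outermost"))
    print("UML (innermost):      ", run(events, "innermost"))
```

With the outermost rule the first "reset" leaves OPERATING altogether, while with the innermost rule it only moves between the two substates of RUNNING.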

Transitions emanating from states (as opposed to those emanating from connectors) are triggered by the occurrence of events associated with the transition. However, whether or not a transition will be triggered can be additionally controlled by an associated guard condition, which allows triggering only if it evaluates to true at the time the event has occurred. A transition may have an attached action, which is executed if the transition is triggered. Actions are specified using a custom action language specific to STATEMATE. The execution of these actions is assumed to be instantaneous (“zero-time hypothesis”). In addition to actions on transitions, states can have entry reactions, which are executed whenever the state is entered by a triggered transition, as well as exit reactions, which are executed whenever the state is exited by any one of its outgoing transitions. This allows modeling of both Moore and Mealy type automata.

STATEMATE supports different kinds of events. The most obvious are explicit signals that are propagated between communicating activities. In addition, two other kinds of events are possible: Change events occur when the state of a state machine or the value of some data item is changed. For example, a transition from one state to another in a region may trigger a transition in one or more of its peer regions. Finally, Timeout events represent the expiration of some time interval associated with a state. These work in conjunction with states. That is, it is possible to assign an explicit time value to a state, which represents the maximum time that the state machine can reside in that state before a timeout event will occur. If some event occurs that takes the state machine out of that state before the time interval has expired, the timing will have no effect. However, if the timer expires before any such outgoing transition is triggered, a timeout event will be generated, which can be used to trigger an outgoing transition.
There are numerous other unique features of STATEMATE statecharts, such as History and Choice connectors. Readers interested in the full semantics of these and other STATEMATE concepts are referred to the book by Harel and Politi (1998).

Module-Chart Language and Concepts

The module-chart language of STATEMATE (Fig. 15) specifies the actual physical configuration of the system under study. As such, it is the “container” of both the activities described by the activity-chart language and the state machines described by the statechart language. The core concept here is the module. External modules represent entities that are outside the system under study, and are differentiated by being rendered using dashed lines, similar to the notation convention used in the activity-chart language. However, as noted earlier, the modules specified in module-charts represent physical entities. Modules are connected by directed arcs that represent either information flows or, more concretely, the physical channels through which such flows propagate.

Language Characteristics

Table 3 below provides an overview of the salient characteristics of the STATEMATE language, as per the categorization scheme defined in Section 2 of this chapter.

Fig. 15 STATEMATE module chart concepts (subset)

Table 3 STATEMATE Language Characteristics

| Language characteristic | Support | Remarks |
|---|---|---|
| Target domain | Complex reactive systems | |
| Domain coverage | Full | Both application and platform modeling supported, including detail level actions and data |
| Development cycle coverage | Full-cycle | |
| Purpose of models | Descriptive and prescriptive models | Prescriptive models could be automatically translated into programming language implementations |
| Multiple abstraction levels | Yes | |
| Primary syntactical form | Graphical | |
| Primary language paradigms | Object-based, flow-based, event-driven | Activity charts use a flow-based paradigm, control activities use state machines, and module charts are object-based. However, neither inheritance nor generalization are supported |
| Precision level | Implementation | There were several technical papers that defined the formal semantics of STATEMATE. However, none of them were standardized |
| User-defined extensibility | None | |
| Tool support | Yes | STATEMATE was originally developed and supported by a powerful tool of the same name from I-Logix. This tool provided not only model editing, but also a model execution capability along with some sophisticated implementation generation facilities. Later, development and support of STATEMATE was taken over by Telelogic Inc. following their purchase of I-Logix. Telelogic was in turn purchased by IBM Rational. However, support for the tool has now been discontinued. |
| Language resources | Reference manual, user guide textbook | The STATEMATE tool came with full documentation. Training was available from the vendor, while the tool was supported. Also, an extensive user guide textbook was available (Harel and Politi 1998) |
| Primary model of computation | Event-driven | Detailed action code is control-flow based. |
| Representation of time | Partial | STATEMATE includes an explicit model of time, as represented by means of state time bounds and timeout triggers. However, there is no explicit measure of physical time. Instead, time is specified in terms of clock units or ticks, with the actual physical value of a unit left as an implementation choice. A single central time source is assumed |
| Modeling QoS | None | |
| Platform modeling | Yes | Module charts are used to specify the hardware platform. No special provision for modeling software platforms, although these are subsumed within the implementation of the STATEMATE virtual machine |
| Modeling deployment | Yes | The allocation of activities in activity charts (including control activities) is done via the data dictionary. Each module entry in the dictionary would specify which activities it hosted |

3.1.4 SDL-92

The Specification and Description Language (SDL) is a modeling language intended originally for specifying telecom software (Sarma 1996). Nevertheless, its event-driven paradigm proved suitable to applications in other domains, where it has been used successfully. The language was originally developed and subsequently maintained by the International Telecommunication Union (ITU), an international standardization body. The SDL language has undergone a number of revisions including, most notably, SDL-92, which added object-oriented concepts to the language (ITU 1994).

From its very first release, SDL focused on a graphical concrete syntax as its primary user-facing form, although it does have an equivalent textual form as well. It was designed as an executable language, so that the idea of using it as a means for producing prescriptive models that could be automatically translated into implementations was a natural consequence. A recent annex to the standard provides a formal mathematical definition of the semantics of SDL.

Although the language is still being revised and maintained as ITU-T Specification Z.100 (the latest release is SDL-2010), interest in SDL has diminished significantly, primarily due to the emergence of UML. In response, the SDL standardization group issued an SDL-based profile of UML (ITU-T Specification Z.109), which allows the creation of UML-style SDL models (albeit with a few minor limitations) (ITU-T 2016).

Modeling Language

SDL consists of two formally related sublanguages: a structure modeling language and a state machine modeling language (for specifying event-driven behavior). The primary structure modeling concepts and their concrete graphical representations are shown in Fig. 16. To support reuse, SDL-92 introduced the notion of element types into the language – corresponding to the class concept of object-oriented languages. It also supports inheritance: a type can be declared as inheriting from a parent type (only single inheritance is supported). This means that it can (a) add new elements, as well as (b) redefine those elements inherited from its parent that were explicitly marked as “virtual” (i.e., redefinable). Note, however, that this approach does not guarantee proper type-subtype compatibility; an inheriting type may not necessarily be behavior compatible with its parent.

The basic structural component of SDL-92 is a block, which can be an instance of a corresponding block type. A block type may be decomposed into a network of collaborating block or process instances. This type of decomposition can be carried to any desired depth, resulting in a tree-like hierarchical structure. A top-level block is called a system. In addition to block instances, a structural decomposition may also include process instances, which, like blocks, may be instances of their corresponding process types. Process instances are the link between structure and behavior. Processes contain state-based behaviors and cannot be decomposed further structurally. Consequently, they represent the leaves in structural decomposition trees.

Blocks are interconnected by means of channels, which represent explicit communication paths. Channels can be unidirectional or bidirectional. As shown in Fig. 16, signals that can be validly exchanged across channels are explicitly declared in the diagrams. In line with the event-driven paradigm of SDL, communication across channels is asynchronous. Connections originating or terminating on a process are called signal routes. In order to differentiate between multiple routes when sending signals, SDL introduces the concept of gates, representing the end points of signal routes. Gates should not be confused with the port concept present in many component-based languages. They are merely a means for identifying signal routes and do not have a concrete run-time manifestation.

Although processes cannot be decomposed into finer-grained structural units, complex processes may be split into modular behavioral units called services. A service is a unit of sequential execution. The services of a process interact with each other by passing signals and data.

Fig. 16 SDL-92 Structure modeling concepts

The behavior of processes and services is described by state machines. SDL-92 supports a relatively straightforward Mealy-based nonhierarchical state machine model. But it does provide the functional equivalent of group transitions, that is, transitions that can be outgoing from multiple different states. Uniquely among state-machine-based formalisms, SDL-92 does not use the conventional state-transition type of notation. Instead, it uses a flow-chart inspired notation, whose basic constructs are defined in Fig. 17. An example of this approach is depicted in Fig. 18(a), with the equivalent more conventional (e.g., UML-like) state machine style shown in Fig. 18(b). (Later revisions of the SDL standard did add a more traditional notation as an option.)

Fig. 17 SDL-92 Behavior modeling concepts

Fig. 18 SDL-92 (a) Example process diagram [(b) UML equivalent]

Language Characteristics

Table 4 below provides an overview of the salient characteristics of the SDL-92 language, as per the categorization scheme defined in Section 2 of this chapter.

Table 4 SDL-92 Language Characteristics

| Language characteristic | Support | Remarks |
|---|---|---|
| Target domain | Reactive real-time systems | SDL was originally intended for specifying telecommunications systems, but its event-driven paradigm has proved useful in many other real-time domains where this paradigm is suitable |
| Domain coverage | Partial | Only application software specification is supported; no platform modeling constructs are provided |
| Development cycle coverage | Full-cycle | |
| Purpose of models | Descriptive and prescriptive models | |
| Multiple abstraction levels | Yes | SDL-92 includes a detailed level language |
| Primary syntactical form | Graphical | The detailed level is specified using a combination of graphical and textual syntaxes. A complete textual syntax is also available. |
| Primary language paradigms | Object-oriented and event-driven | Structure modeling is based on the object paradigm with support for inheritance. The primary behavioral paradigm is event-driven |
| Precision level | Implementation | |
| User-defined extensibility | None | |
| Tool support | Yes | At the time SDL-92 was defined, there were two commercial vendors (Telelogic and Verilog) that provided extensive commercial grade tool support for the language. These two vendors eventually merged and the merged entity was later acquired by IBM. However, it appears that support for SDL-based tooling by IBM has been discontinued at the time of this writing |
| Language resources | Formal language standard (Z.100), textbooks, training courses | The original SDL-92 standard and subsequent revisions are still available, as are some textbooks that provide methodological and language usage guidance |
| Primary model of computation | Event-driven | The detail level language is control-flow based |
| Representation of time | Partial | SDL provided an explicit timer concept. This represented a named object that was owned by a process that created it. The timer would be given a time value and, provided that it was not reset, a time signal would be generated to the process when either the specified time interval expired, or the specified absolute time value was reached. However, there is an implicit assumption of a single global time source behind all timers. No standard unit of time was defined; instead, its value was set by the particular implementation |
| Modeling QoS | None | |
| Platform modeling | None | |
| Modeling deployment | None | |

3.1.5 Shlaer-Mellor (OOA)

The Shlaer-Mellor Object-Oriented Analysis (OOA) method, named after its primary authors, Sally Shlaer and Stephen Mellor, was one of the first development methods that was inspired by the object paradigm and which focused on real-time type applications. It emerged in the late 1980s, at the time of the sudden surge of interest in the object paradigm within the software engineering community. As such, the method represents an interesting transient between the traditional methods inspired by structured analysis and structured design approaches and object-oriented approaches that eventually displaced them. Thus, in addition to core object-based concepts and concurrent state machines, it retained the use of the data-flow model of computation, albeit in a significantly reduced role.

The method and its modeling language were designed to cover the full development cycle by means of a progressive refinement of models, until sufficient detail is provided such that the model could be automatically translated into computer programs with no manual intervention in the generated output. Its modeling language was supported by several commercial tools, which enabled model creation, model execution, and fully automated code generation. With the timely publication of a “how to” textbook (Shlaer and Mellor 1992), the method received significant attention and was widely used in industrial practice. However, with the adoption of the UML standard, interest in the Shlaer-Mellor method declined. In response, the method has evolved and adapted to the UML context in the form of Executable UML (Mellor and Balcer 2002).

Akin to the Hatley-Pirbhai method (Sect. 3.1.1), the purpose of the analysis model in the Shlaer-Mellor method is to provide a precise specification of “what” is to be built, rather than a design per se. And, similar to the MASCOT 3 approach (Sect. 3.1.2), it is based on a virtual machine platform, which ensures conformance of executing models to the defined language semantics. However, in contrast to MASCOT 3, the semantics of the Shlaer-Mellor virtual machine are precisely defined and complete. Consequently, it belongs in the category of executable languages.

The design and implementation that result from such specification models depend on available technologies. Shlaer-Mellor defines a process for this purpose called Recursive Design, and it depends to a certain extent on the technologies selected by the implementation team. However, the availability of computer-based tools, including custom editors and code generators, can greatly reduce this effort. A full textual syntax is defined for the language, but this is primarily intended for code generation purposes. Modelers are expected to use the graphical form of the syntax – with the assistance of a model authoring tool, of course.

Modeling Language

The Shlaer-Mellor method commences with a partitioning of the overall application context into distinct domains. Each domain represents a distinct subject-area with its own ontology and semantics. For example, the Constitution of the United States separates the Government into three domains: Legislative, Judicial, and Executive. Although these interact with each other, each one represents a distinct world, with its own organizational principles and structure. In a Shlaer-Mellor model, these would be represented as separate domains in a domain chart, with relationships between them called bridges (Fig. 19). Larger domains may have to be decomposed further into subsystems. Subsystems are not further decomposed into finer-grained units.

Each “elementary” domain or subsystem is described by three kinds of models. (An elementary domain is one that is sufficiently compact that it does not need to be decomposed into subsystems.) Information models capture the kinds of objects (analogous to classes in conventional OO terminology) that exist in that domain or subsystem and the relationships between them. Information models are derived from the classical entity-relationship approach to modeling databases and are similar in form and purpose to class models of UML. A second type of model is a state model, which uses state diagrams for specifying the lifecycles of objects in the information model. (Recall that the core model of computation in Shlaer-Mellor is event driven, which means that behavior takes place after an event has occurred.) The third type of model is the process model, which specifies the detailed behavior (actions) performed by individual objects, while responding to events.

Fig. 19 A domain chart representing the branches of the US Government

Actions are described using a data-flow representation. These can be supplemented by object communication diagrams, which capture the possible interactions between collaborating objects, as well as optional thread of control charts that capture details of interactions that occur upon arrival of an event. (The term “thread of control” as used in Shlaer-Mellor should not be confused with the notion of an operating system thread. In this case, it denotes an end-to-end causally connected path of object executions corresponding to a use case). Figure 20 shows an example of a fragment from an information model. The rectangles in this diagram represent the entities, or objects, of the information model. Note that in contrast to standard OO terminology, in Shlaer-Mellor the term “object” denotes the set of all objects that conform to the type. In other words, it corresponds to the “class” concept in class-based OO languages. The rectangles include the name of the object (including its formal shorthand “nickname”, such as “(UV)”), and a list of attributes that are characteristic to it. In order to distinguish individual instances within an object set, exactly one of the attributes is used as a unique instance identifier. These special attributes are marked by an asterisk (*). The lines between the boxes represent relationships between objects. All relationships are labeled with an “R” prefix followed by a serial number that uniquely distinguishes them. In the example diagram above, there are two relationships, R1 and R2. The former, R1, specifies a generic relationship between two objects, VEHICLE and VEHICLE OWNER. The arrowhead ornamentation is used to indicate the multiplicity of the relationship. A single arrowhead indicates that to each instance of the source object there is exactly one instance of the target object.

Fig. 20 A fragment of a Shlaer-Mellor information model

A double arrowhead means that there can be multiple instances. An additional “C” annotation next to the arrowhead(s) means that the lower bound of the multiplicity can be zero. For example, associated with each VEHICLE OWNER there can be zero or more instances of VEHICLE. In the opposite direction the diagram indicates that there can be one or more VEHICLE OWNER instances corresponding to each VEHICLE. R1 is an example of a relationship that has its own attributes and that may even have its own lifecycle (i.e., state machine), equivalent to the association class concept of UML. The link between the relationship and its object (OWNERSHIP) is indicated by the vertical arrow terminating on the relationship line. The second relationship in the diagram, R2, represents a special type-subtype kind of relationship, analogous to the generalization relationship of UML. It is marked by a horizontal line fragment that crosses the relationship line just below the parent object (e.g., VEHICLE) as well as the annotation “is a.” As might be expected, subtypes inherit all the attributes of the parent and can add their own. It is important to note that the Shlaer-Mellor modeling language uses a unique interpretation of the object paradigm and its generalization/inheritance relationships. As noted above, the objects in an information model represent collections of all objects of their type and this is precisely how they are realized by the virtual machine. An object is a container of all its currently existing instances. If a particular instance is to be singled out, it has to be selected from the set using its unique identifier. Moreover, the generalization hierarchy is not collapsed at run time. This means that, for the example in Fig. 20, there is going to be present at run time a collection of VEHICLE instances, a collection of POWERED VEHICLE instances, and a collection of UNPOWERED VEHICLE instances. 
This unique interpretation of the type-subtype relationship allows an instance to dynamically migrate from one subtype to a peer subtype. For example, if we removed the engine from a POWERED VEHICLE, it would then become an UNPOWERED VEHICLE. Each subtype contains a subset of the lifecycle of the parent supertype. In the Shlaer-Mellor method, this is used to model entities whose behavior varies depending on their mode. For instance, an instance of a Person type can migrate from a Child subtype to an Adult subtype when appropriate. Subtype instances are connected via their “is a” relationship to their parent supertype instances. Thus, if an event arrives that cannot be handled by a subtype, it is passed on to the parent for handling.

The handling of events, and, more generally, the lifecycle of objects is represented in the Shlaer-Mellor modeling language using state machines, since the dominant model of computation is event-based. Note that the state machines are associated with instances of an object rather than the object collection (i.e., the class). Thus, although a single state machine may describe the behavior of an object, at run time each instance will have its own associated state machine. Figure 21 illustrates a typical Shlaer-Mellor state machine for a vehicle. States are represented by rectangles and transitions by directed arcs. A special type of state is a terminal state, which, if reached, means that the corresponding object is terminated. These states are denoted by a dashed border, such as the SCRAPPED state in Fig. 21.

Fig. 21 An example Shlaer-Mellor state machine

Transitions are triggered by events. Events can be generated by object instances or they may come from external terminator objects. Events may carry data associated with the event, including the identifier of the receiving object (so that it can be selected from within its object set). Note that the method stipulates that generated events are never lost and that transmission is instantaneous. This, of course, may be problematic when modeling physically distributed systems. An object communication model is used to capture which objects can generate which events. An example is shown in Fig. 22. This diagram does not specify the order of events or their causal connections.

Fig. 22 An example of a Shlaer-Mellor Object Communication Model

Once triggered, a transition in a state machine will execute using run-to-completion semantics. This means that once a transition is triggered, it will not be interrupted by the arrival of other events until the transition to the target state is complete. Contrary to some state machine formalisms, it is not assumed that transitions are instantaneous. Events arriving while the current event is being handled will be queued to be processed once the current transition completes. The state machine formalism used is based on the Moore automaton approach, which means that the actions in response to an arriving event are performed in the state, as opposed to in the transition. This means that all transitions terminating on a given state must be processed by a common set of actions.

The processing of events is handled by actions associated with states. Actions are described using data-flow diagrams, such as the one shown in Fig. 23. The semantics and notation of these diagrams are similar to those of Hatley-Pirbhai (Sect. 3.1.1). Both control flows and data flows are supported. Later versions of the Shlaer-Mellor method provided a more compact textual representation for such things, using a custom action language.
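
The event handling described above (instances selected by identifier from their object set, queued events, run-to-completion, actions attached to states, terminal states), as an added Python example that is not code from the handbook or from any Shlaer-Mellor tool. Apart from VEHICLE and SCRAPPED, the state, event and attribute names are constructed, and treating an event with no matching transition as an error is an assumption of this example.

```python
from collections import deque


class Vehicles:
    """Constructed model of the VEHICLE object set with one event queue."""

    # (current state, event) -> next state
    TRANSITIONS = {
        ("IN_SERVICE", "inspect"): "INSPECTING",
        ("INSPECTING", "passed"): "IN_SERVICE",
        ("INSPECTING", "failed"): "SCRAPPED",
    }
    TERMINAL = {"SCRAPPED"}

    def __init__(self):
        self.instances = {}   # identifier -> {"state": ..., "roadworthy": ...}
        self.queue = deque()  # pending (identifier, event) pairs, never dropped
        self.log = []         # (identifier, event, state entered)

    def create(self, ident, roadworthy):
        self.instances[ident] = {"state": "IN_SERVICE", "roadworthy": roadworthy}

    def generate(self, ident, event):
        """Events carry the identifier of the receiving instance."""
        self.queue.append((ident, event))

    def action(self, ident, state):
        """Moore style: one action per state, whichever transition entered it."""
        if state == "INSPECTING":
            verdict = "passed" if self.instances[ident]["roadworthy"] else "failed"
            self.generate(ident, verdict)   # queued, not handled recursively
        elif state in self.TERMINAL:
            del self.instances[ident]       # terminal state ends the instance

    def run(self):
        """Handle queued events one at a time, each to completion."""
        while self.queue:
            ident, event = self.queue.popleft()
            instance = self.instances[ident]
            target = self.TRANSITIONS.get((instance["state"], event))
            if target is None:
                # Assumption of this example: an unexpected event is an error.
                raise LookupError(f"{ident}: no transition for {event!r} "
                                  f"in state {instance['state']}")
            instance["state"] = target
            self.action(ident, target)
            self.log.append((ident, event, target))
        return self.log


def demo():
    vehicles = Vehicles()
    vehicles.create("V1", roadworthy=True)
    vehicles.create("V2", roadworthy=False)
    vehicles.generate("V1", "inspect")
    vehicles.generate("V2", "inspect")
    return vehicles.run(), sorted(vehicles.instances)


if __name__ == "__main__":
    log, remaining = demo()
    for entry in log:
        print(entry)
    print("remaining instances:", remaining)
```

The verdict event that V1 generates while entering INSPECTING is handled only after V2's already queued "inspect", which is the queuing behavior the run-to-completion rule implies.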

Language Characteristics

Table 5 below provides an overview of the salient characteristics of the Shlaer-Mellor language, as per the categorization scheme defined in Section 2 of this chapter.

Fig. 23 An example of a Shlaer-Mellor Action Data Flow Diagram

Table 5 Shlaer-Mellor Language Characteristics

| Language characteristic | Support | Remarks |
|---|---|---|
| Target domain | Reactive real-time systems | |
| Domain coverage | Full | The Shlaer-Mellor modeling language focused primarily on application modeling, but it could also be used to model the software elements of a platform using the same language constructs. Nevertheless, it did not have explicit concepts for representing hardware. The associated OOA method, however, did provide guidelines on how to deal with specific hardware platforms by means of customizable platform-specific code generators |
| Development cycle coverage | Full-cycle | |
| Purpose of models | Descriptive and prescriptive models | |
| Multiple abstraction levels | Yes | |
| Primary syntactical form | Graphical | A textual syntax was provided for modeling detail-level data and actions. |
| Primary language paradigms | Object-oriented and event-driven | The primary language paradigm for modeling structure was object-oriented, although the model of inheritance was unconventional since it did not collapse the inheritance hierarchy at run time. The primary behavioral paradigm is based on event-driven state machines |
| Precision level | Implementation | |
| User-defined extensibility | None | |
| Tool support | Yes | There existed several commercial tools that supported the original Shlaer-Mellor method, including one from the company set up by the two primary inventors of the approach, Sally Shlaer and Stephen Mellor. Some of these tools evolved along with the migration of the Shlaer-Mellor method to executable UML language and method. |
| Language resources | Yes | In addition to the original technical volume describing the method (Shlaer and Mellor 1992), there were numerous training courses available from several commercial enterprises |
| Primary model of computation | Event-driven | |
| Representation of time | Yes | The Shlaer-Mellor method included explicit support for timers and timing. For example, timers could be used to trigger transitions in state machines. Current time values could be accessed from the virtual machine. However, there is no explicit support for multiple time sources; a single centralized time source is assumed. Hence it is not particularly well suited for modeling distributed applications where such multiple sources might exist |
| Modeling QoS | None | |
| Platform modeling | Partial | A primary objective of the Shlaer-Mellor approach was to ensure that the application software could be ported to different platforms with minimal or no change. To achieve that objective, the platform is partitioned into two distinct layers: an architecture layer, which provided a hardware-independent interface to the application, and an “implementation” layer that contained the underlying hardware. The architecture could be treated as yet another domain (the Architecture Domain) and therefore could be modeled using the standard Shlaer-Mellor language constructs for capturing logical representations of platform entities such as concurrency units and data storage facilities. No specific modeling constructs were provided for specifying hardware entities (i.e., the Implementation Domain) |
| Modeling deployment | None | |

3.1.6 HRT-HOOD

Hard Real-Time HOOD (HRT-HOOD) (Burns and Wellings 1995) is a specialization of the Hierarchical Object Oriented Design (HOOD) method and modeling language. It was developed by Alan Burns and Andy Wellings of the University of York to provide modeling support for a category of Ada-based hard real-time systems. A primary objective was that models developed with HRT-HOOD could be formally analyzed and validated for key real-time QoS characteristics, such as timeliness and dependability.

The original HOOD method and language were developed under the auspices of the European Space Agency (ESA) in the late 1980s and, at one time, were mandatory for its major space programs (European Space Agency (ESA) 1989). It has also been used in various defense and aerospace applications. The initial release focused on the Ada programming language, which was being mandated at the time by government defense agencies in a number of countries. Support for other languages, including Fortran, C/C++, and Eiffel, was added later. The objective was for the language to cover the full development cycle, from high-level architecture modeling to implementation (using automated code generation to a chosen target language).

HRT-HOOD provides specializations of certain existing HOOD concepts and also imposes constraints on the use of others to ensure that the objective of formal analyzability is maintained. For example, HOOD supports just two types of objects: passive and active (the latter corresponds to objects that execute on their own thread). HRT-HOOD allows both of these (although it adds constraints on how and where they can be used) but also adds three additional types that are commonly encountered in hard real-time systems. As already noted, there are a large number of well-formedness rules or constraints, which are defined to ensure that models can be analyzed by formal means.

Like HOOD, HRT-HOOD focuses primarily on the high-level structural aspects of an application; that is, which objects exist, what services (operations) they provide, and how they are mutually related at run time. Where appropriate, detailed QoS data is directly included in the model, such as worst-case execution times (WCETs), periods, and the like. This information is used for analyzing properties such as timeliness. However, HRT-HOOD does not provide any formalism for modeling behavior – the choice is left to the modeler. In addition to a relatively compact graphical syntax, the HRT-HOOD modeling language also provides an equivalent textual syntax. This can be parsed by code generators to produce code “skeletons” in the chosen target language. The generated skeletons are then refined manually with appropriate program code.

Modeling Language

A partial specification of the basic HRT-HOOD modeling constructs is provided in Fig. 24 below.


Fig. 24 Basic language concepts of HRT-HOOD

The essential concept is an object. (Note that, despite the “OO” within its name, HRT-HOOD, like HOOD itself, does not support inheritance in the object-oriented sense of the term.) Objects encapsulate their internals in the traditional manner, exposing only an interface in the form of provided operations; that is, operations that can be invoked by other objects. The behavior of an object is described by its Object Control Structure (OBCS), which, as explained above, is not specified by the modeling language. Instead, it is meant to be inserted in the appropriate place in the generated code skeleton by programmers using the chosen target programming language.

Objects can contain other “child” objects, which are fully encapsulated. This decomposition can be carried to an arbitrary degree, terminating with so-called terminal objects. To aid in analysis, terminal objects have associated real-time attributes that capture various required QoS properties of the object (e.g., WCET, period, scheduling priority). In HRT-HOOD diagrams, these attributes are shown in tabular form (enclosed by double-lined rectangles).

HRT-HOOD objects can be one of the following five types:
• Passive objects (indicated by “Pa” in the “object type” field of the graphic) correspond to traditional objects as found in object-oriented languages such as C++ or Java. When one of their provided operations is invoked, they respond immediately using the thread of the invoking object. In other words, they cannot block a caller.
• Active (“A”) objects, on the other hand, have their own execution thread, allowing for modeling concurrency. They control whether, when, and how they will respond to invocations of their provided operations.
• Protected (“Pr”) objects are passive objects that control access to data that might be shared by more than one thread (similar to Hoare’s monitors (Hoare 1974)). This means that they can block a caller depending on their internal state.
• Cyclical (“C”) objects are special kinds of active objects that model cyclical time-driven activities that are executed periodically.
• Sporadic (“S”) objects are also specialized active objects and are used for capturing aperiodic event-driven behavior.

Operations of objects are either constrained or unconstrained. Unconstrained operations are executed immediately when invoked, using the thread of the invoker. Passive objects can only have unconstrained operations. For active objects, the situation is more complex. Response to an invocation depends on the OBCS, which decides which of potentially multiple pending invocations to accept at a given time. However, depending on the nature of the operation and the requirements of the invoker, an operation can be invoked in one of the following ways:
• Asynchronous Execution Request (ASER). This is an asynchronous communication paradigm: the caller is not blocked, and the request is queued to be accepted by the OBCS when deemed appropriate.
• Loosely Synchronous Execution Request (LSER). In this case, the caller is blocked until the request is accepted by the receiver. At that point, the caller is unblocked, and the receiver commences execution of the invoked operation using its own thread.
• Highly Synchronous Execution Request (HSER). This is fully synchronous invocation, like the Ada rendezvous. The caller is blocked until the execution of the invoked operation is completed (on the thread of the receiver), at which point the caller and receiver continue executing concurrently.

There are also two timed variations of the LSER and HSER methods (TOER_LSER and TOER_HSER respectively), whereby the caller associates a timeout with the invocation. If the invocation does not complete by the time when the timeout expires, the invocation will terminate, and the caller will proceed as if the invocation was completed. In the HRT-HOOD diagrams, constrained invocations are indicated by the type followed by a zig-zag arrow graphic.
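The following added Python sketch (not taken from the handbook or from any HRT-HOOD tool) mimics the ASER, LSER and HSER invocation modes and the timed LSER variant against an active object. The `ActiveObject` and `Request` classes, the FIFO acceptance order and the on/off gate standing in for the OBCS acceptance policy are assumptions made for illustration.

```python
import queue
import threading


class Request:
    """One pending invocation of a constrained operation (hypothetical helper)."""

    def __init__(self, op, args):
        self.op, self.args = op, args
        self.accepted = threading.Event()    # set when the OBCS accepts the request
        self.completed = threading.Event()   # set when the operation has finished
        self.result = None
        self._lock = threading.Lock()
        self._withdrawn = False

    def try_accept(self):
        """Called by the OBCS; fails if a timed-out caller already withdrew it."""
        with self._lock:
            if self._withdrawn:
                return False
            self.accepted.set()
            return True

    def withdraw(self):
        """Called by a timed-out caller; fails if the request was already accepted."""
        with self._lock:
            if self.accepted.is_set():
                return False
            self._withdrawn = True
            return True


class ActiveObject:
    """Active object: requests are served on its own thread by a simple OBCS."""

    def __init__(self):
        self._pending = queue.Queue()
        self._willing = threading.Event()    # assumption: acceptance policy is a gate
        self._willing.set()
        threading.Thread(target=self._obcs, daemon=True).start()

    def hold(self):
        self._willing.clear()

    def resume(self):
        self._willing.set()

    def _obcs(self):
        while True:
            req = self._pending.get()        # assumption: FIFO acceptance order
            self._willing.wait()
            if req.try_accept():
                req.result = req.op(*req.args)
                req.completed.set()

    def _submit(self, op, args):
        req = Request(op, args)
        self._pending.put(req)
        return req

    def aser(self, op, *args):
        """ASER: queue the request and return at once."""
        self._submit(op, args)

    def lser(self, op, *args, timeout=None):
        """LSER (TOER_LSER when a timeout is given): True once accepted."""
        req = self._submit(op, args)
        return req.accepted.wait(timeout) or not req.withdraw()

    def hser(self, op, *args, timeout=None):
        """HSER (TOER_HSER when a timeout is given): returns (completed, result)."""
        req = self._submit(op, args)
        if req.completed.wait(timeout):
            return True, req.result
        req.withdraw()                       # an operation already running is not aborted
        return False, None


def demo():
    obj, log, finish, seen = ActiveObject(), [], threading.Event(), {}
    obj.hold()                               # OBCS refuses to accept anything for now
    obj.aser(log.append, "aser")
    seen["aser_returned_before_execution"] = (log == [])
    seen["toer_lser_accepted"] = obj.lser(log.append, "never", timeout=0.05)
    obj.resume()

    def slow():
        finish.wait()
        log.append("lser")

    seen["lser_accepted"] = obj.lser(slow)   # unblocks on acceptance, not completion
    seen["lser_returned_before_completion"] = ("lser" not in log)
    finish.set()
    seen["hser"] = obj.hser(lambda: list(log))
    return seen
```

The withdrawn TOER_LSER request never runs, which is why "never" is absent from the log that the final HSER call returns.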
An object can invoke operations on other objects in its context (i.e., its external “peers” in the same decomposition frame) or its child objects. These use relationships are indicated in the diagrams by solid directed arcs from the using object to the used object. Optionally, a dataflow annotation can be placed next to the arc, indicating the type of data being passed and direction of flow. Note, however, that these annotations are informal and serve a purely documentational purpose. Finally, operation invocations that are delegated to corresponding operations of child objects are denoted by dashed directed lines. An abstract example of an HRT-HOOD diagram is shown below (Fig. 25).

Fig. 25 An abstract example of an HRT-HOOD diagram

Language Characteristics

Table 6 below provides an overview of the salient characteristics of the HRT-HOOD language, as per the categorization scheme defined in Section 2 of this chapter.

Table 6 HRT-HOOD Language Characteristics

| Language characteristic | Support | Remarks |
| --- | --- | --- |
| Target domain | Safety-critical hard real-time systems | |
| Domain coverage | Partial | Only architectural level modeling is supported. |
| Development cycle coverage | Full-cycle | |
| Purpose of models | Descriptive and prescriptive models | The detail level data and action specifications were meant to be programmed using the Ravenscar profile of Ada. |
| Multiple abstraction levels | Yes | |
| Primary syntactical form | Graphical | |
| Primary language paradigms | Object-based and control-flow-based | The HRT-HOOD language was defined at the time that some OO features were added to Ada-95. However, these are not supported explicitly in the modeling language. Interactions between objects are achieved by means of control-flow based Ada rendezvous. |
| Precision level | Codified | HRT-HOOD models were meant to serve as prescriptive specifications for implementations using the Ravenscar version of Ada. Consequently, its concepts were constrained to satisfy the semantics of that profile. |
| User-defined extensibility | None | |
| Tool support | Partial | The vision behind HRT-HOOD included a comprehensive computer-based set of tools for formally analyzing the timeliness and dependability characteristics of models. The feasibility of such a toolset was investigated and partially validated empirically during the development of the language. At that time, a number of commercial vendors of HOOD tools also expressed an interest in supporting the language. However, at the time of this writing it appears that tool support for HRT-HOOD is quite limited. An extensive search on the world wide web revealed only a single relatively small commercial tool vendor that includes some support for the language but only as part of a broader HOOD tool offering. |
| Language resources | Partial | Both the language and the method are described in a textbook published by the creators of the language (Burns and Wellings 1995). This includes a description of how an HRT-HOOD model can be systematically realized using the Ada-95 or Ada-83 programming languages. |
| Primary model of computation | Object-based and control-flow based | |
| Representation of time | Yes | HRT-HOOD is focused on centralized systems, so the model of time is based on that premise. This means that there is no provision for dealing with multiple time sources or the imperfections of individual clocks. However, the ability to analyze the timing properties of an HRT-HOOD design was one of the primary motivators for the language. Therefore, there is strong support in both the language and the method for such analyses. |
| Modeling QoS | Partial | The only QoS characteristics other than time that could be specified in an HRT-HOOD model are scheduling parameters. (This was needed for analyzing the timeliness characteristics of the design.) |
| Platform modeling | None | |
| Modeling deployment | None | |


3.1.7 Real-Time Object-Oriented Modeling (ROOM)

The Real-time Object Oriented Modeling (ROOM) language was a component-based language, which emerged in the telecom domain, and was primarily designed for complex event-driven real-time systems. It was one of the first true class-based object-oriented modeling languages, with full support for inheritance for both structure and behavior. For the latter, it relied on a restricted variant of Harel’s statecharts. The structure modeling capabilities of ROOM were particularly rich and were designed to capture complex dynamic software architectures and included an explicit capability to represent layered systems. It was the first real-time modeling language to explicitly support the concept of ports – discrete interface points. In addition, it was the first such language to introduce the notion of bi-lateral protocols as a method for typing port-based interfaces. A protocol was defined as a collection of input and output signals or invocations. Most of these concepts were later integrated into OMG’s UML language. ROOM itself was later translated into a special “dialect” of UML called UML-RT.

The ROOM language was fully formal and the resulting models were executable. Detailed actions could be specified in traditional programming languages, such as C or C++. The entire model could then be automatically translated into an implementation in that programming language. However, this program relied on an underlying ROOM virtual machine, which enforced the semantics of the language (i.e., communication paradigm, concurrency management, etc.).

Basic Language Structure

ROOM had a clear distinction between architectural level modeling and detailed modeling. The former used a graphical syntax to capture high-level structure and behavior (state machines). The detail level was primarily textual and was used to capture data and detailed behavior. Inheritance relationships were represented textually using indented lists.

Basic Language Concepts

ROOM only used two diagram types: Structure diagrams, for capturing object classes, and State machine diagrams, for describing state machine behavior. (NB: later versions also supported a basic form of message sequence charts.) The basic elements of the ROOM structural modeling language are shown in Fig. 26.

The fundamental structural entity in the language is called an actor. This is a potentially concurrent (i.e., “active”) object that had an external and an internal structure. The external structure of an actor comprises a set of zero or more discrete interaction points called ports. A port was typed by a protocol, which consists of a set of incoming and outgoing signals that could pass through the port as part of a collaboration between actors. Clearly, what is incoming and what is outgoing depends on which end of an interaction an actor is playing. That is, what is incoming on one end is going to be outgoing on the other. To avoid duplicating protocol types for opposing ends, ROOM declares protocols from the perspective of just one of the ends and uses the concept of port conjugation to type the port at the opposite end. A conjugated port simply inverts the declared incoming and outgoing signals of its protocol type. In the notation, a conjugated port is recognized by the inversion of its color fill scheme (black-on-white instead of white-on-black).


Fig. 26 ROOM structure modeling concepts

There are two types of ports. Relay ports simply transfer onwards any signals received – regardless of whether they are incoming or outgoing. End ports, on the other hand, are ports to the state machine component of the actor. A port may be replicated, which indicates that there is a collection of port instances all of the same type.

The internal structure of an actor consists of zero or more instances of other actor classes, called references or components. These component references may connect to each other via bindings that join their ports. Bindings can only be drawn between ports of compatible types. Port types are considered compatible if the incoming signals of one are matched by outgoing signals of the other, and vice versa. Bindings represent explicit communication channels and clearly identify all possible interactions that an actor reference has in a given context. Like ports, reference components may be replicated, meaning that they represent an array of instances of the same type (note, however, that each instance in the array is independent of the others and operates concurrently with them).

One special component of an actor is the controller component that contains the actor’s state machine. The state machine communicates with the rest of the world, including its peer components, via its end ports. Unlike STATEMATE, the controller component is not depicted explicitly in a structure diagram but is implied by the presence of its end ports. As noted, ROOM uses a restricted form of Harel statecharts, with the following primary differences:
• The region construct of statecharts is not supported. If concurrent entities are to be modeled, they should be represented explicitly by distinct actor reference components. This also ensures that the interaction between concurrent components is explicit.
• States are modeled as encapsulations. This means that transitions cannot cross state boundaries. If a transition outside the state needs to connect to a substate inside a state, it has to do so indirectly, by connecting to an explicit entry or exit point (depending on the direction of the transition), from which a separate transition connects to the desired substate. This has an important advantage when used with state machine inheritance. Namely, this allows a simple state in an ancestor actor class to be refined into a composite state in a subclass, without affecting the definition of the ancestor class.


• In cases where different transitions at different levels in the decomposition are triggerable by the current event, ROOM gives priority to the innermost transition (unlike STATEMATE, where it is the outermost that is selected).

Once a transition is triggered in a state machine, the event is processed fully before any further events are considered. This is known as the run-to-completion paradigm. It has the advantage that it avoids concurrency conflicts that might occur in the context of a single state machine. While the transition is taking place, any arriving communication events will be queued. (NB: This approach was used in UML state machines as well. STATEMATE Statecharts exhibit a similar semantics, except that they are based on the assumption that transition execution is instantaneous.)

Both synchronous and asynchronous communications are supported in ROOM. However, in recognition of the need for timely responses in real-time systems, a priority can be attached to a message, such that higher-priority queued events may be processed earlier than lower priority ones. The choice of scheduling discipline is not mandated but is left as an implementation-specific issue.

Language Characteristics

Table 7 below provides an overview of the salient characteristics of the ROOM language, as per the categorization scheme defined in Section 2 of this chapter.

Table 7 ROOM Language Characteristics

| Language characteristic | Support | Remarks |
| --- | --- | --- |
| Target domain | Reactive real-time systems | ROOM was originally designed for complex telecom applications, such as data or voice switching. However, in practice it was applied to a variety of different soft real-time event-driven applications. |
| Domain coverage | Partial | The modeling language only addressed application modeling. However, the same language concepts could also be used to model elements of the software platform. No specific constructs were provided for modeling hardware. |
| Development cycle coverage | Full-cycle | This included full code generation from prescriptive models. |
| Purpose of models | Descriptive and prescriptive | |
| Multiple abstraction levels | Yes | In addition to the graphical architectural-level language, ROOM included an object-oriented detail language called rapid prototyping language (RPL), which was based on Smalltalk-80. However, that language was only intended for prototyping, since it included garbage collection, which is generally not compatible with real-time concerns. So, for actual implementation-oriented models, a traditional language such as C or C++ was used. |
| Primary syntactical form | Graphical | |
| Primary language paradigms | Object-oriented and event-driven | ROOM was one of the first executable modeling languages that supported all the characteristics of the object paradigm, including inheritance. |
| Precision level | Executable | The semantics of the language were specified in the form of a virtual machine specification written in C++. |
| User-defined extensibility | None | |
| Tool support | Yes | The language was single-source supported by the ObjecTime tool from ObjecTime Limited. It enabled the creation and modification of models, as well as simulation in the development environment. The simulator had rich debugging capabilities and could be coupled to external devices and programs. Some basic analysis capabilities were included with the ObjecTime tool. A code generation capability for C/C++ and Java languages was provided. |
| Language resources | Language definition and methodology guide | The language was fully specified in the “ROOM book” (Selic et al. 1994), which was made available with every ObjecTime license. In addition, courses were available with suitable training material. However, these became obsolete with the purchase of ObjecTime Limited by Rational Software. |
| Primary model of computation | Event-driven | The underlying model of computation of ROOM was event-driven, based on synchronous or asynchronous communications between collaborating actor state machines. A time-triggered paradigm could be emulated using the timing service, which could be ordered to periodically send a time signal. However, timely response to such signals could not be guaranteed, since the essential paradigm was not time-driven. |
| Representation of time | Yes | ROOM supports a Timing service, which was provided by the ROOM virtual machine. This service could be used either for interval timing or time-of-day notifications. In either case, when the desired instant of time is reached, a signal is sent to the requesting state machine, which can then be handled in the usual manner. However, for interval timers, time values are specified in terms of clock ticks rather than an explicit physical time measure. Since all time-related operations are handled by the underlying virtual machine, there is no assumption about a single time source in ROOM. However, a model cannot choose which time service instance to use in situations where the implementation of the virtual machine might be distributed. |
| Modeling QoS | None | |
| Platform modeling | Partial | ROOM used the concept of service access points and service provision points to enable modeling of software platforms. These could be modeled using ROOM as well. However, no special provision was available for modeling hardware resources or their qualities of service. |
| Modeling deployment | None | The ObjecTime toolset provided facilities for mapping ROOM actors to logical threads, which represented units of concurrency and scheduling. These could then be separately mapped to actual physical (i.e., OS) processes. However, this was a feature of the toolset and not the language itself. |
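Port conjugation and the binding compatibility rule described in this section can be checked mechanically, as in the following added Python example (not code from the handbook or from ObjecTime). The `Protocol` and `Port` classes, the strict set-equality reading of "matched" and the sample call-control signals are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Protocol:
    """A ROOM protocol, declared from the perspective of one end only."""
    name: str
    incoming: frozenset
    outgoing: frozenset


@dataclass(frozen=True)
class Port:
    """An interaction point on an actor, typed by a protocol."""
    owner: str
    name: str
    protocol: Protocol
    conjugated: bool = False

    @property
    def incoming(self):
        # A conjugated port inverts the declared directions of its protocol.
        return self.protocol.outgoing if self.conjugated else self.protocol.incoming

    @property
    def outgoing(self):
        return self.protocol.incoming if self.conjugated else self.protocol.outgoing

    def __str__(self):
        return f"{self.owner}.{self.name}"


def binding_errors(a, b):
    """Return the reasons why ports a and b may not be bound (empty = compatible).

    Assumption: "matched" is read strictly, so the incoming set of each port
    must equal the outgoing set of the other.
    """
    errors = []
    for sender, receiver in ((a, b), (b, a)):
        for sig in sorted(sender.outgoing - receiver.incoming):
            errors.append(f"{sender} sends {sig}, which {receiver} does not accept")
        for sig in sorted(receiver.incoming - sender.outgoing):
            errors.append(f"{receiver} expects {sig}, which {sender} never sends")
    return errors


def check_structure(bindings):
    """Check every binding of an actor's internal structure; map binding -> errors."""
    report = {}
    for a, b in bindings:
        errors = binding_errors(a, b)
        if errors:
            report[f"{a} <-> {b}"] = errors
    return report


# Constructed sample: a call-control protocol declared from the caller's side.
CALL = Protocol("Call", incoming=frozenset({"ringing", "connected"}),
                outgoing=frozenset({"dial", "hangup"}))
# A separately declared switch-side protocol that omits "hangup".
LEGACY = Protocol("LegacySwitch", incoming=frozenset({"dial"}),
                  outgoing=frozenset({"ringing", "connected"}))

phone = Port("phone", "line", CALL)
switch = Port("switch", "subscriber", CALL, conjugated=True)
old_switch = Port("oldSwitch", "subscriber", LEGACY)
phone2 = Port("phone2", "line", CALL)


def demo():
    return check_structure([(phone, switch), (phone, old_switch), (phone, phone2)])
```

Only the binding to the conjugated port passes; two unconjugated ports of the same protocol fail in both directions because each end sends what the other also sends.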
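The behavioral rules stated above for ROOM state machines (innermost transition first, run-to-completion, prioritized queued events) are illustrated by the following added Python example, which is not code from the handbook or the ROOM virtual machine. The `State` and `Controller` classes, the priority-then-arrival queue discipline and the telephone states are assumptions; entry and exit points and synchronous communication are not modeled, and the outermost-first switch is only a contrast with the selection rule the text attributes to STATEMATE.

```python
import heapq
from itertools import count


class State:
    """A state; `parent` is the enclosing composite state (None at the top)."""

    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.transitions = {}          # signal -> (target state, optional action)

    def on(self, signal, target, action=None):
        self.transitions[signal] = (target, action)
        return self


class Controller:
    """Hypothetical stand-in for an actor's state machine and its event queue."""

    def __init__(self, initial, innermost_first=True):
        self.state = initial
        self.innermost_first = innermost_first
        self.trace = []
        self._queue = []               # heap of (-priority, arrival order, signal)
        self._arrival = count()
        self._running = False

    def send(self, signal, priority=0):
        heapq.heappush(self._queue, (-priority, next(self._arrival), signal))
        if not self._running:          # otherwise the event just waits in the queue
            self._run()

    def _run(self):
        self._running = True
        try:
            while self._queue:
                _, _, signal = heapq.heappop(self._queue)
                self._dispatch(signal)  # runs to completion before the next pop
        finally:
            self._running = False

    def _dispatch(self, signal):
        # Collect the states with an enabled transition, current state outwards.
        scopes, scope = [], self.state
        while scope is not None:
            if signal in scope.transitions:
                scopes.append(scope)
            scope = scope.parent
        if not scopes:
            self.trace.append(f"{signal}: dropped in {self.state.name}")
            return
        chosen = scopes[0] if self.innermost_first else scopes[-1]
        target, action = chosen.transitions[signal]
        self.trace.append(f"{signal}: {chosen.name} -> {target.name}")
        if action:
            action(self)               # may call send(); those events are queued
        self.state = target


def build(innermost_first):
    """Constructed sample machine: Top contains Idle and Connected > Talking."""
    top = State("Top")
    idle = State("Idle", top)
    connected = State("Connected", top)
    talking = State("Talking", connected)

    def release(ctl):
        ctl.send("billing")            # default priority 0
        ctl.send("alarm", priority=9)  # arrives later, but outranks "billing"

    top.on("hangup", idle).on("billing", idle)
    connected.on("hangup", idle, release)
    idle.on("alarm", idle)
    return Controller(talking, innermost_first)


def demo(innermost_first=True):
    ctl = build(innermost_first)
    ctl.send("hangup")
    return ctl.trace, ctl.state.name
```

With innermost-first selection the `Connected` transition fires and its two queued events are handled only after it completes, highest priority first; with outermost-first selection the `Top` transition fires instead and the release action never runs.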

3.2 Recent RT Modeling Languages

The group of languages described in this section represent the state of the art in real-time language design at the time of this writing.

3.2.1 AADL

The Architecture Analysis and Design Language (AADL) is primarily focused on mission-critical and safety-critical systems (Feiler and Gluch 2012). It was originally derived from the MetaH architecture description language, but it is now promoted by the Society of Automotive Engineers (SAE), which also officially manages its definition and release (Society of Automotive Engineers 2012). At the time of this writing, the current officially released version is version 2.1, which was published in 2012 (AADLv2). A distinguishing feature of AADL is that, thanks to the precise definition of its concepts and related constraints, models at different levels of abstraction can be analyzed by formal methods. A separate set of annexes to the language specification provides facilities and methods for different kinds of analyses, including fault and safety analysis. The language is partial in the sense that, for more detailed models, such as prescriptive models, it needs to be complemented with one or more other languages, including possibly traditional programming languages.

Modeling Language

AADL consists of two related sub-languages: one for modeling the (software) architecture of the application and the other for modeling the underlying platform. The term “architecture” here refers to the structural aspects of the application, with a rather basic capability for specifying different operational modes of systems. In addition, a more recent release of the language includes an annex that supports modeling of behavior using relatively basic state-based automata.


The two languages use a common basic structural abstraction called the component. Concrete refinements of this high-level abstract concept are, in essence, generalized representations of common implementation technologies specific to the real-time domain, such as processes and threads. However, regardless of their specific nature, components all share a common conceptual framework. This framework distinguishes between a component type declaration and a component implementation specification. A component type specifies just the external face (i.e., “black-box” view) of a category of components, equivalent to the concept of an abstract class in object-oriented languages. Component implementations, on the other hand, capture the implementation detail of the type, typically comprising a pattern of communicating parts, called subcomponents. Crucially, a given component type can have multiple different implementations.

Regardless of its kind, a component type specification contains the following declarations:
• The kind of component (e.g., process, thread, ...) and unique name of the component type
• The name of the component that this component extends (optional)
• Set of publicly accessible features (i.e., interaction points with other components)
• Data or control flows that pass through this component (optional)
• Set of properties of this component, which specify various QoS and other parameters of the component and their values (scheduling priority, execution timings, deadlines, etc.); these are typically used for various types of formal and informal analyses

Note the use of the optional “extends” declaration, which is used to specialize a more abstract component type, in the style of object-oriented classification strategies.

A component implementation specification contains the following declarations:
• The kind of component and the unique name of the implementation
• The name of the component type that it implements (“refines”)
• An optional name of the component implementation that this implementation specializes (“extends”)
• A list of subcomponents that are part of the implementation
• A possibly empty list of subprograms that this implementation calls
• A specification of all connections between subcomponents or between subcomponents and component type interface points
• A possibly empty list of flows through the component
• A list of operational modes of the component
• A list of properties associated with the implementation

The basic component types for describing applications are depicted in Fig. 27.


Fig. 27 AADL application modeling concepts

A system component is an abstraction representing some composite of software and hardware with a clearly defined purpose. The intent behind this concept is to provide abstract generalized views of elements in early phases of development, which may be refined later in the development cycle into more specific component types. A process component is a generalization of the common operating system concept representing a protected address space containing some code and data. Continuing with the operating system analogy, a thread component represents a concurrent schedulable entity in the context of a process. Threads may have defined properties such as timing data (e.g., worst-case execution time), dispatching type (periodic or aperiodic), required memory space, etc. An AADL process must contain at least one thread. AADL thread groups represent convenient units of reuse, comprising a grouping of data and threads that share common properties. Data component types and instances include data type declarations and data type instances that can be included in a process or thread. Finally, subprograms in AADL represent invokable code units. Software component implementations must explicitly declare all the subprograms that they invoke. It is possible to declare valid subprogram call sequences to specify the correct order of invocations of multiple subprograms. Note that a subprogram implementation does not actually contain the code, which could be written in some programming language. Ports are features of application components that are used to represent different kinds of interaction points of components. Data ports are used for transmission of instances of data types. These types of ports do not involve queues. Event ports are for message-based communication (e.g., triggering of mode transitions) and may have an associated queue. The receiving component can process messages in this queue as appropriate. 
Event data ports are for message-based communication for events that may include data. Connections between ports can only be made between compatible ports, that is, a receiving port must be able to accept information sent by

2 Modeling of Real-Time Software Systems

81

Fig. 28 AADL platform modeling concepts

the transmitting port. Examples of the graphical representation of port connections can be seen in Fig. 27 (process component implementation). Figure 28 illustrates the concrete syntax notation of the concepts used to model platforms. A processor component represents a platform environment that can execute thread component instances. This does not necessarily represent just a hardware device, but may also include the software infrastructure (e.g., operating system) that handles the scheduling and dispatching functions. A processor implementation might specify the concrete hardware-software combination. It may also include as subcomponents memory components. Memory components are repositories of data and executable code. The properties may specify the type of memory (e.g., RAM, ROM). Bus components represent the hardware and software infrastructure used for communications. Finally, device components represent external devices by means of which an application interacts with that environment. Language Characteristics Table 8 below, provides an overview of the salient characteristics of the AADL language, as per the categorization scheme defined in Section 2 of this chapter. Table 8 AADL language characteristics Language characteristic Target domain

Domain coverage

Support Mission- and safety-critical real-time systems Partial

Development cycle coverage

Full-cycle

Purpose of models

Descriptive and prescriptive

Remarks Because of the high degree of criticality in these domains, it focuses primarily on hard-real time applications The language itself only covers the architectural aspects of systems and, optionally, some very high-level behavioral modeling capability. This includes both application and platform modeling. Everything else is expected to be handled by other complementary languages. AADL is particularly focused on producing models that can be analyzed even very early in the development cycle As noted above, a prescriptive AADL model needs to be complemented with specifications expressed in other modeling or programming languages (continued)

82

B. Seli´c

Table 8 (continued) Multiple abstraction levels Primary syntactical form

Yes

Primary language paradigms Precision level

Object-oriented and flow-based Codified

User-defined extensibility

Partial

Tool support

Yes

Language resources

Language specification, training courses

Primary model of computation

Object-oriented, flow-based, event-driven Yes

Representation of time

Textual

However, AADL only covers the architectural level specifications Although AADL does provide a graphical syntax (supplemented with textual annotations), from a practical point of view, the textual syntax is the dominant form. One important advantage of this is the ability to take advantage of the rich set of tools developed for textual languages, such as diff/merge, search, etc. Both inheritance and subtyping are supported The semantics of AADL are specified by a combination of natural language descriptions as well as syntactic and semantic well-formedness rules The standard language is extended by means of purpose-specific annexes. Users can define their own annexes for specific types of analyses There is an open-source AADL authoring tool called OSATE developed and maintained by the software engineering Institute at Carnegie-Mellon University (http://aadl.info). This serves as the reference implementation for the language and other AADL tools. It includes both textual and graphical editing capabilities and is supplemented with a number of specialized analysis tools (security, schedulability, latency, etc.). Another key tool, ocarina (http://www. openaadl.org), provides code generation as well as a variety of model verification capabilities (worst-case execution time, petri net analysis, etc.). A commercial AADL tool is available from Ellidiss (http://www.ellidiss.fr/public/wiki/wiki/AADL) The official language specification, including all the annexes, can be purchased from SAE (https://www. sae.org/standards/content/as5506/). In addition, training courses are available from the SEI. Also, there are several published books on how to apply AADL in practice (Delange 2017; European Space Agency (ESA) 1989) However, the highly specialized nature of the language means that there is not as yet a large community of experienced AADL practitioners to draw on

AADL has an explicit model of time with predefined time units (e.g., ps, ms, sec, ...). A single global time source is assumed.

Table 8 (continued)

Modeling QoS | Yes | The type mechanism allows the definition of various physical quantities expressed using appropriate physical units (e.g., feet, kilograms). A number of standard physical unit types are predefined.
Platform modeling | Yes | Explicit modeling of application platforms is one of the primary strengths of AADL, with a dedicated language subset defined expressly for that purpose.
Modeling deployment | Yes | The allocation of software components to platform components is done via a system’s property specification. It is possible to declare in advance which kinds of deployment bindings are allowed. This imposes constraints on the actual deployment that can be declared for a particular system instance. Note that for a given system, different system implementations can use different deployment strategies.

3.2.2 UML-Based RT Modeling Languages

The adoption of the Unified Modeling Language standard (Object Management Group (OMG) 2017) had a significant impact on the evolution of modeling languages in general. (Since UML is widely taught and used, basic familiarity with UML is presumed in this section.) Prior to its adoption, there were over 90 published object-oriented methods and languages, many of them supported by single-source tools. Consequently, the provision of a method- and vendor-agnostic industry standard was welcomed by industry in particular, causing a disruption in the modeling language domain in general. Demand for prior modeling languages (and their tools) dropped suddenly in favor of UML.

Although UML was a general-purpose modeling language, nominally not favoring any particular domain, the designers and vendors of many domain-specific modeling languages adapted by recasting their languages in a UML form. This was facilitated by the built-in ability of UML to provide for extending the language in the form of UML profiles (Selic 1999). The profile mechanism could be used in one of two ways:

• As a means for defining first-class UML-compatible domain-specific modeling languages and
• As a means for defining domain-specific annotation languages, which could be “overlaid” on existing UML-based models to recast them from a domain-specific viewpoint.

The latter form was particularly useful for supporting different kinds of analyses for models. Namely, annotating an existing UML model using an analysis-specific annotation profile could provide information that could be used for formal or informal analysis of a given type. (This can be compared to the AADL approach of specifying properties of model elements, except that it is not necessary to directly incorporate all the various types of properties of interest into the modeling language itself.)

One key advantage of the profile mechanism is that, because it is based on standardized built-in extensibility mechanisms of UML, modeling languages based on profiles can take advantage of many general-purpose UML tools as well as the widely available UML expertise (e.g., UML is taught in most software engineering curricula across the globe). Moreover, profiles themselves can be further specialized by users by taking advantage of the very same extension mechanism of UML. Therefore, it is relatively straightforward to produce highly customized domain-specific languages by these means.

The following five real-time modeling languages discussed are based on UML profiles. Three of them, UML-RT, Executable UML, and SDL (Z.109), are, in essence, recastings of the original modeling languages into a UML form. Since the original concepts and characteristics of those languages are described in Sects. 3.1.7, 3.1.5, and 3.1.4, respectively, they are only discussed briefly here, focusing on the differences relative to their corresponding originals.

3.2.3 UML-RT

UML for Real Time (Selic and Rumbaugh 1998), or UML-RT for short, is, in essence, a UML version of the ROOM modeling language (see Sect. 3.1.7) realized as a profile of UML, whereby the modeling concepts of ROOM are specified as specializations of standard UML concepts. For example, ROOM actors, renamed to capsules in UML-RT (to avoid conflicts with the use case actor concept), are modeled by a stereotype of the UML Class concept. This is achieved by imposing semantic and syntactic constraints on the base Class concept to ensure consistency with the corresponding ROOM concept.

One of the interesting consequences of this UML/ROOM merge is that UML-RT can take advantage of diagram types that were not available in ROOM, most notably the ability to express class hierarchies using UML Class diagrams. (ROOM used indented lists to represent inheritance relationships between classes, but no other types of class relationships.)

Tool Support

UML-RT was originally supported by the RSA-RTE tool from IBM Rational. This was a full-cycle tool, based on the IBM Rational System Architect tool. It provided model authoring, code generation, and a facility for executing UML-RT models. This tool was subsequently transferred by IBM to HCL and renamed RTist (https://www.hcltech.com/brochures/software/hcl-rtist). In addition, in collaboration with Ericsson of Sweden, a fully capable open source version of a UML-RT tool was built on top of the open-source Papyrus tool (Papyrus-RT). This tool can be obtained from the Eclipse Foundation (https://wiki.eclipse.org/Papyrus-RT).

Language Resources

Basic documentation for the UML-RT tools is available both from Eclipse and HCL. HCL also provides training including webinars. However, given its highly specialized nature, there is not a wide population of UML-RT expertise available.

3.2.4 Executable UML

Executable UML (sometimes abbreviated to xtUML) is a UML-based evolution of the original Shlaer-Mellor Object-Oriented Analysis (OOA) language and method (see Sect. 3.1.5).

Tool Support

The original OOA tool was designed and built by Project Technology. The company and the tool were later purchased by Mentor Graphics, where it was updated to a new version and renamed Bridgepoint. More recently, the source code for Bridgepoint has been placed in the public domain. A version of that tool, called BridgePoint Pro, is now maintained by OneFact, Inc. (https://onefact.net/products/bridgepoint-pro/).

Language Resources

Substantial resources for training in both the language and the associated method are available, including webinars and custom courses (see https://xtuml.org/learn/). An excellent starting point for learning about the language and its design philosophy can be found in the book by Balcer and Mellor (Balcer and Mellor 2002).

3.2.5 UML-SDL (UML Profile Z.109)

When the disruptive introduction of the UML language standard occurred, interest in SDL diminished significantly. To mitigate this effect, the International Telecommunications Union (ITU) responded to the introduction of UML by providing a UML profile for the SDL-2010 revision of the SDL language (ITU-T 2016). This was preceded by active participation of key SDL language designers who contributed significantly to the second major release of UML, UML 2.0. This ensured that the core SDL concepts could be readily expressed as specializations of appropriate UML concepts.

Tool Support

Tool support for SDL in its full form, with automated code generation and various analysis capabilities, has greatly diminished since the standardization of UML. A powerful and extensive SDL modeling capability, including the ability to create executable SDL models, is provided through the Pragmadev Studio suite of tools (http://www.pragmadev.com/product/studio.html). However, at the time of this writing, there does not seem to be any commercial tool support for the Z.109 profile.

Language Resources

The only substantial resource for the Z.109 profile is the ITU-T reference document itself (ITU-T 2016).

3.2.6 UML/MARTE

The Modeling and Analysis of Real-Time and Embedded Systems (MARTE) UML profile (Object Management Group (OMG) 2019) is a successor to an earlier profile adopted by the Object Management Group, the UML Profile for Schedulability, Performance, and Time (SPT) (Object Management Group (OMG) 2005; Selic and Gerard 2014). The intent behind both profiles was to specialize UML for both modeling and analyzing real-time software applications. The specific focus on schedulability and performance of SPT was due to the availability of proven and practical formal analysis methods. MARTE expanded on the conceptual foundations of SPT, providing a significantly more comprehensive constellation of modeling concepts and capabilities.

As its name suggests, MARTE provides support both for (a) modeling real-time software applications, and (b) analyzing such systems, preferably by formal methods. The result of the former is a rich domain-specific modeling language – which can be combined with standard UML where appropriate – while the latter provides a collection of analysis-specific annotation languages. Although only two such languages are included in the MARTE standard itself (one for schedulability analysis and the other for performance analysis), it has been the basis for a variety of other analysis-specific research profiles such as security, safety, and availability.

The specification of the MARTE standard covers over 700 pages and, due to space limitations, it is not possible to cover its concepts individually. Instead, the following provides an overview of the categories of concepts supported. An illustrative example of a simple MARTE model is provided at the end of the section.

The Organization of the MARTE Standard

The overall organization and content of the MARTE standard are depicted in Fig. 29.

Fig. 29 The organization and content of the MARTE profile


The MARTE Foundations Package

The Foundations package of MARTE is based on the conceptual model of platforms and platform services described in Sects. 2.2.3 and 2.2.4. It is focused on the following:

• The notion of a resource, which captures the finite nature of the computing and other platform hardware that ultimately underlies all software applications
• The notion of quality of service

In this approach, a platform consists of a set of physical and/or logical resources, which provide services, which can be characterized by their provided quality of service. Applications, on the other hand, are viewed as clients of these platform (resource) services, which require a necessary quality of service to meet their objectives.

The Foundation package of MARTE is itself decomposed into the following finer-grained concept groups:

• The basic resource modeling abstraction (i.e., resource as a provider of services)
• A basic classification of different resource categories (e.g., storage, communication, computing, concurrency support, hardware devices, etc.)
• A foundational model for specifying qualities of service (sometimes referred to as nonfunctional properties), either quantitatively (e.g., bits/sec) or qualitatively (e.g., earliest-deadline-first scheduling). Note that these could be expressed using a special language, called Value Specification Language, that is defined in an annex of the standard. A set of common predefined physical data types and corresponding physical data unit definitions is also included.
• A comprehensive model of time and timing resources such as clocks and timers (described further below).
• A general model of deployment for specifying how application components are deployed across elements of the platform.

The concepts in this package are then refined further in the modeling and analysis packages respectively.

Time Modeling in MARTE

MARTE supports modeling time in a variety of different ways, from purely logical time, to very precise physical time and time sources (clocks). Three distinct time-related modeling capabilities are provided:

• Modeling the structure of time. This includes the notion of multiple time bases and the relationships between them (e.g., for modeling physically distributed time sources).
• Modeling different forms of measuring time, from logical clocks to chronometric clocks. For instance, if desired, it is possible to specify detailed characteristics of individual clocks, such as their precision, accuracy, drift, etc.
• Modeling the usage of time, including time associated with event occurrences, durations of executable actions, time constraints.

MARTE provides for direct representation of phenomena commonly found in real-time and embedded applications and platforms. The concepts in this package are grouped into the following categories:

• General concepts for modeling software application components. This includes modeling of push/pull flow-based port interfaces to components (e.g., for modeling streaming applications) as well as discrete client-server interfaces.
• Abstract structural and behavioral concepts encountered in concurrent and time-sensitive software, with associated time-related characteristics (execution time, time of occurrence, deadlines, etc.) and resource management policies (e.g., queue management, mutual exclusion management).
• Concrete concepts for modeling application-level software resources, such as schedulable concurrency units (processes, threads, etc.), interrupts, memory partitions, as well as their methods of interaction (synchronous, asynchronous).
• Concrete concepts for modeling platforms and platform resources, including both their functional characteristics (memory, communication, etc.) and physical characteristics (e.g., layout, size).

The (General) Analysis Package

This package contains a generic model that captures a common category of demand-supply types of analyses (Fig. 30). The application represents the demand side and the platform the supply side. The purpose of these analyses is to determine if the specified platform can support the resource and service demands that are imposed on it by an application.

Fig. 30 The MARTE generic analysis model

Demand is specified by two items of information:

• Application resource usage scenarios, which capture the dynamic acquisition and release of resources over time
• The intensity or workload of resource demand (e.g., rate of service requests)

Supply is specified by the platform resources and resource services and their quality of service characteristics.

This generic model applies to many different kinds of engineering analysis. As noted earlier, the MARTE standard includes support for two specific types of analyses that fit this model: schedulability analysis, which is used to determine if all application deadlines will be met (applicable primarily for hard real-time systems), and performance analysis, which is based on queueing theory and can help in determining processing throughputs.

The analysis profiles provide concepts that can be used to annotate a UML, MARTE, or combined model with analysis-specific concepts and data. For example, in the case of performance analysis, elements of the original model can be supplemented (i.e., annotated) with information that identifies the clients and servers and their characteristics (e.g., arrival rates, service rates). This information can then be used by specialized analysis tools to make predictions.

An Example MARTE Model

The simple UML example in Fig. 31 is intended to provide some sense of how MARTE is used to model real-time systems. This application takes inputs from two sensors, whose inputs are accepted and processed in some application-specific manner by two concurrent processes (s1 and s2). The results of this processing are then dispatched to an archiver process, which sorts them and stores the results in a data base.

Fig. 31 Basic “unadorned” UML model


Fig. 32 A MARTE version of the example application model

This “unadorned” model does not specify any information that might be deemed critical for a real-time application. For example, it is not clear what the scheduling parameters of the three processes are (e.g., whether or not they can be preempted). Figure 32 shows a MARTE-based model of the same application. The stereotype tag «swSchedulableResource» is used to denote a logical unit of concurrency. This MARTE concept includes a set of attributes that identify, among other characteristics, its scheduling parameter data. In this simple example, only two of these parameters are shown: isStaticSchedulingFeature and isPreemptable. The model also shows that the data base requires a capacity of at least 1 MB (it is tagged as a storage resource with a capacity of 1,000,000 8-bit bytes). Finally, it also specifies that the archiver process must execute within 1 microsecond, as indicated by the parameter value of the MARTE «resourceUsage» tag. Since this is a model of the application, all of these parameter values specify the required QoS of this particular application.

The next step is to define a platform for this application and determine if that platform is capable of providing the resources and quality of service required. A candidate platform for this application is shown in the top part of Fig. 33. The platform model uses MARTE platform modeling concepts, such as «hwComputingResource» (representing a processing unit) and «hwMedia» (for modeling communications hardware). The bottom three elements shown in this diagram specify the class definitions of the MARTE elements that appear in the platform model, including the values of some of the key attributes. For example, the maximum speed rating of ProcessorS type processors is specified as 5 MIPS.

Fig. 33 A Platform model for the example application

The final step is to provide an application to platform deployment mapping, as shown in Fig. 34. A quick comparison of the required and provided QoS values indicates that this platform can satisfy the QoS requirements of the application. (The simplicity of the analysis of this example hides the general complexity involved in determining whether or not a given platform is satisfactory. This is because there is just one application running on the platform. The problem becomes much more involved if there are multiple applications sharing the same platform resources.)

Fig. 34 MARTE deployment specification for the example model

The following table summarizes the characteristics of the MARTE modeling language using the categorization framework introduced in Sect. 2.
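The comparison of required and provided QoS values in the MARTE example above can be mechanized. The following added example (not from the chapter or the MARTE standard) checks a deployment with a storage-capacity test and fixed-priority response-time analysis, and shows how a second application on a shared processor changes the verdict. The 5 MIPS rating and the 1,000,000-byte storage demand come from the chapter; the processor names, all timing values, the storage capacity, the `logger` task and the choice of response-time analysis are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:                 # demand side: one schedulable resource of an application
    name: str
    period_us: int          # workload intensity: one activation per period
    deadline_us: int        # required QoS (assumed <= period)
    instructions: int       # processor usage per activation


@dataclass(frozen=True)
class Processor:            # supply side: one computing resource of the platform
    name: str
    mips: int               # provided QoS: instructions per microsecond


def wcet_us(task, cpu):
    """Execution time of one activation on this processor, rounded up to whole us."""
    return -(-task.instructions // cpu.mips)


def response_times(tasks, cpu):
    """Worst-case response time per task under fixed-priority preemptive scheduling
    with deadline-monotonic priorities; None marks a missed deadline."""
    ordered = sorted(tasks, key=lambda t: t.deadline_us)
    result = {}
    for i, task in enumerate(ordered):
        own = wcet_us(task, cpu)
        r = own
        while True:
            # Interference from every higher-priority activation released in [0, r)
            nxt = own + sum(-(-r // hp.period_us) * wcet_us(hp, cpu) for hp in ordered[:i])
            if nxt > task.deadline_us:
                result[task.name] = None
                break
            if nxt == r:            # fixed point reached: r is the response time
                result[task.name] = r
                break
            r = nxt
    return result


def analyse(tasks, deployment, processors, storage_demand, storage_capacity):
    """Compare demand with supply; an empty list means the platform is sufficient."""
    findings = []
    if storage_demand > storage_capacity:
        findings.append(f"storage: {storage_demand} B required, {storage_capacity} B provided")
    for cpu in processors:
        hosted = [t for t in tasks if deployment[t.name] == cpu.name]
        for name, r in response_times(hosted, cpu).items():
            if r is None:
                findings.append(f"{name} on {cpu.name}: deadline missed")
    return findings


# Constructed platform: two processors at the chapter's 5 MIPS rating; the
# processor names and the storage capacity are assumptions.
PLATFORM = [Processor("p1", 5), Processor("p2", 5)]
STORAGE_CAPACITY = 4_000_000

# Constructed workload for the chapter's three processes (timing values are
# illustrative and are not the ones shown in the chapter's figures).
APP = [Task("s1", 10_000, 10_000, 10_000),
       Task("s2", 20_000, 20_000, 20_000),
       Task("archiver", 50_000, 40_000, 50_000)]
APP_STORAGE = 1_000_000     # storage demand stated in the chapter
APP_DEPLOYMENT = {"s1": "p1", "s2": "p1", "archiver": "p2"}

# Hypothetical second application that shares p2 with the archiver.
OTHER = [Task("logger", 20_000, 16_000, 80_000)]
OTHER_DEPLOYMENT = {"logger": "p2"}


def single_application():
    return analyse(APP, APP_DEPLOYMENT, PLATFORM, APP_STORAGE, STORAGE_CAPACITY)


def shared_platform():
    return analyse(APP + OTHER, {**APP_DEPLOYMENT, **OTHER_DEPLOYMENT},
                   PLATFORM, APP_STORAGE, STORAGE_CAPACITY)


if __name__ == "__main__":
    print("application alone:", single_application() or "all demands met")
    print("shared platform:  ", shared_platform() or "all demands met")
```

With the application alone every check passes; once `logger` is deployed on the same processor, its interference pushes the archiver past its deadline even though neither task changed.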

3.2.7 SysML

Strictly speaking, the Systems Modeling Language (SysML) is not a real-time modeling language, since it has a much broader scope, as it is intended for systems engineering. This, of course, includes the ability to model software-based components of systems. However, a common methodological guideline is that, once a component of a system model has been designated for realization in software, further development of that component should proceed using a real-time (modeling) language. In those circumstances, a UML-based language, such as MARTE, represents a good choice, given that the concepts of the current release of SysML are not only based on UML, but are, in fact, defined as specializations of UML through a UML profile. The language and its profile were developed and standardized by the OMG. (This coupling between UML and SysML is likely to change with the forthcoming release of the second major version of SysML, SysML 2.)

Language Characteristics

Table 9 below provides an overview of the salient characteristics of the SysML language, as per the categorization scheme defined in Section 2 of this chapter.

Tool Support

There exist both commercial and open-source SysML tools. Since SysML was defined as a UML profile, most UML tool vendors also provide support for SysML. Some tools even provide a model execution capability.

Language Resources

Since the initial adoption of the SysML standard in 2007, interest in the language has been steadily increasing, particularly within the systems engineering community. Training courses are available from numerous sources, as are several popular textbooks (Delligatti 2014; Friedenthal et al. 2008).

3.3 Other Real-Time Modeling Languages (RTMLs)

This section briefly describes two other notable modeling languages that are used in the real-time domain. Space limitations and intellectual property concerns prevent a more in-depth coverage in this chapter, but readers interested in learning more about them can consult the appropriate references.

3.3.1 Simulink and Stateflow

Two commercial software tools, Simulink and Stateflow, from MathWorks, Inc. (https://www.mathworks.com), are among the most widely utilized tools in the real-time domain. Simulink is a modeling and simulation environment that includes a graphical modeling language for modeling component-based systems. Stateflow is a state-machine modeling language that can be used for specifying the behavior of event-driven components appearing in a Simulink model. For example, this combination can be used in a manner analogous to the STATEMATE approach (see Sect. 3.1.3), where components specified using the Stateflow language act as controllers of other components in a Simulink model.

The Simulink language is similar in scope and approach to SysML (see Sect. 3.2.7): it allows the modeling of system structures as a hierarchy of interconnected blocks (components) of different types. The Stateflow language is a vendor-specific variant of David Harel’s statecharts, similar to that in the STATEMATE tool.

Table 9 MARTE Language Characteristics

Language characteristic | Support | Remarks
Target domain | General real-time software |
Domain coverage | Partial | MARTE covers the architectural elements of both applications and platforms. But it does not provide support for detail level data and actions.
Development cycle coverage | Full-cycle | The ability to perform formal qualitative analyses even on very abstract preliminary models means that it can be applied in all phases of development.
Purpose of models | Descriptive and prescriptive models | Both descriptive and prescriptive models can be constructed using MARTE. Note that, unlike most other real-time modeling languages, with their QoS and other annotations, MARTE models can provide crucial semantic information that can be used by automated code generation to produce optimal code.
Multiple abstraction levels | Yes | However, only the architectural aspects can be specified using MARTE.
Primary syntactical form | Graphical |
Primary language paradigms | Object-oriented, flow-based, event-driven, time-driven |
Precision level | Codified | Most MARTE concepts are defined using a relatively precise natural language.
User-defined extensibility | Yes | MARTE uses the built-in specialization mechanism of UML. This allows language users to further specialize its concepts.
Tool support | Yes | Most commercial and open source tools provide the official MARTE profile definition as an option.
Language resources | Yes | In addition to the standard itself, there exists a technical volume intended as a simplified user guide for MARTE (Selic and Gerard 2014).
Primary model of computation | Flow-based and event-driven |
Representation of time | Yes | MARTE has a very rich and comprehensive model of time, with a wide range of user-selectable choices regarding precision and accuracy.
Modeling QoS | Yes | MARTE provides the most complete QoS modeling capability of all current real-time modeling languages.
Platform modeling | Yes | MARTE provides comprehensive conceptual support for modeling both software and hardware platforms.
Modeling deployment | Yes | MARTE provides the full capability to specify software to platform modeling.


Simulink allows simulation of models, to assist in the analysis and debugging of complex system models. Moreover, these models can be automatically transformed into equivalent C or C++ code. Hence, both descriptive and prescriptive modeling are supported, thereby covering the full development cycle. Since both products are used extensively in industry, the products are mature and are supported by a rich complement of powerful tools. There is a rich library of different models for different domains. Training courses and materials are readily available.

3.3.2 East-ADL

Like the UML and SysML languages developed by the Object Management Group, the Electronics Architecture and Software Technology – Architecture Description Language (EAST-ADL) (EAST-ADL Association 2013) was developed and is maintained by a consortium of commercial, government, and academic institutions, most of them involved with automotive systems (http://www.east-adl.info/). It is aligned with two other international standards in the automotive domain: the ISO 26262 safety standard from the International Standards Association and the AUTOSAR standard from the AUTOSAR consortium. Both of these standards are multifaceted and comprehensive specifications covering development and production processes, system architectures, quality analysis procedures, etc.

EAST-ADL is actually a conglomeration of different viewpoints with different specifications and languages (Fig. 35). The specification uses UML class modeling to specify the metamodels of the different modeling (sub)languages represented by the horizontal bars. The vertical bars on the right of the diagram represent different analysis methods that can be used with EAST-ADL.

EAST-ADL is representative of a new style of model-based approaches, wherein multiple modeling languages are combined into a synergistic system for dealing with the types of present-day complex real-time/cyber-physical systems.

4 State of the Practice and Future Trends

Although the use of modeling languages and methods for real-time and embedded software development in industry is still not as widespread as it could be (except in some sectors such as telecom, aerospace, and automotive), there is no doubt that it is growing and that it can lead to major improvements in product quality and productivity (Weigert and Weil 2006; Whittle et al. 2014).

Modeling languages specifically focused on real-time development have a long tradition. The earliest ones, produced in the 1970s, were heavily influenced by the structured analysis and structured design methods of the day. They were primarily focused on the front-end activities of the development cycle, such as requirements and high-level design capture. However, over time, several key languages, such as the STATEMATE language, paved the way for full-cycle languages that could even be used to specify fully-fledged implementations, with the help of automated code generation techniques. A third qualitative leap occurred with the introduction of object-oriented languages, such as SDL-92, Shlaer-Mellor, and ROOM. Finally, the adoption of UML, which introduced a systematic approach to modeling language design, has resulted in the current generation of full-cycle modeling languages.

Fig. 35 Structure of various EAST-ADL Specifications

One important emerging trend is the coupling of additional model analysis methods and corresponding tools, as indicated by the vertical bars in the EAST-ADL example (Fig. 35). In addition to the now traditional performance and timing analysis methods (see Sect. 1.3.2), new methods are being developed for analyzing other important characteristics of designs, such as safety, security, energy consumption, and dependability.

In summary, model-based approaches in general and in the real-time/cyber-physical domain in particular are gradually moving to the more traditional style of engineering supported by more systematic and more formal techniques, resulting in more predictable and more reliable designs of software.

References

S.Y. Allworth, R.N. Zobel, Introduction to Real-Time Software Design (Springer-Verlag, New York, NY, 1987)
M. Balcer, S. Mellor, Executable UML: A Foundation for Model-Driven Architecture (Addison-Wesley Professional, Reading, MA, 2002)
G. Berry, in The Foundations of Esterel, ed. by G.D. Plotkin, C. Strong, M. Tofte. Proof, Language, and Interaction, Essays in Honour of Robin Milner (The MIT Press, Cambridge, MA, 1999)
A. Burns, A. Wellings, HRT-HOOD: A Structured Design Method for Hard Real-Time Ada Systems (Elsevier Science, Amsterdam, 1995)
J. Delange, AADL in Practice (Reblechon Development Company, 2017)
L. Delligatti, SysML Distilled – A Brief Guide to the Systems Modeling Language (Addison-Wesley, Boston, 2014)
EAST-ADL Association, EAST-ADL Domain Model Specification (v.2.1.12). (2013). http://www.east-adl.info/Specification/V2.1.12/EAST-ADL-Specification_V2.1.12.pdf
European Space Agency (ESA), HOOD Reference Manual Issue 3.0 (Noordwijk, 1989)
P. Feiler, D. Gluch, Model-based Engineering with AADL: An Introduction to the SAE Architecture Analysis & Design Language (Addison-Wesley Professional, Boston, 2012)
S. Friedenthal, A. Moore, R. Steiner, A Practical Guide to SysML – The Systems Modeling Language (Morgan Kaufmann-OMG Press, Amsterdam, 2008)
D. Harel, Statecharts: A visual formalism for complex systems. Sci. Comput. Program. 8(3), 231–274 (1987)
D. Harel, M. Politi, Modeling Reactive Systems with Statecharts: the Statemate Approach (McGraw-Hill, 1998)
D. Hatley, I. Pirbhai, Strategies for Real-Time System Specification (Dorset House Publishing, New York, 1987)
C.A.R. Hoare, Monitors – An operating system structuring concept. Communications of the ACM, CACM 17(10), 549–557 (1974)
ISO/IEC, International Standards Organization: ISO/IEC 7498-1:1994 – Information Technology – Open Systems Interconnection – Basic Reference Model: The Basic Model, 2nd ed, ISO/IEC 7498-1:1994(E). (1994)
ITU, Specification and Description Language (SDL) (1994)
ITU-T, Z.109: Specification and Description Language – Unified Modeling Language Profile for SDL-2010 (2016)
R. Jain, The Art of Computer Systems Performance Analysis (Wiley, New York, 1991)
JIMCOM, The Official Handbook of MASCOT, version 3.1 issue 1, Joint IECCA and MUF Committee on Mascot (1987)
M. Klein et al., A Practitioner’s Handbook for Real-Time Analysis: Guide to Rate Monotonic Analysis for Real-Time Systems (Kluwer Academic Publishers, Norwell, 1993)
L. Kleinrock, Queueing Systems, vol. 1 (Wiley-Interscience, New York, 1975)
C. Liu, J. Layland, Scheduling algorithms for multiprogramming in a hard real-time environment. J. ACM 20(1), 46–61 (1973)
S. Mellor, M. Balcer, Executable UML: A Foundation for Model-Driven Architecture (Addison-Wesley Professional, Reading, MA, 2002)
Object Management Group (OMG), UML Profile for Schedulability, Performance, and Time (v1.1), OMG document formal/05-01-02 (OMG, Milford, 2005)
Object Management Group (OMG), Unified Modeling Language (v2.5.1), OMG document formal/17-12-05 (OMG, Milford, 2017)
Object Management Group (OMG), Semantics of a Foundational Subset for Executable UML Models, OMG document formal/18-12-01 (OMG, Milford, 2018)
Object Management Group (OMG), UML Profile for Modeling and Analysis of Real-Time and Embedded Systems (v1.2), OMG document formal/19-04-01 (OMG, Milford, 2019)
H. Petroski, Invention by Design – How Engineers Get from Thought to Thing (Harvard University Press, Cambridge, 1996)
V. Pollio, The Ten Books on Architecture, (Morgan, M.H. translator) (Dover Publications Inc., New York, NY, 1914)
A. Sarma, Introduction to SDL-92. Computer Networks and ISDN Systems 28, 1603–1615 (1996)
B. Selic, Turning clockwise: Using UML in the real-time domain. Commun. ACM 42(10), 46–54 (1999)
B. Selic, The pragmatics of model-driven development. IEEE Softw. 20(5), 19–25 (2003)
B. Selic, S. Gerard, Modeling and Analysis of Real-Time and Embedded Systems with UML and MARTE – Developing Cyber-Physical Systems (Morgan Kaufman, Amsterdam, 2014)
B. Selic, J. Rumbaugh, Using UML for Modeling Complex Real-Time Systems (IBM, 1998). https://www.ibm.com/developerworks/rational/library/content/03July/1000/1155/1155_umlmodeling.pdf
B. Selic, P. Ward, G. Gullekson, Real-Time Object-Oriented Modeling (Wiley, New York, NY, 1994)
S. Shlaer, S. Mellor, Object Lifecycles: Modeling the World in States (Yourdon Press, Prentice Hall, Englewood Cliffs, 1992)
C. Smith, L. Williams, Performance Solutions: A Practical Guide to Creating Responsive, Scalable Software (Addison-Wesley Professional, Reading, 2001)
Society of Automotive Engineers (SAE International), Architecture Analysis & Design Language (AADL), SAE document AS5506B (2012)
A. Stephenson et al., Mars Climate Orbiter Mishap Investigation Board Phase 1 Report, (NASA 1999), https://llis.nasa.gov/llis_lib/pdf/1009464main1_0641-mr.pdf. Accessed 22 Dec 2019
P. Ward, S. Mellor, Structured Development for Real-Time Systems (Prentice-Hall, Englewood Cliffs, 1985)
T. Weigert, F. Weil, Practical Experiences in Using Model-Driven Engineering to Develop Trustworthy Computing Systems, IEEE SUTC 2006 (2006)
J. Whittle, J. Hutchinson, M. Rouncefield, The state of practice in model-driven engineering. IEEE Softw. 32(3), 79–85 (2014)
E. Yourdon, L. Constantine, Structured Design: Fundamentals of a Discipline of Computer Program and Systems Design (Prentice-Hall, Englewood Cliffs, 1975)

3 Uncertainty Theories for Real-Time Systems

Torsten Bandyszak, Thorsten Weyer, and Marian Daun

Contents
1 Introduction
2 Background and Fundamentals of Uncertainty Handling
2.1 Uncertainty Concepts and Taxonomies
2.2 Mathematical Theories for Handling Uncertainty
3 A Reference Model of Uncertainty Concerns for Real-Time Computing
3.1 Scope and Aims of the Reference Model
3.2 The Reference Model
4 Overview of Uncertainty Handling Approaches for Real-Time Systems
4.1 Handling Uncertainty in the Execution Platform
4.2 Handling Uncertainty in Communication
4.3 Handling Uncertainty in Data Processing
4.4 Handling Uncertainty Regarding Coordination of Different Systems
5 Engineering Considerations
5.1 Requirements Elicitation and Analysis
5.2 System and Context Modeling
5.3 Automated Verification and Analysis Techniques
6 Conclusion
References

T. Bandyszak · T. Weyer · M. Daun
The Ruhr Institute for Software Technology, University of Duisburg-Essen, Essen, Germany

© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_64

Abstract

Real-time systems are typically reactive embedded software-intensive systems that are part of a larger technical system such as a vehicle or an airplane. Real-time systems perform time-critical tasks, which depend on timely processing of context data obtained from sensors, and making decisions as well as performing actions based on the assessed context situation. Real-time systems thus face various uncertainties that may occur during operation. To cope with uncertainties in real-time execution, this chapter introduces general taxonomies and theories for handling uncertainty and relates these to the field of real-time computing. To that end, a reference model is proposed, which specifically determines sources of uncertainty in the context of a real-time system when it is in operation. Building upon the reference model, an overview of uncertainty handling approaches that specifically address real-time concerns and can be utilized to handle the different uncertainties in real-time systems is given. Finally, since real-time systems have to be constructed in such a way that they are able to handle uncertainties at runtime, this chapter also regards the need to identify, model, and analyze potential uncertainties that can occur during operation already in the engineering of real-time systems.

Keywords Uncertainty · Real-time systems · Real-time uncertainty · Context uncertainty · Uncertainty modeling · Uncertainty analysis · Reference model

1 Introduction

Real-time systems are characterized by the fact that their demanded outputs or reactions are subject to certain real-time conditions, i.e., timing constraints for the provision of output data or for the desired reaction to stimuli from the context must be met. A distinction is typically drawn between hard (i.e., strict constraints whose violation may cause serious safety hazards), firm (i.e., causing useless but not severely dangerous outcomes), and soft real-time constraints (i.e., weaker conditions that do not necessarily but may cause gradual decrease in utility of the produced outcomes) (Laplante 2004; Shin and Ramanathan 1994). The challenge is to ensure, especially in the engineering of real-time systems, that particularly hard real-time constraints are constantly met during operation.

Many real-time systems are reactive in the sense that they process context information commonly gathered through sensor devices and closely interact with their environment in the context of superordinate technical systems or processes they are embedded in (cf., e.g., Stankovic 1996). However, real-time systems may also exhibit properties that are typically associated with information systems, e.g., for stock market trading applications (Ulusoy 1995).

Since the early days of real-time computing as a research area, one main focus has been on resource management in the light of real-time requirements. Such requirements demand efficient usage of available computing resources, which are restricted w.r.t. space or energy consumption. However, with the emergence of new technologies, such as IoT (Stankovic 2014; Want et al. 2015), and advances in computing resources, the complexity of developing real-time systems has grown due to the increased interconnection between different systems as well as the demand for innovative applications and advanced functionality to be provided by such systems (Buttazzo 2006; Calvaresi et al. 2017; Kopetz 2011). This includes capabilities to act autonomously, self-adapt to changing context situations, and collaborate with other systems to achieve emergent properties (cf., e.g., Kopetz 2011). For example, autonomous vehicles are connected through advanced vehicular ad hoc network (VANET) technology in order to enable the collaborative formation of vehicle platoons to increase driver safety and increase traffic flow (Arem et al. 2006; Axelsson 2017).

The need to compute tasks in real-time according to defined deadlines combined with the trend of advanced functionality enabling real-time systems to autonomously operate and interact in highly dynamic contexts brings about a wide range of potential uncertainties (Laplante 2004). Uncertainties can occur at various points in time during the operation of such systems. This makes the analysis of the real-time behavior more difficult and could eventually lead to situations where critical real-time constraints cannot be maintained during operation. For example, in a collaborative vehicle platoon, where information is exchanged between the lead vehicle and its followers, hard real-time constraints pertain to the sharing of information about critical situations such as an accident or obstacle ahead of the platoon. Uncertainties can occur here, for example, due to imprecision or failure of sensors (Rajamani and Shladover 2001) or delays in transmission of the information via the VANET (Liu et al. 2001), which affects the required coordination among different systems. At the same time, uncertainties can also occur in the technical execution platform of a system under consideration (in this case an embedded CACC software system (Amoozadeh et al. 2015)), e.g., the time required to evaluate sensor data to derive any necessary actions is subject to uncertainty.

The term “uncertainty” thus has a broad range of notions, and concrete uncertainties can be described in different ways. Different facets and concepts need to be considered for describing specific kinds of uncertainty that are handled differently. There is a variety of specific approaches dealing with uncertainty in real-time systems, each having a distinct focus on specific timing-related uncertainty aspects. These solution approaches are typically based on formal, mathematical approaches (e.g., probability theory or fuzzy logic (Ranganathan et al. 2004)).

This chapter answers the question in which forms uncertainty can manifest during the operation of real-time systems exhibiting the characteristics introduced above. The goal of this chapter is to provide a comprehensive and well-structured overview of uncertainty handling theories relevant for coping with uncertainty in real-time systems. To this end, this chapter introduces a reference model for distinguishing different kinds of uncertainty that can emerge from the operational context of real-time systems at runtime. The reference model is then used to categorize specific uncertainty handling techniques that enable real-time embedded systems to cope with the different runtime uncertainties. Moreover, essential engineering considerations for developing systems that are able to fulfill their time-critical duties in uncertain contexts are discussed.

The remainder of this chapter is organized as follows: Section 2 introduces taxonomies and theoretical concepts of uncertainty as well as mathematical theories for handling uncertainty. Section 3 presents the reference model and describes each kind of real-time computing uncertainty in detail. Section 4 analyzes existing uncertainty handling approaches for real-time systems using the reference model. Section 5 elaborates on engineering practices aimed at handling uncertainty when actually developing the real-time software system. Section 6 concludes the paper and gives a brief summary.

2 Background and Fundamentals of Uncertainty Handling

In the following, taxonomies and principal concepts for describing uncertainty as well as the major mathematical formalisms to handle uncertainty are introduced.

2.1 Uncertainty Concepts and Taxonomies

The term “uncertainty” has been a topic of discussion in many research disciplines and sciences, including decision sciences and risk assessment (Paté-Cornell 1996; Walker et al. 2003) or ecology (Refsgaard et al. 2007; Regan et al. 2002). To obtain a general understanding of how uncertainty is treated, such literature from different research areas is helpful, although not directly related to real-time computing. In very generic terms, “uncertainty” can be defined as: A state or situation in which it is unclear whether a given piece of information (e.g., a model created by humans or data collected at runtime) properly reflects the real-world phenomena it is supposed to describe. In the literature, different notions of the term “uncertainty” are discussed, which will be investigated in the following. This includes concepts to describe uncertainty (for different purposes) as well as taxonomies that distinguish different types and/or different dimensions of uncertainty.

2.1.1 Epistemic and Aleatory Uncertainty

A fundamental distinction of the term “uncertainty” differentiates between epistemic and aleatory uncertainty (cf. Kiureghian and Ditlevsen 2009). Epistemic uncertainty denotes a lack of knowledge as the reason for uncertainty, while aleatory uncertainty covers uncertainty that is present due to the inherent variability or stochastic nature of real-world phenomena (Kiureghian and Ditlevsen 2009; Li et al. 2013). The subject of uncertainty may differ, and different terms are used, e.g., knowledge and physical uncertainty (Cailliau and Lamsweerde 2015) or subjective and stochastic uncertainty (Helton 1994). Epistemic and aleatory uncertainty are fundamental and are used to categorize formal uncertainty modeling approaches as will be elaborated later in Sect. 2.2.

However, note that the differentiation between aleatory and epistemic uncertainty is discussed controversially in research (cf. Aven and Renn 2010; Winkler 1996), and a clear distinction between these uncertainty types has not reached consensus. This becomes obvious in concrete uncertainty taxonomies, for instance, in the work of Regan et al. (2002), where “natural variation” and “inherent randomness” (which could be seen as two kinds of aleatory uncertainty) are actually considered types of epistemic uncertainty. Even though there might be disagreement and concerns regarding the distinction of uncertainty types in general, for concrete purposes such as analyzing uncertainty, they are considered useful (cf. Winkler 1996). The following subsections will have a closer look at more specific uncertainty concepts that are useful for characterizing uncertainty in the engineering of software-intensive real-time systems.

2.1.2 Dimensions of Uncertainty

Further classifications of uncertainty employ a multi-faceted view on uncertainty. This leads to a distinction of fine-granular concepts for characterizing and analyzing uncertainty. Besides the distinction between epistemic and aleatory uncertainty, which is referred to as the “nature” dimension of uncertainty, Walker et al. (2003) define “location” and “level” of uncertainty as additional concepts or dimensions. The location concept is used to identify where uncertainty manifests within models of a specific subject (e.g., a system under consideration and its context), while the level of uncertainty distinguishes detailed classes of uncertainty regarding the knowledge about the uncertainty (i.e., ranging from ignorance to statistically modeled uncertainty). These three dimensions of uncertainty proposed by Walker et al. (2003) are further utilized in Mahdavi-Hezavehi et al. (2017) and Perez-Palacin and Mirandola (2014), where they are adopted to characterize uncertainty specific to self-adaptive software systems.

Two additional dimensions of uncertainty can be distinguished: the emerging time and source of uncertainty (Mahdavi-Hezavehi et al. 2017). Emerging time distinguishes design-time uncertainty (i.e., uncertainty that occurs during development of a system) from runtime uncertainty (i.e., uncertainty that occurs when the system is in operation). Design-time uncertainty relates to, e.g., desired stakeholder needs expressed in natural language or the adequate consideration of design alternatives (cf. Famelis et al. 2012; Fukamachi et al. 2015; Ramirez et al. 2012). These kinds of uncertainties are handled differently than runtime uncertainty, cf., e.g., Horkoff et al. (2014) and Yang et al. (2012). The latter is in focus of this chapter. Another dimension is the source of uncertainty, i.e., the situation or cause uncertainty originates from. Sources of uncertainty during operation of software-intensive systems will be elaborated on in more detail in Sect. 2.1.4.

2.1.3 Subjective Uncertainty Perspective

A comprehensive conceptual model of uncertainty has been proposed by Zhang et al. (2016). The model, for which UML-based modeling support is available (Zhang et al. 2019), employs a subjective perspective on uncertainty, because it originally targets the handling of uncertainty regarding the subjective assumptions made by developers during development (e.g., when testing a software). Hence, subjective uncertainty concepts, which relate to the imperfect knowledge (i.e., beliefs) held by some belief agent, are distinguished from objective concepts independent from individual observations of reality (i.e., which are supported by objective evidence).

Subjective uncertainty relates to expressions of an agent’s beliefs and is further described by the following concepts: The type of uncertainty defines which kind of subject the uncertainty refers to. This could be, for instance, the content of a belief statement or an aspect of the physical environment. The locality of an uncertainty denotes the place where the uncertainty shows in a belief statement, i.e., a specific action or situation contained in a belief statement, where the uncertainty occurs. Factors leading to uncertainty are described using the indeterminacy source concept. Different kinds of indeterminacy sources capture different circumstances in which knowledge is missing to appropriately describe a phenomenon. The effect of an uncertainty is distinguished as well. Furthermore, uncertainties can be prioritized given the risk (e.g., low or high risk) associated with them.

The conceptual model also covers aspects related to timing considerations. As such, one specific type of subjective uncertainty is dedicated to expressing uncertainty of a belief agent regarding a temporal specification contained in a belief statement. Furthermore, the model takes into account the period during which an uncertainty related to a belief statement exists, as well as the temporal pattern (e.g., periodic, sporadic, or upon a specific occasion) in which it occurs. Furthermore, it includes concepts related to measuring uncertainty, i.e., expressing uncertainty in numbers such as probability values (see Sect. 2.2).

2.1.4 Uncertainty from the Perspective of a Software System in Operation

While the works of Zhang et al. (2019, 2016) are very fundamental and comprehensive, covering many different aspects of uncertainty from different perspectives (including uncertainty that occurs during development, especially testing), other authors employ more specific perspectives on the uncertainty that software-intensive systems are concerned with. Bandyszak et al. (2018, 2020) propose concepts dedicated to modeling uncertainty exclusively from the perspective of a system (that is to be developed) during operation. This partially builds upon a subset of concepts from Zhang et al. (2016), but with the specialized notions of “observation point” and “activation condition” to capture the artifacts (e.g., context data received from sensors) given which a system is able to identify uncertain situations during operation, and the events and conditions under which uncertainty may in principle occur (i.e., when an uncertainty can become active), respectively. Furthermore, a potential runtime uncertainty itself can be explicitly identified, providing means to distinguish different uncertainties as well as their dependencies. Such dependencies include causal relationships between uncertainties, as well as amplification relationships characterizing situations where an uncertainty may amplify, i.e., have an impact on the potential effects of another uncertainty.

Esfahani and Malek (2013) as well as Ramirez et al. (2012) provide a more detailed account of the potential sources of uncertainty (i.e., reasons why uncertainty can occur) that are relevant for self-adaptive systems during their operation. Ramirez et al. focus on sources related to the perception of the environment through sensors (such as sensor noise or sensor imprecision). Thereby, generic causal relationships between different sources of uncertainties can be established. Esfahani and Malek also consider more specific uncertainty sources related to the adaptation logic of a self-adaptive system, which is illustrated using the established MAPE-K reference model (Kephart and Chess 2003). This includes uncertainty due to incorrect models of a managed system or uncertainty due to unforeseen changes or conflicts in the objectives used for adapting a managed system to changed parameters.

2.2 Mathematical Theories for Handling Uncertainty

Mathematical uncertainty handling theories have already been summarized in different works, e.g., (Esfahani and Malek 2013; Khaleghi et al. 2013; Li et al. 2013), each exhibiting a different level of detail and mathematical rigor in description. This section presents a distilled and consolidated overview of the uncertainty formalisms that are used in real-time systems. The two major streams of mathematical uncertainty handling theories are probabilistic and fuzzy-set-based approaches (Ranganathan et al. 2004). Among other approaches toward formally modeling uncertainty, probability theory plays a dominant role, which is also reflected in the later investigation of approaches for handling real-time uncertainty (see Sect. 4).

2.2.1 Probability Theory

Probability theory can express both aleatory and epistemic uncertainty (Li et al. 2013). There are two principal interpretations of probability: A frequentist (also denoted “objectivist”) and a subjectivist interpretation (cf., e.g., Jeffrey 2004; Khrennikov 2009).

The frequentist interpretation is the classical one. Originally, it was proposed to describe and analyze random experiments. Probability expresses how likely a specific event may occur based on its relative frequency in the outcomes of repeatedly conducted random experiments. A simple example is throwing a standard six-sided die, where each possible outcome has the probability of 1/6. In basic probability theory, a probability measure or distribution is a function that assigns a probability value to events that are subsets of a certain sample space. The sample space contains all possible outcomes of a random experiment. Based on the Kolmogorov axioms, random variables can be defined over probability spaces.

It is oftentimes not practical or not feasible to exactly define probability measures. Approximation techniques building upon frequentist probability theory include Monte Carlo simulation, which is based on simulating a probability distribution through repeated random sampling (Mooney 1997). Another approach for approximating probability distributions is the Markov Chain Monte Carlo technique (Brooks et al. 2011; Gilks et al. 1995). A Markov chain is a transition system in which the states represent random variables and where the value of the successor state only depends on its direct predecessor state (Markov property). Thus, Markov chains include a notion of time and are frequently used in simulating stochastic processes. It can be distinguished between discrete time and continuous time Markov chains (cf. Hermanns et al. 2000).

In contrast to the frequentist interpretation, the subjectivist interpretation of probability (cf. Jeffrey 2004; Khrennikov 2009) is more general and can be applied to express “likelihood” beyond that associated with the outcomes of random experiments. The probability of an event denotes the degree of belief an agent associates to that event, independently of specific outcomes of repeating a random experiment. The subjectivist interpretation of probability allows inferring probabilities of events in spite of a lack of explicit information. Rather, conditional probabilities are used to model dependencies to other events, based on which inferences can be made. Inferring subjective probability values for a specific event depends on information about the event, i.e., a priori probabilities of causally related events and their conditional relationships, e.g., for probabilistically expressing dependencies between medical symptoms and diseases (Li et al. 2013).

As an extension in the subjectivist line of probability interpretation (Li et al. 2013), Dempster-Shafer evidence theory (Dempster 1968; Shafer 1976) has been proposed. Dempster-Shafer evidence theory can be seen as an extension of Bayesian theory considering upper (denoted plausibility) and lower bounds (denoted belief) of probability. Its principal idea is to model available evidence that partly or fully supports a claim about a certain phenomenon. Thereby, lack of information is taken into account in the model.
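Belief and plausibility as lower and upper probability bounds can be made concrete with a short Python example, added here and not part of the chapter. It fuses two evidence sources with Dempster's rule of combination, which the chapter does not spell out; the frame {obstacle, clear}, the two sources and all mass values are constructed for illustration, loosely following the platoon scenario of Sect. 1.

```python
from fractions import Fraction
from itertools import product

# Constructed frame of discernment: is there an obstacle ahead of the platoon?
FRAME = frozenset({"obstacle", "clear"})


def make_mass(assignments):
    """Validate a mass function: non-empty focal sets inside FRAME, masses summing to 1."""
    m = {frozenset(s): Fraction(v) for s, v in assignments.items() if v}
    for focal in m:
        if not focal or not focal <= FRAME:
            raise ValueError(f"invalid focal set: {set(focal)}")
    if sum(m.values()) != 1:
        raise ValueError("masses must sum to 1")
    return m


def belief(m, hypothesis):
    """Lower bound: total mass of focal sets lying entirely inside the hypothesis."""
    h = frozenset(hypothesis)
    return sum((v for s, v in m.items() if s <= h), Fraction(0))


def plausibility(m, hypothesis):
    """Upper bound: total mass of focal sets that do not contradict the hypothesis."""
    h = frozenset(hypothesis)
    return sum((v for s, v in m.items() if s & h), Fraction(0))


def interval(m, hypothesis):
    """The [belief, plausibility] interval that brackets the unknown probability."""
    return belief(m, hypothesis), plausibility(m, hypothesis)


def combine(m1, m2):
    """Dempster's rule of combination; returns (combined mass function, conflict K)."""
    joint, conflict = {}, Fraction(0)
    for (s1, v1), (s2, v2) in product(m1.items(), m2.items()):
        common = s1 & s2
        if common:
            joint[common] = joint.get(common, Fraction(0)) + v1 * v2
        else:
            conflict += v1 * v2  # mass the two sources put on incompatible sets
    if conflict == 1:
        raise ValueError("sources are in total conflict; the rule is undefined")
    # Renormalise by the non-conflicting share so the masses sum to 1 again.
    return {s: v / (1 - conflict) for s, v in joint.items()}, conflict


# Constructed evidence. Mass on the whole FRAME is the share a source leaves
# unassigned, i.e. its explicit lack of information.
RADAR = make_mass({("obstacle",): Fraction(6, 10), ("clear",): Fraction(1, 10),
                   ("obstacle", "clear"): Fraction(3, 10)})
V2V_MESSAGE = make_mass({("obstacle",): Fraction(5, 10), ("clear",): Fraction(2, 10),
                         ("obstacle", "clear"): Fraction(3, 10)})

if __name__ == "__main__":
    fused, k = combine(RADAR, V2V_MESSAGE)
    for name, m in (("radar", RADAR), ("v2v", V2V_MESSAGE), ("fused", fused)):
        lo, hi = interval(m, {"obstacle"})
        print(f"{name:5s} Bel={float(lo):.3f} Pl={float(hi):.3f} width={float(hi - lo):.3f}")
    print(f"conflict K={float(k):.2f}")
```

The width of the interval is the mass left on the whole frame; fusing the two sources narrows it, which is how the missing information shows up in the model.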

2.2.2 Fuzzy Sets, Fuzzy Logic, and Possibility Theory

Fuzzy sets have been originally proposed by Zadeh (1965) in order to formalize the notion of vagueness contained in natural language. Fuzzy sets are used to model classifications that have ill-defined boundaries and thus are not covered by the well-established traditional set theory. A membership function, which, in normalized form, maps to values between zero and one, characterizes the degree of membership of an element to a fuzzy set. For example, members of the fuzzy set “warm temperature” are evaluated differently by individuals and are thus assigned different membership values (Li et al. 2013). Fuzzy sets can be considered generalizations of traditional set theory, i.e., a traditional, “crisp” set can be characterized as a fuzzy set with a membership function assigning either the value one or zero to all elements under consideration. There are specific operators defined for extending the classical set operators to fuzzy sets. For eventually reaching decisions, the so-called defuzzification step involves mapping fuzzy sets into crisp values that can be interpreted. To that end, a multitude of defuzzification techniques is available (cf., e.g., Leekwijck and Kerre 1999).

Fuzzy logic can be seen as the equivalent of propositional logic for traditional set theory w.r.t. fuzzy sets. Fuzzy logic operators, e.g., the fuzzy “or” can be mapped to fuzzy set operations (e.g., fuzzy set union). Compared to probability theory (see Sect. 2.2.1), fuzziness targets situations where there is uncertainty regarding the properties and classification of real-world phenomena, specifically when perception through individuals varies. In contrast, using probabilistic methods, the potential events are typically known in advance (or can at least strictly be separated from each other), while it is uncertain when and how frequently an event occurs (Kosko 1990). Fuzziness allows expressions characterizing an element as part of two or more different fuzzy sets, with respective membership values.

Possibility theory (Dubois and Prade 1988; Zadeh 1978) builds upon fuzzy sets and fuzzy logic, serving as a counterpart or alternative of probability theory (Li et al. 2013). Possibility theory is concerned with imprecision and incompleteness of available data characterizing uncertainty. The core idea is to formalize the confidence regarding the validity of some piece of information. Imperfect data is expressed using so-called possibility distributions. A possibility distribution assigns possibility values to events in order to characterize to what extent it is possible that they happen or are valid. Possibility theory further incorporates two measures, i.e., a measure of possibility and a measure of necessity. One interpretation of these measures is that necessity represents a lower bound while possibility describes the upper possibility bound of a specific event under consideration, thus restricting the uncertainty space. A necessity measure quantifies to what degree the event can be taken for granted. In turn, a possibility measure quantifies the degree of plausibility of an event.
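The fuzzy-set operations, the defuzzification step and the two possibility-theory measures described above are shown together in the following Python example, which is added here and is not taken from the chapter. The temperature universe, the trapezoidal shapes of "warm" and "hot", the max/min operators and centroid defuzzification are choices made for this illustration; reading the membership function of "warm" as the possibility distribution induced by the statement "the temperature is warm" follows Zadeh's standard interpretation.

```python
from fractions import Fraction

UNIVERSE = range(10, 46)  # constructed universe: whole degrees Celsius, 10..45


def trapezoid(a, b, c, d):
    """Membership function rising on [a, b], equal to 1 on [b, c], falling on [c, d]."""
    def mu(x):
        if x <= a or x >= d:
            return Fraction(0)
        if x < b:
            return Fraction(x - a, b - a)
        if x <= c:
            return Fraction(1)
        return Fraction(d - x, d - c)
    return mu


def fuzzy_or(mu_a, mu_b):
    """Fuzzy set union, using the max operator."""
    return lambda x: max(mu_a(x), mu_b(x))


def fuzzy_and(mu_a, mu_b):
    """Fuzzy set intersection, using the min operator."""
    return lambda x: min(mu_a(x), mu_b(x))


def centroid(mu, universe=UNIVERSE):
    """Centroid defuzzification: membership-weighted mean of the universe."""
    weight = sum(mu(x) for x in universe)
    if weight == 0:
        raise ValueError("an empty fuzzy set has no centroid")
    return sum(x * mu(x) for x in universe) / weight


def possibility(pi, event, universe=UNIVERSE):
    """Pi(A): the largest possibility value of any outcome inside the event."""
    return max((pi(x) for x in universe if x in event), default=Fraction(0))


def necessity(pi, event, universe=UNIVERSE):
    """N(A) = 1 - Pi(not A): how firmly every outcome outside the event is ruled out."""
    outside = [x for x in universe if x not in event]
    return 1 - possibility(pi, outside, universe)


# Constructed fuzzy sets; 27 degrees belongs to both, to different degrees.
WARM = trapezoid(15, 20, 25, 30)
HOT = trapezoid(25, 30, 40, 45)

if __name__ == "__main__":
    print("27 C: warm", WARM(27), "hot", HOT(27),
          "warm OR hot", fuzzy_or(WARM, HOT)(27),
          "warm AND hot", fuzzy_and(WARM, HOT)(27))
    print("crisp value for 'warm':", float(centroid(WARM)))
    for label, event in (("18..27 C", range(18, 28)), ("28..45 C", range(28, 46))):
        print(label, "necessity", necessity(WARM, event),
              "possibility", possibility(WARM, event))
```

For the event 18..27 °C the necessity is 3/5 and the possibility 1, so the two measures bracket the event from below and above as the text describes; for 28..45 °C they are 0 and 2/5.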

3 A Reference Model of Uncertainty Concerns for Real-Time Computing

In this section, a reference model is introduced to systematically distinguish different kinds of uncertainty in the operational context of real-time software systems and allow for comprehensible comparison and categorization of existing approaches toward uncertainty handling. We first motivate and explain the goals of the reference framework, which is afterwards presented in detail.

3.1 Scope and Aims of the Reference Model

As real-time computing has been an active research area since the 1970s (cf. Liu and Layland 1973), there are mature research results for enabling systems to perform critical functionality under real-time constraints. Such specific solution approaches do not necessarily mention “uncertainty” explicitly. Rather, there is a variety of approaches that rely on, e.g., probability theory (cf. Sect. 2.2.1) in order to provide a solution for some problem related to uncertainty handling in real-time systems. However, uncertainty classification is difficult due to lack of theoretical considerations of how uncertainty manifests in real-time systems. The general introduction and conceptualization of uncertainty in real-time systems by Laplante (2004) are helpful but consider many different uncertainty causes (including design-time uncertainty, cf. Sect. 2.1.2) that significantly differ in their handling, while operational uncertainty is discussed only on a high level. In contrast, this chapter employs a very specific perspective on a real-time system under consideration: its embedding into its operational context. This is a narrower view and yet allows distinguishing techniques for enabling real-time systems to handle uncertainty. Thus, the model employs a black-box view on the actual software implementation of a real-time software system under consideration and places emphasis on uncertainty rooted in the context of the system. The operational context of an embedded real-time software system comprises the following:

• Technical (execution and networking) hardware and infrastructure
• Context entities about which the system gathers information and which are somehow affected by the system
• Other technical systems that interact with the system (including sensor devices as well as other systems connected via networks)

Through interaction with its operational context, a real-time system has to fulfill its (potentially safety-critical) requirements. A particular characteristic of real-time systems is their timing requirements, i.e., constraints restricting the response times of the system for performing its desired (re-)actions. Hence, in general uncertainty in real-time systems specifically concerns the real-time behavior of a system, which could be soft or hard timing constraints. Uncertainty in the operational context can cause violations of real-time requirements, which may in turn lead to safety hazards (cf., e.g., Tenbergen et al. 2017). The essential aim of the model is to systematically describe where and how uncertainty can manifest in the operational context of real-time software systems. Thereby the reference model constitutes the basis for categorizing uncertainty handling techniques that can be employed to enable real-time embedded systems to cope with the different runtime uncertainties in their context without delving into technical details (see Sect. 4).

3.2 The Reference Model

The conceptual reference model distinguishes different “kinds” of uncertainty (cf. Sect. 2.1) that specifically relate to aspects of the operational context of real-time embedded software systems. This reference model is based on core concepts and characteristics specific to real-time systems and also accounts for modern trends in real-time computing such as the increasing connectivity and networking of autonomous real-time systems that cooperate in order to achieve some task (cf. Sect. 1). The model helps identify uncertainty concerns relevant for real-time systems and provides a unifying framework for categorizing solution approaches that specifically deal with uncertainty, which are possibly associated with other computer science research areas. Figure 1 shows the reference model, which is referred to as the ECDC reference model for uncertainty in real-time computing. The ECDC reference model is named after the four core concepts that it builds upon in order to characterize real-time uncertainty (Execution platform, Communication infrastructure, Data processing, Coordination).

[Figure 1: diagram with a conceptual layer and a technical layer showing the four core concepts, linked by the relations “Provides computing resources,” “Provides data for information exchange,” “Provides network infrastructure,” and “Enables.” The concepts are annotated as follows:
• Data Processing: Uncertainty related to processing context data that is either obtained from sensor devices or communicated from other systems in a network.
• Coordination: Uncertainty related to coordination among different autonomous real-time systems that collaborate to achieve some “higher” goals.
• Execution platform: Uncertainty related to executing software components on computing hardware, which is maintained by the operating system.
• Communication infrastructure: Uncertainty related to the networking resources that are used to enable the exchange of data and coordination among different technical devices.]

Fig. 1 The ECDC reference model for considering uncertainty in real-time computing

As can be seen, the four core concepts after which the model is named reflect typical tasks and infrastructural elements real-time systems employ to fulfill their duty. These are the following:

• Execution platform: The execution platform comprises the hardware and operating system environment that is responsible for executing the real-time embedded software. This includes hardware resources such as RAM, processors, but also scheduling-related aspects of the operating system, e.g., tasks or threads (cf. Feiler and Gluch 2012).
• Communication infrastructure: The communication resources (i.e., network nodes and links) are also subject to timing constraints. Hence, different technical considerations such as communication protocols as well as quality of service and reliability attributes of real-time systems are taken into account here.
• Data processing: This component of the reference model refers to the higher-level functionality of a real-time embedded system, which utilizes the computing infrastructure provided by the execution platform. Data processing is concerned with efficient algorithms and concepts for processing the data a real-time embedded system gathers as input to produce the required outputs according to defined timing constraints. Typically, real-time embedded systems process context data obtained through sensor devices.
• Coordination: Since real-time systems are increasingly networked in order to form system groups aiming at serving some higher purpose (e.g., systems of systems such as vehicle platoons (Axelsson 2018; Maier 1998)), the time-efficient and time-critical coordination among different autonomous real-time systems has to be considered as an area of potential runtime uncertainties as well.

Of course, coordination requires communication facilities as well as efficient data processing of each of the real-time systems involved in a collaboration. The constituent classes of uncertainty identified in the reference model are explained in detail in the following subsections.

3.2.1 Uncertainty Regarding the Execution Platform

A real-time embedded software system is typically deployed to and operated on a microcontroller whose size, and thus computing power, is limited, depending on the surrounding technical system and possibly other constraints (such as cost or energy consumption (Bambagini et al. 2016)) (Shin and Ramanathan 1994; Stankovic 1988, 1996). Uncertainty regarding the real-time execution platform can be further refined into (1) uncertainty caused by unforeseeable hardware failures and (2) uncertainty caused by inherent complexity and dynamics real-time schedulers face during runtime.

Uncertainty regarding the execution platform relates to the hardware devices used for real-time computing. During operation, failures of computer hardware components may occur so that the operating system has to carry out re-execution or recovery actions in response. This might in turn negatively affect the execution time of time-critical tasks, which introduces uncertainty during operation of real-time software systems (Brüggen et al. 2016). One potential root source is so-called soft errors induced by radiation, which may cause the system behavior to deviate (Baumann 2005).

Real-time uncertainties related to the execution platform are caused by the inherent inability to foresee all the different factors and situations that can occur during runtime, in particular related to the scheduling of time-critical tasks. Real-time operating systems have to perform scheduling according to a predefined policy, taking into account a multitude of conditions and criteria constraining the execution of each task and the overall set of tasks (Cheng 2003; Koroušić-Seljak 1994). During operation, the actual time a task needs to be executed typically varies and is thus uncertain, e.g., depending on program inputs causing different conditional parts of the code to be executed (Tongsima et al. 2000). The satisfaction of timing constraints and requirements also depends on the (possibly sudden) occurrence and properties of other executed tasks, which may cause undesired timing behavior (Chen et al. 2018; Liu and Lee 2003). In general, scheduling algorithms typically distinguish hard real-time constraints, which have to be met strictly in order to avoid potentially hazardous behavior (cf., e.g., Davis and Burns 2011), and soft real-time constraints, which may not hold temporarily, cf. other handbook chapter (Erickson and Anderson 2019).

Development-time uncertainties include uncertainty regarding the definition of the deployment mapping (Lo 1988) or regarding the (automated) hardware/software partitioning (Jiang et al. 2012) and the choice between general scheduling policies (Koroušić-Seljak 1994).

3.2.2 Uncertainty Regarding the Communication Infrastructure

Communication devices are used to enable the exchange of data between, e.g., sensors, actuators, and a software-intensive real-time system under consideration. Uncertainty regarding such communications has long been researched in the area of computer networks under the terms reliability, dependability, or fault tolerance (cf., e.g., Al-Kuwaiti et al. 2009). Similar to the inherent aleatory uncertainty present when executing a program on an execution platform (cf. Sect. 3.2.1), network infrastructure devices and connections can also be affected by stochastic events causing failures during operation due to imperfect technology. Sources of uncertainty regarding the real-time communication between a real-time system under consideration and other devices and systems in its context reflect typical network quality of service issues (cf., e.g., Durvy et al. 2003). Such sources are:

• Network unavailability: Due to disturbances or failures of the links between network nodes, the network may not be able to deliver its service.
• Delayed delivery of messages: Due to imperfect technology and/or external influences, such as electromagnetic interference (Broster et al. 2005), the network may fail to deliver a message according to a maximum allowed transmission time.
• Message loss: Due to network unavailability or other disturbances, a message might get completely lost.

These sources of uncertainty are of particular importance in real-time systems, as such systems depend on the timely delivery of messages that contain essential context data to be processed (cf. Sect. 3.2.3) and/or coordination messages (cf. Sect. 3.2.4). Messages in such real-time settings are typically only valid for a limited time frame, which requires timely transmission on an end-to-end basis.

In addition, computer networks can be vulnerable to adversarial attacks. Network security-related issues, of course, may also constitute sources of uncertainty relevant for real-time systems, which may manifest in the form of corrupted messages (Papadimitratos and Haas 2003). However, for the sake of simplicity, detailed network security considerations are not the main focus of this chapter, as network security is a research area of its own (cf., e.g., Giraldo et al. 2017).

3.2.3 Uncertainty Regarding Data Processing

Real-time embedded systems are tightly integrated into physical processes and thus process context data (i.e., data about objects existing in the operational environment of the system, cf. Daun et al. 2016a) according to defined real-time constraints in order to react to these external stimuli (Schneider 2004). This category of uncertainty considers the processing of data on a semantical layer (see Fig. 1), i.e., regarding the content of the data, independently of computing resources for the actual (technical) data processing. Two levels of complexity regarding the handling of uncertainty can be distinguished here: (1) uncertainty related to context data from

one individual source (e.g., sensor) and (2) uncertainty related to different context data provided by different, potentially heterogeneous sources (e.g., sensors, other technical systems, humans).

Considering context data from an individual source, uncertainty emerges from the inherent imperfection of sensor technology. According to Ramirez et al. (2012), the root causes of uncertainty related to context perception are sensor failure, sensor noise, and sensor imprecision. These technology-related issues could lead to the following manifestations of uncertainties related to sensor data from a single source (adapted and simplified based on (Alam et al. 2017; Khaleghi et al. 2013; Ramirez et al. 2012)):

• Inaccuracy (or imprecision): A measurement diverges from its corresponding “real” value. Vagueness, i.e., the ill definition of attributes defined in some data (cf. Sect. 2.2.2), can be seen as a specialization of imprecision.
• Non-specificity: An exact value of a measurement is not available; rather a real-world property can be only expressed as a certain range of values.
• Incompleteness: Measurements are incomplete, i.e., data is missing to fully characterize a domain under consideration.

These kinds of uncertainties related to (context) data processing are generic in the sense that they can be applied to any embedded system. Information systems also have to cope with data-related uncertainty, e.g., when considering knowledge representation in databases (Li et al. 2013). In real-time systems, however, such uncertainty needs to be considered taking (hard or soft) timing constraints into account (cf. Bonissone and Halverson 1990). This means that real-time systems have to react in real time to any such uncertainty, which requires systematic consideration (i.e., identification and modeling) of uncertainty pertaining to sensor-related issues (cf. Aloulou et al. 2015; Bettini et al. 2010). Data-related uncertainty may thus lead to missing a deadline, which may in turn have hazardous consequences.

Regarding the processing of context data from multiple sources, additional uncertainties have to be considered. When real-time systems gather information about some real-world phenomena from different sources (e.g., directly connected sensor devices and information received from other systems), inconsistency of different pieces of data describing the same real-world phenomenon may occur (Khaleghi et al. 2013; Ramirez et al. 2012). Efficiently identifying and resolving inconsistencies pose additional challenges specific for real-time systems (Ibarguengoytia et al. 2001). Further uncertainties are due to (possibly unknown) correlation among different pieces of information gathered from different sources and disorder of different data items that need to be processed sequentially (Bakr and Lee 2017; Grabisch and Prade 2001; Khaleghi et al. 2013). All this may also lead to violation of critical timing constraints. When fusing information from different sources, there is also uncertainty regarding the exact time different measurements have been

obtained, which is referred to as temporal noise (Brooks and Iyengar 1997). Such temporal noise emerges due to different local clocks and uncertainties regarding transmission (see Sect. 3.2.2).

3.2.4 Uncertainty Regarding Coordination

Due to the increasing connectivity of individual real-time embedded systems, there is a trend toward interconnected, collaborating embedded systems (cf., e.g., Mosterman and Zander 2016). These are typically distributed (Pereira and Carro 2007) and can be seen as “systems of systems” (Maier 1998; Nielsen et al. 2015). During operation, individual embedded real-time systems collaborate with each other in order to achieve some “higher” goal or provide services that go beyond the capabilities of each individual system on their own. This is typically denoted “emergence” (Boardman and Sauser 2006). Emergent properties resulting from collaboration of individual systems can be desired or undesired (i.e., potentially harmful) (Johnson 2006). At the same time, the individual systems remain to a certain extent autonomous w.r.t. achieving their own, local goals and objectives (Boardman and Sauser 2006). The dynamicity of each individual system might also cause uncertainty for the collaboration w.r.t. achieving the global goals (DeLaurentis 2005).

Collaboration entails communication and requires processing context data of each individual system in order to enable the information exchange among different systems (see Fig. 1). In the following, the specific focus is on the coordination required for systematic information exchange as well as maintenance of emergent properties of the overall collaborative network of interconnected real-time systems. From the collaborative nature of such real-time systems, the following sources of uncertainty emerge:

• Different knowledge representations: Since the context of real-time systems in a collaboration is dynamic and open, new systems may join a collaboration. In this setting, uncertainty may occur due to different ways of representing knowledge (i.e., information to be exchanged and collaboratively processed, cf. Kopetz 2014). There can be a mismatch between semantic concepts used to encode messages to be exchanged between different systems (Hildebrandt et al. 2019). This concern is distinguished from context data processing, where the type level of messages is not considered.
• Orchestration and consensus: Different autonomous systems have to coordinate and achieve consensus about the activities to be performed in collaboration. Since each individual system contributes its part to achieve desired emergent properties, the interaction between individual systems requires constant monitoring and management. For example, vehicle platoons collaboratively maintain a safe distance between the individual platooning vehicles (cf., e.g., Zheng et al. 2016).
• Goal conflicts: Individual collaborating real-time systems may have conflicting goals (Daun et al. 2019; Silva et al. 2015), which may remain uncovered. This

includes potentially adversarial systems engaging in a collaboration with harmful intentions (cf. Bijani and Robertson 2014; Li et al. 2018).

Again, all these kinds of uncertainties occur during operation and need to be handled efficiently; otherwise this easily results in timing constraint violations. As mentioned, there are dependencies on the other elements of the reference model. For example, time delays in communication may obstruct consensus among a group of systems (Olfati-Saber and Murray 2004), or uncertainty regarding the execution platform may have impacts on higher-level control mechanisms for distributed real-time systems (Shankaran et al. 2008).

4 Overview of Uncertainty Handling Approaches for Real-Time Systems

In the following, an overview of different categories of solution approaches for addressing the specific kinds of uncertainties relevant for real-time systems is given. The ECDC reference model (see Sect. 3) and the fundamental uncertainty handling techniques presented in Sect. 2 are used to identify, categorize, and provide a brief overview of specific solution approaches. The following subsections are structured according to the four core concepts of the ECDC reference model. Specific emphasis is placed on the fact that the task under consideration of the specific methods (e.g., context data processing or real-time scheduling) as well as the uncertainty handling on top of that needs to be performed in real time.

4.1 Handling Uncertainty in the Execution Platform

As introduced in Sect. 3.2.1, two classes of uncertainty related to execution platforms for real-time software systems include uncertainty related to unpredictable hardware failures and scheduling uncertainty. Uncertainty related to hardware failures is aleatory (cf. Sect. 2.1). It cannot be completely avoided and may be more or less likely depending on the application area. Hardware failures can be accounted for by making hardware more reliable by design (also denoted “hardening” of hardware components, e.g., against radiation (Garg et al. 2006)). From a software point of view, software-based hardening techniques are available as well, e.g., (Santini et al. 2017). Furthermore, the effects of hardware failures can be handled by designing software-based redundancy (cf., e.g., Ulbrich et al. 2012). Software-based recovery mechanisms (e.g., using checkpoints) can also be employed to handle uncertainty caused by hardware failures; for an overview, the reader is referred to, e.g., Egwutuoha et al. (2013) and Gao et al. (2015a, b). For considering uncertainty in real-time operating systems that are responsible for scheduling time-constrained tasks, a multitude of approaches has been proposed. Building upon probability theory, the concept of probabilistic real-time scheduling

has been proposed (for details, see other handbook chapter (Maxim et al. 2019)). The basic idea is to handle uncertainty that can occur during operation due to inherent stochasticity (Burns et al. 2003) by considering properties of tasks using probability theory, i.e., as random variables (Hu et al. 2001) (see Sect. 2.2.1). Furthermore, (hard) timing constraints can be relaxed by specifying maximum acceptable deadline violations of tasks (Burns et al. 1999). In addition to probabilistic approaches, there are also approaches utilizing fuzzy logic (Litoiu and Tadei 2001; Muhuri and Shukla 2008), whereby fuzziness describes, e.g., uncertain task deadlines.
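The following added example (not code from the chapter or the cited works) illustrates treating task execution times as random variables and accepting a bounded deadline-miss probability instead of a strict worst-case guarantee. It assumes independent discrete execution-time distributions and jobs that are released together and run back to back on one processor; the task values and function names are constructed for illustration.

```python
from collections import defaultdict
from fractions import Fraction


def convolve(pmf_a, pmf_b):
    """PMF of the sum of two independent discrete random variables."""
    out = defaultdict(Fraction)
    for t_a, p_a in pmf_a.items():
        for t_b, p_b in pmf_b.items():
            out[t_a + t_b] += p_a * p_b
    return dict(out)


def completion_time_pmf(exec_time_pmfs):
    """Completion-time PMF of the last job in a back-to-back sequence.

    Assumption of this example: all jobs are released at time 0, run without
    preemption on one processor, and have independent execution times.
    """
    total = {0: Fraction(1)}
    for pmf in exec_time_pmfs:
        if sum(pmf.values()) != 1:
            raise ValueError("execution-time probabilities must sum to 1")
        total = convolve(total, pmf)
    return total


def deadline_miss_probability(pmf, deadline):
    """Probability mass of all completion times later than the deadline."""
    return sum((p for t, p in pmf.items() if t > deadline), Fraction(0))


def schedulable(exec_time_pmfs, deadline, max_miss_probability=Fraction(0)):
    """Hard constraint when max_miss_probability is 0, relaxed otherwise."""
    pmf = completion_time_pmf(exec_time_pmfs)
    return deadline_miss_probability(pmf, deadline) <= max_miss_probability


# Constructed task set: execution time in ms -> probability.
TASKS = [
    {2: Fraction(9, 10), 5: Fraction(1, 10)},   # usually short, rare long path
    {3: Fraction(4, 5), 6: Fraction(1, 5)},
    {1: Fraction(1, 2), 2: Fraction(1, 2)},
]
DEADLINE_MS = 10

if __name__ == "__main__":
    pmf = completion_time_pmf(TASKS)
    print("worst case (ms):", max(pmf))
    print("P(miss):", deadline_miss_probability(pmf, DEADLINE_MS))
    print("hard guarantee:", schedulable(TASKS, DEADLINE_MS))
    print("miss rate <= 5%:", schedulable(TASKS, DEADLINE_MS, Fraction(1, 20)))
```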

4.2 Handling Uncertainty in Communication

On the one hand, uncertainty in the communication facilities used by real-time systems can be handled by enhancing the reliability of network infrastructure by design. This covers considerations of the physical devices and links to be used, as well as the communication protocols. However, in current ubiquitous and dynamic environments, the reliability properties and topology of the network infrastructure in which a real-time system is actually going to operate may not be completely foreseeable during system development. In such settings, ad hoc network protocols are used (Royer and Toh 1999; Toh 2001). Wireless sensor networks constitute a large application area of real-time ad hoc networks; for a recent survey, see Kim et al. (2017). Other specific applications include vehicular ad hoc networks (VANETs), where handling uncertainty regarding the movements and positions of vehicles plays a major role for inter-vehicle communication (cf. Abdel-Halim and Fahmy 2018; Harri et al. 2009; Hartenstein and Laberteaux 2008; Li and Wang 2007; Zeadally et al. 2012). Communication protocol design for real-time communication is concerned with guaranteeing timely delivery of messages throughout the network (He et al. 2003). In this context, uncertainty is most notably handled using probabilistic approaches (see Sect. 2.2) to account for the indeterminism and dynamicity of the network topology (cf., e.g., Felemban et al. 2005). Instead of aiming at guaranteeing absolute reliability, e.g., w.r.t. timely delivery of messages, such approaches strive for “probabilistic reliability” (Luo et al. 2004). Gossiping protocols are used to enhance the reliability of the dissemination of data by means of redundant messages spread across the different network nodes (Kermarrec et al. 2003). The routing approach presented in Liu et al. (2013) explicitly accounts for uncertainty regarding message transmission delays (see Sect. 3.2.2). 
Further approaches to handle timing uncertainties in communication infrastructures deal with protocols for synchronizing the local clocks of networked real-time systems, e.g., wireless sensor networks (Römer 2001; Sundararaman et al. 2005). This can be seen as an uncertainty handling service provided by the communication infrastructure for enabling coordination among distributed real-time systems (cf. Fig. 1).

4.3 Handling Uncertainty in Data Processing

The processing of uncertain data has been discussed extensively in the area of information fusion. Information fusion is concerned with transforming a set of input data stemming from different sources and/or different points in time into a single output that exhibits a higher quality according to some targeted goal or objective (Khaleghi et al. 2013; Nakamura et al. 2007). Uncertainty related to the data to be fused is a major concern in information fusion, and there are various frameworks available (Dubois et al. 2016), e.g., possibilistic information fusion based on possibility theory (Dubois and Prade 2000). Sensor fusion, i.e., the fusion of data stemming from sensors as a specialized type of information source, is considered a subarea of information fusion (Nakamura et al. 2007).

In the information fusion literature, different levels of data processing are distinguished (see, e.g., Dasarathy 1997; Llinas and Hall 1998; Nakamura et al. 2007). These layers refer to the content of the data that is fused by applying different approaches. A distinction is made between raw data, properties of context objects (denoted “features”), as well as high-level decisions derived based on multiple observations and processing steps. Yet there are other ways of classifying information fusion approaches. Table 1 gives an overview of two classifications given in Khaleghi et al. (2013) and Nakamura et al. (2007). For further details of these approaches, comprehensive surveys are available to which the interested reader is referred (Alam et al. 2017; Castanedo 2013; Khaleghi et al. 2013; Nakamura et al. 2007). In the following, insights into real-time applications and real-time characteristics of information fusion approaches addressing uncertainty are given.

In comparison with classic fusion approaches that do not consider aspects of time, real-time information fusion approaches need to consider additional uncertainties such as the ones mentioned above. As described by Brooks and Iyengar (1997), for fusing information from distributed sensors, the uncertainty regarding the timing of measurements received from different sensors is taken into account. Applications of fusion techniques in real-time settings under uncertainty include object detection by wireless sensor networks (Tan et al. 2009) or autonomous vehicles (Chavez-Garcia and Aycard 2016) and manufacturing logistics (Song et al. 2013). In Feng et al. (2009), drowsiness detection of car drivers is automated using Dempster-Shafer fusion for combining multiple kinds of evidence for drowsiness. A hybrid fusion approach is presented in Liu et al. (2019), where fuzzy logic and adaptive estimation using a Kalman Filter approach are employed in order to realize raw sensor data fusion for unmanned water vehicles.

Some approaches target the detection of faulty sensors or anomalies in data issued by sensors. An anomaly detection algorithm that explicitly takes different kinds of sensor data-related uncertainties (see Sect. 3.2.3) into account is presented in Ul Islam et al. (2018). Faulty sensor identification can be considered a specific case of estimation (Ibarguengoytia et al. 2001; Zhang 2011a). Ibarguengoytia

Table 1 Classification of information fusion approaches. (Categories from Khaleghi et al. (2013) and Nakamura et al. (2007))

Classification according to the fusion objective (Nakamura et al. 2007)
Objective | Brief description
Inference | Transition from one belief to another, higher-level one based on posterior knowledge (using, e.g., Bayesian theory, Dempster-Shafer theory, or fuzzy logic)
Estimation | Probability theory-based control loop approaches (e.g., Kalman filter) for estimating the most likely value out of a set of available values
Feature Maps | Extraction of context object features from raw sensor data
Compression | Handling correlated data in wireless sensor networks through exploiting special correlation of sensors
Reliable abstract sensors | Out of a set of sensor values, the interval that is reliable in the sense that it contains the “real” value of a measured property
Aggregation | Handling redundant values, e.g., caused by redundant data or duplication of data through communication

Classification according to addressed challenges (Khaleghi et al. 2013)
Challenge | Brief description
Fusing imperfect data | Various approaches covering different uncertainty aspects (see Sect. 3.2.3), based on mathematical theories for uncertainty handling (see Sect. 2)
Fusing correlated data | Approaches dealing with the elimination of cross-dependencies between data and handling unknown correlations
Fusing inconsistent data | Approaches aiming at validating spurious data using multiple sources, resolving data that is out of order, and conflicting data
Fusing disparate data | Approaches for fusing data that are heterogeneous regarding their source (e.g., data from sensors and data collected from users) and consequently their form

et al. (2001) utilize Bayesian networks as a probabilistic formalism to model dependencies (and independencies) among multiple sensors as well as to identify the faulty sensor. The approach estimates sensor values based on other sensors’ values to determine candidate faulty sensors and then detects the real faulty sensor. It is applied incrementally in order to be real-time applicable, using a maximum-entropy approach to determine the next sensor to check.

Another related research area that is concerned with data-related uncertainties is real-time databases (Ozsoyoglu and Snodgrass 1995; Ramamritham 1993; Ramamritham et al. 2004; Yu et al. 1994). Real-time databases have timing constraints associated with database transactions and timing semantics for the validity of data stored in the database (Stankovic et al. 1999; Vrbsky and Tomić 1998). Some techniques from real-time databases have also been applied to manage resource-efficient real-time filtering of uncertain data streams (cf., e.g., Woo and Mok 2007).
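The “reliable abstract sensors” objective from Table 1 and the limited validity time of context data can be combined in one check, shown in the following added example (not code from the chapter or the cited works). It uses a Marzullo-style interval intersection as one classical way to obtain such an interval; the sensor names, readings, the global millisecond time base, and the majority policy are constructed assumptions.

```python
from typing import NamedTuple


class Reading(NamedTuple):
    sensor: str
    lo: float   # lower bound of the measured value
    hi: float   # upper bound of the measured value
    t_ms: int   # measurement time on an assumed global time base, in ms


def fuse(readings, now_ms, max_age_ms, max_faulty):
    """Return (interval, suspects, stale).

    interval: smallest interval covering every point that lies in at least
              n - max_faulty fresh intervals, or None if no such point exists
              or too few fresh readings remain.
    suspects: fresh sensors whose interval does not intersect the result.
    stale:    sensors dropped because the reading is outside its validity
              window (too old, or timestamped in the future).
    """
    fresh, stale = [], []
    for r in readings:
        if r.lo > r.hi:
            raise ValueError(f"{r.sensor}: lower bound exceeds upper bound")
        age = now_ms - r.t_ms
        (fresh if 0 <= age <= max_age_ms else stale).append(r)
    stale_names = [r.sensor for r in stale]

    need = len(fresh) - max_faulty
    # Policy of this example: agreeing sensors must outnumber tolerated faults.
    if max_faulty < 0 or need <= max_faulty:
        return None, [], stale_names

    # Sweep over interval endpoints; kind 0 (start) sorts before kind 1 (end),
    # so closed intervals that merely touch still count as overlapping.
    events = sorted([(r.lo, 0) for r in fresh] + [(r.hi, 1) for r in fresh])
    count, lo, hi = 0, None, None
    for x, kind in events:
        if kind == 0:
            count += 1
            if count >= need and lo is None:
                lo = x          # first point covered by enough intervals
        else:
            if count >= need:
                hi = x          # last point covered by enough intervals so far
            count -= 1
    if lo is None:
        return None, [], stale_names

    suspects = [r.sensor for r in fresh if r.hi < lo or r.lo > hi]
    return (lo, hi), suspects, stale_names


# Constructed readings: distance to a lead vehicle in meters.
READINGS = [
    Reading("radar", 9.8, 10.4, 990),
    Reading("lidar", 10.0, 10.6, 980),
    Reading("camera", 10.1, 10.9, 995),
    Reading("v2v", 12.0, 12.5, 985),          # disagrees with the others
    Reading("ultrasonic", 10.2, 10.3, 700),   # too old at now_ms = 1000
]

if __name__ == "__main__":
    print(fuse(READINGS, now_ms=1000, max_age_ms=100, max_faulty=1))
```

A result of `None` means the fresh readings cannot be reconciled under the stated fault assumption, which the caller should treat as a degraded state rather than pick a value.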

4.4 Handling Uncertainty Regarding Coordination of Different Systems

The coordination among a number of collaborating systems has been researched most notably in the area of multi-agent systems. Employing the agent-based paradigm, real-time embedded systems are considered as autonomous entities that process context information and make decisions (cf. Weyns and Georgeff 2010; Wooldridge 1997). Recently, agent-based mechanisms have also been employed for real-time IoT and CPS (Calvaresi et al. 2017; Fortino et al. 2018). A multitude of agent coordination, consensus, and orchestration algorithms are available in the literature (see, e.g., Olfati-Saber 2006; Olfati-Saber et al. 2007). According to Howe et al. (1990), timing and uncertainty considerations are closely intertwined in real-time agent development, because there exists uncertainty about the evolution of the context over time, and uncertainty can be introduced due to the need to react upon stimuli in real-time, possibly using imperfect data (see Sect. 4.3). In Berna-Koes et al. (2004), timeliness regarding the communication among agents is considered by introducing a separate communication channel for low-level information (e.g., raw sensor data), which is separated from higher-level coordination messages (e.g., for negotiation among agents). Specific approaches considering uncertainty in the negotiation process among agents can be found, e.g., in Li et al. (2006) and Ouelhadj et al. (2005). A real-time negotiation approach taking uncertainty regarding context perception and dynamics in multi-agent systems into account is presented in Soh and Tsatsoulis (2005). Coordination and negotiation approaches utilizing probability theory (most notably Bayesian networks) to account for uncertainty can be found, e.g., in the works of Zeng and Sycara (1998) and Zhang et al. (2015). An approach toward multi-agent consensus under uncertainty regarding communication failures can be found in another chapter of this handbook (Wen et al. 2019).

A research area related to uncertainty handling for collaborating systems is trust management in multi-agent systems. Trust management mechanisms are a means to cope with the inherent uncertainty regarding other agents’ internals (e.g., beliefs, desires, intentions, cf. Rao and Georgeff 1991). This is closely connected to security issues of reaching consensus among agents, since adversarial intruders in collaborations may impact the consensus, which needs to be handled accordingly (cf. LeBlanc and Koutsoukos 2011). Trust management deals with evidence and measurements of an agent’s trustworthiness, which can be processed by agents interacting with other agents in order to, e.g., decide which agent to collaborate with (Ramchurn et al. 2004). Different approaches to realize trust management are available; for an overview, please refer to Ramchurn et al. (2004), Sabater and Sierra (2005), and Yu et al. (2013). Specific approaches dealing with uncertainty and trust, e.g., utilize Dempster-Shafer evidence theory (Sensoy et al. 2013) (see Sect. 2.2). Regarding real-time applications, specific real-time concerns of trust management approaches have been investigated in Zhang (2011b), focusing on vehicular ad hoc networks. A survey of trust mechanisms in mobile ad hoc networks can be found in Govindan and Mohapatra (2012). Maintaining trust requires suitable concepts and

monitoring facilities for detecting misbehaviors that might indicate threats to trust and trustworthiness (Gol Mohammadi et al. 2014; Bandyszak et al. 2016). Regarding different knowledge representations for the information exchange between heterogeneous and autonomous systems, respective uncertainty needs to be handled in appropriate knowledge integration techniques. To represent knowledge in a machine-readable format, formal ontology-based approaches have been proposed (cf. Blair et al. 2011; Wang et al. 2012). These employ heavyweight ontologies as a vocabulary to encode and share knowledge among autonomous systems (Obitko and Marik 2002). When different ontologies are automatically mapped in order to achieve a common knowledge base and understanding of the terms defined therein, uncertainty can be handled by, e.g., employing Dempster-Shafer evidence theory (Laamari and Ben Yaghlane 2007; Nagy et al. 2007). An ontology fusion approach for a real-time application, i.e., in vehicular ad hoc networks, is proposed in Ruta et al. (2018).
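Dempster-Shafer evidence theory is named above for both trust management and ontology mapping. The following added example (not code from the chapter or the cited works) applies Dempster's rule of combination to trust evidence about one peer system and uses the conflict between sources as a monitoring signal; the two-element frame, the evidence values, the thresholds, and the decision labels are constructed assumptions.

```python
from fractions import Fraction
from itertools import product

TRUST = frozenset({"trustworthy"})
DISTRUST = frozenset({"untrustworthy"})
FRAME = TRUST | DISTRUST          # mass on FRAME expresses ignorance


def validate(mass):
    for focal, value in mass.items():
        if not focal or not focal <= FRAME or value < 0:
            raise ValueError(f"invalid focal element or mass: {set(focal)}")
    if sum(mass.values()) != 1:
        raise ValueError("masses must sum to 1")


def combine(m1, m2):
    """Dempster's rule of combination. Returns (combined_mass, conflict)."""
    validate(m1)
    validate(m2)
    joint, conflict = {}, Fraction(0)
    for (a, p_a), (b, p_b) in product(m1.items(), m2.items()):
        common = a & b
        if common:
            joint[common] = joint.get(common, Fraction(0)) + p_a * p_b
        else:
            conflict += p_a * p_b      # mass assigned to contradictory pairs
    if conflict == 1:
        raise ValueError("total conflict: sources cannot be combined")
    return {k: v / (1 - conflict) for k, v in joint.items()}, conflict


def belief(mass, hypothesis):
    """Mass committed to subsets of the hypothesis (lower bound)."""
    return sum((v for k, v in mass.items() if k <= hypothesis), Fraction(0))


def plausibility(mass, hypothesis):
    """Mass not contradicting the hypothesis (upper bound)."""
    return sum((v for k, v in mass.items() if k & hypothesis), Fraction(0))


def decide(evidence, min_belief, max_conflict):
    """Fuse evidence in order; return (decision, belief, worst_conflict)."""
    fused, worst = evidence[0], Fraction(0)
    validate(fused)
    for mass in evidence[1:]:
        fused, conflict = combine(fused, mass)
        worst = max(worst, conflict)
    bel = belief(fused, TRUST)
    if worst > max_conflict:
        return "investigate", bel, worst   # sources disagree too strongly
    return ("collaborate" if bel >= min_belief else "decline"), bel, worst


# Constructed evidence about one peer system.
DIRECT = {TRUST: Fraction(3, 5), DISTRUST: Fraction(1, 10), FRAME: Fraction(3, 10)}
RECOMMENDATION = {TRUST: Fraction(1, 2), DISTRUST: Fraction(1, 5), FRAME: Fraction(3, 10)}
MISBEHAVIOR_REPORT = {DISTRUST: Fraction(9, 10), FRAME: Fraction(1, 10)}

if __name__ == "__main__":
    print(decide([DIRECT, RECOMMENDATION], Fraction(7, 10), Fraction(1, 2)))
    print(decide([DIRECT, RECOMMENDATION, MISBEHAVIOR_REPORT],
                 Fraction(7, 10), Fraction(1, 2)))
```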

5 Engineering Considerations

While the reference model (see Sect. 3) and the overview of existing approaches (see Sect. 4) focused on uncertainty rooted in the (operational) context of real-time embedded software systems, this section provides some insights into how uncertainty is considered in engineering methodologies for real-time systems. The reference model distinguished several kinds of uncertainties in the operational context of real-time software systems. Engineering activities need to explicitly consider such uncertainties in order to enable the developed system to appropriately and – if possible – autonomously handle uncertainty so that the system is still able to satisfy its requirements. Specifically for real-time systems, the goal is to assure by design that the implemented system will exhibit the desired real-time behavior when in operation. As was shown in Sect. 4, there is a variety of techniques that can be applied at runtime to cope with uncertainty, depending on the source of uncertainty. Engineering approaches for real-time systems pay special attention to the specification and verification of timing constraints, the violation of which may cause catastrophic failures. For instance, timing behavior needs to be modeled as dedicated timing annotations. On top of the consideration of timing requirements, uncertainty needs to be handled as a first-class concern during development as well (Garlan 2010; Oquendo 2019). To this end, the following subsections provide a high-level overview of how potential runtime uncertainties can be considered during typical phases or activities of systems development in general.

5.1 Requirements Elicitation and Analysis

In order to be able to handle operational uncertainty during development, engineers have to identify such uncertainties first. This has significant similarities to requirements elicitation, where requirements (e.g., system behavior) are explored.

Discovering potential runtime uncertainties rooted in the operational context of a real-time embedded system requires systematically identifying relevant system context objects (including their structure, functions, and behavior (Daun et al. 2016a, b)) first. This plays a major role in requirements elicitation techniques (Sutcliffe and Sawyer 2013). For identifying potential runtime uncertainties, awareness and a deep understanding of uncertainty are crucial. It is important to know what kinds of such uncertainties exist, how they manifest at runtime, under which conditions they may occur, and what their root cause is. To this end, taxonomies such as the ones presented in Sect. 2.1, e.g., (Zhang et al. 2016; Bandyszak et al. 2018), which explain what constituent elements make up a description of uncertainty, are essential. Furthermore, it is helpful to systematically discover and analyze environmental conditions in which the satisfaction of requirements is potentially endangered (e.g., Ramirez et al. 2011). In early stages, this can be done, e.g., based on high-level goal models of the system under consideration (Cheng et al. 2009). Goal modeling can also be particularly helpful for analyzing the collaborative behavior of a group of systems (Daun et al. 2019). For collaborative systems, it is in general challenging to identify and analyze the specific manifestations that can emerge during operation (Daun et al. 2015; Johnson 2006).

5.2 System and Context Modeling

Since model-based engineering is well-established for developing embedded systems (Liebel et al. 2018; Liggesmeyer and Trapp 2009), using models for system specification can be seen as the common approach. Once system context and requirements have been sufficiently understood, they need to be modeled. This can be done using a variety of general-purpose or domain-specific modeling languages. There are also specific modeling languages or extensions to existing modeling languages for explicitly capturing real-time requirements, such as real-time UML (Douglass 2004). More formal approaches include, e.g., timed automata (Alur and Dill 1994). In principle, there are two ways of modeling uncertainty that relates to the modeled behavior of a real-time system and its context: (1) integrating uncertainty information into these models, e.g., through the use of stereotypes as in Bernardi et al. (2011) and Zhang et al. (2019), or (2) orthogonally modeling uncertainty in a separate diagram and linking it to the other models using trace links (Bandyszak et al. 2018, 2020). Other related modeling aspects include the specification of potential safety hazards that may occur during operation, which should also be handled early during development of safety-critical real-time systems (Tenbergen et al. 2017). Furthermore, constraints on the potential manifestations of collaborative groups of systems (cf. Sect. 4.4) need to be systematically modeled as well (Brings et al. 2019).

5.3 Automated Verification and Analysis Techniques

Based on specifications of desired (or prohibited) system properties and models of the system and its environment, automated verification techniques can be applied. One major stream of verification techniques is model checking. Specifically for real-time systems, some form of timed automata depicting timing behavior is used to model the system under consideration, while desired system properties can be specified using real-time temporal logic such as Timed CTL (Alur et al. 1990). For taking uncertainty into account, probabilistic model-checking approaches and tools, such as PRISM (Kwiatkowska et al. 2011), have been proposed (Katoen 2016; Kwiatkowska et al. 2018). The underlying formalism for real-time purposes can be continuous time Markov chains (Aziz et al. 2000; Baier et al. 2003). There are also approaches specifically important for real-time systems, e.g., for explicitly considering uncertainty in schedulability analysis (Axelsson 2005).
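A typical query that probabilistic model checking answers on a continuous-time Markov chain is the probability that a failure state is reached within a time bound. The following added example (not from the chapter and not PRISM code) computes that probability by uniformization, a standard numerical method for CTMC transient analysis; the three-state fault model, its rates, and all function names are constructed for illustration.

```python
"""Time-bounded reachability on a CTMC by uniformization (constructed example)."""
import math

NOMINAL, DEGRADED, FAILED = 0, 1, 2

# Constructed fault model, rates per second: a transient fault degrades the
# system, which then either recovers or ends in a deadline-violating failure.
FAULT_MODEL = {
    (NOMINAL, DEGRADED): 0.02,   # fault arrival
    (DEGRADED, NOMINAL): 5.0,    # successful recovery
    (DEGRADED, FAILED): 0.5,     # recovery misses the deadline
}


def reach_within(rates, start, targets, t, eps=1e-12):
    """Probability of reaching a target state within time t from start.

    rates maps (i, j) to the transition rate from state i to state j,
    with states numbered 0..n-1.
    """
    targets = set(targets)
    n = 1 + max(max(i, j) for i, j in rates)
    # Reaching a target within t equals the transient probability of the
    # targets once they are absorbing, so their outgoing rates are dropped.
    live = {(i, j): r for (i, j), r in rates.items()
            if i != j and i not in targets and r > 0}
    exit_rate = [0.0] * n
    for (i, _), r in live.items():
        exit_rate[i] += r
    q = max(exit_rate) or 1.0            # uniformization rate
    if q * t > 700:
        raise ValueError("q*t too large for this plain Poisson recurrence")

    pi = [0.0] * n                       # distribution of the embedded DTMC
    pi[start] = 1.0
    weight = math.exp(-q * t)            # Poisson(q*t) probability of 0 jumps
    covered = weight                     # Poisson mass accounted for so far
    prob = weight * sum(pi[s] for s in targets)
    max_k = int(q * t + 12 * math.sqrt(q * t) + 30)
    k = 0
    while 1.0 - covered > eps and k < max_k:
        k += 1
        # One step of the uniformized chain P = I + Q/q.
        step = [pi[i] * (1.0 - exit_rate[i] / q) for i in range(n)]
        for (i, j), r in live.items():
            step[j] += pi[i] * r / q
        pi = step
        weight *= q * t / k              # Poisson probability of k jumps
        covered += weight
        prob += weight * sum(pi[s] for s in targets)
    return prob


if __name__ == "__main__":
    for horizon in (1.0, 10.0, 60.0):
        p = reach_within(FAULT_MODEL, NOMINAL, {FAILED}, horizon)
        print(f"P(failure within {horizon:>4} s) = {p:.6f}")
```

The truncation bound `eps` limits the neglected Poisson mass, so the returned value underestimates the exact probability by at most `eps`.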

6 Conclusion

Uncertainty can occur in many different ways during the operation of real-time software systems. For instance, failures of computing resources or network delay may cause violation of real-time constraints. Since many real-time software systems are embedded and reactive (e.g., cyber-physical systems), operational uncertainty can have hazardous effects on safety. Real-time systems thus have to cope with uncertainty during operation, largely autonomously without human intervention. Engineering such systems relies on understanding the potential uncertainties that can occur during operation (including knowledge about possible sources of uncertainty) as well as specific means and techniques that can be built into the systems in order to enable the automated handling of uncertainty. This chapter provided an overview of fundamental theories and mathematical formalisms for describing uncertainty in general. Furthermore, a reference model for uncertainty with a specific focus on real-time software systems during their operation has been proposed. This reference model distinguishes important sources of uncertainty rooted in the operational context of real-time systems. It characterizes uncertainty regarding the execution and communication infrastructure of real-time systems, as well as regarding the processing of context data and coordination with other systems. Building upon the reference model and fundamental theories for describing uncertainty, a comprehensive and structured overview of specific approaches that enable real-time systems to cope with uncertainty during operation has been given. Furthermore, engineering considerations for designing real-time systems in such a way that they are able to handle uncertainties at runtime are described.

References

I.T. Abdel-Halim, H.M.A. Fahmy, Prediction-based protocols for vehicular ad hoc networks: survey and taxonomy. Comput. Netw. 130, 34–50 (2018). https://doi.org/10.1016/j.comnet.2017.10.009

M. Al-Kuwaiti, N. Kyriakopoulos, S. Hussein, A comparative analysis of network dependability, fault-tolerance, reliability, security, and survivability. IEEE Commun. Surv. Tutorials 11(2), 106–124 (2009). https://doi.org/10.1109/SURV.2009.090208

F. Alam, R. Mehmood, I. Katib, N.N. Albogami, A. Albeshri, Data fusion and iot for smart ubiquitous environments: a survey. IEEE Access 5, 9533–9554 (2017). https://doi.org/10.1109/ACCESS.2017.2697839

H. Aloulou, M. Mokhtari, T. Tiberghien, R. Endelin, J. Biswas, Uncertainty handling in semantic reasoning for accurate context understanding. Knowl.-Based Syst. 77, 16–28 (2015). https://doi.org/10.1016/j.knosys.2014.12.025

R. Alur, D.L. Dill, A theory of timed automata. Theor. Comput. Sci. 126(2), 183–235 (1994). https://doi.org/10.1016/0304-3975(94)90010-8

R. Alur, C. Courcoubetis, D. Dill, Model-checking for real-time systems, in 1990 Proceedings of the Fifth Annual IEEE Symposium on Logic in Computer Science, 1990, pp. 414–425. https://doi.org/10.1109/LICS.1990.113766

M. Amoozadeh, H. Deng, C.-N. Chuah, H.M. Zhang, D. Ghosal, Platoon management with cooperative adaptive cruise control enabled by vanet. Veh. Commun. 2(2), 110–123 (2015). https://doi.org/10.1016/j.vehcom.2015.03.004

v.B. Arem, v.C.J.G. Driel, R. Visser, The impact of cooperative adaptive cruise control on traffic-flow characteristics. IEEE Trans. Intell. Transp. Syst. 7(4), 429–436 (2006). https://doi.org/10.1109/TITS.2006.884615

T. Aven, O. Renn, Risk Management and Governance: Concepts, Guidelines and Applications (Springer, Berlin/Heidelberg, 2010). ISBN 978-3-642-13926-0

J. Axelsson, A method for evaluating uncertainties in the early development phases of embedded real-time systems, in 11th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA’05), 2005, pp. 72–75. ISSN: 2325-1301. https://doi.org/10.1109/RTCSA.2005.12

J. Axelsson, Safety in vehicle platooning: a systematic literature review. IEEE Trans. Intell. Transp. Syst. 18(5), 1033–1045 (2017). https://doi.org/10.1109/TITS.2016.2598873

J. Axelsson, An initial analysis of operational emergent properties in a platooning system-of-systems, in 2018 Annual IEEE International Systems Conference (SysCon), 2018, pp. 1–8. ISSN: 2472-9647. https://doi.org/10.1109/SYSCON.2018.8369506

A. Aziz, K. Sanwal, V. Singhal, R. Brayton, Model-checking continuous-time Markov chains. ACM Trans. Comput. Log. 1(1), 162–170 (2000). https://doi.org/10.1145/343369.343402

C. Baier, B. Haverkort, H. Hermanns, J.-P. Katoen, Model-checking algorithms for continuous-time Markov chains. IEEE Trans. Softw. Eng. 29(6), 524–541 (2003). https://doi.org/10.1109/TSE.2003.1205180

M.A. Bakr, S. Lee, Distributed multisensor data fusion under unknown correlation and data inconsistency. Sensors 17(11), 2472 (2017). https://doi.org/10.3390/s17112472

M. Bambagini, M. Marinoni, H. Aydin, G. Buttazzo, Energy-aware scheduling for real-time systems: a survey. ACM Trans. Embed. Comput. Syst. 15(1), 7–1734 (2016). https://doi.org/10.1145/2808231

T. Bandyszak, M. Moffie, A. Goldsteen, P. Melas, B.I. Nasser, C. Kalogiros, G. Barni, S. Hartenstein, G. Giotis, T. Weyer, Supporting coordinated maintenance of system trustworthiness and user trust at runtime, in Trust Management X, ed. by S.M. Habib, J. Vassileva, S. Mauw, M. Mühlhäuser. IFIP Advances in Information and Communication Technology (Springer, Cham, 2016), pp. 96–112. ISBN 978-3-319-41354-9. https://doi.org/10.1007/978-3-319-41354-9_7

T. Bandyszak, M. Daun, B. Tenbergen, T. Weyer, Model-based documentation of context uncertainty for cyber-physical systems, in Proceedings of the 14th IEEE International Conference on Automation Science and Engineering (CASE), Munich, 2018, pp. 1087–1092

T. Bandyszak, M. Daun, B. Tenbergen, P. Kuhs, S. Wolf, T. Weyer, Orthogonal uncertainty modeling in the engineering of cyber-physical systems, in IEEE Transactions on Automation Science and Engineering, 17(3), 1250–1265 (2020). https://doi.org/10.1109/TASE.2020.2980726

R.C. Baumann, Radiation-induced soft errors in advanced semiconductor technologies. IEEE Trans. Device Mater. Reliab. 5(3), 305–316 (2005). https://doi.org/10.1109/TDMR.2005.853449

M. Berna-Koes, I. Nourbakhsh, K. Sycara, Communication efficiency in multi-agent systems, in IEEE International Conference on Robotics and Automation, 2004. Proceedings. ICRA ’04. 2004, vol. 3, 2004, pp. 2129–21343. ISSN: 1050-4729. https://doi.org/10.1109/ROBOT.2004.1307377

S. Bernardi, J. Merseguer, D.C. Petriu, A dependability profile within marte. Softw. Syst. Model. 10(3), 313–336 (2011). https://doi.org/10.1007/s10270-009-0128-1

C. Bettini, O. Brdiczka, K. Henricksen, J. Indulska, D. Nicklas, A. Ranganathan, D. Riboni, A survey of context modelling and reasoning techniques. Pervasive Mob. Comput. 6(2), 161–180 (2010). https://doi.org/10.1016/j.pmcj.2009.06.002

S. Bijani, D. Robertson, A review of attacks and security approaches in open multi-agent systems. Artif. Intell. Rev. 42(4), 607–636 (2014). https://doi.org/10.1007/s10462-012-9343-1

G.S. Blair, A. Bennaceur, N. Georgantas, P. Grace, V. Issarny, V. Nundloll, M. Paolucci, The role of ontologies in emergent middleware: supporting interoperability in complex distributed systems, in Middleware 2011, ed. by F. Kon, A.-M. Kermarrec. Lecture Notes in Computer Science (Springer, Berlin/Heidelberg, 2011), pp. 410–430. ISBN 978-3-642-25821-3. https://doi.org/10.1007/978-3-642-25821-3_21

J. Boardman, B. Sauser, System of systems – the meaning of, in 2006 IEEE/SMC International Conference on System of Systems Engineering, 2006, pp. 118–123. https://doi.org/10.1109/SYSOSE.2006.1652284

P.P. Bonissone, P.C. Halverson, Time-constrained reasoning under uncertainty. Real-Time Syst. 2(1), 25–45 (1990). https://doi.org/10.1007/BF01840465

v.d.G. Brüggen, K.-H. Chen, W.-H. Huang, J.-J. Chen, Systems with dynamic real-time guarantees in uncertain and faulty execution environments, in 2016 IEEE Real-Time Systems Symposium (RTSS), 2016, pp. 303–314. https://doi.org/10.1109/RTSS.2016.037

J. Brings, M. Daun, T. Bandyszak, V. Stricker, T. Weyer, E. Mirzaei, M. Neumann, J.S. Zernickel, Model-based documentation of dynamicity constraints for collaborative cyber-physical system architectures: findings from an industrial case study. J. Syst. Archit. 97, 153–167 (2019). https://doi.org/10.1016/j.sysarc.2019.02.012

R.R. Brooks, S.S. Iyengar, Real-time distributed sensor fusion for time-critical sensor readings. Opt. Eng. 36(3), 767–780 (1997). https://doi.org/10.1117/1.601274

S. Brooks, A. Gelman, G. Jones, X.-L. Meng, Handbook of Markov Chain Monte Carlo (CRC Press, Boca Raton, London, New York, 2011). ISBN 978-1-4200-7942-5

I. Broster, A. Burns, G. Rodríguez-Navas, Timing analysis of real-time communication under electromagnetic interference. Real-Time Syst. 30(1), 55–81 (2005). https://doi.org/10.1007/s11241-005-0504-z

A. Burns, S. Punnekkat, L. Strigini, D.R. Wright, Probabilistic scheduling guarantees for fault-tolerant real-time systems, in Dependable Computing for Critical Applications 7, 1999, pp. 361–378. https://doi.org/10.1109/DCFTS.1999.814306

A. Burns, G. Bernat, I. Broster, A Probabilistic Framework for Schedulability Analysis, in Embedded Software, ed. by R. Alur, I. Lee. Lecture Notes in Computer Science (Springer, Berlin/Heidelberg, 2003), pp. 1–15. ISBN 978-3-540-45212-6. https://doi.org/10.1007/978-3-540-45212-6_1

G. Buttazzo, Research trends in real-time computing for embedded systems. ACM SIGBED Rev. 3(3), 1–10 (2006). https://doi.org/10.1145/1164050.1164052

A. Cailliau, v.A. Lamsweerde, Handling knowledge uncertainty in risk-based requirements engineering, in 2015 IEEE 23rd International Requirements Engineering Conference (RE), 2015, pp. 106–115. https://doi.org/10.1109/RE.2015.7320413

D. Calvaresi, M. Marinoni, A. Sturm, M. Schumacher, G. Buttazzo, The challenge of real-time multi-agent systems for enabling IoT and CPS, in Proceedings of the International Conference on Web Intelligence (Association for Computing Machinery, Leipzig, Germany, 2017), pp. 356–364. ISBN 978-1-4503-4951-2. https://doi.org/10.1145/3106426.3106518

F. Castanedo, A review of data fusion techniques. Sci. World J. 2013, 704504 (2013). https://doi.org/10.1155/2013/704504

R.O. Chavez-Garcia, O. Aycard, Multiple sensor fusion and classification for moving object detection and tracking. IEEE Trans. Intell. Transp. Syst. 17(2), 525–534 (2016). https://doi.org/10.1109/TITS.2015.2479925

H. Chen, X. Zhu, G. Liu, W. Pedrycz, Uncertainty-aware online scheduling for real-time workflows in cloud service environment. IEEE Trans. Serv. Comput. 1–1 (2018). https://doi.org/10.1109/TSC.2018.2866421

A.M.K. Cheng, Real-time scheduling and schedulability analysis, in Real-Time Systems (John Wiley & Sons, Ltd, Hoboken, 2003), pp. 41–85. ISBN 978-0-471-22462-4

B.H.C. Cheng, P. Sawyer, N. Bencomo, J. Whittle, A goal-based modeling approach to develop requirements of an adaptive system with environmental uncertainty, in International Conference on Model Driven Engineering Languages and Systems. Lecture Notes in Computer Science (Springer, Berlin/Heidelberg, 2009), pp. 468–483. ISBN 978-3-642-04424-3. https://doi.org/10.1007/978-3-642-04425-0_36

B.V. Dasarathy, Sensor fusion potential exploitation-innovative architectures and illustrative applications. Proc. IEEE 85(1), 24–38 (1997). https://doi.org/10.1109/5.554206

M. Daun, J. Brings, T. Bandyszak, P. Bohn, T. Weyer, Collaborating multiple system instances of smart cyber-physical systems: a problem situation, solution idea, and remaining research challenges, in 2015 IEEE/ACM 1st International Workshop on Software Engineering for Smart Cyber-Physical Systems, 2015, pp. 48–51. https://doi.org/10.1109/SEsCPS.2015.17

M. Daun, J. Brings, T. Weyer, B. Tenbergen, Fostering concurrent engineering of cyber-physical systems a proposal for an ontological context framework, in 2016 3rd International Workshop on Emerging Ideas and Trends in Engineering of Cyber-Physical Systems (EITEC), 2016a, pp. 5–10. https://doi.org/10.1109/EITEC.2016.7503689

M. Daun, B. Tenbergen, J. Brings, T. Weyer, SPES XT context modeling framework, in Advanced Model-Based Engineering of Embedded Systems (Springer, Cham, 2016b), pp. 43–57. https://doi.org/10.1007/978-3-319-48003-9_4. ISBN 978-3-319-48002-2

M. Daun, V. Stenkova, L. Krajinski, J. Brings, T. Bandyszak, T. Weyer, Goal modeling for collaborative groups of cyber-physical systems with GRL: reflections on applicability and limitations based on two studies conducted in industry, in Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing, 2019, pp. 1600–1609. ISBN 978-1-4503-5933-7. https://doi.org/10.1145/3297280.3297436

R.I. Davis, A. Burns, A survey of hard real-time scheduling for multiprocessor systems. ACM Comput. Surv. 43(4), 35–13544 (2011). https://doi.org/10.1145/1978802.1978814

D.A. DeLaurentis, A taxonomy-based perspective for systems of systems design methods, in 2005 IEEE International Conference on Systems, Man and Cybernetics, vol. 1, 2005, pp. 86–911. https://doi.org/10.1109/ICSMC.2005.1571126

A.P. Dempster, A generalization of Bayesian inference. J R Stat Society: Ser B (Methodological) 30(2), 205–232 (1968). https://doi.org/10.1111/j.2517-6161.1968.tb00722.x

B.P. Douglass, Real Time UML: Advances in the UML for Real-time Systems (Addison-Wesley Professional, Boston, 2004). ISBN 978-0-321-16076-8

D. Dubois, H. Prade, Possibility Theory: An Approach to Computerized Processing of Uncertainty (Plenum Press, New York, London, 1988). ISBN 978-1-4684-5287-7

D. Dubois, H. Prade, Possibility theory in information fusion, in Proceedings of the Third International Conference on Information Fusion, vol. 1, 2000, pp. 6–191. https://doi.org/10.1109/IFIC.2000.862412

D. Dubois, W. Liu, J. Ma, H. Prade, The basic principles of uncertain information fusion. an organised review of merging rules in different representation frameworks. Inf. Fusion 32, 12–39 (2016). https://doi.org/10.1016/j.inffus.2016.02.006

M. Durvy, C. Diot, N. Taft, P. Thiran, Network availability based service differentiation, in Quality of Service – IWQoS 2003, ed. by K. Jeffay, I. Stoica, K. Wehrle. Lecture Notes in Computer Science (Springer, Berlin/Heidelberg, 2003), pp. 305–325. ISBN 978-3-540-44884-6. https://doi.org/10.1007/3-540-44884-5_17

I.P. Egwutuoha, D. Levy, B. Selic, S. Chen, A survey of fault tolerance mechanisms and checkpoint/restart implementations for high performance computing systems. J Supercomput. 65(3), 1302–1326 (2013). https://doi.org/10.1007/s11227-013-0884-0

J.P. Erickson, J.H. Anderson, Soft real-time scheduling, in Handbook of Real-Time Computing, ed. by Y.-C. Tian, D.C. Levy (Springer, Singapore, 2019), pp. 1–35. https://doi.org/10.1007/978-981-4585-87-3_4-1. ISBN 978-981-4585-87-3

N. Esfahani, S. Malek, Uncertainty in self-adaptive software systems, in Software Engineering for Self-Adaptive Systems II. Lecture Notes in Computer Science (Springer, Berlin/Heidelberg, 2013), pp. 214–238. ISBN 978-3-642-35812-8

M. Famelis, R. Salay, M. Chechik, Partial models: towards modeling and reasoning with uncertainty, in 2012 34th International Conference on Software Engineering (ICSE), 2012, pp. 573–583. https://doi.org/10.1109/ICSE.2012.6227159

P.H. Feiler, D.P. Gluch, Model-Based Engineering with AADL: An Introduction to the SAE Architecture Analysis & Design Language (Addison-Wesley, Upper Saddle River, 2012). ISBN 978-0-13-313290-8

E. Felemban, C.-G. Lee, E. Ekici, R. Boder, S. Vural, Probabilistic QoS guarantee in reliability and timeliness domains in wireless sensor networks, in Proceedings IEEE 24th Annual Joint Conference of the IEEE Computer and Communications Societies, vol. 4, 2005, pp. 2646–26574. ISSN: 0743-166X. https://doi.org/10.1109/INFCOM.2005.1498548

R. Feng, G. Zhang, B. Cheng, An on-board system for detecting driver drowsiness based on multi-sensor data fusion using Dempster-Shafer theory, in 2009 International Conference on Networking, Sensing and Control, 2009, pp. 897–902. https://doi.org/10.1109/ICNSC.2009.4919399

G. Fortino, W. Russo, C. Savaglio, W. Shen, M. Zhou, Agent-oriented cooperative smart objects: from iot system design to implementation. IEEE Trans. Syst. Man Cybern. Syst. Hum. 48(11), 1939–1956 (2018). https://doi.org/10.1109/TSMC.2017.2780618

T. Fukamachi, N. Ubayashi, S. Hosoai, Y. Kamei, Modularity for Uncertainty, in 2015 IEEE/ACM 7th International Workshop on Modeling in Software Engineering, 2015, pp. 7–12. https://doi.org/10.1109/MiSE.2015.9

Z. Gao, C. Cecati, S.X. Ding, A survey of fault diagnosis and fault-tolerant techniques – Part I: fault diagnosis with model-based and signal-based approaches. IEEE Trans. Ind. Electron. 62(6), 3757–3767 (2015a). https://doi.org/10.1109/TIE.2015.2417501

Z. Gao, C. Cecati, S.X. Ding, A survey of fault diagnosis and fault-tolerant techniques – Part II: fault diagnosis with knowledge-based and hybrid/active approaches. IEEE Trans. Ind. Electron. 62(6), 3768–3774 (2015b). https://doi.org/10.1109/TIE.2015.2419013

R. Garg, N. Jayakumar, S.P. Khatri, G. Choi, A design approach for radiation-hard digital electronics, in 2006 43rd ACM/IEEE Design Automation Conference, 2006, pp. 773–778. ISSN: 0738-100X. https://doi.org/10.1145/1146909.1147105

D. Garlan, Software engineering in an uncertain world, in Proceedings of the FSE/SDP Workshop on Future of Software Engineering Research. FoSER ’10 (ACM, New York, 2010), pp. 125–128. ISBN 978-1-4503-0427-6. https://doi.org/10.1145/1882362.1882389

W.R. Gilks, S. Richardson, Spiegelhalter, Markov Chain Monte Carlo in Practice (Chapman and Hall/CRC, Boca Raton, 1995). https://doi.org/10.1201/b14835. ISBN 978-0-429-17023-2

J. Giraldo, E. Sarkar, A.A. Cardenas, M. Maniatakos, M. Kantarcioglu, Security and privacy in cyber-physical systems: a survey of surveys. IEEE Design Test 34(4), 7–17 (2017). https://doi.org/10.1109/MDAT.2017.2709310

N. Gol Mohammadi, T. Bandyszak, M. Moffie, X. Chen, T. Weyer, C. Kalogiros, B. Nasser, M. Surridge, Maintaining trustworthiness of socio-technical systems at run-time, in Trust, Privacy, and Security in Digital Business, ed. by C. Eckert, S.K. Katsikas, G. Pernul. Lecture Notes in Computer Science (Springer, Cham, 2014), pp. 1–12. ISBN 978-3-319-09770-1. https://doi.org/10.1007/978-3-319-09770-1_1

K. Govindan, P. Mohapatra, Trust computations and trust dynamics in mobile adhoc networks: a survey. IEEE Commun. Surv. Tutorials 14(2), 279–298 (2012). https://doi.org/10.1109/SURV.2011.042711.00083

M. Grabisch, H. Prade, The correlation problem in sensor fusion in a possibilistic framework. Int. J. Intell. Syst. 16(11), 1273–1283 (2001). https://doi.org/10.1002/int.1059

J. Harri, F. Filali, C. Bonnet, Mobility models for vehicular ad hoc networks: a survey and taxonomy. IEEE Commun. Surv. Tutorials 11(4), 19–41 (2009). https://doi.org/10.1109/SURV.2009.090403

H. Hartenstein, L.P. Laberteaux, A tutorial survey on vehicular ad hoc networks. IEEE Commun. Mag. 46(6), 164–171 (2008). https://doi.org/10.1109/MCOM.2008.4539481

T. He, J.A. Stankovic, C. Lu, T. Abdelzaher, SPEED: a stateless protocol for real-time communication in sensor networks, in 23rd International Conference on Distributed Computing Systems, 2003. Proceedings, 2003, pp. 46–55. ISSN: 1063-6927. https://doi.org/10.1109/ICDCS.2003.1203451

J.C. Helton, Treatment of uncertainty in performance assessments for complex systems. Risk Anal. 14(4), 483–511 (1994). https://doi.org/10.1111/j.1539-6924.1994.tb00266.x

H. Hermanns, J.-P. Katoen, J. Meyer-Kayser, M. Siegle, A Markov chain model checker, in Tools and Algorithms for the Construction and Analysis of Systems, ed. by S. Graf, M. Schwartzbach. Lecture Notes in Computer Science (Springer, Berlin/Heidelberg, 2000), pp. 347–362. ISBN 978-3-540-46419-8. https://doi.org/10.1007/3-540-46419-0_24

C. Hildebrandt, T. Bandyszak, A. Petrovska, N. Laxman, E. Cioroaica, S. Törsleff, Eureca: epistemic uncertainty classification scheme for runtime information exchange in collaborative system groups. SICS Softw.-Intensive Cyber-Phys. Syst. 34(4), 177–190 (2019). https://doi.org/10.1007/s00450-019-00422-9

J. Horkoff, R. Salay, M. Chechik, A.D. Sandro, Supporting early decision-making in the presence of uncertainty, in 2014 IEEE 22nd International Requirements Engineering Conference (RE), 2014, pp. 33–42. https://doi.org/10.1109/RE.2014.6912245

A.E. Howe, D.M. Hart, P.R. Cohen, Addressing real-time constraints in the design of autonomous agents. Real-Time Syst. 2(1), 81–97 (1990). https://doi.org/10.1007/BF01840467

X.S. Hu, T. Zhou, E.H.-M. Sha, Estimating probabilistic timing performance for real-time embedded systems. IEEE Trans. Very Large Scale Integr. VLSI Syst. 9(6), 833–844 (2001). https://doi.org/10.1109/92.974897

P.H. Ibarguengoytia, L.E. Sucar, S. Vadera, Real time intelligent sensor validation. IEEE Trans. Power Syst. 16(4), 770–775 (2001). https://doi.org/10.1109/59.962425

R. Jeffrey, Subjective Probability: The Real Thing, 1st edn. (Cambridge University Press, Cambridge, 2004). https://doi.org/10.1017/CBO9780511816161. ISBN 978-0-521-82971-7

Y. Jiang, H. Zhang, X. Jiao, X. Song, W.N.N. Hung, M. Gu, J. Sun, Uncertain model and algorithm for hardware/software partitioning, in 2012 IEEE Computer Society Annual Symposium on VLSI, 2012, pp. 243–248. https://doi.org/10.1109/ISVLSI.2012.14

C.W. Johnson, What are emergent properties and how do they affect the engineering of complex systems? Reliab. Eng. Syst. Saf. 91(12), 1475–1481 (2006). https://doi.org/10.1016/j.ress.2006.01.008

J.-P. Katoen, The probabilistic model checking landscape, in Proceedings of the 31st Annual ACM/IEEE Symposium on Logic in Computer Science. LICS ’16 (ACM, New York, 2016), pp. 31–45. [Online; Accessed 19 July 2018]. ISBN 978-1-4503-4391-6. https://doi.org/10.1145/2933575.2934574

J.O. Kephart, D.M. Chess, The vision of autonomic computing. Computer 36(1), 41–50 (2003). https://doi.org/10.1109/MC.2003.1160055

A.-M. Kermarrec, L. Massoulie, A.J. Ganesh, Probabilistic reliable dissemination in large-scale systems. IEEE Trans. Parallel Distrib. Syst. 14(3), 248–258 (2003). https://doi.org/10.1109/TPDS.2003.1189583

B. Khaleghi, A. Khamis, F.O. Karray, S.N. Razavi, Multisensor data fusion: a review of the state-of-the-art. Inf. Fusion 14(1), 28–44 (2013). https://doi.org/10.1016/j.inffus.2011.08.001

A. Khrennikov, Interpretations of Probability, 2nd rev. and ext. edn. (De Gruyter, Berlin, Boston, 2009). https://doi.org/10.1515/9783110213195. ISBN 978-3-11-020748-4

B.-S. Kim, H. Park, K.H. Kim, D. Godfrey, K.-I. Kim, A survey on real-time communications in wireless sensor networks. Wirel. Commun. Mob. Comput. 2017 (2017). https://doi.org/10.1155/2017/1864847

A.D. Kiureghian, O. Ditlevsen, Aleatory or epistemic? Does it matter? Struct. Saf. 31(2), 105–112 (2009). https://doi.org/10.1016/j.strusafe.2008.06.020

H. Kopetz, Real-Time Systems: Design Principles for Distributed Embedded Applications (Springer, New York, 2011). ISBN 978-1-4419-8237-7

H. Kopetz, A conceptual model for the information transfer in systems-of-systems, in 2014 IEEE 17th International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing, 2014, pp. 17–24. https://doi.org/10.1109/ISORC.2014.19

B. Koroušić-Seljak, Task scheduling policies for real-time systems. Microprocess. Microsyst. 18(9), 501–511 (1994). https://doi.org/10.1016/0141-9331(94)90073-6

B. Kosko, Fuzziness vs. probability. Int. J. Gen. Syst. 17(2-3), 211–240 (1990). https://doi.org/10.1080/03081079008935108

M. Kwiatkowska, G. Norman, D. Parker, PRISM 4.0: verification of probabilistic real-time systems, in Computer Aided Verification, ed. by G. Gopalakrishnan, S. Qadeer. Lecture Notes in Computer Science (Springer, Berlin/Heidelberg, 2011), pp. 585–591. ISBN 978-3-642-22110-1. https://doi.org/10.1007/978-3-642-22110-1_47

M. Kwiatkowska, G. Norman, D. Parker, Probabilistic model checking: advances and applications, in Formal System Verification: State-of-the-Art and Future Trends, ed. by R. Drechsler (Springer, Cham, 2018), pp. 73–121. https://doi.org/10.1007/978-3-319-57685-5_3. ISBN 978-3-319-57685-5

N. Laamari, B. Ben Yaghlane, Uncertainty in semantic ontology mapping: an evidential approach, in Symbolic and Quantitative Approaches to Reasoning with Uncertainty, ed. by K. Mellouli. Lecture Notes in Computer Science (Springer, Berlin/Heidelberg, 2007), pp. 418–429. ISBN 978-3-540-75256-1. https://doi.org/10.1007/978-3-540-75256-1_38

P.A. Laplante, The certainty of uncertainty in real-time systems. IEEE Instrum. Meas. Mag. 7(4), 44–50 (2004). https://doi.org/10.1109/MIM.2004.1383464

H.J. LeBlanc, X.D. Koutsoukos, Consensus in networked multi-agent systems with adversaries, in Proceedings of the 14th international conference on Hybrid systems: computation and control. HSCC ’11 (Association for Computing Machinery, Chicago, 2011), pp. 281–290. ISBN 978-1-4503-0629-4. https://doi.org/10.1145/1967701.1967742

W.V. Leekwijck, E.E. Kerre, Defuzzification: criteria and classification. Fuzzy Sets Syst. 108(2), 159–178 (1999). https://doi.org/10.1016/S0165-0114(97)00337-0

F. Li, Y. Wang, Routing in vehicular ad hoc networks: a survey. IEEE Veh. Technol Mag. 2(2), 12–22 (2007). https://doi.org/10.1109/MVT.2007.912927

C. Li, J. Giampapa, K. Sycara, Bilateral negotiation decisions with uncertain dynamic outside options. IEEE Trans Syst Man Cybern Part C (Appl Rev) 36(1), 31–44 (2006). https://doi.org/10.1109/TSMCC.2005.860573

Y. Li, J. Chen, L. Feng, Dealing with uncertainty: a survey of theories and practices. IEEE Trans. Knowl. Data Eng. 25(11), 2463–2482 (2013). https://doi.org/10.1109/TKDE.2012.179

T. Li, J. Horkoff, J. Mylopoulos, Holistic security requirements analysis for socio-technical systems. Softw. Syst. Model. 17(4), 1253–1285 (2018). https://doi.org/10.1007/s10270-016-0560-y

128

T. Bandyszak et al.

G. Liebel, N. Marko, M. Tichy, A. Leitner, J. Hansson, Model-based engineering in the embedded systems domain: an industrial survey on the state-of-practice. Softw. Syst. Model. 17(1), 91–113 (2018). https://doi.org/10.1007/s10270-016-0523-3 P. Liggesmeyer, M. Trapp, Trends in embedded software engineering. IEEE Softw. 26(3), 19–25 (2009). https://doi.org/10.1109/MS.2009.80 M. Litoiu, R. Tadei, Real-time task scheduling with fuzzy deadlines and processing times. Fuzzy Sets Syst. 117(1), 35–45 (2001). https://doi.org/10.1016/S0165-0114(98)00283-8 C.L. Liu, J.W. Layland, Scheduling algorithms for multiprogramming in a hard-real-time environment. J. ACM 20(1), 46–61 (1973). https://doi.org/10.1145/321738.321743 J. Liu, E.A. Lee, Timed multitasking for real-time embedded software. IEEE Control Syst Mag 23(1), 65–75 (2003). https://doi.org/10.1109/MCS.2003.1172830 X. Liu, A. Goldsmith, S.S. Mahal, J.K. Hedrick, Effects of communication delay on string stability in vehicle platoons, in ITSC 2001. 2001 IEEE Intelligent Transportation Systems. Proceedings, 2001, pp 625–630. https://doi.org/10.1109/ITSC.2001.948732 X. Liu, H. Zhang, Q. Xiang, X. Che, X. Ju, Taming uncertainties in real-time routing for wireless networked sensing and control. IEEE Trans Smart Grid 4(1), 288–301 (2013). https://doi.org/ 10.1109/TSG.2012.2209209 W. Liu, Y. Liu, R. Bucknall, A robust localization method for unmanned surface vehicle (USV) navigation using fuzzy adaptive Kalman filtering. IEEE Access 7, 46071–46083 (2019). https:// doi.org/10.1109/ACCESS.2019.2909151 J. Llinas, D.L. Hall, An introduction to multi-sensor data fusion, in ISCAS ’98. Proceedings of the 1998 IEEE International Symposium on Circuits and Systems, vol. 6, 1998, pp. 537–5406. https://doi.org/10.1109/ISCAS.1998.705329 V.M. Lo, Heuristic algorithms for task assignment in distributed systems. IEEE Trans. Comput. 37(11), 1384–1397 (1988). https://doi.org/10.1109/12.8704 J. Luo, P.T. Eugster, J.-P. 
Hubaux, Probabilistic reliable multicast in ad hoc networks. Ad Hoc Netw. 2(4), 369–386 (2004). https://doi.org/10.1016/S1570-8705(03)00055-6 S. Mahdavi-Hezavehi, P. Avgeriou, D. Weyns, A Classification framework of uncertainty in architecture-based self-adaptive systems with multiple quality requirements, in Managing Trade-Offs in Adaptable Software Architectures, ed. by I. Mistrik, N. Ali, R. Kazman, J. Grundy, B. Schmerl (Morgan Kaufmann, Boston, 2017), pp. 45–77. https://doi.org/10.1016/B978-0-12802855-1.00003-4. ISBN 978-0-12-802855-1 M.W. Maier, Architecting principles for systems-of-systems. Syst Eng. 1(4), 267–284 (1998). https://doi.org/10.1002/(SICI)1520-6858(1998)1:43.0.CO;2-D D. Maxim, L. Cucu-Grosjean, R.I. Davis, Probabilistic analysis, in Handbook of real-time computing, ed. by Y.-C. Tian, D.C. Levy (Springer, Singapore, 2019), pp. 1–23. https://doi. org/10.1007/978-981-4585-87-3_9-1. ISBN 978-981-4585-87-3 C.Z. Mooney, Monte Carlo Simulation (SAGE Publications, Thousand Oaks, 1997). ISBN 978-15063-1790-8 P.J. Mosterman, J. Zander, Cyber-physical systems challenges: a needs analysis for collaborating embedded software systems. Softw. Syst. Model. 15(1), 5–16 (2016). https://doi.org/10.1007/ s10270-015-0469-x P.K. Muhuri, K.K. Shukla, Real-time task scheduling with fuzzy uncertainty in processing times and deadlines. Appl. Soft Comput. 8(1), 1–13 (2008). https://doi.org/10.1016/j.asoc.2006. 06.006 M. Nagy, E. Motta, M. Vargas-Vera, Multi-agent ontology mapping with uncertainty on the semantic web, in 2007 IEEE International Conference on Intelligent Computer Communication and Processing, 2007, pp. 49–56. ISSN: null. https://doi.org/10.1109/ICCP.2007. 4352141 E.F. Nakamura, A.A.F. Loureiro, A.C. Frery, Information fusion for wireless sensor networks: methods, models, and classifications. ACM Comput. Surv. 39(3) (2007). https://doi.org/10. 1145/1267070.1267073 C.B. Nielsen, P.G. Larsen, J. Fitzgerald, J. Woodcock, J. 
Peleska, Systems of systems engineering: basic concepts, model-based techniques, and research directions. ACM Comput. Surv. 48(2), 18–11841 (2015). https://doi.org/10.1145/2794381

3 Uncertainty Theories for Real-Time Systems

129

M. Obitko, V. Marik, Ontologies for multi-agent systems in manufacturing domain, in Proceedings of the 13th International Workshop on Database and Expert Systems Applications, 2002, pp. 597–602. ISSN: 1529-4188. https://doi.org/10.1109/DEXA.2002.1045963 R. Olfati-Saber, Flocking for multi-agent dynamic systems: algorithms and theory. IEEE Trans. Autom. Control 51(3), 401–420 (2006). https://doi.org/10.1109/TAC.2005.864190 R. Olfati-Saber, R.M. Murray, Consensus problems in networks of agents with switching topology and time-delays. IEEE Trans. Autom Control 49(9), 1520–1533 (2004). https://doi.org/10.1109/ TAC.2004.834113 R. Olfati-Saber, J.A. Fax, R.M. Murray, Consensus and cooperation in networked multi-agent systems. Proc. IEEE 95(1), 215–233 (2007). https://doi.org/10.1109/JPROC.2006.887293 F. Oquendo, Coping with uncertainty in systems-of-systems architecture modeling on the IoT with SosADL, in 2019 14th Annual Conference System of Systems Engineering (SoSE), 2019, pp. 131–136. ISSN: null. https://doi.org/10.1109/SYSOSE.2019.8753842 D. Ouelhadj, J. Garibaldi, J. MacLaren, R. Sakellariou, K. Krishnakumar, A Multi-agent infrastructure and a service level agreement negotiation protocol for robust scheduling in grid computing, in Advances in Grid Computing - EGC 2005, ed. by P.M.A. Sloot, A.G. Hoekstra, T. Priol, A. Reinefeld, M. Bubak Lecture Notes in Computer Science (Springer, Berlin/Heidelberg, 2005), pp. 651–660. ISBN 978-3-540-32036-4. https://doi.org/10.1007/11508380_66 G. Ozsoyoglu, R.T. Snodgrass, Temporal and real-time databases: a survey. IEEE Trans. Knowl. Data Eng. 7(4), 513–532 (1995). https://doi.org/10.1109/69.404027 P. Papadimitratos, Z.J. Haas, Secure message transmission in mobile ad hoc networks. Ad Hoc Netw 1(1), 193–209 (2003). https://doi.org/10.1016/S1570-8705(03)00018-0 M.E. Paté-Cornell, Uncertainties in risk analysis: six levels of treatment. Reliab. Eng. Syst. Saf. 54(2), 95–111 (1996). https://doi.org/10.1016/S0951-8320(96)00067-1 C.E. 
Pereira, L. Carro, Distributed real-time embedded systems: recent advances, future trends and their impact on manufacturing plant control. Ann. Rev. Control 31(1), 81–92 (2007). https://doi. org/10.1016/j.arcontrol.2007.02.005 D. Perez-Palacin, R. Mirandola, Uncertainties in the modeling of self-adaptive systems: a taxonomy and an example of availability evaluation, in Proceedings of the 5th ACM/SPEC International Conference on Performance Engineering. ICPE ’14 (ACM, New York, 2014), pp. 3–14. event-place: Dublin, Ireland. ISBN 978-1-4503-2733-6. https://doi.org/10.1145/2568088. 2568095 K. Römer, Time synchronization in ad hoc networks, in Proceedings of the 2nd ACM International Symposium on Mobile ad hoc Networking & Computing. MobiHoc ’01 (Association for Computing Machinery, Long Beach, 2001), pp. 173–182. ISBN 978-1-58113-428-5. https:// doi.org/10.1145/501436.501440 R. Rajamani, S.E. Shladover, An experimental comparative study of autonomous and co-operative vehicle-follower control systems. Transp. Res. Part C: Emerg Technol 9(1), 15–31 (2001). https://doi.org/10.1016/S0968-090X(00)00021-8 K. Ramamritham, Real-time databases. Distrib Parallel Databases 1(2), 199–226 (1993). https:// doi.org/10.1007/BF01264051 K. Ramamritham, S.H. Son, L.C. DiPippo, Real-time databases and data services. Real-Time Syst. 28(2), 179–215 (2004). https://doi.org/10.1023/B:TIME.0000045317.37980.a5 S.D. Ramchurn, D. Huynh, N.R. Jennings, Trust in multi-agent systems. Knowl Eng Rev 19(1), 1–25 (2004). https://doi.org/10.1017/S0269888904000116 A.J. Ramirez, A.C. Jensen, B.H.C. Cheng, D.B. Knoester, Automatically exploring how uncertainty impacts behavior of dynamically adaptive systems, in 2011 26th IEEE/ACM International Conference on Automated Software Engineering (ASE 2011), 2011, pp. 568–571. https://doi. org/10.1109/ASE.2011.6100127 A.J. Ramirez, A.C. Jensen, B.H.C. 
Cheng, A taxonomy of uncertainty for dynamically adaptive systems, in 2012 7th International Symposium on Software Engineering for Adaptive and SelfManaging Systems (SEAMS), 2012, pp. 99–108. https://doi.org/10.1109/SEAMS.2012.6224396 A. Ranganathan, J. Al-Muhtadi, R.H. Campbell, Reasoning about uncertain contexts in pervasive computing environments. IEEE Pervasive Comput. 3(2), 62–70 (2004). https://doi.org/10.1109/ MPRV.2004.1316821

130

T. Bandyszak et al.

A.S. Rao, M.P. Georgeff, Modeling rational agents within a BDI-architecture, in Proceedings of the Second International Conference on Principles of Knowledge Representation and Reasoning, 1991, pp. 473–484. ISBN 978-1-55860-165-9 J.C. Refsgaard, J.P. van der Sluijs, A.L. Højberg, P.A. Vanrolleghem, Uncertainty in the environmental modelling process – a framework and guidance. Environ. Model. Softw. 22(11), 1543–1556 (2007). https://doi.org/10.1016/j.envsoft.2007.02.004 H.M. Regan, M. Colyvan, M.A. Burgman, A taxonomy and treatment of uncertainty for ecology and conservation biology. Ecol. Appl. 12(2), 618–628 (2002) E.M. Royer, C.-K. Toh, A review of current routing protocols for ad hoc mobile wireless networks. IEEE Pers. Commun. 6(2), 46–55 (1999). https://doi.org/10.1109/98.760423 M. Ruta, F. Scioscia, F. Gramegna, S. Ieva, E.D. Sciascio, R.P.D. Vera, A knowledge fusion approach for context awareness in vehicular networks. IEEE Internet Things J 5(4), 2407–2419 (2018). https://doi.org/10.1109/JIOT.2018.2815009 J. Sabater, C. Sierra, Review on computational trust and reputation models. Artif. Intell. Rev. 24(1), 33–60 (2005). https://doi.org/10.1007/s10462-004-0041-5 T. Santini, C. Borchert, C. Dietrich, H. Schirmeier, M. Hoffmann, O. Spinczyk, D. Lohmann, F.R. Wagner, P. Rech, Effectiveness of software-based hardening for radiation-induced soft errors in real-time operating systems, in Architecture of Computing Systems - ARCS 2017, ed. by J. Knoop, W. Karl, M. Schulz, K. Inoue, T. Pionteck Lecture Notes in Computer Science (Springer, Cham, 2017), pp. 3–15. ISBN 978-3-319-54999-6. https://doi.org/10.1007/978-3-319-54 999-6_1 K. Schneider, Verification of Reactive Systems: Formal Methods and Algorithms. Texts in Theoretical Computer Science. An EATCS Series (Springer, Berlin/Heidelberg, 2004). https:// doi.org/10.1007/978-3-662-10778-2. ISBN 978-3-540-00296-3 M. Sensoy, A. Fokoue, J.Z. Pan, T.J. Norman, Y. Tang, N. Oren, K. 
Sycara, Reasoning about uncertain information and conflict resolution through trust revision, in Proceedings of the 2013 International Conference on Autonomous Agents and Multi-agent Systems. AAMAS ’13 (International Foundation for Autonomous Agents and Multiagent Systems, Richland, SC, 2013), pp. 837–844. ISBN 978-1-4503-1993-5 G. Shafer, A Mathematical Theory of Evidence (Princeton University Press, Princeton, 1976). ISBN 978-0-691-10042-5 N. Shankaran, X.D. Koutsoukos, D.C. Schmidt, Y. Xue, C. Lu, Hierarchical control of multiple resources in distributed real-time and embedded systems. Real-Time Syst. 39(1), 237–282 (2008). https://doi.org/10.1007/s11241-007-9014-5 K.G. Shin, P. Ramanathan, Real-time computing: a new discipline of computer science and engineering. Proc. IEEE 82(1), 6–24 (1994). https://doi.org/doi:10.1109/5.259423 E. Silva, T. Batista, F. Oquendo, A mission-oriented approach for designing system-of-systems, in 2015 10th System of Systems Engineering Conference (SoSE), 2015, pp. 346–351. https://doi. org/10.1109/SYSOSE.2015.7151951 L.-K. Soh, C. Tsatsoulis, A Real-Time Negotiation Model and A Multi-Agent Sensor Network Implementation. Autonomous Agents and Multi-Agent Systems 11(3), 215–271 (2005). https:// doi.org/10.1007/s10458-005-0539-5 W. Song, W. Li, X. Fu, Y. Cao, L. Yang, RFID based real-time manufacturing information perception and processing, in Algorithms and Architectures for Parallel Processing, ed. by R. Aversa, J. Kołodziej, J. Zhang, F. Amato, G. Fortino. Lecture Notes in Computer Science (Springer, Cham, 2013), pp. 303–310. ISBN 978-3-319-03889-6. https://doi.org/10.1007/9783-319-03889-6_35 J.A. Stankovic, Misconceptions about real-time computing: a serious problem for next-generation systems. IEEE Comput. 21(10), 10–19 (1988). https://doi.org/10.1109/2.7053 J.A. Stankovic, Real-time and embedded systems. ACM Comput. Surv. 28(1), 205–208 (1996). https://doi.org/doi:10.1145/234313.234400 J.A. 
Stankovic, Research directions for the internet of things. IEEE Internet of Things Journal 1(1), 3–9 (2014). Conference Name: IEEE Internet Things J. https://doi.org/10.1109/JIOT.2014. 2312291

3 Uncertainty Theories for Real-Time Systems

131

J.A. Stankovic, S.H. Son, J. Hansson, Misconceptions about real-time databases. IEEE Comput. 32(6), 29–36 (1999). https://doi.org/10.1109/2.769440 B. Sundararaman, U. Buy, A.D. Kshemkalyani, Clock synchronization for wireless sensor networks: a survey. Ad Hoc Netw 3(3), 281–323 (2005). https://doi.org/10.1016/j.adhoc.2005. 01.002 A. Sutcliffe, P. Sawyer, Requirements elicitation: towards the unknown unknowns, in 2013 21st IEEE International Requirements Engineering Conference (RE), 2013, pp. 92–104. https://doi. org/10.1109/RE.2013.6636709 R. Tan, G. Xing, B. Liu, J. Wang, Impact of data fusion on real-time detection in sensor networks, in 2009 30th IEEE Real-Time Systems Symposium, 2009, pp. 323–332. https://doi.org/10.1109/ RTSS.2009.30 B. Tenbergen, T. Weyer, K. Pohl, Hazard relation diagrams: a diagrammatic representation to increase validation objectivity of requirements-based hazard mitigations. Requir. Eng. 23(2), 291–329 (2017). https://doi.org/10.1007/s00766-017-0267-9 C.K. Toh, Ad Hoc mobile wireless networks: protocols and systems (Pearson Education, Upper Saddle River, 2001). ISBN 978-0-13-244204-6 S. Tongsima, E.H.-M. Sha, C. Chantrapornchai, D.R. Surma, N.L. Passos, Probabilistic loop scheduling for applications with uncertain execution time. IEEE Trans Comput 49(1), 65–80 (2000). https://doi.org/10.1109/12.822565 P. Ulbrich, M. Hoffmann, R. Kapitza, D. Lohmann, W. Schroder-Preikschat, R. Schmid, Eliminating single points of failure in software-based redundancy, in 2012 Ninth European Dependable Computing Conference, 2012, pp. 49–60. ISSN: null. https://doi.org/10.1109/EDCC.2012.21 O. Ulusoy, Research issues in real-time database systems: survey paper. Inf. Sci. 87(1), 123–151 (1995). https://doi.org/10.1016/0020-0255(95)00130-1 R. Ul Islam, M.S. Hossain, K. Andersson, A novel anomaly detection algorithm for sensor data under uncertainty. Soft Computing 22(5), 1623–1639 (2018). https://doi.org/10.1007/s00500016-2425-2 S.V. Vrbsky, S. 
Tomi´c, Satisfying timing constraints of real-time databases. J. Syst. Softw. 41(1), 63–73 (1998). https://doi.org/10.1016/S0164-1212(97)10007-3 W.E. Walker, P. Harremoës, J. Rotmans, v.d.J.P. Sluijs, v.M.B.A. Asselt, P. Janssen, v.M.P.K. Krauss, Defining uncertainty: a conceptual basis for uncertainty management in model-based decision support. Integr. Assess. 4(1), 5–17 (2003). https://doi.org/10.1076/iaij.4.1.5.16466 W. Wang, S. De, R. Toenjes, E. Reetz, K. Moessner, A Comprehensive Ontology for Knowledge Representation in the Internet of Things, in 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, 2012, pp. 1793–1798. ISSN: 23249013. https://doi.org/10.1109/TrustCom.2012.20 R. Want, B.N. Schilit, S. Jenson, Enabling the internet of things. IEEE Comput. 48(1), 28–35 (2015). https://doi.org/10.1109/MC.2015.12 G. Wen, W. Yu, Z. Duan, P. Wang, Consensus of multi-agent systems with intermittent communication and its extensions, in Handbook of Real-Time Computing (Springer, Singapore, 2019), pp. 1–55. https://doi.org/10.1007/978-981-4585-87-3_20-1 D. Weyns, M. Georgeff, Self-adaptation using multiagent systems. IEEE Softw. 27(1), 86–91 (2010). https://doi.org/10.1109/MS.2010.18 R.L. Winkler, Uncertainty in probabilistic risk assessment. Reliab. Eng. Syst. Saf. 54(2), 127–132 (1996). https://doi.org/10.1016/S0951-8320(96)00070-1 H. Woo, A.K. Mok, Real-time monitoring of uncertain data streams using probabilistic similarity, in 28th IEEE International Real-Time Systems Symposium (RTSS 2007), 2007, pp. 288–300. ISSN: 1052-8725. https://doi.org/10.1109/RTSS.2007.29 M. Wooldridge, Agent-based software engineering. IEE Proc. Softw. Eng. 144(1), 26–37 (1997). https://doi.org/10.1049/ip-sen:19971026 H. Yang, A. De Roeck, V. Gervasi, A. Willis, B. 
Nuseibeh, Speculative requirements: automatic detection of uncertainty in natural language requirements, in 2012 20th IEEE International Requirements Engineering Conference (RE), 2012, pp. 11–20. ISSN: 1090-750X. https://doi. org/10.1109/RE.2012.6345795

132

T. Bandyszak et al.

P.S. Yu, K.-L. Wu, K.-J. Lin, S.H. Son, On real-time databases: concurrency control and scheduling. Proc. IEEE 82(1), 140–157 (1994). https://doi.org/10.1109/5.259432 H. Yu, Z. Shen, C. Leung, C. Miao, V.R. Lesser, A survey of multi-agent trust management systems. IEEE Access 1, 35–50 (2013). https://doi.org/10.1109/ACCESS.2013.2259892 L.A. Zadeh, Fuzzy sets. Inf. Control 8(3), 338–353 (1965). https://doi.org/10.1016/S00199958(65)90241-X L.A. Zadeh, Fuzzy sets as a basis for a theory of possibility. Fuzzy Sets Syst. 1(1), 3–28 (1978). https://doi.org/10.1016/0165-0114(78)90029-5 S. Zeadally, R. Hunt, Y.-S. Chen, A. Irwin, A. Hassan, Vehicular ad hoc networks (vanets): status, results, and challenges. Telecommun. Syst. 50(4), 217–241 (2012). https://doi.org/10.1007/ s11235-010-9400-5 D. Zeng, K. Sycara, Bayesian learning in negotiation. Int. J. Hum.-Comput. Stud. 48(1), 125–141 (1998). https://doi.org/10.1006/ijhc.1997.0164 X. Zhang, Sensor bias fault detection and isolation in a class of nonlinear uncertain systems using adaptive estimation. IEEE Trans. Autom. Control 56(5), 1220–1226 (2011a). https://doi.org/10. 1109/TAC.2011.2112471 J. Zhang, A survey on trust management for VANETs, in 2011 IEEE International Conference on Advanced Information Networking and Applications, 2011b, pp. 105–112. https://doi.org/10. 1109/AINA.2011.86 J. Zhang, F. Ren, M. Zhang, Bayesian-based preference prediction in bilateral multi-issue negotiation between intelligent agents. Knowl.-Based Syst. 84, 108–120 (2015). https://doi.org/ 10.1016/j.knosys.2015.04.006 M. Zhang, B. Selic, S. Ali, T. Yue, O. Okariz, R. Norgren, Understanding uncertainty in cyberphysical systems: a conceptual model, in European Conference on Modelling Foundations and Applications. Lecture Notes in Computer Science (Springer, Cham, 2016), pp. 247–264. ISBN 978-3-319-42060-8 M. Zhang, S. Ali, T. Yue, R. Norgren, O. Okariz, Uncertainty-wise cyber-physical system test modeling. Softw. Syst. Model. 
18(2), 1379–1418 (2019). https://doi.org/10.1007/s10270-0170609-6 Y. Zheng, S.E. Li, J. Wang, D. Cao, K. Li, Stability and scalability of homogeneous vehicular platoon: study on the influence of information flow topologies. IEEE Trans. Intell. Transp. Syst. 17(1), 14–26 (2016). https://doi.org/10.1109/TITS.2015.2402153

4 Interface Design for Embedded and Real-Time Systems

Bruce Montgomery

Contents
1 Introduction
1.1 Overview
2 Embedded and Real-Time Systems
2.1 Overview
2.2 Interface and System Variations and Assessments
2.3 Challenges in Interface Design for Embedded Real-Time Systems
3 UX Design Processes and Methods
3.1 Overview
3.2 Criteria-Based Decision Making
3.3 Initiation and Planning
3.4 User Research and Requirements
3.5 Iterative Design and Test
3.6 Release and Post-release
3.7 Closing Thoughts
4 User Interfaces: Humans to Machines
4.1 Overview
4.2 Selection Criteria
4.3 Direct Controls or Outputs
4.4 Graphical User Interfaces (GUIs)
4.5 Voice User Interfaces (VUIs)
4.6 Wearable Interfaces
4.7 Other Interaction Approaches
4.8 Closing Thoughts
5 Messaging Interfaces: Machines to Machines
5.1 Overview
5.2 Messaging, Queueing, and Serialization
5.3 Communications Protocols
5.4 Selection Criteria for Protocols
5.5 APIs and Microservices
5.6 Closing Thoughts
6 Conclusion
6.1 Closely Related Topics
6.2 In Closing
References

B. Montgomery
Department of Computer Science, University of Colorado Boulder, Boulder, CO, USA

© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_65

Abstract

This overview for the handbook provides insights on design aspects, approaches, and alternatives for monitoring and controlling real-time and embedded devices and systems. Making these interface designs usable and effective is central to successful product introductions and differentiation. The detailed review of interface design techniques includes developing for both user interfaces and message-based communications, enabling key interactions. A wide range of user interface options are reviewed, including direct physical controls, interactive graphical displays, and voice user interfaces, along with industry-standard user interface design tools such as Qt and HTML. Design for these elements is supported by a framework of processes used in phases of iterative UX design like analysis and planning, user research, and user experience design and test. Each UX design phase visited includes sets of UX design methods regularly employed at that stage, with common and useful UX methods such as personas, usability heuristics, sketching, prototyping, surveys, and microinteraction design. Device control via messaging and application programming interfaces (APIs) is also considered, including protocol alternatives to enable low-level, machine-to-machine (M2M), internet of things (IoT), and low-power wide area network (LPWAN) communications. Methods for analysis, selection, and implementation of communication protocols in designs are reviewed, including application of message queueing tools, cloud-based IoT frameworks, messaging and microservice architectures, and API design best practices. Design examples include architectures for a wide variety of systems such as single-board computer-based prototypes, wireless sensor networks and IoT gateways, devices using web- and mobile-based device interfaces, and connected wearable devices.

Keywords

M2M/machine-to-machine · IoT/Internet of Things · Discount user experience · Pugh matrix · Use cases · Fidelity · Microinteractions · Graphical user interface · Messages · APIs

1 Introduction

Design isn’t finished until somebody is using it. – Dr. Brenda Laurel

1.1 Overview

It is hard to imagine an embedded or real-time device that does not have some form of an interface. It may be extremely minimal – maybe the device is activated by the insertion of a battery with no other visible controls – but why is the device being activated? What is it sensing, what is it controlling? If it senses something, does it communicate that activity? Visually? Audibly? Is a message sent to something it connects to? Are there device settings?

This chapter reviews considerations, processes, and methods for the design of interfaces for embedded and real-time devices and related systems. Such devices primarily communicate in two ways – directly with people or by connection to other devices or systems. To differentiate these two connection cases, they are referred to as user interfaces and messaging interfaces. In both cases, the successful design of the interfaces depends on the designer’s thorough understanding, implementation, and verification of the expected use, performance, and behavior of the device and its elements.

Interface design is a common issue in all systems connecting to people or other systems, but for embedded and real-time systems there are particular and unique considerations to bring to the design process. Yet, often because of the challenges of developing real-time systems, the interface design, crucial as it likely is to the successful implementation of the system, is ignored or downplayed to focus on other aspects. A typical discussion of the multidisciplinary nature of real-time design (Laplante and Ovaska 2012) mentions programming languages, algorithms, data structures, control theory, operating systems, and other contributing areas, but does not touch on interface design or user experience related topics. It is true that much of the literature around interface design (and related usability and user experience) processes and methods is focused on web and other graphical user interfaces (GUIs). But the growth of the Internet of Things (IoT), the omnipresent networks of connected devices, should shift this focus. The scale of the IoT makes its importance clear: recent estimates see a market size of $1.4 trillion by 2027 and over 83 billion connections by 2024 (Crane 2021). As people become increasingly dependent on embedded and real-time devices on their person, in homes and businesses, in daily transactions and communications, and in medical, industrial, and transportation systems, this dependence drives further focus on providing thorough support for how a system’s interfaces perform effectively in interactions with people and other systems.

This chapter presents the aspects of interface design for these systems in four primary sections. The first section looks at the nature of embedded and real-time systems, examples of devices and interactions, and considerations of why appropriate support for interface design is so crucial to such projects. The second section of the chapter reviews relevant user experience (UX) design processes and methods that support embedded and real-time device and system designs. The methods for UX design clearly apply to user interfaces, but even a team developing an API for a messaging interface should consider the user experience provided by the API documentation and support, as well as the success or issues found by API users implementing connections. The third and fourth sections examine user interfaces and messaging interfaces respectively, covering interface types and elements, use approaches, and other supporting considerations.

2 Embedded and Real-Time Systems

. . . when all is said and done, embedded systems programming has all the same ingredients as all other computer programming, only the proportions may differ. – Larry Constantine

2.1 Overview

There are few industries that do not have the need for real-time embedded systems for controlling and monitoring various applications. One list of typical real-time domains (Laplante and Ovaska 2012) includes devices for aerospace, civilian, industrial, medical, and multi-media uses for tasks such as elevator control, robotic assembly, home theaters, and aircraft navigation. In these cases, the real-time aspects of the systems may vary, but they are all used to provide assessment of input and correct output in a method that meets provided timing constraints. In some cases, tasks like this could be handled by a general-purpose computer, but more often a custom embedded microprocessor-based system combining sensors, power management, and interfaces is used to provide this real-time response to a specific need. In this chapter’s review of interface design for these types of systems, the focus starts from the connected edges of the embedded real-time system vs. other on-board design of supporting infrastructure. It extends to the people, environment, and external systems to interface with. Figure 1 shows the target areas for this discussion. At the edge of the system, there can be embedded software support for low-level communications, often used to connect to sensors, peripherals, and human-computer interface elements such as screens and keypads. The design considerations of the user- or human-connected elements are encompassed in the term user experience (or UX), defined as “the overall effect created by the interactions and perceptions that someone has when using a product or a service” (Buley 2013). Generally, as in Fig. 2, UX is broader than just usability, including all the elements of the interaction – hardware, user interfaces, the environment, the user’s goals, etc. Although the two terms are often interchanged for each other, usability is a specific concern within a user experience, with its own aspects and contributors. 
A typical definition of usability (Nielsen 2012) states it is a “quality attribute that assesses how easy user interfaces are to use” and includes a number of aspects of usability shown in Fig. 3.

4 Interface Design for Embedded and Real-Time Systems

Fig. 1 Focus for embedded real-time system interface design review

Fig. 2 The broad scope of the term user experience

B. Montgomery

Fig. 3 Usability aspects or quality components (Nielsen 2012)

Messaging interfaces and network connections are used to connect to other embedded systems (machine-to-machine) and to internet- or cloud-based systems (Internet of Things). In one discussion of defining these communications (Minerva et al. 2015), the term M2M or machine-to-machine covers “the communication between two or more entities that do not necessarily need any direct human intervention” to automate decisions, data transfer, and other processes. The IoT or Internet of Things definition extends communication beyond the device to encompass the whole scope of connected elements: “a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies.” Another way to consider M2M vs. IoT is by looking at the now standard OSI (Open Systems Interconnect) seven-layer networking model (see Fig. 4), which presents a nested set of concerns for a generic networking connectivity working up from the physical layer of Ethernet cables or RF signals up through to applications using networked data flows. Generally, M2M is looking at device design and interconnection, and focuses on the elements of communication in the network layer and below. IoT includes more overall system and application focus; IoT designs tend to look at the network layer and application-oriented layers above.

2.2 Interface and System Variations and Assessments

One aspect that makes embedded real-time interfaces challenging is simply the range of potential design approaches and applications. Consider a typical embedded control system, the thermostat. At its simplest, a thermostat may be not much more than a temperature selector, a temperature sensor, and terminals to interface to the heating system being turned off once the target temperature is reached. In practice, home thermostats often control both heating and cooling, and may use an LCD display screen to show the system mode (cool, heat, off), the current and target temperature, and other system conditions, such as a low internal battery. In a larger home or office with separate heating and cooling zones, a more complex thermostat system may have the thermostats connect in a mesh network to balance the settings across the entire building, to set up schedules of different settings, and to bring the measurement devices in contact with some form of a gateway to allow a smart phone-based application to monitor and control the entire set of devices that make up the system. Continuing to scale up, consider multiple multi-family apartments in a complex, where the system may be part of a network of a connected set of subsystems, monitored via a cloud-based dashboard that a maintenance company uses to apply machine-learning algorithms to data from hundreds of devices for detecting anomalies, identifying maintenance needs, and for energy saving controls.

Fig. 4 The OSI seven-layer networking model (layers and data concerned at the layer)

Regardless of the complexity of the networking in this embedded real-time application, in many cases, the primary connectivity from the thermostat is to a person, and the design of the user interface for the human interaction can be a differentiating factor in the success or failure of a particular product design.

In one example of a formal usability study of connected thermostats (Herter and Okuneva 2014), the examination of system usability illustrates both typical elements of such studies and the benefits of a thorough review. The study asked typical users to apply a set of common tasks across a variety of connected thermostats, resulting in an assessment of usability metrics, determination of feature preferences, and identification of specific design concerns. The preparation for the study included sample size assessment, task development, recruitment scripts, non-disclosure agreements, a facilitator’s guide, and a tailored participant survey. The study assessed a dozen different thermostats, including the new (at the time) Nest thermostat with its unique circular interface. Each thermostat was tested over 3 days by 26–28 participants selected for a mix of age, gender, and other characteristics. Study participants were asked to perform standard sets of tasks such as identifying indoor temperature and changing the heating target.
The study used time on task to assess efficiency, and survey responses to assess preferences. The results of the UX tests in the study produced a set of features users ranked as important to their user experience. In the survey results the highest rated thermostat was one with a clear large color display, good feel and sound, and high ease of use. Interestingly, the unique design of the Nest in this study did not provide well for usability and placed it in a middle ranking for its user experience. Over time, Nest has changed their thermostat design over several generations to respond to user and market needs (Axon 2020).

2.3 Challenges in Interface Design for Embedded Real-Time Systems

In some ways, developing embedded and real-time systems is no different than any other engineering effort. Most engineering efforts are impacted by what one author (Cohen 2015) calls “the Fundamental Principle of Product Development” which is that surprises (or issues or defects) get more expensive if discovered later, or to restate, product development is an exercise in uncovering surprises as soon as possible. This statement draws from earlier original work (by Barry Boehm in 1976) showing that fixing defects in software development is significantly less expensive in early project stages than in later ones (Selby 2007). It is not hard to imagine a situation where a defect is found and fixed in a sentence during a requirement review versus the impact of that same defect in a released product that could lead to a recall or worse, significantly impacting customers and engineering team plans. This is a primary driver in identifying the practices used in interface design that help to expose issues in designs as early as feasible.

Another common engineering issue is the estimation of effort; again, Boehm’s early work exposed a software development phenomenon now commonly labeled the cone of uncertainty. The typical cone diagram shows that estimates of effort made in early design phases have the potential for significant error, but as projects mature, the cone begins to tighten as the team learns more about the true requirements and the remaining work, and therefore becomes able to make better estimates (Selby 2007). This guiding principle helps in selecting the approaches used for planning and project control in design efforts; ideally methods should allow for updates, learning, and change control.

There is little question that developing embedded and real-time systems is a challenging endeavor due to the nature of the work.
This is because embedded systems are purpose-built for the application they target, and the balancing of the requirements, design criteria, and selected elements can be very difficult. In an introduction to embedded system development (White 2011), various constraints are considered. Typical hardware constraints include memory (RAM), code space (ROM/flash), processor speed, power consumption (or battery life), required peripherals, and more. This is combined with software (or board-level firmware) constraints for timing, deterministic operation, fault-tolerance, available supporting software tools and operating systems, and the extent of the ability to diagnose issues. Project constraints can also have significant impacts: development cost, reliability, schedule, resources, risks. To all this, now add the needs for user interfaces or messaging interfaces as elements of a successful delivery as well as the broad design space of possible components and protocols; the design can become a frustrating exercise without proper methodologies to support the effort.

Working through the balance of product features for the initial release of a design can be its own challenge (Maurya 2012). Most new development projects tend to focus on a minimum viable product (or MVP) that defines the least that can be delivered for a successful release. But a new release is also driven by what makes the product desirable to customers, the unique value proposition (or UVP). These elements, MVP and UVP, must be balanced for a successful release. Too little feature delivery in the MVP may result in underserving the customer; too much effort on UVP features can produce a product that overserves and, because of the effort involved, may cause a project to miss key delivery windows. Without clear understanding and processes, interface design can miss these two delivery goals.

A final challenge in many cases is convincing an experienced engineer or team that the effort focused on interface design is required. Another name coined for this danger is “the engineer’s conceit.” It is echoed in statements like:

• “I know what the user wants.”
• “I’ll do my best work and the interface design will be perfect.”
• “My whole team likes the design, it’s great.”
• Etc.

In the next section on user experience processes, the keys to fixing this tendency are presented: a commitment by designers to user assessment and involvement, task definitions, iterative design, and using proven design approaches for user and messaging interfaces.

3 UX Design Processes and Methods

Usability is about people and how they understand and use things, not about technology. – Steve Krug

3.1 Overview

Examining and developing design cycles in general engineering is an often-visited topic. Whether the design process is being optimized for schedule control, to allow for change, for ensuring delivery, for quality or defect control, for innovation, etc., most design cycles include some common phases: initiation, planning, discovery, requirements development, design steps, testing, release activities, and post-release assessments. These activities are common in both UX-focused and other engineering efforts.

The Project Management Book of Knowledge (Project Management Institute 2017) looks at two common approaches to project management in detail, waterfall and agile. Waterfall project life cycles are predictive; scope, cost, risk, and schedule are all detailed early on and are managed throughout the project. Agile project management schemes (like Scrum or Kanban) also perform some upfront scoping of work, but time, cost, and project content can be modified as the iterative project work increases the development team’s understanding of the path ahead.

There are two key considerations that impact a team’s approach to project progress, a desire for progressive elaboration and the risk of premature optimization. Figure 5, the design funnel concept (Buxton 2007), shows this paired and balanced process of closing in on the final optimized design and the continuing elaboration of the design details. Continuing elaboration is needed to define the design envelope but making premature design decisions may lead to loopbacks and delays, or possibly block superior approaches. Ideally the processes used should provide some freedom to explore the design space but also efficiently take the design team through to a final delivered design.

Fig. 5 The Design Funnel (adapted from Buxton 2007)

UX-focused published design processes to drive usable product deliveries also exhibit a wide variety as practitioners try to optimize processes to reach design goals. As typical examples, one thorough examination of the UX design process at the usability.gov website (U.S. Dept. of Health and Human Services 2006) provides a phased approach that includes methods to use in phases labeled Plan, Analyze, Design, and Test and Refine. An alternative detailed process example (Ross et al. 2000) presents a user-centered design approach with Analysis, Design, Implementation, and Deployment phases. Both approaches include some shared and some different design methods to employ.

In considering the varying content of UX design processes, another categorization is considering the process in terms of formal and discount methods. The term “discount” usability engineering comes from an early work by the developer of usability heuristic evaluation (Nielsen 1989).
Discount user experience processes focus on simplified user testing with just a few participants. Discount assessments often employ simple paper or other prototypes over multiple iterative rounds of design where improvements and increasing details are introduced. The goal is to find the key usability issues with quick, early, and repeated design iteration. This contrasts with “formal” usability tests that may involve studies employing usability experts, large numbers of participants, carefully designed experiments, specialized tools and laboratories, all yielding a mix of qualitative and quantitative metrics.

The methods reviewed here for UX work with real-time systems focus on discount methods that can maximize improvement results for a minimum required effort and expertise. In cases where specialized resources are available or project goals require more formal UX design approaches, experts in UX design and analysis can provide valuable perspectives.

This section of the chapter presents methods best used in discount UX design for embedded systems, dividing the methods into how they are used in four design phases – initiation and planning, user research and requirements, iterative design and test, and finally release and post-release of the system or device. Many of the UX design methods can be used for design and assessment of human interaction with messaging interfaces as well as their more common application to user interfaces.

3.2 Criteria-Based Decision Making

One aspect common to all engineering design is using selected criteria to compare and select alternatives. With respect to UX design methods, this can come into play when selecting UX methods or examining UX design options. Often, these decisions can be made based on the expertise and experience of individuals or teams involved in a design effort. In some cases, however, it may be necessary to provide some structure to the decision process. The method presented here, the Pugh matrix, can be used at any point in the design cycle to structure a criteria-based assessment. Other assessment methods can easily be found by exploring Lean Six Sigma approaches for quality in design, but the Pugh matrix is easy to deploy and effective in use.

In essence, the Pugh matrix allows comparison of design elements, processes, or concepts in relation to a baseline using selected criteria (Silverstein et al. 2009). Steps are typically as follows:

1. Determine a baseline concept (if one is not immediately available, select one from the products or processes to be assessed – that group comes from the next step)
2. Select the concepts to evaluate
3. Define the evaluation criteria to be used
4. Optionally, rank the criteria
5. Use the criteria to compare and score the concepts
6. Discuss and refine the analysis

A template and example for the Pugh matrix (many can be found online) has the structure shown in Fig. 6. In this fictional example, a baseline concept was identified, as were four competing concepts. Six comparison criteria are included, and weighted. Scoring values can vary; schemes using +1 to −1, +2 to −2, or other ranges are common. In totaling the results, the unweighted assessment shows Concept Two with the high score of seven vs. the baseline of zero. The weighted assessment (multiplying the concept scores by the criteria weights prior to totaling) makes Concept Two a standout choice.

Fig. 6 Typical Pugh matrix template and assessment

Note that generally, what is important in the process is less about the scoring and results and more about the discussion and assessment that occurs within a design team while the matrix is being built. Developing the results as a team reduces favoritism among concepts and allows for a more robust assessment of the importance of each aspect of the process. It also provides a good format for presenting design decisions to stakeholders.

For selecting UX methods, if a Pugh matrix approach was used, assessment criteria might include time to apply, skill required, method complexity, fit to design goal, etc. Following sections present other comparison criteria that can be used for communications protocols and user interface elements in a similar fashion.
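As an added illustration (not from the chapter and not a reproduction of Fig. 6), the following sketch applies the Pugh matrix steps to the UX-method selection case, using the four criteria named above. The concept list, weights, and scores are constructed assumptions, with +1 meaning "better than the baseline" on that criterion.

```python
"""Pugh matrix scoring: compare concepts to a baseline on weighted criteria."""
from dataclasses import dataclass

ALLOWED_SCORES = (-1, 0, 1)  # the +1 to -1 scheme; widen for a +2 to -2 scheme

# Constructed sample data (assumptions for illustration only).
# Steps 3 and 4: criteria named in the text, with illustrative weights.
WEIGHTS = {
    "time to apply": 2,
    "skill required": 1,
    "method complexity": 1,
    "fit to design goal": 4,
}
BASELINE = "contextual interview"  # step 1
SCORES = {  # steps 2 and 5: each concept scored against the baseline
    "contextual interview": {"time to apply": 0, "skill required": 0,
                             "method complexity": 0, "fit to design goal": 0},
    "paper prototype test": {"time to apply": 1, "skill required": 1,
                             "method complexity": 1, "fit to design goal": 0},
    "user personas": {"time to apply": 1, "skill required": 1,
                      "method complexity": 0, "fit to design goal": -1},
    "formal usability study": {"time to apply": -1, "skill required": -1,
                               "method complexity": -1, "fit to design goal": 1},
}


@dataclass(frozen=True)
class PughRow:
    concept: str
    unweighted: int
    weighted: int


def pugh_matrix(weights, scores, baseline):
    """Total every concept's scores, both unweighted and weighted."""
    if baseline not in scores:
        raise ValueError(f"no score row for baseline {baseline!r}")
    rows = {}
    for concept, row in scores.items():
        if set(row) != set(weights):
            raise ValueError(f"{concept!r} must be scored on exactly the agreed criteria")
        bad = [c for c, s in row.items() if s not in ALLOWED_SCORES]
        if bad:
            raise ValueError(f"{concept!r} has out-of-scheme scores for {bad}")
        if concept == baseline and any(row.values()):
            raise ValueError("the baseline scores 0 on every criterion by definition")
        rows[concept] = PughRow(
            concept,
            unweighted=sum(row.values()),
            weighted=sum(weights[c] * s for c, s in row.items()),
        )
    return rows


def ranking(rows, weighted=True):
    """Concept names, best first; ties fall back to the other total, then name."""
    def key(r):
        first, second = (r.weighted, r.unweighted) if weighted else (r.unweighted, r.weighted)
        return (-first, -second, r.concept)
    return [r.concept for r in sorted(rows.values(), key=key)]


if __name__ == "__main__":
    table = pugh_matrix(WEIGHTS, SCORES, BASELINE)
    for name in ranking(table):
        r = table[name]
        print(f"{name:24} unweighted={r.unweighted:+d} weighted={r.weighted:+d}")
    # Step 6: a concept that changes rank once weights apply is a discussion point.
    print("unweighted order:", ranking(table, weighted=False))
```

With these constructed scores, "user personas" ranks second unweighted but last once the weights apply, which is the kind of shift the team discussion in step 6 should examine.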

3.3 Initiation and Planning

The initial stage of starting a UX design effort utilizes a mix of common engineering project control methods with a few that are more UX oriented. Goals for this initial stage are to scope the work, assess resources, determine the project objectives, and align with the stakeholders to get the effort authorized and started (U.S. Dept. of Health and Human Services 2006). In some cases, this may require some early envisioning of where the design efforts will go to produce elements of a usable system. This early activity provides a more realistic view of what the work is and also a foundation for a successful delivery.

One discussion of the minimum work required to successfully start a project identifies a set of typical initiation and planning activities: a charter or statement of work for an early view of scope and objectives, clarity on staffing, and a project kickoff (Lewis 2006). The project charter or statement of work documents describe and define the base effort. Depending on the template used, this document may contain the project objectives, context, goals, deliverables, and scope. For staffing, often a RACI (Responsible, Accountable, Consulted, Informed) chart helps create a staffing plan that specifically states the involvement of each project member and stakeholder. Then finally a project kickoff helps set the project team on the initial path to start work: it makes the project official, aligns the team and stakeholders, and identifies initial work assignments.

One of the more challenging elements of this planning can be scope assessment. Often it takes considerable effort to understand what the stakeholders expect to be done, and how this translates into required activities by the design team and supporting teams. It may also take some effort to share the initial vision of what UX goals or improvements the project will address. Some methods that support these efforts include stakeholder interviews, work breakdown structures, and visual communication aids such as a project brief or an artifact from the future.

Conducting stakeholder interviews (alternatively labeled a listening tour) is identified in one UX process discussion as a key early activity for capturing the perspectives of the various people defining or sponsoring the work (Buley 2013). The goal here is to further understand the UX priorities and support for the design effort.
A straightforward and useful exercise, the steps include developing a preliminary set of questions, identifying interviewees, conducting brief one-on-one interviews in-person or remotely, taking and reviewing notes from the sessions, and then later sharing the summary and assessment with the interviewees, along with acknowledging their contribution.

Determining project scope is a challenge at the beginning of a project; because of the likelihood of change and discovery, agile approaches that allow for change more easily during execution can be effective. But regardless of the project management approach, the initial view of what the deliverables really are for any project is of central importance to planning the UX effort. A proven method for scope definition is the work breakdown structure or WBS. Initially introduced in defense and space exploration project work in the 1960s, the WBS provides a deliverable-oriented hierarchical decomposition of work that defines all the work for a project or a phase (Project Management Institute 2006). A WBS can be represented by either a text-based or graphical outline (see Fig. 7), and many tools are available for developing a WBS and integrating the data with other project management tools. The detail level of a WBS is up to the project team, but common rules of thumb include the 80-hour rule, where no bottom-level task is scoped to over 2 weeks (to help reduce the impact of delayed deliveries) and the 100% rule, which says that the WBS should represent 100% of the work required for the project. Often when scoping a UX project it is easy to overlook required documentation, test, or review tasks that should be represented for a complete project view. A well-constructed WBS can contribute to team building and understanding, reduce scope creep, and help control project deliverables. The WBS also supports bottom up estimates of overall project time on task or cost. Finally, tasks in a WBS can become work elements in a waterfall project schedule or stories for an agile method like Scrum.

Fig. 7 Graphical and text-based outline view of a WBS

Because of the visual nature of UX work, often it makes sense to create objects that support communicating the project or project concepts more visually; two such methods are the project brief and the artifact from the future. A project brief is essentially a poster or short text view of a project that touches on key project elements – requirements, objectives, and if known, key goals or principles for the design work (ProjectManagement.com 2021). When publicly posted, the brief supports visibility and discussion about the project. Another approach to visually share the design goals of a UX project is an artifact from the future. These artifacts can take any form, an advertisement, a product review, or an actual mockup that shows some envisioned elements or usage of the future design (Institute for the Future 2021). The goal of the artifact is to spur discussion about elements of the design work and where the UX design effort is likely to go as it moves forward.

3.4 User Research and Requirements

Prior to moving into the iterations of the actual UX designs, it is important to develop an understanding of the users and the tasks they perform with the device or system being developed (or with similar devices). The methods in the user research and requirements phase help examine the user’s motivations, behaviors, and needs and the tasks they want to perform, including task priorities, the environment of use, and any other challenges that impact their use of the design. What is learned in this phase about the users and tasks also helps reduce design and project scope errors, keeping the user needs in the forefront of design considerations.

One of the most powerful methods at this stage is the contextual interview, where users are observed in their natural environment to gain a better understanding of how they work or use devices (U.S. Dept. of Health and Human Services 2006). In these sessions, the designer primarily observes the user performing tasks and may also ask questions about their intended outcomes or actions. Contextual interviews generally provide qualitative information about the issues users face, how and where they work, any preferences they may have, and the timing and difficulty of typical tasks. The value of observing users performing tasks in the environment of use is well known to UX designers; one company terms their process of studying users in their natural environment “High-Tech Anthropology” (Menlo Innovations 2021) to clarify the contribution of observing and listening at this stage. As with the earlier stakeholder interviews, it is a good practice to share conclusions from such observations with users to verify findings.

Another effective method to help design teams understand users before moving into further design is the creation of user personas. Personas allow designers to think in terms of “what would the user do” by creating a description of a typical user at a detailed level, based on user and task research like the contextual interview above. There are many templates in use for personas, but most include a fictional name, job titles and responsibilities, demographics, primary goals and tasks to complete, possibly a narrative or day in the life element, and supporting information about their environment. Alan Cooper is usually credited with the persona study approach (Cooper 1999), and sees a persona as a user model, providing a representation of how a user behaves and thinks. Ideally a persona should provide an archetype that represents a segment of typical users; some persona methods develop multiple models and prioritize which personas should be considered as the focus for a design.

The last method considered here is the use case. Use cases come from software engineering, and like the prior WBS, can be represented in a text-based or graphical representation.
In one leading guide to effective use case development (Cockburn 2001), a use case is described as a contract between stakeholders of a system about its behavior. The text for a use case should focus on individual use scenarios, clearly identifying the primary actor (or user), their goal in the scenario, the steps they take in the scenario, the main success path, and possible alternate outcomes or scenario extensions. There are many published templates for text-based use cases, but regardless of the format, the focus should be from the user’s perspective on what they are doing and should not include any implementation details about how tasks are performed such as user interface designs or data formats.

An alternative to the text-based use case is the UML (Unified Modeling Language) diagram for use cases. UML diagrams for use cases (see Fig. 8 for an example) have the advantage of capturing more information about multiple interactions in a graphical form but may lose some detail found in the text-based discussions (although the diagrams of course can be annotated). Elements of UML diagrams for use cases include actors, tasks, “includes” clauses for a shared or required task, and “extends” clauses for optional or conditional tasks. Again, in the UML use cases, the focus should be on what the user is doing, and what has value to them in the use scenario.

Fig. 8 Example of a simple UML Use Case for a music playing/storage device

Typically, at this stage in engineering projects some effort is expended on requirements definition, especially in waterfall models (in agile models, this occurs as needed). Use cases become key to representing the user’s needs and tasks in the set of functional, nonfunctional, and constraint-based requirements common to most system descriptions. Use cases (as user scenarios) are the “+1” in the common “4 + 1” architectural model for systems (Krutchten 1995), and act as the focus for creating logical, development, process, and physical views of a system’s architectural requirements to describe a complex design from these different perspectives.

There are many other tools to consider for capturing the user’s needs and tasks for preparing to move to system design. Interview techniques such as focus groups or custom surveys are common, as are assessments of comparative products or detailed models of more complex task flows. As with all design efforts the team must consider what they feel they need to learn before progressing, and which methods will provide the insights that allow them to proceed with a user-centric mindset into the cycle of designing and testing product interactions.

3.5 Iterative Design and Test

This stage of iterative design and test-based verification is where most engineers want to work, that exciting cycle of creation: inventing, modifying, and demonstrating systems that are closer and closer to what will ultimately be released. From a UX perspective, this general engineering process of progressively elaborating the details of designs still holds true, but there is an additional requirement to maintain involvement with actual users (or at least surrogates if real users are not available) to ensure as designs evolve that they continue to represent the user and their prioritized tasks.

Don Norman, perhaps the first person with the title user experience architect, wrote a classic book on the Design of Everyday Things (Norman 1990) which reminds designers about the need to be aware of the needs of people using devices. Users should be able to see what actions are possible and should be constrained if needed to help prevent errors. The state of the system and the results of actions should be visible and clear. In general, the goal is to provide natural mappings between a user’s intentions and their actions, so users can easily decide what to do, and know when something was done. Iterative design and test cycles of progressively elaborated designs, along with some standard design guidelines to help maintain usability, should allow provision of increasingly detailed designs with these user needs in mind.

In UX design, the match between the current system model and the eventual product is known as fidelity; fidelity is examined in detail in a book examining prototyping practices (McElroy 2017). In most iterative design cycles, movement is from low to medium to high fidelity models. Aspects of fidelity include the level of functionality (if any), visual details, interactivity, and data modeled. Considering these components of a model’s fidelity, each type of model is useful for different tasks. Low level fidelity models are quicker to make and can be used for exploration of concepts and alternatives. As fidelity and interaction increase, efforts needed to produce the models also increase, but the models become more useful for testing specific tasks with users. High-level near product models can be used to present to stakeholders or for finalizing on usability goals.

Often in a UX design flow, designs begin as sketches. Sketching is a key exploratory engineering activity and can be broadly defined to include typical paper and pencil, whiteboard, or digital drawings as well as text descriptions, collections of physical objects or clippings from the web (Buxton 2007).
Because of the speed of creating alternatives, sketching also lends itself to parallel design efforts, where different forms of interface elements are imagined and presented to select the best elements from many alternatives.

As the need increases for higher fidelity representations, devices and their interfaces are often represented with wireframes. Generally, wireframe interface drawings do not include specific styles, colors, or graphics, but focus on the intended interface element layout to allow simulating functionality, navigation and task execution (Buley 2013). In practice however, given the strength of electronic design tools, higher fidelity wireframes and interface mockups are often created as well. Moving to a higher fidelity rendering should be intentional; often by maintaining a slightly lower fidelity, the user reviewing such designs likely feels more freedom to suggest changes, vs. being presented with a polished final full-color rendering that looks as though it is ready for production. One typical tool for creating wireframes and mockups (Balsamiq Studios 2021) maintains a hand-drawn look and feel in its low-fidelity digital wireframes to encourage iterative design review and change.

As elaboration of designs continues, prototyping becomes important in this stage. This is particularly useful for the creation of electronic devices, where the prototypes are created to provide a variety in fidelity of models, as presented in a staged flow of increasing fidelity in electronics design prototypes and related models (Charlier 2016). Early on, a proof-of-concept model is created with a breadboard just to compare design alternatives, such as power management or component
assessments. A “works-like” prototype – perhaps based on a single-board computer rather than a final custom printed circuit board assembly – is created to assess device functionality or communications, or to test selected interactions. A “looks-like” prototype, based on a three-dimensional plastic print, for instance, can allow users to consider packaging, comfort, or alternative elements of a product layout without including electronics at all. Higher-fidelity prototypes, possibly employing near-production circuit boards and near final firmware, would allow for acceptance and production test assessment.

Another UX design approach which applies particularly well to embedded and real-time devices is called microinteractions (Saffer 2013). Microinteractions are tiny parts of functionality – details of an interaction – that do a single thing, examined at a detailed level. Increasing the positive UX of working with these details makes overall product engagement easier and pleasurable. Microinteractions are smaller than product features; for example, providing music playback on a device is a feature, adjusting the volume is a microinteraction in that feature. The goal of examining such small elements is to provide the user signature moments that make the device interaction unique and differentiating. The method breaks interactions into triggers, rules, feedback, and loops and modes. Triggers are how the microinteraction is initiated, which can come from a user or the system. Rules are the response to triggers; they provide the path to the interaction goal. Feedback provides the user with state information as to the rule’s operation, and can be visual, audible, haptic, or any other method that informs the user. Loops and modes represent any branching or repetition in the interactions. Saffer provides guidelines for “fixing” a dull microinteraction as well as interpreting user behavior in working with details.
At each stage of designs – from a paper interface to a near final product prototype – UX testing with users should be performed. There are several different test approaches that can be used along with the designs in this phase, and as the focus is on discount usability, the tests can be executed with a minimum of preparation and small numbers of users. The key to making this testing effective is examining the primary issues uncovered in each testing cycle and correcting those issues prior to the next test cycle. An example of this in a discount usability process is in a comparison of two test cycles (Krug 2006). In the first cycle, a test with eight users finds five issues. In the second test cycle, a group of three users is tested finding only three issues, but those problems found are then fixed, and a second three-person test then discovers six new issues. In short, testing often with a few users, fixing the primary usability issues found, and continuing this cycle is a recommended path toward a usable product.

One testing approach for the earliest of design stages is paper prototype tests, also known as Wizard of Oz tests. A handbook for the test approach outlines the process (Snyder 2003). Using paper sketches, wireframes, or prototypes of an interface, select a set of primary tasks to have the user perform. One of the engineering participants facilitates the test, and another acts as the device or computer, telling the user what they would see based on the interactions the user states they would make. Running a pilot test to make sure the interfaces drawn are sufficient and the tasks
are clearly stated helps ensure the test is effective. The user should be instructed to “think aloud” during the test, and either the facilitator or another observer should take notes on what the user runs into in attempting the task. These early tests are surprisingly effective, and the unfinished nature of the test system encourages users to make comments and suggestions. The ease of making alternative designs or additional interface examples also makes these test cycles useful. Another useful discount usability test approach is the hallway usability test, also known as guerrilla testing (Ligertwood 2020). This approach allows testing for UX issues anytime an interface has sufficient functionality and defined tasks. It is a quick way to validate design assumptions and works well in small iterations. This testing can be done in an office or a coffee shop, or remotely with appropriate software. The method uses nearby individuals for the testing, people in the hallway of a company, etc. Ideally users should not be peers or engineers who tend to think about designs in a different manner than those outside of engineering (unless the interface targets engineers). The team performing the testing may prepare with creation of a brief pitch, instructions for the testing, and again, piloting the test to make sure preparations are adequate. The effort should be clear about what is expected from users and separate the facilitation and observation/note taking roles across people on the design team. In some cases, it may make sense to qualify users to make sure they come close to the type of user being targeted for the interface. These tests should be brief, perhaps 10–15 minutes, and should focus on a few key tasks, so as not to significantly tie up users for too long a time. Another particularly useful interface assessment, at any design stage, is a heuristics evaluation using a set of standard usability heuristics or guidelines (Nielsen 2020). 
The standard usability heuristics have been in use since the early 1990s and remain relevant and useful in ensuring key areas of personal usability are present in a set of interfaces. Figure 9 lists Nielsen’s general design principles in the heuristics set. To use them as an evaluation tool, it is usually best to select one or two heuristics each reviewer considers so they can specifically examine each interface in question for the particular issues. Heuristic evaluations can be useful whether performed by UX experts or by developers instructed in what to look for. Heuristic evaluations are not a substitute for user-based testing; in practice the types of issues found by both approaches differ. A best practice would be to make the heuristics known to the interface designers, and to regularly perform reviews as designs progress. Note that the heuristics are not rules, and there may be times when a particular interface cannot or should not meet the guideline. There are

1. Visibility of system status
2. Match between system and the real world
3. User control and freedom
4. Consistency and standards
5. Error prevention
6. Recognition rather than recall
7. Flexibility and efficiency of use
8. Aesthetic and minimalist design
9. Help users recognize, diagnose, and recover from errors
10. Help and documentation

Fig. 9 Jakob Nielsen’s usability heuristics (see Nielsen 2020 for detailed descriptions)

also published heuristics available for specific interface domains, such as medical devices and children’s toys, that build on the base heuristics to address the specifics of those designs. The testing approaches outlined above are particularly useful and relatively easy for an engineering team to apply to keep designs as user centric as possible. There are many other design and test approaches and standards in usability practice and literature. Surveys, discussed in the next section, can be employed during test cycles, and can provide some quantitative assessment of usability improvements. Style guides, whether developed internally or selected from available publications, are useful to design teams who are developing interfaces that want to maintain a particular product branding or look and feel. A/B testing is often used when competing designs are better assessed for acceptance by actual use (although the A/B method should not be used to identify usability issues). First click tests ask users to approach an unfamiliar interface and track their interactions to see if users interpret the use of the interface in the way the designers intend. As mentioned in the comparison of formal and discount usability testing, if an organization has expert UX resources or performs formal usability testing for product releases, it would be most effective to review discount vs. formal methods and engineering vs. UX team activities at project inception to see how much and what type of UX assessment should be performed by both organizations for the product development effort.

3.6 Release and Post-release

For the most part, the solutions for most usability issues have probably been answered at this stage for embedded or real-time devices. It is certainly possible, however, that during the final manufacturing cycles with validation and certification tests or during the typical alpha-beta-release cycle to customers that problems impacting UX are identified. Any issues found during the release and manufacturing cycles must be carefully considered for how serious they are and when they will be addressed because of the possible impacts on deliveries. In the initiation and planning cycle, there should be careful analysis of the steps required to move from design to manufacturing, and what room there may be for any final change cycles. One text calls this practice “planning to fail” (Cohen 2015), and makes the case for thorough project planning. Ongoing UX assessment can benefit from devices spending time with real customers post-production. At this stage, most engineering teams get feedback from customer facing teams (technical support, sales, etc.) about any UX issues being reported, and the project teams can consider the best responses – technical notes, documentation updates, or changes for future device versions. To be proactive, the design team can employ a few UX methods at this stage to understand customer acceptance. The most obvious approach is to go back to the contextual interview approach from the user research stage, conducting field visits to see the products being used by actual users in real environments.

There is also an opportunity at this stage to employ pre-validated standard UX surveys. There are a variety of standard surveys and questionnaires for use at various UX assessment stages; one source (Sauro and Lewis 2012) divides the available instruments into post-study, post-task, website usability, and more general satisfaction categories. The advantages to employing standardized UX surveys include proven objectivity, replicability and quantification of results, and relative ease in preparation and execution. One of the most popular surveys is the Software Usability Scale (or SUS), which at one point represented over 40% of UX surveys employed in usability studies. The survey is brief, with ten questions on the user’s assessment of system complexity, ease of use, consistency, and required learning. The questions are scored on a five-point Likert scale, allowing for ease of analysis and comparison for before and after UX improvement efforts or different releases. Information gathered in the post-release stage can clearly feed back into future product releases.

3.7 Closing Thoughts

While there is always a role for experts in usability, UX, industrial design, and project management, and their expertise should be put to use if available, there is also opportunity for engineering teams to use well understood and approachable UX methods to set a good foundation for their projects, understand their users’ needs and tasks, and use that understanding as the basis for iterative design and test of highly usable embedded systems. It is also true that the usability of the device’s interface is only one design constraint; each design effort is a multidisciplinary challenge: data management, control system designs, performance and capability balancing, reliability and maintainability concerns, etc. But usability and UX weigh large if the system is to be directly used by people. How much effort the team allows for UX concerns is a decision they and their stakeholders need to make.

4 User Interfaces: Humans to Machines

UI is the saddle, the stirrups, & the reins. UX is the feeling you get being able to ride the horse. – Dain Miller

4.1 Overview

The previous section reviewed the UX methods and processes for designing and assessing an interface and interactions with it. This section presents the building blocks for enabling interaction between humans and devices or systems. The review looks at the full scope of possible interface element choices, and criteria for how designers select and differentiate their options.

As with the UX design and assessment processes, as much as possible, user needs and tasks should drive selections and customization of interface elements, but design decisions must consider what the typical human users are capable of. In past system designs, the primary interactions between humans and devices were limited to primarily touch, sight, and some sound. More recently the addition of voice input and output has broadened the vectors for how people interact. As sensor technology improves, using movement, skin response, heart rate, etc. also broadens possible connections. The mapping from humans to devices is still somewhat incomplete; human senses for taste and smell are generally not employed in interfaces. It is also possible that the sub-population of likely users the device is designed for may have limitations – the elderly, children, and individuals with select deficits in hearing or sight for instance, or that the environment the device is used in precludes certain design choices (e.g., a voice-controlled interface in a noisy factory). Finally, the individual sensors, input, and output components also have their own strengths, weaknesses, capabilities, and electronic characteristics to consider.

4.2 Selection Criteria

Selecting something as simple as a switch for a device can be a complex decision cycle with many considerations (Hughes 2015). Again, per the earlier discussion of Pugh matrices, it is good to identify the key criteria and then weigh the alternatives against each other or an existing baseline design. Electronically, the switch characteristics for voltage and current load and the required number of contacts impact the component selection, as do physical characteristics such as size, activation force, and mounting. The available styles of switches can also be overwhelming: switches, buttons, slides, keypads, dials, thumbwheels, membrane-based, fingerprint sensing, etc. A quick brainstorm of component selection criteria generates additional potential considerations for components and sensors – other electrical characteristics, operating environment, cost, licensing, reliability, sources, reference designs, development tools, data and error rates, accuracy and precision, standards conformance, etc. These choices are also informed by the UX considerations – how often will the switch be used, is the state of the switch clear to a user, are there aesthetic or manufacturing considerations?

4.3 Direct Controls or Outputs

One of the most common sets of interface elements for embedded and real-time devices is direct physical controls, like the switches discussed above, and simple outputs such as lights and buzzers. A review of such device elements employed in connected product designs details their strengths, weaknesses, and usage considerations (Rowland et al. 2015). Physical controls – switches, dials, keypads, etc. – have the advantages of being straightforward and fast to use, they allow for fine adjustments, and may prove accessible for users with poor vision.
However, these types of direct local controls likely cannot be updated with firmware, nor do they lend themselves to remote use. Simple lights are a common state communicator for devices – LEDs or light bulbs – and have the advantage of being glanceable and nonintrusive indicators; color and blink rates may provide some limited meaning to signals, but for more complex interaction, multi-segment LCDs can provide numeric and text information. Audio indicators, like buzzers, alarms, and tones from speakers, can be useful to provide time critical or urgent notifications and can be designed to provide a sense of personality for a device. However, low hearing users may need additional paired notification of another type, and the noise present in each environment may limit their effectiveness. In many cases, using multiple modes of notification can provide for known limitations for users or environments. Besides the capabilities of users, cultural issues for international users can also be an issue. For instance, using a red or green light indicator may not have sufficient meaning in a culture where red or green are interpreted differently from western cultural use. Guidelines to cultural color meaning differences are available to help guide design choices (Information is Beautiful 2021). Lights could also be combined with labeling, audio, or other state indications to make their meaning clearer.

4.4 Graphical User Interfaces (GUIs)

Display screens are also a go-to option for many device designers and the screens provide for a potentially richer graphical user interface (GUI) design that can be customized for particular interactions. There are a variety of choices for such screen-based displays: monochrome and color displays, electronic-ink, and touchscreens combining the display with a touch sensitive layer for direct inputs. Using such displays increases the dynamic capabilities of interacting with users, and allows for firmware updates that can easily update the interaction specifics, but all at the cost of maintaining a more complex supporting firmware base and keeping a focus on UX concerns to ensure information exchanges and controls are simple and intuitive (Rowland et al. 2015). Systems can be designed with GUIs (or simpler text-based command line interfaces) that are embedded into the device itself or are external to the device, connected through a physical or RF data flow, and are remotely accessed through an ancillary device such as a terminal, webpage, or mobile application. Clearly the device in these cases must provide processing support to control the local or remotely communicating interactions, and for a real-time system, this becomes an issue in budgets for processing, memory, and power.

4.4.1 Embedded GUIs

Including GUI screen support in an embedded system likely requires significant firmware development for customizing related input and output transactions. Because this is such a common element in so many system designs, there are many supporting development libraries and tools for supporting these designs. In a typical layered firmware design, hardware and other abstraction layers are used
to separate the hardware implementation of the device’s display elements and the implementation of the GUI designs. For most embedded microprocessors, there are several suggested GUI design tools and supporting libraries to help in GUI development. They may differ in cost, licensing, capabilities, development language support, and their capabilities for cross-platform development, which may be important if elements of the GUI designs are to be used on multiple devices with different architectures, or on other related platforms such as PCs or mobile devices. Selecting such development tools may call for a criteria-based decision exercise unless the development team has extensive experience or legacy products using a certain tool suite. As an example of the variety in these tools, a site detailing GUI libraries supporting a brand of popular microcontrollers suggests six different tool kits for development use (NXP Semiconductors 2021), one of which is Qt.

Qt is a full-featured example of such GUI development tools. The Qt GUI development environment provides extensive support for microcontroller-based GUI designs and has features and support typical of such tools. It is cross-platform for embedded, mobile, and desktop environments. Qt is provided for use with commercial and open-source licenses, and it provides bindings for multiple development languages and real-time operating system (RTOS) alternatives. Qt provides a “WYSIWYG” (What You See Is What You Get) UI designer to allow development of GUIs separately from the logic that drives interactions, making it easier to reuse, update, and implement GUI designs. In prototyping, it would be feasible for instance, to develop a Qt-based GUI on a single-board computer, like a Linux-based Raspberry Pi, and then later move that GUI to the actual microcontroller-based device using its local RTOS and firmware.

4.4.2 External GUIs

In many cases, especially in connected IoT systems or real-time applications, devices are spending most of their time gathering data and periodically messaging from the edge of a network into other elements that act on the information. In these cases, where required human initiated interactions may be limited to status checks, alerts, and firmware updates, using an external interface to control the device may make more sense. Often these external GUIs are provided in the form of web pages or custom applications to allow for the specific required interactions. Using web development tools like HTML, CSS, jQuery, and JavaScript or higher-level frameworks such as React or Flutter are common ways to craft the interface itself, leaving the support for interface communications as the issue at the device. By taking advantage of abstracted interfaces between the device and the interface page, whether via an API (Application Programming Interface) or other messaging, development of the elements is independent.

Figure 10 shows examples of several approaches to external GUI architectures including use of embedded web servers, embedded APIs, and device connections via messaging to intermediaries such as cloud services to provide layers between a web- or mobile-based interface and the device itself. In an embedded web server, such as this example from QNX Neutrino RTOS (QNX Software Systems 2021), a web browser is directed to the device which serves pages for interaction. These communication elements and connections are good targets for works-like prototypes to confirm operations and flow. The use of APIs and messaging interfaces as design elements is examined further in section five, which follows.

Fig. 10 Alternatives to external embedded device GUIs

4.5 Voice User Interfaces (VUIs)

In recent years, the popularity of voice user interfaces (VUIs) for operating devices, especially consumer electronics (e.g., Amazon Alexa) and cellular phone VUIs (e.g., Apple Siri), has dramatically increased as the technology and development approaches began to meet user expectations. In a book on designing VUIs (Pearl 2017), it is noted that the technologies are relatively new; the 2000s saw introduction of interactive voice response (IVR) systems that followed predesigned menus of prompts and responses (e.g., an automated phone service for a bank); Apple’s Siri was introduced in 2011, and IVRs are now being replaced by more intelligent chatbots. Pearl notes that most VUIs in use today are not conversational, and the system is given a command and responds with the action and acknowledgment. In this parsing of the speech input, there are many possible error conditions – detecting but not recognizing speech, recognizing speech but incorrectly responding, etc. on top of the need to reduce latency in interactions to comfortable speech patterns for users. Besides design challenges, it is also important to consider that users with hearing
deficits, ADHD, autism, or other characteristics may not be able to easily interact; it is estimated 15–20% of the world’s population has an impactful disability. VUIs may also be at a disadvantage in a public space or noisy environment.

For developers there are many open-source and commercial tool sets for development of VUIs and related interface elements. Developers can use all or part of the VUI tool set – creating voice output only, combining elements for single-step commands, or designing full chatbot interactions. One of the most common approaches to using VUI tools is to connect to cloud-based speech-to-text, analysis, and text-to-speech tools. Amazon Web Services (AWS), for example, provides an entire suite of voice-related tools for development and test including Polly for text to speech, Transcribe for speech recognition, Lex for an AI-based chatbot tool, etc. AWS also provides local device support for VUIs using the Alexa Voice Service that can support device control via Alexa skills (Amazon.com 2021). Such systems are simple to prototype with a single-board computer (like a Raspberry Pi) and an inexpensive microphone and speaker but can provide very advanced interface interactions.

4.6 Wearable Interfaces

Wearables, devices worn on and used by an individual, bring their own considerations for UX, interaction, and interface design. A discussion of developing wearable devices asserts wearables typically have a number of competing design elements: size and weight, aesthetics and comfort, battery life and charging methods, reduced size and number of components, and resilience for thermal and mechanical abuse (Teel 2019). The UX needs for typical wearables (fitness trackers, smart watches, medical devices, wearable cameras, etc.) are also unique – the need for glanceability, light-weight interactions, avoiding complex data or interface elements, considered use of GUIs, voice, sound, and vibration in the interface, and making sure the device still provides functionality if disconnected from networks or other devices (Sullivan 2017). Typically, the architecture for such devices has multiple layers of communication, to mobile phones or wireless networks, and cloud connections for data gathering and assessment.

4.7 Other Interaction Approaches

There are certainly many other interaction approaches to consider for devices communicating with human senses; one technology review covers many alternatives (Rowland et al. 2015). Gesture-based devices use some image processing of a camera or proximity sensor to determine whether a hand or full body gesture is something a device should respond to; gestures must be learned, and systems must allow for false positives in assessment. Tangible user interfaces, often used in toys or educational products, depend on the position of tokens or other devices as an input for functionality; the system requires having all the necessary separate parts
for the interaction. Tactile interfaces, such as the vibration of a smart phone, can be useful, but must consider the mechanical implementation and lifespan, plus the interface is limited to the information or states that can be communicated. Context-sensitive interfaces may be able to adjust their behaviors based on their location or other environmental factors. Scanning of QR (Quick Response) or bar pattern codes may be a good alternative for entry of specific complex encoded information. Future technologies may make direct neural or brain interfaces more feasible as well.

4.8 Closing Thoughts

Embedded designers have a particularly rich palette to draw from to create their device interfaces. But it is bounded by any requirements of the device to perform real-time transactions, the technical envelope of the device’s capabilities and limits, and the understanding of the environment, needs, and expectations for specific user interactions. The best way to ensure that the user interface elements match user expectations and usability goals is to iteratively design and test with real users on their primary tasks, especially when significant design changes are made. This exposes the primary issues the design team may not have seen and gives opportunities for progressively elaborating the design to a user interface that provides a differentiating and pleasurable interaction set for the users.

5 Messaging Interfaces: Machines to Machines

At a certain level of abstraction, every system is a message passing system. – Grady Booch

5.1 Overview

Besides a device having a human-focused interface, and the device’s own connections to sensors and actuators to interact with its environment, devices often share data, issue commands, and respond to requests from other devices. The terms machine-to-machine (M2M) and Internet of Things (IoT) presented earlier in the chapter provide ways of considering the forms in which devices interact and cooperate with each other; to their peers through direct connectivity, to other devices and network gateways, and to networks and cloud-based infrastructures. This section reviews messaging, queueing, and serialization of data; typical protocols at different levels of device communication; criteria to consider in protocol selection; and APIs and microservices that act as connection points and processors for message traffic.

5.2 Messaging, Queueing, and Serialization

Communicating between devices or with other connections generally takes the form of messages, data packets that can be thought of as an “interrupt with data” (Minerva et al. 2015). Most system communication in M2M and IoT applications is based on messaging, although there are alternatives. A shared memory area or a data store, such as a relational database, could be used as an alternative intermediary for passing information, or a file system could be used for storage and retrieval of data by producers or consumers. In a presentation of design patterns for messaging systems (Hohpe and Woolf 2004), messaging is defined as an integration approach for asynchronous and fast communication with reliable delivery. Messaging occurs over channels, and elements of message processing include message construction and parsing, the methods and architectures for connection, routing of messages, transforming messages for different protocols, and observation and management of the messaging system behavior and the quality of service.

Messages can represent data updates, events, commands, requests, or any other transactions. Messages may require some form of addressing or other control information to be embedded with the data, often in a message header, to allow systems to help route the messages to their correct destination. In some cases, messages may be large enough that they require assembly and disassembly at different points, or the messages may need to be queued for processing as they move from senders to recipients. The architecture used for the messaging is also a design choice; alternative design patterns include publish-subscribe, request/response, fan-out, point-to-point, databus, and survey messaging. Message queueing is a way to help implement these messaging design patterns.
Queueing supports interconnecting systems with disparate processing rates, although designers still need to consider how to deal with senders who outpace the processing capabilities of the receiver. Common issues in queue use include the need to optimize slow elements, the CPU cost of message handling, and avoiding lost messages or handling related exceptions (Kahan 2020). As messages arrive, are older messages dropped or moved to a secondary storage if a queue is filled, or do new incoming messages simply replace messages already queued but not processed? Mathematical assessments of queue capacity and rates can help determine where issues may occur, but regardless of this, processes that may slow, stop, or enter error conditions require special consideration of message handling approaches. There are a variety of existing message queuing approaches and open-source or commercial tools that can be applied in embedded and real-time applications, many of which provide support for common messaging patterns and tools to deal with message management (Hohpe and Woolf 2019). Options for providing message handling in applications can include: • Custom, say development of a circular buffer in C for a specific board-level message transaction

4 Interface Design for Embedded and Real-Time Systems


• RTOS elements, such as FreeRTOS message queues and mutual exclusion support
• Messaging frameworks, like ZeroMQ, that provide a socket-based messaging infrastructure
• Messaging brokers, like RabbitMQ or Apache Kafka, that provide an intermediary message broker between the message producer and consumer
• Language-based tools, like the Java Message Service
• Service-oriented platforms, like the Oracle SOA Suite
• Cloud-based systems, such as Amazon Simple Queue Service or Google Cloud Pub/Sub

In all such applications, the data in each message is represented as a byte stream embedded in the message structure. However, data may exist inside the applications as multi-field complex data representations, such as structures or objects. In those cases, the data must be encoded into a binary format to store in the data field of messages. Serialization is the process of converting the data object to a byte stream; deserialization reverses the process (Microsoft 2020). A number of different serialization techniques are available:
• Language-based serialization such as Java object input and output streams or Python pickles
• Serialization protocols, including JSON, XML, CSV, and YAML
• Serialization libraries, like MessagePack
• Message framing in ZeroMQ
• Custom binary serialization
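The two custom options above, a circular buffer in C and custom binary serialization, are shown together in the following added example, which is not code from the chapter. It makes the queue-full question explicit as a policy and counts what is lost; the record layout, the names, the four-slot queue size and the sample values are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical application record: the multi-field structure to be sent. */
typedef struct {
    uint16_t sensor_id;
    uint32_t timestamp_s;
    int16_t  value_centi;             /* reading in hundredths of a unit */
} reading_t;

#define READING_WIRE_LEN 8u           /* 2 + 4 + 2 bytes, big-endian, no padding */
#define QUEUE_SLOTS      4u           /* kept small so overflow is easy to trigger */

typedef enum { DROP_NEWEST, OVERWRITE_OLDEST } overflow_policy_t;

typedef struct {
    uint8_t  slot[QUEUE_SLOTS][READING_WIRE_LEN];
    size_t   head, count;             /* oldest message index, messages queued */
    uint32_t dropped;                 /* overflow losses, exposed for monitoring */
    overflow_policy_t policy;
} msg_queue_t;

/* Serialize field by field; a memcpy of the struct would put padding bytes and
   the sender's byte order on the wire. Returns bytes written, 0 if out is too small. */
size_t reading_serialize(const reading_t *r, uint8_t *out, size_t out_len)
{
    uint16_t v = (uint16_t)r->value_centi;
    if (out_len < READING_WIRE_LEN) return 0;
    out[0] = (uint8_t)(r->sensor_id >> 8);    out[1] = (uint8_t)r->sensor_id;
    out[2] = (uint8_t)(r->timestamp_s >> 24); out[3] = (uint8_t)(r->timestamp_s >> 16);
    out[4] = (uint8_t)(r->timestamp_s >> 8);  out[5] = (uint8_t)r->timestamp_s;
    out[6] = (uint8_t)(v >> 8);               out[7] = (uint8_t)v;
    return READING_WIRE_LEN;
}

/* Deserialize only an exactly sized buffer: received bytes are untrusted input. */
bool reading_deserialize(const uint8_t *in, size_t in_len, reading_t *r)
{
    if (in_len != READING_WIRE_LEN) return false;
    uint16_t v = (uint16_t)(((uint16_t)in[6] << 8) | in[7]);
    r->sensor_id   = (uint16_t)(((uint16_t)in[0] << 8) | in[1]);
    r->timestamp_s = ((uint32_t)in[2] << 24) | ((uint32_t)in[3] << 16) |
                     ((uint32_t)in[4] << 8)  |  (uint32_t)in[5];
    r->value_centi = (v & 0x8000u) ? (int16_t)((int32_t)v - 65536) : (int16_t)v;
    return true;
}

/* Returns false when the message was rejected (wrong size, or queue full under
   DROP_NEWEST). Not interrupt-safe: wrap calls in a critical section or mutex. */
bool queue_push(msg_queue_t *q, const uint8_t *msg, size_t len)
{
    if (len != READING_WIRE_LEN) return false;
    if (q->count == QUEUE_SLOTS) {
        q->dropped++;                              /* something is lost either way */
        if (q->policy == DROP_NEWEST) return false;
        q->head = (q->head + 1u) % QUEUE_SLOTS;    /* discard the oldest message */
        q->count--;
    }
    memcpy(q->slot[(q->head + q->count) % QUEUE_SLOTS], msg, READING_WIRE_LEN);
    q->count++;
    return true;
}

bool queue_pop(msg_queue_t *q, uint8_t *out, size_t out_len)
{
    if (q->count == 0 || out_len < READING_WIRE_LEN) return false;
    memcpy(out, q->slot[q->head], READING_WIRE_LEN);
    q->head = (q->head + 1u) % QUEUE_SLOTS;
    q->count--;
    return true;
}

/* Push six constructed readings (sensor_id 1..6) into the 4-slot queue and
   return the sensor_id of the first message the consumer then receives. */
uint16_t demo_oldest_after_burst(overflow_policy_t policy, uint32_t *dropped)
{
    msg_queue_t q = { .policy = policy };          /* remaining fields start at zero */
    uint8_t wire[READING_WIRE_LEN];
    reading_t r = { 0, 1700000000u, -1234 }, first;
    for (uint16_t id = 1; id <= 6; id++) {
        r.sensor_id = id;
        reading_serialize(&r, wire, sizeof wire);
        (void)queue_push(&q, wire, sizeof wire);   /* overflow is counted in q.dropped */
    }
    *dropped = q.dropped;
    if (!queue_pop(&q, wire, sizeof wire) || !reading_deserialize(wire, sizeof wire, &first))
        return 0;
    return first.sensor_id;
}

int main(void)
{
    uint32_t lost;
    return demo_oldest_after_burst(OVERWRITE_OLDEST, &lost) == 3 ? 0 : 1;
}
```

Under DROP_NEWEST the consumer still sees reading 1 first and the two newest readings are lost; under OVERWRITE_OLDEST it sees reading 3 first and the two oldest are lost. The dropped counter is what lets a monitoring path notice either case.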

5.3 Communications Protocols

Communication protocols define the way messaging is handled in a given infrastructure. Elements to define include whether the communication is synchronous (senders wait for receivers to process messages) or asynchronous (senders send messages without waiting); how messages are routed through the system, which defines in turn the structure of a message, including the header, contained data, or other particular fields needed; and how the specific message protocol defined performs send, receive, routing, and conversion tasks (Minerva et al. 2015). In practice, protocols are designed for the specific needs of the system’s communication. Also in practice, software libraries and coding examples for microprocessors, peripherals, RTOSes, etc. that handle the various protocols are readily available for most embedded development environments. The following discussion looks at the variety of communication protocols in general use, from communications between elements on a board or on a person, to devices separated by inches or miles, and on to the web and the cloud.


B. Montgomery

5.3.1 Low Level Communications

Low level communications protocols focus on short distance data transfers within (or adjacent to) a single device. Data transfer may be in parallel or serial, full- or half-duplex (i.e., can data be sent and received at the same time or not), synchronous or asynchronous, and differ in the data rates and distances available (Patrick 2002). Often the choice of a protocol at this level is driven by the type of sensor or ancillary device being connected. Examples of potential low-level protocols include:
• I2C (or I²C) – Inter-Integrated Circuit: a protocol often used between a microprocessor and an intermittently accessed device or sensor
• SPI – Serial Peripheral Interface: another board-level protocol used for elements that stream data
• UART – Universal Asynchronous Receiver/Transmitter: for asynchronous serial communication, often from a parallel data source
• 1-Wire: a protocol designed for simple contact applications
• Other custom integration protocols: like PCI Express (Peripheral Component Interconnect Express) for high-speed serial graphic data

5.3.2 IP Communications

Early in the chapter there was a discussion of the OSI seven-layer model for nested network communications (see Fig. 4). The IP (Internet Protocol) communications protocol and related protocols form the most widely used format, responsible for communications on the Internet and between devices (McEwen and Cassimally 2014). In the layered model, the IP protocol is a network layer protocol handling packets, where TCP and UDP are transport layer protocols responsible for data segments. TCP, Transmission Control Protocol, provides for complex but reliable segment routing, while the alternative, UDP (User Datagram Protocol), provides a simpler protocol for fire-and-forget messages. Like the different roles of UDP and TCP, other supporting protocols are in place at each communication layer, and selecting which specific protocol to use is application dependent. Besides driving modern web-based communications, the IP protocol family is also used in many cases as the basis for other specific IoT application protocols (Gerber and Romeo 2020). Messages in IP communications are made up of nested data elements, each with its own header to parse for a particular level of protocol. Parsing or populating these message headers can account for a significant amount of the processing needed at each level of a communications scheme, and many of the application protocols considered were designed to reduce such overhead for particular scenarios. As an example, compare the communication protocols used for IoT traffic, which may be tens or hundreds of bytes per second, with the significantly higher traffic loads of web and Internet applications: the communicating IoT devices may use a particular wireless protocol at the physical network level for a given device radio, or an IoT application protocol, such as MQTT (Message Queue Telemetry Transport), might be employed at the application layer to connect to message brokers.


5.3.3 M2M Wired and Wireless Protocols

When considering M2M protocols, the options for communication choices are often broken into types of networks largely differentiated by the range of communication. These include PANs (Personal Area Networks) where devices are directly adjacent to each other or a person; LANs (Local Area Networks) with devices in a room or a home, tens of meters apart; WLANs (Wireless Local Area Networks) which may extend connectivity to a building and hundreds of meters; and finally WANs (Wide Area Networks) of several kilometers (Mitchell 2020). Another differentiator is the use of wired vs. wireless connections between the communicating devices. Wired communications are generally used for WANs or smaller areas, with the most common protocols being Ethernet and USB (Universal Serial Bus), as well as older serial protocols such as RS-232 and RS-485 (Kumari 2020). Ethernet varies in speeds from 10 Mbps up to 10 Gbps and can be configured in bus or star topologies using standard IP-based hubs, repeaters, and other networking hardware. USB is common for local connections of desktop computers and peripherals, including printers, gaming devices, or mobile phones in a bus configuration with hub-based branches. Support for implementing these protocols with communication hardware subsystems, software libraries, and interfaces for cabling devices is readily available. With the rise of wireless consumer devices and cellular phone systems, wireless communication has become expected and commonplace for interconnecting devices. There is a wide variety of wireless PAN and LAN protocols in use, again depending on application requirements, range needed, and data rates (Schatz 2016). Many commercial chipsets, development kits, and software libraries are available for integrating the protocols into connected devices.
Typical wireless PAN/LAN protocols include:
• Bluetooth – a 2.4 GHz PAN protocol often used for low energy device to device communications; Bluetooth is extending into LAN use with Bluetooth Mesh
• ANT & ANT+ – another 2.4 GHz PAN protocol for networks of devices
• NFC (Near Field Communications) – a PAN protocol at 13.56 MHz with very short range, used in some credit card and related device transactions
• RFID (Radio Frequency IDentification) – a variety of PAN protocols for short range powered and unpowered devices and tags
• WiFi (IEEE 802.11 a, b, g, n) – a series of versions of the ubiquitous protocol most used in wireless LANs at homes and businesses for Internet communication at 2.4 and 5 GHz
• ZigBee and Z-Wave – popular home automation mesh network protocols in the 900 MHz and 2.4 GHz bands
• And many others

Wireless WAN and LPWAN (Low Power WAN) protocols are differentiated by, in some cases, requiring a commercial carrier to support the communications, and generally require more sophisticated RF support for antennas, processors, and power management. Typical protocols for devices here include:
• LoRaWAN – an end-to-end encrypted IoT protocol with RF communication in the unlicensed 900 MHz bands (in the United States); data rates are from 250 bps to 50 Kbps between edge devices and gateways
• SigFox – SigFox-based devices communicate from IoT devices to specialized base station and cloud networks for a subscription-based cost model for messages; extremely low power; small message sizes (14 byte header, 12 byte payload)
• NB-IoT – a cellular LTE-based protocol, carried into new 5G cellular networks, allowing half-duplex data transmission for low data rates (∼50 Kbps) and up to 10 years or more battery life
• LTE-M – a precursor to NB-IoT, LTE-M is also a cellular protocol intended for lower-rate (∼370 Kbps) non-voice data communications to reduce the power and communications costs for IoT systems
• 4G and 5G Cellular modems – communication using standard cellular telephony modems; generally expensive for low-volume IoT-style communications, but provide higher bandwidth for complex data streams

Note that developing and deploying wireless, or RF (Radio Frequency), connected devices can be challenging. Technically, RF antenna design and signal filtering and processing can be some of the most difficult electrical engineering challenges. In most cases, commercial products can be brought to market more quickly by using off-the-shelf development kits, specialized microprocessors, and standard communication libraries. RF communication by devices is heavily regulated in most countries, and some communications spectrum may only be used with a fee-based license. Even in unlicensed bands, regulatory rules govern spectrum use, power output, and duty cycle limits. In the United States, wireless communication is managed by the FCC (the Federal Communications Commission) which defines testing and certification requirements for commercial radio devices (FCC 2021). Even prototype devices may in some cases require FCC mandated labeling. Most countries (or international bodies, like the EU) have their own certification requirements that radio products must meet prior to commercial sales.

5.3.4 IoT Application Protocols

There are several messaging protocols most often employed in development of IoT applications, in part because they are supported by popular system components such as messaging brokers or cloud-based IoT frameworks. The protocols are often differentiated by their use of standard REST (REpresentational State Transfer) methods for commands: GET, POST, PUT, DELETE, etc. Protocols implementing these REST commands are said to be RESTful, otherwise the protocol is RESTless. The most common IoT application protocols include:
• MQTT (Message Queue Telemetry Transport) – a lightweight RESTless messaging protocol available from all major cloud services; with a two byte header; works in a publish/subscribe manner with a broker, and has three levels of Quality of Service available to control message delivery; based on TCP/IP
• WebSocket – Based on HTTP(S) for initial connections; once established uses a RESTless small header for maintaining bidirectional persistent connections between a client and server; a single server can speak to many clients; can be combined with MQTT to reduce overall connection overhead
• CoAP (Constrained Application Protocol) – CoAP is a RESTful protocol based on UDP/IP with a small four byte header allowing for request/response transactions
• HTTP(S) (HyperText Transfer Protocol Secure) – HTTP is the standard application layer protocol for request/response communication used for most web transactions, generally using TLS (Transport Layer Security) for encryption of data
• Others (AMQP, XMPP, etc.)

Fig. 11 A typical IoT application leveraging cloud-based IoT framework services

In typical architectures of cloud-based IoT system frameworks, as provided by Amazon, Google, and Microsoft’s leading commercial cloud platforms, the IoT application protocols are used for IoT devices or gateways connecting into the cloud-based systems to provide data or conduct other messaging activities (Kurniawan 2018). Figure 11 shows an example configuration (like the IoT infrastructure provided by Amazon Web Services), where edge devices (with sensors or other data sources) send information to gateway devices. The gateways connect to defined and secured connections at the cloud service, often via an IoT application protocol such as MQTT. A cloud-based broker handles message traffic, routing incoming messages to a configured rules engine which routes the message to cloud-based services and applications. Similarly, external users may access elements of the overall application via apps or web connections into cloud-based APIs.
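The small headers of MQTT and CoAP listed above still have to be parsed from bytes that arrive off the network, so the following added example (not code from the chapter) shows bounds-checked parsers for the CoAP four-byte header and the MQTT fixed header, laid out as in the published CoAP (RFC 7252) and MQTT specifications. The struct names, error codes, the receiver-side `max_packet` cap and the sample byte strings are constructed for illustration; note that the MQTT fixed header is two bytes only while the remaining length is below 128 and can grow to five.

```c
#include <stddef.h>
#include <stdint.h>

enum { ERR_TRUNCATED = -1, ERR_FORMAT = -2, ERR_TOO_LARGE = -3 };

typedef struct {
    uint8_t  version, type, token_len;   /* type: 0 CON, 1 NON, 2 ACK, 3 RST */
    uint8_t  code_class, code_detail;    /* code c.dd, for example 0.01 = GET */
    uint16_t message_id;
} coap_hdr_t;

typedef struct {
    uint8_t  packet_type, flags;         /* for example type 3 = PUBLISH */
    uint32_t remaining_len;              /* bytes that follow the fixed header */
} mqtt_fixed_hdr_t;

/* Constructed sample messages, not captured traffic. */
static const uint8_t SAMPLE_COAP_GET[]     = { 0x41, 0x01, 0x12, 0x34, 0xAB };
static const uint8_t SAMPLE_MQTT_PUBLISH[] = { 0x32, 0x09, 0x00, 0x03, 't', '/', '1',
                                               0x00, 0x01, '2', '1' };
static const uint8_t SAMPLE_MQTT_LONG[]    = { 0x30, 0xC1, 0x02 };   /* length 321, no body */
static const uint8_t SAMPLE_MQTT_BADLEN[]  = { 0x30, 0xFF, 0xFF, 0xFF, 0xFF, 0x01 };

/* Parse the 4-byte CoAP header. Returns the offset of the first byte after the
   header and token, or a negative error code. */
int coap_parse_header(const uint8_t *buf, size_t len, coap_hdr_t *h)
{
    if (len < 4) return ERR_TRUNCATED;
    h->version   = buf[0] >> 6;
    h->type      = (buf[0] >> 4) & 0x03;
    h->token_len = buf[0] & 0x0F;
    if (h->version != 1) return ERR_FORMAT;       /* only version 1 is defined */
    if (h->token_len > 8) return ERR_FORMAT;      /* lengths 9..15 are reserved */
    if (len - 4 < h->token_len) return ERR_TRUNCATED;
    h->code_class  = buf[1] >> 5;
    h->code_detail = buf[1] & 0x1F;
    h->message_id  = (uint16_t)(((uint16_t)buf[2] << 8) | buf[3]);
    return 4 + h->token_len;
}

/* Parse the MQTT fixed header: one control byte, then a 1..4 byte variable
   length. max_packet is the receiver's own limit (an assumption of this
   example). Returns the fixed header length (2..5) or a negative error code. */
int mqtt_parse_fixed_header(const uint8_t *buf, size_t len, uint32_t max_packet,
                            mqtt_fixed_hdr_t *h)
{
    uint32_t value = 0, multiplier = 1;
    size_t i = 1;
    if (len < 2) return ERR_TRUNCATED;
    h->packet_type = buf[0] >> 4;
    h->flags       = buf[0] & 0x0F;
    if (h->packet_type == 0) return ERR_FORMAT;   /* packet type 0 is reserved */
    for (;;) {
        if (i > 4) return ERR_FORMAT;             /* length field is at most 4 bytes */
        if (i >= len) return ERR_TRUNCATED;
        uint8_t b = buf[i++];
        value += (uint32_t)(b & 0x7F) * multiplier;
        if ((b & 0x80) == 0) break;               /* continuation bit clear: done */
        multiplier *= 128;
    }
    h->remaining_len = value;
    if (value > max_packet) return ERR_TOO_LARGE; /* refuse before allocating or copying */
    if (len - i < value) return ERR_TRUNCATED;    /* body not fully received yet */
    return (int)i;
}

int main(void)
{
    coap_hdr_t c;
    mqtt_fixed_hdr_t m;
    int ok = coap_parse_header(SAMPLE_COAP_GET, sizeof SAMPLE_COAP_GET, &c) == 5
          && mqtt_parse_fixed_header(SAMPLE_MQTT_PUBLISH, sizeof SAMPLE_MQTT_PUBLISH, 1024, &m) == 2
          && mqtt_parse_fixed_header(SAMPLE_MQTT_LONG, sizeof SAMPLE_MQTT_LONG, 256, &m) == ERR_TOO_LARGE
          && mqtt_parse_fixed_header(SAMPLE_MQTT_BADLEN, sizeof SAMPLE_MQTT_BADLEN, 1024, &m) == ERR_FORMAT;
    return ok ? 0 : 1;
}
```

Checking the declared remaining length against a device-chosen cap before any buffer is sized from it keeps a single malformed or oversized packet from exhausting memory on a constrained gateway.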

5.4 Selection Criteria for Protocols

With so many possible communication protocols, how does an engineering design team down select to the right choices? Many of the choices may be driven by hardware or external system elements, by the environments where the devices are used, or by the consumers of the devices. But it is likely that a criteria-based decision process may be needed in some cases. The following is an original list of possible protocol elements to consider; clearly in practice this would be trimmed to the key criteria for the particular design and application.
• Proprietary vs. interoperable/open
• Message Size
• Latency
• Power for Processor Time
• Messaging type: Publish/Subscribe, Request/Response, Broadcast, etc.
• Known Strengths/Weaknesses
• Similar (or competing) product use
• Availability of tools, processors, development boards
• Vendor/source stability
• Cost, licensing, royalties
• Certifications provided and required
• Frequency/bandwidth use – Licensed/unlicensed
• Stage of lifecycle/age of protocol
• Network traffic characteristics (messages/second)
• Scalability and network size
• Topology/network architecture: Tree, Star, Mesh, etc.
• Power use/battery life
• Communications range (indoor/outdoor)
• Data rate
• International use
• Message ordering, IDs
• Packet prioritization
• Retransmissions/retries
• Security (authentication, authorization, accounting, encryption)
• Error detection and correction
• Data compression

5.5 APIs and Microservices

Typically, in a specific instance of a cloud-based system such as the one outlined in Fig. 11, APIs (Application Programming Interfaces) and microservices are created to provide, respectively, the system interface points and the single-purpose replaceable processing elements that make up such a system. APIs act much like a hardware abstraction layer (HAL) in an embedded device design (Beningo 2016): where a HAL allows lower level hardware changes by maintaining an interface layer to drivers and RTOS features, an API exposes functionality and component access to users but abstracts away the implementation and allows for changes over time. Modern APIs are generally based on one of two styles of standards (McEwen and Cassimally 2014):


• REST (REpresentational State Transfer)-based APIs – used with HTTP and CoAP, RESTful APIs are most common for web- or cloud-based connectivity, and provide a standard command set for requests and responses
• RPC (Remote Procedure Call) based APIs – provide a set structured request and response for any given operation from a single service endpoint – protocols for RPC APIs include SOAP (Single Object Access Protocol), XML-RPC, and JSON-RPC (with a structure based on the serialization approaches XML or JSON)

REST-based APIs have become very common, driven in part by introduction of standardized REST API tools for applications (such as Swagger and RAML, the RESTful API Modeling Language) and cloud systems (such as the AWS API Gateway) as well as the ease of integration with web-based applications. The most sophisticated of REST APIs allow for discovery of services, versioning of the API, and selection of input or output serialization formats. While it may not be intuitively obvious, designing an API for an application or device is an opportunity to assess the UX of working with the API; the usability of documentation for common tasks, and of applying the API in typical communication scenarios, could be assessed using hallway usability tests or other methods. Microservices are small independent deployable components, messaging and API based, and focused on a single set of functionalities (Amazon Web Services 2021). Microservices provide an alternative to monolithic multipurpose systems that cannot easily adapt to changes. The microservice architectural model supports the ability to provide modular elements easily bounded and replaced in a system, or to allow for such elements to have instances added or removed to respond to load changes and system performance. Successful microservices in a cloud-based system focus on their messaging and coupling as well as their cohesion in purpose. The combination of thoughtful API and microservice design can be a key to designing an effective network of connected and supported devices.

5.6 Closing Thoughts

In developing networks of embedded and real-time devices, the variety in messaging connections for monitoring, control, and data movement is immense. But much like selecting the best user interface for selected user scenarios, finding the right communication and messaging approaches for a design can be equally critical to success. Luckily, engineering teams can quickly prototype many elements of such systems, and often take advantage of open-source or commercial elements, to favor using or buying portions of a design over extensive development. Even for the most complex of multi-stage IoT systems with cloud support, much of the functionality of such systems can be added using configuration vs. code, making it easy to prototype multifaceted complex applications quickly by substituting single board computers for IoT device elements in early modeling.

6 Conclusion

There is no real ending. It’s just the place where you stop the story. – Frank Herbert

6.1 Closely Related Topics

This chapter provided methods and alternatives for providing user and messaging interfaces to embedded and real-time devices. But there are, of course, other considerations that can impact successful delivery of such devices – these considerations include project management, device production, and security concerns.

6.1.1 Project Management

In the discussion of initiation and planning for UX design efforts, there was an overview of minimum work needed to start a project (Lewis 2006). Not surprisingly, there is also significant work in maintaining a project’s progress and in bringing it to a successful delivery. Project managers must concentrate on project deliverables, understanding what they are, what state they are in, who is responsible for them, and any issues that might slow or stop their arrival. Project managers also must maintain a view of the health of the team members and dynamics, assess and mitigate risks, deal with issues as they arise, and keep stakeholders and sponsors up to date on the project status and needs. It remains a common occurrence that a project, especially a software or technology project, fails or does not meet the original delivery goals; good project management is the primary weapon for this fight.

6.1.2 Device Production

Producing any electronic device in quantity for commercial sales is a challenge. An outline of a typical manufacturing process (Cohen 2015) lists the many moving parts, not all of which may be under a company’s direct control: component engineering and supply chain management, design for manufacturing and assembly, manufacturing prototyping cycles, manufacturing test systems (which can often be as complex as, if not more so than, the device being produced), packaging, documentation and labeling, certification, and distribution. The engineering team’s attention to user experience and messaging connectivity means very little if the overall manufacturing and delivery cycle for the device is not carefully controlled.

6.1.3 Security Concerns

The elephant in every room where interfaces are being discussed or designed is security. How does the design protect from someone unauthorized accessing the device, changing its settings, modifying its firmware, breaking into its communication, spoofing its network connections, or using the device for something it was not meant to do? If a device is connected to a network that is in any way accessible, it is just a matter of time before someone who should not tries to talk to the device or the connected system in some way. And unfortunately, the tools needed for such work are readily available for unethical hackers: Kali Linux, Wireshark, simple electronics, hardware modules designed for penetration. IoT devices have attack surfaces via mobile or connected applications, their network connections, via the web or the cloud, and at the physical device itself. The OWASP (Open Web Application Security Project) security organization has a project (OWASP Foundation 2021) focused on IoT vulnerabilities and testing which is highly recommended for considering where to focus engineering efforts on device security issues. Underwriters Laboratories is another good source for IoT security principles and device certification approaches (Underwriters Laboratories 2017). Planning to include security as a key element of design cycles is essential for modern connected devices.

6.2 In Closing

This chapter reviewed aspects of interface design for embedded and real-time systems, including the nature of such design, UX processes and methods, user interface elements, and messaging interfaces. The goal was to present a case for a proper focus on this interface work by embedded engineers, to be considerate of how incrementally and iteratively design decisions are made, and to internalize the importance of involving actual users of the interfaces in their designs. The chapter also tries to provide easy access to the ever-wider variety of methods, components, and design choices available to employ as the interfaces and devices take shape. Engineering teams want to succeed – to develop devices that meet all their design goals, including providing key functionalities, a pleasant (and possibly differentiating) user experience, and reliable data transfer and communications. Hopefully, this review and some of the examples, methods, and guidelines presented here can help that success happen.

References

Amazon Web Services, Microservices (2021), https://aws.amazon.com/microservices/
Amazon.com, Alexa design guide: get started with the guide (2021), https://developer.amazon.com/en-US/docs/alexa/alexa-design/get-started.html
S. Axon, Google’s nest thermostat gets a redesign and a bunch of new features (2020), https://arstechnica.com/gadgets/2020/10/googles-nest-thermostat-gets-a-redesign-and-a-bunch-of-new-features/
Balsamiq Studios, Balsamiq (unpublished, 2021)
J. Beningo, Embedded basics - APIs vs. HALs (2016), https://www.beningo.com/embedded-basics-apis-vs-hals/
L. Buley, The User Experience Team of One (Rosenfeld, United States, 2013)
B. Buxton, Sketching User Experiences (Elsevier, Netherlands, 2007)
M. Charlier, Designing for connected products (2016), https://www.webexpo.net/prague2016/talk/designing-for-connected-products/#modal
A. Cockburn, Writing Effective Use Cases (Addison-Wesley, Germany, 2001)
A. Cohen, Prototype to Product: A Practical Guide to Getting to Market (O’Reilly, United States, 2015)
A. Cooper, The Inmates Are Running the Asylum (Sams Publishing, Switzerland, 1999)
C. Crane, Re-hashed: 27 surprising IoT statistics you don’t already know (2021), https://www.thesslstore.com/blog/20-surprising-iot-statistics-you-dont-already-know/
FCC, Equipment authorization (2021), https://www.fcc.gov/engineering-technology/laboratory-division/general/equipment-authorization#step1
A. Gerber, J. Romeo, Connecting all the things in the Internet of Things (2020), https://developer.ibm.com/technologies/iot/articles/iot-lp101-connectivity-network-protocols/
K. Herter, Y. Okuneva, SMUD’s Communicating Thermostat Usability Study (Herter Energy Research Solutions, 2014)
G. Hohpe, B. Woolf, Enterprise Integration Patterns (Pearson Education, United Kingdom, 2004)
G. Hohpe, B. Woolf, Messaging patterns overview (2019), https://www.enterpriseintegrationpatterns.com/patterns/messaging/index.html
J. Hughes, Practical Electronics: Components and Techniques (O’Reilly, Taiwan, 2015)
Information is Beautiful, Colours in culture (2021), https://www.informationisbeautiful.net/visualizations/colours-in-cultures/
Institute for the Future, Artifacts from the future (2021), https://www.iftf.org/what-we-do/artifacts-from-the-future/
M. Kahan, Improving your IBM MQ applications (2020), https://developer.ibm.com/components/ibm-mq/articles/mq-best-practices
S. Krug, Don’t Make Me Think, 2nd edn. (New Riders, United Kingdom, 2006)
P. Kruchten, Architectural blueprints - the “4+1” view model of software architecture. IEEE Softw. 12 (1995)
A. Kumari, Wired communication protocols (2020), https://electricalvoice.com/wired-communication-protocols/
A. Kurniawan, Learning AWS IoT (Packt, India, 2018)
P.A. Laplante, S.J. Ovaska, Real-Time Systems Design and Analysis: Tools for the Practitioner, 4th edn. (Wiley, India, 2012)
B. Lewis, Bare Bones Project Management: What You Can’t Not Do (IS Survivor, United States, 2006)
G. Ligertwood, Guerrilla testing: hallway usability tests for UX (unpublished, 2020)
A. Maurya, Running Lean, 2nd edn. (O’Reilly, United States, 2012)
K. McElroy, Prototyping for Designers (O’Reilly, United States, 2017)
A. McEwen, H. Cassimally, Designing the Internet of Things (John Wiley & Sons, Germany, 2014)
Menlo Innovations, High-Tech Anthropology®: balancing user and business goals to design solutions (2021), https://menloinnovations.com/services/high-tech-anthropology
Microsoft, Serialization (C#) (2020), https://docs.microsoft.com/en-us/dotnet/csharp/programming-guide/concepts/serialization/
R. Minerva, A. Biru, D. Rotondi, Towards a definition of the Internet of Things (IoT) (2015)
B. Mitchell, Introduction to LANs, WANs, and other kinds of area networks (2020), https://www.lifewire.com/lans-wans-and-other-area-networks-817376
J. Nielsen, Usability engineering at a discount, in Designing and Using Human-Computer Interfaces and Knowledge Based Systems (Elsevier, United States, 1989)
J. Nielsen, Usability 101: introduction to usability (2012), https://www.nngroup.com/articles/usability-101-introduction-to-usability/
J. Nielsen, 10 Usability heuristics for user interface design (unpublished, 2020)
D. Norman, The Design of Everyday Things (Doubleday/Currency, United States, 1990)
NXP Semiconductors, Graphical user interfaces for NXP microprocessors (2021), https://www.nxp.com/design/software/development-software/mcuxpresso-software-and-tools-/graphical-user-interfaces-for-nxp-microcontrollers:GRAPHICAL-USER-INTERFACES
OWASP Foundation, OWASP Internet of Things (2021), https://owasp.org/www-project-internet-of-things/
J. Patrick, Serial protocols compared (2002), https://www.embedded.com/serial-protocols-compared/
C. Pearl, Designing Voice User Interfaces (O’Reilly, China, 2017)
Project Management Institute, Practice Standard for Work Breakdown Structures, 2nd edn. (Project Management Institute, 2006)
Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK Guide), 6th edn. (Project Management Institute, United States, 2017)
ProjectManagement.com, Project brief (2021), https://www.projectmanagement.com/deliverables/231910/Project-Brief
QNX Software Systems, Setting up an embedded web server (2021), http://www.qnx.com/developers/docs/6.5.0_sp1/index.jsp?topic=%2Fcom.qnx.doc.neutrino_user_guide%2Fembedded_web_server.html
M. Ross, J. Nowicki, D. Soloman, L. Yarbrough, C. Schwendeman, Designing the User Experience (Poster) (Usability Professionals’ Association, 2000)
C. Rowland, E. Goodman, M. Charlier, A. Light, A. Lui, Designing Connected Products (O’Reilly, United States, 2015)
D. Saffer, Microinteractions (O’Reilly, United States, 2013)
J. Sauro, J. Lewis, Quantifying the User Experience: Practical Statistics for User Research (Morgan Kaufmann, Netherlands, 2012)
G. Schatz, The complete list of wireless IoT network protocols (2016), https://www.link-labs.com/blog/complete-list-iot-network-protocols
R. Selby, Software Economics, in Software Engineering: Barry W. Boehm’s Lifetime Contributions to Software Development, Management, and Research (IEEE, United Kingdom, 2007)
D. Silverstein, P. Samuel, N. DeCarlo, The Innovator’s Toolkit: 50+ Techniques for Predictable and Sustainable Organic Growth (John Wiley & Sons, United States, 2009)
C. Snyder, Paper Prototyping (Morgan Kaufmann, Netherlands, 2003)
S. Sullivan, Designing for Wearables (O’Reilly, United States, 2017)
J. Teel, Introduction to developing wearable technology devices (2019), https://predictabledesigns.com/introduction-to-developing-wearable-technology-devices/
U.S. Dept. of Health and Human Services, The research-based web design & usability guidelines (unpublished, 2006)
Underwriters Laboratories, IoT Security Top 20 Design Principles (Underwriters Laboratories, 2017)
E. White, Making Embedded Systems (O’Reilly, United States, 2011)

Part II Real-Time Scheduling Arvind Easwaran

5 Semi-partitioned Multiprocessor Scheduling
Björn Andersson

Contents
1 Introduction
2 System Model and Concepts
3 Implicit-Deadline Periodic Tasks
4 Implicit-Deadline Sporadic Tasks
5 Arbitrary-Deadline Sporadic Tasks
6 Comparison
7 Implementation Aspects
8 Conclusions
References

Abstract

It is often desirable to use a real-time scheduler for multiprocessors so that the scheduler (i) can meet deadlines even at high processor utilization and (ii) generates few preemptions. Semi-partitioning (or task-splitting) is an idea to achieve this. This chapter explains this idea and lists papers in the area.

1

Introduction

It is often desirable to use a real-time scheduler for multiprocessors so that the scheduler generates few preemptions and deadlines are met even at high processor utilization. Traditionally, the research literature offered two categories of schedulers: partitioned scheduling and global scheduling. With partitioned scheduling, each

B. Andersson, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, USA. © Springer Nature Singapore Pte Ltd. 2022. Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_2


task is assigned a processor, and a task does not migrate between processors. With global scheduling, tasks that are ready for execution are stored in a queue shared between processors, and, hence, a task can migrate between processors. Partitioned schedulers generate few preemptions and no migrations, but there are tasksets that utilize just above 50% of the entire processing capacity yet fail to meet deadlines. There are global schedulers that can be proven to succeed in scheduling tasksets that utilize more than 50% of the entire processing capacity, but they tend to generate a large number of preemptions. For this reason, researchers have sought an alternative approach called semi-partitioned scheduling (also called Task-Splitting) aiming to combine the best from partitioned and global scheduling. Semi-partitioned scheduling generates few preemptions and deadlines are met even at high processor utilization. In order to understand how semi-partitioned scheduling works and how it differs from partitioned and global scheduling, consider the following example: Consider n tasks to be scheduled on m processors where n = m+1. Assume that each task generates a sequence of jobs, the arrival time of jobs from the same task is separated by one time unit, and each job requires 1/2 +  time units of execution (not necessarily contiguously). (Here  is some number strictly greater than 0 and at most 1/6.) And assume that each job must finish its execution at most one time unit after its arrival. Suppose that at time zero, all these n jobs arrive. Hence, each job must finish 1/2 +  units of execution before time 1. Let us now discuss how to schedule these jobs with partitioned scheduling. With partitioned scheduling, a task is assigned to a processor, and then all jobs of this task execute on this processor. It is easy to see that in a time interval of sufficiently large duration, each task utilizes 1/2 +  of a processor’s capacity. 
Since there are m + 1 tasks and m processors, it follows that there is at least one processor to which at least two tasks are assigned. Since each task must utilize 1/2 +  of this processor’s capacity and there are at least two tasks assigned to this processor, it follows that these tasks must utilize at least 1 + 2 of this processor’s capacity in order to meet deadlines. Clearly, it is impossible for two or more tasks to utilize more than the processor’s capacity. Hence, there is at least one deadline miss. This example illustrates a performance limitation of partitioned scheduling. Let us now discuss how to schedule these jobs with global scheduling. Consider global scheduling where jobs have been assigned fixed priorities and priorities are unique. Then at time zero, m jobs start to execute, and they execute until time 1/2 + . Then at time 1/2 + , the lowest priority job starts to execute, and it executes until time 1. At time 1, this lowest priority job has executed for 1/2 −  time units, and it has not yet finished (because its execution time is 1/2 + ). The deadline of this lowest priority job is at time 1, and it has not finished by this time. Thus, it misses its deadline. This reasoning can be repeated for any value of  and for any value of m. Letting m approach infinity and choosing  to be arbitrarily small yields a deadline miss, and 1/2 of the entire processing capacity is utilized. This example illustrates a performance limitation of global scheduling where jobs have fixed priorities. One can alleviate this performance limitation by using other


global schedulers that do not use fixed priorities but those that are available in the literature tend to generate a large number of preemptions. Semi-partitioned scheduling addresses these performance limitations by allowing some tasks to be split between processors. For example, among the m + 1 tasks, we can take m tasks and assign them one processor each, and then take the last task and split it into pieces and then assign these pieces to different processors. In this way, we can ensure that no processor is requested for more than 100% of its capacity. Note that splitting is an idea for generating the schedule; there is no need to modify the actual programs. We will present the main ideas behind semi-partitioned scheduling, present schedulers known in the research literature, and present performance bounds. Before doing so, however, it is necessary to introduce the system model we will use.

2 System Model and Concepts

System model Consider the problem of scheduling a taskset τ on m identical processors. The tasks are described with the sporadic task model (Mok 1983); that is, a task τi ∈ τ is characterized by Ti , Di , and Ci , with the interpretation that τi generates a sequence of jobs where the arrival times of two consecutive jobs of τi are separated by at least Ti . The absolute deadline of a job of τi is Di time units after the arrival time of this job. A job of τi is requested to execute a certain amount of time in order to finish, and this time is at most Ci . If a job finishes later than its absolute deadline, then we say that the job misses its deadline; otherwise, we say that the job meets its deadline. It is assumed that a job can be preempted (i.e., its execution can be interrupted, and then later it may resume execution at the point in the program where it was interrupted). It is assumed that a job is permitted to migrate; that is (i) a job of a task τi may start execution on another processor than the processor on which the preceding job of τi executed on, and (ii) when a job resumes after preemption, it may resume on another processor than the one it executed on just before being preempted. We require that for each job, for each instant, at this instant, the job executes on at most one processor (i.e., no job parallelism). We say that a taskset is an implicit-deadline sporadic taskset if for each task τi ∈ τ , it holds that Di = Ti . We say that a taskset is a constrained-deadline sporadic taskset if for each task τi ∈ τ , it holds that Di ≤ Ti . If no such restrictions apply, then we say that the taskset is an arbitrary-deadline sporadic taskset. If for each task τi ∈ τ it holds that the arrival times of two consecutive jobs of τi are separated by exactly Ti , then we say that the taskset is periodic. Unless otherwise stated, we assume that the run-time overhead of preemptions and dispatching in the scheduler is zero. 
And we assume that the execution of one job does not impact the execution time of other jobs (e.g., through cache-related preemption delay or contention for the memory bus). We say that a system is schedulable with respect to scheduler A if for each schedule that the system can


generate with A, it holds that all deadlines are met. In figures, we let an arrow pointing upward indicate the arrival of a job.

Concepts We define the utilization of a task τi as Ci/Ti. Let $UB_A$ be a number such that for each system such that $\frac{1}{m} \cdot \sum_{\tau_i \in \tau} C_i/T_i \le UB_A$ it holds that the system is schedulable with respect to A. We say that scheduler A has utilization bound $UB_A$. We let earliest deadline first (EDF) denote a scheduler (Liu and Layland 1973). On a single-processor system, EDF works as follows: If at time t there is at least one job ready for execution, then the job selected for execution at time t is a job that has absolute deadline at least as early as the other jobs that are ready for execution. We let rate monotonic (RM) denote another scheduler (Liu and Layland 1973). On a single-processor system, RM works as follows: If at time t there is at least one job ready for execution, then the job selected for execution at time t is a job for which Ti of the task that generated the job is at least as small as the Ti of the tasks whose jobs are ready for execution.

With these concepts and notations, we are ready to discuss semi-partitioned scheduling. We will start with the simplest model, then study increasingly more complex models, and then discuss implementation aspects. We will discuss (i) how tasks are assigned to processors and split and (ii) how run-time dispatching is performed. The former can be seen as a packing problem. For the latter, it is important to make sure that for each split task, it holds that at each instant, there is no job that executes simultaneously on two or more processors.

3 Implicit-Deadline Periodic Tasks

For the purpose of our discussion, consider the implicit-deadline periodic taskset mentioned in the introduction. Specifically, consider a computer system with m processors and n tasks with n = m + 1 and where the tasks are characterized as follows:

T1 = 1      D1 = 1      C1 = 1/2 + 
T2 = 1      D2 = 1      C2 = 1/2 + 
...
Tm = 1      Dm = 1      Cm = 1/2 + 
Tm+1 = 1    Dm+1 = 1    Cm+1 = 1/2 + 

where  is a real number in (0,1/6]. Assign task τ1 to processor 1; assign task τ2 to processor 2; and so on; and assign task τm to processor m. We now face the question: to which processor should τm+1 be assigned? It can be seen that if τm+1 is assigned to exactly one processor, then this processor would have a utilization 1 + 2 and hence a deadline will be missed. We can, however, split task τm+1 into τ′m+1 and τ″m+1 so that


T′m+1 = 1    D′m+1 = 1    C′m+1 = 1/2 − 
T″m+1 = 1    D″m+1 = 1    C″m+1 = 2.

Note that with this split, the utilization of τ′m+1 plus the utilization of τ″m+1 equals the utilization of τm+1. Also note that with this split, we can assign τ′m+1 to one processor and assign τ″m+1 to another processor; with this assignment, it holds that for each processor, the utilization of the processor is at most 100%. It is known from real-time scheduling theory on a single processor that if an implicit-deadline periodic taskset utilizes at most 100% of the capacity of a single processor and EDF is used, then all deadlines are met (Liu and Layland 1973). For this reason, it seems like a good idea to split task τm+1 into τ′m+1 and τ″m+1 as mentioned above and assign τ′m+1 and τ″m+1 to processors as mentioned above and then use EDF scheduling on each processor. This would generate a schedule in which all deadlines are met. It schedules τ′m+1 and τ″m+1, and we can imagine the times when τ′m+1 or τ″m+1 execute as being times when instead τm+1 executes. In this way, we have a schedule in which the original set of tasks (τ1, τ2, ..., τm, τm+1) meet their deadline.

There is, however, one complication that needs to be dealt with. Since τ′m+1 and τ″m+1 are assigned to different processors and each processor performs scheduling independently of other processors, it can happen that τ′m+1 and τ″m+1 execute at the same time. This is equivalent to saying that there may be times when τm+1 executes on two processors simultaneously. Recall, however, from the system model that we require that at each instant, there is no task that executes simultaneously on two or more processors. Thus, we must modify the above ideas; we must design a scheduler to ensure that τ′m+1 and τ″m+1 do not execute simultaneously.

Suppose that we could form timeslots of arbitrarily small duration. Let [t0, t1] denote one such time interval. Then we could execute τ′m+1 on one processor in the end of a timeslot and execute τ″m+1 in the beginning of a timeslot but on another processor (see Fig. 1). Formally speaking, we would execute τ′m+1 during the time interval [t1 − (t1 − t0) · C′m+1/T′m+1, t1] on one processor, and we would execute τ″m+1 during the time interval [t0, t0 + (t1 − t0) · C″m+1/T″m+1] on another processor. Such a scheduling would offer two good properties:

[Figure: timelines for Processor 1 and Processor 2 over two consecutive timeslots, showing the execution of τ′m+1 and τ″m+1; horizontal axis: time]

Fig. 1 Semi-partitioned scheduling with timeslots


1. If we consider a time interval of duration L and L is much larger than the duration of a timeslot, then τ′m+1 executes for L · C′m+1/T′m+1 time units and τ″m+1 executes for L · C″m+1/T″m+1 time units. This is equivalent to stating that if we consider a time interval of duration L and L is much larger than the duration of a timeslot, then τm+1 executes for L · Cm+1/Tm+1 time units. (Here, we used the fact that C′m+1/T′m+1 + C″m+1/T″m+1 = Cm+1/Tm+1; this fact follows from the way we do the splitting.) If L = Tm+1, this yields that τm+1 executes for Cm+1 time units and hence each job of τm+1 meets its deadline.
2. If we consider a time interval of duration L and L is much larger than the duration of a timeslot, then the amount of time when τ′m+1 does not execute is L · (1 − C′m+1/T′m+1) time units. Hence, for the processor on which τ′m+1 is assigned, the other tasks assigned to this processor behave as if they execute on a processor of speed 1 − C′m+1/T′m+1 assuming that the other tasks have parameters much larger than the duration of the timeslot.

Clearly, using timeslots of arbitrarily small duration would lead to a very large number of preemptions; this is something we would like to avoid. One can observe, however, that for implicit-deadline periodic tasks (which is what we assume in this subsection), we can form timeslots that are potentially of different duration and a timeslot begins when a job arrives and the timeslot ends when a subsequent job (potentially from another task and potentially from another processor) arrives. With such timeslots (synchronized with job arrivals), one can show that the same two good properties mentioned above hold for each time interval starting with a job arrival and ending with a job arrival. One could design a scheduling algorithm based on this idea (of using task-splitting and variable-duration timeslots that begin at job arrivals). Figure 2 shows it for an example where τ1 is assigned to processor 1, τ2 is assigned to processor 2, and τ3 is split between processor 1 and processor 2. Indeed, the research literature offers an algorithm (called EKG; Andersson and Tovar 2006) which is based on these ideas. EKG uses three additional ideas, however, which further improve its performance (in terms of reducing the number of preemptions). These are grouping, mirroring, and utilization separation; these are described next.

[Figure: timelines for Processor 1 and Processor 2 showing the execution of τ1, τ2, and τ3, with job arrivals of τ1, τ2, and τ3 marked; horizontal axis: time, with ticks at 0, 1, 1.5, and 2]

Fig. 2 Semi-partitioned scheduling where a timeslot begins when a job arrives. Periodic tasks


Grouping: Clearly, task-splitting helps to meet deadlines, but it also increases the number of preemptions as compared to partitioned scheduling. Since each new job arrival generates a new timeslot, it follows that each new job arrival generates a new preemption on all the m processors. Therefore, it is advantageous to partition the set of tasks into groups and let each group be assigned certain processors. With this grouping, a job arriving does not cause a preemption on jobs/processors of other groups.

Mirroring: Determining if a job meets its deadline is equivalent to considering a time interval from the arrival of the job until the deadline of the job and checking if the execution that the job performs in this time interval is equal to the requested execution time. Consider two consecutive time intervals [t0, t1] and [t1, t2] such that no job arrives within (t0, t1) and no job arrives within (t1, t2). Assume that deadlines are met. Then we can rearrange the schedule within [t0, t1], and we can rearrange the schedule within [t1, t2] as long as the amount of time allocated to each job in each of these time intervals is the same as before this rearrangement. Then after this rearrangement, deadlines are still met. This observation has a bearing on split tasks. Consider the case that τ′m+1 executes in the end of [t0, t1] and in the end of [t1, t2] and τ″m+1 executes in the beginning of [t0, t1] and in the beginning of [t1, t2]. Based on the above observation, let us rearrange the execution of split tasks in [t1, t2] so that τ′m+1 executes in the beginning of [t1, t2] and τ″m+1 executes in the end of [t1, t2]. If deadlines were met before, then deadlines are met after. But after this rearrangement, there are fewer preemptions. It can be seen that for the schedule of the split tasks, the schedule for [t1, t2] is a (scaled) mirror of the schedule for [t0, t1]. Applying this idea to the schedule in Fig. 2 leads to the schedule in Fig. 3. It can be seen that in Fig. 2, there is a preemption at time 1; but in Fig. 3, there is no preemption at time 1.

Utilization separation: If a taskset has some tasks with high utilization and some with low utilization, then it is advantageous to start by assigning the tasks with high utilization without splitting, and then assign the tasks with low utilization after and only split if needed. For this reason, it is advantageous to separate tasks into heavy

[Figure: timelines for Processor 1 and Processor 2 showing the execution of τ1, τ2, and τ3, with job arrivals of τ1, τ2, and τ3 marked; horizontal axis: time, with ticks at 0, 1, 1.5, and 2]

Fig. 3 Semi-partitioned scheduling where a timeslot begins when a job arrives. Periodic tasks. Scheduling using mirroring


tasks and light tasks, where heavy tasks are tasks whose utilization is greater than a certain threshold and light tasks are other tasks.

In summary: EKG uses five ideas: (i) task-splitting, (ii) timeslots synchronized with job arrivals, (iii) grouping, (iv) mirroring, and (v) utilization separation. The name EKG is derived from the observation that it uses EDF scheduling with task-splitting and has k processors in a group. EKG has proven performance bounds (Andersson and Tovar 2006). If processors are organized into groups such that each group (except the last one) has k processors, the utilization bound of EKG is k/(k + 1). If the processors are organized into one single group (i.e., k = m), then the utilization bound of EKG is 1. EKG also offers an upper bound on the number of preemptions.

Historical perspective The EKG algorithm was the one that made the research community start working seriously on task-splitting. However, some related ideas were presented before. A scheduler in Anderson et al. (2005) used the idea of task-splitting, but it did not use the other ideas; it scheduled split tasks as follows: A split task is given a ratio (e.g., x/y) so that it executes x of its jobs on one processor and y of its jobs on the other processor and then repeats this pattern. This is a more coarse-grained form of scheduling a split task, and as a result, it does not offer any hard real-time guarantees. It offered a tardiness bound though; this is a bound on how much later a job can finish after its absolute deadline. It was shown that even for tasksets with 100% utilization, this tardiness bound is respected.
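The splitting, timeslot placement and mirroring described in this section can be checked numerically. The following is an added example, not code from the chapter or from EKG: it names the small positive quantity of the text `eps`, uses a constructed instance (m = 3, eps = 1/10, slot boundaries 0, 1, 3/2, 2), and assumes that mirroring alternates the order of the two pieces slot by slot.

```python
from fractions import Fraction as F


def first_fit(utils, m):
    """Partitioned scheduling: place each task whole on the first processor
    with room. Returns per-processor loads, or None if a task fits nowhere."""
    loads = [F(0)] * m
    for u in utils:
        for p in range(m):
            if loads[p] + u <= 1:
                loads[p] += u
                break
        else:
            return None
    return loads


def split_last_task(m, eps):
    """tau_1..tau_m get one processor each; tau_{m+1} is split into a prime
    piece (1/2 - eps) placed on processor 0 and a double-prime piece (2*eps)
    placed on processor 1. Returns (loads, u_prime, u_dprime)."""
    u = F(1, 2) + eps
    u_prime, u_dprime = F(1, 2) - eps, 2 * eps
    loads = [u] * m
    loads[0] += u_prime
    loads[1] += u_dprime
    return loads, u_prime, u_dprime


def split_windows(boundaries, u_prime, u_dprime, mirror=False):
    """Execution windows of the two pieces in each timeslot [t0, t1].
    Default: prime piece at the end of the slot, double-prime piece at the
    beginning. With mirror=True every second slot swaps the two positions
    (alternation is an assumption of this example)."""
    prime, dprime = [], []
    for k, (t0, t1) in enumerate(zip(boundaries, boundaries[1:])):
        a = (t1 - t0) * u_prime
        b = (t1 - t0) * u_dprime
        if mirror and k % 2 == 1:
            prime.append((t0, t0 + a))
            dprime.append((t1 - b, t1))
        else:
            prime.append((t1 - a, t1))
            dprime.append((t0, t0 + b))
    return prime, dprime


def runs_in_parallel(prime, dprime):
    """True if the split task would ever execute on both processors at once."""
    return any(max(p[0], d[0]) < min(p[1], d[1]) for p in prime for d in dprime)


def segments(windows):
    """Merge back-to-back windows; each remaining segment is one
    uninterrupted stretch of execution of that piece."""
    merged = []
    for start, end in sorted(w for w in windows if w[0] < w[1]):
        if merged and merged[-1][1] == start:
            merged[-1] = (merged[-1][0], end)
        else:
            merged.append((start, end))
    return merged


# Constructed input: three processors, eps = 1/10, timeslots delimited by
# job arrivals at 0, 1 and 3/2, with the last slot ending at 2.
M, EPS = 3, F(1, 10)
BOUNDARIES = [F(0), F(1), F(3, 2), F(2)]

if __name__ == "__main__":
    print("partitioned:", first_fit([F(1, 2) + EPS] * (M + 1), M))
    loads, up, ud = split_last_task(M, EPS)
    print("loads after splitting:", loads)
    for mirror in (False, True):
        pr, dp = split_windows(BOUNDARIES, up, ud, mirror)
        print("mirror" if mirror else "plain ", runs_in_parallel(pr, dp),
              len(segments(pr)), len(segments(dp)))
```

With mirroring, each piece runs in two uninterrupted stretches over [0, 2] instead of three, which is the preemption saved at each slot boundary where the order flips.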

4 Implicit-Deadline Sporadic Tasks

Recall that the scheduler EKG (presented in the previous section) takes advantage of the fact that future job arrivals and deadlines are known because periodic tasks are assumed. But for sporadic tasks, this is not true. Therefore, one may ask: how should EKG be modified to allow sporadic tasks? We can adapt EKG to sporadic tasks with the following reasoning. First, use timeslots of fixed duration that are not synchronized with job arrival times. Second, because the timeslots are not synchronized with job arrival times, the mirroring techniques cannot be used either. Third, the justification of the grouping technique was that we want a job arrival to only cause preemptions on other jobs assigned to the same group (of processors). But since now we use timeslots that are not synchronized with job arrivals, this advantage disappears. Based on the above reasoning, researchers have developed a scheduler (Andersson and Bletsas 2008) for implicit-deadline sporadic tasks. It works as follows: Let S denote the timeslot duration and let δ be a parameter that can be selected by the designer (a reasonable choice is δ = 4). Then choose the timeslot duration, S, as $S = \frac{\min_{\tau_i \in \tau} T_i}{\delta}$. With S given, divide time into timeslots so that one timeslot is the time interval [0, S], another timeslot is the time interval [S, 2S], another timeslot is the time interval [2S, 3S], and so on. The starting times of these timeslots are synchronized across processors. A timeslot of duration S is subdivided into three


subintervals. These subintervals, however, may be different on different processors. For processor p, the first subinterval is used to execute the task that is split between processor p and processor p − 1; if no such task exists, then this subinterval has duration zero. For processor p, the third subinterval is used to execute the task that is split between processor p and processor p + 1; if no such task exists, then this subinterval has duration zero. For processor p, the second subinterval is used to execute tasks that are assigned to processor p and are not split. These tasks are scheduled with EDF on this second subinterval, and these tasks are also allowed to execute with lower priority on the first and third subinterval. This scheduler had no name originally, but since the scheduler extended EKG, later research referred to it as Sporadic EKG (S-EKG). It was shown (Andersson and Bletsas 2008) that S-EKG has the utilization bound $4 \cdot (\sqrt{\delta \cdot (\delta + 1)} - \delta) - 1$. And if S is selected to be the greatest common denominator of the minimum interarrival times of tasks, then S-EKG has the utilization bound 1. An upper bound on the number of preemptions was also shown (Andersson and Bletsas 2008). With the idea of task-splitting being established for hard real-time systems, researchers began using this idea in new innovative ways to attain better performance, particularly to reduce the number of preemptions. A key observation is that if one task has very small T but all other tasks have much larger T, then the timeslot duration will be small (follows from our rule for sizing the timeslot, $S = \frac{\min_{\tau_i \in \tau} T_i}{\delta}$). For this case, each task τk that is not the task with smallest T will experience a number of preemptions that is approximately proportional to $T_k/S$; this can be rewritten as $\frac{T_k \cdot \delta}{\min_{\tau_i \in \tau} T_i}$. It can be seen that for tasksets where $T_k \gg \min_{\tau_i \in \tau} T_i$ and δ is large, this generates many preemptions.
For this reason, it is worth asking whether split tasks can be scheduled without having timeslots. Kato et al. presented an approach (called portioned scheduling; Kato and Yamasaki 2007, 2008a, b) that does not use timeslots. Instead, this approach schedules non-split and split tasks with a normal uniprocessor scheduler and suspends the double-prime piece of a task when the prime piece of the task executes; in this way one can be sure that a split task does not execute on two processors simultaneously. The goal of this work is to have few preemptions in simulation experiments, but it does not aim to find upper bounds on the number of preemptions. Two of these schemes, Ehd2-SIP (Kato and Yamasaki 2007) and RMDP (Kato and Yamasaki 2008b), offer no improvement in utilization bound (it is 50%), but one, EDDP (Kato and Yamasaki 2008a), offers better utilization bound (65%). The specifics of these schemes are as follows: Ehd2-SIP sorts tasks in ascending order of Ti and then tasks are assigned (split if needed) in that order. Run-time scheduling is based on EDF, but the double-prime piece has the highest priority. RMDP sorts tasks in ascending order of Ti and then tasks are assigned (split if needed) in that order. Run-time scheduling is based on RM; it follows from RM that the second piece has the highest priority. EDDP separates tasks into heavy or light and assigns all heavy tasks to dedicated processors (so that for each of these processors, there is only one task assigned) and lets all the light tasks be scheduled on the other processors. Run-time scheduling is based on EDF, but the double-prime piece has artificially shorter deadline in order to give it higher priority. These schemes (Kato and Yamasaki 2007,


2008a, b) have in common that the average number of preemptions of these schemes is smaller than the slot-based ones, but it is not clear whether their worst-case bounds are better. Another approach for scheduling is to schedule split-pieces with a normal uniprocessor scheduler and let the double-prime piece arrive when the prime piece finishes execution. This scheduling has the advantage that the number of preemptions can be bounded, and it is also reasonably simple to implement. This became known as semi-partitioning (Kato and Yamasaki 2009). Unfortunately, the paper Kato and Yamasaki (2009) did not prove any utilization bound. But the idea of semi-partitioning inspired researchers to create new schedulers (Kato et al. 2009b; Lakshmanan et al. 2009; Guan et al. 2010; Santos et al. 2013), and some of them have proven utilization bounds. Specifically, Lakshmanan et al. presented a semi-partitioned scheduler (Lakshmanan et al. 2009) with utilization bound 60% and another one with utilization bound 65%. Guan et al. presented a semi-partitioned scheduler (Guan et al. 2010) with utilization bound 69%. Santos et al. presented a semi-partitioned scheduler (Santos et al. 2013) with utilization bound 75%. The specifics of these schedulers (Lakshmanan et al. 2009; Guan et al. 2010; Santos et al. 2013) are as follows: Lakshmanan et al. (2009) presented two schedulers, PDMS_HPTS and PDMS_HPTS_DS. Both of them use fixed-priority preemptive scheduling, and priorities are assigned with deadline monotonic (DM) (Leung and Whitehead 1982), and the highest-priority task is the one that is split. They differ in that PDMS_HPTS uses bin-packing where tasks are not sorted in any particular order, whereas PDMS_HPTS_DS performs bin-packing by first sorting tasks in descending order of utilization. Guan et al. (2010) present two schedulers, SPA1 and SPA2. The utilization bound of SPA2 is 0.69; the utilization bound of SPA1 is 0.69 if each task has utilization not too high.
The main idea of SPA1 is to first sort tasks in descending order of T and then assign tasks with worst-fit (i.e., assign a task to the processor with the lowest utilization). The reason for sorting tasks in descending order of T is that the main challenge is to schedule split tasks, and if we sort tasks in descending order of T , then the tasks that get split are the ones with the smallest T (and hence highest priority). The pieces of a split task are categorized as body or tail. A tail is the last piece of a task (i.e., the one that arrives when all other pieces have finished execution). A body is any other piece. Since a piece arrives when all preceding pieces have finished, it holds that a piece will have shorter deadline than its minimum interarrival time. As a result, for a split task, among the pieces of this task, the tail piece is the one with the shortest deadline. Therefore, an important challenge is to assign and split tasks so that for tasks that are split, its tail piece meets its deadline. The paper observes that if a task has sufficiently small utilization, then the tail piece has enough slack, and then it meets its deadline. With this observation, the paper proves that if the tasks that get split have sufficiently small utilization, then it holds that the utilization bound of the algorithm is 0.69—this is the same as RM scheduling on a single processor. The paper also presents an improvement of SPA1; this improved algorithm is called SPA2—which has better assignment to deal with the issue that the tail piece of a split task may have a small


deadline. Santos et al. (2013) presented a scheduler HIME, meaning HIghest-priority Migration Managed by EDF. It uses EDF scheduling on each processor, split tasks are assigned the highest priority, and split tasks have the smallest T. It assigns tasks to processors and performs splitting as follows. First tasks are sorted in descending order of utilization. Then, tasks are considered one by one in that order. If, for the current task, there is no processor to which it can be assigned so that a schedulability test is satisfied, then task-splitting must be performed. If the current task is not the one with the smallest T, then swapping takes place (i.e., the current task is assigned integrally to a processor and one of the tasks that were already assigned is removed and is now the current task considered for splitting). This algorithm has a utilization bound of at least 0.749. By adding an optimization of the algorithm, a new algorithm is obtained, and this algorithm has utilization bound of 0.75.

Historical perspective An algorithm similar to S-EKG has been proposed, and it uses timeslots to form notional processors that can span processors, and this allows more than one task to be split between a pair of processors. This algorithm is known as NPS-F (Bletsas and Andersson 2009, 2011). An algorithm similar to the one in Lakshmanan et al. (2009) has been created (Burns et al. 2012; called partitioned EDF with C = D) but using EDF and splitting a task so that the deadline of the prime piece is equal to the execution time of the prime piece. This is advantageous because it is shown that for many implicit-deadline tasksets on a single processor, it is possible to choose one task and set its deadline to a much smaller value, and this does not change schedulability; in this sense, splitting comes for free.
Instead of splitting a job, one can split a task; that is, let one job of a given task be assigned to one processor and then let the next job of the same task be assigned to another processor. Indeed, this is the idea of one of the schedulers presented in the paper George et al. (2011). It selects, for each task, a certain number of processors, and then the first job of the task executes on the first of those processors, the second job of the task executes on the second of those processors, and so on until a job of the task executes on the last of the processors. Then this repeats, that is, the next job of the task executes on the first of the processors. Since the job migration is performed in a round-robin pattern, this scheduler is called EDF-RRJM. Approaches for semi-partitioning with fixed-priority scheduling that exploit harmonicity of periods are provided in Kandhalu et al. (2012) and Fan and Guan (2014). There have been different interpretations of the phrase semi-partitioned scheduling. Algorithms before 2009 did not use this term. The term semi-partitioned scheduling was coined in the paper Kato and Yamasaki (2009). Later, the term semi-partitioned scheduling came to have a broader interpretation; any algorithm where a task may be split before run-time became referred to as semi-partitioned scheduling. There are also algorithms that are typically not categorized as semi-partitioned scheduling but share the goal (of having high utilization bound and not too many preemptions) and their design was inspired by the ideas of task-splitting; this includes DP-FAIR/DP-WRAP (Levin et al. 2010), RUN (Regnier et al. 2011), U-REF (Nelissen et al. 2012), and QPS (Massa et al. 2014). Before semi-partitioned


scheduling was invented, there were other attempts to achieve high utilization bound and few preemptions. This includes the schedulers BF (Zhu et al. 2003) and LLREF (Cho et al. 2006). They have utilization bound 1, but they generate more preemptions than the ones based on semi-partitioning.

5 Arbitrary-Deadline Sporadic Tasks

Recall that S-EKG (described in the previous subsection) uses fixed-duration timeslots that are synchronized across processors, and each timeslot is subdivided into three subintervals where the first and third are used for execution of split tasks and the second is used for execution of non-split tasks. One can extend this idea to arbitrary-deadline sporadic tasks as follows:

1. The duration of timeslots (S) can be set as $S = \frac{\min_{\tau_i \in \tau} \min(D_i, T_i)}{\delta}$.

2. Form a schedulability test for non-split tasks that considers that some of the first and third subintervals are not used by split tasks; this is important because some split tasks may have very small $D_i$ and large $T_i$, and then most of these first and third subintervals for such tasks will not be used. This schedulability test is used when deciding how to assign tasks to processors and potentially split (and if so, how to split).

3. When doing task assignment and splitting, we would like tasks with small deadlines to be the ones that are split. One can understand this from the following reasoning. Suppose that a task with a small deadline is assigned to a processor p and there is also a task with a long deadline that is split between processor p and processor p−1. When the split task executes in its first subinterval on processor p, we have a situation where a task with a long deadline executes although a task with a short deadline may be ready for execution. This is a situation with priority inversion, and it negatively impacts performance. Therefore, it is beneficial to have tasks with short deadlines as split tasks.

These ideas were used to create a scheduler with task-splitting for arbitrary-deadline sporadic tasks (Andersson et al. 2008).

6 Comparison

Having seen the main ideas of task-splitting/semi-partitioning, we summarize the algorithms and list their utilization bounds (see Table 1). It can be seen that the schedulers that use timeslots have the potential to offer a higher utilization bound than the others. However, the schedulers that use timeslots generate more preemptions; this was shown experimentally in Kato et al. (2009b).


Table 1 An overview of task-splitting/semi-partitioned schedulers with proven utilization bounds

| Scheduler | Reference | Task model | Utilization bound | Comments |
|---|---|---|---|---|
| EDF-fm | Anderson et al. (2005) | imp.dead sporadic | 0 | Tardiness bounds are satisfied even at 100% utilization. |
| EKG | Andersson and Tovar (2006) | imp.dead periodic | k/(k + 1) | k is selected by designer. For k = 2 For k = number of processors, util.bound = 1 |
| S-EKG | Andersson and Bletsas (2008) | imp.dead sporadic | $4 \cdot (\sqrt{\delta \cdot (\delta + 1)} - \delta) - 1$ | δ is selected by designer. For δ = 4 util.bound = 0.88. |
| EDDP | Kato and Yamasaki (2008a) | imp.dead sporadic | 0.65 | The authors of Kato and Yamasaki (2008a) present it for periodic tasks but it also works for sporadic tasks. |
| PDMS_HPTS_DS | Lakshmanan et al. (2009) | imp.dead sporadic | 0.65 | |
| SPA2 | Guan et al. (2010) | imp.dead sporadic | 0.69 | |
| HIME | Santos et al. (2013) | imp.dead sporadic | 0.75 | |

7 Implementation Aspects

Having seen the theory of task-splitting/semi-partitioning, we will now turn to implementation aspects.

Early semi-partitioning. In 2009, the technical report Kato et al. (2009a) presented a framework for real-time scheduling on multiprocessors. It allows the insertion of new schedulers as loadable modules in the Linux kernel. One of the schedulers tested was semi-partitioned fixed-priority scheduling (Kato and Yamasaki 2009); recall that this is a scheduler where a double-prime piece becomes ready for execution when a prime piece has finished. The paper found that the overhead is typically less than 80 μs.

Slot-based task-splitting. In 2010, the paper Sousa et al. (2010) reported on the challenges and ideas for implementing a slot-based task-splitting scheduler (Andersson and Bletsas 2008) in the Linux kernel. One of the main challenges is that at the end of a timeslot, a split task may migrate to another processor, and the theory assumes that this migration is performed immediately. If this migration is not performed immediately, then it could happen that one processor starts executing a split task while another processor is still executing the split task; hence a task would execute on two processors simultaneously (which is not allowed). The paper proposed to address this as follows: Recall that in this type of scheduling, a timeslot had three subintervals. We modify this so that a timeslot has four subintervals. The first subinterval is for non-split tasks and this subinterval is short (its duration needs only be as large as the migration latency). Then the second subinterval is for split tasks. The third subinterval is for non-split tasks. The fourth subinterval is for split tasks. In this way, as long as the migration is delayed by at most the duration of the first subinterval and the migration is delayed by at most the duration of the third subinterval, then it will hold that at each instant, a task does not execute on two or more processors at that instant.

In 2011, the paper Sousa et al. (2010) followed these design principles and implemented a slot-based task-splitting scheduler in the Linux 2.6.34 kernel (Sousa et al. 2011a) on a quad-core computer system. Experiments were performed with this implementation by scheduling tasksets of utilization 0.88; this is the utilization bound of S-EKG (Andersson and Bletsas 2008). Traces of events were generated in order to compare the results in theory with the actually observed results, and it was found that most events occurred within 10 μs from when they were supposed to and all of them took place within 60 μs from when they were supposed to. These experiments were conducted in a controlled setting (no network traffic, no graphical user interface, etc.).

The paper Sousa et al. (2011b) incorporated overheads in the schedulability analysis in slot-based split-task scheduling algorithms and performed experiments with the Linux kernel 2.6.34. The paper Sousa et al. (2011c) extends the previous results with experiments also for a 24-core computer system. The paper Sousa et al. (2012) improved the PREEMPT_RT patch for the Linux kernel and showed that this improvement is advantageous for slot-based split-task scheduling. The paper Sousa et al. (2013) presents Carousel-EDF, an improvement of the slot-based split-task scheduling algorithm NPS-F. It reduces the overhead by reducing the number of preemptions and by reducing the overhead of job releases. The article Sousa et al. (2014) conducted an extensive study to extend slot-based split-task scheduling algorithms to incorporate various types of overhead (reserve jitter, job-release jitter, interrupts, context switching overhead, preemption costs). They incorporate the overhead in schedulability analysis, and this schedulability analysis is used when assigning tasks to processors and deciding on splitting and sizing reserves.

Later semi-partitioning. The paper Kato et al. (2010) presents an implementation of the scheduler EDF-WM in the Linux kernel and combines this scheduler with resource reservation (i.e., there are budgets, and if a task executes more than its expected worst-case execution time, then a budget may be exceeded, and the runtime system detects this and takes action).


The paper Bastoni et al. (2011) evaluates three schedulers considering overheads. It evaluates schedulers of different types: EDF-fm, EDF-WM, and NPS-F. EDF-fm was designed for soft real-time systems, whereas EDF-WM and NPS-F were designed for hard real-time systems. The schedulers were implemented in the Linux kernel and overheads were measured. These overheads include (i) release overhead, (ii) scheduling overhead, (iii) context switching overhead, (iv) interprocessor interrupt latency, (v) timer-transfer overhead, (vi) tick overhead, and (vii) cache-related preemption delay. The authors incorporate these overheads in the schedulability analysis of the schedulers mentioned and perform an evaluation on randomly generated tasksets. With this evaluation, the authors find that (i) for NPS-F, choosing δ = 1 gives better performance than δ = 4, (ii) NPS-F performs worse than the other schedulers, and (iii) EDF-WM performs best for the hard real-time case.

The paper also gives guidance for the design of task-splitting/semi-partitioned schedulers. This includes (i) avoid unnecessary migrations (here it is mentioned that in low-utilization scenarios, NPS-F may perform task-splitting even when it is not needed, and this causes unnecessary migrations) and (ii) use push migrations instead of pull migrations (the reason for this is that push migration needs mostly processor-local state whereas pull migration needs global state). The paper also points out that when including overheads in schedulability analysis, one faces a circular dependency: overheads can be obtained if the task assignment/splitting is known, but in order to get a task assignment/splitting, it is necessary to perform schedulability analysis for each task, and this schedulability analysis depends on overhead.

The paper Souto et al. (2015) presents schedulability analysis for schedulers considering overhead. It considers two task-splitting schedulers where it holds for a split task that a double-prime piece is released when a prime piece is finished (semi-partitioning). Specifically, it considered EDF-WM and partitioned EDF with C=D and incorporates the following overheads: release overhead, scheduler overhead, cache-related preemption delay, interrupt blocking, and timer setup overhead. The paper presents statistics of overheads from a 24-core computer system, incorporates these numbers into schedulability analysis, and evaluates the schedulability test on randomly generated tasksets.

The paper Brandenburg and Gül (2016) presents a scheduler aiming to reduce the average overhead of semi-partitioning. It relies on two ideas. First, it uses the C = D idea but flips the execution order of the pieces; instead of executing the prime piece first and then the double-prime piece, it starts by executing the double-prime piece and then executes the prime piece. This has the advantage that if a job executes for much less than its worst-case execution time, it may finish in its double-prime piece, and hence there is no need to execute the prime piece; for this case, one migration has been eliminated. Second, it uses slack reclamation for the reserves; this helps to reduce the average-case response time, and hence it makes it more likely that a split task will finish its execution in its double-prime piece. The scheduler was implemented in Linux and tested on a computer platform with 44 processor cores.

8 Conclusions

Before the development of task-splitting/semi-partitioning, it was necessary to choose between either (i) schedulers that did not allow migration and hence limited utilization bound to at most 50% or (ii) schedulers that allow arbitrary migration; these allow the utilization bound to be high but generate a large number of preemptions. With the development of task-splitting/semi-partitioning, it became possible to get the best of both worlds. There is currently no task-splitting/semi-partitioned scheduler that considers (i) resource sharing (i.e., two tasks may share a critical section with a mutex), (ii) contention on the memory bus, or (iii) task models with complex job generations, e.g., the arrival of one job may be generated by another job.

References

J.H. Anderson, V. Bud, U.C. Devi, An EDF-based scheduling algorithm for multiprocessor soft real-time systems, in Euromicro Conference on Real-Time Systems, ed. by E. Tovar (2005), pp. 199–208

B. Andersson, K. Bletsas, Sporadic multiprocessor scheduling with few preemptions, in Euromicro Conference on Real-Time Systems, ed. by A. Burns (2008), pp. 243–252

B. Andersson, E. Tovar, Multiprocessor scheduling with few preemptions, in IEEE International Conference on Embedded and Real-Time Computing Systems and Applications, ed. by C.-W. Hseuh, R. West (2006), pp. 322–334

B. Andersson, K. Bletsas, S.K. Baruah, Scheduling arbitrary-deadline sporadic task systems on multiprocessors, in IEEE Real-Time Systems Symposium, ed. by S. Goddard (2008), pp. 385–394

A. Bastoni, B. Brandenburg, J.H. Anderson, Is semi-partitioned scheduling practical? in Euromicro Conference on Real-Time Systems, ed. by K.-E. Årzen (2011), pp. 125–135

K. Bletsas, B. Andersson, Notional processors: an approach for multiprocessor scheduling, in IEEE Real-Time and Embedded Technology and Applications Symposium, ed. by N. Audsley (2009), pp. 3–12

K. Bletsas, B. Andersson, Preemption-light multiprocessor scheduling of sporadic tasks with high utilisation bound. J. Real-Time Syst. 47(4), 319–355 (2011)

B. Brandenburg, M. Gül, Global scheduling not required: simple, near-optimal. Multiprocessor real-time scheduling with semi-partitioned reservations, in IEEE Real-Time Systems Symposium, ed. by F. Mueller (2016), pp. 99–110

A. Burns, R. Davis, P. Wang, F. Zhang, Partitioned EDF scheduling for multiprocessors using a C=D task splitting scheme. J. Real-Time Syst. 48(1), 3–33 (2012)

H. Cho, B. Ravindran, E.D. Jensen, An optimal real-time scheduling algorithm for multiprocessors, in IEEE Real-Time Systems Symposium, ed. by T. Abdelzaher, G. Fohler (2006), pp. 101–110

M. Fan, G. Guan, Harmonic-aware multi-core scheduling for fixed-priority real-time systems. IEEE Trans. Parallel Distrib. Syst. 25(6), 1476–1488 (2014)

L. George, P. Courbin, Y. Sorel, Job vs. portioned partitioning for the earliest deadline first semi-partitioned scheduling. J. Syst. Arch. 57(5), 518–535 (2011)

N. Guan, M. Stigge, W. Yi, G. Yu, Fixed-priority multiprocessor scheduling with Liu & Layland’s utilization bound, in IEEE Real-Time and Embedded Technology and Applications Symposium, ed. by N. Audsley (2010), pp. 165–174

A. Kandhalu, K. Lakshamanan, R. Rajkumar, pCOMPATS: period-compatible task allocation and splitting on multi-core processors, in IEEE Real-Time and Embedded Technology and Applications Symposium, ed. by M.D. Natale (2012), pp. 307–316


S. Kato, N. Yamasaki, Real-time scheduling with task splitting on multiprocessors, in IEEE International Conference on Embedded and Real-Time Computing Systems and Applications, ed. by S. Baruah, N. Chang, Y. Tobe (2007), pp. 441–450

S. Kato, N. Yamasaki, Portioned EDF-based scheduling on multiprocessors, in ACM International Conference on Embedded Software, ed. by L. Alfaro, J. Palsberg (2008a), pp. 139–148

S. Kato, N. Yamasaki, Portioned static-priority scheduling on multiprocessors, in IEEE International Parallel & Distributed Processing Symposium, ed. by Y. Robert (2008b)

S. Kato, N. Yamasaki, Semi-partitioned fixed-priority scheduling on multiprocessors, in IEEE Real-Time and Embedded Technology and Applications Symposium, ed. by N. Audsley (2009), pp. 23–32

S. Kato, R. Rajkumar, Y. Ishikawa, A loadable real-time scheduler suite for multicore platforms, in CMU-ECE-TR09-12, Technical Report (2009a)

S. Kato, N. Yamasaki, Y. Ishikawa, Semi-partitioned scheduling of sporadic task systems on multiprocessors, in Euromicro Conference on Real-Time Systems, ed. by I. Puaut (2009b), pp. 249–258

S. Kato, R. Rajkumar, Y. Ishikawa, AIRS: supporting interactive real-time applications on multicore platforms, in Euromicro Conference on Real-Time Systems, ed. by J.H. Anderson (2010), pp. 47–56

K. Lakshmanan, R. Rajkumar, J. Lehoczky, Partitioned fixed-priority preemptive scheduling for multi-core processors, in Euromicro Conference on Real-Time Systems, ed. by I. Puaut (2009), pp. 239–248

J. Leung, J. Whitehead, On the complexity of fixed-priority scheduling of periodic, real-time tasks. Perform. Eval. 2(4), 237–250 (1982)

G. Levin, S. Funk, C. Sadowski, I. Pye, S. Brandt, DP-FAIR: a simple model for understanding optimal multiprocessor scheduling, in Euromicro Conference on Real-Time Systems, ed. by J.H. Anderson (2010), pp. 3–13

C.L. Liu, J.W. Layland, Scheduling algorithms for multiprogramming in a hard-real-time environment. J. ACM 20(1), 46–61 (1973)

E. Massa, G. Lima, P. Regnier, G. Levin, S.A. Brandt, Outstanding paper: optimal and adaptive multiprocessor real-time scheduling: the quasi-partitioning approach, in Euromicro Conference on Real-Time Systems, ed. by R. Ernst (2014), pp. 291–300

A. Mok, Fundamental design problems of distributed systems for the hard-real-time environment. PhD thesis, Massachusetts Institute of Technology (1983)

G. Nelissen, V. Berten, V. Nélis, J. Goossens, D. Milojevic, U-EDF: an unfair but optimal multiprocessor scheduling algorithm for sporadic tasks, in Euromicro Conference on Real-Time Systems, ed. by R. Davis (2012), pp. 13–23

P. Regnier, G. Lima, E. Massa, G. Levin, S.A. Brandt, Run: optimal multiprocessor real-time scheduling via reduction to uniprocessor, in IEEE Real-Time Systems Symposium, ed. by L. Almeida (2011), pp. 104–115

J.A. Santos, G. Lima, K. Bletsas, S. Kato, Multiprocessor real-time scheduling with a few migrating tasks, in IEEE Real-Time Systems Symposium, ed. by M.G. Harbour (2013), pp. 170–181

P.B. Sousa, B. Andersson, E. Tovar, Challenges and design principles for implementing slot-based task-splitting multiprocessor scheduling, in IEEE Real-Time Systems Symposium, Work-in-Progress (2010)

P.B. Sousa, B. Andersson, E. Tovar, Implementing slot-based task-splitting multiprocessor scheduling, in IEEE International Symposium on Industrial Embedded Systems, ed. by I. Bate, R. Passerone (2011a), pp. 256–265

P.B. Sousa, K. Bletsas, B. Andersson, E. Tovar, Practical aspects of slot-based task-splitting dispatching in its schedulability analysis, in IEEE International Conference on Embedded and Real-Time Computing Systems and Applications, ed. by S. Oikawa, N. Audsley, C.-G. Lee (2011b), pp. 224–230

P.B. Sousa, K. Bletsas, E. Tovar, B. Andersson, On the implementation of real-time slot-based task-splitting scheduling algorithms for multiprocessor systems, in Real-Time Linux Workshop (2011c)


P.B. Sousa, N. Pereira, E. Tovar, Enhancing the real-time capabilities of the Linux kernel, in Euromicro Conference on Real-Time Systems, Work-in-Progress (2012)

P.B. Sousa, K. Bletsas, B. Andersson, E. Tovar, The carousel-EDF scheduling algorithm for multiprocessor systems, in IEEE International Conference on Embedded and Real-Time Computing Systems and Applications, ed. by L.-P. Chang, C. Gill, J. Nakazawa (2013), pp. 12–21

P.B. Sousa, K. Bletsas, E. Tovar, P. Souto, B. Åkesson, Unified overhead-aware schedulability analysis for slot-based task-splitting. J. Real-Time Syst. 50(5–6), 680–735 (2014)

P. Souto, P.B. Sousa, R. Davis, K. Bletsas, E. Tovar, Overhead-aware schedulability evaluation of semi-partitioned real-time schedulers, in IEEE International Conference on Embedded and Real-Time Computing Systems and Applications, ed. by S. Chakraborty, Q. Wang, S. Hong (2015), pp. 110–121

D. Zhu, D. Mossé, R.G. Melhem, Multiple-resource periodic scheduling problem: how much fairness is necessary? in IEEE Real-Time Systems Symposium, ed. by R.R. Rajkumar (2003), pp. 142–151

6 Practical Considerations in Optimal Multiprocessor Scheduling

George Lima, Ernesto Massa, and Paul Regnier

Contents

1 The Scheduling Problem
1.1 Terminology and Background
1.2 Fixed-Rate Servers
2 Optimality in Multiprocessor Scheduling
3 Approaches to Scheduling Optimality
3.1 Deadline Sharing
3.2 Fairness in Execution Progress
3.3 Task Aggregation as a Means of Fairness Relaxation
3.4 Nonfair Execution Progress Is Possible
3.5 Nonfair Execution Progress Via Duality
3.6 Nonfair Execution Progress Via Relaxing Partitioning
4 Hierarchical Nonfairness Based Approaches
4.1 The RUN Algorithm
4.2 The QPS Algorithm
4.3 Dealing with Sporadic Tasks
5 Final Comments
References

Abstract

The problem of scheduling a set of recurrent tasks subject to meeting all tasks’ deadlines is at the core of real-time systems design. Practical solutions for this problem when there is a single processing unit in the system have long been known. For example, the cost-effective algorithm that schedules at any time the ready task with the earliest deadline has been proved optimal for a large spectrum of systems. A scheduling algorithm is said to be optimal for a class of systems if it generates a schedule for this class according to which no task deadline is ever missed whenever it is possible to do so. Achieving optimality in multiprocessors has proven to be more challenging and often implies high runtime overheads. Designing optimal and practical scheduling algorithms for multiprocessor systems has thus become a relevant research topic, on which this chapter offers a gentle introduction. Key concepts are explained intuitively and based on illustrations, using some of the optimal algorithms developed to date. The focus here is not on their formalization or correctness proofs. The goal is to highlight the principles behind scheduling optimality, while presenting considerations as to their applicability.

G. Lima · P. Regnier: Department of Computer Science, Institute of Mathematics and Statistics, Federal University of Bahia, Salvador, Bahia, Brazil. E. Massa: State University of Bahia and Unifacs, Salvador, Bahia, Brazil. © Springer Nature Singapore Pte Ltd. 2022. Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_3

Given a set of real-time tasks to be executed on a set of processors, an optimal scheduling algorithm generates a schedule such that no task deadline is missed whenever it is possible to do so. For uniprocessor systems, the simple algorithm that schedules at any time the ready task with the earliest deadline has been proved optimal and cost-effective for a large spectrum of systems. Achieving optimality in multiprocessors has proven to be more challenging and often implies high overheads. Designing optimal and practical scheduling algorithms for multiprocessors has thus become a relevant research topic, on which this chapter offers a gentle introduction. Key concepts are explained intuitively and based on illustrations, using some of the optimal algorithms developed to date. The focus here is not on their formalization or correctness proofs. The goal is to highlight the principles behind scheduling optimality, while presenting considerations as to their applicability.

After presenting basic definitions and terminology in section “The Scheduling Problem” and explaining impossibility results related to scheduling optimality in section “Optimality in Multiprocessor Scheduling,” an overview of approaches to optimal multiprocessor scheduling is given in section “Approaches to Scheduling Optimality.” Intuition about how optimality can be achieved is presented via observations extracted from selected algorithms. For example, it is observed that if at any time every task receives processing resources proportional to the execution rate it requires, optimality can be achieved. Several optimal algorithms implement different degrees of this notion of fairness. More recently, nonfairness based algorithms have been shown to incur low overhead. Two of these algorithms are described in section “Hierarchical Nonfairness Based Approaches.” Final remarks are presented in section “Final Comments.”

1 The Scheduling Problem

Necessary concepts and basic terminology used throughout the chapter are given next.

1.1 Terminology and Background

Scheduling a (possibly infinite) set of jobs in a set of processing resources is one of the fundamental and most studied problems in the field of real-time systems. A job $J : (r, c, d)$ is a piece of code to be sequentially executed from its release time $r$ until its deadline $d$. Its execution time or workload $c$ is usually taken as an upper bound on the processing time required by $J$. Actual real-time systems usually require executing jobs under some recurring pattern, which can be conveniently defined using the concept of task. A periodic task $\tau_i : (C_i, T_i, D_i)$ is one that periodically releases jobs $J_{i,k} : (r_{i,k}, c_{i,k}, d_{i,k})$, all having the same execution time $c_{i,k} = C_i$ and deadline $d_{i,k} = D_i + r_{i,k}$ for $r_{i,k} = kT_i$, $k = 1, 2, \ldots$, i.e., $J_{i,k}$ represents the $k$th job of task $\tau_i$. For simplicity, it is assumed in this chapter that all tasks are initially released at instant zero unless stated otherwise. Sporadic tasks are those that release jobs with a known minimum separation time, which is also called task period by convention. A system model that contemplates sporadic tasks can thus be seen as a generalization of the periodic task model. Under the sporadic model, the system can have an infinite set of job release patterns. The job release pattern defined by aperiodic tasks is arbitrary. A periodic or sporadic task $\tau_i$ can be denoted $\tau_i : (C_i, T_i)$ with $T_i$ representing both the period and the relative deadline of $\tau_i$. In this case, the task is said to have implicit deadlines. For those systems specified in terms of a set of periodic or sporadic tasks, denoted $\tau$, the maximum processing rate required by any periodic or sporadic task $\tau_i \in \tau$ is called utilization, denoted as $U_{\tau_i} = C_i / T_i$. The utilization of $\tau$ is given by $U_\tau = \sum_{\tau_i \in \tau} U_{\tau_i}$.

A real-time system specification consists of a set of tasks (or their jobs), a set of processors on which tasks are to be executed, and certain constraints, which characterize the system behavior (e.g., identical processors) or restrict scheduling options (e.g., preemption is not allowed). A schedule for a system is said to be valid if it does not violate any job deadline or any system constraint. A system, or its set of tasks or jobs, is said to be feasible if a valid schedule for it can be generated. Optimal scheduling algorithms are those capable of generating a valid schedule whenever one exists. As can be noticed, real-time scheduling is concerned with solving two subproblems: feasibility, which is to check for the existence of a possible valid schedule, and schedule generation. Both these problems have been shown to be intractable in general (Baruah and Goossens 2004; Baruah et al. 1990). That is, checking for feasibility or finding a valid schedule may be computationally impractical. Thus, practical solutions to the scheduling problem are expected to be developed under some simplifying assumptions, appearing in the form of system constraints, which must not be so restrictive as to preclude the applicability of the results.

If the scheduling problem is restricted to uniprocessor systems, solid research has been carried out around the Earliest Deadline First (EDF) scheduling algorithm (Liu and Layland 1973). Under EDF, at any scheduling instant the ready-to-execute job with the earliest deadline (ties broken arbitrarily) is chosen to run. This simple heuristic has been shown to be optimal for scheduling an arbitrary set of independent jobs if no constraint is imposed in terms of preemptions.

Theorem 1 (EDF Optimality on Uniprocessor Systems, Dertouzos 1974) If there is an algorithm capable of scheduling an arbitrary set of independent jobs with no preemption constraints on a single processor, then EDF produces a valid schedule for this set of jobs under the same conditions.

Unfortunately, the optimality result stated in Theorem 1 does not hold for multiprocessor systems. As a simple illustration, consider a set of three jobs released at the same instant, each of which has the same deadline at 3 and requires 2 processing units to execute. Release times and deadlines are represented in the figure by up and down arrows, respectively. This representation will also be adopted in upcoming illustrations in this chapter. As illustrated in Fig. 1, EDF is not able to schedule this job set. It would choose two of the jobs to execute at instant 0, and the remaining job is not able to meet its deadline from time 2. The impossibility of executing a job simultaneously on two or more processors is behind the differences between multiprocessor and uniprocessor scheduling. Because of this, at time instant 1, when the laxity of the third job becomes null, it should execute from then without interruption until completion. The laxity of a job at a time $t$ is the difference between the time interval it has to execute and its remaining execution time. A correct schedule for this set of jobs exists, as illustrated in the figure.

Fig. 1 An illustration showing that EDF fails to schedule feasible systems on multiple processors; only three jobs are considered, specified as $J_i : (0, 2, 3)$. Panels: (a) EDF schedule, (b) a valid schedule; each panel shows jobs J1, J2, and J3 on Proc1 and Proc2 over time 0 to 4.

Negative results for multiprocessor scheduling have raised interesting research questions, motivating tremendous effort aiming at determining under which conditions feasible systems can be correctly scheduled in multiprocessor platforms and deriving low-overhead scheduling algorithms with practical relevance. Before delving into these issues, the concept of servers, which play an important role in the design of efficient scheduling mechanisms, is defined.
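The Fig. 1 scenario as an added example (not code from the chapter): a unit-step simulator for global preemptive scheduling on identical processors, run once with EDF ordering and once with smallest-laxity-first ordering. The names `simulate`, `edf_key` and `laxity_key` are hypothetical, and the laxity ordering is an assumption chosen here to obtain a valid schedule; the chapter does not say which policy produced panel (b).

```python
# Constructed input: the three jobs of Fig. 1, each (release, execution time, deadline).
FIG1_JOBS = {"J1": (0, 2, 3), "J2": (0, 2, 3), "J3": (0, 2, 3)}


def laxity(t, deadline, remaining):
    """Time left until the deadline minus the execution still owed."""
    return deadline - t - remaining


def edf_key(t, name, deadline, remaining):
    # Earliest deadline first; equal deadlines are ordered by name (one arbitrary tie-break).
    return (deadline, name)


def laxity_key(t, name, deadline, remaining):
    # Smallest laxity first, so a job whose laxity reached zero is never left waiting.
    return (laxity(t, deadline, remaining), name)


def simulate(jobs, processors, key, horizon):
    """Global preemptive scheduling in unit time steps on identical processors.

    Returns (timeline, finish, missed, min_laxity):
      timeline[t]      - names of the jobs running during [t, t+1)
      finish[name]     - completion time of each finished job
      missed           - names of jobs not complete by their deadline
      min_laxity[name] - lowest laxity the job had at the start of any step
    """
    remaining = {name: c for name, (r, c, d) in jobs.items()}
    finish, timeline, min_laxity = {}, [], {}
    for t in range(horizon):
        ready = [n for n, (r, c, d) in jobs.items() if r <= t and remaining[n] > 0]
        for n in ready:
            lax = laxity(t, jobs[n][2], remaining[n])
            min_laxity[n] = min(lax, min_laxity.get(n, lax))
        ready.sort(key=lambda n: key(t, n, jobs[n][2], remaining[n]))
        running = ready[:processors]  # a job never occupies two processors at once
        for n in running:
            remaining[n] -= 1
            if remaining[n] == 0:
                finish[n] = t + 1
        timeline.append(tuple(running))
    missed = sorted(n for n, (r, c, d) in jobs.items() if finish.get(n, horizon + 1) > d)
    return timeline, finish, missed, min_laxity


if __name__ == "__main__":
    for label, key in (("EDF", edf_key), ("laxity", laxity_key)):
        timeline, finish, missed, min_lax = simulate(FIG1_JOBS, 2, key, 4)
        print(label, "timeline:", timeline)
        print(label, "finish:", finish, "missed:", missed, "min laxity:", min_lax)
```

Under the EDF ordering the laxity of J3 drops below zero while it waits, which is the missed deadline in panel (a); under the laxity ordering J3 starts at time 1 and J2 is preempted and resumed, so every job finishes by time 3.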

1.2 Fixed-Rate Servers

Servers are entities capable of scheduling other tasks or servers, called clients, providing a hierarchical scheduling abstraction. When the scheduler selects at the system level the entities to execute, if some of these entities are servers, they are in charge of selecting one of their clients based on their own scheduling criteria. The server clients are executed at a rate equal to the server utilization, which is not greater than one; otherwise a multiprocessor scheduling algorithm would be needed by the server itself.

Scheduling schemes based on servers are usually employed when aperiodic tasks are considered. In this context, solutions for both uniprocessor and multiprocessor systems can be found. Interested readers are referred to specialized sources, e.g., Ghazalie and Baker (1995); Stankovic et al. (1998); Pellizzoni and Caccamo (2008). In this chapter, the role of servers is rather related to facilitating the implementation of efficient optimal scheduling mechanisms. With this purpose, Regnier et al. (2011) provide a definition of server, which was slightly modified by Massa et al. (2014).

Definition 1 (Fixed-Rate (EDF) Server, Massa et al. 2014) A fixed-rate EDF server $\sigma_i$ (or simply “server”) is a scheduling mechanism instantiated to regulate the execution of a set of tasks or other servers $\tau$, known as its clients. A server $\sigma_i$ provides an execution rate equal to its utilization $U_{\sigma_i} \le 1$, which is the processing bandwidth it reserves for its clients. The following rules define the attributes and behavior of a server:

Deadline. The next deadline of a server $\sigma_i$ after time $t$ is denoted $D(\sigma_i, t)$. The server deadlines will include, but may not be limited to, the deadlines of $\sigma_i$’s clients.

Job release. A job $J : (c, r, d)$ released by server $\sigma_i$ at time $r$ with deadline $d = D(\sigma_i, r)$ satisfies $c = U_{\sigma_i}(d - r)$.

Execution order. Whenever a job $J$ of server $\sigma_i$ executes, $\sigma_i$ schedules the jobs of its clients for execution in EDF order.

A server reserves processing resources for a set of tasks or even other servers, regulating the execution of its clients, scheduling them by EDF. The set of deadlines of a server contains all deadlines of its clients, and a server releases a new job at any time which is also a release instant of any of its clients. If the accumulated utilization of a set of client tasks $\tau$, $U_\tau$, is not greater than 1, a server $\sigma_i$ for which $U_{\sigma_i} \ge U_\tau$ can schedule $\tau$ in a way that no deadline is missed.

Theorem 2 (Fixed-Rate Server Correctness, Regnier et al. 2011) The set of clients $\tau$ of a server $\sigma_i$ meet their deadlines provided that $U_\tau \le U_{\sigma_i} \le 1$ and all jobs of $\sigma_i$ meet their deadlines.

G. Lima et al.

[Figure: budget of σ over time, and the corresponding schedule of the clients' jobs]

Fig. 2 Budget management and the corresponding schedule generated by a fixed-rate EDF server σi with client set τ = {τ1:(0.8, 2), τ2:(0.6, 3)} and Uσi = 0.6. Task τ  represents the concurrent execution of other tasks or servers

Theorem 2 is a consequence of EDF optimality for single processor systems, as servers can be thought of as EDF schedulers running on limited capacity processors. Figure 2 provides some illustration. The server σi shown in the figure has utilization equal to 0.6, which corresponds to the accumulated rate needed to execute its clients, Uτ1 + Uτ2. At time 0, the server releases its job with deadline at time 2 and workload equal to 0.6 × 2 = 1.2. Once σi is scheduled by the system, its clients’ jobs are executed following EDF. At time 2 a new server job is released, but now with workload equal to 0.6 since the time interval between release time and deadline is equal to 3 − 2 = 1. In the represented schedule, τ  depicts what could be concurrent execution. As can be seen, a server is actually an execution proxy. If the utilization was equal to 1, its schedule decisions would be the same as EDF running on a single processor.

It is worth noticing that a task can be seen as a special case of a server. When server σi releases a job at time r with deadline at time d, its execution time c equals Uσi(d − r). If σi has a single task τi as a client, its job release pattern and workload will be the same as those of τi as long as Uσi = Uτi. This allows the use of τ to denote a set containing tasks, servers, or both. In terms of notation, though, in this chapter τi is strictly used when referring to a task. A server is denoted σi independently of the number of clients it has. A task can also be referred to as a server whenever the distinction between task and server is not relevant.

Either a task or a server is active during the period of time between the release time of one of its jobs and its deadline. In all other intervals, it is inactive.
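The job-release rule of Definition 1 and the walk-through of Fig. 2 can be replayed with exact arithmetic. The following Python sketch is an added example, not code from the chapter; the function names and the two supply patterns ("early" and "late" placement of the server budget inside each window, standing in for whatever the system-level scheduler decides) are assumptions made for illustration.

```python
from fractions import Fraction as F

def server_jobs(clients, u_server, horizon):
    """Jobs (r, d, c) released by a fixed-rate server over [0, horizon].

    clients: list of (C, T) periodic implicit-deadline tasks, first release at 0.
    Each server job spans two consecutive client deadlines and carries the
    budget c = U_server * (d - r), the job-release rule of Definition 1.
    """
    deadlines = sorted({F(k * T) for _, T in clients
                        for k in range(1, horizon // T + 1)})
    jobs, r = [], F(0)
    for d in deadlines:
        jobs.append((r, d, u_server * (d - r)))
        r = d
    return jobs

def run_server(clients, u_server, horizon, supply="early"):
    """Replay the server and return (segments, misses).

    segments: (start, end, task_index) execution chunks of the clients.
    misses:   (task_index, deadline) for each client job not finished in time.
    supply:   where the budget falls inside each window [r, d] (assumed
              patterns): "early" -> [r, r + c], "late" -> [d - c, d].
    """
    ready, segments, misses = [], [], []
    for r, d, budget in server_jobs(clients, u_server, horizon):
        # Client releases coincide with window starts (periodic tasks).
        for i, (C, T) in enumerate(clients):
            if r % T == 0:
                ready.append([r + T, i, F(C)])  # [deadline, task, remaining]
        t = r if supply == "early" else d - budget
        left = budget
        for job in sorted(ready):               # EDF: earliest deadline first
            if left == 0:
                break
            run = min(job[2], left)
            segments.append((t, t + run, job[1]))
            t, left, job[2] = t + run, left - run, job[2] - run
        # Jobs whose deadline is the end of this window must be complete.
        misses += [(i, dl) for dl, i, rem in ready if dl <= d and rem > 0]
        ready = [j for j in ready if j[0] > d and j[2] > 0]
    return segments, misses

# Client set of Fig. 2: tau1:(0.8, 2) and tau2:(0.6, 3), so U_tau = 0.6.
CLIENTS = [(F(4, 5), 2), (F(3, 5), 3)]

if __name__ == "__main__":
    for r, d, c in server_jobs(CLIENTS, F(3, 5), 6):
        print(f"server job: release {r}, deadline {d}, budget {float(c)}")
    for u in (F(3, 5), F(1, 2)):
        for mode in ("early", "late"):
            _, missed = run_server(CLIENTS, u, 6, mode)
            print(f"U_server={float(u)} supply={mode}: misses={missed}")
```

With Uσi = 0.6 no client deadline is missed under either supply pattern, as Theorem 2 states; lowering the server utilization to 0.5, below Uτ, makes the second job of τ1 miss its deadline at time 4.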

6 Practical Considerations in Optimal Multiprocessor Scheduling

2 Optimality in Multiprocessor Scheduling

When it comes to the design of scheduling algorithms for real-time systems, three types of system constraints can be identified. Application-related constraints restrict the application domain considered, possibly reducing the applicability of the associated scheduling algorithm (e.g., tasks are periodic). Execution-related constraints are connected with neglecting certain costs associated with system overhead or with implementing the designed scheduling algorithm (e.g., task preemption takes null cost). When the underlying execution environment deviates from what is assumed by the execution-related constraints, the performance or correctness of the scheduling algorithm based on them may be at stake. It is also often necessary to specify scheduling-related constraints, which rule out forbidden behaviors of the scheduler or give it more freedom (e.g., preemption may take place only at specific instants).

As previously mentioned, the feasibility decision problem is not tractable in general. It is thus convenient to consider a set of system constraints that make feasibility verification easy. One possibility, commonly accepted in general, is restricting the system to contemplate only sporadic implicit-deadline fully preemptive tasks and identical multiprocessors, as specified in Definition 2. For simplicity, this model is hereafter referred to as the sporadic task model although all three types of constraints, not only application-related, are taken into consideration by the model.

Definition 2 (Sporadic Task Model) The sporadic task model, which allows for scheduling optimality, is specified as follows:

• Application-related constraints: system tasks are sporadic, have implicit deadlines, and are independent of one another.
• Execution-related constraints: task preemption and migration are costless; there are m identical unit-capacity system processors.
• Scheduling-related constraints: scheduling decisions until time t cannot be based on the knowledge of tasks released after t; jobs can be preempted and may migrate from one processor to another at any time during their execution; no job can execute on more than one processor at the same time.

For a task set τ scheduled on m processors in compliance with the model described by Definition 2, a schedule where no job misses its deadline exists if and only if Uτ ≤ m (Horn 1974). That is, proving optimality for this system requires showing that the considered scheduling algorithm is correct as long as Uτ ≤ m. In this context, the sporadic task model makes it possible to circumvent the intractability related to the feasibility problem.

Interestingly, removing some of the above constraints may lead to the impossibility of obtaining optimality. For example, assume a set of jobs released by aperiodic tasks, which gives rise to an arbitrary set of jobs. Even if these jobs can be feasibly scheduled by some algorithm, no scheduling algorithm that does not use information about future events can correctly schedule them. More concisely, this property can be stated as follows.

Theorem 3 (Hong and Leung 1992) No optimal on-line real-time scheduling algorithm can exist on multiprocessors for an arbitrary set of jobs if at least two of these jobs have distinct deadlines.

The kind of scheduling algorithm Theorem 3 addresses is named on-line, since it cannot use information about future jobs when it takes a scheduling decision at a given instant. On-line scheduling contrasts with off-line scheduling, according to which the knowledge of all jobs to be scheduled is used to prepare a schedule table in an off-line manner. In this chapter, only on-line algorithms are considered. Other impossibility results, similar to the one stated in Theorem 3, for on-line scheduling algorithms were observed by other researchers for different models (Hong and Leung 1988, 1992; Dertouzos and Mok 1989; Sahni 1979). Even when jobs are released by sporadic tasks whose deadlines differ from their periods, optimality has been shown to be impossible to achieve (Fisher et al. 2010).

As far as the implementation of scheduling algorithms is concerned, restricting the system model as in Definition 2 by forbidding task migration between processors is tempting. By doing so, uniprocessor scheduling algorithms can be applied once tasks are statically assigned to processors. Run-time overhead can also be minimized (Davis and Burns 2011). However, this partitioned scheduling approach cannot deal with some systems requiring just above 50% of their processing resources (Koren et al. 1998). For a simple intuition, consider a task set τ with m + 1 tasks to be scheduled on m processors, each one requiring 1/2 +  ( > 0,  → 0) of processing resources. In this case, the set of tasks cannot be properly partitioned and Uτ → m/2.

Due to the considerations made above, the sporadic task model, as specified in Definition 2, is a common choice when it comes to designing optimal multiprocessor on-line scheduling algorithms. Scheduling algorithms that do not impose any restriction on migration of jobs between processors during their execution are usually referred to as global. As restricting migration by some means usually prevents achieving scheduling optimality, most algorithms described in this chapter belong to the global scheduling class of algorithms. There are exceptions, though. For example, it has been shown that scheduling optimality is possible even when only some selected tasks have their jobs allowed to migrate between processors during execution (e.g., McNaughton 1959; Andersson and Tovar 2006). This class of scheduling is usually referred to as semi-partitioned. Usually, semi-partitioned scheduling approaches achieve optimality for systems containing only periodic tasks. Some of them obtain optimality for the sporadic task model under limiting configurations, according to which too many preemptions are generated, e.g., Andersson and Bletsas (2008). It is hence worth defining the periodic task model.

Definition 3 (Periodic Task Model) The periodic task model is specified as in Definition 2 except for the fact that all tasks are assumed to be periodic.

In the context of on-line scheduling, Theorem 3 and the other aforementioned related negative results indicate that scheduling aperiodic tasks is more complex than when dealing with sporadic tasks. Intuitively, this is expected. When aperiodic tasks are considered, any scheduling decision made at some time t cannot use information about the (unknown) system behavior after t. On the other hand, if the system is composed of implicit-deadline sporadic tasks, some information about future system behavior is available to the scheduling algorithm at t in the form of worst-case execution rate needed by the system tasks τ , which is precisely given by the utilization Uτ . Similarly, if the task set contains only periodic tasks, the scheduler knows at t not only the execution rate required after t but also the release instants of the jobs.

3 Approaches to Scheduling Optimality

There are a number of optimal scheduling algorithms for multiprocessor systems under the models stated in Definitions 2 and 3. Instead of precisely describing them, this section offers a gentle introduction to the reasons behind their optimality. Indeed, each of these algorithms provides mechanisms guided by some principles, which are stated here as a set of generic and easy to understand observations. For example, an optimal on-line algorithm of practical relevance is expected to behave as follows.

Observation 1 (Optimality Should Not Impair Efficiency) An optimal on-line scheduling algorithm of practical relevance, when scheduling a feasible set of jobs, ensures that:

(i) The laxity of any job never becomes negative.
(ii) The time spent scheduling jobs to execute is negligible compared to the jobs’ execution times.

Property (i) implies that all jobs meet their deadlines since the laxity of a job that misses its deadline becomes negative at some instant by the deadline. Also, as the laxity of a job decreases when the job is not executing, in order for property (i) to hold the scheduling algorithm must ensure execution progress for all ready jobs in a suitable manner, possibly splitting the execution of some jobs into several chunks. In Fig. 1(b), for instance, the execution of J1 was split into two chunks, which allowed the necessary execution progress of all jobs so as to avoid missed deadlines.

Property (ii) is related to how efficient the algorithm is. Indeed, the on-line job selection made at each scheduling instant cannot consume too much time. This contrasts with off-line scheduling algorithms, for which high overhead selection criteria, possibly taking into consideration a huge decision space from which the optimal solution is chosen, could be affordable. In general, it can be assumed that on-line scheduling algorithms implement an efficient job selection policy. Property (ii) also has to do with how the execution progress of jobs is ensured, which can be done using different levels of conservativeness. Conservative scheduling algorithms tend to generate too many chunks of execution per job, advancing the execution of jobs little by little. In this case, many scheduling instants, job preemption, and migration events are in place, causing scheduling overheads. Less conservative algorithms are thus preferable. Hereafter the term execution control of a scheduling algorithm refers to how the execution progress of jobs is ensured.

Returning again to Fig. 1(a) as illustration, it can be seen that EDF does not provide an execution control of the selected jobs, being careless of the jobs awaiting execution. It is worth mentioning that some variants of EDF are equipped with execution control mechanisms. For example, EDZL runs EDF until the laxity of some job is null. Zero-laxity jobs are assigned the highest priority in the system. Although EDZL is an improvement over EDF in terms of schedulability (Cirinei and Baker 2007), its execution control may act too late, not avoiding deadline misses for some feasible task systems. That is, as far as optimality is concerned, the execution control of EDZL can be seen as not conservative enough. Interestingly, despite its nonoptimality, EDF, or some variant of it, has been used as a basic building block in the design of optimal and efficient scheduling approaches.

The most conservative execution control approaches are based on the concept of fairness. They distribute processing resources within time windows, assigning time slots to each job within these windows proportionally to the execution rate needed by their associated tasks. Strict notions of fairness tend to produce small time windows and so jobs’ execution is split into several small chunks. Relaxed versions of fairness enlarge the generated time windows, producing fewer scheduling instants and execution chunks. The schedule illustrated in Fig. 1(b) could be produced by an algorithm based on fairness. Within time window [0, 3], all three jobs receive 2/3 of a processor. Based on that illustration, it is not difficult to picture a stricter fairness-based execution control, which could assign 2/3 of a processor to each job in time windows of size 1, for instance. Relaxed fairness criteria can be obtained by defining variable-size time windows, usually defined as a function of consecutive deadlines in the system.

More recently, some execution control approaches not based on fairness have been proposed. These also execute jobs in chunks. However, unlike fairness-based execution control, the generated chunk sizes are not necessarily proportional to the task utilization.

Although execution control conservativeness plays an important role in terms of the scheduling overhead generated, other scheduling principles are equally relevant. The rest of this section gives more details on this issue, describing the underlying principles used by several optimal scheduling algorithms.

3.1 Deadline Sharing

When it comes to optimality, McNaughton’s algorithm (McNaughton 1959) offers a good illustration of how application-related constraints play an important role in simplifying the scheduling problem. Indeed, this algorithm is optimal in the special case where all jobs share a common deadline. Considering a set of jobs to be scheduled at time t, all with deadline d > t, McNaughton’s algorithm simply produces the schedule within [t, d] by distributing the jobs’ workload sequentially across the processors:

(a) schedule the jobs one after another on a processor from t until deadline d;
(b) on the next processor, continue with the remaining execution time (if any) of the job that could not be entirely scheduled on the previous processor and then consider the remaining jobs as in (a);
(c) repeat steps (a)–(b) until all jobs are scheduled within [t, d] or all processors have been filled up.

An illustration of this algorithm is shown in Fig. 3. The job of τ1 is placed from time 0 on processor 1. As the job of τ2 cannot be entirely assigned to the same processor, its execution is split between processors. Then the assignment of the last job is carried out on the second processor.

[Figure: schedule of τ1, τ2, τ3 on Proc1 and Proc2 over time 0 to 10]

Fig. 3 A schedule according to McNaughton’s algorithm for a set of periodic tasks τ = {τ1:(8, 10), τ2:(8, 10), τ3:(4, 10)}. All jobs are released at time 0

Note that steps (a)–(c) consist of a simple scheduling criterion, which is trivially in line with EDF due to the fact that all jobs have the same deadline. Execution control employs just the degree of conservativeness needed for ensuring the required execution progress. As illustrated, it acts by suspending the execution of τ2 on processor 2 at time 6; this job then migrates to processor 1 and continues its execution from time 8. As will be seen later on, McNaughton’s algorithm has inspired other solutions. It also highlights the following observation.

Observation 2 (Scheduling Jobs With the Same Deadline Is Easy) The implementation of optimal multiprocessor scheduling is made simple when jobs share the same deadline.

Interestingly, the simplicity in obtaining optimality with McNaughton’s approach is in sharp contrast with the negative result stated in Theorem 3. It is also worth noticing that the periodic task model (Definition 3) is compatible with McNaughton’s algorithm if all periodic tasks are restricted to having the same period. Unfortunately, McNaughton’s approach is not directly applicable to most real-time applications since jobs usually do not share the same deadline in actual systems.

3.2 Fairness in Execution Progress

If τ is a set of implicit deadline periodic tasks, it is known that each task τi ∈ τ requires TiUτi time units to be executed during each time interval [(k − 1)Ti, kTi), for k = 1, 2, .... In other words, assuming that the first jobs of the tasks are released at time 0, each task τi ∈ τ requires kTiUτi processing units within time interval [0, kTi), for each k > 0. This requirement could be ensured if a fluid schedule could be implemented, according to which each task τi would be executed at a steady rate of Uτi, assigning tUτi time units to τi during any time interval [0, t). Although implementing such a schedule would not be possible in discrete systems since time advances in pre-defined steps and no more than m jobs can run on m processors at once, the concept of fluid schedule is a useful abstraction that captures the need to distribute processing resources proportionally to the execution rates the system tasks need.

Observation 3 (Proportionate Progress Ensures Optimality) Executing a task at a steady rate of its utilization suffices to ensure that all its jobs meet their deadlines.

As strictly ensuring proportionate progress by implementing a fluid schedule is not possible, a solution is to employ some approximation. One such approximation is named proportionate fairness (Pfair) (Baruah et al. 1996), according to which each task τi receives either ⌊tUτi⌋ or ⌈tUτi⌉ processing units during [0, t). Scheduling algorithms to implement such a notion of fairness can be obtained based on dividing the execution of each job of a task into uniformly sized chunks which are executed within small scheduling windows (Anderson et al. 2004). Executing jobs chunk-by-chunk provides compliance with the execution control requirement. It generates scheduling decision instants on a quantum basis. For example, a periodic task (8, 10) would have each of its jobs scheduled in 8 chunks (quantum of size 1). Each quantum would be associated with its own scheduling window defined by its (pseudo-) release instants and deadlines as if they were small jobs scheduled according to EDF but now with an execution control preserving proportionate fairness. The reader is referred to other sources for information on how to implement this kind of control, e.g., Anderson et al. (2004). This aspect will not be detailed here.

As a simple illustration, Fig. 4 depicts a Pfair schedule for the example shown in Fig. 3. It can be observed that proportionate fairness is enforced by the way the job chunks are scheduled, advancing or delaying the execution of the jobs as needed. By comparing this schedule with the one shown in Fig. 3, it is evident that besides the generation of too many scheduling instants, Pfair may also give rise to unnecessary preemption and migration events. As previously mentioned, scheduling instants, preemptions, and migrations are causes of scheduling overheads and should be minimized for the sake of making scheduling algorithms more practical.

[Figure: schedule of τ1, τ2, τ3 on Proc1 and Proc2 over time 0 to 10]

Fig. 4 A Pfair schedule for a set of periodic tasks τ = {τ1:(8, 10), τ2:(8, 10), τ3:(4, 10)}. All tasks are initially released at time 0

There are a number of scheduling algorithms capable of generating Pfair schedules for periodic task systems; classical examples are “Proportionate Fairness” (PF) (Baruah et al. 1996), “Pseudo-Deadline” (PD) (Baruah et al. 1995), PD2 (Anderson and Srinivasan 2000a), and “Pseudo-Laxity” (PL) (Kim and Cho 2011). Extensions for dealing with sporadic tasks have also been developed, e.g., Anderson and Srinivasan (2000b); Srinivasan and Anderson (2002).

Despite the fact that all versions of Pfair-like algorithms incur side-effects in terms of scheduling overhead, proportionate fairness is an important theoretical achievement. It has opened roads for other algorithms that implement relaxations of the proportionate fairness principle, decreasing scheduling overheads without compromising optimality. Indeed, as previously mentioned, what each task τi requires is actually dUτi processing resources at any of its jobs’ deadlines d. In this sense, proportionate fairness enforces a much stricter execution control rule. Several optimal algorithms employ a more relaxed rule, aiming at assigning djUτi time units between instant 0 and any deadline in the system dj, which suffices to ensure that all jobs of τi meet their own deadlines. This can be implemented as follows. Let d0, d1, d2, d be time instants such that d0 = 0 and dj ≤ d, with d being the deadline of the considered job of τi and dj the deadlines of other jobs in the system that occurred not after d. Executing any of τi’s jobs for (dj − dj−1)Uτi within any interval [dj−1, dj) ensures what is needed to meet the deadline of τi’s job at d. This weaker notion of fairness is stated as follows.

Observation 4 (Proportionate Progress at Deadline Boundaries Suffices to Ensure Fairness-Based Schedule) If all tasks receive processing shares equal to their utilization by all deadlines in the system, then every task receives the needed processing share by any of its own deadlines.

Proportionate progress at deadline boundaries provides a basis for a compromise between deadline sharing (Observation 2) and proportionate fairness (Observation 3). In fact, any mechanism that ensures progress based on deadline sharing will have to propagate all jobs’ deadlines across the system processors, avoiding the need of restricting application-related constraints too much. Further, a much relaxed version of proportionate fairness is obtained by requiring a fair distribution of processing resources at only deadline boundaries.

Several optimal scheduling algorithms are based on distributing processing shares considering Observation 4. This naturally holds true for McNaughton’s approach. Other algorithms for the periodic task model have been developed, notably “Boundary Fairness” (BF) (Zhu et al. 2003), DP-Wrap (Levin et al. 2010; Funk et al. 2011), “Largest Local Remaining Execution Time First” (LLREF) (Cho et al. 2006), “Precaution Greedy” (PG) and “Precaution Cut Greedy” (PCG) (Chen and Hsueh 2008), and “No Virtual Nodal Laxity First” (NVNLF) (Funaoka et al. 2008). Some of these algorithms prioritize jobs based on monitoring their execution progress and comparing it with the execution in a theoretical fluid schedule. This is the case of LLREF, PG, PCG, or NVNLF. Some of the algorithms based on Observation 4 have been extended to support sporadic tasks, e.g., Nelissen et al. (2014); Levin et al. (2010); Funk et al. (2011).

DP-Wrap is perhaps the simplest algorithm in this class. It can be described as follows. Within time intervals between consecutive deadlines, each of which defines a scheduling window, DP-Wrap assigns time slots to tasks equal to their utilization multiplied by the window size. These slots are then scheduled by applying McNaughton’s algorithm inside each scheduling window. For the scenario illustrated in Fig. 3, DP-Wrap would generate exactly the same schedule. Figure 5 depicts the schedule that would be generated by DP-Wrap for a slightly modified example. This time, one of the periodic tasks has a deadline of 5, giving rise to two scheduling windows within time interval [0, 10). All tasks are scheduled in both windows using McNaughton’s strategy.

[Figure: schedule of τ1, τ2, τ3 on Proc 1 and Proc 2 over time 0 to 10]

Fig. 5 A DP-Wrap schedule for periodic task set τ = {τ1:(4, 5), τ2:(8, 10), τ3:(4, 10)}. Jobs are released from time 0
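Steps (a)–(c) of McNaughton's algorithm in Sect. 3.1 and the DP-Wrap description above can be checked against the task sets of Figs. 3 and 5. The following Python sketch is an added example, not code from the chapter or from the cited papers; the function names, the task labels t1..t3 and the conflict check are assumptions made for illustration, and tasks are taken to be periodic with integer parameters and first release at time 0.

```python
from fractions import Fraction as F

def mcnaughton(work, m, t, d):
    """Wrap-around schedule of jobs sharing deadline d on m processors.

    work: list of (name, amount) to execute within [t, d].
    Returns one list of (start, end, name) chunks per processor.
    """
    length = F(d) - F(t)
    if any(w > length for _, w in work):
        raise ValueError("a job needs more time than the window offers")
    if sum(w for _, w in work) > m * length:
        raise ValueError("total workload exceeds the m processors")
    schedule = [[] for _ in range(m)]
    proc, used = 0, F(0)
    for name, w in work:
        while w > 0:
            # Step (a): fill the current processor up to the deadline.
            run = min(w, length - used)
            schedule[proc].append((t + used, t + used + run, name))
            used, w = used + run, w - run
            # Step (b): the remainder wraps to the start of the next one.
            if used == length:
                proc, used = proc + 1, F(0)
    return schedule

def dp_wrap(tasks, m, horizon):
    """DP-Wrap over [0, horizon] for tasks given as (name, C, T).

    Windows are delimited by consecutive deadlines; in each window every
    task receives U_i * (window length), laid out by McNaughton's algorithm.
    """
    bounds = sorted({F(0)} | {F(k * T) for _, _, T in tasks
                              for k in range(1, horizon // T + 1)})
    schedule = [[] for _ in range(m)]
    for a, b in zip(bounds, bounds[1:]):
        shares = [(name, F(C, T) * (b - a)) for name, C, T in tasks]
        for p, chunks in enumerate(mcnaughton(shares, m, a, b)):
            schedule[p].extend(chunks)
    return schedule

def parallel_conflicts(schedule):
    """Pairs of chunks in which one task would run on two processors at once."""
    chunks = [(s, e, name, p) for p, segs in enumerate(schedule)
              for s, e, name in segs]
    return [(x, y) for i, x in enumerate(chunks) for y in chunks[i + 1:]
            if x[2] == y[2] and x[3] != y[3] and x[0] < y[1] and y[0] < x[1]]

FIG3 = [("t1", 8, 10), ("t2", 8, 10), ("t3", 4, 10)]   # task set of Fig. 3
FIG5 = [("t1", 4, 5), ("t2", 8, 10), ("t3", 4, 10)]    # task set of Fig. 5

if __name__ == "__main__":
    for label, tasks in (("Fig. 3", FIG3), ("Fig. 5", FIG5)):
        print(label)
        for p, chunks in enumerate(dp_wrap(tasks, 2, 10), start=1):
            line = ", ".join(f"{n}[{float(s):g},{float(e):g})" for s, e, n in chunks)
            print(f"  Proc{p}: {line}")
```

For the Fig. 3 task set the output places τ2 on processor 2 during [0, 6) and on processor 1 during [8, 10), the migration described in Sect. 3.1; for the Fig. 5 task set the same layout is repeated in the windows [0, 5) and [5, 10).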

3.3 Task Aggregation as a Means of Fairness Relaxation

Consider an example that shows a problem in scheduling a set of tasks on m identical processors via some global algorithms. Let the set of tasks τ be composed of m + 1 periodic tasks,  m of which have the form (, 1) and one task is specified as 10 − 9, 10 + 2 , with  a positive small constant. Figure 6 illustrates a possible schedule for this system, which could be generated by assigning priorities to task jobs globally, using EDF, for example. The job of the high utilization task receives low priority and misses its deadline despite the fact that the system has plenty of spare processing resources available. The system utilization in this example is only Uτ → 1 for  → 0. That is, there may be missed deadlines even for systems requiring just more than 1 processor out of m.

[Figure: schedule of τ1, ..., τm and τm+1 on Proc1, Proc2, ..., Procm over time 0 to 10]

Fig. 6 Failure in scheduling a task set τ with n = m + 1 tasks on m processors, with τ = τ1 : (, 1) , τ2 : τ1 : (, 1) , τm : τm+1 : 10 − 9, 10 + 2 . Despite the low utilization of the task set, the high utilization task τm+1 misses its deadline

This example shows what is known as Dhall’s effect (Dhall and Liu 1978). It has been pointed out that this effect has helped to spread the impression that global scheduling was inferior to partitioned approaches (Davis and Burns 2011). Indeed, if two of the low utilization tasks were assigned to the same fixed processor in this example, the shown effect would vanish and the system could be correctly scheduled. Unfortunately, as previously mentioned, partitioned scheduling algorithms are not an option if optimality is to be achieved. In the following, servers will be used as a means of carrying out task aggregation and relaxing fairness.

Instead of partitioning the set of tasks into subsets to be assigned to m processors, the illustrated problem could also be solved if the two tasks were grouped together as if they were a single entity to be scheduled, that is, using the concept of servers (recall Definition 1). Considering the illustrative example with m + 1 tasks described in Fig. 6, let two of the low utilization tasks be clients of a server σi. It is not difficult to see that if the system provides enough processing resources to a server (e.g., 2 units per 1 time unit) and the server is capable of scheduling these two tasks (e.g., by sequencing them), then all deadlines are met in this example even if a global scheduling approach is employed at the system level. In summary, decreasing the number of entities to be scheduled may help in improving schedulability.

Observation 5 (Task Aggregation Can Improve Schedulability) If dealing with many low utilization tasks is a problem, join them into a higher utilization server. If servers are correctly scheduled and they correctly schedule their clients, a valid schedule at system level is obtained.

Aggregating the system tasks into servers also allows each server to act as an execution control mechanism applied to its client tasks. As the server does not use fairness-based rules to schedule its clients, it is also a means of reducing fairness. Consequently, scheduling overhead can be decreased since a less fair execution control may generate fewer preemptions. To make the positive effects of aggregating tasks into servers more evident, consider another example, with task set τ containing four periodic tasks, τ1:(4, 5), τ2:(1, 2), τ3:(2, 5), and τ4:(3, 10), to be scheduled on two processors. Assume first that τ is scheduled by DP-Wrap, which produces the schedule given in Fig. 7(a). Alternatively, let tasks τ3 and τ4 be packed into a server σi. The same DP-Wrap algorithm applied to τ1, τ2, and σi generates the schedule depicted in Fig. 7(b). It is considered that σi schedules its clients according to EDF. As can be seen, the executions of τ3 and τ4 are no longer pieced proportionally to their individual utilization. They use the time the server provides and follow the EDF schedule, i.e., τ3’s job executes until completion before τ4 starts executing. Aggregation in this context relaxes fairness.

Observation 6 (Task Aggregation Is a Means of Relaxing Fairness) Servers with utilization less than one can provide the necessary controlled execution progress of their clients, diminishing fairness in the generated schedule.

[Figure, two panels, each showing τ1, τ2, τ3, τ4 on Proc1 and Proc2 over time 0 to 10: (a) DP-Wrap schedule for a set of tasks; (b) DP-Wrap schedule considering two tasks aggregated into a server]

Fig. 7 Reducing preemption points by aggregating tasks into servers. The task set τ = {τ1:(4, 5), τ2:(1, 2), τ3:(2, 5), τ4:(3, 10)} is scheduled by DP-Wrap: (a) tasks are individually considered; and (b) τ3 and τ4 are scheduled via server σi

A scheduling algorithm that would generate the kind of schedule depicted in Fig. 7(b) is known as EKG (Andersson and Tovar 2006), which stands for “EDF with task splitting and k processors in a group.” EKG first partitions the task set into subsets, each one assigned to a cluster of k processors. The algorithm achieves optimality when it is configured to have a single cluster, namely, when k equals the number of processors in the system. Considering this particular case, as the focus here is on optimality, EKG works similarly to DP-Wrap. The main difference is due to task aggregation, as already illustrated in Fig. 7(b). Under EKG, tasks are assigned to processors in an off-line manner. A migrating task is divided into two pieces scheduled on two processors at a high priority level. Nonmigrating tasks are scheduled in background via EDF. Each piece of the migrating task receives a maximum budget on its processor subject to local schedulability guarantees. Nonmigrating tasks can thus be seen as executing within a server capable of scheduling them according to EDF, as it is the case for tasks τ 3 and τ 4 in Fig. 7(b). Their execution progress could be thought of as controlled by the server jobs whose workload is a function of the server utilization. As a result, from the perspective of nonmigrating tasks, this scheme works as if they were executing on a processor at a lower rate. This is the effect of relaxing fairness previously explained.

6 Practical Considerations in Optimal Multiprocessor Scheduling


EKG has been shown to be an efficient way of ensuring execution progress with a limited notion of fairness, as already illustrated in the schedules of Fig. 7. However, it is possible to go further and remove any notion of fairness in the schedule.

3.4 Nonfair Execution Progress Is Possible

It has been seen in the previous section that although DP-Fair is a considerable improvement over Pfair, it is still overly conservative. Task aggregation was then used for decreasing fairness in the schedule. However, at the system level, i.e., considering task aggregation into servers, the generated schedule is fair at deadline boundaries (Observation 4). In this section, another strategy is employed. EDF is used as the basis for enforcing the necessary execution progress. The basic idea is the following. Consider an EDF schedule of a set of jobs on a processor from instant t and assume that some job J misses its deadline at instant d according to this schedule. The deadline miss can be avoided if J starts its execution on another processor at t and executes there for the necessary amount of time so that the portion of J left on the first processor is small enough to finish at instant d in the EDF schedule.

As an illustration of this execution control mechanism, consider again the example of Fig. 7 but now letting the tasks always be ordered according to EDF at every scheduling instant. At instant 0, a possible EDF priority order, from highest to lowest, would be τ 2 , τ 3 , τ 1 , and τ 4 . If all these tasks were scheduled by EDF on a single processor, the first job of τ 1 would miss its deadline at time 5 whereas the earlier deadlines of τ 2 and τ 3 could be met. This means that executing a portion of some of these tasks on another processor is necessary. A natural choice could be to distribute the execution of τ 1 at the boundaries of interval [0, 5) so as to avoid that it executes in parallel to itself. The execution order for tasks τ 2 and τ 3 could follow EDF.

Under this strategy, the schedule generation can be carried out as follows. At instant 0, the execution of tasks τ 2 and τ 3 can be assigned to the first processor since U{τ2, τ3} = 0.9. No deadline would be missed before time 5. This processor can be made fully utilized within interval [0, 5) by assigning a portion of 0.5 time unit of τ 1 ’s first job. The remaining 3.5 time units of τ 1 can be assigned to the second processor, which can also deal with the execution of τ 4 . Both portions of τ 1 can be executed at the boundaries of interval [0, 5) so as to avoid self-parallelism. This strategy produces a nonfair schedule since it is equivalent to applying EDF to the jobs or portions of jobs assigned on each processor. For example, as can be seen in Fig. 8, within [0, 5), the execution of τ 2 , τ 3 , and 0.5 time units of τ 1 follows EDF on the first processor. Within this time window, 3.5 time units of τ 1 and τ 4 are also scheduled on the second processor by EDF. The figure depicts the schedule that would be generated applying this strategy during [0, 10).


G. Lima et al.

Fig. 8 A schedule produced by U-EDF for a periodic task set τ = {τ 1 : (4, 5), τ 2 : (1, 2), τ 3 : (2, 5), τ 4 : (3, 10)}. All tasks are initially released at time 0

[Figure 8: executions of τ 1 to τ 4 on Proc1 and Proc2 over time 0 to 10.]

It is worth noticing that this assignment scheme is carried out on-line at each scheduling instant. This means that at each release of a job or at each time the slot assigned to execute a job finishes, a new assignment is carried out. As each assignment requires processing all n jobs on m processors, the complexity of this assignment scheme is O(n × m). The algorithm that implements this reasonably simple scheduling scheme is named U-EDF (Nelissen et al. 2011), which stands for “Unfair scheduling algorithm based on EDF.” The scheme relies on the fact that EDF, as an optimal policy for uniprocessor systems, is capable of dealing with what is assigned to each processor as long as it is feasible. Parallel execution of a migrating job is trivially avoided by the fact that jobs’ portions are executed at the boundaries between the current scheduling instant and its own deadline. For example, a job with deadline at instant d that is split into two portions at a scheduling instant t starts executing at t on one processor and finishes executing by d on another. If self-parallelism is not avoidable from t, then the job would require more than d − t time units during interval [t, d), implying that from instant t no feasible schedule exists.

Compared with fairness-based scheduling, even considering the weak-fair mechanism employed in EKG, U-EDF brings performance improvements in terms of the number of preemptions and migrations it generates. U-EDF has also been extended for scheduling sporadic tasks (Nelissen et al. 2012). From the description in this section, it can be highlighted that:

Observation 7 (Fairness Is Not Needed for Optimality) Fairness is not necessary for designing optimal multiprocessor real-time scheduling algorithms.

3.5 Nonfair Execution Progress Via Duality

As seen in the previous section, the notion of fairness, either in its strict or relaxed forms, is not mandatory for achieving optimality. Weaker fairness principles, like in EKG, or even the absence of fairness, as shown in U-EDF, have not precluded scheduling optimality. This section stresses this fact by explaining the concept of duality, which can be used as an effective execution control mechanism. Duality can be better explained by focusing on the slacks associated with each task rather than the tasks themselves. The slack of a task is the maximum time any of its jobs can await execution without missing its deadline. Under the considered periodic task model, the slack of a task τ i : (Ci , Ti ) is Ti − Ci . Assume a set of periodic tasks and define a task τi∗ : (Ti − Ci , Ti ) associated with each task τ i : (Ci , Ti ) in the set. Scheduling τi∗ can thus be seen as dual-equivalent to scheduling the nonexecution of τ i . Whenever τi∗ does not execute in this dual schedule, τ i should execute to meet its deadlines in the primal schedule. Under this condition, τi∗ meets all its deadlines if and only if τ i also does so since they share the same deadlines and have complementary execution time. Indeed, scheduling τi∗ is the dual of scheduling τ i ; τi∗ is thus named dual w.r.t. the primal task τ i . Although simple, this observation has been shown to be very powerful in simplifying the multiprocessor scheduling problem for periodic tasks under certain special conditions, as explained next.

Consider the set of tasks used in previous illustrations, namely τ = {τ 1 : (4, 5), τ 2 : (8, 10), τ 3 : (4, 10)}. Its associated set of dual tasks would be τ ∗ = {τ1∗ : (1, 5), τ2∗ : (2, 10), τ3∗ : (6, 10)}. As Uτ ∗ = 1, the dual system can be optimally and efficiently scheduled on a single processor via EDF. This schedule would define when each dual task executes, which by duality-equivalence, also informs when each primal task should not execute. Figure 9 presents a typical schedule generated for the illustrative system. Since EDF generates the dual schedule, the primal schedule does not contain any notion of fairness but provides the necessary scheduling instants and an efficient execution control mechanism. The EDF dual schedule is depicted in the figure on an extra (virtual) processor placed on the top. The execution of each dual task is represented using the same filling patterns used for their respective primal tasks with distinct contour boxes to differentiate them. The same kind of representation will be used in other illustrations in this chapter.

Fig. 9 A 2-processor schedule generated by duality-equivalence w.r.t. an EDF uniprocessor schedule. All tasks of the set of periodic tasks τ = {τ 1 : (4, 5), τ 2 : (8, 10), τ 3 : (4, 10)} are assumed to be released at time 0

[Figure 9: timelines for the virtual processor ProcV and for Proc1 and Proc2 over time 0 to 10, showing τ 1 , τ 2 , and τ 3 .]

Unfortunately, the duality principle alone does not always work. Three problems can be identified, all of them related to the utilization of the dual task set:

1. Low utilization task. Let τi∗ be a dual task of τ i with Uτi < 1/2. In this case, Uτi ∗ > 1/2, which implies that a dual task set may require more processing resources than the original (primal) task set. That is, the presence of low-utilization tasks in the system may increase the complexity of the problem one is interested in solving in the first place.

2. Under-utilized system. Consider a set of n tasks τ to be scheduled on m processors but with utilization m − 1 < Uτ < m. In this case, the utilization of the dual set τ ∗ is

$$U_{\tau^*} = \sum_{\tau_i \in \tau} \frac{T_i - C_i}{T_i} = \sum_{\tau_i \in \tau} \left(1 - U_{\tau_i}\right) = n - U_{\tau}$$

and so Uτ ∗ is not a whole number. This implies that there will be idle time intervals when scheduling either τ or τ ∗ . The presence of idle time in the schedule breaks the complementarity of the dual and primal systems. During these intervals, duality does not inform how to determine the schedule of primal tasks. In Fig. 9, note that the system pair τ and τ ∗ execute all the time.

3. Nonreducible task set. The application of duality, as illustrated in Fig. 9, assumes that the dual task set is feasible on a uniprocessor system. As previously explained, the presence of low utilization tasks may make this assumption invalid. Similar difficulties may occur for certain systems that are not subject to uniprocessor reducibility via duality. An example is a task set composed of five tasks, each with utilization 3/5. The dual task set would require two processors. Dealing with this example would require an optimal 2-processor scheduling algorithm so that a correct schedule on three processors could be generated via duality.

Despite the fact that duality alone does not ensure scheduling optimality, it must be emphasized that it is a simple yet powerful principle. It provides a means to get rid of any notion of fairness in implementing an efficient execution control mechanism.

Observation 8 (Duality Is a Means of Obtaining Nonfairness-based Schedule) Scheduling a set of periodic tasks on multiple processors can be equivalent to scheduling their slacks on a single processor, which can be done in a nonfairness-based manner.

As duality alone cannot be used for achieving optimality, if duality is to be used, other scheduling principles need to be investigated to address the aforementioned problems. A seminal result in this respect has been named RUN (Regnier et al. 2011, 2013), which stands for “Reduction to Uniprocessor.” As will be described in more detail in section “Hierarchical Nonfairness Based Approaches,” RUN shows how to jointly apply duality and aggregation for achieving scheduling optimality.
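The duality construction of this section can be checked mechanically. The following Python sketch is an added example, not code from the chapter: it builds the dual set, schedules it with EDF on one processor, and derives the primal schedule by complement. The task names t1 to t4, the tie-break by name, and the unit-slot simulation (valid for integer parameters) are assumptions of the example.

```python
from fractions import Fraction

# Task sets taken from the page, as name -> (C, T); the names are this example's labels.
PAGE_SET = {"t1": (4, 5), "t2": (8, 10), "t3": (4, 10)}               # Fig. 9 example
FIG7_SET = {"t1": (4, 5), "t2": (1, 2), "t3": (2, 5), "t4": (3, 10)}  # Fig. 7 example


def dual_of(tasks):
    """Dual of (C, T) is (T - C, T): same deadlines, complementary execution time."""
    return {name: (T - C, T) for name, (C, T) in tasks.items()}


def utilization(tasks):
    """Exact total utilization, the sum of C/T."""
    return sum(Fraction(C, T) for C, T in tasks.values())


def edf_uniprocessor(tasks, horizon):
    """Preemptive EDF on one processor, simulated in unit slots.

    Assumes integer C and T and synchronous release at time 0. Returns the name
    run in each slot (None when idle) and raises ValueError on a deadline miss.
    """
    remaining = {name: 0 for name in tasks}
    deadline = {name: 0 for name in tasks}
    timeline = []
    for t in range(horizon + 1):
        for name, (C, T) in tasks.items():
            if t % T == 0:  # period boundary: previous deadline and next release
                if remaining[name] > 0:
                    raise ValueError(f"{name} misses its deadline at time {t}")
                remaining[name], deadline[name] = C, t + T
        if t == horizon:
            break
        ready = [n for n in tasks if remaining[n] > 0]
        run = min(ready, key=lambda n: (deadline[n], n)) if ready else None
        if run is not None:
            remaining[run] -= 1
        timeline.append(run)
    return timeline


def primal_from_dual(tasks, dual_timeline):
    """A primal task executes in a slot exactly when its dual does not."""
    slots = []
    for t, running_dual in enumerate(dual_timeline):
        if running_dual is None:
            # Idle time in the dual breaks complementarity (the under-utilized case).
            raise ValueError(f"dual schedule is idle at time {t}")
        slots.append(sorted(n for n in tasks if n != running_dual))
    return slots


def primal_is_valid(tasks, slots, m):
    """At most m tasks per slot and every job gets exactly C slots in its period.

    A task appears at most once per slot, so no job runs in parallel to itself.
    """
    if any(len(running) > m for running in slots):
        return False
    for name, (C, T) in tasks.items():
        for start in range(0, len(slots) - T + 1, T):
            if sum(name in slots[t] for t in range(start, start + T)) != C:
                return False
    return True


if __name__ == "__main__":
    dual = dual_of(PAGE_SET)
    timeline = edf_uniprocessor(dual, 10)
    for t, running in enumerate(primal_from_dual(PAGE_SET, timeline)):
        print(f"[{t},{t + 1}) dual {timeline[t]}* | primal {running}")
    # The Fig. 7 set is not reducible this way: its dual still needs two processors.
    print("dual utilization of the Fig. 7 set:", utilization(dual_of(FIG7_SET)))
```

Running EDF on the dual of the Fig. 7 task set raises a deadline miss, because that dual set has utilization 2 and cannot fit on one processor.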

3.6 Nonfair Execution Progress Via Relaxing Partitioning

Semi-partitioned scheduling approaches, such as EKG, are built on top of a relaxation of the classical Bin-Packing problem (Coffman Jr. et al. 1997). Each task utilization represents an item to be packed into bins (i.e., processors) of capacity 1. A proper partition of the task set is a solution of the Bin-Packing problem not exceeding the number of bins available. If a proper partition is not found, under semi-partitioning some tasks are cut into pieces each of which is assigned to two or more processors subject to schedulability constraints. As long as the subsets of tasks and portions of them assigned to each processor can be optimally scheduled, the whole task set can also be, as is the case with EKG. All semi-partitioned scheduling algorithms have a common characteristic: when a proper partition is not found, some tasks are chosen as migrating in an off-line manner. The advantages of employing partitioning relaxation are related to reducing run-time overheads since only a few tasks migrate during their execution. Ideally, migration should be considered only when needed.

Observation 9 (Partitioned Scheduling Should Be Used Whenever Possible) As far as scheduling overhead is concerned, whenever task migration is not shown necessary for ensuring schedulability, partitioned scheduling approaches are preferable. When task migration events are unavoidable, they should be minimized.

Another relaxation for the Bin-Packing problem applied to real-time scheduling is carried out by the “Quasi-Partitioned Scheduling” (QPS) algorithm (Massa et al. 2014, 2016). The algorithm itself will be better described in section “Hierarchical Nonfairness Based Approaches.” Here the basic principles behind quasi-partitioning will be illustrated. In a system with m processors, whenever the task set can be properly partitioned into up to m subsets, each of these partition subsets can be feasibly scheduled on a processor. In this case, both semi-partitioned approaches and QPS behave like a partitioned scheduling scheme. Otherwise, at least one of these partition subsets has utilization greater than 1 implying that some tasks must migrate during their execution. Instead of defining the migrating tasks beforehand, as it is done by the semi-partitioned approaches, QPS determines which tasks migrate at run-time.

To better illustrate what lies behind quasi-partitioning and to highlight its difference with respect to semi-partitioning, consider again the set of three tasks τ = {τ 1 : (4, 5), τ 2 : (8, 10), τ 3 : (4, 10)}, to be scheduled on two processors, previously shown in Fig. 5. Under semi-partitioning a possible solution would be assigning tasks τ 1 and τ 3 to their own processors, whereas τ 2 could migrate between processors during its execution. Under quasi-partitioning, the example could be managed as follows: assign task subset τ 1 = {τ 1 } to its own processor and subset τ 2 = {τ 2 , τ 3 } to a second processor while reserving a share of the first processor to complement the execution of subset τ 2 . As the utilization of subset τ 2 is 1.2, this share would correspond to 20% of a processor. In Fig. 10 this corresponds to time interval [4, 6), when only the elements of subset τ 2 execute. Care must be taken for not allowing either τ 2 or τ 3 to be scheduled in parallel to itself. In other words, whenever tasks in subset τ 2 are scheduled, either the task in subset τ 1 runs in parallel to some task in subset τ 2 or distinct tasks in subset τ 2 are scheduled in parallel to each other.

Fig. 10 A schedule for τ = {τ 1 : (4, 5), τ 2 : (8, 10), τ 3 : (4, 10)} under the quasi-partitioned scheduling approach. All jobs are assumed to be released at time 0

[Figure 10: executions of τ 1 , τ 2 , and τ 3 on Proc1 and Proc2 over time 0 to 10, annotated with servers σ M , σ S , σ A , and σ B .]

In order to ensure that τ 2 and τ 3 can execute in parallel during 20% of the time, execution control must limit the time they do not execute in parallel. As Uτ2 = 0.8 and Uτ3 = 0.4, enforcing the parallel execution of these two tasks for 20% of the time means that during 80% − 20% = 60% of the time τ 2 should not execute in parallel with τ 3 . Likewise during 40% − 20% = 20% of the time, τ 3 should not execute in parallel with τ 2 . That is, when they are scheduled concurrently on their dedicated processor, τ 2 and τ 3 consume at most 60% and 20% of processing resources doing so, respectively. Portions equivalent to 20% of a processor are saved for the parallel execution of the two tasks in subset τ 2 . In this context, the concept of servers, as previously explained, is important. Encapsulating τ 2 and τ 3 into two distinct servers σ A and σ B with utilization of 0.6 and 0.2, respectively, can fulfill what is required for concurrent execution on the same processor. That is, σ A and σ B , which are assigned to the same processor, limit the execution of τ 2 and τ 3 . They are called dedicated servers. Two other servers, σ M and σ S , both with utilization equal to 0.2, can be in charge of ensuring parallel execution. Further, making servers inherit the deadlines of their clients ensures that scheduling decisions can be locally made using EDF on each processor, similarly to partitioned approaches. A difference to partitioned EDF scheduling would be that whenever σ M is scheduled, σ S must also be scheduled so as to enforce the desired parallel execution of τ 2 and τ 3 . Due to this behavior, these servers are named master and slave in the QPS terminology, respectively. Note that this parallel execution enforcement is still compatible with the EDF priority assignment. Indeed, τ 2 and τ 3 are clients of both σ M and σ S and so they share the same deadlines (recall Definition 1).

As previously observed, servers can be used to enforce some level of conservativeness as for the execution control of their clients. It can be noted now that servers’ utilizations are parameters to regulate the execution of their clients. Utilization values less than what is required by their respective clients are being assigned to dedicated servers, increasing the conservativeness of their execution control. As an illustration, consider the schedule of Fig. 10. The jobs of all tasks are assumed to be released at time 0. At this time, the highest priority job (by EDF) is that of τ 1 on the first processor. All server jobs have deadlines at 10 on both processors. Task τ 1 is thus chosen to run on its processor. EDF-based choice on the second processor is arbitrary as all jobs have the same deadline. The figure shows τ 2 being chosen to run from 0. The first job of τ 1 runs until completion, finishing its execution at time 4. Then the server assigned to this processor, namely, σ M , is scheduled and runs until time 6 in parallel with server σ S on the second processor. This does not cause a context switch. As can be seen, τ 2 is kept executing but now as a client of σ S . Indeed, at time 8, τ 2 completes its execution without suffering preemption or migration. As can be observed, there is no notion of fairness in the produced schedule. It is also worth noticing that either τ 2 or τ 3 is allowed to migrate and migration choices can be made on-line. If τ 3 were executing at the moment σ M and σ S were scheduled, τ 2 could be chosen as migrating task so as to keep τ 3 on the same processor.

Some observations regarding preemption and migration overheads can be drawn from the type of schedule generated by the quasi-partitioning strategy. First, it can be noted that deadline sharing (Observation 2) is being used but in a very limited manner; it is confined within each subset of tasks that may migrate, which is subset τ 2 in the example of Fig. 10. Recall that global scheduling approaches such as DP-Wrap or LLREF, or even semi-partitioned approaches such as EKG, may propagate tasks’ deadlines across the entire system so as to define synchronized instants to take advantage of the deadline sharing principle. Doing so, they may generate too many chunks of a job so as to enforce fairness. Confining deadline sharing under quasi-partitioning is a means of reducing such overheads. Second, by not defining which specific task should migrate, quasi-partitioning may further decrease migration overhead. As any task within a subset assigned to more than one processor may migrate, the scheduler may choose the migrating tasks based on information about recently executed tasks or cache state, for example. Third, the task subsets in quasi-partitioning may contain an arbitrary number of tasks. However, scheduling decisions are made within each subset and progress is regulated by the server mechanism, which suspends the execution of their clients conservatively. The overall overhead in terms of preemption and migration is expected to be low.

The description of quasi-partitioning has been made based on the assumption that the set of tasks could be partitioned so that the generated task subsets are feasible on at most two processors. This is not always possible. Take as an example a set of five tasks with utilization 0.8 each to be scheduled on four processors. Four of these tasks could be packed together in pairs, generating two task subsets each requiring 1.6 processors. According to the above explanation, two servers, with utilization of 0.6 each, would be created to deal with what exceeds one processor for each subset. These servers, however, cannot be entirely assigned to a single processor. One such server and the fifth task also exceed the capacity of a processor. The QPS algorithm solves this problem by recursively quasi-partitioning the system tasks, as described in the next section.

4 Hierarchical Nonfairness Based Approaches

This section describes two of the aforementioned algorithms, RUN (Regnier et al. 2011, 2013) and QPS (Massa et al. 2014, 2016). Both make use of several principles previously observed. RUN transforms the multiprocessor scheduling problem into one or more uniprocessor scheduling problems. This is done by recursively applying duality and aggregation in a very effective way such that the problems pointed out in section “Nonfair Execution Progress Via Duality” are circumvented. QPS carries out quasi-partitioning recursively and also makes use of aggregation. Both approaches use the same strategy for aggregation, via a server mechanism equipped with an EDF scheduler, which has been defined in section “Fixed-rate Servers”. Also, both approaches can be seen as hierarchical: on-line scheduling decisions follow a tree structure, which is defined off-line. Sections “The RUN Algorithm” and “The QPS Algorithm” explain the specifics of each algorithm. It is assumed in these sections that the system complies with the periodic task model as stated in Definition 3. Sporadic tasks will be considered in section “Dealing with Sporadic Tasks”.

It is worth pointing out that both RUN and QPS have been experimentally analyzed. It has been reported, for example, that their scheduling overheads are in general relatively low, compared to those found on nonoptimal partitioned or global EDF. Readers interested in the experimental performance analysis of these algorithms may refer to Compagnin et al. (2014, 2015), as this aspect will not be addressed here.

4.1 The RUN Algorithm

The RUN algorithm first carries out an off-line transformation of the multiprocessor system and then uses the information from this transformation to generate the schedule on-line. Both phases are now described.

4.1.1 Off-line Phase

In the off-line phase, RUN carries out a series of PACK and DUAL operations for iteratively reducing the number of processors in a (virtual) multiprocessor system until an equivalent uniprocessor system is obtained. The PACK operation aggregates low-utilization tasks (or servers) into a set of high-utilization servers, improving schedulability (Observation 5). This ensures that the dual system requires less processor resources than the corresponding primal, circumventing the low-utilization task problem mentioned in section “Nonfair Execution Progress Via Duality”. In order to avoid problems related to under-utilized systems, RUN fills the system with dummy tasks so that the system utilization equals its number of processors. Doing so is not a problem because executing a dummy task on a processor during a certain time interval is equivalent to keeping the processor idle in this interval. The DUAL operation creates the corresponding dual servers which require less processing resources than their primal ones provided that the PACK operation has been previously performed. By carrying out both operations in a systematic way, RUN reduces both the number of entities to be scheduled (by aggregation) and the number of processors considered (by duality).

The DUAL operation on a (primal) server σ i creates a (dual) server σi∗ ; its utilization equals Uσi ∗ = 1 − Uσi and all deadlines of σ i are also deadlines of σi∗ . Hence, the execution time of σi∗ during any time window represents the slack time of σ i in that window and vice versa. Also, the execution of σi∗ in the dual system induces the nonexecution of σ i of the primal system and vice versa. Further, by using servers RUN relaxes the need of fairness (Observation 6) since their clients are scheduled by EDF. By applying aggregation together with duality, fairness is made unnecessary.

The reduction carried out by RUN was illustrated in Fig. 9. A slightly more complex example is now given for highlighting more details about the algorithm. Consider a set of seven periodic tasks all initially released at time 0. Let τ 1 , τ 2 , τ 3 , τ 7 be in the form (5, 7) and τ 4 , τ 5 , τ 6 be defined as (10, 14). The result of the off-line phase is a tree, as shown in Fig. 11. This tree is named reduction tree and expresses how a multiprocessor system has been transformed into a uniprocessor system. The tree is built by applying PACK and DUAL operations successively. The tree is then used at run-time to generate an on-line schedule.

Initially, PACK does not group any system tasks for the given example because each of them has utilization greater than 0.5 and RUN packs tasks to be scheduled by servers which cannot have utilization greater than 1. The DUAL operation can be applied and it creates seven dual tasks τi∗ : (2, 7), i = 1, 2, 3, 7 and τi∗ : (4, 14), i = 4, 5, 6. Applying the PACK operation on these dual tasks may group them together as follows: Tasks τ1∗ , τ2∗ , and τ3∗ can be associated to a server σ 1 ; τ4∗ , τ5∗ , and τ6∗ to a server σ 2 ; and τ7∗ to server σ 3 .

[Figure 11: reduction tree with levels, from top to bottom: the EDF root; second reduction (σ1∗ , σ2∗ , σ3∗ ); first reduction (σ 1 , σ 2 , σ 3 ); dual tasks (τ1∗ to τ7∗ ); real tasks (τ 1 to τ 7 ).]

Fig. 11 Reduction tree created off-line by RUN for an example with seven tasks, all with utilization 5/7; τ 1 , τ 2 , τ 3 , and τ 7 have deadlines equal to 7 whereas the deadlines of τ 4 , τ 5 , τ 6 are 14. Two reduction levels are necessary. DUAL and PACK operations are indicated by arrows and horizontal lines, respectively. Solid rectangles indicate the number of processors used by pseudo-clusters: two processors for {τ 1 , τ 2 , τ 3 } and two processors for {τ 4 , τ 5 , τ 6 }; these pseudo-clusters also use 1/7 of another processor for which σ1∗ and σ2∗ are in charge of; for {τ 7 } there is no need to reserve an entire processor. It is handled via σ3∗ , which reserves 5/7 of a processor


As the cumulated servers’ utilizations sum to more than one (Uσ1 = Uσ2 = 6/7 and Uσ3 = 2/7), a second reduction level is needed. Carrying out the DUAL operation this time creates the dual system σ1∗ , σ2∗ , and σ3∗ , which can be scheduled on a single processor since Uσ1∗ = 1/7, Uσ2∗ = 2/14 and Uσ3∗ = 5/7. This ends the off-line phase. Note that there are two virtual systems, one at the first reduction level with two processors obtained by the first reduction, and another at the second reduction level with a single processor, the result of the second reduction. The former is composed of servers σ 1 , σ 2 , and σ 3 and their client tasks obtained by duality of the real tasks τ i , i = 1, 2, . . . , 7. The latter virtual system is made of servers σ1∗ , σ2∗ , and σ3∗ . During the on-line phase, all virtual and real systems are scheduled.

An interesting aspect is the formation of the pseudo-clusters {τ 1 , τ 2 , τ 3 }, {τ 4 , τ 5 , τ 6 } and {τ 7 }. These are not real clusters since processors on which these tasks run are not fixed. Thinking in terms of clusters, however, helps in understanding the effect the reduction tree has on how RUN divides processing resources among system tasks. Note that these three clusters have total utilization respectively equal to 2+1/7, 2+1/7, and 5/7. A valid schedule for the system can be obtained if each of the first two clusters is assigned to two dedicated processors plus 1/7 of another processor; and the third cluster, namely {τ 7 }, receives 5/7 of a processor. Note that there is no need to assign a dedicated processor to {τ 7 } since its utilization is less than one. The processor in charge of managing cluster {τ 7 } can be shared with the other clusters for dealing with what exceeds their two dedicated processors. This is the role of servers σ1∗ , σ2∗ , which are scheduled concurrently with σ3∗ . The schedule generated by RUN follows this reasoning although, as previously mentioned, no real cluster formation is necessary.
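The alternation of PACK and DUAL in the off-line phase can be traced in code. This Python sketch is an added example, not the RUN authors' implementation: first-fit packing in input order, the treatment of unit servers, the server names such as s1.2, and the helper names are assumptions, and only utilizations are tracked (deadlines are omitted).

```python
from fractions import Fraction


def fill_with_dummies(tasks, m):
    """Add dummy tasks so that total utilization equals m (the under-utilized case)."""
    items = [(name, Fraction(u)) for name, u in tasks]
    slack = m - sum(u for _, u in items)
    if slack < 0:
        raise ValueError("total utilization exceeds the number of processors")
    k = 0
    while slack > 0:
        k += 1
        share = min(slack, Fraction(1))  # a single task cannot exceed utilization 1
        items.append((f"dummy{k}", share))
        slack -= share
    return items


def pack(items):
    """PACK: aggregate items into servers of utilization <= 1.

    First-fit in input order is this example's assumption; the page does not
    prescribe a packing heuristic. Returns [utilization, member names] per server.
    """
    bins = []
    for name, u in items:
        for b in bins:
            if b[0] + u <= 1:
                b[0] += u
                b[1].append(name)
                break
        else:
            bins.append([u, [name]])
    return bins


def run_reduction(tasks, m):
    """Alternate PACK and DUAL until only unit servers remain.

    Level 0 packs the real tasks; each later level packs the duals of the
    previous level's servers. Returns one list of (name, U, members) per level.
    """
    items = fill_with_dummies(tasks, m)
    levels = []
    while True:
        servers = [(f"s{len(levels)}.{j + 1}", u, members)
                   for j, (u, members) in enumerate(pack(items))]
        levels.append(servers)
        # Assumption of this sketch: a unit server occupies one (virtual)
        # processor by itself and is not carried to the next level.
        non_unit = [(name, u) for name, u, _ in servers if u < 1]
        if not non_unit:
            return levels
        # DUAL: complementary utilization; deadlines (not modeled here) are kept.
        items = [(name + "*", 1 - u) for name, u in non_unit]


def virtual_processors(level):
    """Processors needed by a level: the sum of its server utilizations."""
    return sum(u for _, u, _ in level)


# The page's seven-task example: utilization 5/7 each, to be run on five processors.
SEVEN = ([(f"t{i}", Fraction(5, 7)) for i in (1, 2, 3)]
         + [(f"t{i}", Fraction(10, 14)) for i in (4, 5, 6)]
         + [("t7", Fraction(5, 7))])

if __name__ == "__main__":
    for depth, level in enumerate(run_reduction(SEVEN, 5)):
        print(f"level {depth}: {virtual_processors(level)} processor(s)")
        for name, u, members in level:
            print(f"  {name} U={u} <- {members}")
```

For the seven-task set this yields levels needing 5, 2, and 1 processors, with first-level servers of utilization 6/7, 6/7, and 2/7, matching the two reductions described above.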

4.1.2 On-line Phase

During the on-line phase, the reduction tree is followed in a top-down manner. Servers selected at a reduction level induce the nonselection of related servers at the immediate lower level by duality. Once a server is selected at a reduction level, its highest priority client is scheduled. The decisions start at the tree root, by scheduling the earliest deadline server at this level.

Figure 12 is used to illustrate the schedule generated in this phase for the example shown in Fig. 11. All reduction levels are considered so that the dual-equivalence between the levels can be observed. As the deadlines of servers’ clients are also servers’ deadlines (recall Definition 1), at time 0 the deadlines of σ1∗ and σ3∗ equal 7 (the minimum deadline of {τ 1 , τ 2 , τ 3 } and {τ 7 }), whereas that of σ2∗ is 14 (the earliest deadline of {τ 4 , τ 5 , τ 6 }). As scheduling choices must begin at the highest reduction level (in this case, the second one), Fig. 12 shows that server σ1∗ is selected (via EDF) to execute at time 0 on the single virtual processor, ProcV1. This means that its primal, namely σ 1 , must not execute and servers σ 2 and σ 3 are then selected to execute on the two virtual processors at the first reduction level. As σ 1 is not selected at the first reduction level, none of its dual clients τ1∗ , τ2∗ and τ3∗ are scheduled at time 0 and their respective primal tasks (τ 1 , τ 2 and τ 3 ) are selected to execute at time 0. Servers σ 2 and σ 3 select their highest priority clients (via EDF), τ4∗ and τ7∗ , for instance. By duality, this means that tasks τ 4 and τ 7 must not be scheduled; the other tasks are then selected.

Fig. 12 The schedule generated by RUN for the example whose reduction tree is illustrated in Fig. 11

[Figure 12: stacked timelines over time 0 to 14: Level 2 (ProcV1, running σ1∗ , σ2∗ , σ3∗ ), Level 1 (ProcV2 and ProcV3, running σ 1 , σ 2 , σ 3 ), and the real processors Proc1 to Proc5 running τ 1 to τ 7 .]

The execution of σ1∗ ends at time 1. Its utilization equals 1/7 and its budget was computed at 0 as Uσ1∗ × 7. This creates a necessary preemption point at time instant 1. However, note that this preemption does not propagate through the reduction levels. At time 1, σ3∗ is selected at the second reduction level and then σ 1 and σ 2 occupy both virtual processors at the first reduction level, scheduling, respectively, their dual clients τ1∗ and τ4∗ . Hence, τ 1 and τ 4 are the only tasks in clusters {τ 1 , τ 2 , τ 3 } and {τ 4 , τ 5 , τ 6 } that do not execute, respectively. As σ 3 does not execute at the first reduction level, its only client τ7∗ cannot be selected to execute, implying that τ 7 must execute.

A key feature of the reduction procedure explained above can be noticed. Consider pseudo-cluster {τ 1 , τ 2 , τ 3 } for illustration. As previously observed, its tasks require 2 + 1/7 processing resources. That is, their cumulative utilization exceeds two processors by 1/7. This excess is exactly what appears at the second reduction level as the utilization of σ1∗ . Observe that whenever σ1∗ executes, τ 1 , τ 2 , and τ 3 also execute in parallel. In other words, σ1∗ ’s utilization can be interpreted as the need for parallel execution for cluster {τ 1 , τ 2 , τ 3 }. Thus, when σ1∗ is selected to execute at the second reduction level, RUN actually ensures that three processors are assigned to cluster {τ 1 , τ 2 , τ 3 }. Similar effects can be observed for σ2∗ , σ3∗ , and their associated pseudo-clusters (recall Fig. 11). This kind of effect resembles what is obtained via quasi-partitioning, as explained in section “Nonfair Execution Progress Via Relaxing Partitioning.” Indeed, as will be clearer next, although not using duality, QPS also manages the need for parallel execution of groups of tasks.
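The top-down selection of the on-line phase can be replayed for the seven-task example. This Python sketch is an added example, not the RUN authors' code: the tree is written out by hand from Fig. 11, names such as s1* and t4* are this example's labels, ties are broken by name, and budgets are modeled as (budget, period) pairs, which works here only because each server's clients share one period.

```python
# Reduction tree of the page's seven-task example, written out by hand.
# Every entry is (budget, period); unit time slots suffice because all are integers.
ROOT = {"s1*": (1, 7), "s2*": (2, 14), "s3*": (5, 7)}    # second reduction level
CLIENTS = {                                               # first level: server -> dual tasks
    "s1": {"t1*": (2, 7), "t2*": (2, 7), "t3*": (2, 7)},
    "s2": {"t4*": (4, 14), "t5*": (4, 14), "t6*": (4, 14)},
    "s3": {"t7*": (2, 7)},
}
TASKS = {"t1": (5, 7), "t2": (5, 7), "t3": (5, 7), "t4": (10, 14),
         "t5": (10, 14), "t6": (10, 14), "t7": (5, 7)}    # real tasks (C, T)


def edf_pick(params, remaining, t):
    """Entity with budget left and the earliest deadline (end of its current period)."""
    ready = [n for n in params if remaining[n] > 0]
    if not ready:
        return None
    return min(ready, key=lambda n: ((t // params[n][1] + 1) * params[n][1], n))


def run_online(horizon):
    """Return, per unit slot, (root server chosen, sorted list of real tasks running)."""
    budgeted = dict(ROOT)
    for clients in CLIENTS.values():
        budgeted.update(clients)
    remaining = {n: 0 for n in budgeted}
    schedule = []
    for t in range(horizon):
        for n, (budget, period) in budgeted.items():
            if t % period == 0:                       # deadline and replenishment
                if remaining[n] > 0:
                    raise ValueError(f"{n} did not use its budget by time {t}")
                remaining[n] = budget
        chosen = edf_pick(ROOT, remaining, t)         # EDF on the single virtual processor
        if chosen is not None:
            remaining[chosen] -= 1
        idle = set()
        for server, clients in CLIENTS.items():
            if server + "*" == chosen:
                continue    # dual selected: its primal server is not, so all its tasks run
            dual_task = edf_pick(clients, remaining, t)   # server's highest-priority client
            if dual_task is not None:
                remaining[dual_task] -= 1
                idle.add(dual_task[:-1])              # t4* executing means t4 does not
        schedule.append((chosen, sorted(set(TASKS) - idle)))
    return schedule


def slots_received(schedule, name, start, end):
    """Number of unit slots in [start, end) in which the real task executes."""
    return sum(name in running for _, running in schedule[start:end])


if __name__ == "__main__":
    for t, (chosen, running) in enumerate(run_online(14)):
        print(f"[{t:2},{t + 1:2}) level 2 runs {chosen}; processors run {running}")
```

The first two slots reproduce the decisions described in the text: σ1∗ at time 0 leaves τ 4 and τ 7 idle, and σ3∗ at time 1 leaves τ 1 and τ 4 idle, with five tasks running in every slot.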

4.2 The QPS Algorithm

The basis of QPS is quasi-partitioning, which was briefly described in section “Nonfair Execution Progress Via Relaxing Partitioning”. Before presenting more details of the QPS algorithm, a more precise definition of quasi-partitioning is needed.

Definition 4 (Quasi-partitioning, Massa et al. 2014) Let $\tau$ be a task or server set to be scheduled on $m$ identical processors. A quasi-partition of $\tau$ is a partition $Q$ of $\tau$ such that:

1. $|Q| \le m$
2. $\forall P \in Q$, $0 < U_P < 2$, and
3. $\forall P \in Q$, $\forall \sigma_i \in P$, $U_P > 1 \Rightarrow U_{\sigma_i} > U_P - 1$

According to the above definition, a set of tasks (or servers) is partitioned into no more than $m$ subsets, called execution sets in the QPS terminology. An execution set is referred to as minor if it does not require more than one processor; otherwise it is named a major execution set. If $P$ is a major execution set, it is bound to use less than two processors, as condition 2 in the definition states. Condition 3 establishes that what is required beyond the capacity of one by a major execution set $P$ is less than what is demanded by any element in $P$. This last property is used for dealing with sporadic tasks, as will be explained in section “Dealing with Sporadic Tasks”. Notice that the elements in $P$ can be tasks or servers. Since a task can be seen as a special kind of server, as mentioned in section “Fixed-rate Servers”, there is no ambiguity in denoting an element of $P$ as $\sigma_i$.

Quasi-partitioning is performed off-line. Besides generating the subsets that result from the partitioning, QPS also assigns each major execution set to a set of four servers, as previously illustrated in Fig. 10. These servers are responsible for both managing the concurrent execution of the elements in the major execution set on a dedicated processor and enforcing the parallel execution of portions of its elements. Once the set of execution sets has been defined, the schedule is generated online. In the following, both phases of QPS are explained via the example used in the previous section. Only periodic tasks are considered. Comments on how QPS handles sporadic tasks are delayed to section “Dealing with Sporadic Tasks”.

4.2.1 Off-line Phase

Consider again the example with seven periodic tasks with utilization 5/7 to be scheduled on 5 processors. Note that quasi-partitioning this set of tasks results in four subsets, three of which require 10/7 of processing resources and one with a single task. Several heuristics in line with the quasi-partition requirements can be used as the implementation procedure. The First-Fit Decreasing Bin-Packing heuristic can serve as the basis of such an implementation, for instance. According to this heuristic, entities (tasks or servers) are sequenced in decreasing order of utilization and they are then packed, one at a time, into the first bin they fit; up to $m$ bins are kept open and each bin capacity is less than 2. Each bin in QPS corresponds to an execution set, and the execution sets are assigned to processors. QPS is agnostic with respect to the quasi-partitioning implementation, as long as it is in line with Definition 4.

A possible implementation for quasi-partitioning the considered example could generate three major execution sets, namely $\{\tau_1, \tau_2\}$, $\{\tau_3, \tau_4\}$, $\{\tau_5, \tau_6\}$; and a minor execution set $\{\tau_7\}$. Each of these execution sets could independently be feasibly scheduled on up to two processors. However, their joint schedule on five processors is what is being searched for. Correctly handling these execution sets is thus not clear at this stage of quasi-partitioning. It is necessary to assign shares of processors to major execution sets similarly to what has been exemplified in Fig. 10. For this previous simpler case, there was only one major execution set, which was handled on two processors by four QPS servers. For the new example, the joint execution of four QPS servers associated to each major execution set should be addressed. Interestingly, the problem of assigning processor shares to handle the execution sets can be solved by further carrying out other steps of quasi-partitioning.
Three steps are needed for the illustrative example. Figure 13 is used as an illustration of a possible final assignment result. Again, other results are possible depending on the Bin-Packing heuristic used.

Fig. 13 QPS off-line phase for an example with seven tasks with utilization 5/7; $\tau_1$, $\tau_2$, $\tau_3$, and $\tau_7$ have deadlines equal to 7, whereas the deadlines of $\tau_4$, $\tau_5$, $\tau_6$ are 14. Allocated processors are represented by boxes and the arrows indicate the formed processor hierarchy

For the considered illustration, assume that the first step of quasi-partitioning produces major execution sets $P_1 = \{\tau_1, \tau_2\}$, $P_2 = \{\tau_3, \tau_4\}$, and $P_3 = \{\tau_5, \tau_6\}$. Clearly, each major execution set $P_i$ exceeds the capacity of a processor by $x_i = U_{P_i} - 1 = 3/7$. Each excess of $x_i$ needs to be exported to another processor. As previously illustrated in Fig. 10, this is done via defining a master server $\sigma_i^M$ with utilization $x_i$ that will run on an extra processor. That is, after the first step of quasi-partitioning, the major execution set $P_i$ is defined along with its associated master server $\sigma_i^M$, $i = 1, 2, 3$. Assume for now that $P_i$ is correctly scheduled as long as its associated master $\sigma_i^M$ is correctly scheduled, which is actually done during the on-line phase. Thus, as $P_i$ fully occupies a processor, the problem to be solved in the next step of quasi-partitioning is how to handle the three master servers defined in the previous phase plus $\tau_7$. These servers and the task jointly need two processors to be scheduled. In other words, the second step of quasi-partitioning can take into consideration only servers $\sigma_1^M$, $\sigma_2^M$, and $\sigma_3^M$ and task $\tau_7$. A possible result of this step is to pack $\sigma_1^M$ and $\tau_7$ together forming the major execution set $P_4 = \{\sigma_1^M, \tau_7\}$. Server $\sigma_4^M$ with utilization $x_4 = U_{P_4} - 1 = 1/7$ is then defined. The last step simply packs $\sigma_2^M$, $\sigma_3^M$, $\sigma_4^M$ into a minor execution set since no new major execution set has been defined. Assigning each execution set to processors can be done either during the quasi-partitioning procedure or after all execution sets have been defined. An assignment is shown in Fig. 13.

Carrying out the assignments and defining a master server for each major execution set does not suffice for generating a valid schedule during the on-line phase of QPS. As explained in section “Nonfair Execution Progress Via Relaxing Partitioning”, the scheduling of a major execution set $P_i$ is jointly carried out by four servers, the master $\sigma_i^M$, the slave $\sigma_i^S$, and the dedicated servers $\sigma_i^A$ and $\sigma_i^B$. They implement the execution control that, together with the previously described assignment, leads to scheduling optimality. These servers are defined as follows. Each major execution set $P_i$ is bi-partitioned into two subsets $P_i = P_i^a \cup P_i^b$. It suffices to assign one element of $P_i$ to a subset and the others to another. The clients of servers $\sigma_i^A$ and $\sigma_i^B$ are respectively $P_i^a$ and $P_i^b$. Their utilizations are defined as $U_{\sigma_i^A} = U_{P_i^a} - x_i$ and $U_{\sigma_i^B} = U_{P_i^b} - x_i$, respectively. Like the master server $\sigma_i^M$, the slave can serve any task in $P_i$ at a rate of $U_{\sigma_i^M} = U_{\sigma_i^S} = x_i$. At any time, all four QPS servers associated with $P_i$ share the same deadlines. The dedicated servers, $\sigma_i^A$ and $\sigma_i^B$, deal with the nonparallel execution of $P_i^a$ and $P_i^b$ while $\sigma_i^M$ and $\sigma_i^S$ deal with their parallel execution.
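The off-line phase described above, as an added example (not code from the chapter or from the QPS authors): a first-fit decreasing packing restricted to moves that keep Definition 4 satisfied, repeated on the exported master servers until no major execution set appears, followed by the utilizations of the four QPS servers of each major set. The function names, the labels t1..t7 and M1..M4, and the choice of the first element as $P_i^a$ are assumptions made here; the heuristic raises an error instead of guaranteeing a quasi-partition for every input.

```python
from fractions import Fraction as F


def utilization(execution_set):
    return sum(u for _, u in execution_set)


def quasi_partition(items, m):
    """First-fit decreasing packing that only makes moves allowed by
    Definition 4. items is a list of (name, utilization) pairs."""
    bins = []
    for name, u in sorted(items, key=lambda item: -item[1]):
        for b in bins:
            total = utilization(b) + u
            smallest = min(min(v for _, v in b), u)
            # Condition 2 (U_P < 2) and condition 3 (every element is
            # larger than the excess U_P - 1 of a major execution set).
            if total < 2 and (total <= 1 or smallest > total - 1):
                b.append((name, u))
                break
        else:
            if len(bins) == m:  # condition 1: |Q| <= m
                raise ValueError("heuristic found no quasi-partition")
            bins.append([(name, u)])
    return bins


def is_quasi_partition(bins, m):
    """Check the three conditions of Definition 4 independently."""
    if len(bins) > m:
        return False
    for b in bins:
        total = utilization(b)
        if not 0 < total < 2:
            return False
        if total > 1 and any(u <= total - 1 for _, u in b):
            return False
    return True


def offline_phase(tasks, m):
    """Repeat quasi-partitioning until no major execution set is created.
    Returns (major sets in definition order, final minor sets, masters)."""
    pending, free = list(tasks), m
    majors, masters = [], {}
    while True:
        bins = quasi_partition(pending, free)
        assert is_quasi_partition(bins, free)
        new_majors = [b for b in bins if utilization(b) > 1]
        minors = [b for b in bins if utilization(b) <= 1]
        if not new_majors:
            return majors, minors, masters
        pending = []
        for b in new_majors:
            name = f"M{len(majors) + 1}"        # hypothetical label
            masters[name] = utilization(b) - 1  # excess x_i to export
            majors.append(b)
            pending.append((name, masters[name]))
        # Elements of minor sets are packed again with the new masters.
        pending += [e for b in minors for e in b]
        free -= len(new_majors)  # each major set fills one processor


def qps_servers(major_set):
    """Utilizations of the four QPS servers of a major execution set,
    using the bipartition {first element} / {all other elements}."""
    x = utilization(major_set) - 1
    part_a, part_b = major_set[:1], major_set[1:]
    return {"M": x, "S": x,
            "A": utilization(part_a) - x, "B": utilization(part_b) - x}


# Constructed input: the chapter's example, seven tasks of utilization 5/7.
TASKS = [(f"t{i}", F(5, 7)) for i in range(1, 8)]

if __name__ == "__main__":
    majors, minors, masters = offline_phase(TASKS, 5)
    for i, p in enumerate(majors, 1):
        print(f"P{i}", [n for n, _ in p], qps_servers(p))
    print("minor", [[n for n, _ in b] for b in minors], masters)
```

On the chapter's example the three steps reproduce the execution sets named in the text, and the dedicated and slave servers of each major set add up to exactly one processor.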

4.2.2 On-line Phase

The assignment of tasks and servers to processors is the main result of the offline phase. During the on-line phase, QPS uses local EDF in each processor as a core scheduling rule. However, unlike partitioned EDF, in QPS the scheduling decisions on a processor may depend on those on others due to the relation between master and slave servers. This relation actually defines a processor hierarchy. As the selection of the master servers imposes the selection of the associated slave servers, the scheduling decisions must be taken first on processors that contain master servers. For example, in Fig. 13, at a given scheduling instant, after choosing which server should run on processor 5, it is possible to take scheduling decisions on processors 2, 3, and 4. Otherwise, if the scheduling choice is carried out on any of these three processors independently of that on processor 5, incompatible scenarios could occur. That would be the case if a dedicated server is selected on processor 2, but the master server $\sigma_2^M$ is the one with earliest deadline on processor 5. To avoid such scenarios, the processor hierarchy formed during the off-line phase must be observed.

Consider the illustrative example and assume that the processor hierarchy is taken into consideration, which implies that scheduling decisions start on processor 5. Suppose that $\sigma_2^M$ is selected to run on processor 5 at a given time. Hence, $\sigma_2^S$ should run on processor 2. In this case, some dedicated server can be selected to execute on processors 3 and 4. If $\sigma_3^M$ is chosen instead, the only possible decision on processor 3 is to execute $\sigma_3^S$, making processors 2 and 4 free to schedule one of the dedicated servers allocated to them. Likewise, the decisions on processor 1 depend on those taken on processor 4. As dedicated and slave servers share the same deadline, this scheme is in line with EDF order on each processor. Note that this processor-dependent scheduling order is a consequence of the order the execution sets were defined and allocated during the off-line phase. The minor execution set on processor 5 was the last to be handled.
The assignment on processor 4 was carried out in the second phase and so on. This suggests that following a sequential ordering based on the processor hierarchy suffices. The following dispatching procedure can then be defined:

(a) visit the processors in the reverse of the order in which their execution sets were defined;
(b) for each visited processor, local EDF is used to select the highest priority server/task;
(c) if a master server is selected on some processor, the associated slave server must be also selected;
(d) for each selected server, its highest priority client according to EDF is selected;
(e) at the end of this selection process, all selected tasks are dispatched.

The schedule generated by QPS using rules (a) - (d) is depicted in Fig. 14 for the illustrative example. The allocation shown in Fig. 13 was considered. Processor 5 was the last one to be allocated and so it is visited first. Note that $\sigma_2^M$ is selected at time 0 by EDF on this processor, which activates the selection of $\sigma_2^S$ on processor 2. Server $\sigma_4^A$ is chosen on processor 4. Its highest priority client (by EDF) is $\sigma_1^M$, enforcing the selection of $\sigma_1^S$ on processor 1. Following the client chain for all selected servers, the actual tasks are dispatched.

Fig. 14 A schedule generated by QPS taking the example and processor hierarchy depicted in Fig. 13

It is worth observing from Figs. 13 and 14 that like RUN, QPS also induces pseudo-clusters when structuring the major execution sets $P_i$. The groups of elements to form a cluster come always from two entities, consisting of the partition sets $P_i^a$ and $P_i^b$. In the example, task sets $\{\tau_3, \tau_4\}$, $\{\tau_5, \tau_6\}$ are two clusters of tasks; for each of them an entire processor plus a share of another is reserved. The set $\{\tau_1, \tau_2, \tau_7\}$ also forms a cluster which occupies 2+1/7 processing resources. In this cluster, whenever $\sigma_4^M$ is scheduled, all three tasks run in parallel.

4.3 Dealing with Sporadic Tasks

Not all scheduling algorithms mentioned in this chapter are capable of addressing sporadic tasks. Many of these algorithms rely on the knowledge of task deadlines to generate the schedule. As the arrival pattern of sporadic tasks is uncertain, so are their deadlines. Some algorithms can be extended to deal with the sporadic task model in a straightforward manner. This is the case of DP-Wrap for instance. Recall that DP-Wrap scheduling windows are defined by the intervals between two consecutive deadlines. By allocating a slot in these windows to each task (either active or not) proportional to its utilization, it is possible to incorporate sporadic tasks. The execution of a sporadically released task can be accommodated within the already defined window, possibly splitting the window into two in case the new job deadline is before the end of the current window. The extension of EKG for sporadic tasks is more challenging (Andersson and Bletsas 2008). It is based on generating scheduling windows of equal size across all processors. Optimality is obtained in the limiting case of arbitrarily small windows.

In summary, the difficulty in scheduling sporadic tasks strongly depends on the strategy employed by the execution control. Instead of presenting a broad discussion about how to optimally schedule sporadic tasks, this section puts the problem in the context of the two hierarchical nonfair algorithms, RUN and QPS. These algorithms, although sharing some characteristics, as previously described, are in contrast when it comes to sporadic tasks. The duality principle, based on which RUN correctness stands, brings about difficulties in extending it for sporadic tasks. QPS, on the other hand, not only maintains its optimality but also exhibits interesting adaptiveness properties when sporadic tasks are taken into consideration.

4.3.1 Sporadic Tasks in RUN

The necessary complementarity between primal and dual systems makes it difficult to accommodate sporadic tasks in RUN. Indeed, by the duality principle, it is implicitly assumed that at any time either the primal or the dual of an entity is executing. However, under the sporadic task arrival pattern, there may be time instants at which such an entity is not present (not active) in either of its forms, primal or dual. Some simple illustrations are now used to give a glimpse of possible difficulties one would face when adapting RUN to sporadic tasks.

Consider an example consisting of three servers with utilization 2/3. Two of these servers release jobs at time 0 and the third arrives late, releasing its first job at time 3. All jobs are assumed to have deadlines at time 9 and so the choice of each job to execute is arbitrary under EDF. As can be observed, $\sigma_3$ is not active during interval [0, 3), a scenario in line with the sporadic task model. If the duality principle is to be preserved, Fig. 15 shows a possible schedule. The dual of $\sigma_1$ is chosen to execute on a virtual processor via EDF during [0, 3), making one of the real processors idle in this time interval. At time 3 all servers are active and the usual RUN algorithm applies. Inevitably this scenario yields deadline misses since at time 8 all three primal servers still have a unit of work to execute. RUN is not a work-conserving algorithm, as the schedule in Fig. 15 indicates; a processor is being kept idle while a task awaits execution. This scenario occurs under the periodic task model, when dummy tasks are being executed, and also appears with sporadic task arrival patterns. But defining dummy tasks in this case is not possible.

Fig. 15 Some difficulties in extending RUN for the sporadic task model. Servers $\sigma_1$ and $\sigma_2$ are released at time 0, whereas $\sigma_3$ releases its first job later at time 3. The jobs have the same deadline at 9 and the servers have the same utilization of 2/3. If duality is strictly preserved, then some server misses its deadline

Fig. 16 Some difficulties in extending RUN for the sporadic task model. Server $\sigma_1$ is released at time 0 with deadline at time 9, whereas $\sigma_2$ and $\sigma_3$ release their jobs later at time 3 with deadlines at time 6. All servers have the same utilization of 2/3. If duality is relaxed when there is idle time, RUN fails to schedule the servers

However, simply making RUN work-conserving does not suffice to provide an effective solution, as Fig. 16 illustrates. One of the servers now is released at time 0 and the other two arrive later at time 3. Their jobs have deadlines at instants 9, 6 and 6, respectively. During interval [0, 3), duality is relaxed so as to be in line with the work-conserving property in both dual and primal systems. The dual server of $\sigma_1$ is thus entirely executed by time 3. However, note that at time 5 all dual jobs finish but their respective primal jobs do not. Duality thus cannot be applied at time 5 for deciding which of the three servers should execute.

The kind of difficulties illustrated in Figs. 15 and 16 are intrinsically more complex when considering scenarios where only some of the server clients are active. In this case, the server does not need to execute at its full rate during certain intervals. Adapting the rate or the budget of the server dynamically, however, may not be simple; this involves keeping the dual-primal consistency along with the reduction tree. Another difficulty is related to the needed knowledge about task deadlines. When a server releases a job, it is assumed that its next deadline is known so that the job workload in both the primal and dual forms can be computed. As some of the clients may arrive late, the deadlines are also not precisely known when the server releases its jobs.

Up until now, SPRINT, an acronym for “Sporadic RUN for Independent Tasks”, is the only known attempt to make RUN compatible with sporadic tasks (Baldovin et al. 2014). This extension is based on two main modifications in RUN at the expense of not preserving its optimality. First, the deadline $d$ of a server at a time $t$ is defined such that none of its clients, either active or not at time $t$, can have deadline less than $d$. That is, a server job may be released with deadline that is less than the minimum deadline of the server’s active clients. The second modification refers to the server budget adaptation previously mentioned. This was possible because the reduction tree in SPRINT is restricted to only two levels. Systems requiring more than two levels cannot be scheduled. As this is a nonoptimal scheduling approach, this scheme will not be described further.

4.3.2 Sporadic Tasks in QPS

Consider the example illustrated in Fig. 14 but now assume that $\tau_1$ is a sporadic task releasing its first job only at time 7. This release time instant is chosen for the sake of simplifying the illustration in Fig. 17. Other release time choices could give rise to more QPS jobs than what would be necessary to explain the illustration and would make the graphics in the figure unnecessarily more complex. Note that in this illustrative scenario, during time interval [0, 7), the major execution set $P_1 = \{\tau_1, \tau_2\}$ contains a single active task and can be dealt with by a single processor. This means that the QPS servers in charge of $P_1$ can be deactivated, at least until time 7. Hence, the master server $\sigma_1^M$ will not be released within [0, 7) as well, implying that the major execution set $P_4 = \{\sigma_1^M, \tau_7\}$ can be executed on a single processor during [0, 7). Consequently, the QPS servers associated with $P_4$ can also be deactivated, leaving processor 5 containing only $\sigma_2^M$ and $\sigma_3^M$ as active servers during the considered interval. In other words, under QPS there is a natural adaptation to the current load of the system; QPS adapts itself at run-time, moving in between the global and partitioned schedule spectrum. Task migration can thus be minimized and is a function of the system load, in line with what is recommended in Observation 9.

The effects of the adaptiveness due to this late arrival of $\tau_1$ are illustrated in Fig. 17. This schedule can be compared with what has been previously shown in Fig. 14. As the example shows, the partitioning may take place for some parts of the system. During [0, 7) the system is scheduled using a partitioned approach for execution sets $P_1$ and $P_4$, but allows for task migration for the other major execution sets. When the sporadic task $\tau_1$ is released at time 7, the deactivated QPS servers are reactivated in response to the fact that all their clients are active again. First, those QPS servers that are in charge of $P_1$. In turn, the release of $\sigma_1^M$ causes the activation of the QPS servers in charge of $P_4$. From time 7 onwards, the schedule is generated following the same rules explained in section “The QPS Algorithm”. The differences between the schedules shown in Figs. 14 and 17 are due to the distinct task arrival pattern.

Fig. 17 Adaptiveness of QPS regarding sporadic arrival patterns considering the same task system as illustrated in Fig. 14. A single task $\tau_1$ is released late at time 7, causing a partial partitioning of the system according to which tasks $\tau_2$ and $\tau_7$ do not migrate during [0, 7]. Upon the release of $\tau_1$, the algorithm adapts again to the original configuration allowing for the migration of tasks in $\{\tau_1, \tau_2, \tau_7\}$

In the example of Fig. 17, a single sporadic task was considered. If more than one sporadic task in a major execution set is taken into consideration, the reactivation of its QPS servers occurs when the last inactive task releases its job. Notice that in practice, the system may contain several sporadic tasks, leading to scenarios where all tasks are seldom active at the same time. This means that practical applications can benefit from the adaptiveness of QPS, substantially reducing the overall runtime overhead in the system. This kind of adaptive property in multiprocessor scheduling is an innovation brought about by QPS, offering a good compromise between global and partitioned scheduling approaches.

As illustrated in Fig. 17, QPS servers are activated or deactivated as a function of whether all clients are active or not, respectively. Massa et al. (2016) describe less conservative rules that may increase the time during which QPS servers are kept deactivated under the sporadic task model. These rules are based on checking at run-time whether the processing demand required by each major execution set exceeds the capacity of a processor. QPS servers can be activated only when this checking indicates so.
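The activation rule illustrated in Fig. 17, as an added example (not code from the chapter or from the QPS authors): the QPS servers of a major execution set become active once all of its elements are active, and a master server counts as an element that becomes active together with its own set, so a late task delays every set above it in the hierarchy. The hierarchy literal, the labels, and the simplification that only first releases are modelled are assumptions made here.

```python
# Constructed data: the hierarchy of Fig. 13. The labels "t1".."t7" (tasks)
# and "M1".."M4" (master servers) are hypothetical names for this sketch.
MAJOR_SETS = {"P1": ["t1", "t2"], "P2": ["t3", "t4"],
              "P3": ["t5", "t6"], "P4": ["M1", "t7"]}
MASTER_OF = {"P1": "M1", "P2": "M2", "P3": "M3", "P4": "M4"}


def activation_times(major_sets, master_of, first_release):
    """Time at which the QPS servers of each major set are activated:
    the release of its last inactive element. A master server is released
    when the servers of the set it belongs to are activated."""
    set_of = {master: p for p, master in master_of.items()}
    memo = {}

    def activated(p):
        if p not in memo:
            memo[p] = max(activated(set_of[e]) if e in set_of
                          else first_release[e] for e in major_sets[p])
        return memo[p]

    return {p: activated(p) for p in major_sets}


def active_masters(major_sets, master_of, first_release, t):
    """Master servers that compete for their processor at time t."""
    times = activation_times(major_sets, master_of, first_release)
    return {master_of[p] for p, when in times.items() if when <= t}


def may_migrate(major_sets, master_of, first_release, t):
    """Tasks that belong to a cluster whose QPS servers are active at t.
    All other tasks are scheduled as in a partitioned system."""
    set_of = {master: p for p, master in master_of.items()}
    times = activation_times(major_sets, master_of, first_release)
    tasks = set()

    def collect(p):
        for e in major_sets[p]:
            if e in set_of:
                collect(set_of[e])   # follow the master to its own set
            else:
                tasks.add(e)

    for p, when in times.items():
        if when <= t:
            collect(p)
    return tasks


# Constructed scenario of Fig. 17: every task starts at 0 except t1.
RELEASES = {f"t{i}": 0 for i in range(1, 8)}
RELEASES["t1"] = 7

if __name__ == "__main__":
    print(activation_times(MAJOR_SETS, MASTER_OF, RELEASES))
    print(sorted(active_masters(MAJOR_SETS, MASTER_OF, RELEASES, 3)))
    print(sorted(may_migrate(MAJOR_SETS, MASTER_OF, RELEASES, 3)))
```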

5 Final Comments

In this chapter, some of the relevant principles for scheduling a set of real-time tasks in multiprocessor systems have been summarized in an illustrative and intuitive way. A more complete comprehension of the algorithms and their properties, however, is not possible without a more formal treatment. The reader is thus invited to use this chapter as a starting point of a study, referring to the scientific papers referenced here as more precise sources of information.

As for practical considerations of scheduling algorithms, many topics left behind during the preparation of this chapter can be found in other chapters of this book. For example, actual applications can rarely be modeled as a collection of independent tasks, requiring mechanisms and protocols to deal with resource sharing. The topic of semi-partitioned scheduling is also of practical relevance. Although optimality is usually not obtainable under this scheduling scheme, several semi-partitioned approaches are cost-effective in terms of schedulability performance.

Further, recent trends in the application and system domains have driven the research community to explore new system models. The possibility to execute the same task in parallel to itself, for example, leads to tasks being modeled as a digraph. Distinct nodes of the graph can be allowed to execute in different processors at the same time. Modern architectures may also be made of different types of processors. Under this heterogeneous processor model, there can be several estimations of worst-case execution time for the same task as a function of the processor on which it executes. These and other current trends require new scheduling mechanisms since they are a fundamental building block in the design of real-time systems. Understanding the properties and boundaries related to optimally scheduling a set of tasks on multiprocessors considering simpler models, as the ones covered in this chapter, is a necessary step towards the development of effective solutions for more complex models.

References

J.H. Anderson, A. Srinivasan, Early-release fair scheduling, in Proceedings of the 12th Euromicro Conference on Real-Time Systems (ECRTS 2000), (IEEE Computer Society, Washington, 2000a), pp. 35–43 J.H. Anderson, A. Srinivasan, Pfair scheduling: beyond periodic task systems, in Proceedings of the 7th International Workshop on Real-Time Computing Systems and Applications (RTCSA 2000), (IEEE, Cheju Island, 2000b), pp. 297–306 J. Anderson, P. Holman, A. Srinivasan, Chapter 31: Fair scheduling of real-time tasks on multiprocessors, in Handbook of Scheduling: Algorithms, Models, and Performance Analysis, ed. by J. Y. Leung, (Chapman & Hall/CRC, Boca Raton, 2004), pp. 31-1–31-21


B. Andersson, K. Bletsas, Sporadic multiprocessor scheduling with few preemptions, in Proceedings of the 20th Euromicro Conference on Real-Time Systems (ECRTS 2008), (IEEE, Prague, 2008), pp. 243–252 B. Andersson, E. Tovar, Multiprocessor scheduling with few preemptions, in Proceedings of the 12th IEEE Real-Time and Embedded Technology and Applications Symposium (RTCSA 2006), (IEEE, San Jose, 2006), pp. 322–334 A. Baldovin, G. Nelissen, T. Vardanega, E. Tovar, SPRINT: extending RUN to schedule sporadic tasks, in Proceedings of the 22nd International Conference on Real-Time Networks and Systems (RTNS 2014), (ACM, Versaille, 2014), pp. 321:321–321:330 S. Baruah, J. Goossens, Chapter 28: Scheduling real-time tasks: algorithms and complexity, in Handbook of Scheduling: Algorithms, Models, and Performance Analysis, ed. by J. Y. Leung, (Chapman & Hall/CRC, Boca Raton, 2004), pp. 28-1–28-21 S.K. Baruah, L.E. Rosier, R.R. Howell, Algorithms and complexity concerning the preemptive scheduling of periodic, real-time tasks on one processor. Real-Time Syst. 2(4), 301–324 (1990) S. Baruah, J. Gehrke, C.G. Plaxton, Fast scheduling of periodic tasks on multiple resources, in Proceedings of the 9th International Symposium on Parallel Processing (IPPS 1995), (IEEE Computer Society, Santa Barbara, 1995), pp. 280–288 S. Baruah, N.K. Cohen, C.G. Plaxton, D.A. Varvel, Proportionate progress: a notion of fairness in resource allocation. Algorithmica 15(6), 600–625 (1996) S.Y. Chen, C.W. Hsueh, Optimal dynamic-priority real-time scheduling algorithms for uniform multiprocessors, in Proceedings of the 29th IEEE Real-Time Systems Symposium (RTSS 2008), (IEEE, Barcelona, 2008), pp. 147–156 H. Cho, B. Ravindran, E.D. Jensen, An optimal real-time scheduling algorithm for multiprocessors, in Proceedings of the 28th IEEE Real-Time Systems Symposium (RTSS 2007), (IEEE, Tucson, 2006), pp. 101–110 M. Cirinei, T.P. 
Baker, EDZL scheduling analysis, in Proceedings of the 19th IEEE Euromicro Conference on Real-Time Systems (ECRTS 2007), (IEEE Computer Society, Pisa, 2007), pp. 9–18 E.G. Coffman Jr., M.R. Garey, D.S. Johnson, Approximation algorithms for bin packing: a survey, in Approximation Algorithms for NP-Hard Problems, ed. by D. S. Hochbaum, (PWS Publishing Co, Boston, 1997), pp. 46–93 D. Compagnin, E. Mezzetti, T. Vardanega, Putting RUN into practice: implementation and evaluation, in Proceedings of the 26th Euromicro Conference on Real-Time Systems (ECRTS 2014), (2014), pp. 75–84 D. Compagnin, E. Mezzetti, T. Vardanega, Experimental evaluation of optimal schedulers based on partitioned proportionate fairness, in Proceedings of the 27th Euromicro Conference on RealTime Systems (ECRTS 2015), (Lund, Sweden, 2015), pp. 115–126 R.I. Davis, A. Burns, A survey of hard real-time scheduling for multiprocessor systems. ACM Comput. Surv. 43(4), 1–44 (2011) M.L. Dertouzos, Control robotics: the procedural control of physical processes, in Proceedings of IFIP Congress (IFIP Congress 1974), (Stockholm, 1974), pp. 807–813 M. Dertouzos, A. Mok, Multiprocessor online scheduling of hard-real-time tasks. IEEE Trans. Softw. Eng. 15(12), 1497–1506 (1989) S.K. Dhall, C.L. Liu, On a real-time scheduling problem. Oper. Res. 26(1), 127–140 (1978) N. Fisher, J. Goossens, S. Baruah, Optimal online multiprocessor scheduling of sporadic real-time tasks is impossible. Real-Time Syst. 45(1), 26–71 (2010) K. Funaoka, S. Kato, N. Yamasaki, Work-conserving optimal real-time scheduling on multiprocessors, in Proceedings of the 20th Euromicro Conference on Real-Time Systems (ECRTS 2008), (IEEE, Prague, 2008), pp. 13–22 S. Funk, G. Levin, C. Sadowski, I. Pye, S. Brandt, DP-fair: a unifying theory for optimal hard real-time multiprocessor scheduling. Real-Time Syst. 47(5), 389–429 (2011) T.M. Ghazalie, T.P. Baker, Aperiodic servers in a deadline scheduling environment. Real-Time Syst. 9(1), 31–67 (1995)


K.S. Hong, J.Y.T. Leung, On-line scheduling of real-time tasks, in Proceedings of the 9th IEEE Real-Time Systems Symposium (RTSS 1988), (Huntsville, 1988), pp. 244–250
K.S. Hong, J.Y.T. Leung, On-line scheduling of real-time tasks. IEEE Trans. Comput. 41(10), 1326–1331 (1992)
W.A. Horn, Some simple scheduling algorithms. Nav. Res. Logist. Q. 21(1), 177–185 (1974)
H. Kim, Y. Cho, A new fair scheduling algorithm for periodic tasks on multiprocessors. Inf. Process. Lett. 111(7), 301–309 (2011)
G. Koren, A. Amir, E. Dar, The power of migration in multiprocessor scheduling of real-time systems, in Proceedings of the 9th Annual ACM-SIAM Symposium on Discrete Algorithms (SODA 1998), (Society for Industrial and Applied Mathematics, San Francisco, 1998), pp. 226–235
G. Levin, S. Funk, C. Sadowski, I. Pye, S. Brandt, DP-FAIR: a simple model for understanding optimal multiprocessor scheduling, in Proceedings of the 20th Euromicro Conference on Real-Time Systems (ECRTS 2010), (IEEE, Brussels, 2010), pp. 3–13
C.L. Liu, J.W. Layland, Scheduling algorithms for multiprogram in a hard real-time environment. J. ACM 20(1), 40–61 (1973)
E. Massa, G. Lima, P. Regnier, G. Levin, S. Brandt, Optimal and adaptive multiprocessor real-time scheduling: the quasi-partitioning approach, in Proceedings of the 26th Euromicro Conference on Real-Time Systems (ECRTS 2014), (IEEE, Madrid, 2014), pp. 291–300
E. Massa, G. Lima, P. Regnier, G. Levin, S. Brandt, Quasi-partitioned scheduling: optimality and adaptation in multiprocessor real-time systems. Real-Time Syst. 52(5), 566–597 (2016)
R. McNaughton, Scheduling with deadlines and loss functions. Manag. Sci. 6, 1–12 (1959)
G. Nelissen, V. Berten, J. Goossens, D. Milojevic, Reducing preemptions and migrations in real-time multiprocessor scheduling algorithms by releasing the fairness, in Proceedings of the 17th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA 2011), vol. 1, (IEEE, Toyama, 2011), pp. 15–24
G. Nelissen, V. Berten, V. Nélis, J. Goossens, D. Milojevic, U-EDF: an unfair but optimal multiprocessor scheduling algorithm for sporadic tasks, in Proceedings of the 24th Euromicro Conference on Real-Time Systems (ECRTS 2012), (IEEE, Pisa, 2012), pp. 13–23
G. Nelissen, H. Su, Y. Guo, D. Zhu, V. Nélis, J. Goossens, An optimal boundary fair scheduling. Real-Time Syst. 50(4), 456–508 (2014)
R. Pellizzoni, M. Caccamo, M-CASH: a real-time resource reclaiming algorithm for multiprocessor platforms. Real-Time Syst. 40(1), 117–147 (2008)
P. Regnier, G. Lima, E. Massa, G. Levin, S. Brandt, RUN: optimal multiprocessor real-time scheduling via reduction to uniprocessor, in Proceedings of the 32nd IEEE Real-Time Systems Symposium (RTSS 2011), (IEEE, Vienna, 2011), pp. 104–115
P. Regnier, G. Lima, E. Massa, G. Levin, S. Brandt, Multiprocessor scheduling by reduction to uniprocessor: an original optimal approach. Real-Time Syst. 49(4), 436–474 (2013)
S. Sahni, Preemptive scheduling with due dates. Oper. Res. 27(5), 925–934 (1979)
A. Srinivasan, J.H. Anderson, Optimal rate-based scheduling on multiprocessors, in Proceedings of the 34th Annual ACM Symposium on Theory of Computing (STOC 2002), (Montreal, 2002), pp. 189–198
J.A. Stankovic, K. Ramamritham, M. Spuri, Deadline Scheduling for Real-Time Systems: Edf and Related Algorithms (Kluwer Academic Publishers, Norwell, 1998)
D. Zhu, D. Mossé, R. Melhem, Multiple-resource periodic scheduling problem: how much fairness is necessary? in Proceedings of the 24th IEEE International Real-Time Systems Symposium (RTSS 2003), RTSS 03, (IEEE, Cancun, 2003), p. 142

7 Soft Real-Time Scheduling

Jeremy P. Erickson and James H. Anderson

Contents
1 Introduction
2 Basic Definitions
3 Meeting Some Deadlines
4 Bounded Tardiness/Lateness
4.1 Review of EDF Scheduling
4.2 Work on Bounded Lateness and Bounded Tardiness Without Overload
5 Overload Management Using Value Functions
5.1 Locke’s Best-Effort Heuristic
5.2 Providing a Guarantee on Achieved Value: D∗
5.3 Providing the Optimal Guarantee: Dover
5.4 Providing Guarantees on Multiprocessors: MOCA
5.5 Rate-Based Earliest Deadline Scheduling
5.6 Schedulers Accounting for Dependencies
6 Overload Management by Changing Minimum Separation Times
7 Overload Management in Mixed-Criticality Scheduling
7.1 Techniques to Reduce Dropped Low-Criticality Jobs
7.2 Scaling Separation Times of Low-Criticality Jobs Instead of Dropping Jobs
8 Summary
References

Abstract

The notion of temporal correctness applicable to a hard real-time system is quite categorical: such a system is deemed to be temporally correct if and only if no task ever misses a deadline. In contrast, soft real-time systems are sometimes permitted to miss deadlines, and there are a variety of ways in which the term “sometimes” might plausibly be defined. As a result, several different notions of soft real-time correctness have been studied in the literature. In this chapter, a survey of research results pertaining to several such notions is presented. Additionally, the related issue of overload management is considered. Overloads may be common in soft real-time systems because such systems are typically provisioned less pessimistically than hard real-time ones.

J. P. Erickson · J. H. Anderson, Department of Computer Science, The University of North Carolina, Chapel Hill, NC, USA
© Springer Nature Singapore Pte Ltd. 2022. Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_4

1 Introduction

The common characteristic of real-time systems, as discussed throughout this book, is that results must not only be correct but must be produced “at the right time.” The precise definition of “at the right time” depends on the type of system. A system is typically defined to be a “hard real-time (HRT)” system if each job (i.e., invocation of a program, or “task”) has a deadline by which it must complete in order for the system to be correct. This definition of correctness is needed if drastic consequences could result from a missed deadline. For example, consider a task that adjusts a rudder on an aircraft, in response to the pilot using fly-by-wire controls. This task has a hard real-time requirement, as a missed deadline could result in a crash. In order to guarantee the correctness of such a system, it is typically necessary to make highly pessimistic assumptions about system behavior, in order to ensure that a deadline cannot be missed under any possible circumstances. This usually requires over-provisioning the system.

By contrast, a system is defined to be a “soft real-time (SRT)” system if it has less stringent requirements. In such a system, each job typically still has a deadline, but the system may be deemed to be correct even if some jobs miss their deadlines. As an example of a SRT deadline constraint, one might require that some fraction of all deadlines in a system be met. Such relaxed deadline constraints are often sufficient. For example, a video decoding system that operates at 50 frames per second must decode each frame within a 20 ms period, or the video may visibly skip. Such a skip is not catastrophic, and the reduced pessimism enabled by tolerating some skips can allow the system to be more fully provisioned.

In this chapter, we consider several different notions of SRT correctness and survey work pertaining to these various notions. We begin in Sect. 2 by presenting basic definitions that will be used throughout this chapter. Then, in Sect. 3, we consider various definitions of SRT correctness that are similar to that considered above, where only some fraction of deadlines are required to be met. Next, in Sect. 4, we consider a definition of SRT correctness that does not require any deadline to be met but does require bounded tardiness, i.e., jobs may miss deadlines as long as the extent of miss is bounded.

SRT systems are often provisioned less pessimistically than HRT ones, and as a result, the underlying hardware platform can be expected to sometimes be overloaded. In such situations, policies must be employed that ensure that overloads eventually abate by reducing computational demand. One way to reduce demand is by dropping work. In Sect. 5, we survey approaches for dealing with overload that use value functions in deciding which work to drop. Another way to reduce demand is by reducing the rate at which tasks submit work. In Sect. 6, we survey work on overload management in which such an approach is taken. Finally, in systems that contain tasks of different criticalities, criticality-cognizant overload management policies can be employed. We survey work on such policies in Sect. 7.

2 Basic Definitions

Except where otherwise noted, some variant of the sporadic task model is assumed in all papers surveyed in this chapter. In order to describe this model, we depict in Fig. 2, which uses the key in Fig. 1, an example task running by itself. A task represents one process that is composed of a (potentially infinite) series of discrete jobs. When a new job of a task becomes available for execution, we say that job is released by the task. Because each task is a single process, a newly released job of a task must wait to actually begin execution if any prior jobs of the same task have not yet completed.

We denote a system comprised of n sporadic tasks as τ = {τ1, τ2, ..., τn}. Each task τi is specified by defining several temporal parameters. One such parameter is the worst-case execution time (WCET) of τi, denoted Ci. This parameter specifies an upper bound on the execution time for any job of τi. In Fig. 2, C1 = 2 ms, so no job runs for over 2 ms. However, some jobs run for only 1 ms, as allowed by the model. Another parameter is the minimum separation time of τi, denoted Ti. This parameter specifies the minimum amount of time between two successive job releases of τi. In Fig. 2, T1 = 3 ms, so job releases occur at least three time units apart. However, after the job release that occurs at time 9 ms, no new job is released until time 14 ms, as allowed by the model.

Fig. 1 Common key for many figures in this chapter

Fig. 2 Example of a sporadic task, with key in Fig. 1


The absolute deadline of a job is the point in time by which that job should finish. In Fig. 2, the absolute deadline of the first job is at time 2 ms. The precise interpretation of “should finish” depends on the particular definition of SRT correctness assumed. The relative deadline of a particular task τi, denoted Di, is the time between the release time and absolute deadline of each job of that task. In Fig. 2, D1 = 2 ms, so the job released at time 9 ms has its absolute deadline at time 11 ms.

We often consider implicit-deadline task systems in which for each task τi, Di = Ti. However, some work is also applicable to arbitrary-deadline task systems that may violate this assumption. For the purpose of examples, we will often use the notation τi = (Ci, Ti) for the tasks of an implicit-deadline task system.

A final parameter of each task τi is its utilization, denoted Ui. A task’s utilization is simply the ratio of its WCET to its minimum separation time: Ui = Ci/Ti. The utilization of a task is significant because it indicates the long-term processor share needed by the task, in the worst case.

Some SRT schedulers deal with situations of overload. In an overload situation, there is more work than can possibly be completed with reasonable time constraints. For example, two tasks that each have utilization greater than 0.5 cannot execute together on a uniprocessor, or jobs will miss their deadlines by increasing amounts. SRT schedulers that work in the presence of overload may employ various methods to reduce computational demand so as to encourage overloads to abate. Several such methods are reviewed later.

3 Meeting Some Deadlines

In this section, we review prior work in which a definition of SRT correctness is employed that requires some deadlines to be met. All of the papers reviewed in this section focus on uniprocessor platforms and the implicit-deadline periodic task model, where tasks have exact rather than minimum separation times.

Koren and Shasha (1995a) allowed each task to have a skip factor s: each time a job of that task misses a deadline, the next s − 1 jobs must complete. The scheduler can simply skip any task that would miss a deadline, so some task sets with overload due to total utilization larger than one can be scheduled. However, Koren and Shasha showed that even on a uniprocessor, optimal scheduling with their model is NP-hard.

Hamdaoui and Ramanathan (1995) considered the more general (h, k) model. (We have changed their notation slightly to avoid conflict with other terms.) In that model, h jobs of a task must meet their deadlines out of any consecutive k jobs of that task.

Both of these types of constraints are generalized as weakly hard constraints by Bernat et al. (2001). They defined a “weakly hard real-time system” as any system with a precise bound on the distribution of met and missed deadlines. (Ordinary HRT systems are a special case, where every deadline is met.) Bernat et al. described a few variants, which can be combined with logical operators:

• A task can “meet any h in k deadlines,” which is identical to the (h, k) model discussed above.
• A task can “meet row h in k deadlines,” meaning that it must meet h deadlines in a row in every window of k deadlines. If k = h + 1, then this scheme reduces to a skip factor of h.
• A task can “miss any h in k deadlines,” meaning that it cannot miss more than h deadlines in a window of k.
• A task can “miss row h in k deadlines,” meaning that it cannot miss more than h deadlines in a row in a window of k. (The window size k is not actually required to express this condition.)

A weaker form of the (h, k) model, the window-constrained task model, was described by West and Poellabauer (2000). In that model, the time line is segmented into periodic windows, each containing k consecutive jobs of a given task, and within each window, h jobs of that task must meet their deadlines. (Any task system that is schedulable using the (h, k) model is also schedulable using the window-constrained model.)

Lin and Natarajan (1988) proposed the imprecise computation model for tasks that compute numerical results. Under that model, each job has a mandatory part that must complete before its deadline under any circumstances and an optional part that can be interrupted at any time. The mandatory part guarantees an approximate solution, and the precision of the solution must be nondecreasing as the optional part executes. The task must be defined to conform to these requirements. Ideally, every task would run its optional part to completion, but part of that computation can be cancelled when that is not possible. This model is not sufficient to provide a well-defined scheduling problem, because there must be some mechanism to determine which optional parts to execute. Several potential strategies, such as minimizing the number of dropped optional portions or minimizing the maximum error, were discussed by Liu et al. (1991).

Aydin et al. (2001) proposed a metric where a reward is assigned for completing each job, varying based on how much of the optional part is allowed to execute. They assumed linear or concave (nonincreasing derivative) nondecreasing reward functions and periodic tasks. They demonstrated that the maximum reward can provably be achieved by a system where the same amount of optional computation happens for each job of a task. They then provided a system of equations (linear in the case of linear reward functions) that can be solved to determine the optimal amount of optional computation for each task.
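The four weakly hard constraint forms and the window-constrained model described above can be written as checks over a recorded sequence of met and missed deadlines. This is an added example, not code from the chapter or the cited papers; the function names and the two sample records are constructed for illustration.

```python
"""Weakly hard constraint checks over a record of deadline outcomes.

A record is a list of booleans, one per consecutive job of a single task:
True means the job met its deadline, False means it missed it.
"""


def sliding_windows(record, k):
    """Every window of k consecutive jobs (windows overlap)."""
    return [record[i:i + k] for i in range(len(record) - k + 1)]


def periodic_windows(record, k):
    """Back-to-back, non-overlapping windows of k jobs each."""
    return [record[i:i + k] for i in range(0, len(record) - k + 1, k)]


def longest_run(outcomes, value):
    """Length of the longest run of consecutive entries equal to value."""
    best = run = 0
    for outcome in outcomes:
        run = run + 1 if outcome == value else 0
        best = max(best, run)
    return best


def meet_any(record, h, k):
    """(h, k) model: at least h deadlines met in any k consecutive jobs."""
    return all(w.count(True) >= h for w in sliding_windows(record, k))


def meet_row(record, h, k):
    """At least h deadlines met in a row inside every window of k jobs."""
    return all(longest_run(w, True) >= h for w in sliding_windows(record, k))


def miss_any(record, h, k):
    """No more than h deadlines missed in any window of k jobs."""
    return all(w.count(False) <= h for w in sliding_windows(record, k))


def miss_row(record, h):
    """No more than h deadlines missed in a row (no window size needed)."""
    return longest_run(record, False) <= h


def window_constrained(record, h, k):
    """Window-constrained model: h deadlines met in each periodic window."""
    return all(w.count(True) >= h for w in periodic_windows(record, k))


def evaluate(record, h, k):
    """Check one record against every form; the miss forms allow k - h misses."""
    return {
        "meet_any": meet_any(record, h, k),
        "meet_row": meet_row(record, h, k),
        "miss_any": miss_any(record, k - h, k),
        "miss_row": miss_row(record, k - h),
        "window_constrained": window_constrained(record, h, k),
    }


# Constructed sample records (not taken from any figure in the chapter).
STEADY = [True, True, False] * 3
BURST = [True, True, False, False, False, False, True, True]

if __name__ == "__main__":
    print("steady, h=2, k=3:", evaluate(STEADY, 2, 3))
    print("burst,  h=2, k=4:", evaluate(BURST, 2, 4))
```

The BURST record satisfies the window-constrained check but not the sliding (h, k) check, because its four consecutive misses straddle two periodic windows.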

4 Bounded Tardiness/Lateness

In this section, we review work that uses a notion of SRT correctness that requires “bounded tardiness” or “bounded lateness.” In order to do so, we will first introduce some additional definitions that are used in these works. Suppose a job is released at time r, has an absolute deadline at time d, and completes at time t. Then, as depicted in Fig. 3, its response time is t − r, its lateness is t − d, and its tardiness is max{0, t − d}. Observe that, if a job completes no earlier than its deadline, then its lateness and tardiness are identical and nonnegative. Otherwise, its lateness is negative and its tardiness is zero.

Fig. 3 Response time, lateness, and tardiness. If t were before d, then lateness would be negative, while tardiness would be zero

With these definitions in place, we now specify the definition of SRT that we focus on in this section: bounded lateness. If a task has an upper bound on the lateness of any of its jobs, then such a bound is called a lateness bound. If all tasks have lateness bounds, then the system has bounded lateness. Bounded tardiness (with tardiness bounds) and bounded response times (with response-time bounds) are equivalent to bounded lateness in the sense that a system has bounded lateness if and only if it has bounded tardiness and if and only if it has bounded response times. All three of these criteria are useful because each guarantees that each task receives a sufficient processor share in the long term.

Some of the works in this section have used the bounded tardiness criterion for SRT. Other more recent works reviewed here have used bounded lateness because lateness bounds can indicate that jobs must finish before their deadlines, whereas tardiness bounds cannot. Work on bounded tardiness and bounded lateness has typically been performed on multiprocessor systems, primarily due to the relative simplicity of optimal schedulers on uniprocessors.

4.1 Review of EDF Scheduling

A widely studied uniprocessor scheduling algorithm is the earliest-deadline-first (EDF) scheduling algorithm, in which jobs are prioritized by absolute deadline, with ties broken arbitrarily but consistently. Most of the work described in this section is based on schedulers derived from EDF. In order to describe the properties of EDF that make it useful, we first define some terms. When considering HRT scheduling, a schedule is said to be HRT correct if no job misses its deadline. When considering the type of SRT scheduling described in this section, a schedule is said to be SRT correct if it has bounded lateness. A task system is HRT (respectively, SRT) feasible if some scheduling algorithm can generate an HRT- (respectively, SRT-) correct schedule. A scheduler is said to be HRT (respectively, SRT) optimal if it generates an HRT- (respectively, SRT-) correct schedule for every HRT- (respectively, SRT-) feasible task system.


Fig. 4 EDF schedule of τ1 = (2, 4) and τ2 = (4, 8)

Fig. 5 Correct (both HRT and SRT) schedule of a system with three tasks where each τi = (2, 3)

On uniprocessor platforms, EDF is both HRT optimal and SRT optimal. In particular, EDF can correctly schedule any implicit-deadline task system with $\sum_{\tau_i \in \tau} U_i \le 1$. An example EDF schedule is depicted in Fig. 4.

In the rest of this section, we mainly consider multiprocessor platforms and use m to denote the number of processors. There are multiple ways to extend EDF scheduling to a multiprocessor setting. One method is partitioned EDF (P-EDF). Under P-EDF, each task is statically assigned to a processor, and each processor schedules its tasks using EDF. For implicit-deadline task systems, assigning tasks to processors is equivalent to solving a bin-packing-like problem. The items are the n tasks, with weights equal to utilizations, and the bins are the m processors, each with capacity one.

The primary limitation of P-EDF is related to the bin-packing problem: there are task systems that are feasible on m processors with techniques other than partitioning, but that cannot be partitioned onto the same set of processors. As an example, consider the task system with three identical tasks (2, 3). Each task has a utilization of 2/3, so no two tasks can be allocated on the same processor and three processors are required. However, this task system is actually feasible using only two processors. As an example, Fig. 5 depicts an HRT-correct schedule for this task system on only two processors when all jobs are released as early as possible. Notice that in this schedule, jobs of τ3 migrate between processors during execution.

An alternative to P-EDF is global EDF (G-EDF), in which all processors share a global run queue and the m jobs with the soonest deadlines execute. A G-EDF schedule of our running example (as in Fig. 5) is depicted in Fig. 6. Unfortunately, as can be seen in the figure, all jobs of τ3 miss their deadlines. This demonstrates that G-EDF is not HRT optimal. However, notice that no job of τ3 misses its deadline by more than 1 ms. In fact, Devi and Anderson (2008) demonstrated that G-EDF is SRT optimal.

Fig. 6 G-EDF schedule of the same system as Fig. 5. This schedule is SRT correct, but not HRT correct

Schedulers that are HRT optimal for implicit-deadline sporadic task systems do exist, e.g., Anderson and Srinivasan (2004), Baruah et al. (1996), Compagnin et al. (2014), Funk et al. (2011, 2012), Megel et al. (2010), Nelissen et al. (2012a, b, 2014), Regnier et al. (2011), and Zhu et al. (2011). However, most such schedulers are difficult to implement in practice and all cause jobs to frequently be preempted by other jobs or migrated between CPUs. Even the schedule in Fig. 5, which is for a very simple task system, requires each of τ3’s jobs to incur a migration. Furthermore, in order to achieve optimality, it is necessary to change the relative priorities of jobs while those jobs are running. In Fig. 5, each of τ3’s jobs initially has a higher priority than the corresponding job of τ2, but only for 1 ms. This type of priority change, which does not occur under G-EDF, can cause problems for locking protocols (Brandenburg 2011). Therefore, G-EDF remains a good choice for SRT systems for which bounded tardiness is acceptable.

On systems with a large number of processing cores, locking and maintaining a global run queue may incur large overheads (Bastoni et al. 2010). Therefore, a compromise between P-EDF and G-EDF called clustered EDF (C-EDF), where tasks are partitioned onto clusters of CPUs and G-EDF is used within each cluster, is preferable in such cases. Because G-EDF is used within each cluster, work analyzing G-EDF can also be applied in a straightforward manner to C-EDF.

4.2 Work on Bounded Lateness and Bounded Tardiness Without Overload

The seminal work on bounded tardiness was that by Devi and Anderson (2008), who considered G-EDF scheduling. They compared G-EDF to an ideal scheduler that continuously maintains for each task a processor share equal to its utilization. The difference in allocation between what a task receives under G-EDF and under the ideal scheduler is called lag. Lag can be analyzed at various points in the schedule in order to derive tardiness bounds. The most significant time instants in the analysis are those at which all CPUs become simultaneously busy. Because some processor was idle just before such an instant, there can be at most m − 1 tasks that have remaining work just before such a time. That insight allowed Devi and Anderson to define a value x such that the tardiness of a task τi is at most x + Ci. The value of x they defined is as follows:

$$x = \frac{C_{\mathrm{sum}} - C_{\min}}{m - U_{\mathrm{sum}}},$$

where Csum is the sum of the m − 1 largest values of Ci, Cmin is the smallest value of Ci, and Usum is the sum of the m − 2 largest values of Ui.

Bounded tardiness is established by mathematical induction over a set of jobs. We denote job k of task τi with Ji,k. When analyzing a job Ji,k with a deadline at di,k, jobs with lower priority than Ji,k can be ignored. Induction begins with the highest-priority job in the system, and the inductive assumption is that no job with priority higher than Ji,k has tardiness larger than stated in the proof. The lag is tracked inductively at key points in the execution of the system, so that a bound on the lag of the system at di,k can be determined. From that lag bound, the tardiness bound for di,k is established.

Leontyev and Anderson (2010) performed significant extensions to Devi and Anderson’s initial work. Rather than limiting their analysis to G-EDF, they considered a broader class of window-constrained schedulers. Under such a scheduler, jobs are prioritized on the basis of a priority point (PP), and the system executes the eligible jobs with the earliest PPs. Furthermore, a job’s PP may change with time, but there must exist constants φi and ψi such that, if a job of task τi has a release at time r, a deadline at time d, and a PP at time y (priority), then r − φi ≤ y ≤ d + ψi holds. By using the absolute deadline of each job as its PP, we see that G-EDF is a window-constrained scheduling algorithm.

Leontyev and Anderson also considered situations in which processing supply may be restricted. Such restrictions are conceptualized by defining a service function (following from Chakraborty et al. 2003) βp(Δ) for each CPU p, indicating that in any interval of length Δ, at least βp(Δ) units of time on CPU p are available to execute tasks. The form of the service functions used by Leontyev and Anderson is depicted in Fig. 7. Each CPU p has an available utilization ûp and a blackout time σp, so that

$$\beta_p(\Delta) = \max\{0,\ \hat{u}_p \cdot (\Delta - \sigma_p)\}.$$

In Fig. 7, we assume that the same pattern of supply restriction continues indefinitely; in this case, ûp = 1/2 and σp = 3. ûp indicates the long-term utilization of processor p. For example, in Fig. 7, half of the CPU time is occupied by supply restriction. σp is set to the x-intercept necessary in order for βp(Δ) to lower bound the actual supply, when the slope of βp(Δ) is ûp.


Fig. 7 Depiction of the service functions used by Leontyev and Anderson (2010)

The proof structure used by Leontyev and Anderson is similar to that used by Devi and Anderson, but much additional complexity is added by the generalizations applied. For the same reasons, the tardiness bounds are significantly more complex, so we refer the reader to Leontyev and Anderson (2010) for full expressions.

Leontyev et al. (2011) considered a task model that is more general than the sporadic task model, using a framework called real-time calculus. They considered delay bounds, which correspond to response-time bounds under the sporadic task model. As discussed above, requiring bounded response times is equivalent to requiring bounded lateness and bounded tardiness. Leontyev et al. provided a method to determine whether a given set of response-time bounds could be met. Again, the expressions are complex, so we refer the reader to Leontyev et al. (2011) for details.

Leontyev et al. also provided a method to determine lateness bounds for a family of G-EDF-like (GEL) schedulers. Recall that, under G-EDF, jobs are prioritized based on their absolute deadlines, and the absolute deadline of each job of τi is Di units of time after its release. Under a GEL scheduler, jobs are prioritized based on fixed (nonchanging) PPs that may differ from absolute deadlines. In an analogous manner to G-EDF and using absolute deadlines, a job under a GEL scheduler has a higher priority than another if it has an earlier PP. A per-task constant Yi (priority) takes the place of Di: the PP of each job is Yi time units after its release. The implementation of any GEL scheduler is identical to that of G-EDF, except that Yi is used for prioritization in place of Di. An example comparing two GEL schedulers is depicted in Fig. 8. Figure 8a depicts G-EDF itself, where Yi = Di for all i, and Fig. 8b depicts a different GEL scheduler, the global fair lateness (G-FL) scheduler proposed by Erickson et al. (2014), as discussed below.

Fig. 8 Comparison of two GEL schedules of the same task system, with τ1 = τ2 = (2, 4) and τ3 = (8, 8). (a) G-EDF schedule, where Yi = Di for all i. (b) A different GEL schedule (in this case, G-FL) of the same task system

While Leontyev et al. (2011) provided analysis for arbitrary GEL schedulers, they did not provide substantial guidance on how to select values of Yi in order to obtain desired scheduler characteristics. Furthermore, although they allowed delay bounds to be specified, they did not provide an efficient method to obtain the tightest possible delay bounds using their analysis, and the bounds provided are not as tight as possible for sporadic task systems given the more general task model considered.

Erickson et al. (2014) addressed these limitations using an analysis framework similar to that of Devi and Anderson (2008). Compared to Devi and Anderson (2008), Erickson et al. provided further improvements on the tightness of tardiness/lateness bounds and also provided a way to handle arbitrary deadlines (deadlines may differ from minimum separation times) and arbitrary GEL schedulers. Their method does not require the additional pessimism from the more general models considered by Leontyev and Anderson (2010) and Leontyev et al. (2011). Erickson et al. also provided methods to choose the best lateness bounds by optimizing parameters such as maximum or average lateness.

As discussed above, Devi and Anderson define the tardiness bound for τi as x + Ci, with a single value of x for the entire task system. One fundamental change in Erickson et al.’s analysis is to define a separate xi for each τi. They also allow for relative PPs that differ from minimum separation times, which allows consideration of both arbitrary deadlines and arbitrary GEL schedulers.


The tardiness bound x + Ci from Devi and Anderson is equivalent to a response-time bound of Di + x + Ci. In the analysis of Erickson et al., Yi replaces Di, so response-time bounds are of the form Yi + xi + Ci. Stated as lateness bounds, they are of the form Yi + xi + Ci − Di. Erickson et al. defined a term

$$S_i(Y_i) = C_i \cdot \max\left\{0,\ 1 - \frac{Y_i}{T_i}\right\},$$

that accounts for the difference between Yi and Ti, and they use it to provide the following bound on xi.

$$x_i \ge \frac{\sum_{m-1\ \text{largest}} \left( x_j U_j + C_j - S_j(Y_j) \right) + \sum_{\tau_j \in \tau} S_j(Y_j) - C_i}{m} \qquad (1)$$

Notice that xi effectively appears on both sides of (1), so (1) cannot be used directly to compute xi . However, Erickson et al. showed how to define a linear program in order to determine the smallest values of xi that satisfy (1) for all i. Furthermore, if each Yi is treated as a variable rather than as a constant, one can also use linear programming to select Yi values in order to optimize any linear criterion of lateness bounds, such as minimizing the maximum or average lateness bound. Erickson et al. also proposed G-FL, the same scheduler that was depicted in Fig. 8b. Under G-FL, for each τi , Yi  Di −

m−1 · Ci . m

As can be seen in Fig. 8, G-FL can provide better observed lateness than G-EDF. Additionally, it can provide better lateness bounds. Erickson et al. also showed that it provably provides the smallest possible maximum lateness bound, given their analysis.

For the particular case of G-EDF, Valente (2016) provided a method to tighten tardiness bounds further. He used a lag proof similar to that of Devi and Anderson (2008). He demonstrated that lags for different tasks within a task system have a “balancing” effect on each other. Using this observation, he was able to provide tighter bounds for G-EDF than were possible with earlier research, albeit using an algorithm that requires exponential time to compute them in the worst case.

Erickson and Anderson (2011) proposed a task system modification that can further reduce lateness. Recall that, because a task is a single-threaded process, each job must wait to begin executing until its predecessor completes. This is an intra-task precedence constraint. If jobs run in separate threads, however, this constraint can be removed, and multiple jobs of the same task can execute at the same time on different processors. Doing so can further reduce lateness bounds.

Some of the pessimism in previous lateness bounds results directly from the fact that work can be backed up within a task, even when there are idle CPUs. It is possible that a task has several jobs that have sufficient priority to run, but only one can make progress. Without the intra-task precedence constraint, however, multiple pending jobs from the same task can make progress at the same time. This change allows for smaller bounds. Furthermore, in the presence of the intra-task precedence constraint, the amount by which a task is backed up can grow unboundedly even when there are idle CPUs. Therefore, it is necessary that Ui ≤ 1 holds for every task. However, without the intra-task precedence constraint, this requirement is no longer necessary, and the simple system utilization requirement $\sum_{\tau_j \in \tau} U_j \le m$ is sufficient.

Erickson and Anderson (2012) proposed another modification to the scheduler to improve lateness bounds. The lateness bounds from Erickson et al. (2014) depend heavily on task execution times. A task’s execution time can be reduced by an integral factor if each of its jobs is split. For example, a task that has a WCET of 2 ms and a period of 4 ms could have its jobs split in half, resulting in a task with a WCET of 1 ms and a period of 2 ms. Notice that the utilization of the task remains constant. Each consecutive pair of subjobs in the split task corresponds to a real job in the original task.

An example of job splitting under G-EDF is depicted in Fig. 9. Figure 9a depicts an example schedule in the absence of splitting. Notice that J3,0 completes 4 ms late. Figure 9b depicts the schedule where jobs of τ3 are split into two subjobs. Ji,j,k is used to denote subjob k of Ji,j. Notice that J3,0 now completes only 3 ms late. Job splitting becomes more complicated in the presence of critical sections, because many locking protocols require that job priorities do not change during execution, but every time a subjob ends, the priority of the underlying job changes.
However, this problem can be overcome by not allowing a subjob to end while holding or waiting for a lock, reducing the length of the subsequent subjob. This procedure is depicted in Fig. 9c, where J3,0,0 runs for 8 ms instead of 7 ms, and J3,0,1 then runs for only 6 ms. In the absence of overheads and critical sections, because task utilizations remain constant with splitting, lateness bounds could be made arbitrarily close to zero. However, on a real system, more overheads are incurred as a result of job splitting. Whenever a subjob ends, the operating system must decide what job should subsequently be scheduled, creating more scheduling decisions. Additionally, jobs may be preempted at subjob completion, rather than only at job releases, causing a potential loss of cache affinity. These additional overheads effectively increase a task’s utilization, so it is necessary to account for these overheads in order to determine the actual benefits of job splitting. Erickson and Anderson’s lateness analysis remains correct if jobs are allowed to begin execution prior to their proper release times, as long as job PPs are determined based on their proper release times. Therefore, when one subjob completes, it is sufficient to simply lower the priority of the underlying job. It is not necessary to unconditionally preempt the job. Furthermore, even if the job does need to be preempted, it can simply be added to the ready queue immediately; it is not necessary to set a timer for a future release. This approach significantly limits the additional overheads that splitting creates.

Fig. 9 Schedules of a task system with τ1 = (4, 6), τ2 = (9, 12), and τ3 = (14, 24), to illustrate job splitting. (a) No splitting. (b) Each job of τ3 split into two subjobs. (c) Each job of τ3 split into two subjobs, in the presence of critical sections

Provisioning SRT applications based upon the worst case may be overkill in many settings. Indeed, by inspecting the tardiness and lateness bounds given above, it is evident that such bounds can be reduced if tasks are provisioned using average-case execution times rather than worst-case times. Mills and Anderson (2011) explored this possibility and showed that the prior tardiness analysis of Devi and Anderson (2008) can be extended so that only average-case task execution times are assumed. The basic idea is to encapsulate each task within a single-task server that is sporadically allocated execution budget based on that task’s provisioned average-case execution time. A single job of a task may require budget from multiple server invocations to complete. Mills and Anderson showed that such an approach allows tardiness to be bounded in expectation. In later work, Liu et al. (2014) revisited the independence assumptions applied in the analysis of Mills and Anderson and showed that such assumptions can be relaxed.

5 Overload Management Using Value Functions

In this section, we discuss prior work on scheduling algorithms that use value functions to define correct behavior during overload.

5.1 Locke’s Best-Effort Heuristic

Locke (1986) considered a system that resembles the sporadic task model, scheduled globally on a multiprocessor. Most of the other papers in this section are written for special cases of this model, so we review it in some detail. However, rather than having a per-task upper bound on job execution times, there is a stochastic per-task distribution of execution times. Similarly, rather than having a per-task lower bound on separation time between job releases, job releases follow a stochastic per-task distribution. Given these modifications to the task system, it is possible for the system to experience overload if there is a burst of jobs that either are released closer together than generally expected or that run for longer than generally expected.

Locke (1986) assigned to each task a value function that specifies the value to a system of completing a job at a particular time after its release. “Value” is a unit-less quantity that can be compared between jobs, to determine which job to complete in the event of an overload. Ideally, the system should accrue as much total value as possible.

Examples of value functions are depicted in Fig. 10. In each example, the x axis represents the completion time of a job after its release, while the y axis represents the value to the system from completing that job. For example, suppose τi is the task considered in Fig. 10a. If some Ji,k completes before the time marked “Critical Time,” then the system achieves some constant value. However, if the job completes after that time, the system receives no value whatsoever. Thus, the system should only execute Ji,k if it is possible for Ji,k to complete before its critical time. Furthermore, suppose there are two tasks τi and τj that each have value functions of this form and that at time t there are ready jobs Ji,k and Jj, .
If it is possible to complete either Ji,k or Jj, before its respective critical time, but not to complete both before their respective critical times, then Ji,k should generally be selected if τi has a higher constant value than τj , and Jj, should be selected if the reverse is true. (This is not strictly true because the choice of Ji,k or Jj, may affect the ability to complete other jobs at appropriate times.)

Fig. 10 Example value functions from Locke (1986). (a) Value function with step at critical time. (b) Value function with exponential drop-off after critical time. (c) Value function with quadratic drop-off after critical time. (d) Value function with a specific target completion time, and quadratic increase and drop-off before and after that time, respectively

Although not required by the definition of “value function,” for tractability Locke (1986) considered value functions that are continuous and have continuous first and second derivatives, except for (possibly) a single discontinuity at the critical time. This is why the time of the discontinuity in Fig. 10a is labelled as the “critical time.”

Although the step function discussed above is the simplest value function, Locke proposed others. Figure 10b depicts a value function that drops off exponentially after the critical time, indicating that there is still some value to completing jobs late, but this value rapidly drops off as jobs complete later. Figure 10c depicts a value function that drops off more slowly after the critical time, indicating that completing jobs slightly late has a smaller impact than for the value function in Fig. 10b. Finally, as depicted in Fig. 10d, it is also possible to use value functions to indicate that a job should not complete too early. In this case, a job that finishes very quickly will achieve zero value, just as if the job finished very late.

The system should try to achieve the maximum cumulative value even if an overload occurs. However, there are two difficulties that arise in attempting to do so: uncertainty about system behavior and the intractability of the scheduling problem. Locke assumed that the system does not know the timing of job releases until they occur and does not know the actual run time of each job until it completes. We show by example that even the first assumption is itself sufficient to prevent the system from always maximizing the cumulative value.

Fig. 11 Value functions for an example task system. (a) Value function for τ1. (b) Value function for τ2. (c) Value function for τ3

Consider the task system with value functions depicted in Fig. 11, as scheduled on a uniprocessor. Suppose that τ1 releases J1,0 and τ2 releases J2,0 at time 0 and that no other job is released before time 15. Further suppose that J1,0 is known to require 14 ms of execution, while the job of J2,0 is known to require 7 ms of execution. This scenario is depicted in Fig. 12b, c. Because these two jobs together require 21 ms of execution, while their last critical time is at time 15, the system cannot complete both jobs before their critical times. It is therefore better for it to select J1,0 as in Fig. 12b, in order to achieve a cumulative value of three, rather than selecting J2,0 as in Fig. 12c, which would only achieve a cumulative value of one. Suppose, however, that τ3 actually releases J3,0 at time 8, and that J3,0 is known to require 6 ms of execution. Because J3,0 can complete with a value of 4, which is greater than the value that can be achieved by either J1,0 or J2,0, the system should execute J3,0 to maximize the cumulative value. If the system initially chose to execute J1,0, as depicted in Fig. 12d, then because J1,0 does not actually complete, the cumulative value achieved is only four. However, if the system initially chose to execute J2,0, as depicted in Fig. 12e, then because J1,0 completes, the cumulative value achieved is five. Therefore, the optimal choice at time 0 depends on whether J3,0 is released at time 8, so making an optimal choice is impossible under Locke’s
assumptions. A similar example could be constructed if the execution times were unknown.

Fig. 12 Several possible schedules for the task system with value functions depicted in Fig. 11. J1,0 is released at time 0 and is known to have an execution time of 14. J2,0 is also released at time 0 and is known to have an execution time of 7. In (d) and (e), J3,0 is released at time 8 and is known to have an execution time of 6. (a) Key for schedules in this figure. (b) Schedule running only the job from τ1, with a cumulative value of 3. (c) Schedule running only the job from τ2, with a cumulative value of 1. (d) Schedule running jobs from τ1 (though not to completion) and τ3, with a cumulative value of 4. (e) Schedule running jobs from τ2 and τ3, with a cumulative value of 5

Locke also noted that, even if optimal decision-making were possible, the problem is likely to be NP-complete. However, the results of this decision-making process are most important precisely when the system is already overloaded and cannot complete all jobs. Furthermore, running the scheduling algorithm requires the same computing resource as the jobs themselves. Therefore, running an optimal scheduling algorithm would cause more harm than it prevents. Thus, Locke could have chosen to develop either a heuristic algorithm or an approximation algorithm with a corresponding provable bound on achieved value, but he chose the former.

Locke’s heuristic algorithm is based on the assumption that, under typical circumstances, it will be possible for nearly every job to complete at a time that allows it to achieve nearly all of its possible value. This assumption simply means that the system was properly provisioned for the common case. In order to exploit this assumption, Locke assigned for each job a deadline that is the latest time it can complete while continuing to achieve a user-configurable fraction of its maximum
achievable value. In the case of a step value function, as in Fig. 10a, a job’s deadline is simply its critical time. However, under any of the other types of value functions depicted in Fig. 10, a job’s deadline is usually after its critical time.

Locke’s heuristic simply prioritizes all jobs by deadline until the probability of a deadline miss exceeds a user-configurable threshold. Once a deadline miss is likely, the system switches prioritization to a heuristic based on value density. The value density for Ji,k at time t is computed as follows. Let $e^r_{i,k}(t)$ be the expected remaining execution time for Ji,k at time t, conditioned on how long it has already executed. The expected value V(t) of Ji,k at time t is defined to be the value that Ji,k will accumulate if it completes at time $t + e^r_{i,k}(t)$. The value density of Ji,k at time t is simply $V(t)/e^r_{i,k}(t)$. For example, consider the schedule in Fig. 12d. At time t = 0, J1,0 is expected to have 14 units of execution remaining, completing at time 14, and has an expected value of 3, resulting in a value density of 3/14. At time t = 8, J1,0 is expected to have 14 − 8 = 6 units of execution remaining, still completing at time 14, and has an expected value of 3. Its value density is now 3/6 = 1/2. The heuristic that the system uses during overload, when it is likely that some job will miss its deadline, is to prioritize jobs by decreasing value density.

Locke demonstrated the effectiveness of his heuristic through experiments that simulate global multiprocessor schedules where one CPU is dedicated to making scheduling decisions for the rest of the system. He demonstrated that his scheme provides significantly higher achieved value than other considered schedulers in the presence of overload while also meeting most deadlines in the absence of overload. However, he did not provide any theoretical guarantees comparing the achieved value to the maximum achievable value.
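The two quantities defined in this section, the deadline derived from a value function and the value density used during overload, are worked through below as an added example; it is not code from Locke (1986) or from the chapter authors. The value-function parameters (critical times, decay rate) are constructed, since the figures give only their shapes, and the deadline search assumes the maximum value is reached at the critical time and never increases afterwards.

```python
import math

def step(value, critical):
    """Fig. 10a shape: full value up to the critical time, nothing after it."""
    return lambda c: value if c <= critical else 0.0

def exp_dropoff(value, critical, rate):
    """Fig. 10b shape: full value up to the critical time, then exponential decay."""
    return lambda c: value if c <= critical else value * math.exp(-rate * (c - critical))

def locke_deadline(value_fn, critical, fraction, horizon, tol=1e-9):
    """Latest completion time (measured from release) that still earns at least
    `fraction` of the maximum value. Bisection between the critical time and
    `horizon`; assumes value_fn is non-increasing after the critical time."""
    target = fraction * value_fn(critical)
    if value_fn(horizon) >= target:
        return horizon
    lo, hi = critical, horizon          # value_fn(lo) >= target > value_fn(hi)
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if value_fn(mid) >= target:
            lo = mid
        else:
            hi = mid
    return lo

def value_density(value_fn, release, now, expected_remaining):
    """V(t) / e^r(t): value earned if the job completes at now + expected
    remaining execution, divided by that remaining execution time."""
    completion_after_release = now + expected_remaining - release
    return value_fn(completion_after_release) / expected_remaining

def overload_order(jobs, now):
    """Overload rule from the text: prioritize by decreasing value density."""
    ranked = sorted(
        jobs,
        key=lambda j: value_density(j["value_fn"], j["release"], now, j["remaining"]),
        reverse=True,
    )
    return [j["name"] for j in ranked]

# Constructed stand-ins for the tasks of Fig. 12d: only the achieved values
# (3 and 4) and the execution times come from the text; the critical times
# are assumptions chosen so both jobs can still complete in time.
TAU1 = step(3.0, 15.0)
TAU3 = step(4.0, 7.0)
JOBS_AT_8 = [
    {"name": "J1,0", "value_fn": TAU1, "release": 0, "remaining": 6},
    {"name": "J3,0", "value_fn": TAU3, "release": 8, "remaining": 6},
]
```

For a step function the computed deadline collapses to the critical time, while for the exponential shape it lands after the critical time, as the section states.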

5.2 Providing a Guarantee on Achieved Value: D∗

Unless otherwise noted, all papers discussed in the remainder of Sect. 5 consider only step value functions, as depicted in Fig. 10a. In such cases, we say that the deadline of each job is simply its critical time, and that its value is the value that it achieves if it completes before its critical time. Furthermore, the job’s value density is simply its value divided by its total execution time. (This differs from the notion of “value density” used by Locke (1986), who used remaining execution time.) We use the constant q to denote the importance ratio, or the ratio of the largest value density in the system to the smallest value density in the system. (Several of the papers cited herein use k for the importance ratio, but we use q (quotient) to avoid conflict with the job index k.)

Baruah et al. (1991) considered scheduling on uniprocessors. They observed that Locke (1986) provided only heuristics but did not provide any guarantee about the value that could be achieved during an overload. In order to provide such a guarantee, they developed a new scheduling algorithm, D∗. They assumed that job release times are not known ahead of time, but that the exact execution time of each job is known upon release.

D∗ is similar to the later-proposed earliest deadline until zero laxity (EDZL) scheduling algorithm (Baker et al. 2008; Lee 1994). A job’s laxity is the time until its deadline minus its remaining execution time. If it reaches a zero-laxity state, then it must be scheduled immediately, or it will miss its deadline. Like EDZL, D∗ behaves identically to EDF until some Ji,k reaches a zero-laxity state. If no other job is in a zero-laxity state when this occurs, then Ji,k runs immediately. To handle the case when some Jj, is already in a zero-laxity state, D∗ maintains the sum of the values of all jobs that have been preempted in a zero-laxity state since the last successful job completion. Such preempted jobs have been abandoned, as it was impossible for them to meet their deadlines. If Ji,k has a value greater than this sum plus the value of Jj, , then Ji,k preempts Jj, , Jj, is abandoned, and the sum is updated. Otherwise, Ji,k is abandoned. Baruah et al. (1991) proved that, if value densities are normalized such that the smallest is at least one, the total value achieved during an overloaded interval using D∗ is at least 1/5 the length of that interval. Although this value is small, they proved that no algorithm can guarantee more than 1/4 of the length of such an interval without knowing job releases ahead of time. Baruah et al. also showed experimentally that D∗ performs similarly to Locke’s best effort scheduler in the common case but provides drastically better behavior in certain pessimistic cases.

5.3 Providing the Optimal Guarantee: Dover

Koren and Shasha (1995b) provided a scheduler Dover that can guarantee an achieved value of 1/4 of the length of an overloaded interval, closing the gap between D∗ and the theoretical limit. The design of Dover , like the design of D∗ , is based on EDF and is identical to EDF until an overload occurs. Even during underload, Dover maintains two sets of ready jobs, not including the currently running job: waiting jobs and privileged jobs. If a job is preempted by a normal job release, then it becomes a privileged job. The system keeps track of the amount of time that a newly arriving job can execute without causing the current job or any privileged job to miss its deadline. When a new job arrives, if its execution cost is less than this time, it preempts the current job. Otherwise, because adding the new job could cause some existing job to miss its deadline, an overload has occurred. Therefore, the new job is instead added to the queue of waiting jobs. This strategy ensures that a privileged job can never reach a zero-laxity state. Let Vj, denote the value of Jj, . When waiting Ji,k reaches a zero-laxity state, then either it must be scheduled immediately or it is not worth running at all. However, running it may prevent other jobs from running. To determine whether  √ is worth running, its value is compared to (1 − q) · ( Ji,k ∈Θ Vj, ), where Θ is the set containing all privileged jobs and the currently running job. If its value is larger than this expression, then Ji,k preempts the currently running job, and all privileged jobs become waiting jobs. Otherwise, Ji,k is discarded.

Koren and Shasha (1995b) also demonstrated that Dover achieves the optimal competitive ratio of $\frac{1}{(1+\sqrt{q})^2}$. In other words, Dover is guaranteed to achieve at least $\frac{1}{(1+\sqrt{q})^2}$ times as much value in an overloaded interval as could be achieved by a clairvoyant algorithm. Baruah et al. (1991) demonstrated that no better competitive ratio is possible.

5.4 Providing Guarantees on Multiprocessors: MOCA

While D∗ and Dover provide guarantees on a uniprocessor, Koren and Shasha (1994) proposed the multiprocessor on-line competitive algorithm (MOCA) to provide such guarantees on a multiprocessor. MOCA requires an even number of processors and works by dividing the system into m/2 bands of two processors, as depicted in Fig. 13. ψ of the bands are designated with specific value densities, and ω form a central pool. It must be the case that ψ + ω = m/2, so that each CPU is assigned to exactly one band. Each band contains a safe processor for executing jobs that can be guaranteed to meet their deadlines and a risky processor for executing jobs for which such a guarantee cannot be made. When a job is released, the system first tries to assign it to the band designated for its value density. If it can be assigned to the safe processor without compromising the guarantees made to other jobs that are already on that safe processor, the system assigns it there. Otherwise, the system tries to assign it to the safe processor for a band designated for lower value density, considering such bands in decreasing value density order. If even that fails, the system then tries to assign it to a safe processor in the central pool, considering such processors in arbitrary order. If all else fails, the system adds it to a list of waiting jobs and does not consider it until it reaches a zero-laxity state. When a waiting job Ji,k reaches a zero-laxity state, the system tries to schedule it on a risky processor. Bands are considered in the same order as for safe processors. If it finds an idle risky processor, it begins executing Ji,k there. Otherwise, it considers the same set of risky processors as before and finds the one running the Jj, with the earliest deadline. If Ji,k has a later deadline than Jj, , then Jj, is abandoned, and Ji,k begins running in its place. Otherwise, Ji,k is abandoned. 
This heuristic is used to minimize the risk of unnecessary idleness on a risky processor, as a job in a zero-laxity state will run continuously until its deadline. Whenever some safe processor becomes idle, the safe and risky processors within that band switch roles. This guarantees that the job running on the risky processor will complete (as it is now on a safe processor) and ensures that an idle risky processor is now ready to schedule a waiting job that reaches a zero-laxity state.

Koren and Shasha (1994) also showed that no scheduler executing on m processors can achieve a competitive ratio above

$$\frac{q - 1}{q m \cdot \left(q^{1/m} - 1\right)},$$

and that MOCA achieves a competitive ratio of

$$\frac{1}{1 + 2m \cdot \left( \max_{1 \le i \le \psi} \dfrac{q^{i/\psi}}{\omega + \dfrac{q^{i/\psi} - 1}{q^{1/\psi} - 1}} \right)}.$$

ψ should be chosen to maximize this ratio. Observe that MOCA is not necessarily optimal in the sense of achieving the best possible competitive ratio. However, unlike heuristic approaches, it does provide a guarantee.

Fig. 13 Grouping of CPUs used by MOCA

5.5 Rate-Based Earliest Deadline Scheduling

Buttazzo and Stankovic (1995) proposed the robust earliest-deadline (RED) scheduler, which uses a model based on value functions. Each task has an associated deadline, value, and deadline tolerance. It has a step value function with the critical time at the deadline plus deadline tolerance. However, scheduling decisions are based only on deadline, without accounting for deadline tolerance.

Under RED, each task has a WCET that will not be exceeded, but the arrival pattern of jobs is not known. In this respect, its assumptions are like those used by D∗, Dover, and MOCA. When a job is released, it can be accepted or rejected. If it is rejected, it will not run unless slack is created in the future by jobs that underrun their WCETs.

In addition to considering value, RED also divides tasks into two classes: hard and critical. If a hard job is accepted, then it must complete unless overload later occurs. If a critical job is accepted, then it must complete under all circumstances.

At runtime, RED keeps a list of all unfinished accepted jobs, both hard and critical, ordered by deadline. Whenever a new Ji,k is released, RED uses the list to determine whether adding Ji,k will cause a deadline miss. If it will not, Ji,k is immediately accepted. Otherwise, RED will attempt to find one or more hard jobs that can be dropped. Dropped jobs may still be completed if other jobs complete early. RED always executes the job at the beginning of its list of accepted jobs, thus running the job with the earliest deadline. In the absence of overload, RED reduces simply to EDF. Buttazzo and Stankovic (1995) provided experimental evidence that RED can achieve significantly higher value than other schedulers such as EDF when an overload occurs.

Spuri et al. (1995) proposed the robust total bandwidth (RTB) scheduler, a similar scheduler to RED. RTB also supports a class of guaranteed periodic tasks that are not subject to being rejected. (Spuri et al. 1995 use the term “hard periodic” for these tasks, but we use “guaranteed” here to avoid confusion with hard RED tasks.) It does so by scheduling the aperiodic tasks (i.e., the same types of tasks as the hard and critical tasks under RED) inside a server.
A server is a budgeted container for other tasks. The server can be scheduled with EDF, using a budget to guarantee that it will not interfere with guaranteed periodic tasks. When RTB chooses to schedule that server, it actually executes one of the aperiodic jobs running inside that server. Tasks are accepted or rejected using a similar strategy to RED.

5.6 Schedulers Accounting for Dependencies

Some work has been performed on scheduling with value functions in the presence of dependencies such as shared resources. These schedulers have additional constraints they must consider, such as needing to let a critical section finish in order to free the resource for another job. For examples, see Cho (2006), Clark (1990), Garyali (2010), Li (2004), and Li et al. (2006).

6 Overload Management by Changing Minimum Separation Times

Most of the overload management techniques surveyed thus far in this chapter have worked by dropping certain jobs. An alternative technique is to adjust the minimum separation time of a task, slowing down the rate at which it releases jobs.

Adaptive scheduling algorithms allow such a scaling of minimum separation times. Such algorithms were surveyed in detail by Block (2008). However, most of these algorithms are intended for use in systems where high variability in job execution times is expected, and minimum separation times must be decided online for that reason. We are concerned primarily with systems that are provisioned for the common case but that need to recover from transient overloads.

The related problem of choosing new minimum separation times was addressed by Buttazzo et al. (2002), who proposed the elastic model. Under the elastic model, tasks are assigned initial and maximum periods, as well as elasticity factors that are used to determine the extent of “stretching” of each task. During a transient overload, minimum separation times can be determined based on elasticity factors.

One adaptive scheduling algorithm, the earliest eligible virtual deadline first (EEVDF) algorithm (Stoica et al. 1996), uses a notion of virtual time. We provide a description of EEVDF here. EEVDF is a proportional share scheduling algorithm. Each task is assigned a weight, and each task should receive a processor share that is commensurate with its weight. For example, consider the task system in Fig. 14. The actual progression of time is graphed on the bottom axis. From time 0 to time 2, only τ1 is present in the system. Therefore, it receives all of the CPU time. At time 2, τ2 enters the system. Because τ1 has a weight of 4 and τ2 has a weight of 2, τ1 receives twice as much processor time as τ2. Until τ3 arrives at time 8, τ1 receives 2/3 of the processor time and τ2 receives 1/3. As long as some task is present, the CPU is never idle.

Fig. 14 EEVDF schedule of a task system. τ1 has a weight of 4 and always issues requests of size 2 ms. τ2 has a weight of 2 and always issues requests of size 2 ms, although its second request issued at actual time 8 completes early. τ3 has a weight of 2 and always issues requests of size 1 ms

In order to distribute processor time in accordance with the weights, EEVDF maintains the current virtual time. The speed of virtual time relative to actual time depends on the total weight of all tasks in the system. Specifically, if A(t) is the set of active tasks at time t and Wi is the weight of τi, then the speed of virtual time at actual time t is $1 / \sum_{\tau_i \in A(t)} W_i$, and the virtual time v(t) corresponding to actual time t is

$$v(t) = \int_0^t \frac{1}{\sum_{\tau_i \in A(t)} W_i} \, dt.$$

For example, between time 0 and time 2 in Fig. 14, only τ1 is present, with a weight of 4. Therefore, the speed of virtual time in this interval is 1/4, and $v(2) = \int_0^2 \frac{1}{4} \, dt = 0.5$.

Each task repeatedly makes requests for CPU time, making a new request as soon as its previous request has completed (unless it instead exits the system at that time). When a task enters the system, it makes its first request. That request is said to have an eligible time at that time. Each request also has an associated size s, indicating the amount of actual time desired for computation. However, it is possible for the task to complete executing its request before it has used a full s units of execution, as τ2 does in Fig. 14 for the request issued at virtual time 1.5.

Once a task completes executing its request, it usually initiates another request. If the just-finished request had an eligible virtual time of r and an actual execution time of a, the new request has an eligible time at virtual time r + a/Wi. Alternatively, the task may exit the system at the time its next request would otherwise be eligible, as τ1 does in Fig. 14 at virtual time 2.5. (Stoica et al. 1996 provide more complex rules that allow a task to leave at other times, but we do not consider those here.)

For example, the first request of τ1 in Fig. 14 has an eligible virtual time of 0 and executes for 2 ms. Therefore, the eligible virtual time for the second request is 0 + 2/4 = 0.5. Similarly, the second request of τ1 has an eligible virtual time of 0.5, as just computed, and also executes for 2 ms. Thus, the eligible virtual time for the third request is 0.5 + 2/4 = 1. Observe that the difference between eligible virtual times is 0.5 ms in both cases, but the difference between eligible actual times is 2 ms between the first and second request, but 3 ms between the second and third requests. This occurs because the virtual time clock runs more slowly once τ2 enters the system.
Each virtual request has a virtual deadline that is used to determine scheduling priority. If the request has a virtual eligible time of r and a request size of s, then its virtual deadline is at time d = r + s/Wi. For example, the first request of τ1 in Fig. 14 has a virtual eligible time of 0 and a request size of 2 ms, so its virtual deadline is 0 + 2/4 = 0.5. If a request runs for its full request size, then its virtual deadline is identical to the virtual eligible time of the next request. However, if a request completes early, as happens to the second request of τ2 that completes at virtual time 2, then the virtual eligible time of the next request may be earlier than the virtual deadline of the just-finished request. EEVDF prioritizes requests by earliest virtual deadline, considering only requests that have reached their eligible times but have not completed. For example, at virtual time 0.5 in Fig. 14, τ1 has a request with a virtual deadline of 1, and τ2 has a request with a virtual deadline of 1.5. Because τ1 has an earlier virtual deadline, its request runs for the requested 2 ms. The next request of τ1 does not have an eligible time until virtual time 1, so τ2’s request runs until that time. In Fig. 14, deadline ties are broken by task index, so when τ1’s third request becomes eligible at virtual time 1, it preempts the executing request of τ2.

Observe in Fig. 14 that τ3 and τ2 receive the same processor share, even though their request sizes differ. The request size of τ2 is always 2 ms (even though the full size may not be used), and the request size of τ3 is always 1 ms. However, from virtual time 1.5 onward (when τ3 enters the system), τ3 releases jobs twice as frequently as τ2, except for the shift in release time for τ2 caused by the early completion. This occurs because both tasks have the same weight.
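The EEVDF bookkeeping described above, as an added example that is not part of the original chapter: a 1 ms quantum simulation of virtual time, eligible times, virtual deadlines, and earliest-virtual-deadline selection. The task set is constructed to follow the numbers quoted from Fig. 14 (τ1 with weight 4 entering at time 0); the weight of 2 and the entry time of 2 ms for τ2 are assumptions inferred from its quoted virtual deadline of 1.5, and the `demands` parameter (actual run length per request, used for early completion) is hypothetical.

```python
from fractions import Fraction as F


class Task:
    """One EEVDF task. Field names are illustrative, not from the chapter."""

    def __init__(self, index, weight, size_ms, enter_ms, demands=()):
        self.index = index
        self.weight = F(weight)       # W_i
        self.size = F(size_ms)        # request size s, in ms of actual time
        self.enter = enter_ms         # actual time at which the task enters
        self.demands = list(demands)  # actual run length per request (default: s)
        self.active = False
        self.requests = []            # [eligible_v, deadline_v, eligible_actual_ms]

    def issue(self, eligible_v):
        """Open a new request that becomes eligible at virtual time eligible_v."""
        self.eligible = eligible_v
        self.deadline = eligible_v + self.size / self.weight   # d = r + s / W_i
        self.need = F(self.demands.pop(0)) if self.demands else self.size
        self.used = F(0)
        self.requests.append([eligible_v, self.deadline, None])


def simulate(tasks, horizon_ms):
    """Run EEVDF in 1 ms quanta; return (schedule, final virtual time).

    Task exit is not modeled, and events are assumed to fall on 1 ms
    boundaries, which holds for the constructed inputs below.
    """
    v = F(0)
    schedule = []
    for t in range(horizon_ms):
        for task in tasks:
            if task.enter == t:          # first request is eligible on entry
                task.active = True
                task.issue(v)
        active = [x for x in tasks if x.active]
        for task in active:              # record when a request becomes eligible
            if task.eligible <= v and task.requests[-1][2] is None:
                task.requests[-1][2] = t
        ready = [x for x in active if x.eligible <= v]
        # Earliest virtual deadline first; ties broken by task index.
        running = min(ready, key=lambda x: (x.deadline, x.index), default=None)
        schedule.append(running.index if running else None)
        total_weight = sum(x.weight for x in active)
        if total_weight:
            v += F(1) / total_weight     # virtual clock speed is 1 / sum of weights
        if running:
            running.used += 1
            if running.used == running.need:
                # Next request: r' = r + a / W_i, with a the actual execution time.
                running.issue(running.eligible + running.used / running.weight)
    return schedule, v


def fig14_prefix():
    """Constructed input: the first 8 ms of the scenario quoted from Fig. 14."""
    tasks = [Task(1, 4, 2, 0), Task(2, 2, 2, 2)]
    schedule, v = simulate(tasks, 8)
    return tasks, schedule, v


if __name__ == "__main__":
    tasks, schedule, v = fig14_prefix()
    print("schedule per ms:", schedule, "final virtual time:", v)
    for task in tasks:
        for eligible_v, deadline_v, actual in task.requests:
            print(f"tau{task.index}: eligible v={eligible_v} "
                  f"deadline v={deadline_v} eligible at actual={actual}")
```

The run shows τ1's requests becoming eligible at actual times 0, 2, and 5 while their virtual eligible times advance by 0.5 each, which is the slowdown of the virtual clock once τ2 is present.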

7 Overload Management in Mixed-Criticality Scheduling

Sometimes different applications that run on the same physical machine have different requirements for timing correctness. For example, some applications have HRT constraints (requiring all deadlines to be met), while others have SRT constraints (where bounded lateness is acceptable). An example of a system with this sort of requirement is next-generation unmanned air vehicles (UAVs), whose tasks will have different requirements and will realize in software functionality that has traditionally been performed by humans. For example, safety-critical software performing functions such as flight control has stringent HRT constraints, whereas mission-critical software performing planning functions has only SRT constraints. Running both sets of software on the same machine could significantly reduce the size, weight, and power required for the aircraft. Furthermore, requirements may differ in more ways than simply the difference between HRT and SRT constraints. For example, some tasks may be so critical that it is necessary to use WCET estimates determined by a tool that provides a provable upper bound on execution time, in order to provide the strongest possible guarantee that no WCET is exceeded. Such a level of certainty may be necessary in order for the system to be acceptable to a relevant certification authority. However, for other tasks, it may be sufficient to use less pessimistic WCET estimates, such as those determined by measuring the largest execution time on a real system and multiplying by a safety factor. Under most real-time scheduling analysis, the system can only be deemed correct if it can be proven to be correct even using the most pessimistic assumptions for all tasks. For example, in order to prove that the flight control software will behave correctly, it is necessary to use highly pessimistic WCET estimates for the mission-control software as well. This may result in a system that is unnecessarily underutilized.
Mixed-criticality scheduling algorithms and analysis address this problem. Vestal (2007) proposed that a single scheduling algorithm could be analyzed under multiple sets of assumptions about WCET estimates. The system has a finite number of criticality levels, and each task is assigned a criticality level and, for each criticality level in the system including its own, a provisioned execution time (PET).


Fig. 15 Possible schedules for a uniprocessor mixed-criticality system with two criticality levels, A (high) and B (low), both with HRT requirements. Level-A τ1 has a minimum separation time of 4 ms, a level-A PET of 3 ms, and a level-B PET of 2 ms. Level-B τ2 has a minimum separation time of 8 ms, a level-A PET of 4 ms, and a level-B PET of 3 ms. τ1 is statically prioritized over τ2 . (a) Level-B worst-case behavior. (b) Level-A worst-case behavior

For arbitrary level , the system is considered to be correct at level- if all tasks with a criticality level at or above level  are scheduled correctly, assuming that no job of any task exceeds its level- PET. An example is depicted in Fig. 15 with two criticality levels, A (high) and B (low). Figure 15a depicts the worst-case behavior assuming that no job of any task exceeds its level-B PET, and Fig. 15b depicts the worst-case behavior assuming that no job of any task exceeds its level-A PET. Observe that deadlines are only missed in Fig. 15b, that only τ2 (which is a level-B task) has jobs that miss their deadlines, and that this schedule involves jobs exceeding their level-B PET. As depicted in Fig. 15, statically prioritizing τ1 over τ2 correctly schedules the task system. Observe that guarantees at level  are conditioned on all jobs running for at most their respective level- PETs. However, it is possible that some task’s level- PET was insufficiently pessimistic and is overrun by some job. This is a form of overload. As Santy et al. (2012) pointed out, many mixed-criticality scheduling algorithms respond to such a PET overrun by simply dropping all jobs of level- tasks from that point forward. However, this is usually an unacceptable response. In Sect. 7.1, we survey some methods that reduce the number of low-criticality jobs that are dropped, and in Sect. 7.2, we survey some methods that scale minimum separation times as an alternative to dropping jobs. In Sect. 7.2.1 we discuss how to handle PET overruns in a scheduler called MC2 . For a more comprehensive survey of recent work on mixed-critical scheduling, see Burns and Davis (2017).
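One way to check the two criticality levels of Fig. 15 mechanically, as an added example that is not code from the chapter: classical fixed-priority response-time analysis is run once per criticality level, using that level's PETs for every task. It assumes each job's deadline equals its task's minimum separation time, which the caption does not state; all function and field names are illustrative.

```python
# Criticality levels from low to high, as in Fig. 15 (A is high, B is low).
LEVELS = ["B", "A"]

# Parameters quoted in the Fig. 15 caption, listed in decreasing static priority.
FIG15_TASKS = [
    {"name": "tau1", "crit": "A", "T": 4, "pet": {"A": 3, "B": 2}},
    {"name": "tau2", "crit": "B", "T": 8, "pet": {"A": 4, "B": 3}},
]


def response_time(tasks, i, level):
    """Worst-case response time of tasks[i] when no job exceeds its PET for
    `level`; None if the fixed-point iteration passes the deadline (assumed
    equal to the minimum separation time T)."""
    own = tasks[i]["pet"][level]
    deadline = tasks[i]["T"]
    r = own
    while r <= deadline:
        # Interference: every higher-priority task releases ceil(r / T) jobs.
        interference = sum(-(-r // hp["T"]) * hp["pet"][level]
                           for hp in tasks[:i])
        nxt = own + interference
        if nxt == r:
            return r
        r = nxt
    return None


def check_level(tasks, level):
    """Return (correct, report). The system is correct at `level` if every
    task whose criticality is at or above `level` meets its deadline."""
    rank = LEVELS.index(level)
    report = {}
    for i, task in enumerate(tasks):
        required = LEVELS.index(task["crit"]) >= rank
        report[task["name"]] = (response_time(tasks, i, level), required)
    correct = all(r is not None for r, required in report.values() if required)
    return correct, report


if __name__ == "__main__":
    for level in ("B", "A"):
        correct, report = check_level(FIG15_TASKS, level)
        print(f"level {level}: correct={correct}")
        for name, (r, required) in report.items():
            status = "misses deadline" if r is None else f"response time {r} ms"
            print(f"  {name}: {status} (must be met: {required})")
```

With level-A PETs, τ2 misses its deadline but is not required to meet it, so the system is still correct at level A, matching the caption's description of Fig. 15b.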

7.1 Techniques to Reduce Dropped Low-Criticality Jobs

Baruah et al. (2010) introduced the own-criticality based priority (OCBP) technique for determining static task priorities for mixed-criticality scheduling. Traditionally, when some job scheduled using this technique overruns its level- PET, all jobs at levels  and below are dropped from that point forward. However, Santy et al. (2012) proposed three improvements to this technique. For each, suppose that some job Ji,k of τi overruns its PET.

1. If some τj has a lower criticality but a higher priority than τi, it is not necessary to drop jobs from τj. This follows from a property of the analysis.
2. It is possible to set an allowance for each such τi and criticality level  below that of τi, so that if Ji,k exceeds its PET by less than that allowance, it is not necessary to drop jobs at level . This technique is based on the work of Bougueroua et al. (2007) and is enforced by the Latest Completion Time (LCT) mechanism that Santy et al. propose.
3. If no jobs at the level of τi are eligible for execution, then jobs no longer need to be dropped, and the system can be returned to normal operation.

Santy et al. demonstrated that these techniques can significantly reduce the number of dropped jobs, primarily due to the ability to only temporarily drop jobs from a task.

Santy et al. (2013) proposed two similar mechanisms to stop dropping jobs for low-criticality tasks, but on multiprocessors. The first mechanism Santy et al. (2013) proposed applies to fixed-priority systems. In order to restore the system to level , the system keeps track of a series of times fi, ordered by decreasing task priority. f0 is the last completion time of a job that overran its level- PET. For i > 0, fi is the earliest time not earlier than fi−1 such that there is no active job of τi. Once fn has been detected, where n is the number of tasks, all tasks with criticalities at least  can execute jobs. Furthermore, Santy et al. demonstrated that summing bounds on the response time of all tasks provides a bound on the time it will take for such an fn to occur after an overload finishes.

The second mechanism Santy et al. (2013) proposed applies to any system where job priorities are fixed. The mechanism to return the system to level  works by tracking the actual schedule relative to a reference schedule in which all jobs run for their level- PETs. In order to do so, the system must simulate the reference schedule and compare the remaining execution for each job between the actual schedule and the reference schedule. Once all jobs have sufficiently short remaining execution to complete ahead of the reference schedule, all tasks with criticalities at least  can execute jobs.

These mechanisms prevent low-criticality tasks from being permanently impacted by an overload. However, they do not allow these tasks to run at all for a period of time.

7.2 Scaling Separation Times of Low-Criticality Jobs Instead of Dropping Jobs

Su and Zhu (2013) proposed an alternative task model that allows for low-criticality tasks to have both a desired period and a maximum period. For a properly provisioned system, it is possible to guarantee that low-criticality tasks can execute with their maximum periods even when high-criticality tasks run for their full PETs, while executing tasks at or close to their desired periods in the expected case. This task model is called the elastic mixed-criticality (E-MC) task model. Unlike the similarly named model from Buttazzo et al. (2002), E-MC does not use an elasticity factor to determine the extent of scaling of each task.

In order to schedule E-MC task systems, Su and Zhu (2013) also proposed a modified version of the earliest deadline first with virtual deadlines (EDF-VD) scheduler (Baruah et al. 2012), called the early-release EDF (ER-EDF) scheduler. ER-EDF maintains a set of wrapper-tasks (Zhu and Aydin 2009) that keep track of the slack that is created when high-criticality jobs finish ahead of their high-level PETs. Each low-criticality job is guaranteed to release no later than its task’s maximum period after the release of its predecessor. However, such a job also has a set of early release points. Each time such a point arrives, if there is enough slack (as indicated by the wrapper-tasks) for the job to be released early, ER-EDF does so. In the common case, high-criticality jobs usually run for less than their high-level PETs, so low-criticality jobs run more frequently than their minimum guarantee. However, even during an overload, low-criticality jobs continue to receive a minimum level of service.

Su et al. (2013) later extended this work to multicore systems. The extension is basically a partitioned variant of ER-EDF. Su et al. considered partitioning the task system using several different partitioning heuristics. For high-criticality tasks, they used utilizations based on high-criticality PETs, and for low-criticality tasks, they used utilizations based on low-criticality PETs and maximum periods. A worst-fit decreasing heuristic based on those utilizations, ignoring criticalities, tended to perform the best and to significantly outperform the global EDF-VD algorithm (Li and Baruah 2012). Su et al. also considered two different techniques to reclaim slack. The simplest is to use the same strategy as ER-EDF, allowing low-criticality tasks to reclaim slack from high-criticality tasks on the same processor. They also considered a global slack reclamation technique. Under that technique, when there is not enough slack to release a job early on the core to which its task has been assigned, if there is enough slack on a remote processor, then that single job is migrated to the remote processor. Su et al. demonstrated that this technique can significantly improve the performance of their algorithm.

Jan et al. (2013) provided a different mechanism to minimize the separation time of low-criticality releases. They assumed that high-criticality jobs are statically prioritized over low-criticality jobs, and that the system optimistically schedules low-criticality jobs with deadlines that match their desired separation times. However, when a likely deadline miss is expected, the deadline is pushed back at that time. Jan et al.’s task model provides per-task parameters to specify how much deadline stretching is allowable, as well as which tasks to scale back first.

7.2.1 Overload and MC2

Motivated by UAV systems, Herman et al. (2012) proposed a specific scheduler, the mixed-criticality on multicore (MC2) scheduler, which supports four criticality levels, A through D. (An earlier version of MC2 that supports five criticality levels was proposed by Mollison et al. 2010.) The architecture of MC2 is depicted in Fig. 16. Each criticality level is scheduled independently, and higher criticality levels are statically prioritized over lower criticality levels. Level A has HRT requirements. Tasks are partitioned onto CPUs and scheduled using a per-CPU table with a precomputed schedule. Level B also has HRT requirements and requires tasks to be partitioned onto CPUs but uses P-EDF for scheduling. Level C has SRT requirements, and tasks are scheduled using G-EDF. Finally, level D is best effort, which means that it has no real-time guarantees. Level D can be scheduled using the general purpose scheduler provided by the underlying operating system (OS).

Erickson (2014) and Erickson et al. (2015) considered the problem of overload within MC2. In order to address scheduling in MC2, Erickson (2014) added restricted supply to the analysis of GEL schedulers. The basic strategy for handling restricted supply is like that of Leontyev and Anderson (2010), but because Erickson does not use the full generality of window-constrained scheduling, the resulting bounds are tighter. Because level-C PETs are not as pessimistic as level-A or level-B PETs, it is possible that jobs at any level may overrun their level-C PETs. (MC2 can optionally enforce job budgets to ensure that jobs do not overrun their PETs at their own criticality levels, but even if this feature is enabled, level-A and level-B jobs can still overrun their level-C PETs.)

The effects of overload are depicted in Fig. 17, which depicts an MC2 system that has only level-A and level-C tasks. For this example, level-A tasks are depicted using the notation (CiC, CiA, Ti), where CiC is its level-C PET and CiA is its level-A PET, while level-C tasks are depicted using the notation (CiC, Ti, Yi). Figure 17a depicts a schedule in the absence of overload, while Fig. 17b depicts the results of some level-A jobs running for their full level-A PETs. As a result of the overload, all future job release times are impacted.

Fig. 16 Architecture of MC2


Fig. 17 Example MC2 task system, illustrating overload and recovery. (a) Example MC2 schedule in the absence of overload, illustrating bounded response times. (b) The same schedule in the presence of overload caused by level-A jobs starting at time 20 running for their full level-A PETs. Notice that response times of level-C jobs settle into a pattern that is degraded compared to (a). For example, consider J2,6, which is released at actual time 36. In (a), it completes at actual time 43 for a response time of 7, but in this schedule it does not complete until actual time 46, for a response time of 10. (c) The same schedule in the presence of overload and the recovery techniques from Erickson (2014). Notice that response times of level-C jobs settle into a pattern that is more like (a) than like (b)

To analyze this situation, Erickson generalizes both the restricted supply model and the task model. He then describes a technique that can be used to recover from such an overload situation. His technique is depicted in Fig. 17c. He uses a notion of virtual time, as originally introduced by Zhang (1990) and used in uniprocessor real-time scheduling by Stoica et al. (1996). Essentially, there is a secondary “virtual” clock that, at actual time t, is operating at a speed of s(t) relative to the actual clock. In the absence of overload, s(t) = 1, so that the two clocks operate at the same speed. However, after an overload occurs, the operating system can choose to use a slower speed, as occurs from actual time 19 to actual time 29 in Fig. 17c. Erickson’s technique does not prescribe a particular choice of s(t), but Erickson et al. (2015) provide experimental results that provide guidance. Additionally, Erickson et al. demonstrate that the system can recover relatively quickly under experimental conditions. Job minimum separation times and relative PPs are defined in terms of the virtual clock, rather than the actual clock. This has the effect of reducing the number of level-C job releases for an interval of time and allows the system to recover from overload. The time required to do so is called a dissipation time. Erickson derives dissipation bounds, or upper bounds on the dissipation time.
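The effect of the slowed virtual clock on release times, as an added example that is not code from Erickson's work or from the chapter: minimum separation times are measured on a virtual clock with piecewise-constant speed s(t), and the earliest actual release times are obtained by inverting that clock. The interval 19 to 29 is the one quoted from Fig. 17c; the speed of 1/2 in that interval and the separation of 4 are constructed values, and the function names are illustrative.

```python
from fractions import Fraction as F


def actual_time_of(virtual_target, segments):
    """Actual time at which the virtual clock first reads virtual_target.

    segments: [(actual_start, speed), ...] sorted by start, the first starting
    at 0, every speed > 0; the last segment extends without bound.
    """
    v = F(0)                                  # virtual time at segment start
    for k, (start, speed) in enumerate(segments):
        start, speed = F(start), F(speed)
        if speed <= 0:
            raise ValueError("virtual clock speed must be positive")
        last = k + 1 == len(segments)
        span = None if last else F(segments[k + 1][0]) - start
        if last or v + speed * span >= virtual_target:
            return start + (virtual_target - v) / speed
        v += speed * span                     # virtual time gained in segment
    raise ValueError("segments must not be empty")


def earliest_releases(separation, count, segments):
    """Earliest actual release times of `count` jobs whose minimum separation
    is `separation` units of virtual time, first release at virtual time 0."""
    return [actual_time_of(k * separation, segments) for k in range(count)]


def releases_in(releases, lo, hi):
    """Number of releases with lo <= actual time < hi."""
    return sum(1 for r in releases if lo <= r < hi)


# Constructed speed profiles: s(t) = 1 throughout, versus a slowdown to 1/2
# between actual times 19 and 29.
NORMAL = [(0, 1)]
RECOVERY = [(0, 1), (19, F(1, 2)), (29, 1)]

if __name__ == "__main__":
    for label, profile in (("normal", NORMAL), ("recovery", RECOVERY)):
        rel = earliest_releases(4, 8, profile)
        print(label, [str(r) for r in rel],
              "releases in [19, 29):", releases_in(rel, 19, 29))
```

With these values the task releases three jobs in the interval under the normal clock but only one under the slowed clock, which is the reduction in level-C releases that lets the backlog drain.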

8 Summary

In this chapter, we reviewed prior work on SRT scheduling and overload. We discussed both prior SRT work using the bounded tardiness model and prior SRT work using other models of SRT. We then focused in more detail on prior work dealing with overload management, including those focusing on MC systems.

References

J. Anderson, A. Srinivasan, Mixed pfair/erfair scheduling of asynchronous periodic tasks. J. Comput. Syst. Sci. 68(1), 157–204 (2004)
H. Aydin, R. Melhem, D. Mosse, P. Mejia-Alvarez, Optimal reward-based scheduling for periodic real-time tasks. IEEE Trans. Comput. 50(2), 111–130 (2001)
T. Baker, M. Cirinei, M. Bertogna, Edzl scheduling analysis. Real-Time Syst. 40(3), 264–289 (2008)
S. Baruah, G. Koren, B. Mishra, A. Raghunathan, L. Rosier, D. Shasha, On-line scheduling in the presence of overload, in Proceedings of the 32nd Annual Symposium on Foundations of Computer Science, 1991, pp. 100–110
S. Baruah, N. Cohen, C. Plaxton, D. Varvel, Proportionate progress: a notion of fairness in resource allocation. Algorithmica 15(6), 600–625 (1996)
S. Baruah, V. Bonifaci, G. D’Angelo, H. Li, A. Marchetti-Spaccamela, N. Megow, L. Stougie, Scheduling real-time mixed-criticality jobs, in Mathematical Foundations of Computer Science, ed. by P. Hliněný, A. Kučera. Lecture Notes in Computer Science, Springer, vol. 6281 (2010), pp. 90–101
S. Baruah, V. Bonifaci, G. D’Angelo, H. Li, A. Marchetti-Spaccamela, S. Van der Ster, L. Stougie, The preemptive uniprocessor scheduling of mixed-criticality implicit-deadline sporadic task systems, in Proceedings of the 24th Euromicro Conference on Real-Time Systems, 2012, pp. 145–154
A. Bastoni, B. Brandenburg, J. Anderson, An empirical comparison of global, partitioned, and clustered multiprocessor EDF schedulers, in Proceedings of the 31st Real-Time Systems Symposium, 2010, pp. 14–24
G. Bernat, A. Burns, A. Llamosi, Weakly hard real-time systems. IEEE Trans. Comput. 50(4), 308–321 (2001)


A. Block, Adaptive multiprocessor real-time systems. Ph.D. thesis, The University of North Carolina at Chapel Hill, 2008
L. Bougueroua, L. George, S. Midonnet, Dealing with execution-overruns to improve the temporal robustness of real-time systems scheduled FP and EDF, in Proceedings of the 2nd International Conference on Systems, 2007, p. 52
B. Brandenburg, Scheduling and locking in multiprocessor real-time operating systems. Ph.D. thesis, The University of North Carolina at Chapel Hill, 2011
A. Burns, R. Davis, Mixed criticality systems – a review, 2017. http://www-users.cs.york.ac.uk/~burns/review.pdf
G. Buttazzo, J. Stankovic, Adding robustness in dynamic preemptive scheduling, in Responsive Computer Systems: Steps Toward Fault-Tolerant Real-Time Systems, ed. by D.S. Fussell, M. Malek. The Springer International Series in Engineering and Computer Science, Springer, vol. 297 (1995), pp. 67–88
G. Buttazzo, G. Lipari, M. Caccamo, L. Abeni, Elastic scheduling for flexible workload management. IEEE Trans. Comput. 51(3), 289–302 (2002)
S. Chakraborty, S. Kunzli, L. Thiele, A general framework for analysing system properties in platform-based embedded system designs, in Proceedings of the 2003 Design, Automation and Test in Europe Conference and Exhibition, 2003, pp. 190–195
H. Cho, Utility accrual real-time scheduling and synchronization on single and multiprocessors: models, algorithms, and tradeoffs. Ph.D. thesis, Virginia Polytechnic Institute and State University, 2006
R. Clark, Scheduling dependent real-time activities. Ph.D. thesis, Carnegie Mellon University, 1990
D. Compagnin, E. Mezzetti, T. Vardanega, Putting run into practice: implementation and evaluation, in Proceedings of the 26th Euromicro Conference on Real-Time Systems, 2014, pp. 75–84
U. Devi, J. Anderson, Tardiness bounds under global EDF scheduling on a multiprocessor. Real-Time Syst. 38(2), 133–189 (2008)
J. Erickson, Managing tardiness bounds and overload in soft real-time systems. Ph.D. thesis, The University of North Carolina at Chapel Hill, 2014
J. Erickson, J. Anderson, Response time bounds for G-EDF without intra-task precedence constraints, in Proceedings of the 15th International Conference on Principles of Distributed Systems, 2011, pp. 128–142
J. Erickson, J. Anderson, Fair lateness scheduling: reducing maximum lateness in G-EDF-like scheduling, in Proceedings of the 24th Euromicro Conference on Real-Time Systems, 2012, pp. 3–12
J. Erickson, J. Anderson, B. Ward, Fair lateness scheduling: reducing maximum lateness in G-EDF-like scheduling. Real-Time Syst. 50(1), 5–47 (2014)
J. Erickson, N. Kim, J. Anderson, Recovering from overload in multicore mixed-criticality systems, in Proceedings of the 2015 IEEE International Parallel and Distributed Processing Symposium, 2015, pp. 775–785
S. Funk, G. Levin, C. Sadowski, I. Pye, S. Brandt, Dp-fair: a unifying theory for optimal hard real-time multiprocessor scheduling. Real-Time Syst. 47(5), 389 (2011)
S. Funk, V. Berten, C. Ho, J. Goossens, A global optimal scheduling algorithm for multiprocessor low-power platforms, in Proceedings of the 20th International Conference on Real-Time and Network Systems, 2012, pp. 71–80
P. Garyali, On best-effort utility accrual real-time scheduling on multiprocessors. Master’s thesis, The Virginia Polytechnic Institute and State University, 2010
M. Hamdaoui, P. Ramanathan, A dynamic priority assignment technique for streams with (m, k)-firm deadlines. IEEE Trans. Comput. 44(12), 1443–1451 (1995)
J. Herman, C. Kenna, M. Mollison, J. Anderson, D. Johnson, RTOS support for multicore mixed-criticality systems, in Proceedings of the 18th IEEE Real-Time and Embedded Technology and Applications Symposium, 2012, pp. 197–208
M. Jan, L. Zaourar, M. Pitel, Maximizing the execution rate of low-criticality tasks in mixed criticality systems, in Proceedings of the 1st Workshop on Mixed Criticality Systems, 2013, pp. 43–48


G. Koren, D. Shasha, MOCA: a multiprocessor on-line competitive algorithm for real-time system scheduling. Theor. Comput. Sci. 128(1–2), 75–97 (1994)
G. Koren, D. Shasha, Skip-over: algorithms and complexity for overloaded systems that allow skips, in Proceedings of the 16th IEEE Real-Time Systems Symposium, 1995a, pp. 110–117
G. Koren, D. Shasha, Dover: an optimal on-line scheduling algorithm for overloaded uniprocessor real-time systems. SIAM J. Comput. 24(2), 318–339 (1995b)
S. Lee, On-line multiprocessor scheduling algorithms for real-time tasks, in Proceedings of IEEE Region 10’s Ninth Annual International Conference, vol. 2, 1994, pp. 607–611
H. Leontyev, J. Anderson, Generalized tardiness bounds for global multiprocessor scheduling. Real-Time Syst. 44(1–3), 26–71 (2010)
H. Leontyev, S. Chakraborty, J. Anderson, Multiprocessor extensions to real-time calculus. Real-Time Syst. 47(6), 562–617 (2011)
H. Li, S. Baruah, Global mixed-criticality scheduling on multiprocessors, in Proceedings of the 24th Euromicro Conference on Real-Time Systems, 2012, pp. 166–175
P. Li, Utility accrual real-time scheduling: Models and algorithms. Ph.D. thesis, Virginia Polytechnic Institute and State University, 2004
P. Li, H. Wu, B. Ravindran, E. Jensen, A utility accrual scheduling algorithm for real-time activities with mutual exclusion resource constraints. IEEE Trans. Comput. 55(4), 454–469 (2006)
K. Lin, S. Natarajan, Expressing and maintaining timing constraints in flex, in Proceedings of the 9th IEEE Real-Time Systems Symposium, 1988, pp. 96–105
J. Liu, K. Lin, W. Shih, A. Yu, J. Chung, W. Zhao, Algorithms for scheduling imprecise computations. Computer 24(5), 58–68 (1991)
R. Liu, A. Mills, J. Anderson, Independence thresholds: balancing tractability and practicality in soft real-time stochastic analysis, in Proceedings of the 35th IEEE Real-Time Systems Symposium, 2014, pp. 314–323
C. Locke, Best-effort decision making for real-time scheduling. Ph.D. thesis, Carnegie Mellon University, 1986
T. Megel, R. Sirdey, V. David, Minimizing task preemptions and migrations in multiprocessor optimal real-time schedules, in Proceedings of the 31st IEEE Real-Time Systems Symposium, 2010, pp. 37–46
A. Mills, J. Anderson, A multiprocessor server-based scheduler for soft real-time tasks with stochastic execution demand, in Proceedings of the 17th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications, 2011, pp. 207–217
M. Mollison, J. Erickson, J. Anderson, S. Baruah, J. Scoredos, Mixed-criticality real-time scheduling for multicore systems, in Proceedings of the IEEE International Conference on Embedded Software and Systems, 2010, pp. 1864–1871
G. Nelissen, V. Berten, V. Nelis, J. Goossens, D. Milojevic, U-EDF: an unfair but optimal multiprocessor scheduling algorithm for sporadic tasks, in Proceedings of the 24th Euromicro Conference on Real-Time Systems, 2012a, pp. 13–23
G. Nelissen, S. Funk, J. Goossens, Reducing preemptions and migrations in ekg, in Proceedings of the 2012 IEEE International Conference on Embedded and Real-Time Computing Systems and Applications, 2012b, pp. 134–143
G. Nelissen, H. Su, Y. Guo, D. Zhu, V. Nélis, J. Goossens, An optimal boundary fair scheduling. Real-Time Syst. 50(4), 456–508 (2014)
P. Regnier, G. Lima, E. Massa, G. Levin, S. Brandt, Run: optimal multiprocessor real-time scheduling via reduction to uniprocessor, in Proceedings of the 32nd IEEE Real-Time Systems Symposium (RTSS), 2011, pp. 104–115
F. Santy, L. George, P. Thierry, J. Goossens, Relaxing mixed-criticality scheduling strictness for task sets scheduled with FP, in Proceedings of the 24th Euromicro Conference on Real-Time Systems, 2012, pp. 155–165
F. Santy, G. Raravi, G. Nelissen, V. Nelis, P. Kumar, J. Goossens, E. Tovar, Two protocols to reduce the criticality level of multiprocessor mixed-criticality systems, in Proceedings of the 21st International Conference on Real-Time Networks and Systems, 2013, pp. 183–192


M. Spuri, G. Buttazzo, F. Sensini, Robust aperiodic scheduling under dynamic priority systems, in Proceedings of the 16th IEEE Real-Time Systems Symposium, 1995, pp. 210–219
I. Stoica, H. Abdel-Wahab, K. Jeffay, S. Baruah, J. Gehrke, C. Plaxton, A proportional share resource allocation algorithm for real-time, time-shared systems, in Proceedings of the 17th IEEE Real-Time Systems Symposium, 1996, pp. 288–299
H. Su, D. Zhu, An elastic mixed-criticality task model and its scheduling algorithm, in Proceedings of the 2013 Design, Automation Test in Europe Conference Exhibition, 2013, pp. 147–152
H. Su, D. Zhu, D. Mosse, Scheduling algorithms for elastic mixed-criticality tasks in multicore systems, in Proceedings of the 19th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications, 2013, pp. 352–357
P. Valente, Using a lag-balance property to tighten tardiness bounds for global EDF. Real-Time Syst. 52(4), 486–561 (2016)
S. Vestal, Preemptive scheduling of multi-criticality systems with varying degrees of execution time assurance, in Proceedings of the 28th IEEE Real-Time Systems Symposium, 2007, pp. 239–243
R. West, C. Poellabauer, Analysis of a window-constrained scheduler for real-time and best-effort packet streams, in Proceedings of the 21st IEEE Real-Time Systems Symposium, 2000, pp. 239–248
L. Zhang, Virtual clock: a new traffic control algorithm for packet switching networks, in Proceedings of the 5th ACM Symposium on Communications Architectures & Protocols, 1990, pp. 19–29
D. Zhu, H. Aydin, Reliability-aware energy management for periodic real-time tasks. IEEE Trans. Comput. 58(10), 1382–1397 (2009)
D. Zhu, X. Qi, D. Mossé, R. Melhem, An optimal boundary fair scheduling algorithm for multiprocessor real-time systems. J. Parallel Distrib. Comput. 71(10), 1411–1425 (2011)

8 Hierarchical Scheduling

Jin Hyun Kim, Deepak Gangadharan, Kyong Hoon Kim, Insik Shin, and Insup Lee

Contents
1 Introduction
2 Uniprocessor Hierarchical Scheduling Systems
3 Compositional Framework for HSS
3.1 Demand Bound Functions for EDF and RM
3.2 Interface and Resource Supply Task in Compositional Framework
3.3 Compositional Framework Based on Bounded Delay Resource Model
3.4 Compositional Framework Based on Periodic Resource Model
3.5 Compositional Framework Based on Explicit Deadline Periodic Resource Model
4 Real-Time Calculus for HSS
4.1 Workload and Service Model
4.2 Schedulability Analysis
4.3 Compositional Analysis for Hierarchical Scheduling Systems
5 Comparison of Compositional and RTC Frameworks
6 Summary
References

J. H. Kim
Department of Information and Communication Engineering, Gyeongsang University, Jinju, Gyeongnam, South Korea

D. Gangadharan · I. Lee
Department of Computer and Information Science, University of Pennsylvania, Philadelphia, PA, USA

K. H. Kim
Department of Informatics, Gyeongsang National University, Jinju, Gyeongnam, South Korea

I. Shin
Korea Advanced Institute of Science and Technology (KAIST), Daejeon, Yuseong-gu, South Korea

© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_6

Abstract

This chapter presents two hierarchical scheduling analysis paradigms for a uniprocessor hierarchical scheduling system: compositional framework (CF) and real-time calculus (RTC). Each paradigm uses different techniques for resource models and schedulability analysis: CF uses supply-bound functions (sbf) and demand-bound functions (dbf), whereas RTC computes a lower bound of the service curve that satisfies the demand of a given workload. This chapter describes both CF and RTC approaches and various schedulability analysis techniques for hierarchical scheduling systems. These techniques are described based on the bounded delay resource model, the periodic resource model, the explicit deadline periodic model, and arrival and service curves. Finally, this chapter also describes optimality results and compares the CF and RTC approaches.

1 Introduction

The increasing complexity of real-time systems such as Cyber-Physical Systems (CPS) demands scalable design and analysis methods to assure various properties of the systems. Large-scale complex real-time systems are developed using components that are integrated horizontally and vertically. Such a component-based approach can be effective in coping with scalability based on the notion of compositionality, which is one of the most fundamental principles (e.g., divide and conquer) used in computer and network engineering to deal with large-scale systems. To address one of the scalability challenges of complex real-time systems, researchers have been developing the concept of compositional real-time scheduling theory to support compositional schedulability analysis. The compositional framework developed by Shin and Lee (2003) is based on the demand-supply interfaces that hide implementation details, capturing only essential timing and resource requirements of components. Here, the component computational demand can be abstracted to a scheduling demand interface such that schedulability analysis of composed components simplifies to checking if there are sufficient resource supplies to meet the demands of the components. The salient aspect of the work is that global timing properties can be established by combining local timing properties of subsystems. This compositional reasoning approach has resulted in design-analysis tools (e.g., Chadli et al. 2016; Phan et al. 2011) to tackle the growing complexity of real-time systems: the analysis of a complex system can be achieved by first defining interfaces for its subsystems, which capture their resource and timing requirements while hiding their complex internal details, and then reasoning about the composition of their interfaces. This approach can also be used hierarchically by reducing each subsystem to a simple interface, with significant reduction in the complexity of the system analysis at higher layers of integration.

8 Hierarchical Scheduling


A hierarchical scheduling system (HSS) comprises one or more components in a scheduling hierarchy. Each component recursively encapsulates one or more child components and has its own scheduling algorithm. Resources are supplied from a single parent component to multiple child components. A child component exposes its resource requirements through an interface to its enclosing-level component, called the parent component. A parent component executes one or more resource-supply tasks that individually allocate resources to their child components. The resource demand of a component is satisfied by a resource supply of its parent component, meaning that all tasks in the component are schedulable, i.e., no task enclosed by the component misses its deadline. The compositional framework has been developed to support various ways for building and analyzing schedulable components hierarchically. It is based on interface models that capture the resource demand and supply of a component.

The rest of this chapter is organized as follows: Sect. 2 formally defines the HSS and presents properties to be analyzed in the compositional framework. Sect. 3 describes the compositional framework analysis techniques based on various resource models. In Sect. 4, we present RTC-based compositional analysis techniques. Sect. 5 compares the compositional framework and RTC-based techniques.

2 Uniprocessor Hierarchical Scheduling Systems

This section presents the notion of a hierarchical scheduling system (HSS) and then describes steps to construct a schedulable HSS. We also present analysis techniques that are necessary for constructing a schedulable HSS. An HSS consists of a set of components, each of which is a scheduling system. Each component uses its own scheduling algorithm to run a set of tasks. The scheduling system of an HSS differs from the classical scheduling system in that it uses the notion of a hierarchical resource share between higher- and lower-level components in a vertical way. In the classical non-hierarchical scheduling system, a resource is shared horizontally by a set of tasks on the same level. In an HSS, a resource is shared vertically by different levels of the system, so a component, except the root component, can run only while its parent component is running.

A component M = (W, A) consists of a workload W, a set of tasks, and a scheduling algorithm A. The interface I of a component abstracts the resource demand of all workload tasks in a component. Its purpose is to capture the demand of a component and represent the demand, while hiding task-level details, to its parent component. A scheduling unit S is defined by a triple (W, R, A) with workload W, resource supply R, and scheduling algorithm A. As we will see later in this chapter, there are many resource modeling paradigms for describing resource supply. There are three resource modeling paradigms considered in this chapter: Bounded-Delay Resource (BDR) model, Periodic Resource Model (PRM), and Explicit Deadline Periodic (EDP) resource model. We use X for resource modeling paradigm. A resource supply task R is thus an instance of X with concrete parameters of the resource


Table 1 Symbol definitions

| Symbol | Definition |
|---|---|
| A | Scheduling algorithm |
| τi = (Ci, Ti, Di) | Explicit deadline task i with the Ci worst-case execution time, Ti period, and Di deadline |
| τi = (Ci, Ti) | Implicit deadline task i with the Ci worst-case execution time and Ti period. It is assumed that Ci ≤ Ti |
| W = {τi} | Workload with a set of tasks τi. It is assumed that there is a finite number of tasks |
| M = (W, A) | Component of a hierarchical scheduling system with W scheduled by A |
| X = {BDR, PRM, EDP} | The set of resource modeling paradigms considered in this chapter |
| S = (W, R, A) | Scheduling unit, where R is a resource supply represented using the resource modeling paradigm X |
| BDR, R = (α, Δ) | Bounded-Delay Resource model (BDR) R with α availability factor and Δ partition delay |
| PRM, R = (Θ, Π) | Periodic Resource Model (PRM) R with the Θ worst-case execution time and Π period |
| EDP, R = (Θ, Π, Δ) | Explicit Deadline Periodic (EDP) resource model R with the Θ worst-case execution time, Π period, and Δ deadline |
| I | Component interface |
| sbfX(R, t) | Supply bound function of the resource supply R in model X |
| dbfA(W, t) | Demand bound function of the demand of W under scheduling algorithm A |
| UW | Utilization of workload W |

modeling paradigm X. A resource modeling paradigm is also used to represent the interface I of a component. A scheduling unit S = (W, R, A) is said to be schedulable if no task of W scheduled by A under the resource supply of R misses the deadline. Note that this paper assumes that the workload W and the resource supply task R are not synchronized. In other words, whenever the resource is provided, the workload needs to use it; otherwise, the provided resource is wasted. Table 1 lists the symbols used in this chapter.

Figure 1 presents an example of an HSS, where each component consists of periodic tasks that are scheduled according to the scheduling algorithm of the component. The interface of the component captures the resource requirements of its tasks. For instance, I1 of M1 represents the resource requirements of τ3, τ4, and τ5 when they are scheduled by RM. The parent component M0 converts the interface I1 to a resource supply task τ1 such that when M0 schedules τ1 for execution, it is sufficient to meet the resource demanded by I1. The interface I2 and the task τ2 are similarly related. We say that a component is schedulable if all tasks in the component never miss deadlines. In HSS, the schedulability of components is achieved recursively starting from the root component. If the parent component M0 can schedule τ1 and τ2 under


Fig. 1 The running example of a hierarchical scheduling system

the EDF scheduling algorithm, the child component M1, whose resource is supplied by τ1, successfully schedules τ3, τ4, and τ5 using RM. Similarly, M2 is schedulable if τ2 is schedulable. Consequently, the schedulability of the whole HSS in Fig. 8 is reduced to checking the schedulability of M0.

Our schedulability analysis is based on the demand bound and supply bound functions and Eq. 1. For a component (W, A), the demand-bound function dbfA(W, t) computes the maximum resource demand by W under A for a time interval t. For a resource supply task R, the supply bound function sbfX(R, t) computes the minimum possible resource supply that X provides during a time interval t. Using these two functions, a scheduling unit is proven schedulable by showing that the minimum possible resource supply satisfies the maximum possible resource demand over all possible time as follows:

$$\forall t \ge 0:\quad \mathrm{dbf}_A(W, t) \le \mathrm{sbf}_X(R, t) \qquad (1)$$

The effectiveness of HSS in terms of resource utilization depends on resource model paradigms. This chapter explains various compositional analysis techniques, which are based on three resource models, Bounded-Delay Resource Model (BDR), Periodic Resource Model (PRM), and Explicit-Deadline Periodic resource model (EDP).

3 Compositional Framework for HSS

This section explains the compositional framework in terms of the demand abstraction and resource supply patterns. Since the resource demand of a component depends on a scheduling algorithm, we first explain the demand bound functions for EDF and RM. We then explain how to derive resource supply based on resource modeling paradigms.

3.1 Demand Bound Functions for EDF and RM

The notion of demand bound function (dbf) is commonly used to compute the maximum resource demand for a set of tasks executing under a scheduling algorithm. For an implicit-deadline periodic task set W = {(Ci, Ti)} under EDF and a time interval t, the demand-bound function dbfEDF(W, t) computes the worst-case resource demand of W (Baruah et al. 1990) as follows:

$$\mathrm{dbf}_{\mathrm{EDF}}(W, t) = \sum_{(C_i, T_i) \in W} \left\lfloor \frac{t}{T_i} \right\rfloor \cdot C_i \qquad (2)$$

where dbfEDF(W, t) computes cumulative resources demanded by all tasks of W during the time interval t. For an explicit-deadline periodic task set W = {(Ci, Ti, Di)}, the demand-bound function dbfEDF(W, t) is defined in Baruah et al. (1990) as follows:

$$\mathrm{dbf}_{\mathrm{EDF}}(W, t) = \sum_{\tau_i \in W} \left\lfloor \frac{t + T_i - D_i}{T_i} \right\rfloor \cdot C_i \qquad (3)$$

For a given implicit-deadline periodic task set W = {(Ci, Ti)} under RM and a time interval t, the demand-bound function dbfRM(W, t, i) computes the worst-case demand of task i that includes the cumulative resource demands of higher priority tasks (Lehoczky et al. 1989). It is defined as follows:

$$\mathrm{dbf}_{\mathrm{RM}}(W, t, i) = C_i + \sum_{(C_k, T_k) \in HP_W(i)} \left\lceil \frac{t}{T_k} \right\rceil \cdot C_k \qquad (4)$$

where HPW(i) denotes tasks whose priorities in W are higher than task i's priority.

3.2 Interface and Resource Supply Task in Compositional Framework

In the literature (Easwaran et al. 2007; Mok et al. 2001; Shin and Lee 2003), a resource model is used to denote a resource provided with a certain supply pattern to a sub-component running within a component. Another notion is the interface of a component, which captures the resource requirements of a component that need to be met by its resource-supplying parent component. In some papers, the interface is also used as a resource supplier for a child component, which makes the distinction vague. To avoid this confusion, this chapter was organized and written to clearly distinguish between the component interface and the resource supply task. Here, a component interface is used to capture the resource requirement of a component, while a resource supply task denotes a task of the parent component that provides


resources to a child component. In HSS, a component can also contain other components in addition to its tasks. In principle, an interface of a sub-component or child component is obtained by computing the collective resource requirements of tasks in a workload. Then, the resource supply task to service the child component is obtained based on the interface.

There are two approaches for deriving an interface of a component depending on resource modeling paradigms. The first approach is to derive an interface with consideration of the resource modeling paradigm being used. Given a component M = (W, A) and a resource modeling paradigm X, a resource supply task R is derived so that the scheduling unit S = (W, R, A) is schedulable. Here, we can use R as the interface (i.e., I = R) of the component. This approach is used with the BDR and PRM resource modeling paradigms in Sects. 3.3.3 and 3.4.3, respectively.

The second approach is to derive an interface without consideration of the resource modeling paradigm being used. For a given component M = (W, A), an interface I is generated so that I combines all the real-time requirements of tasks in W executed using the scheduling algorithm A. Then, with consideration of the resource modeling paradigm, the parent component finds a resource supply task R that can satisfy the interface I. The approach is used with the EDP resource modeling paradigm as described in Sect. 3.5.3. In the EDP resource modeling paradigm, the interface and the resource supply task are separately computed so that the interface and the corresponding resource supply task can be different (i.e., I ≠ R).

This chapter was written to clarify these differences as much as possible and also tries to unify notations used in the different papers. For this reason, we have slightly modified the definitions and theorem statements to be consistent with notations used in this chapter.

3.3 Compositional Framework Based on Bounded Delay Resource Model

Traditional real-time system models and scheduling problems (Liu and Layland 1973) assume that the CPU resources are dedicated exclusively to execute a set of tasks. This assumption, however, implies that if a system consists of multiple components, the tasks of all the components need to be considered together for schedulability analysis. In order to preserve components during schedulability analysis, Mok et al. (2001) introduced the notion of a real-time virtual resource, called the static resource partition (SRP) model, which assigns a static temporal resource partitioning to each component. Here, each component has its own set of tasks and is scheduled by its own scheduler as if it has exclusive access to the physical resource. Then, the second-level scheduler co-ordinates the sharing of the resource by the components. This enables separation of concerns (Mok et al. 2001), i.e., scheduling at the resource partition level and scheduling at the task level can be considered separately. Since the SRP model fixes the resource partitioning statically, the second-level (or partition-level) scheduler has little flexibility in resource allocation other than


shifting the partition. In order to overcome this inflexibility, Mok et al. (2001) generalize the SRP model in a way that the time intervals of a resource partition are not explicitly specified. They provide the bounded-delay resource (BDR) model, where each component accesses a virtual resource that operates at a fraction of the rate at which the physical resource operates. If infinite time slicing is possible, then each component has exclusive access to the virtual resource with uniform rate and zero delay bound. In practice, this is not achievable because small delay bounds incur large partition scheduling overheads, and therefore delay bounds should not be smaller than what is necessary to accommodate jitter. The BDR model bounds this type of uncertainty with the delay bound D, which is the maximum time a component may have to wait to get access to the physical resource over any time interval. This means that if an event e occurs x time units from another event e′, assuming that the virtual resource operates at uniform rate, then e and e′ will be at most x + D time units apart in real time.

3.3.1 Static Resource Partition Model

Mok et al. (2001) introduce the notion of resource partition that assigns time intervals to partitions.

Definition 1 Mok et al. (2001) A static resource partition (SRP) is a tuple (Γ, P), where P is the partition period and Γ is a sequence of N time pairs {(S1, E1), (S2, E2), ..., (SN, EN)} that satisfies 0 ≤ S1 < E1 < S2 < E2 < ... < SN < EN ≤ P for some N ≥ 1. (S1, S2, ..., SN) and (E1, E2, ..., EN) are start times and end times, respectively, for access to the physical resource. The physical resource is available to the component only during the intervals (Si + j × P, Ei + j × P), where 1 ≤ i ≤ N, j ≥ 0.

The following example illustrates the concept of resource partition.

Example 1 An SRP, R1 = ({(1, 2), (5, 7)}, 8), is a resource partition with the period equal to 8, and this partition has access to the physical resource from 1 to 2 time units and from 5 to 7 time units. The resource-supply pattern is repeated every 8 time units. Figure 2a illustrates this partition.

Since an SRP, R = (Γ, P), repeats the same resource supply pattern Γ every P time units, the resource supply function of R starting from t0 to t, denoted as sf_t0(R, t), is determined by the pattern. For example, consider the supply function starting from time 2 (shown in Fig. 2a). After the delay of 3 time units, the resource is supplied for 2 time units. Then, after 2 time-unit delay, the resource is supplied for one time unit. Since this pattern is repeated, sf_2(R1, t) can be computed, which is plotted as shown in Fig. 2b. Similarly, sf_7(R1, t) is drawn in Fig. 2b.

For each resource supply interval (Si, Ei) of the SRP, the worst-case supply occurs when the supply starts at the end of the previous resource partition. The supply bound function (in Mok et al. (2001), it is called the least supply function and denoted as S*(t)) is derived from the minimum of all supply functions as follows:


Fig. 2 An example SRP R1 = ({(1, 2), (5, 7)}, 8)

$$\mathrm{sbf}_{\mathrm{SRP}}(R, t) = \min_{i=1}^{N} \mathrm{sf}_{E_i}(R, t) \qquad (5)$$

In Example 1, the SRP model R1 contains two resource intervals whose supply functions are shown in Fig. 2a. Thus, the supply bound function of R1 is the minimum between two supply functions, which is drawn as a dashed line in Fig. 2b.

3.3.2 Bounded Delay Resource Model

Mok et al. (2001) abstract the SRP model with two parameters, availability factor and delay, and call it the Bounded Delay Resource (BDR) model. For a given SRP model (Γ, P), the availability factor or resource supply rate to a component is defined by the resource amount per the resource period P. For instance, the availability factor of Example 1 is given by 3/8. The delay parameter indicates the smallest time interval after which such availability factor is guaranteed by the SRP model.


Definition 2 Mok et al. (2001) The availability factor (rate) of a SRP model R is

$$\alpha(R) = \left( \sum_{i=1}^{N} (E_i - S_i) \right) / P$$

Definition 3 Mok et al. (2001) The partition delay Δ of a SRP model R is the smallest δ so that for any t0 and t (t0 ≥ 0, t ≥ 0), (t − δ) × α(R) ≤ sf_t0(R, t) ≤ (t + δ) × α(R).

Definition 4 Mok et al. (2001) If h is the execution rate of a resource supply on which the SRP model R is implemented, then the normalized execution of the SRP model R is an allocation of resource time to R at a uniform, uninterrupted rate of (α(R) × h).

The partition delay is a measure of the largest deviation of a partition in any time interval with respect to the resource supply being behind or ahead of its normalized execution. The bounded delay resource model is defined as follows.

Definition 5 Mok et al. (2001) A bounded-delay resource (BDR) model is a tuple (α, Δ), where α is the rate of the partition and Δ is the partition delay.

Then, the supply bound function of the BDR model R = (α, Δ) can be defined as follows:

$$\mathrm{sbf}_{\mathrm{BDR}}(R, t) = \begin{cases} \alpha\,(t - \Delta) & \text{if } t \ge \Delta \\ 0 & \text{otherwise} \end{cases} \qquad (6)$$



The BDR model of the SRP R1 of Example 1 is (3/8, 10/3). As shown in Fig. 3a, the partition delay Δ = 10/3 can be obtained from the closest line of rate 3/8 to the supply bound function sbfSRP(R1, t). For example, the smallest delay occurs when the line passes the point (6, 1) so that Δ is equal to 10/3 by solving 1 = (3/8)(6 − Δ) from Eq. 6. The BDR model (3/8, 10/3) implies that the component is supplied with a resource at the rate of 3/8 after the delay time 10/3.

Example 2 Consider M = (W, EDF) with W = {(2, 15, 15), (3, 20, 20), (2, 30, 30)} and the EDF scheduling algorithm. The resource is supplied with the BDR model R1 = (3/8, 10/3) implemented by the SRP model in Fig. 2a. Figure 3b shows the supply bound function of the BDR model and the demand bound function of the workload under EDF. As shown in Fig. 3b, the demand of the workload is satisfied by (i.e., less than or equal to) the supply bound of the BDR model R1, which means the schedulability of the component is guaranteed by the resource supply provided by the BDR model.
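Examples 1 and 2 recomputed, as an added Python example that is not code from the chapter: it evaluates the SRP supply functions and Eq. 5, derives (α, Δ) from the closest line of rate α below sbfSRP as in Fig. 3a, and checks Eq. 1 for the workload of Example 2. Function names are hypothetical, task tuples are (C, T, D), and exact fractions are used so the values can be compared with the text.

```python
from fractions import Fraction as F
from math import lcm

def cumulative_supply(gamma, P, x):
    """Resource time an SRP (gamma, P) delivers during [0, x]."""
    per_period = sum(e - s for s, e in gamma)
    full, rem = divmod(x, P)
    return full * per_period + sum(min(max(rem - s, 0), e - s) for s, e in gamma)

def sf(gamma, P, t0, t):
    """Supply function sf_t0(R, t): supply received in [t0, t0 + t]."""
    return cumulative_supply(gamma, P, t0 + t) - cumulative_supply(gamma, P, t0)

def sbf_srp(gamma, P, t):
    """Eq. 5: minimum over the supply functions that start at each end time E_i."""
    return min(sf(gamma, P, e, t) for _, e in gamma)

def srp_to_bdr(gamma, P):
    """Availability factor (Definition 2) and the delay of the closest line of
    rate alpha lying below sbf_SRP, as read off Fig. 3a."""
    alpha = F(sum(e - s for s, e in gamma), P)
    # t - sbf(t)/alpha peaks where sbf stops being flat, i.e. at interval
    # lengths S_j - E_i (mod P); the supply pattern repeats every P.
    kinks = {(s - e) % P or P for s, _ in gamma for _, e in gamma}
    delta = max(t - sbf_srp(gamma, P, t) / alpha for t in kinks)
    return alpha, delta

def sbf_bdr(alpha, delta, t):
    """Eq. 6: supply bound of the BDR model (alpha, delta)."""
    return alpha * (t - delta) if t >= delta else 0

def dbf_edf(W, t):
    """Eq. 3: EDF demand bound of explicit-deadline tasks (C, T, D)."""
    return sum(max(0, (t + T - D) // T) * C for C, T, D in W)

def edf_schedulable_on_bdr(W, alpha, delta):
    """Eq. 1 with X = BDR. The demand only jumps at t = D + k*T, and once the
    utilization is at most alpha both curves repeat with the hyperperiod, so
    checking the jump points up to LCM + delta covers every t >= 0."""
    if sum(F(C, T) for C, T, _ in W) > alpha:
        return False
    horizon = lcm(*(T for _, T, _ in W)) + delta
    points = {D + k * T for _, T, D in W
              for k in range(int(horizon // T) + 1) if D + k * T <= horizon}
    return all(dbf_edf(W, t) <= sbf_bdr(alpha, delta, t) for t in points)

R1 = ([(1, 2), (5, 7)], 8)                    # SRP of Example 1
W = [(2, 15, 15), (3, 20, 20), (2, 30, 30)]   # workload of Example 2

if __name__ == "__main__":
    alpha, delta = srp_to_bdr(*R1)
    print("BDR model:", alpha, delta)
    print("sbf_SRP(R1, 6) =", sbf_srp(*R1, 6))
    print("schedulable under EDF:", edf_schedulable_on_bdr(W, alpha, delta))
```

The margin is small: at t = 60 the demand is 21 against a supply bound of 21.25, so a partition delay of 5 with the same rate already fails the check.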


Fig. 3 An example of the bounded delay model


Fig. 4 The running example of a hierarchical scheduling system under BDR model

3.3.3 Hierarchical Partition Scheduling

A resource partition can also reside inside another partition, thereby forming a hierarchy of partitions. The schedulability of a hierarchical partition based on the BDR model is derived by the following theorem.

Theorem 1 Feng and Mok (2002) In the BDR model, a resource partition group {Ri(αi, Δi)} (1 < i ≤ n) is schedulable on a partition R(α, Δ) if $\sum_{i=1}^{n} \alpha_i \le \alpha$ and Δi > Δ for all i.

The above theorem states that for a group of partitions to be schedulable inside a parent partition, (i) the sum of the availability factors of the partitions in the group must be no greater than the availability factor of the parent partition and (ii) the bounded delay of each partition in the group must be greater than the partition delay of the parent.

For example, Fig. 4 shows how the BDR model is used for hierarchical scheduling of the example in Fig. 1. As shown in Fig. 5a (note that dbfRM(W, t, i) for RM is drawn only from 0 to Ti in the figure), for each task τi in the component M1, there exists t ≤ Ti such that dbfRM(W, t, i) ≤ sbfBDR((0.35, 80), t), which implies the guarantee of the schedulability by the BDR model R = (0.35, 80) under the RM algorithm. Similarly, Fig. 5b shows that the demand bound function is no greater than the supply bound function of the BDR model (0.4, 100) under the EDF algorithm. Thus, we can use (0.35, 80) and (0.4, 100) as the BDR interface models of two components, denoted as I1 and I2, respectively. In addition, Theorem 1 implies that these two BDR interfaces are also schedulable by the upper-layer component BDR interface model I0 = (0.8, 60) because the sum of two availability factors is less than that of I0 (0.35 + 0.4 < 0.8) and the delay is less than each delay (60 < 80 and 60 < 100).

Furthermore, an algorithm to transform schedulable resource partitions into schedulable tasks in an upper-layer component is provided in Feng and Mok (2002). First, Theorem 2 defines the transformation of a sub-partition on the normalized execution of a given resource partition, where the resource rate is shared among all sub-components. Then, the normalized partition is converted into a resource-supply task (it is called a virtual task in Mok et al. (2001)) using the half-half algorithm


Fig. 5 Supply and demand bound analysis of M1 and M2 in Fig. 4

(Mok et al. 2001) in which the resource supply task satisfies both partition delay Δ and availability factor α for a given BDR model (α, Δ).

Theorem 2 Feng and Mok (2002) Given a set of BDR resource supplies {Ri(αi, Δi)} (1 < i ≤ n) to be scheduled on a BDR resource supply of R(α, Δ). Let Sn denote a scheduler of scheduling Ri(αi/α, Δi − Δ) on a dedicated resource with capacity of the same as the normalized execution of R. Also let Sp denote the virtual time Sn scheduler of scheduling Ri on R. Then Sp is valid if Sn is valid.


Theorem 3 Mok et al. (2001) (Half-half algorithm) A resource supply task

$$\tau_k = \left( \alpha \times \frac{\Delta}{2(1-\alpha)},\ \frac{\Delta}{2(1-\alpha)} \right)$$

can support the resource supply of the BDR model (α, Δ).

Example 3 Let us consider the example in Fig. 4. Two schedulable subcomponents of BDR resource interfaces I1 = (0.35, 80) and I2 = (0.4, 100) for the given BDR component interface I0 = (0.8, 60) are transformed to I1′ = (0.35/0.8, 80 − 60) = (0.4375, 20) and I2′ = (0.4/0.8, 100 − 60) = (0.5, 40), respectively, by Theorem 2. The half-half algorithm converts a component interface (α, Δ) into a virtual periodic task (α × Δ/(2(1 − α)), Δ/(2(1 − α))). Thus, the two transformed interfaces I1′ and I2′ are converted into resource supply tasks τ1 = (7.8, 17.8) and τ2 = (20, 40), respectively. Because the utilization of two resource supply tasks is 0.938 on the normalized execution of the BDR model, which is less than one, they are schedulable by EDF on a partition I0 = (0.8, 60).

Figure 6 shows four resource supply and demand bound functions related to component M2. The demand bound function of τ2 is delayed to 60 and slowed to the rate of 0.8 due to the bounded-delay model of I0 = (0.8, 60), which is drawn as a thick line in Fig. 6. This demand bound function is no greater than the supply bound function of the BDR model I2 = (0.4, 100), which satisfies the requirement of demand of M2. Therefore, the resource supply task τ2 = (20, 40) in the upper-layer component M0 meets the schedulability of M2 in the BDR model.
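Example 3 recomputed step by step, as an added Python example that is not code from the chapter or from Mok et al.: it applies the Theorem 1 test, the normalization of Theorem 2 and the half-half conversion of Theorem 3, and confirms that each resulting task keeps the normalized rate and can be withheld for no longer than the normalized delay. Function names are hypothetical and exact fractions stand in for the decimals of the text.

```python
from fractions import Fraction as F

def fits_parent(children, parent):
    """Theorem 1: child rates sum to at most the parent rate and every
    child delay is strictly greater than the parent delay."""
    alpha, delta = parent
    return (sum(a for a, _ in children) <= alpha
            and all(d > delta for _, d in children))

def normalize(child, parent):
    """Theorem 2: the child partition as seen on the parent's normalized execution."""
    (a, d), (alpha, delta) = child, parent
    return a / alpha, d - delta

def half_half(bdr):
    """Theorem 3: periodic resource-supply task (C, T) for a BDR model (alpha, delta)."""
    alpha, delta = bdr
    if not 0 < alpha < 1:
        raise ValueError("the half-half formula needs 0 < alpha < 1")
    period = delta / (2 * (1 - alpha))
    return alpha * period, period

def supply_tasks(children, parent):
    """Resource-supply tasks of the parent component for a group of child partitions."""
    if not fits_parent(children, parent):
        raise ValueError("partition group does not fit the parent (Theorem 1)")
    tasks = []
    for child in children:
        a, d = normalize(child, parent)
        C, T = half_half((a, d))
        # The task keeps the normalized rate, and the longest time a budget of
        # C every T can be withheld, 2 * (T - C), equals the normalized delay.
        assert C / T == a and 2 * (T - C) == d
        tasks.append((C, T))
    return tasks

def edf_utilization(tasks):
    """Utilization of the supply tasks on the normalized execution of the parent."""
    return sum(C / T for C, T in tasks)

I0 = (F(4, 5), F(60))        # parent interface (0.8, 60)
I1 = (F(7, 20), F(80))       # child interface (0.35, 80)
I2 = (F(2, 5), F(100))       # child interface (0.4, 100)

if __name__ == "__main__":
    tasks = supply_tasks([I1, I2], I0)
    for C, T in tasks:
        print(f"task ({float(C):.1f}, {float(T):.1f})")
    print("utilization:", float(edf_utilization(tasks)))
```

The exact values are τ1 = (70/9, 160/9) and τ2 = (20, 40) with utilization 15/16, which round to the (7.8, 17.8), (20, 40) and 0.938 quoted in Example 3.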

3.4 Compositional Framework Based on Periodic Resource Model

The periodic task model (Liu and Layland 1973) has been commonly used to describe periodic real-time jobs. A periodic task model is defined by τ = (C, T), which assumes an implicit deadline, which is the same as its period. The

Fig. 6 Relation among the normalized executed resource supply and the demand of M2


compositional framework based on periodic resource model adopts the periodic task model to capture the resource demand of a component and the resource supply to a component.

3.4.1 Periodic Resource Model

A periodic resource model (PRM) paradigm is represented by (Θ, Π), where Π is a period and Θ is a resource budget available every period Π. It is used to describe a resource supply to a component. It can also be used to describe the resource demand of tasks within a component. Here, it is called the interface of the component. For example, the periodic interface I = (Θ, Π) of a component represents that the collective resource demand of the tasks within the component is Θ time units every Π period. The difference between the periodic resource supply task and the periodic interface model is that the resource supply task is in terms of supply and the interface model is in terms of demand. The schedulability analysis of a component is based on supply and demand by checking if its resource supply is sufficient for its resource demand.

Figure 7 shows the worst-case resource supply of PRM, R = (2, 5). Note that the resource supplies during the second and third periods are delayed by Ψ = 6 (i.e., 2 × (Π − Θ) = 2 × (5 − 2)) since Θ could be supplied at any time within the period Π. Based on this observation, Shin and Lee (2008) define the supply bound function sbfPRM(R, t) to compute the minimum resource supply of PRM R = (Θ, Π), where 0 < Θ ≤ Π, during a given time interval t as follows:

$$\mathrm{sbf}_{\mathrm{PRM}}(R, t) = \begin{cases} t - (k+1)\cdot(\Pi - \Theta) & \text{if } t \in [(k+1)\cdot\Pi - 2\cdot\Theta,\ (k+1)\cdot\Pi - \Theta] \\ (k-1)\cdot\Theta & \text{otherwise} \end{cases} \qquad (7)$$

where $k = \max\left(\left\lceil (t - (\Pi - \Theta))/\Pi \right\rceil, 1\right)$, which computes the maximum number of periods within t. The first case computes the total resource supply where the last period overlapping t contributes to the resource supply. The second case computes

Fig. 7 A resource supply of PRM, R = (Θ, Π )


the total resource supply where the last period does not contribute to the resource supply. The supply bound function sbfPRM(R, t) is lower bounded by the linear function lsbfPRM(R, t) (Shin and Lee 2008), which is defined as follows:

$$\mathrm{lsbf}_{\mathrm{PRM}}(R, t) = \begin{cases} \dfrac{\Theta}{\Pi}\,\bigl(t - 2(\Pi - \Theta)\bigr) & \text{if } t \ge 2\cdot(\Pi - \Theta) \\ 0 & \text{otherwise} \end{cases} \qquad (8)$$

In the following section, we explain the schedulability conditions using sbfPRM , dbfEDF and dbfRM .

3.4.2 Schedulability Conditions for PRM

For a scheduling unit S = (W, R, A), where the resource supply is represented using PRM, Shin and Lee (2008) define the schedulability conditions for an HSS scheduling unit under EDF and RM, respectively, as follows.

Theorem 4 Shin and Lee (2008) Scheduling unit S = (W, R, EDF) is schedulable, where W = {τi | τi = (Ci, Ti)} and R = (Θ, Π), iff

$$\forall t \ \text{s.t.}\ 0 < t \le LCM_W:\quad \mathrm{dbf}_{\mathrm{EDF}}(W, t) \le \mathrm{sbf}_{\mathrm{PRM}}(R, t) \qquad (9)$$

where LCMW is the least common multiple of Ti for all τi ∈ W.

Theorem 5 Shin and Lee (2008) Scheduling unit S = (W, R, RM) is schedulable, where W = {τi | τi = (Ci, Ti)} and R = (Θ, Π), iff

$$\forall \tau_i \in W,\ \exists t_i \in [0, T_i]:\quad \mathrm{dbf}_{\mathrm{RM}}(W, t_i, i) \le \mathrm{sbf}_{\mathrm{PRM}}(R, t_i) \qquad (10)$$

The schedulability conditions for PRM above are used to check the component with respect to both a resource supply task R and I.

Example 4 The component M1 in Fig. 8 executes a workload under RM. It can be shown schedulable by using Eq. 10 as follows: Fig. 9a shows that the supply graph crosses the demand graph of dbfRM(W, t, 3) at around 150 time units, which means that the resource supply task τ1 = (36, 100) supplies sufficient resource to complete τ3 before the end of its period 250. τ4 and τ5 are also satisfied by the supply of I = (36, 100) before the end of their individual periods. The component M1 is thus shown to be schedulable. Using Eq. 9, the schedulability of M2 under EDF can be shown by checking that the supply provided by τ2 = (55, 120) is greater than the collective demand of M2's workload until LCMW.
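The checks of Theorems 4 and 5, as an added Python example that is not code from the chapter or from Shin and Lee. The two-task workload W and all function names are constructed for illustration; sbf_prm uses the form t − (k + 1)(Π − Θ), which reproduces the 2 × (Π − Θ) worst-case delay described for Fig. 7. The example goes one step further than the passage by searching a 0.01 grid for the smallest budget Θ at a fixed period Π and by solving dbf ≤ lsbf (Eq. 8) for Θ in closed form.

```python
from fractions import Fraction as F
from math import ceil, lcm, sqrt

def sbf_prm(theta, pi, t):
    """Eq. 7: least supply of R = (theta, pi) over any interval of length t."""
    k = max(ceil(F(t - (pi - theta)) / pi), 1)
    lo, hi = (k + 1) * pi - 2 * theta, (k + 1) * pi - theta
    return t - (k + 1) * (pi - theta) if lo <= t <= hi else (k - 1) * theta

def lsbf_prm(theta, pi, t):
    """Eq. 8: linear lower bound of sbf_prm."""
    return F(theta) / pi * (t - 2 * (pi - theta)) if t >= 2 * (pi - theta) else 0

def dbf_edf(W, t):
    """Eq. 2: EDF demand bound of implicit-deadline tasks (C, T)."""
    return sum((t // T) * C for C, T in W)

def dbf_rm(W, t, i):
    """Eq. 4: W is sorted by period, so tasks before index i have higher priority."""
    return W[i][0] + sum(ceil(F(t) / T) * C for C, T in W[:i])

def step_points(W):
    """Multiples of the periods up to LCM_W, the only points where dbf_edf jumps."""
    L = lcm(*(T for _, T in W))
    return sorted({m * T for _, T in W for m in range(1, L // T + 1)})

def edf_schedulable(W, theta, pi):
    """Theorem 4: sbf is non-decreasing, so testing the jump points of dbf suffices."""
    return all(dbf_edf(W, t) <= sbf_prm(theta, pi, t) for t in step_points(W))

def rm_schedulable(W, theta, pi):
    """Theorem 5: for each task some t <= T_i must satisfy Eq. 10. The demand is
    constant between releases of higher-priority tasks, so only those release
    times and T_i itself need to be tried."""
    W = sorted(W, key=lambda task: task[1])
    for i, (_, Ti) in enumerate(W):
        points = {m * T for _, T in W[:i] for m in range(1, Ti // T + 1)} | {Ti}
        if not any(dbf_rm(W, t, i) <= sbf_prm(theta, pi, t) for t in points):
            return False
    return True

def min_budget(W, pi, schedulable, step=F(1, 100)):
    """Smallest theta on a grid of width `step` that passes the given test."""
    theta = step
    while theta <= pi:
        if schedulable(W, theta, pi):
            return theta
        theta += step
    return None

def linear_budget(W, pi):
    """Smallest theta with dbf_edf <= lsbf_prm at every jump point, from the
    positive root of (theta / pi) * (t - 2*pi + 2*theta) = dbf."""
    return max((sqrt((t - 2 * pi) ** 2 + 8 * pi * dbf_edf(W, t)) - (t - 2 * pi)) / 4
               for t in step_points(W))

W = [(2, 10), (3, 15)]   # constructed workload, tasks as (C, T), utilization 0.4

if __name__ == "__main__":
    print("sbf of (2, 5):", [sbf_prm(2, 5, t) for t in range(6, 14)])
    print("minimum budget under EDF, period 5:", min_budget(W, 5, edf_schedulable))
    print("minimum budget under RM,  period 5:", min_budget(W, 5, rm_schedulable))
    print("budget from the linear bound:", linear_budget(W, 5))
```

For this workload the smallest budget is 2.5 under EDF and 3 under RM, both above the 2.0 that the utilization alone would suggest, because the supply can be withheld for 2 × (Π − Θ) time units.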

3.4.3 PRM Interface Generation: Periodic Capacity Bounds of PRM

In this section, we explain computation techniques for generating an interface for a component. Basically, the interface of components abstracts resource requirements


Fig. 8 The running example of a hierarchical scheduling system using the PRM model

Fig. 9 Schedulability analysis by using sbfPRM and dbfA

of individual tasks into a collective representation. In other words, the supply of the interface is also proved to satisfy the demand of the workload. The supply of an interface I = (Θ, Π) is a resource supplier in terms of its workload; thus, I can be found in such a way that for a given W, a scheduling unit S = (W, I, A) replacing R with I is found such that the bandwidth of I is


the minimum and W is schedulable by Theorem 4 or 5 according to A. We assume that Π of I is given with the workload W of a component. Then, the problem of computing the interface I for a W and Π is to find the minimum resource of Θ that satisfies the workload W.

The schedulability conditions of Theorems 4 and 5 depend, respectively, on LCMW and the period of workload tasks. Hence, Shin and Lee (2003) introduce interface computation techniques that do not depend on the length of LCMW or the period of workload tasks. They introduced the notion of the periodic capacity bound of a workload, PCBW(Π, A), which bounds the maximum demand bound of W under A for a period Π. In other words, for a workload W, PCBW(Π, A) computes a bandwidth of Θ/Π that satisfies W. The interface I is selected such that Θ/Π of PCBW(Π, A) is the minimum. As a result, Θ and Π of the minimum Θ/Π from PCBW(Π, A) is set to I. For a period Π, a periodic capacity bound PCBW(Π, A) is defined such that a scheduling unit S = (W, I = (Θ, Π), A) is schedulable if

$$\mathrm{PCB}_W(\Pi, A) \le \frac{\Theta}{\Pi} \qquad (11)$$

Using PCBW(Π, A), it can be determined whether or not an interface I = (Θ, Π) can satisfy the resource demand of W under A. In the following, the interface of a component under EDF and RM is derived from Eq. 11. First, the optimal (minimal) periodic capacity bound PCB*W(Π, EDF) for a given Π is defined as follows:

$$\mathrm{PCB}^{*}_W(\Pi, \mathrm{EDF}) = \frac{\Theta^{*}}{\Pi} \qquad (12)$$

where Θ * is the smallest possible Θ such that ∀0 < t ≤ LCMW , dbfEDF (W, t) ≤ sbfPRM (I, t)

(13)

Then, a scheduling unit S = (W, I = (Θ, Π), EDF) is schedulable if and only if PCB*_W(Π, EDF) ≤ Θ/Π. Second, a function to compute a periodic capacity bound is derived as follows. For a workload W and a period Π of interface I = (Θ, Π), I satisfies W if

$$\mathrm{dbf}_{\mathrm{EDF}}(W, t) \le \mathrm{lsbf}_{\mathrm{PRM}}(I, t) = \frac{\Theta}{\Pi}\,(t - 2\cdot\Pi + 2\cdot\Theta) \le \mathrm{sbf}_{\mathrm{PRM}}(I, t) \tag{14}$$

Notice that lsbf_PRM(I, t) is introduced to Eq. 13. From Eq. 14, the following inequality can be obtained:

$$\Theta \ge \frac{\sqrt{(t - 2\cdot\Pi)^2 + 8\cdot\Pi\cdot\mathrm{dbf}_{\mathrm{EDF}}(W, t)} - (t - 2\cdot\Pi)}{4} \tag{15}$$


Let Θ⁺ be the smallest possible Θ satisfying Eq. 15. Then, S = (W, I = (Θ⁺, Π), EDF) is schedulable. For a given workload W under EDF and a period Π, I = (Θ⁺, Π) can be obtained using PCB_W(Π, EDF) as follows:

Theorem 6 (Shin and Lee 2003) For a given periodic workload W under EDF, a periodic capacity bound PCB_W(Π, EDF) computes the utilization bound of interface I = (Θ, Π) that schedules the workload W. It is defined by

$$\mathrm{PCB}_W(\Pi, \mathrm{EDF}) = \frac{\Theta^{+}}{\Pi}, \quad\text{where}\quad \Theta^{+} = \max_{0\,\ldots}\ \frac{\sqrt{(t - 2\cdot\Pi)^2 + 8\cdot\Pi\cdot\mathrm{dbf}_{\mathrm{EDF}}(W, t)} - (t - 2\cdot\Pi)}{4} \tag{16}$$

for all I = (Θ, Π ,  ) such  is bandwidth optimal for M. that IEDP

Definition 7 defines the minimal bandwidth of an EDP interface that schedules M without accounting for the deadline. Definition 8 defines the minimal bandwidth of an EDP resource model that schedules M accounting for the deadline, so that the EDP resource model has the minimum bandwidth and the largest deadline among interfaces that schedule M with the same Θ and Π. Using these two properties, an EDP interface can be generated such that the bandwidth of the interface is minimal and the deadline is the longest among the possible EDP interfaces.
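The PRM budget computation of Eqs. 13 to 16 can be traced numerically. The Python below is an added example, not code from the chapter: the workload and period are constructed, `dbf_edf` (implicit-deadline periodic tasks) and the closed form in `sbf_prm` are the usual definitions, assumed here because this section does not restate them, and the maximisation in `theta_plus` is assumed to run over the interval of Eq. 13, 0 < t ≤ LCM_W.

```python
from functools import reduce
from math import floor, gcd, sqrt


def lcm_of_periods(tasks):
    """LCM_W: least common multiple of the (integer) task periods."""
    return reduce(lambda a, b: a * b // gcd(a, b), (T for _, T in tasks))


def dbf_edf(tasks, t):
    """EDF demand of implicit-deadline periodic tasks (C, T) in an interval of length t (assumed form)."""
    return sum((t // T) * C for C, T in tasks)


def sbf_prm(theta, pi, t):
    """Minimum supply of the periodic resource (theta, pi) in any interval of length t (assumed form)."""
    blackout = pi - theta
    if t < blackout:
        return 0.0
    k = floor((t - blackout) / pi)
    return k * theta + max(t - 2 * blackout - k * pi, 0.0)


def lsbf_prm(theta, pi, t):
    """Linear lower bound of the supply, as written in Eq. 14."""
    return theta / pi * (t - 2 * pi + 2 * theta)


def schedulable(tasks, theta, pi):
    """Eq. 13: demand never exceeds the exact supply for 0 < t <= LCM_W.

    Integer t is enough: demand only jumps at multiples of the integer
    periods and the supply never decreases with t.
    """
    return all(dbf_edf(tasks, t) <= sbf_prm(theta, pi, t) + 1e-9
               for t in range(1, lcm_of_periods(tasks) + 1))


def theta_star(tasks, pi, iterations=60):
    """Smallest budget satisfying Eq. 13, by bisection (supply grows with theta)."""
    lo, hi = 0.0, float(pi)
    if not schedulable(tasks, hi, pi):
        raise ValueError("workload does not fit even on the full processor")
    for _ in range(iterations):
        mid = (lo + hi) / 2
        if schedulable(tasks, mid, pi):
            hi = mid
        else:
            lo = mid
    return hi


def theta_plus(tasks, pi):
    """Largest right-hand side of Eq. 15 over 0 < t <= LCM_W (assumed range)."""
    best = 0.0
    for t in range(1, lcm_of_periods(tasks) + 1):
        demand = dbf_edf(tasks, t)
        if demand == 0:
            continue  # zero demand is met by any supply, so Eq. 15 is not needed
        rhs = (sqrt((t - 2 * pi) ** 2 + 8 * pi * demand) - (t - 2 * pi)) / 4
        best = max(best, rhs)
    return best


# Constructed workload: (C, T) pairs, utilisation 0.3, interface period 2.
WORKLOAD = [(1, 5), (1, 10)]
PERIOD = 2

if __name__ == "__main__":
    exact, linear = theta_star(WORKLOAD, PERIOD), theta_plus(WORKLOAD, PERIOD)
    print(f"exact budget  (Eq. 13): {exact:.4f}  bandwidth {exact / PERIOD:.4f}")
    print(f"linear budget (Eq. 16): {linear:.4f}  bandwidth {linear / PERIOD:.4f}")
```

For the constructed workload the exact budget is 0.75 and the linear bound gives about 0.791, so the lsbf-based interface reserves roughly 2 percentage points more bandwidth than Eq. 13 requires.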

3.5.3 EDP Interface Generation

As described in Sects. 3.3.3 and 3.4.3, for BDR and PRM, the interface of a component is generated by first computing a sufficient resource supply for the component’s workload and then using the resource supply parameters as the interface. In contrast, for EDP the interface of a component is first generated by computing the dbf of the component. Then, the resource supply task for the component is generated from the interface using the properties of EDP. For a component M and interface period Π, the bandwidth-deadline optimal interface of M can be computed by the following two steps: (i) find a bandwidth optimal interface that schedules M with the assumption of Θ =  and (ii) find a bandwidth-deadline optimal interface by gradually increasing the deadline as long as the schedulability is preserved. At each step, ensure the schedulability using the schedulability conditions Eqs. 24 and 25. More specifically, the interface of a component under EDF (Easwaran et al. 2007) is generated as follows:

Step 1 Set  to Θ. Check Eq. 24 over all interval lengths (LCM_W) and search for the minimum Θ (= Θ^m) over the interval lengths that always schedules M, i.e., find a bandwidth-optimal interface for M.

Step 2 Set Θ to Θ^m. Check Eq. 24 over all interval lengths (LCM_W) and search for the maximum (=m ) over the interval lengths.

Then, Im = (Θ, Π m , m ) is the bandwidth-deadline optimal interface for M under EDF.

The interface of a component under DM (Easwaran et al. 2007) is generated as follows:

Step 1 Set  to Θ. Check Eq. 25 for each task up to its deadline and search for the minimum Θ = Θ_i^m over the interval length. Let Θ^m = max_i Θ_i^m.

Step 2 Set Θ to Θ^m. Check Eq. 25 for each task up to its deadline and search for the maximum  = m over the interval length. Let m = mini m i i

Then, m m m I = (Θ , Π ,  ) is the bandwidth-deadline optimal interface for M under DM.

The difference between interface generation under EDF and under DM is that the schedulability condition for a component under DM requires checking the schedulability of each task up to its deadline.


The two interfaces I1 and I2 in Fig. 10 are computed using these algorithms and are thus optimal. A more efficient computation algorithm for generating EDP interfaces can be found in Easwaran et al. (2007).

3.5.4 Exact Transformation of Interfaces in EDP

This section discusses how to generate a resource model that can supply the resources demanded by the interface of a component. Suppose that the workload of a component is schedulable by I = (5,2,5). If the parameter values of the interface I are used directly for the associated resource supply task, τ = (5,2,5), then τ demands resources from its upper-level component, as shown in Fig. 13, and a supply of τ’s parent component that satisfies τ has to provide more resources than I actually needs to provide. On the other hand, τ  = (5,2,8) requires from its parent component exactly the amount of resources that satisfies I = (5,2,5). Based on this observation, the exact transformations of an interface model into an interface task under EDF and DM serviced by EDP interfaces are defined in Easwaran et al. (2007). Let T_A be a function that transforms an EDP interface into an interface task τ under scheduling algorithm A. Then, the transformation function T_EDF for a given EDP interface is defined as follows:

Definition 9 (Easwaran et al. 2007) For a given EDP interface I = (Θ, Π , ), the transformation function is defined by T_EDF(I) = (Θ, Π, Π +  − Θ).

The interface task generated by T_EDF is demand-supply optimal for I in that it requires the least resources among all interface tasks that satisfy I (Easwaran et al. 2007). The transformation function T_DM returns a demand-supply optimal interface task     τ under DM for an EDP interface I. Let I = (Θ , Π ,  ) be the interface of a component that encloses the resource supply task τ that would be built from EDP interface I.

Definition 10 (Easwaran et al. 2007) For an EDP interface I = (Θ, Π , ) and a  period Π  , the bandwidth-optimal resource supply R∗ = (Θ ∗ , Π , Θ ∗ ) under DM

Fig. 13 Resource supplies of sbfEDP(5,2,5) and its resource supply tasks


is such that



Θ =

where β ∈ 0,

k·(k=1)



⎧ ⎨Θ + ⎩

Θ k

k·Θ 

ΘC

Π  = Π + k, k ≥ 0 Π  = Πk , k ≥ 2 Π  = Πk + β, k ≥ 2

and k is an integer. If there exits n ∈ 

(26)

−Θ −Θ k·β , k·β

 + Π  +1

such that n · k · β − ( − Θ) = l · Π + ϒ and n is the smallest integer satisfying β·Θ n·Θ Θ ϒ ≥ n·Θ+ϒ n·k−l , then ΘC = n·k−(l+1) . Otherwise, ΘC = k + Π . 

Based on the bandwidth optimal resource supply R∗ = (Θ ∗ , Π , Θ ∗ ), the transformation function T_DM, which returns an interface task under DM, is defined as follows:

Definition 11 (Easwaran et al. 2007) For a given EDP interface I = (Θ, Π , ) and period Π  , the transformation function is T_DM(I, Π ) = (Θ ∗ , Π  , Π ).

Figure 10 shows the hierarchical scheduling system that updates the running example of Fig. 8 with the EDP resource model. Notice that the interfaces I1 and I2 have deadlines different from their interface tasks’ deadlines.

4 Real-Time Calculus for HSS

There are several system-level performance analysis techniques in the literature, which are simulation-based approaches, formal approaches, or a hybrid of the two. Real-Time Calculus (RTC) (Chakraborty et al. 2003; Thiele et al. 2000) is a deterministic formal performance analysis technique, which provides worst-case bounds for the system parameters analyzed. Real-Time Calculus has its theoretical roots in Network Calculus (Le Boudec and Thiran 2001), which is used to analyze timing properties of application flows. The analysis based on Network Calculus utilizes a cumulative function of event arrivals and the number of resources provided on a node to determine the delays incurred in processing an event stream. In contrast, RTC uses interval bound functions to capture event arrivals as well as available resources. These interval bound functions for event arrivals and available resources are termed arrival curves and service curves, respectively.

The cumulative function and interval bound function for a given event stream are illustrated in Fig. 14. The event stream arrival is shown in Fig. 14a, where the x-axis is the time t. In Fig. 14b, the cumulative function A(t) of the event arrival is shown for any time t, which shows how many events arrived from zero to time t. The interval bound function shown in Fig. 14c gives the upper (α u ()) and lower bound (α l ()) on the number of event arrivals in any time interval . For each , a sliding window of width  is traversed over the entire event stream to find the maximum and minimum number of events that arrived in any time interval .


Fig. 14 Illustration of cumulative and interval bound functions

4.1 Workload and Service Model

The workload model captures the event arrivals that need to be processed on a computation node. This workload can be captured in terms of the number of events that arrive in a time interval or the number of processor cycles required to process the events in a time interval. In RTC, the workload is captured in terms of the arrival curve, which is defined below. Definition 12 (Arrival Curve) Let A(t) denote the number of events that arrive in time interval (0, t). Then, the incoming workload is bounded by the arrival curve α = [α u , α l ] iff for all arrival patterns A(t): α l () ≤ A (t + ) − A(t) ≤ α u ()

(27)

for all  ≥ 0. In other words, α u () and α l () give the maximum and minimum number of events that can arrive over any interval of length  across the entire stream. The above definition of arrival curve is more specifically termed the event-based arrival curve. The arrival curve can also be characterized in terms of the processor time required to execute the task events in a time interval. This is referred to as the resource-based arrival curve. If the worst-case execution time (WCET) and best-case execution time (BCET) of processing an event are emax and emin , respectively, then the resource-based arrival curve α u , α l can be derived from the event-based arrival curve using the transformations: α u = α u × emax and α l = α l × emin .

The service model captures the number of units of a resource provided in a given time interval  using a service curve. This resource-based service curve is defined below.


Definition 13 (Service Curve) Let C(t) denote the number of processing or communication units available from a resource in time interval (0, t). Then, β = ! u l β , β is a service curve of the processor iff for all service patterns C(t): l

u

β () ≤ C (t + ) − C(t) ≤ β () u

(28)

l

for all  ≥ 0. In other words, β () and β () denote the upper and lower bounds on the processing/communication units available from a resource over any interval of time  across the entire event stream. The service curve can also be characterized in terms of the number of task events processed in a time interval, which is referred to as the event-based service curve. The event-based service curve can be derived from the resource-based service curve u l using the transformations: β u = β /emin and β l = β /emax .

4.2 Schedulability Analysis

Given a set of tasks {τ i } executed on a uniprocessor, the minimum service required to ensure schedulability of jobs of each task depends on the scheduling algorithm employed. For a periodic task τ i = (Ci , Ti , Di ) (or sporadic task), the upper bound on arrival curve for each task can be obtained using the task’s real time parameters, such as period (or minimum inter arrival distance) and WCET as follows  α ui () =

  × Ci Ti

(29)
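The sliding-window construction behind Definition 12 and Fig. 14, and the periodic bound of Eq. 29, can be tried on a trace. The Python below is an added example, not code from the chapter: the two traces are constructed, windows are taken as half-open [t, t + length) on integer time, and Eq. 29 is assumed in its usual form, ceil(length / T_i) × C_i.

```python
from bisect import bisect_left


def arrival_curve(events, horizon, max_len):
    """Event-based arrival curve of Definition 12, measured on one trace.

    Returns {length: (alpha_l, alpha_u)}: the fewest and the most events seen
    in any window [t, t + length) lying inside [0, horizon).  Timestamps and
    window lengths are integers, so integer window starts cover every case.
    """
    if not 0 < max_len <= horizon:
        raise ValueError("need 0 < max_len <= horizon")
    ev = sorted(events)
    curve = {0: (0, 0)}
    for length in range(1, max_len + 1):
        # bisect_left(ev, x) counts events strictly before x, so the
        # difference is the number of events in [t, t + length).
        counts = [bisect_left(ev, t + length) - bisect_left(ev, t)
                  for t in range(horizon - length + 1)]
        curve[length] = (min(counts), max(counts))
    return curve


def resource_based(curve, e_min, e_max):
    """Scale event counts to processor time: lower curve by e_min, upper by e_max."""
    return {n: (lo * e_min, hi * e_max) for n, (lo, hi) in curve.items()}


def periodic_upper(length, period, wcet=1):
    """Upper arrival curve of a periodic or sporadic task (Eq. 29, assumed form)."""
    return -(-length // period) * wcet if length > 0 else 0


def bound_violations(curve, period):
    """Window lengths at which the measured upper curve exceeds the Eq. 29 bound."""
    return [n for n, (_, hi) in sorted(curve.items())
            if hi > periodic_upper(n, period)]


# Constructed traces (integer timestamps), not data from the chapter.
SPORADIC = [0, 4, 9, 13, 20, 24, 28, 35]   # every inter-arrival distance >= 4
BURSTY = [0, 4, 5, 9, 13]                  # 4 -> 5 breaks the minimum distance of 4

if __name__ == "__main__":
    curve = arrival_curve(SPORADIC, horizon=40, max_len=12)
    for n in (1, 4, 5, 9, 12):
        lo, hi = curve[n]
        print(f"length {n:2d}: alpha_l={lo} alpha_u={hi} bound={periodic_upper(n, 4)}")
    print("sporadic trace violations:", bound_violations(curve, 4))
    print("bursty trace violations:  ",
          bound_violations(arrival_curve(BURSTY, horizon=20, max_len=6), 4))
```

A trace that respects the minimum inter-arrival distance never exceeds the bound, while the bursty trace exceeds it at window lengths 2, 3, 4 and 6.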

EDF schedulability : In order for the task to be schedulable, i.e., for execution of each job of the task to finish before the deadline Di , the service required in case of l EDF scheduling is given by β i () ≥ α ui ( − Di ). The following theorem presents the lower bound of service required for the schedulability of a set of tasks under EDF (Stoimenov et al. 2009). Theorem 12 Under EDF scheduling, the lower bound of service required for schedulability of

l tasks in the set τ i with deadline Di is given by β () = α ui ( − Di ). ∀i

Fixed Priority Schedulability: Under FP scheduling with pre-emption, within any interval , the lower priority tasks get the remaining service that is left over after servicing the tasks of higher priority. The lower bound of service required by l∗ task τ i alone is given by β i () = α ui ( − Di ). The following theorem presents the lower bound of service required by task τ i in the presence of a lower priority task τ i + 1 (Chakraborty et al. 2006).


Theorem 13 If task τ i has higher priority than task τ i+1 , the lower bound of service curve required by τ i is given by

"  # l l l∗ ∀ ≥ 0 : β i () = max Servmin β i+1 () , α ui () , β i ()

(30)

 l l where Servmin β i+1 (), α ui () = β i+1 ( − λ) + α ui ( − λ) and λ = " $ # l $ l sup ε $β i+1 ( − ε) = β i+1 () .

 l The function Servmin β i+1 () , α ui () is the smallest service curve required by a task with arrival curve α ui () such that the remaining service curve after l

processing the task is at least β i+1 (). Let us assume a set of m tasks τ i with the priority decreasing with increasing value of i. Then, the lower bound of service l u required for schedulability of task

τ m is given  by β m = α m ( − Dm ). The lower l

bound of service for task τm−1 β m−1 () can be obtained using Theorem 13. This procedure can be repeated and the schedulability of the task set is ensured l if the total service provided is greater than or equal to β 1 (), which is the service requirement of task τ 1 . The idea behind the computation of lower bound on service for the task set under fixed priority preemptive scheduling is that each task must have just enough service available in every time interval  to ensure its schedulability. This means that the lower bound of service available to a task must be such that the task is schedulable and the remaining service left after processing the task is just enough to ensure schedulability of all the lower priority tasks. Therefore, the lower bound of service available to the highest priority task must be such that the schedulability of all lower priority tasks is ensured along with its schedulability.

4.3 Compositional Analysis for Hierarchical Scheduling Systems

In this section, we present the steps of how compositional analysis is performed for hierarchical scheduling systems using RTC. Principally, the interface-based technique used by RTC is similar to the one used by compositional approaches

 using l PRM and EDP. However, RTC uses the lower bound of service curve β in the interface of a component, which is different from the interface parameters used by l compositional approaches using PRM and EDP. Once the interface parameter β is obtained for each component, the schedulability of the component can be verified by ensuring that the next higher level component in the hierarchy satisfies the required interface parameter. We explain this procedure using the hierarchical scheduling system shown in Fig. 8.


In Fig. 8, there are two levels in the hierarchy. Level 1 includes the leaf nodes with components M1 and M2 . Component M1 encapsulates tasks τ 3, τ 4 and τ 5 scheduled using RM, whereas component M2 includes tasks τ 6, τ 7 and τ 8 scheduled using EDF. For component M2 , we can derive the lower bound of service required considering the three tasks that it includes using Theorem 12. Let us denote the l resultant lower bound of service for component M2 as β M2 . Similarly, the lower

 l bound of service for component M1 β M1 can be obtained using Theorem 13. l

l

The interface parameters of M1 and M2 are β M1 and β M2 respectively. The lower bound of service provided by component M0 at level 0 (or root level) must ensure that the interface requirement of components M1 and M2 are satisfied. The interface l l parameters β M1 and β M2 can be considered as the workload for component M0 . In order to compute the interface of component M0 given the period for the interfaces of components M1 and M2 , the arrival curves α uM1 and α uM2 are calculated by finding the least execution times for the interface periods such that α uM1 in component M0 (given by Eq. 29) is greater than or equal to the interface parameter l l β M1 and α uM2 is greater than or equal to the interface parameter β M2 . This ensures that the arrival curves corresponding to components M1 and M2 upper bound the l l interface parameters β M1 and β M1 , respectively. With the arrival curves of the child

 l components and their interface periods, the interface parameter of M0 β M0 can be computed using Theorem 12.

5 Comparison of Compositional and RTC Frameworks

Compositional Scheduling and RTC based analysis techniques propose distinct approaches to hierarchical scheduling analysis. Conceptually, the computed interface and the technique to compute the interface are different in the compositional framework when compared to the RTC framework. For hierarchical scheduling analysis, the compositional framework derives an interface parameter (Θ, Π ) (for PRM) or (Θ, Π , ) (for EDP) for each component in the hierarchy, which denotes how much budget (Θ) the component requires in every period (Π ) time units. The interface parameter is derived using the dbf and sbf functions, which are time interval based functions. The dbf value for a set of tasks is a function of the workload of the tasks and the scheduling policy used. The sbf value is a function of the resource model used, i.e., PRM or EDP. On the contrary, the interface parameter that is derived in RTC framework for schedulability of a component is the required lower bound on service curve (β l ). The interface parameter β l is derived from the workload of the tasks given by the arrival curve α and the scheduling policy. Therefore, one thing significant to note is that RTC framework inherently does not use a resource model to derive β l and sbf from compositional framework cannot be compared with any quantity in RTC framework unless we derive a service curve that takes the resource model into consideration.


Fig. 15 Comparison between β l and dbf for M1 and M2

But it turns out that the lower bound on service curve considering the resource model would be exactly the same as the sbf function. Further, conceptually β l is analogous to the dbf used in the compositional framework, as both are derived from the workload and the scheduling policy used. Hence, we present a couple of plots to show how β l compares to dbf for the workload in components M1 and M2 from Fig. 8. Figure 15 shows two comparisons between the service curves of β l and the resource demands of dbf for M1 and M2 from Fig. 8. Note that Fig. 15b shows that β l and dbf for M2 exactly overlap each other, showing that the interface β l of RTC computes the exact upper bound of dbf for M2 under EDF. Figure 15a shows the comparison between β l and dbf for M1 under RM (Rate Monotonic). dbf individually computes each demand of the tasks of M1 under RM, while β l collectively computes the lower bound of the service curve satisfying the same workload. However, the lower-bound service curve satisfies the schedulability condition of Eq. 10, which requires that the demand of every task in the workload is satisfied at least once up to the deadlines of individual tasks. According to this observation, the service curve in β l can be used as dbf so that it is checked against a given supply bound function to check the schedulability of HSS components. Thus, if the service curve can compute


more optimal resource requirements than dbf, it is possible to find a more optimal hierarchical scheduling system using the service curve of RTC than the classical compositional framework.

6 Summary

This chapter presents the compositional framework depending on resource modeling paradigms (namely BDR, PRM, EDP) and the RTC-based techniques independent from resource models for hierarchical scheduling analysis. The EDP resource model extends PRM with deadlines such that a workload is satisfied with less resource allocations when compared to PRM. The RTC-based technique computes a lower-bound of service curve that satisfies a given workload. The lower-bound of service curve of RTC is analogous to demand-bound functions of the compositional framework, and thus, we posit that it can be used together with supply bound functions to find more resource-optimal hierarchical scheduling systems.

References

S.K. Baruah, L.E. Rosier, R.R. Howell, Algorithms and complexity concerning the preemptive scheduling of periodic, real-time tasks on one processor. Real-Time Syst. 2(4), 301–324 (1990)

M. Chadli, J.H. Kim, A. Legay, L.M. Traonouez, S. Naujokat, B. Steffen, K.G. Larsen, A model-based framework for the specification and analysis of hierarchical scheduling systems, in International workshop on formal methods for industrial critical systems (Springer, 2016), Cham, pp. 133–141

S. Chakraborty, S. Künzli, L. Thiele, A general framework for analysing system properties in platform-based embedded system designs, in Proceedings of Design Automation and Test in Europe (DATE) (2003). pp. 190–195

S. Chakraborty, Y. Liu, N. Stoimenov, L. Thiele, E. Wandeler, Interface-based rate analysis of embedded systems, in Proceedings of 27th IEEE Real-Time Systems Symposium (RTSS) (2006). pp. 25–34

A. Easwaran, M. Anand, I. Lee, Compositional analysis framework using edp resource models, in Real-Time Systems Symposium. RTSS 2007. 28th IEEE International (IEEE, 2007). pp. 129–138

X. Feng, A.K. Mok, A model of hierarchical real-time virtual resources, in Proceedings of 23rd IEEE Real-Time Systems Symposium (RTSS) (2002). pp. 26–35

J.Y. Le Boudec, P. Thiran, Network Calculus: A Theory of Deterministic Queuing Systems for the Internet, vol 2050 (Springer Science & Business Media, Berlin/Heidelberg, 2001)

J. Lehoczky, L. Sha, Y. Ding, The rate monotonic scheduling algorithm: exact characterization and average case behavior, in Real Time Systems Symposium, 1989, Proceedings (IEEE, 1989). pp. 166–171

C.L. Liu, J.W. Layland, Scheduling algorithms for multiprogramming in a hard-real-time environment. J. ACM 20(1), 46–61 (1973). https://doi.org/10.1145/321738.321743

A.K. Mok, X. Feng, D. Chen, Resource partition for real-time systems, in Proceeding of 7th IEEE Real-Time Technology and Applications Symposium (RTAS) (2001). pp. 75–84

L.T. Phan, J. Lee, A. Easwaran, V. Ramaswamy, S. Chen, I. Lee, O. Sokolsky, CARTS: a tool for compositional analysis of real-time systems. ACM SIGBED Rev. 8(1), 62–63 (2011)

I. Shin, I. Lee, Periodic resource model for compositional real-time guarantees, in RTSS (2003). pp. 2–13

I. Shin, I. Lee, Compositional real-time scheduling framework with periodic model. ACM Trans. Embed. Comput. Syst. (TECS) 7(3), 30 (2008)

N. Stoimenov, S. Perathoner, L. Thiele, Reliable mode changes in real-time systems with fixed priority or edf scheduling, in Proceedings of Design, Automation and Test in Europe (DATE) (2009). pp. 99–104

L. Thiele, S. Chakraborty, M. Naedele, Real-time calculus for scheduling hard real-time systems, in Proceedings of IEEE International Symposium on Circuits and Systems (ISCAS) (2000). pp. 101–104

9 Mixed-Criticality Uniprocessor Scheduling

Sanjoy Baruah

Contents

1 Introduction and Motivation
2 Model and Definitions
3 The Uniprocessor Scheduling of Collections of MC Jobs
4 The Uniprocessor Scheduling of Collections of MC Tasks
4.1 Fixed Priority Scheduling
4.2 Dynamic Priority Scheduling
5 Further Information
References

Abstract

Mixed-criticality scheduling theory is a subdiscipline of real-time scheduling theory that has been developed for the analysis of real-time systems possessing two additional characteristics: (1) not all parts of the system are equally critical and (2) the system’s run-time behavior cannot be specified precisely prior to runtime but must instead be estimated. This chapter provides a basic introduction to mixed-criticality scheduling theory and provides an overview of some relevant results concerning the preemptive uniprocessor scheduling of mixed-criticality real-time systems.

S. Baruah
Department of Computer Science and Engineering, Washington University in St. Louis, St. Louis, MO, USA

© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_8

1 Introduction and Motivation

Mixed-criticality scheduling theory specializes “regular” real-time scheduling theory to account for two additional features that are becoming increasingly prevalent in real-time systems:

• Many real-time systems are responsible for multiple functionalities, not all of which are equally important (or critical); and
• Although many real-time systems are expected to have their correctness validated prior to deployment, the values of some parameters characterizing a real-time system’s run-time behavior cannot be determined precisely prior to run-time but must instead be estimated for the purposes of performing such pre-run-time validation.

We illustrate with an example. Real-time systems are often modeled as comprising collections of independent jobs that are to execute upon a shared platform. Each job is characterized by the three parameters release time, worst-case execution time (WCET), and deadline. A job J_i is thus specified by the 3-tuple (r_i, c_i, d_i); the intended interpretation is that the job may need to execute for a duration up to c_i time units over the interval [r_i, d_i]. Consider an instance comprising the three jobs J1, J2, and J3 depicted in (the first four columns of) Table 1, to be executed upon a single preemptive unit-speed processor. Job J1 is to be scheduled for one unit of execution over the interval [0, 4), job J2 is to be scheduled for four units of execution over the interval [0, 6), and job J3 is to be scheduled for two units of execution over the interval [1, 6). Since executing all these jobs correctly requires that we accommodate seven units of execution over the time interval [0, 6], it is immediately evident that a correct schedule for this instance cannot be constructed: in the terminology of real-time scheduling theory, such an instance is therefore considered infeasible.

Mixed-criticality scheduling theory suggests an approach to scheduling some such instances that would traditionally be deemed infeasible, by extending the semantics of the job model to recognize a couple of ground realities – first, all jobs may not be equally critical, and second, in many situations, the exact value of the WCET parameter of jobs is not known exactly beforehand but must instead be estimated (by, for instance, the use of appropriate WCET estimation tools; Wilhelm et al. 2008). The job model described above is therefore modified to allow for the specification of (i) a criticality level for each job and (ii) multiple WCET estimates per job, one at a level of assurance that corresponds to each criticality level. The intended interpretation of these parameters is that each job J_i should be verified as executing correctly (i.e., completing by its deadline) provided all the jobs in the instance complete upon executing for no more than their WCETs estimated at a level of assurance corresponding to J_i’s criticality level.

Table 1 An example real-time instance comprising three jobs. The columns labeled “release time”, “WCET”, and “deadline” characterize these jobs using a traditional scheduling model; columns 5–7 characterize it in mixed-criticality terms

| Job | Release time (r_i) | WCET (c_i) | Deadline (d_i) | Criticality (χ_i) | LO-criticality WCET (c_i(LO)) | HI-criticality WCET (c_i(HI)) |
|---|---|---|---|---|---|---|
| J1 | 0 | 1 | 4 | LO | 1 | 1 |
| J2 | 0 | 4 | 6 | HI | 4 | 4 |
| J3 | 1 | 2 | 6 | HI | 1 | 2 |

Returning to our example, let us suppose that it is determined that jobs J2 and J3 are more critical than job J1. This is expressed by assigning jobs J1, J2, and J3 criticality levels χ1 ← LO, χ2 ← HI, and χ3 ← HI (as listed in the fifth column in Table 1); here, the intended interpretation is that a LO-criticality job is less critical than a HI-criticality one. Also, two separate WCET estimates, c_i(LO) and c_i(HI), are determined for each job J_i: the estimate c_i(HI) is determined using a WCET estimation tool that is considered acceptable for the analysis of HI-criticality systems, while the estimate c_i(LO) is determined using a (presumably less conservative) WCET estimation tool that is considered acceptable for the analysis of LO-criticality systems. Let us suppose that the values determined by these tools are as specified in the last two columns of Table 1: c1(LO) = c1(HI) = 1; c2(LO) = c2(HI) = 4; and c3(LO) = 1, while c3(HI) = 2. (Thus, the job WCET numbers specified earlier – as listed in the third column of Table 1 – are the HI-criticality WCETs, the c_i(HI) values.) These parameters have the following interpretation:

1. If during run-time each job J_i does in fact complete upon executing for no more than c_i(LO) units, then all jobs should complete execution prior to their deadlines.
2. If however some job J_i does not complete upon being allowed to execute for up to c_i(LO) units, but each job J_i completes if allowed to execute for up to c_i(HI) units, then all those jobs designated as HI-criticality jobs (i.e., all jobs J_i for which χ_i ≡ HI) should complete execution prior to their deadlines.

This mixed-criticality instance can be scheduled correctly by, for example, the following run-time scheduling strategy (see Fig. 1):

1. Execute job J2 over the time interval [0, 1) and job J3 over the time interval [1, 2).
2. By time-instant 2, job J3 would have received c3(LO) = 1 units of execution; what we do next depends upon whether it has completed execution or not.
   • If J3 completes execution by time-instant 2, then execute job J1 over the time interval [2, 3).
   • Else continue executing J3 over the time interval [2, 3).
3. Finally, execute job J2 over the time interval [3, 6).

Fig. 1 A mixed-criticality scheduling strategy for the instance of Table 1

It may be verified that the scheduling strategy above completes all three jobs by their deadlines if each completes upon executing for no more than its LO-criticality WCET and completes both the HI-criticality jobs (but not the LO-criticality one) by their deadlines if each completes upon executing for no more than its HI-criticality WCET.

Motivation for this model The mixed-criticality job model informally described above was motivated by the recognition that modern computing platforms tend to exhibit wide variations in behavior with respect to extra-functional properties such as execution time: on different runs, the same piece of code, executing upon the same platform, may execute for durations that vary very considerably. Different WCET estimation tools have therefore been developed that determine a WCET parameter for a piece of code that we may trust to different levels of assurance (i.e., at different degrees of confidence) – see Wilhelm et al. (2008) for a survey. Very conservative tools, often based on static analysis of code, yield very large estimates of the WCET parameter that we can trust to a very high level of assurance, while less conservative tools, typically measurement-based, may yield far smaller estimates that we may trust to lesser levels of assurance.
Current industrial practice in the validation of mixed-criticality systems is to validate the entire system at a level of assurance consistent with the highest criticality level in the system; this can lead to platform resource underutilization since less critical functionalities are validated under unnecessarily conservative assumptions. (Hence, for example, in Table 1, we have used the values from the ci (HI) column in the column labeled ci , when representing our mixed-criticality jobs under the “traditional” (i.e., non-mixed-criticality) model.) Mixed-criticality scheduling theory seeks to ameliorate such underutilization by developing a framework that enables each functionality to be validated under assumptions that are made at the appropriate degree of conservatism and no more. That such an enhancement in efficiency may be possible was first articulated in a seminal paper by Vestal (2007), which put forth the “conjecture that the higher the degree of assurance required that actual task execution times will never exceed the WCET parameters used for analysis, the larger and more conservative the latter values become in practice. For example, at low criticalities the worst time observed during tests of normal operational scenarios might be used. At higher criticalities the worst time observed during more exhaustive tests specifically constructed for this purpose might be used. At the highest criticality, some code flow analysis and worst-case instruction cycle counting might be done.” The subdiscipline of mixed-criticality scheduling theory may be considered to have emerged as a deeper and broader exploration of this conjecture.

9 Mixed-Criticality Uniprocessor Scheduling

Organization of this chapter. The remainder of this chapter is organized as follows. In Sect. 2 we present formal models that are used for representing mixed-criticality workloads comprising both collections of independent jobs and collections of recurrent tasks. In Sect. 3 we present results concerning the preemptive uniprocessor scheduling of mixed-criticality systems modeled as collections of independent jobs; in Sect. 4, we survey a selection of results concerning the preemptive uniprocessor scheduling of systems modeled as collections of recurrent tasks. In Sect. 5 we list additional sources of information on mixed-criticality scheduling.

2 Model and Definitions

Although there were just two criticality levels in the example that we considered above, there may in general be more criticality levels defined. For instance, the RTCA DO-178B standard, widely used in the aviation industry, specifies five different criticality levels, with the system designer expected to assign one of these criticality levels to each job. The ISO 26262 standard, used in the automotive domain, specifies four criticality levels, known in the standard as “safety integrity levels” or SILs. Accordingly, formal models for mixed-criticality workloads allow for the specification of arbitrarily many criticality levels.

Let L ∈ N+ denote the number of distinct criticality levels in the mixed-criticality (henceforth, often abbreviated as MC) system being modeled. A job in this MC system is characterized by a 4-tuple of parameters, Jj = (rj , dj , χj , cj ), where:

• rj ∈ Q+ is the release time of the job.
• dj ∈ Q+ is its deadline, dj ≥ rj .
• χj ∈ {1, 2, . . . , L} is the criticality of the job. Dual-criticality instances – instances for which L = 2 – have been widely studied. For such instances, the mnemonics “LO” and “HI” are typically used to represent the lower ( = 1) and higher ( = 2) criticality levels, respectively.
• cj ∈ (Q+)^L is a vector, the ’th coordinate of which specifies the worst-case execution time (WCET) estimate of job Jj at criticality level . We often represent cj by listing its constituent components: cj (1), . . . , cj (L).

We will, for the most part, assume that cj () is monotonically non-decreasing with increasing . This is a reasonable assumption: these cj () values represent upper bounds, at different degrees of confidence, on the WCET of the job. Larger values of  correspond to greater degrees of confidence and are therefore likely to be larger.


An MC instance I = {J1 , J2 , . . . , Jn } consists of a collection of n MC jobs executing upon a shared platform.

We now define the intended semantics of the MC job model. Each job Jj requires an amount of execution time γj within its scheduling window [rj , dj ]. The value of γj is not known from the specification of Jj but is only discovered by actually executing the job until it signals that it has completed execution. We call a collection of realized values (γ1 , γ2 , . . . , γn ) a behavior of instance I . We define the criticality level, or simply criticality, of a behavior (γ1 , γ2 , . . . , γn ) of I as the smallest integer  such that γj ≤ cj () for all j = 1, . . . , n. If there is no such , we define that behavior to be erroneous.

Definition 1 (Correct schedule). A schedule for a behavior (γ1 , γ2 , . . . , γn ) of criticality  is correct if every job Jj with χj ≥  receives execution time γj within the time interval [rj , dj ].

A clairvoyant scheduling algorithm is one that always knows the behavior of I , i.e., the values (γ1 , γ2 , . . . , γn ), prior to determining a schedule for I .

Definition 2 (Clairvoyant schedulability). An instance I is clairvoyantly schedulable if there exists a correct schedule for each non-erroneous behavior of I .

By contrast, an on-line scheduling algorithm discovers the value of γj only by executing Jj until it signals completion; thus, the criticality level of the behavior becomes known only by executing jobs. At each time instant, scheduling decisions can be based only on the partial information revealed thus far.

Definition 3 (Correct scheduling algorithm). An on-line scheduling algorithm is correct for instance I if it generates a correct schedule for every non-erroneous behavior of instance I .

Definition 4 (A-schedulability). An instance I is said to be A-schedulable if the on-line scheduling algorithm A is correct for I .

Definition 5 (MC-schedulability). An instance I is MC-schedulable if it is A-schedulable for some on-line scheduling algorithm A.

Mixed-criticality tasks Models for representing recurrent workloads, such as the periodic and the sporadic task models, are widely studied in real-time scheduling theory (see, e.g., Stigge and Yi 2013; Stigge 2014 for a survey). Such recurrent models, too, have been generalized to the mixed-criticality context; below, we define the mixed-criticality generalization of a particularly well-known recurrent task model, the 3-parameter sporadic task model (Liu and Layland 1973; Mok 1983).


As above, let L ∈ N+ denote the number of distinct criticality levels. A mixed-criticality sporadic task τi is characterized by a 4-tuple (χi , Ci , Di , Ti ), where:

• χi ∈ {1, 2, . . . , L} is the criticality level of the task (as with jobs, the mnemonics LO and HI are often instead used with respect to dual-criticality systems).
• Ci = Ci (1), Ci (2), . . . , Ci (L) is a vector of worst-case execution times (WCET), one for each criticality level in the system. We assume that Ci (1) ≤ Ci (2) ≤ . . . ≤ Ci (L).
• Di ∈ Q+ is the relative deadline parameter of task τi .
• Ti ∈ Q+ is the minimum inter-arrival separation parameter of task τi . (For historical reasons, Ti is often referred to as the period of τi .)

Task τi generates an unbounded sequence of jobs (Ji1 , Ji2 , . . .), with each job Jij = (rij , dij , χij , cij ) characterized by a release time, a deadline, a criticality level, and a WCET vector (as discussed earlier). The values for these job parameters are determined as follows:

1. The release time of the first job Ji1 that is generated by task τi may have any nonnegative value; successive release times are separated by at least Ti time units: ri(j+1) ≥ rij + Ti
2. The deadline of each job is Di time units after its arrival: dij = aij + Di
3. Jij ’s criticality level is set to that of task τi : χij = χi
4. The WCET vector of Jij is equal to the WCET vector of task τi : ∀  : 1 ≤  ≤ L : cij () = Ci ()

Note that the release times of the jobs – the rij values – are not known beforehand but only become revealed during run-time: the release time rij of job Jij becomes known at the time-instant rij .

A mixed-criticality sporadic task system τ comprises a collection of mixed-criticality sporadic tasks, each characterized as described above. Since the release times of the jobs of each task are not fixed beforehand, any such task system may in general generate arbitrarily many different instances of jobs during run-time, these different instances being characterized by different values for the job release times (the rij values).


Concepts analogous to those in Definitions 2, 3, 4, and 5 may be defined for mixed-criticality sporadic task systems:

Definition 6 (terminology for sporadic tasks).
• Mixed-criticality sporadic task system τ is clairvoyantly schedulable if there exists a correct schedule for every non-erroneous behavior of every instance of jobs generated by τ .
• An on-line scheduling algorithm is correct for a mixed-criticality sporadic task system τ if the algorithm generates a correct schedule for every non-erroneous behavior of every instance of jobs generated by τ .
• Mixed-criticality sporadic task system τ is A-schedulable if A is an on-line scheduling algorithm that is correct for τ .
• Mixed-criticality sporadic task system τ is MC-schedulable if it is A-schedulable for some on-line scheduling algorithm A.

3 The Uniprocessor Scheduling of Collections of MC Jobs

In this section, we present some results concerning the scheduling of mixed-criticality systems that are represented as collections of independent mixed-criticality jobs. For the most part in the remainder of this chapter, we will simply state results and discuss their significance, citing appropriate references where proofs may be found; however, we do include an occasional proof in order to provide a flavor for the kinds of techniques that are used in deriving results in mixed-criticality scheduling theory.

Result 1 (From Baruah et al. 2012a). All job instances that are MC-schedulable are also clairvoyantly schedulable. There are dual-criticality instances (recall that for such dual-criticality instances, the mnemonics LO and HI represent the lower and higher criticality levels, respectively) that are clairvoyantly schedulable on a preemptive uniprocessor but that are not MC-schedulable on a processor that is less than (1 + √5)/2 times as fast.

Proof. It is obvious that an MC-schedulable instance is also clairvoyantly schedulable. To see the result in the other direction, let σ denote any number greater than one, and consider the instance depicted in Table 2. It is easily verified that this instance is clairvoyantly schedulable on a unit-speed processor: J1 could be executed followed by J2 in any LO-criticality behavior, while only J2 would be executed in any HI-criticality behavior.

Table 2 A dual-criticality instance of jobs that is used in the proof of Result 1

      ri   di   χi   ci (LO)    ci (HI)
J1    0    1    LO   1          1
J2    0    σ    HI   (σ − 1)    σ


To analyze its MC-schedulability, consider its scheduling upon a speed-s processor, for any value of s > 1.

• If J1 receives one entire unit of execution before J2 receives (σ − 1) units of execution, then the behavior is revealed to be a HI-criticality one: J2 needs σ units of execution in order to signal completion. The total amount of execution is therefore (1 + σ); upon a speed-s processor, this will complete by time-instant (1 + σ)/s. In order for J2 to complete by its deadline, we need

$$\frac{1+\sigma}{s} \le \sigma \;\Leftrightarrow\; s \ge 1 + \frac{1}{\sigma} \tag{1}$$

• Otherwise, J2 receives (σ − 1) units of execution before J1 has received one complete unit of execution. J2 signals completion upon receiving (σ − 1) units of execution, thereby revealing this behavior to be a LO-criticality one. J1 must therefore complete by its deadline, and the total amount of execution needed by both jobs together is (σ − 1) + 1 or σ. In order for J1 to complete by its deadline of 1 upon a speed-s processor, we need

$$\frac{\sigma}{s} \le 1 \;\Leftrightarrow\; s \ge \sigma \tag{2}$$

Since at least one of Condition (1) or (2) must necessarily be satisfied if this instance is to be scheduled correctly, it is necessary that

$$s \ge \min\left\{ 1 + \frac{1}{\sigma},\; \sigma \right\}.$$

Observe that (1 + 1/σ) decreases, while σ (obviously!) increases, with increasing σ. The smallest value of s satisfying this is therefore the solution to

$$1 + \frac{1}{\sigma} = \sigma \;\Leftrightarrow\; \sigma^2 - \sigma - 1 = 0$$

which is the constant (√5 + 1)/2, commonly referred to as the golden ratio.



As was pointed out in Baruah et al. (2012a), the problem of determining clairvoyant schedulability is easily reduced to the problem of determining schedulability of non-MC instances: for each criticality level , we need to simply verify whether all jobs of criticality level  or greater can be successfully scheduled if each executes for up to its level- WCET parameter estimate. In particular, this implies that clairvoyant schedulability upon a preemptive uniprocessor can be verified in polynomial time. What about MC-schedulability? Determining this is not quite as tractable, as stated in the following result.


Result 2 (From Baruah et al. 2012a). The problem of determining whether a mixed-criticality instance is MC-schedulable is NP-hard in the strong sense, even when all release times are identical and there are only two criticality levels.

The result above indicates that we are unlikely to be able to have a polynomial-time on-line scheduling algorithm that is correct for all MC instances. A polynomial-time algorithm called OCBP (for Own Criticality Based Priority) was proposed in Baruah et al. (2010) that is correct for some MC instances. OCBP’s effectiveness was characterized in the following manner (a brief description of the algorithm follows this characterization):

Result 3 (From Baruah et al. 2012a). If instance I with L criticality levels is MC-schedulable on a given processor, then I is OCBP-schedulable on a processor that is sL times as fast, with sL equal to the root of the equation $x^L = (1 + x)^{L-1}$, and this factor is tight. Furthermore, it holds that sL = Θ(L/ ln L). For the special case of L = 2 (i.e., for dual-criticality instances), the root of the equation $x^2 = (1 + x)^{2-1}$ or $x^2 = (1 + x)$ is the golden ratio, (√5 + 1)/2.

We now provide a brief description of OCBP. In order to schedule an MC instance I , OCBP first determines, prior to run-time, a total priority ordering of the jobs. During run-time it simply executes at each moment in time the currently active job with the highest priority.

The priority ordering is constructed recursively using the approach that is commonly referred to in the real-time scheduling literature as the “Audsley approach” (Audsley 1991, 1993). (We point out that, while this is essentially the same as the technique that had been introduced in 1973 by Lawler (1973), it was developed independently of Lawler’s work in Audsley (1991, 1993).) First, we determine the lowest-priority job: job Ji may be assigned the lowest priority if there is at least ci (χi ) time between its release time and its deadline available when every other job Jj is executed with greater priority than Ji , for a duration cj (χi ) time units (i.e., the WCET of job Jj according to the criticality level of job Ji ). This can be determined by simulating the behavior of the schedule under the assumption that every job other than Ji has priority over Ji (and ignoring whether these other jobs meet their deadlines or not – i.e., they may execute under any relative priority ordering and will continue executing even beyond their deadlines). Once a lowest-priority job has been identified in this manner, the procedure is recursively called on the set of jobs excluding the one identified as the lowest-priority job, until all jobs are ordered, or at some iteration, a lowest-priority job cannot be identified.

The correctness of OCBP is proved in Baruah et al. (2010). As to its running time, it is evident that the OCBP priority list for an instance of n jobs can be determined in time polynomial in n: at most n jobs need be tested to determine whether they can be the lowest-priority job; at most (n − 1) jobs whether they can be the 2nd-lowest priority jobs; etc. Therefore, at most n + (n − 1) + · · · + 3 + 2 + 1 = $O(n^2)$ simulations need be run, and each simulation takes polynomial time.
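The priority-list construction described above can be sketched as follows. This is an added example, not code from the chapter or from the cited papers: the `Job` class, the function names, the `speed` parameter (a job needing c units of execution occupies c/speed time) and the three-job instance are assumptions made for illustration, while the two-job instance is Table 2 with σ = 2.

```python
from dataclasses import dataclass
from fractions import Fraction as F

LO, HI = 0, 1  # indices into a job's WCET vector (c(LO), c(HI))


@dataclass(frozen=True)
class Job:
    name: str
    release: F
    deadline: F
    crit: int     # chi_j: LO or HI
    wcet: tuple   # (c_j(LO), c_j(HI))


def busy_time(others, level, speed, start, end):
    """Processor time inside [start, end) used by `others` when each runs for
    its level-`level` WCET. Any work-conserving order of `others` yields the
    same busy intervals, so release order is used here."""
    used, t = F(0), F(0)
    for job in sorted(others, key=lambda j: j.release):
        begin = max(t, job.release)
        t = begin + job.wcet[level] / speed
        used += max(F(0), min(t, end) - max(begin, start))
    return used


def can_be_lowest(job, others, speed):
    """OCBP test: with all other jobs ahead of `job`, each running for its
    WCET at level chi_job, is c_job(chi_job) still available in the window?"""
    window = job.deadline - job.release
    idle = window - busy_time(others, job.crit, speed, job.release, job.deadline)
    return idle >= job.wcet[job.crit] / speed


def ocbp_priorities(jobs, speed=1):
    """Job names from highest to lowest priority, or None if at some
    iteration no remaining job can be given the lowest priority."""
    speed = F(speed)
    remaining, lowest_first = list(jobs), []
    while remaining:
        for cand in remaining:
            others = [j for j in remaining if j is not cand]
            if can_be_lowest(cand, others, speed):
                lowest_first.append(cand.name)
                remaining.remove(cand)
                break
        else:
            return None
    return lowest_first[::-1]


def table2_instance(sigma):
    """The dual-criticality instance of Table 2 for a given sigma > 1."""
    sigma = F(sigma)
    return [
        Job("J1", F(0), F(1), LO, (F(1), F(1))),
        Job("J2", F(0), sigma, HI, (sigma - 1, sigma)),
    ]


def constructed_instance():
    """A constructed three-job instance (not from the chapter)."""
    return [
        Job("A", F(0), F(2), LO, (F(1), F(1))),
        Job("B", F(0), F(4), HI, (F(1), F(2))),
        Job("C", F(0), F(6), HI, (F(1), F(2))),
    ]


if __name__ == "__main__":
    for s in (F(1), F(7, 5), F(3, 2)):
        print("Table 2, sigma=2, speed", s, "->",
              ocbp_priorities(table2_instance(2), s))
    print("constructed ->", ocbp_priorities(constructed_instance()))
```

For σ = 2 the bound min{1 + 1/σ, σ} from the proof of Result 1 is 3/2, and the sketch finds an OCBP ordering at speed 3/2 but none at speed 1 or 7/5.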


Some improvements to OCBP have subsequently been proposed. An algorithm called mixed-criticality EDF (MCEDF) was presented in Socci et al. (2013) for dual-criticality instances (i.e., instances with L = 2) and shown to strictly dominate OCBP: although its worst-case performance is no better than as characterized by Result 2 above, there are MCEDF-schedulable instances that are not OCBP-schedulable. A generalization of MCEDF that is capable of handling precedence constraints among the jobs in the instance was presented in Socci et al. (2015); however, no nontrivial quantitative characterization of this algorithm’s effectiveness upon such precedence-constrained jobs is known. (For the special case of no precedence constraints, this generalization reduces to MCEDF.)

4 The Uniprocessor Scheduling of Collections of MC Tasks

In this section, we will present a selection of results taken from the vast literature on the scheduling of systems of mixed-criticality sporadic tasks. A collection of additional results may be found in the rather comprehensive survey paper by Burns and Davis (2016).

Many run-time scheduling algorithms are priority based: a priority is associated with each job at each instant in time, and the highest-priority available job is selected for execution. Such priority-based algorithms for scheduling systems of sporadic tasks may be classified as fixed-priority or dynamic-priority algorithms. In fixed-priority scheduling algorithms, a distinct priority is associated with each sporadic task, and all the jobs generated by the task are assigned the task’s priority. In dynamic-priority scheduling algorithms, by contrast, different jobs of the same task may be assigned different priorities (and indeed the priority of a job may change dynamically during run-time). We start out considering the fixed-priority scheduling of MC sporadic task systems in Sect. 4.1; dynamic-priority scheduling is considered in Sect. 4.2.

4.1 Fixed Priority Scheduling

Vestal’s seminal paper on mixed-criticality scheduling (Vestal 2007) considered the fixed-priority scheduling of systems of sporadic tasks upon a preemptive uniprocessor platform. It proposed that the Audsley approach (Audsley 1991, 1993) be applied to determine a priority assignment to the tasks (as we had seen in Sect. 3, the Audsley approach was also used to assign priorities to jobs in the OCBP algorithm for scheduling mixed-criticality instances comprising collections of independent jobs). Specifically, a task that would execute correctly if assigned lowest priority is identified and assigned lowest priority and the process recursively applied to the remaining collection of tasks. We illustrate the procedure on the simple example task system of Table 3.

Table 3 A system of three dual-criticality sporadic tasks, discussed in Sects. 4.1 and 4.2

      χi   Ci (LO)   Ci (HI)   Di    Ti
τ1    LO   2         3         4     4
τ2    HI   3         4         20    20
τ3    HI   20        20        500   500

1. We first seek to determine which task may be assigned lowest priority. It is evident that neither τ1 nor τ2 are candidates, since τ3 ’s WCET estimate at either criticality level is larger than D1 and equal to D2 . To determine whether τ3 may be assigned lowest priority, we must check to see whether jobs of τ3 would meet their deadlines at lowest priority when all higher-priority jobs execute for a duration equal to their WCETs estimated at τ3 ’s criticality level, i.e., HI. This is easily verified by using the standard techniques of response time analysis (Joseph and Pandya 1986; Lehoczky et al. 1989); the response-time recurrence for τ3 ’s worst-case response time is given by

$$R_3 = C_3(\mathrm{HI}) + \left\lceil \frac{R_3}{T_1} \right\rceil \times C_1(\mathrm{HI}) + \left\lceil \frac{R_3}{T_2} \right\rceil \times C_2(\mathrm{HI}) = 20 + \left\lceil \frac{R_3}{4} \right\rceil \times 3 + \left\lceil \frac{R_3}{20} \right\rceil \times 4$$

which has a fixpoint at R3 = 400. Since this is ≤ D3 , response time analysis leads us to conclude that τ3 may indeed be assigned lowest priority.

2. Next, we seek to determine which of τ1 , τ2 may be assigned lower priority. If τ1 were assigned lower priority than τ2 , the recurrence for τ1 ’s worst-case response time is given by

$$R_1 = C_1(\mathrm{LO}) + \left\lceil \frac{R_1}{T_2} \right\rceil \times C_2(\mathrm{LO}) = 2 + \left\lceil \frac{R_1}{20} \right\rceil \times 3 \tag{3}$$

which has its earliest fixpoint at R1 = 5. Since this exceeds D1 , we conclude that τ1 may not be assigned lower priority than τ2 and so must check whether τ2 may be assigned lower priority than τ1 . If τ2 were assigned lower priority than τ1 , the recurrence for τ2 ’s worst-case response time is given by

$$R_2 = C_2(\mathrm{HI}) + \left\lceil \frac{R_2}{T_1} \right\rceil \times C_1(\mathrm{HI}) = 4 + \left\lceil \frac{R_2}{4} \right\rceil \times 3 \tag{4}$$

the smallest fixpoint of which, at R2 = 16, is not larger than D2 ; hence, τ2 may indeed be assigned lower priority than τ1 .

3. The final priority ordering is therefore: τ1 gets highest priority, τ2 is next, and τ3 has lowest priority.


It was suggested in Baruah et al. (2011b) that run-time mechanisms, capable of monitoring and preventing jobs from executing beyond a specified “budget”, are needed for many mixed-criticality systems. If available, such monitoring mechanisms could be used to prevent any job from executing for a duration greater than its WCET estimated at a level of assurance corresponding to its own criticality level. (If a job Ji fails to complete upon executing for ci (χi ) units, the behavior is of a criticality level greater than χi , and hence MC correctness does not require this job to complete execution. The run-time algorithm may therefore drop the job without violating MC correctness criteria.) That is, for all tasks, we would be able to enforce the property that

For all  ≥ χi : Ci () = Ci (χi )    (5)

Observe that τ1 in the task system listed in Table 3 does not currently satisfy this constraint: even though it is a LO-criticality task, its HI-criticality WCET, at 3, is larger than its LO-criticality WCET (which is 2). Let us modify this task system by changing C1 (HI) to 4 from its current value of 3; it may be verified that the system becomes unschedulable under fixed-priority scheduling – Recurrence (3) above remains unchanged, meaning that τ1 cannot be assigned lower priority than τ2 , while Recurrence (4) changes in the following manner:

$$R_2 = C_2(\mathrm{HI}) + \left\lceil \frac{R_2}{T_1} \right\rceil \times C_1(\mathrm{HI}) = 4 + \left\lceil \frac{R_2}{4} \right\rceil \times 4$$

which has no finite fixpoint. In the presence of run-time monitoring mechanisms that can cap the execution of each job of τ1 at C1 (LO) = 2 in all behaviors, including HI-criticality ones, however, Recurrence (4) is as follows:

$$R_2 = C_2(\mathrm{HI}) + \left\lceil \frac{R_2}{T_1} \right\rceil \times C_1(\mathrm{HI}) = 4 + \left\lceil \frac{R_2}{4} \right\rceil \times 2$$

the smallest fixpoint of which is at R2 = 8 which is ≤ D2 , thus indicating that τ2 may be assigned lower priority than τ1 .

The modification of Vestal’s algorithm to the case where run-time monitoring ensures that Condition (5) holds for all tasks was called Static Mixed Criticality (SMC) in Baruah et al. (2011c) and studied extensively there for the case of two criticality levels. Another algorithm, Adaptive Mixed Criticality (AMC), was also introduced in Baruah et al. (2011c) and shown to strictly dominate SMC, at the cost of greater computational complexity. Two “flavors” of AMC – AMC-rtb and AMC-max – were defined; AMC-max was shown to dominate AMC-rtb, but it is computationally significantly more expensive.
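The priority assignment worked through in steps 1 to 3 above, and the effect of run-time budget enforcement on Recurrence (4), can be reproduced with the following sketch. It is an added example, not code from the chapter or the cited papers: the `Task` class, the function names and the `monitored` flag (which caps a higher-priority task's interference at the WCET of its own criticality level, as Condition (5) would enforce) are assumptions made for illustration; the task parameters are those of Table 3.

```python
from dataclasses import dataclass

LO, HI = 0, 1  # indices into a task's WCET vector (C(LO), C(HI))


@dataclass(frozen=True)
class Task:
    name: str
    crit: int      # chi_i: LO or HI
    wcet: tuple    # (C_i(LO), C_i(HI))
    deadline: int  # D_i
    period: int    # T_i


def response_time(task, higher, monitored=False):
    """Smallest fixpoint of R = C_i(chi_i) + sum_j ceil(R / T_j) * C_j(level)
    over the higher-priority tasks, or None once R exceeds D_i.
    Unmonitored (Vestal): level = chi_i. Monitored (budget enforcement):
    level = min(chi_i, chi_j), so a LO task never runs past C(LO)."""
    def interference(hp):
        level = min(task.crit, hp.crit) if monitored else task.crit
        return hp.wcet[level]

    own = task.wcet[task.crit]
    r = own
    while r <= task.deadline:
        # -(-a // b) is integer ceil(a / b) without floating point
        nxt = own + sum(-(-r // hp.period) * interference(hp) for hp in higher)
        if nxt == r:
            return r
        r = nxt
    return None


def audsley(tasks, monitored=False):
    """[(name, response time)] from highest to lowest priority, or None if at
    some iteration no remaining task is schedulable at lowest priority."""
    remaining, lowest_first = list(tasks), []
    while remaining:
        for cand in remaining:
            higher = [t for t in remaining if t is not cand]
            r = response_time(cand, higher, monitored)
            if r is not None:
                lowest_first.append((cand.name, r))
                remaining.remove(cand)
                break
        else:
            return None
    return lowest_first[::-1]


# Task system of Table 3.
TABLE3 = [
    Task("tau1", LO, (2, 3), 4, 4),
    Task("tau2", HI, (3, 4), 20, 20),
    Task("tau3", HI, (20, 20), 500, 500),
]

# The modification discussed in the text: C1(HI) raised from 3 to 4.
MODIFIED = [Task("tau1", LO, (2, 4), 4, 4)] + TABLE3[1:]

if __name__ == "__main__":
    print("Table 3:            ", audsley(TABLE3))
    print("C1(HI)=4, no budget:", audsley(MODIFIED))
    print("C1(HI)=4, budgeted: ", audsley(MODIFIED, monitored=True))
```

With budget enforcement the modified system is schedulable again, and the response time of τ2 drops from 16 to 8, matching the fixpoints computed in the text.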

4.2 Dynamic Priority Scheduling

We now consider dynamic-priority algorithms for scheduling mixed-criticality sporadic task systems upon a preemptive uniprocessor. Most such algorithms are generalizations of the Earliest Deadline First (EDF) scheduling algorithm (Liu and Layland 1973; Dertouzos 1974) that has been widely studied in the context of scheduling non-MC real-time workloads.

To our knowledge, the first EDF-based algorithm for scheduling mixed-criticality sporadic task systems is EDF-VD (for EDF with Virtual Deadlines). EDF-VD was first introduced in Baruah et al. (2011a) for scheduling implicit-deadline sporadic task systems – sporadic task systems satisfying the additional property that for each task τi , we have Di = Ti (hence, the example task system of Table 3 is an implicit-deadline sporadic task system).

Let us first discuss EDF-VD in the context of dual-criticality systems. The essential idea behind EDF-VD is to have HI-criticality jobs complete well before their deadlines, while system behavior is compliant with LO-criticality specifications – this guarantees that if the behavior ceases to be compliant with the LO-criticality specifications, there is sufficient computing capacity available to nevertheless complete all HI-criticality jobs by their deadlines (after discarding all LO-criticality jobs). More specifically, suppose that at some time instant t ∗ a job of some task τi does not complete despite having received Ci (LO) units of execution. The behavior is no longer compliant with LO-criticality specifications; hence MC correctness does not require the correct execution of LO-criticality tasks, and we may therefore discard all LO-criticality jobs. Informally, EDF-VD seeks to ensure for each HI-criticality task τi (see Fig. 2) that is active – arrived but not completed execution – at time t ∗ that there is enough capacity available on the processor to enable τi ’s currently active job to complete execution by its deadline, provided only HI-criticality jobs execute henceforth. To achieve this, it will ensure that as long as the system is behaving according to its LO-criticality specifications, τi ’s job would have completed well before its actual HI-criticality deadline (by d  in Fig. 2, where the actual deadline is denoted d). It will thus ensure that if it is active at time instant t ∗ , there is sufficient computing capacity freed up by the discarded LO-criticality tasks over the interval [d  , d), to schedule τi ’s job to completion by its actual deadline at d.

In order to achieve this, EDF-VD defines several utilization parameters for implicit-deadline sporadic task system τ : for each x, y ∈ {LO, HI}, $U_x^y$ is defined in the following manner:

$$U_x^y = \sum_{\tau_i \in \tau \,\wedge\, \chi_i = x} \frac{C_i(y)}{T_i}$$

Fig. 2 A job of HI-criticality task τi arrives at time to and therefore has a deadline at d = to + Ti . But it is scheduled assuming a deadline at d  ← to + x × Ti (for a computed value of x that is < 1). The criticality level change is triggered at t ∗ ≤ d 

Thus for example, $U_{HI}^{LO}$ denotes the sum of the utilizations of all the HI-criticality tasks in τ , under the assumption that each job of each task executes for no more than its LO-criticality WCET. For instance, for our example implicit-deadline sporadic task system of Table 3, we would have

$$U_{LO}^{LO} = \frac{2}{4} = 0.5, \quad \text{and} \quad U_{HI}^{LO} = \frac{3}{20} + \frac{20}{500} = 0.19$$

Algorithm EDF-VD is now defined as comprising the following steps:

1. Prior to run-time, Algorithm EDF-VD computes a scaling factor x using these utilization parameters, as follows:

$$x \leftarrow \frac{U_{HI}^{LO}}{1 - U_{LO}^{LO}} \tag{6}$$

   For the example system of Table 3,

$$x \leftarrow \frac{0.19}{1 - 0.5} = 0.38$$

2. During run-time, the system is initially assumed to be exhibiting LO-criticality behavior. Suppose that a job of τi arrives at time-instant to .
   a. If τi is a LO-criticality task, then this job is assigned a scheduling deadline at to + Ti .
   b. Else τi is a HI-criticality task, and this job is assigned a scheduling deadline at to + x Ti .
   Admitted jobs are scheduled according to the EDF scheduling discipline: at each instant in time, the currently admitted available job with the earliest assigned deadline is selected for execution (ties broken arbitrarily).
3. If during run-time a job fails to signal completion despite having executed for an amount equal to its LO-criticality WCET, then HI-criticality behavior is identified. The following actions are taken:
   a. All LO-criticality jobs are immediately discarded; henceforth no LO-criticality jobs will be admitted, and
   b. all previously admitted and future-arriving HI-criticality jobs are scheduled by EDF using their actual deadlines, rather than their scaled ones (i.e., a job of τi that arrives at time to is considered by EDF to have a scheduling deadline to + Ti ).

It was proved in Baruah et al. (2011a) that a sufficient condition for EDF-VD to successfully schedule τ is that

$$x + U_{HI}^{HI} \le 1$$

A better condition was subsequently derived (Baruah et al. 2012b):

$$x\,U_{LO}^{LO} + U_{HI}^{HI} \le 1 \tag{7}$$

(Since $U_{LO}^{LO}$ is necessarily ≤ 1 in order that τ be feasible upon a uniprocessor, it is evident that this second condition is better than the first – any task system satisfying the first condition also satisfies the second, while the converse is not true.) Based on Condition (7) above, the following result was obtained in Baruah et al. (2012b).

Result 4 (From Baruah et al. 2012b). If a dual-criticality implicit-deadline sporadic task system is MC-schedulable upon a particular preemptive processor, then it is EDF-VD schedulable upon a processor that is 4/3 times as fast.

This result was subsequently generalized in Baruah et al. (2015) to systems with more than two criticality levels. For systems with three criticality levels (L = 3), it was shown that EDF-VD has a speedup bound equal to two: any MC-schedulable 3-level implicit-deadline sporadic task system is EDF-VD schedulable upon a processor that is twice as fast. For systems with more than three criticality levels, speedup bounds for EDF-VD were expressed as the solution of a nonlinear optimization problem that can be solved using numerical techniques.

An extension of EDF-VD that is applicable to MC sporadic task systems that are not implicit-deadline – i.e., the Di and Ti parameters of tasks are not required to be equal – was introduced in Li (2013) and Baruah et al. (2015); for dual-criticality systems (i.e., if L = 2), this generalization was shown to have a speedup bound of approximately 1.866:

Result 5 (From Li 2013; Baruah et al. 2015). If a dual-criticality arbitrary-deadline sporadic task system is MC-schedulable upon a particular preemptive processor, then it is EDF-VD schedulable upon a processor that is (1 + √3/2), i.e., ≈ 1.866, times as fast.

As was described above, the EDF-VD algorithm computes a scaling factor x and uses this to scale the duration of the scheduling windows – the interval between a job’s release and its scheduling deadline – of all HI-criticality jobs in LO-criticality behaviors. Ekberg and Yi (2012) and Guan et al. (2011) considered approaches in which different scaling factors could be used for different HI-criticality tasks; although they do not provide quantitative metrics of worst-case performance (such as the speedup factors characterizing EDF-VD), they report experimental evidence, based upon simulations of randomly generated workloads, which indicate superior performance. Several extensions to the approach of applying nonuniform scaling factors have been considered in, e.g., Ekberg and Yi (2014), Easwaran (2013), Chen et al. (2014), Müller and Masrur (2014), Masrur et al. (2015) that consider tradeoffs between the poorer computational complexity of these approaches vis-à-vis EDF-VD and their superior performance on randomly generated workloads.
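The pre-run-time computation of EDF-VD (utilization parameters, scaling factor x, the two sufficient conditions) and its deadline assignment before and after a criticality change can be sketched as follows. This is an added example, not code from the chapter or the cited papers: the `Task` class, the function names and the two-task `CONSTRUCTED` system are assumptions made for illustration; `TABLE3` holds the parameters of Table 3.

```python
from dataclasses import dataclass
from fractions import Fraction as F

LO, HI = 0, 1  # indices into a task's WCET vector (C(LO), C(HI))


@dataclass(frozen=True)
class Task:
    name: str
    crit: int    # chi_i: LO or HI
    wcet: tuple  # (C_i(LO), C_i(HI))
    period: int  # T_i, with implicit deadline D_i = T_i


def utilization(tasks, crit, level):
    """U_crit^level: sum of C_i(level) / T_i over tasks with chi_i = crit."""
    return sum((F(t.wcet[level], t.period) for t in tasks if t.crit == crit), F(0))


def edf_vd_analysis(tasks):
    """Scaling factor x of Eq. (6) and the two sufficient conditions."""
    u_lo_lo = utilization(tasks, LO, LO)
    u_hi_lo = utilization(tasks, HI, LO)
    u_hi_hi = utilization(tasks, HI, HI)
    if u_lo_lo >= 1:
        return None  # Eq. (6) is undefined
    x = u_hi_lo / (1 - u_lo_lo)
    return {
        "x": x,
        "first_condition": x + u_hi_hi <= 1,        # Baruah et al. (2011a)
        "condition_7": x * u_lo_lo + u_hi_hi <= 1,  # Condition (7)
    }


def scheduling_deadline(task, arrival, x, hi_mode):
    """Deadline handed to EDF for a job arriving at `arrival` (steps 2 and 3);
    None means the job is discarded."""
    if task.crit == LO:
        return None if hi_mode else arrival + task.period
    return arrival + (task.period if hi_mode else x * task.period)


def edf_queue(jobs, x, hi_mode):
    """Admitted (task, arrival) pairs as (name, deadline), in EDF order."""
    queue = [(t.name, scheduling_deadline(t, a, x, hi_mode)) for t, a in jobs]
    return sorted((q for q in queue if q[1] is not None), key=lambda q: q[1])


TABLE3 = [
    Task("tau1", LO, (2, 3), 4),
    Task("tau2", HI, (3, 4), 20),
    Task("tau3", HI, (20, 20), 500),
]

# Constructed system (not from the chapter): satisfies Condition (7) but
# fails the earlier, weaker test.
CONSTRUCTED = [
    Task("lo", LO, (4, 4), 10),
    Task("hi", HI, (3, 6), 10),
]

if __name__ == "__main__":
    res = edf_vd_analysis(TABLE3)
    print("Table 3:", res)
    print("constructed:", edf_vd_analysis(CONSTRUCTED))
    # Active jobs at time 4: tau1 released at 4, tau2 and tau3 released at 0.
    jobs = [(TABLE3[0], 4), (TABLE3[1], 0), (TABLE3[2], 0)]
    print("LO mode:", edf_queue(jobs, res["x"], hi_mode=False))
    print("HI mode:", edf_queue(jobs, res["x"], hi_mode=True))
```

In LO mode the virtual deadline of τ2 (7.6) places it ahead of τ1's job with deadline 8; after the switch τ1's job is discarded and the HI-criticality jobs revert to their actual deadlines.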

5 Further Information

Since its origins in the year 2007, mixed-criticality scheduling theory has proved to be a rich and intellectually rewarding subdiscipline of real-time computing. This chapter has attempted to provide a flavor of the subdiscipline as it pertains to preemptive uniprocessor systems – it is not intended to be a comprehensive guide. The following is a (non-comprehensive) list of valuable sources of additional information:

1. The survey paper by Burns and Davis (2016) that is maintained on-line, currently (February 2017) in its seventh edition, lists a large number of research papers devoted to this topic.
2. The seminal paper on mixed-criticality scheduling by Vestal (2007) was published in the proceedings of the IEEE Real-Time Systems Symposium (RTSS). RTSS and the Euromicro Conference on Real-Time Systems (ECRTS) are widely accepted as being the premier international conferences on real-time scheduling; most editions of both conferences in recent years (since 2008) have had one to several papers dealing with mixed-criticality scheduling and implementation.
3. An international workshop, the Workshop on Mixed-Criticality Systems (WMC), has been held annually since 2013. The WMC proceedings from these years provide a nice overview of the evolving state of research on mixed-criticality scheduling.

In this chapter, we have, for the most part, presented results but omitted their proofs, preferring to instead discuss the significance of the presented results. All proofs may be found in the cited primary sources from which the results are taken.

References

N.C. Audsley, Optimal priority assignment and feasibility of static priority tasks with arbitrary start times. Tech. rep., The University of York, England (1991)
N.C. Audsley, Flexible scheduling in hard-real-time systems. Ph.D. thesis, Department of Computer Science, University of York (1993)


S. Baruah, H. Li, L. Stougie, Towards the design of certifiable mixed-criticality systems, in Proceedings of the IEEE Real-Time Technology and Applications Symposium (RTAS) (IEEE, 2010)
S. Baruah, V. Bonifaci, G. D’Angelo, A. Marchetti-Spaccamela, S. van der Ster, L. Stougie, Mixed-criticality scheduling of sporadic task systems, in Proceedings of the 19th Annual European Symposium on Algorithms (Springer, Saarbrucken, 2011a), pp. 555–566
S. Baruah, A. Burns, Implementing mixed criticality systems in Ada, in Proceedings of Reliable Software Technology – Ada Europe 2011. LNCS, vol. 6652, ed. by A. Romanovsky, T. Vardanega (Springer, 2011b), pp. 174–188
S. Baruah, A. Burns, R. Davis, Response-time analysis for mixed criticality systems, in Proceedings of the IEEE Real-Time Systems Symposium (RTSS) (IEEE Computer Society Press, Vienna, 2011c)
S.K. Baruah, V. Bonifaci, G. D’Angelo, H. Li, A. Marchetti-Spaccamela, N. Megow, L. Stougie, Scheduling real-time mixed-criticality jobs. IEEE Trans. Comput. 61(8), 1140–1152 (2012a)
S. Baruah, V. Bonifaci, G. D’Angelo, H. Li, A. Marchetti-Spaccamela, S. van der Ster, L. Stougie, The preemptive uniprocessor scheduling of mixed-criticality implicit-deadline sporadic task systems, in Proceedings of the 2012 24th Euromicro Conference on Real-Time Systems, ECRTS ’12 (IEEE Computer Society, Pisa, 2012b)
S. Baruah, V. Bonifaci, G. D’Angelo, H. Li, A. Marchetti-Spaccamela, S. van der Ster, L. Stougie, Preemptive uniprocessor scheduling of mixed-criticality sporadic task systems. J. ACM 62(2), 14:1–14:33 (2015). https://doi.org/10.1145/2699435
A. Burns, R. Davis, Mixed-Criticality Systems: A Review, 7th edn. (2016). http://www-users.cs.york.ac.uk/~burns/review.pdf (Accessed on 16 July 2016)
Y. Chen, Q. Li, Z. Li, H. Xiong, Efficient schedulability analysis for mixed-criticality systems under deadline-based scheduling. Chin. J. Aeronautics 27(4), 856–866 (2014). https://doi.org/10.1016/j.cja.2014.05.003. //www.sciencedirect.com/science/article/pii/S1000936114001022
M. Dertouzos, Control robotics: the procedural control of physical processors, in Proceedings of the IFIP Congress, 1974, pp. 807–813
A. Easwaran, Demand-based scheduling of mixed-criticality sporadic tasks on one processor, in 2013 IEEE 34th Real-Time Systems Symposium, 2013, pp. 78–87. https://doi.org/10.1109/RTSS.2013.16
P. Ekberg, W. Yi, Bounding and shaping the demand of mixed-criticality sporadic tasks, in Proceedings of the 2012 24th Euromicro Conference on Real-Time Systems, ECRTS ’12 (IEEE Computer Society Press, Pisa, 2012)
P. Ekberg, W. Yi, Bounding and shaping the demand of generalized mixed-criticality sporadic task systems. Real-Time Syst. 50(1), 48–86 (2014). https://doi.org/10.1007/s11241-013-9187-z
N. Guan, P. Ekberg, M. Stigge, W. Yi, Effective and efficient scheduling for certifiable mixed criticality sporadic task systems, in Proceedings of the IEEE Real-Time Systems Symposium (RTSS) (IEEE Computer Society Press, Vienna, 2011)
M. Joseph, P. Pandya, Finding response times in a real-time system. Comput. J. 29(5), 390–395 (1986)
E.L. Lawler, Optimal sequencing of a single machine subject to precedence constraints. Manage. Sci. 19(5), 544–546 (1973)
J. Lehoczky, L. Sha, Y. Ding, The rate monotonic scheduling algorithm: exact characterization and average case behavior, in Proceedings of the Real-Time Systems Symposium (IEEE Computer Society Press, Santa Monica, 1989), pp. 166–171
H. Li, Scheduling mixed-criticality real-time systems. Ph.D. thesis, Department of Computer Science, The University of North Carolina at Chapel Hill (2013)
C. Liu, J. Layland, Scheduling algorithms for multiprogramming in a hard real-time environment. J. ACM 20(1), 46–61 (1973)
A. Masrur, D. Müller, M. Werner, Bi-level deadline scaling for admission control in mixed-criticality systems, in 2015 IEEE 21st International Conference on Embedded and Real-Time Computing Systems and Applications, 2015, pp. 100–109. https://doi.org/10.1109/RTCSA.2015.35


A. Mok, Fundamental design problems of distributed systems for the hard-real-time environment. Ph.D. thesis, Laboratory for Computer Science, Massachusetts Institute of Technology (1983). Available as Technical Report No. MIT/LCS/TR-297
D. Müller, A. Masrur, The schedulability region of two-level mixed-criticality systems based on EDF-VD, in Proceedings of the Conference on Design, Automation and Test in Europe (DATE), Dresden, 2014
D. Socci, P. Poplavko, S. Bensalem, M. Bozga, Mixed critical earliest deadline first, in Proceedings of the 2013 25th Euromicro Conference on Real-Time Systems, ECRTS ’13 (IEEE Computer Society Press, Paris, 2013)
D. Socci, P. Poplavko, S. Bensalem, M. Bozga, Multiprocessor scheduling of precedence-constrained mixed-critical jobs, in 2015 IEEE 18th International Symposium on Real-Time Distributed Computing, 2015, pp. 198–207. https://doi.org/10.1109/ISORC.2015.18
M. Stigge, W. Yi, Models for real-time workload: a survey, in Proceedings of a Conference Organized in Celebration of Professor Alan Burns’ Sixtieth Birthday, 2013, p. 133
M. Stigge, Real-time workload models: expressiveness vs. analysis efficiency. Ph.D. thesis, Uppsala University (2014)
S. Vestal, Preemptive scheduling of multi-criticality systems with varying degrees of execution time assurance, in Proceedings of the Real-Time Systems Symposium (IEEE Computer Society Press, Tucson, 2007), pp. 239–243
R. Wilhelm, J. Engblom, A. Ermedahl, N. Holsti, S. Thesing, D. Whalley, G. Bernat, C. Ferdinand, R. Heckmann, T. Mitra, F. Mueller, I. Puaut, P. Puschner, J. Staschulat, P. Stenström, The worst-case execution-time problem – overview of methods and survey of tools. ACM Trans. Embed. Comput. Syst. 7(3), 36:1–36:53 (2008)

10 Probabilistic Analysis

Dorin Maxim, Liliana Cucu-Grosjean, and Robert I. Davis

Contents
1 Introduction
1.1 Probabilistic Terminology and Notation
1.2 Probabilistic Task Model
1.3 Probabilistic Real-Time Constraints
2 Schedulability Analysis for Probabilistic Real-Time Tasks
2.1 Probabilistic Response Time Analysis
2.2 Detailed Example
3 Optimal Priority Assignment
3.1 Priority Assignment Example
3.2 Optimal Priority Assignment Using Audsley’s Algorithm
4 Complexity of Probabilistic Schedulability Analyses
5 Review of Prior Work
6 Conclusions and Open Problems
References

D. Maxim, University of Lorraine, Nancy, France
L. Cucu-Grosjean, Inria, Paris, France
R. I. Davis, University of York, York, UK
© Springer Nature Singapore Pte Ltd. 2022. Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_9

Abstract The classical model of a real-time system consists of a number of tasks, each of which has an execution time which is upper bounded by a constant, referred to as the worst-case execution time (WCET). Further, jobs of each task execute
periodically or sporadically, subject to some minimum inter-arrival time. Task execution is controlled by a real-time scheduler that determines, at any given time, which of the ready jobs the processor will execute. For such a model, schedulability analysis provides an a priori mathematical verification indicating whether or not all of the jobs of each task can be guaranteed to meet their deadlines under the particular scheduling policy used. This analysis is typically achieved by determining the worst-case scenario that leads to the worst-case response time (from the release to the completion of any job of the task), calculating the worst-case response time, and comparing it with the task’s deadline. Probabilistic real-time systems differ from this classical model in two main ways. Firstly, at least one parameter of the tasks (e.g., execution time) is modeled as a random variable, i.e., described by a probability distribution. Secondly, rather than requiring an absolute guarantee that all deadlines must be met, timing constraints are specified in terms of a threshold on the acceptable probability of a deadline miss for each task. This chapter focuses on research into scheduling and specifically schedulability analysis for probabilistic real-time systems.

1 Introduction

Real-time systems are characterized not only by the need for functional correctness but also by the need for timing correctness. Classically, applications have been categorized as either hard real-time, when failure to meet a deadline constitutes a failure of the application, or soft real-time, where completion beyond the deadline leads only to a degraded quality of service. Determining timing correctness for a hard real-time system typically requires two steps:

• Timing Analysis is used to determine the maximum amount of time which each software task can take to execute on the hardware platform, referred to as the worst-case execution time (WCET) (Wilhelm et al. 2008).
• Schedulability Analysis is then used to determine the worst-case response time (WCRT) of each task, taking into account the scheduling policy and thus any interference between the tasks. This analysis typically assumes that every job of a task executes for its WCET. The WCRT is then compared to the task’s deadline to determine if it is schedulable (Davis 2014).

The concept of a probabilistic real-time system differs from the classical model in two main ways. Firstly, at least one parameter of the tasks (e.g., execution time) is modeled as a random variable, i.e., described by a probability distribution with distinct probabilities associated with each possible discrete value for the parameter. Secondly, rather than requiring an absolute guarantee that all deadlines must be met, timing constraints are specified in terms of a threshold on the acceptable probability of a deadline miss for each task.


Determining the timing correctness of a probabilistic real-time system typically also requires two steps:

• Probabilistic Timing Analysis is used to determine the probabilistic worst-case execution time (pWCET) distribution for each task. This may be obtained either via analytical techniques referred to as static probabilistic timing analysis (SPTA) (Cazorla et al. 2013; Davis et al. 2013; Altmeyer and Davis 2014; Altmeyer et al. 2015; Lesage et al. 2015, 2018) or via statistical methods referred to as measurement-based probabilistic timing analysis (MBPTA) (Cucu-Grosjean et al. 2012; Wartel et al. 2013; Santinelli et al. 2014, 2017; Lima et al. 2016; Lima and Bate 2017).
• Probabilistic Schedulability Analysis is then used to determine the probabilistic worst-case response time (pWCRT) distribution of each task, taking into account the scheduling policy and thus any interference between the tasks (Maxim and Cucu-Grosjean 2013). The pWCRT distributions are then compared to the deadlines to determine if the tasks can be guaranteed to meet their timing requirements, described in terms of acceptable deadline miss probabilities.

The remainder of this section introduces the key concepts, terminology, and notation needed to describe probabilistic real-time systems. The following sections present the state-of-the-art probabilistic schedulability analysis techniques for the commonly used fixed priority preemptive scheduling policy. Section 2 presents schedulability analysis for single processor systems with task execution times described by random variables. Section 3 presents results on efficient priority assignment policies which can determine an optimal priority assignment, ensuring that all tasks will meet their timing constraints whenever there is some priority assignment that can provide such a guarantee. Section 4 considers the complexity of probabilistic schedulability analysis and discusses practical methods of improving the efficiency of the analysis. In a brief chapter such as this, detailed information can necessarily only be provided on specific results; however, Sect. 5 complements this via a brief overview of prior work in the field. Section 6 concludes with a discussion of open problems.

1.1 Probabilistic Terminology and Notation

This subsection introduces the basic notation for random variables and operations upon them. A random variable $\mathcal{X}$ has an associated probability function (PF) $f_{\mathcal{X}}(\cdot)$ with $f_{\mathcal{X}}(x) = P(\mathcal{X} = x)$. The possible values $X^0, X^1, \cdots, X^k$ of $\mathcal{X}$ belong to the interval $[X^{min}, X^{max}]$, where $k$ is the number of possible values of $\mathcal{X}$. (Note discrete random variables are assumed.) Probabilities are associated with the possible values of a random variable $\mathcal{X}$ using the following notation:

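$$\mathcal{X} = \begin{pmatrix} X^0 = X^{min} & X^1 & \cdots & X^k = X^{max} \\ f_{\mathcal{X}}(X^{min}) & f_{\mathcal{X}}(X^1) & \cdots & f_{\mathcal{X}}(X^{max}) \end{pmatrix} \qquad (1)$$

where $\sum_{j=0}^{k} f_{\mathcal{X}}(X^j) = 1$. A random variable may also be specified using its cumulative distribution function (CDF) $F_{\mathcal{X}}(x) = \sum_{z=X^{min}}^{x} f_{\mathcal{X}}(z)$. For example, the random variable $\mathcal{X} = \begin{pmatrix} 1 & 2 & 5 \\ 0.9 & 0.05 & 0.05 \end{pmatrix}$ has a cumulative distribution function

$$F_{\mathcal{X}}(x) = \begin{cases} 0.9, & \text{if } x = 1; \\ 0.95, & \text{if } x = 2; \\ 1, & \text{otherwise.} \end{cases}$$

Throughout this chapter, cursive characters are used to denote random variables.

Definition 1 Two random variables $\mathcal{X}$ and $\mathcal{Y}$ are (probabilistically) independent if they describe two events where the result of one of the events has no effect on the other.

For example, if the execution time observed for one job of a task has no impact on the probability of obtaining any particular execution time for the next (or subsequent) job of the task, then the execution times of the jobs are said to be independent. (Note that in practice the execution times of jobs are typically dependent.) Note that for independent random variables, the conditional probability of $\mathcal{X} = x$ given that $\mathcal{Y} = y$ is simply the probability of $\mathcal{X} = x$, i.e., $P(\mathcal{X} = x \mid \mathcal{Y} = y) = P(\mathcal{X} = x)$, and similarly, the conditional probability of $\mathcal{Y} = y$ given $\mathcal{X} = x$ is simply the probability of $\mathcal{Y} = y$, i.e., $P(\mathcal{Y} = y \mid \mathcal{X} = x) = P(\mathcal{Y} = y)$.

Definition 2 The sum $\mathcal{Z}$ of two independent random variables $\mathcal{X}$ and $\mathcal{Y}$ is given by their convolution $\mathcal{X} \otimes \mathcal{Y}$ where $P(\mathcal{Z} = z) = \sum_{k=-\infty}^{k=+\infty} P(\mathcal{X} = k) P(\mathcal{Y} = z - k)$.

For example, the convolution of $\mathcal{X} = \begin{pmatrix} 3 & 7 \\ 0.1 & 0.9 \end{pmatrix}$ and $\mathcal{Y} = \begin{pmatrix} 0 & 4 \\ 0.9 & 0.1 \end{pmatrix}$ is equal to

$$\mathcal{Z} = \begin{pmatrix} 3 & 7 \\ 0.1 & 0.9 \end{pmatrix} \otimes \begin{pmatrix} 0 & 4 \\ 0.9 & 0.1 \end{pmatrix} = \begin{pmatrix} 3 & 7 & 11 \\ 0.09 & 0.82 & 0.09 \end{pmatrix}$$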

Definition 3 The coalescence of two partial random variables, denoted by the operator ⊕, represents the combination of the two partial random variables into a single (partial) random variable so that values that appear multiple times are kept only once gathering the summed probability mass of the respective values. (Note a partial random variable has probabilities that sum to less than 1.)

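For example, coalescing two partial random variables $\mathcal{A}_1 = \begin{pmatrix} 5 & 8 \\ 0.18 & 0.02 \end{pmatrix}$ and $\mathcal{A}_2 = \begin{pmatrix} 5 & 6 \\ 0.72 & 0.08 \end{pmatrix}$ is equal to

$$\begin{pmatrix} 5 & 8 \\ 0.18 & 0.02 \end{pmatrix} \oplus \begin{pmatrix} 5 & 6 \\ 0.72 & 0.08 \end{pmatrix} = \begin{pmatrix} 5 & 6 & 8 \\ 0.9 & 0.08 & 0.02 \end{pmatrix}$$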

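Definition 4 (Diaz et al. 2004; López et al. 2008) Let $\mathcal{X}_1$ and $\mathcal{X}_2$ be two random variables. The variable $\mathcal{X}_2$ is greater than or equal to $\mathcal{X}_1$, denoted by $\mathcal{X}_2 \succeq \mathcal{X}_1$, if $F_{\mathcal{X}_1}(x) \leq F_{\mathcal{X}_2}(x), \forall x$. Stated otherwise, the CDF of $\mathcal{X}_1$ is never above that of $\mathcal{X}_2$. Note the relation $\succeq$ between two random variables is not total, i.e., for two random variables $\mathcal{X}_3$ and $\mathcal{X}_4$ it is possible that $\mathcal{X}_3 \nsucceq \mathcal{X}_4$ and $\mathcal{X}_4 \nsucceq \mathcal{X}_3$.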

1.2 Probabilistic Task Model

This subsection defines a probabilistic real-time task model with task parameters described by random variables. Let $\tau$ be a task set comprising $n$ tasks $\{\tau_1, \tau_2, \ldots, \tau_n\}$, where each task $\tau_i$ generates a potentially unbounded number of successive jobs $J_{i,j}$, with $j = 1, \ldots, \infty$.

Definition 5 The probabilistic execution time (pET) of a specific job of a task describes the probability that the execution time of the job is equal to a given value.

For example, the $j$th job $J_{i,j}$ of a task $\tau_i$ may have a pET as follows:

$$\mathcal{C}_i^j = \begin{pmatrix} 2 & 3 & 5 & 6 & 105 \\ 0.7 & 0.2 & 0.05 & 0.04 & 0.01 \end{pmatrix} \qquad (2)$$

If $f_{\mathcal{C}_i^j}(2) = 0.7$, then the execution time of the job $J_{i,j}$ has a probability of 0.7 of being equal to 2. Note that the pET of a job typically depends on the set of input values for that specific job.

Definition 6 The probabilistic worst-case execution time (pWCET) $\mathcal{C}_i$ of a task is a tight upper bound on the pET of all possible jobs of that task. The pWCET can be described by the relation $\succeq$ where $\mathcal{C}_i \succeq \mathcal{C}_i^j, \forall j$.

The CDF of the pWCET is defined by taking the point-wise minimum values from the CDFs of the pETs of all of the jobs. Equivalently, the 1 – CDF of the pWCET is defined by taking the point-wise maximums from the 1 – CDFs of all of the jobs. The probabilistic worst-case execution time $\mathcal{C}_i$ of task $\tau_i$ can be written as:

$$\mathcal{C}_i = \begin{pmatrix} C_i^0 = C_i^{min} & C_i^1 & \cdots & C_i^{k_i} = C_i^{max} \\ f_{\mathcal{C}_i}(C_i^{min}) & f_{\mathcal{C}_i}(C_i^1) & \cdots & f_{\mathcal{C}_i}(C_i^{max}) \end{pmatrix}, \qquad (3)$$

where $\sum_{j=0}^{k_i} f_{\mathcal{C}_i}(C_i^j) = 1$.

For example, a task $\tau_i$ can have a pWCET of $\mathcal{C}_i = \begin{pmatrix} 2 & 3 & 25 \\ 0.5 & 0.45 & 0.05 \end{pmatrix}$; then $f_{\mathcal{C}_i}(2) = 0.5$, $f_{\mathcal{C}_i}(3) = 0.45$ and $f_{\mathcal{C}_i}(25) = 0.05$.

The relation between the pWCET of a task and the pETs of its jobs is illustrated in Fig. 1. On this graph of 1 – CDF, the pWCET $\mathcal{C}_i$ is greater than or equal to $\mathcal{C}_i^j$, $\forall j$. Note that in practice, a precise (tight) pWCET may not necessarily be obtained; however, any upper bound (in terms of the 1 – CDF) on all pETs is valid; the tighter the bound the less pessimism there will be in the subsequent analysis. In the remainder of this chapter, pWCET is used to refer to a valid upper bound.

Fig. 1 The pWCET of a task is an upper bound on the pETs of all the jobs

It is important to note that the random variables describing the pWCETs $\mathcal{C}_1$ and $\mathcal{C}_2$ of two tasks $\tau_1$ and $\tau_2$ are independent due to the definition of the pWCETs as upper bounds. By contrast, the pETs of two jobs of the same or different tasks are typically dependent.

A task is referred to as periodic if releases of its jobs occur with a fixed interval of time between them. Alternatively, a task is referred to as sporadic if job releases are separated by some minimum inter-arrival time but may also be released with a larger separation. A probabilistic real-time task $\tau_i$ can therefore be defined by a tuple $(\mathcal{C}_i, T_i, D_i)$ where the random variable $\mathcal{C}_i$ gives the pWCET of the task, $T_i$ is the minimum inter-arrival time or period, and $D_i$ is the relative deadline. Note that when the pWCET distribution is degenerate (i.e., only has a single value), then the model effectively reduces to the classical periodic or sporadic task model for hard real-time systems.

1.3 Probabilistic Real-Time Constraints

The previous subsection defined the parameters of probabilistic real-time tasks. This subsection defines the corresponding probabilistic time constraints. In classical hard real-time systems, the response time of a job is the time between its release and completion of its execution, while the worst-case response time of a task is the longest response time of any of its jobs. This is compared to the relative deadline of the task to determine if it is schedulable. In a probabilistic real-time system, the probabilistic response time (pRT) of a job and the probabilistic worst-case response time (pWCRT) of a task are described by random variables.

Definition 7 The probabilistic Response Time (pRT) of a job $J_{i,j}$ of task $\tau_i$, denoted by $\mathcal{R}_{i,j}$, describes the probability distribution of the response time of that job.

Definition 8 The probabilistic worst-case response time (pWCRT) of a task $\tau_i$, denoted by $\mathcal{R}_i$, is an upper bound on the pRTs of all of its jobs $\mathcal{R}_{i,j}, \forall j$ described by the relation $\succeq$ with $\mathcal{R}_i \succeq \mathcal{R}_{i,j}, \forall j$. Graphically, this implies that the 1 – CDF of $\mathcal{R}_i$ is never below the 1 – CDF of $\mathcal{R}_{i,j}, \forall j$.

Probabilistic real-time constraints are expressed in the form of a threshold $\rho_i$ specifying the maximum acceptable probability of a deadline miss for task $\tau_i$ with relative deadline $D_i$. Typically, the value of the threshold is very small, e.g., $10^{-4}$ to $10^{-9}$, since it is expected that deadline failures should be rare events. In the literature, there are two ways in which the probability of a deadline miss may be calculated for a task:

• The Deadline Miss Probability (DMP) for a task is calculated by taking the average of the probability of a deadline miss for its jobs over some long interval of time; typically the least common multiple (LCM) of the task periods (Diaz et al. 2004; López et al. 2008).
• The Worst-Case Deadline Failure Probability (WCDFP) of a task is upper bounded by directly comparing the pWCRT distribution of the task (valid for any job) with its deadline (Maxim and Cucu-Grosjean 2013).


Note that the latter method potentially introduces some pessimism, since, for example, the relationship between task periods means that not all jobs of a task may be subject to the maximum interference from other tasks and so have a pRT distribution that equates to the pWCRT distribution of the task; however, it provides a valid upper bound on the probability of deadline misses.

Definition 9 The deadline miss probability for a job $J_{i,j}$, denoted by $DMP_{i,j}$, is the probability that the $j$th job of task $\tau_i$ misses its deadline and is given by:

$$DMP_{i,j} = P(\mathcal{R}_{i,j} > D_i) \qquad (4)$$

where $\mathcal{R}_{i,j}$ is the pRT distribution for the $j$th job of the task $\tau_i$.

If the tasks studied are periodic, then the deadline miss probability for a task is equal to the average of the deadline miss probabilities of all its jobs activated during the Least Common Multiple of task periods.

Definition 10 The deadline miss probability for a periodic task $\tau_i$ and a time interval $[a, b]$ equating to the LCM of task periods, denoted by $DMP_i(a, b)$, is given by:

$$DMP_i(a, b) = \frac{P(\mathcal{R}_i^{[a,b]} > D_i)}{n_{[a,b]}} = \frac{1}{n_{[a,b]}} \sum_{j=1}^{n_{[a,b]}} DMP_{i,j} \qquad (5)$$

where $n_{[a,b]}$ is the number of jobs of task $\tau_i$ activated during the interval $[a, b]$.

Note that the above definition is only valid for tasks that are periodic. Sporadic behavior of higher priority tasks, resulting in intervals between jobs that exceed the minimum inter-arrival time, can, in some cases, result in a higher deadline miss probability for the task under analysis.

Definition 11 The worst-case deadline failure probability for a task $\tau_i$, denoted by $WCDFP_i$, is an upper bound on the probability that the task misses its deadline. It is computed directly from the pWCRT and the deadline of the task and is given by:

$$WCDFP_i = P(\mathcal{R}_i > D_i) \qquad (6)$$

where $\mathcal{R}_i$ is the pWCRT distribution for task $\tau_i$, and $D_i$ is its relative deadline.

2 Schedulability Analysis for Probabilistic Real-Time Tasks

This section describes the state-of-the-art probabilistic response time analysis for tasks which have probabilistic worst-case execution times (pWCETs). It is a simplified form of the analysis derived by Maxim and Cucu-Grosjean (2013). The system is assumed to comprise $n$ tasks $\{\tau_1, \tau_2, \ldots, \tau_n\}$ scheduled on a single processor according to a fixed priority preemptive scheduling policy. Each task is assumed to have a unique priority. Without loss of generality, $\tau_i$ is assumed to have a higher priority than $\tau_j$ for $i < j$. Further, $hp(i)$ is used to denote the set of tasks with higher priorities than $\tau_i$. The tasks are sporadic and thus may all be released at the same time (assumed to be time $t = 0$). Task $\tau_i$ is represented by a tuple $(\mathcal{C}_i, T_i, D_i, \rho_i)$, where $\mathcal{C}_i$ is its pWCET, $T_i$ is its minimum inter-arrival time, $D_i$ is its relative deadline, and $\rho_i$ is the threshold giving the maximum acceptable deadline failure probability. The deadline is assumed to be constrained; hence $D_i \leq T_i$, for all tasks. At runtime, it is assumed that any job that reaches its deadline without completing is aborted.

Maxim and Cucu-Grosjean (2013) proved that the critical instant, which yields the largest response time distribution for any job of a task, occurs when all the tasks are released simultaneously. (Here, largest is defined with respect to the relation $\succeq$.) Since the response time distribution of the first job upper bounds the response time distribution of any other job of the same task, it therefore gives the pWCRT distribution for the task ($\mathcal{R}_i = \mathcal{R}_{i,1} \succeq \mathcal{R}_{i,j}, \forall j$). The pWCRT distribution $\mathcal{R}_i$ of the task can then be compared with its deadline to obtain the worst-case deadline failure probability $WCDFP_i$, which can be compared with the threshold $\rho_i$ to determine if the task is schedulable.

2.1 Probabilistic Response Time Analysis

The following analysis computes the worst-case response time distribution for a given task $\tau_i$. The worst-case response time distribution for task $\tau_i$ is first initialized to:

$$\mathcal{R}_i^0 = \mathcal{B}_i \otimes \mathcal{C}_i \qquad (7)$$

where the backlog $\mathcal{B}_i$ at the release of $\tau_i$ is given by:

$$\mathcal{B}_i = \bigotimes_{j \in hp(i)} \mathcal{C}_j \qquad (8)$$

The worst-case response time is then updated iteratively for each preemption as follows:

$$\mathcal{R}_i^m = (\mathcal{R}_i^{m-1,head} \oplus (\mathcal{R}_i^{m-1,tail} \otimes \mathcal{C}_k^{pr})) \qquad (9)$$

Here, $m$ is the index of the iteration. $\mathcal{R}_i^{m-1,head}$ is the part of the distribution $\mathcal{R}_i^{m-1}$ that is not affected by the preemption under consideration (i.e., it only contains values $\leq t_m$ where $t_m$ is the time of the preemption). $\mathcal{R}_i^{m-1,tail}$ is the remaining part of the distribution $\mathcal{R}_i^{m-1}$ that may be affected by the preemption. Finally, $\mathcal{C}_k^{pr}$ is the pWCET distribution of the preempting task $\tau_k$. Iteration ends when there are no releases left from jobs of higher priority tasks at time instants smaller than the largest value in the response time distribution currently obtained. Iteration may also be terminated once any new preemptions are beyond the deadline of the task. Once iteration is complete, the worst-case deadline failure probability valid for any job of task $\tau_i$ is given by:

$$WCDFP_i = P(\mathcal{R}_i > D_i) \qquad (10)$$

The task is then deemed schedulable if the worst-case deadline failure probability does not exceed the required threshold:

$$WCDFP_i \leq \rho_i \qquad (11)$$

Hypothesis of (probabilistic) independence. Equations (7) and (9) are based on the operation of convolution $\otimes$ that requires probabilistic independence between $\mathcal{C}_i$, $\forall i$. For this reason, it is important that the probability distributions used for $\mathcal{C}_i$ are upper bound pWCET distributions, and not pET distributions which typically would not be independent.

2.2 Detailed Example

The example below illustrates the operation of probabilistic response time analysis.

Example 1 Assume a task set $\Gamma = \{\tau_1, \tau_2\}$, with task $\tau_1$ defined by $\left(\begin{pmatrix} 1 & 2 & 3 \\ 0.6 & 0.3 & 0.1 \end{pmatrix}, 5, 5, 1\right)$ and task $\tau_2$ by $\left(\begin{pmatrix} 4 & 5 \\ 0.7 & 0.3 \end{pmatrix}, 12, 12, 0.005\right)$. Note that task $\tau_1$ is required to always meet its deadline ($\rho_1 = 1$), while task $\tau_2$ has an acceptable threshold of $\rho_2 = 0.005$ on deadline failure.

The response time computation for task $\tau_2$ starts by initializing the response time distribution with the pWCET of the task under analysis. ($\mathcal{R}_i^j$ denotes the current response time distribution of task $\tau_i$ at step $j$ of the analysis.)

$$\mathcal{R}_2^0 = \begin{pmatrix} 4 & 5 \\ 0.7 & 0.3 \end{pmatrix} \qquad (12)$$

Then the interference from higher priority tasks at $t = 0$ is included to account for the synchronous release of jobs of all tasks:

$$\mathcal{R}_2^1 = \mathcal{R}_2^0 \otimes \begin{pmatrix} 1 & 2 & 3 \\ 0.6 & 0.3 & 0.1 \end{pmatrix} = \begin{pmatrix} 5 & 6 & 7 & 8 \\ 0.42 & 0.39 & 0.16 & 0.03 \end{pmatrix} \qquad (13)$$

Once the interference due to synchronous releases has been taken into account, the preemptions can be included and the response time distribution updated. As task $\tau_1$ has an arrival at $t = 5$, the current response time distribution is split into two parts, one containing values less than or equal to 5, which is referred to as the head of the distribution $\mathcal{R}_2^{1,head}$:

$$\mathcal{R}_2^{1,head} = \begin{pmatrix} 5 \\ 0.42 \end{pmatrix} \qquad (14)$$

and another part containing values strictly larger than 5, which is referred to as the tail of the distribution $\mathcal{R}_2^{1,tail}$:

$$\mathcal{R}_2^{1,tail} = \begin{pmatrix} 6 & 7 & 8 \\ 0.39 & 0.16 & 0.03 \end{pmatrix} \qquad (15)$$

The head of the distribution contains stable response time values and associated probabilities that are not modified in the subsequent steps of the analysis. The tail of the distribution is updated to take into account the preemption at $t = 5$. After the tail is updated, it is coalesced with the head to once again form a complete distribution $\mathcal{R}_2^2$ which can subsequently be split at the appropriate point to account for further preemptions:

$$\begin{aligned} \mathcal{R}_2^2 &= \mathcal{R}_2^{1,head} \oplus \left(\mathcal{R}_2^{1,tail} \otimes \begin{pmatrix} 1 & 2 & 3 \\ 0.6 & 0.3 & 0.1 \end{pmatrix}\right) \\ &= \mathcal{R}_2^{1,head} \oplus \begin{pmatrix} 7 & 8 & 9 & 10 & 11 \\ 0.234 & 0.213 & 0.105 & 0.025 & 0.003 \end{pmatrix} \\ &= \begin{pmatrix} 5 & 7 & 8 & 9 & 10 & 11 \\ 0.42 & 0.234 & 0.213 & 0.105 & 0.025 & 0.003 \end{pmatrix} \end{aligned} \qquad (16)$$

Similarly, task $\tau_2$ may be preempted by task $\tau_1$ at $t = 10$. The current response time distribution $\mathcal{R}_2^2$ is split into the head $\mathcal{R}_2^{2,head}$, containing values less than or equal to 10, and the tail $\mathcal{R}_2^{2,tail}$ containing values larger than 10. The tail part is then updated to include the second preemption from $\tau_1$:

$$\mathcal{R}_2^{2,head} = \begin{pmatrix} 5 & 7 & 8 & 9 & 10 \\ 0.42 & 0.234 & 0.213 & 0.105 & 0.025 \end{pmatrix} \qquad (17)$$

$$\mathcal{R}_2^{2,tail} = \begin{pmatrix} 11 \\ 0.003 \end{pmatrix} \qquad (18)$$

$$\begin{aligned} \mathcal{R}_2^3 &= \mathcal{R}_2^{2,head} \oplus \left(\mathcal{R}_2^{2,tail} \otimes \begin{pmatrix} 1 & 2 & 3 \\ 0.6 & 0.3 & 0.1 \end{pmatrix}\right) \\ &= \mathcal{R}_2^{2,head} \oplus \begin{pmatrix} 12 & D_2^+ \\ 0.0018 & 0.0012 \end{pmatrix} \\ &= \begin{pmatrix} 5 & 7 & 8 & 9 & 10 & 12 & D_2^+ \\ 0.42 & 0.234 & 0.213 & 0.105 & 0.025 & 0.0018 & 0.0012 \end{pmatrix} \end{aligned} \qquad (19)$$

Note $D_2^+$ collects the probability mass for all values beyond the task deadline. Since the deadline of task $\tau_2$ is 12, and there are no further preemptions before $t = 15$, which is in any case beyond the end of the response time distribution, iteration can stop at this point. The WCDFP corresponds to the probability mass of the response time distribution $\mathcal{R}_2^2$ that exceeds 12, which is 0.0012. Since this value is less than the threshold $\rho_2 = 0.005$, task $\tau_2$ is schedulable; it meets its probabilistic timing constraints.

3 Optimal Priority Assignment

For the classical real-time task model, it is well-known that rate-monotonic (Liu and Layland 1973) and deadline-monotonic (Leung and Whitehead 1982) priority assignment are optimal for task sets with implicit and constrained deadlines, respectively. As shown by Maxim et al. (2011), this is not however the case for task sets with parameters described by random variables and time constraints given as thresholds on acceptable deadline failure probabilities.

3.1 Priority Assignment Example

A simple example suffices to show that neither rate-monotonic nor deadline-monotonic priority assignments are optimal for systems with parameters described by random variables and timing constraints given by thresholds on acceptable deadline failure probabilities. Consider the following set of two sporadic tasks, which may share a common release time at $t = 0$. Let $\Gamma = \{\tau_1, \tau_2\}$ be a task set such that each task is characterized by $(\mathcal{C}, T, D, \rho)$. Recall that $\rho$ is the threshold on the acceptable deadline miss probability for the task. Thus $\tau_1$ is defined by $\left(\begin{pmatrix} 2 & 3 \\ 0.5 & 0.5 \end{pmatrix}, 8, 6, 0.7\right)$ and $\tau_2$ by $\left(\begin{pmatrix} 3 & 5 \\ 0.5 & 0.5 \end{pmatrix}, 10, 7, 0.2\right)$.

According to deadline-monotonic priority assignment, $\tau_1$ has the highest priority and $\tau_2$ the lowest priority. In this case the response time of task $\tau_1$ is equal to $\mathcal{R}_1 = \begin{pmatrix} 2 & 3 \\ 0.5 & 0.5 \end{pmatrix}$ and the probability of a deadline miss is zero. The response time of task $\tau_2$ is equal to $\mathcal{R}_2 = \begin{pmatrix} 5 & 6 & 7 & D_2^+ \\ 0.25 & 0.25 & 0.25 & 0.25 \end{pmatrix}$, having a worst-case deadline failure probability $WCDFP_2 = 0.25$, which is greater than the threshold $\rho_2 = 0.2$. This means that the priority assignment is not feasible.

The alternative priority assignment has $\tau_2$ at the highest priority and $\tau_1$ at the lowest priority. In this case the response time of task $\tau_2$ is equal to $\mathcal{R}_2 = \begin{pmatrix} 3 & 5 \\ 0.5 & 0.5 \end{pmatrix}$, and the probability of a deadline miss is zero. The response time of task $\tau_1$ is equal to $\mathcal{R}_1 = \begin{pmatrix} 5 & 6 & D_1^+ \\ 0.25 & 0.25 & 0.5 \end{pmatrix}$, having a worst-case deadline failure probability $WCDFP_2 = 0.5$, which is less than the threshold $\rho_1 = 0.7$. This means that the priority assignment is feasible.

This simple example shows that neither rate-monotonic (the same result is obtained with the task periods set equal to the deadlines) nor deadline-monotonic priority assignment is optimal for task sets with parameters described by random variables and time constraints given as thresholds on acceptable deadline miss probabilities.
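The response time analysis of Sect. 2.1 carried through in code, as an added example that is not part of the original chapter: it reproduces Example 1 of Sect. 2.2 and the two priority orderings of the example above. The dict representation of distributions, the function names and the restriction to integer times are assumptions of this example.

```python
"""Probabilistic response time analysis, fixed priority preemptive scheduling.

A distribution is a dict {value: probability}; a task is a tuple
(C, T, D, rho). Times are assumed to be integers (assumption of this example).
"""
from collections import defaultdict


def convolve(x, y):
    """Definition 2: distribution of the sum of two independent variables."""
    z = defaultdict(float)
    for xv, xp in x.items():
        for yv, yp in y.items():
            z[xv + yv] += xp * yp
    return dict(z)


def coalesce(a, b):
    """Definition 3: merge two partial distributions, summing shared values."""
    out = defaultdict(float)
    for part in (a, b):
        for v, p in part.items():
            out[v] += p
    return dict(out)


def pwcrt(task, higher):
    """pWCRT distribution of `task` given the list of higher priority tasks."""
    c, _, d, _ = task
    # Eqs. (7)-(8): own pWCET convolved with the backlog released at t = 0.
    r = dict(c)
    for hc, _, _, _ in higher:
        r = convolve(r, hc)
    # Later releases of higher priority jobs, in time order. Releases at or
    # after the deadline cannot move probability mass across the deadline,
    # so they are not generated.
    releases = []
    for hc, ht, _, _ in higher:
        t = ht
        while t < d:
            releases.append((t, hc))
            t += ht
    releases.sort(key=lambda e: e[0])
    for t, hc in releases:
        if t >= max(r):
            break  # no response time value is left that could be preempted
        # Eq. (9): values <= t are final, values > t absorb the preemption.
        head = {v: p for v, p in r.items() if v <= t}
        tail = {v: p for v, p in r.items() if v > t}
        r = coalesce(head, convolve(tail, hc))
    return r


def wcdfp(task, higher):
    """Eq. (10): probability mass of the pWCRT beyond the relative deadline."""
    d = task[2]
    return sum(p for v, p in pwcrt(task, higher).items() if v > d)


def feasible(order):
    """Eq. (11) for every task; `order` lists tasks from highest priority down."""
    return all(wcdfp(t, order[:i]) <= t[3] for i, t in enumerate(order))


# Task parameters of Example 1 (Sect. 2.2).
EX1_T1 = ({1: 0.6, 2: 0.3, 3: 0.1}, 5, 5, 1)
EX1_T2 = ({4: 0.7, 5: 0.3}, 12, 12, 0.005)
# Task parameters of the priority assignment example (Sect. 3.1).
PA_T1 = ({2: 0.5, 3: 0.5}, 8, 6, 0.7)
PA_T2 = ({3: 0.5, 5: 0.5}, 10, 7, 0.2)

if __name__ == "__main__":
    r = pwcrt(EX1_T2, [EX1_T1])
    print({v: round(p, 4) for v, p in sorted(r.items())})
    print("WCDFP of tau_2 in Example 1:", round(wcdfp(EX1_T2, [EX1_T1]), 4))
    print("deadline-monotonic order feasible:", feasible([PA_T1, PA_T2]))
    print("reversed order feasible:", feasible([PA_T2, PA_T1]))
```

Unlike Eq. (19), the returned distribution keeps the individual values beyond the deadline (13 and 14 in Example 1) instead of collapsing them into a single $D^+$ entry; `wcdfp` sums their mass.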

3.2 Optimal Priority Assignment Using Audsley’s Algorithm

Davis and Burns (2011) proved three conditions for the applicability of Audsley’s algorithm (Audsley 2001) with a schedulability test S:

1. The schedulability of a task may, according to test S, be dependent on the set of higher-priority tasks, but not on the relative priority ordering of those tasks.
2. The schedulability of a task may, according to test S, be dependent on the set of lower-priority tasks, but not on the relative priority ordering of those tasks.
3. When the priorities of any two tasks of adjacent priority are swapped, the task being assigned the higher priority cannot become unschedulable according to test S, if it was previously schedulable at the lower priority. (As a corollary, the task being assigned to the lower priority cannot become schedulable according to test S, if it was previously unschedulable at the higher priority.)

These conditions may be lifted to the problem of tasks with parameters described by random variables. In this case, the concept of a task being schedulable corresponds to meeting its probabilistic time constraints, i.e., having a WCDFP that is below the acceptable threshold for the task. The schedulability test given in Sect. 2.1 meets both Conditions 1 and 2, since there is no dependency on the order of lower- or higher-priority tasks. Further, Maxim and Cucu-Grosjean (2013) showed that the pWCRT distribution for a task τh at a higher priority is greater than that of a task τi at a lower priority (i.e., Rh  Ri ). It follows that Condition 3 also holds.

This means that for task systems analyzed using the schedulability test given in Sect. 2.1, Audsley’s algorithm can be used to find an optimal priority assignment with respect to that test. The algorithm guarantees to find a priority ordering that is schedulable according to the test if such an ordering exists. Further, for a set of n tasks, it does so in at most n(n + 1)/2 task schedulability tests; a large improvement on having to potentially check all n! possible priority orderings. Algorithm 1 sets out Audsley’s optimal priority assignment algorithm for this problem.

Algorithm 1: Audsley’s Optimal Priority Assignment algorithm. The function feasibility verifies that for task τi, WCDFPi < pi

Input: Γ = {τi, i ∈ 1..n}   /* initial set of tasks */
Output: Φ                   /* ordered set of tasks */
Φ ← ()
for l ∈ n..1 do
    assignment ← FALSE
    for τi ∈ Γ do
        /* feasibility function such that WCDFPi < pi */
        if feasible(τi, Φ) then
            Φ ← Φ.τi
            Γ ← Γ \ {τi}
            assignment ← TRUE
            break
    if assignment = FALSE then
        /* no task is suitable for this priority level */
        break

Proof that deadline-monotonic priority assignment is not optimal for this problem and that Audsley’s algorithm is applicable was first given by Maxim et al. (2011).
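The two-task example of Sect. 3.1 and Algorithm 1, worked through in Python as an added illustration (not code from the chapter). The `wcdfp` function is a simplified stand-in for the schedulability test of Sect. 2.1: it assumes a synchronous release at t = 0, periodic higher-priority releases and integer time values, and all function and field names are chosen here.

```python
from collections import defaultdict
from fractions import Fraction as F


def preempt(dist, c_hp, release):
    """Apply one higher-priority job released at time `release`.

    Response-time values <= release belong to jobs that have already
    finished; every later value is pushed back by the pWCET c_hp.
    """
    out = defaultdict(F)
    for value, prob in dist.items():
        if value <= release:
            out[value] += prob
        else:
            for extra, q in c_hp.items():
                out[value + extra] += prob * q
    return dict(out)


def response_time(task, hp_tasks):
    """pWCRT distribution of `task` below `hp_tasks` (simplified analysis)."""
    # Higher-priority releases strictly before the deadline, in time order.
    releases = sorted((k * hp["T"], i)
                      for i, hp in enumerate(hp_tasks)
                      for k in range(-(-task["D"] // hp["T"])))
    dist = dict(task["C"])
    for time, i in releases:
        dist = preempt(dist, hp_tasks[i]["C"], time)
    return dist


def wcdfp(task, hp_tasks):
    """Probability mass of the pWCRT that lies beyond the deadline (D+)."""
    dist = response_time(task, hp_tasks)
    return sum((p for v, p in dist.items() if v > task["D"]), F(0))


def audsley(tasks):
    """Audsley's algorithm: fill priority levels from the lowest upwards.

    Returns task names from highest to lowest priority, or None when no
    task is feasible at some level (no feasible ordering exists).
    """
    unassigned = list(tasks)
    lowest_first = []
    while unassigned:
        for cand in unassigned:
            higher = [t for t in unassigned if t is not cand]
            if wcdfp(cand, higher) < cand["rho"]:   # feasibility test
                lowest_first.append(cand)
                unassigned.remove(cand)
                break
        else:
            return None
    return [t["name"] for t in reversed(lowest_first)]


# Task set of Sect. 3.1: (C, T, D, rho) with C given as {value: probability}.
HALF = F(1, 2)
TAU1 = {"name": "tau1", "C": {2: HALF, 3: HALF}, "T": 8, "D": 6, "rho": F(7, 10)}
TAU2 = {"name": "tau2", "C": {3: HALF, 5: HALF}, "T": 10, "D": 7, "rho": F(1, 5)}

if __name__ == "__main__":
    print("deadline-monotonic, WCDFP of tau2:", wcdfp(TAU2, [TAU1]))
    print("alternative order,  WCDFP of tau1:", wcdfp(TAU1, [TAU2]))
    print("Audsley (highest priority first): ", audsley([TAU1, TAU2]))
```

With the deadline-monotonic order the lower-priority task τ2 exceeds its threshold, while Audsley's algorithm returns the order with τ2 at the highest priority.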

4 Complexity of Probabilistic Schedulability Analyses

Compared to classical response time analysis for tasks with deterministic parameters, probabilistic response time analysis for tasks with execution times described by random variables, i.e., pWCET distributions, may have much higher computational complexity. This is due to two factors: the additional information in the pWCET distributions and the effects of the convolution operator ⊗. When convolving two distributions that have m and n values, respectively, the resulting distribution can have up to m × n values. This is true when the two distributions that are convolved are very different from one another, for example, when the gaps between each pair of values in one distribution are larger than the maximum value in the other distribution. In other cases, for example, when the distributions are dense with all values separated by 1, the resulting distribution can have no more than m + n − 1 values. In general, probabilistic response time analysis could produce a pWCRT distribution which contains the largest value equal to the deterministic response time that would be obtained by considering the largest value in each pWCET distribution (the so-called limit condition) and nearly all values below it. This distribution could easily be too large to handle efficiently in practice.

One way of dealing with this complexity problem is through resampling (Maxim et al. 2012). Resampling can be used to reduce the number of values within the pWCET distributions of the tasks and also within the intermediate distributions used in the pWCRT calculation.

Definition 12 (Sound resampling) Let Ci be a distribution with n values describing the pWCET of a task τi. The process of resampling involves the approximation of Ci by some other distribution C i that has k < n values and is greater than or equal to Ci, i.e., C i  Ci. Sound resampling ensures that if C i is used in place of Ci in probabilistic response time analysis, then the resulting pWCRT distribution R i obtained will be an upper bound on the pWCRT distribution Ri obtained using Ci (Diaz et al. 2004).

Many forms of sound resampling are possible, since a sound resampling simply moves probability mass from smaller to larger values. Maxim et al. (2012) explored a number of different resampling strategies, the most effective of which is domain quantization. Domain quantization not only reduces the number of values in each distribution; it also reduces the number of values in the resulting distribution after convolution. The idea is to quantize the values to some multiple of a base quantum. The approach is best illustrated via an example. Assume there are two tasks with pWCET distributions as follows:

$$C_1 = \begin{pmatrix} 2 & 3 & 6 & 8 & 9 \\ 0.1 & 0.2 & 0.3 & 0.1 & 0.3 \end{pmatrix}$$

$$C_2 = \begin{pmatrix} 10 & 11 & 12 & 17 & 19 & 20 \\ 0.1 & 0.25 & 0.35 & 0.15 & 0.10 & 0.05 \end{pmatrix}$$

Convolving these two distributions gives the following distribution:

$$R_2 = \begin{pmatrix} 12 & 13 & 14 & 15 & 16 & 17 & 18 & 19 & 20 & 21 & 22 & 23 & 25 & 26 & 27 & 28 & 29 \\ 0.01 & 0.045 & 0.085 & 0.07 & 0.03 & 0.075 & 0.115 & 0.07 & 0.14 & 0.115 & 0.025 & 0.055 & 0.045 & 0.06 & 0.01 & 0.035 & 0.015 \end{pmatrix}$$

Applying domain quantization with a quantum of 3 gives the resampled distributions:

$$C_1 = \begin{pmatrix} 3 & 6 & 9 \\ 0.3 & 0.3 & 0.4 \end{pmatrix} \quad \text{and} \quad C_2 = \begin{pmatrix} 12 & 18 & 21 \\ 0.7 & 0.15 & 0.15 \end{pmatrix}$$

Note that the probability mass is collected at the next value which is a multiple of the quantum (i.e., a multiple of 3), including in the case of C2 a value of 21 which is larger than the maximum in the original distribution. Convolving these two distributions gives:

$$R_2 = \begin{pmatrix} 15 & 18 & 21 & 24 & 27 & 30 \\ 0.21 & 0.21 & 0.325 & 0.09 & 0.105 & 0.06 \end{pmatrix}$$

Note that R2  R2 . Further, as all of the values in R2 are multiples of the quantum, subsequent convolution with distributions that have been resampled via domain quantization with a quantum of 3 can only produce values that are also multiples of the quantum, limiting the increase in the number of values in the distribution.

Choosing the quantum to be used is an important problem, since it determines the number of samples to be kept per distribution. Scaling a distribution with a large number of values to a large quantum means that few values are kept out of the initial number, and so the loss in precision is potentially large; on the other hand, scaling a large distribution to a small quantum results in keeping too many values, which makes the resampling inefficient. This problem can be solved by taking advantage of the fact that convolution is commutative: when there are multiple distributions to be convolved with each other, which is often the case in probabilistic response time analysis, the small distributions (representing tasks with relatively short execution times) are first convolved among themselves until they become bigger, at which point they can be convolved with larger distributions. To facilitate this, Maxim et al. (2012) recommend setting the quantum for each distribution to the smallest power of 2 (e.g., 1, 2, 4, 8, ...) that results in at most k samples. Resampling to a smaller number of values trades off between analysis precision and runtime complexity.
Note that with a sound resampling, the pWCRT distributions obtained are always upper bounds, and so the computed values for the worst-case deadline failure probability are valid but potentially pessimistic.
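The domain quantization example above, reproduced in Python as an added illustration (not code from the chapter or from Maxim et al. 2012). The helper names are chosen here; `dominates` checks the greater-than-or-equal-to relation by comparing exceedance probabilities at every value, and `pow2_quantum` implements the power-of-2 recommendation.

```python
from collections import defaultdict
from fractions import Fraction as F


def pmf(values, probs):
    """Distribution {value: probability}, using exact rational arithmetic."""
    dist = {v: F(p) for v, p in zip(values, probs)}
    if sum(dist.values()) != 1:
        raise ValueError("probabilities must sum to 1")
    return dist


def convolve(a, b):
    """Distribution of the sum of two independent random variables."""
    out = defaultdict(F)
    for x, p in a.items():
        for y, q in b.items():
            out[x + y] += p * q
    return dict(out)


def quantize(dist, quantum):
    """Domain quantization: move mass up to the next multiple of quantum."""
    out = defaultdict(F)
    for value, prob in dist.items():
        out[-(-value // quantum) * quantum] += prob
    return dict(out)


def exceedance(dist, x):
    """P(X > x), the 1-CDF of the distribution at x."""
    return sum((p for v, p in dist.items() if v > x), F(0))


def dominates(upper, exact):
    """True if `upper` is greater than or equal to `exact`: its exceedance
    probability is at least as large at every value of either distribution."""
    return all(exceedance(upper, x) >= exceedance(exact, x)
               for x in set(upper) | set(exact))


def pow2_quantum(dist, k):
    """Smallest power of 2 whose quantization leaves at most k values."""
    if k < 1:
        raise ValueError("k must be at least 1")
    quantum = 1
    while len(quantize(dist, quantum)) > k:
        quantum *= 2
    return quantum


# The two pWCET distributions from the text.
C1 = pmf([2, 3, 6, 8, 9], ["0.1", "0.2", "0.3", "0.1", "0.3"])
C2 = pmf([10, 11, 12, 17, 19, 20],
         ["0.1", "0.25", "0.35", "0.15", "0.10", "0.05"])

R2 = convolve(C1, C2)                                # exact convolution
R2_Q3 = convolve(quantize(C1, 3), quantize(C2, 3))   # resampled, quantum 3

if __name__ == "__main__":
    for name, dist in (("exact", R2), ("quantum 3", R2_Q3)):
        print(name, len(dist), "values:",
              {v: float(p) for v, p in sorted(dist.items())})
    print("resampled result is a sound upper bound:", dominates(R2_Q3, R2))
    print("power-of-2 quantum keeping at most 6 values:", pow2_quantum(R2, 6))
```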

5 Review of Prior Work

This section briefly reviews research on probabilistic response time analysis. Note other forms of probabilistic schedulability analysis also exist, for example, (i) for systems where servers are used to manage task execution (Abeni and Buttazzo 1998, 1999; Abeni et al. 2012; Palopoli et al. 2012; Frias et al. 2017), (ii) based on real-time queuing theory (Lehoczky 1996; Hansen et al. 2002), and (iii) where the response time distribution is obtained directly via statistical methods based on measurements (Lu et al. 2010, 2012; Maxim et al. 2015). These areas are not covered in detail here.

Woodbury and Shin (1988) provided analysis that computes the probability of deadline failure for periodic tasks. They assumed that each task has multiple paths each with a fixed execution time and a probability of occurrence. They computed the response time distribution for each job over the hyperperiod and hence the deadline miss probability for each task.

Tia et al. (1995) proposed a probabilistic time-demand analysis (PTDA) based on the time-demand analysis technique given for the simpler case of deterministic execution times by Lehoczky et al. (1989). At each scheduling point, the cumulative probability distribution is computed for all job releases up to that point, via convolution. This enables a bound to be computed on the probability that the task can meet its deadline.

Gardner and Liu (1999) presented stochastic time-demand analysis (STDA) which computes a lower bound on the probability that jobs of a task will meet their deadlines under fixed priority scheduling. They note an issue with the prior work of Tia et al. (1995) in that it is only valid if there is no backlog at the deadline of a task. Gardner and Liu (1999) solve this problem by considering busy periods and the backlog present at subsequent releases of each job.

Diaz et al. (2002) introduced a method of computing the response time distribution for all of the jobs in the hyperperiod for a set of periodic tasks scheduled using fixed priorities or EDF. They note that earlier work (Tia et al. 1995; Gardner and Liu 1999) assumes that the worst case occurs for a job in the first busy period following synchronous release; however, this is not necessarily correct when the worst-case utilization exceeds 1. Diaz et al. (2002) show that the backlog at the start of each hyperperiod is stationary provided that the average utilization is less than 1. They give a method to find this stationary backlog and hence compute the worst-case response time distribution for each job in the hyperperiod.

Diaz et al. (2004) introduced the concept of greater than or equal to between random variables X  Y . They note that any approximations in the analysis must result in distributions that are greater than or equal to the exact distribution in order to ensure soundness. Diaz et al. (2004) also highlighted and addressed issues with their previous work (Diaz et al. 2002) in relation to the tractability of the backlog computation. They also provided a sketch proof that the priority assignment algorithm of Audsley (2001) is optimal when execution times are described by random variables. This was later confirmed by the work of Maxim et al. (2011).

López et al. (2008) extended earlier work (Diaz et al. 2004), providing a set of transformations that can be made to the parameters of a system which are guaranteed to result in a response time distribution greater than or equal to (i.e., ) that for the original system.

Kim et al. (2005) built upon the analysis framework of Diaz et al. (2002, 2004). They discussed methods for obtaining the stationary backlog, including an exact solution which has a very high computational cost, and two approximate solutions.

Cucu and Tovar (2006) introduced a method of computing the probabilistic worst-case response time distribution for tasks with constant execution times but inter-arrival times modeled via random variables. Kaczynski et al. (2007) later addressed the more complex model where tasks have both execution times and arrival times modeled via random variables.


Ivers and Ernst (2009) presented analysis that accounts for the effect of unknown statistical dependencies between the execution times of jobs of the same task and jobs of different tasks, with the execution times modeled as random variables.

Cucu-Grosjean (2013) considered different types of independence in the context of probabilistic real-time systems. A key aspect of this work is the discussion covering the definition of and the differences between probabilistic execution time distributions (pET) and probabilistic worst-case execution time distributions (pWCET).

Maxim and Cucu-Grosjean (2013) introduced probabilistic response time analysis for tasks which may have their worst-case execution times, inter-arrival times, and deadlines all described by random variables.

Tanasa et al. (2015) studied the problem of determining probabilistic worst-case response time distributions for a set of periodic tasks with execution times described by random variables. This work differs from prior publications in that it describes the distributions via continuous functions and tightly approximates them with polynomial functions.

Ben-Amor et al. (2016) derived probabilistic schedulability analysis for tasks with precedence constraints and execution times described by random variables, scheduled under EDF.

Chen and Chen (2017) considered the complexity involved in repeated use of the convolution operator in probabilistic response time analysis. They proposed a more efficient way of computing the probability of deadline misses, based on the moment generating function of random variables, and Chernoff bounds for the probability that the sum of a number of random variables (e.g., the execution times of multiple jobs) exceeds some bound (e.g., the deadline). The evaluation shows that this method is effective in determining slightly pessimistic bounds on the probability of deadline misses without the need to derive the whole response time distribution, which can be very inefficient.

Criticality is a designation of the level of assurance needed against failure. A mixed criticality system is a system that contains tasks of two or more criticality levels. Draskovic et al. (2016) examined fixed priority preemptive scheduling of mixed criticality periodic tasks with execution times described by random variables. They employed the method of Diaz et al. (2002) to compute the probability of a deadline miss for every job in the hyperperiod. Maxim et al. (2016, 2017) adapted probabilistic response time analysis (Maxim and Cucu-Grosjean 2013) to scheduling of mixed criticality systems using the Adaptive Mixed Criticality (AMC) and Static Mixed Criticality (SMC) schemes (Baruah et al. 2011). Abdeddaim and Maxim (2017) derived probabilistic response time analysis for mixed criticality tasks under fixed priority preemptive scheduling, allowing for multiple criticality levels.

6 Conclusions and Open Problems

This chapter presented the key concepts underpinning schedulability analysis for probabilistic real-time systems, including probabilistic worst-case execution time (pWCET) distributions and probabilistic worst-case response time (pWCRT) distributions. Deadline miss probabilities (DMP) for jobs and worst-case deadline failure probabilities (WCDFP) for tasks were also defined. Section 2 presented probabilistic response time analysis for tasks with execution times modeled as independent random variables via a pWCET distribution, scheduled using fixed priority preemptive scheduling. This analysis computes the pWCRT distribution valid for any job of the task. Comparing this distribution with the task’s deadline enables its WCDFP to be computed. Section 3 discussed priority assignment for probabilistic real-time systems, showing that policies which are optimal for conventional task models, such as rate-monotonic and deadline-monotonic, are no longer optimal in this case. However, Audsley’s optimal priority assignment algorithm can be applied. Section 4 discussed the complexity of probabilistic response time analysis and ways in which it can be reduced in practice via resampling. Finally, Sect. 5 gave a brief overview of related research. Recent results have begun to extend probabilistic schedulability analysis to mixed criticality task models. Other avenues for future research include extensions to multiprocessor scheduling.

Appendix: Task Set Generation

This appendix details a simple approach to generating task sets with probabilistic parameters that are suitable for empirical assessment of the performance of different scheduling algorithms and probabilistic schedulability analyses.

STEP 1 Generate the worst-case utilizations ($U_i = C_i^{\max}/T_i$) for each of the n tasks using the UUnifast algorithm (Bini and Buttazzo 2005) to give an unbiased distribution of maximum utilization values.

STEP 2 Generate the task periods according to a log-uniform distribution (Emberson et al. 2010). For example, the range of task periods may span two orders of magnitude, e.g., from 10 to 1000 ms.

STEP 3 Obtain the worst-case execution time of each task from its utilization and period as follows: $C_i^{\max} = U_i T_i$.

STEP 4 The best-case execution time of each task may be obtained by using a fixed multiplier on the worst-case execution time, $C_i^{\min} = SF \cdot C_i^{\max}$, where SF is the scaling factor.

STEP 5 Task deadlines can be implicit, i.e., equal to the task period, or constrained, i.e., no larger than the period. Constrained deadlines may be chosen from a uniform distribution in the range $[C_i^{\max}, T_i]$.

STEP 6 The size of the pWCET distribution is given as an input parameter to the probabilistic real-time task generator. If the size is 1, then the distribution has a single value, i.e., $C_i^{\max} = C_i^{\min}$, with probability equal to 1.

STEP 7 The probability associated with $C_i^{\max}$ can also be given as input to the task generator. It is expected that this value is small, for example, in the range $[10^{-6}, 10^{-12}]$, since it is expected that the probability of extreme execution times is very small (Cucu-Grosjean et al. 2012). The pWCET distribution for each task can then be generated via extrapolation from the $C_i^{\min}$ and $C_i^{\max}$ parameter values, using the probability for the maximum value, and assuming that the distribution has an exponential tail. Thus the 1-CDF of the pWCET, plotted on an exceedance graph with probabilities given on a log scale, is as depicted in Fig. 2. Each line ends with the right-most point at $C_i^{\max}$ and connects the intermediate points via a straight line (exponential tail). The left-most point, at $C_i^{\min}$, collects the remaining part of the distribution so that the probability mass sums to 1. (Note the longer lines are for a scaling factor of SF = 0.33 and thus show more execution time variation than the shorter lines which are for SF = 0.73.)

STEP 8 Task priorities may be set using the algorithm presented in Sect. 3.

Fig. 2 Example of possible pWCET distributions
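One way to implement Steps 1 to 7, as an added sketch rather than the authors' generator. The function names, the default parameters and the placement of equally spaced intermediate points on the log-scale exceedance line are assumptions made here.

```python
import math
import random


def uunifast(n, total_u, rng):
    """STEP 1: n utilizations summing to total_u (Bini and Buttazzo 2005)."""
    utils, remaining = [], total_u
    for i in range(1, n):
        nxt = remaining * rng.random() ** (1.0 / (n - i))
        utils.append(remaining - nxt)
        remaining = nxt
    utils.append(remaining)
    return utils


def log_uniform(lo, hi, rng):
    """STEP 2: period drawn log-uniformly from [lo, hi]."""
    return math.exp(rng.uniform(math.log(lo), math.log(hi)))


def pwcet_distribution(c_min, c_max, size, p_max):
    """STEPS 6-7: list of (value, probability) with an exponential tail."""
    if size == 1:
        return [(c_max, 1.0)]
    step = (c_max - c_min) / (size - 1)
    values = [c_min + k * step for k in range(size - 1)] + [c_max]
    # Exceedance P(C >= values[k]) is a straight line on a log scale,
    # falling from 1 at c_min to p_max at c_max (assumed point placement).
    exceed = [p_max ** (k / (size - 1)) for k in range(size)] + [0.0]
    # Each value gets the drop in exceedance to the next value, so the
    # left-most point collects whatever mass the tail leaves over.
    return [(v, exceed[k] - exceed[k + 1]) for k, v in enumerate(values)]


def generate_task_set(n, total_u, rng, t_range=(10.0, 1000.0), sf=0.33,
                      size=5, p_max=1e-9, constrained=True):
    """Generate n tasks as dicts with period T, deadline D and a pWCET."""
    tasks = []
    for u in uunifast(n, total_u, rng):
        period = log_uniform(t_range[0], t_range[1], rng)
        c_max = u * period                              # STEP 3
        c_min = c_max if size == 1 else sf * c_max      # STEP 4
        # STEP 5: constrained deadline in [c_max, T], else implicit.
        deadline = rng.uniform(c_max, period) if constrained else period
        tasks.append({"T": period, "D": deadline, "C_max": c_max,
                      "pwcet": pwcet_distribution(c_min, c_max, size, p_max)})
    return tasks


if __name__ == "__main__":
    # Seed chosen arbitrarily so that the printed task set is reproducible.
    for task in generate_task_set(4, 0.8, random.Random(2022)):
        print("T=%.1f D=%.1f" % (task["T"], task["D"]))
        for value, prob in task["pwcet"]:
            print("    C=%.3f  p=%.3e" % (value, prob))
```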

References

Y. Abdeddaim, D. Maxim, Probabilistic schedulability analysis for fixed priority mixed criticality real-time systems, in Proceedings of the Conference on Design, Automation and Test in Europe (DATE), 2017
L. Abeni, G. Buttazzo, Integrating multimedia applications in hard real-time systems, in Proceedings of the IEEE Real-Time Systems Symposium (RTSS), Dec 1998, pp. 4–13. https://doi.org/10.1109/REAL.1998.739726
L. Abeni, G. Buttazzo, Qos guarantee using probabilistic deadlines, in Proceedings of the Euromicro Conference on Real-Time Systems (ECRTS), 1999, pp. 242–249. https://doi.org/10.1109/EMRTS.1999.777471
L. Abeni, N. Manica, L. Palopoli, Efficient and robust probabilistic guarantees for real-time tasks. J. Syst. Softw. 85(5), 1147–1156 (2012). ISSN:0164-1212. https://doi.org/10.1016/j.jss.2011.12.042
S. Altmeyer, R.I. Davis, On the correctness, optimality and precision of static probabilistic timing analysis, in Proceedings of the Conference on Design, Automation and Test in Europe (DATE), 2014, pp. 26:1–26:6. ISBN:978-3-9815370-2-4. http://dl.acm.org/citation.cfm?id=2616606.2616638
S. Altmeyer, L. Cucu-Grosjean, R.I. Davis, Static probabilistic timing analysis for real-time systems using random replacement caches. Springer Real-Time Syst. 51(1), 77–123 (2015). ISSN:1573-1383. https://doi.org/10.1007/s11241-014-9218-4
N. Audsley, On priority assignment in fixed priority scheduling. Info. Process. Lett. 79(1), 39–44 (2001). ISSN:0020-0190. https://doi.org/10.1016/S0020-0190(00)00165-4. http://www.sciencedirect.com/science/article/pii/S0020019000001654
S.K. Baruah, A. Burns, R.I. Davis, Response-time analysis for mixed criticality systems, in Proceedings of the IEEE Real-Time Systems Symposium (RTSS) (IEEE, 2011), pp. 34–43
S. Ben-Amor, D. Maxim, L. Cucu-Grosjean, Schedulability analysis of dependent probabilistic real-time tasks, in Proceedings of the International Conference on Real-Time Networks and Systems (RTNS) (ACM, 2016), pp. 99–107. ISBN:978-1-4503-4787-7. https://doi.org/10.1145/2997465.2997499
E. Bini, G. Buttazzo, Measuring the performance of schedulability tests. Real-Time Syst. 30(1–2), 129–154 (2005)
F.J. Cazorla, E. Quiñones, T. Vardanega, L. Cucu, B. Triquet, G. Bernat, E. Berger, J. Abella, F. Wartel, M. Houston, L. Santinelli, L. Kosmidis, C. Lo, D. Maxim, Proartis: probabilistically analyzable real-time systems. ACM Trans. Embed. Comput. Syst. 12(2s), 94:1–94:26 (2013). ISSN:1539-9087. https://doi.org/10.1145/2465787.2465796
K.H. Chen, J.J. Chen, Probabilistic schedulability tests for uniprocessor fixed-priority scheduling under soft errors, in Proceedings of the IEEE International Symposium on Industrial Embedded Systems (SIES), June 2017, pp. 1–8. https://doi.org/10.1109/SIES.2017.7993392
L. Cucu, E. Tovar, A framework for the response time analysis of fixed-priority tasks with stochastic inter-arrival times. SIGBED Rev. 3(1), 7–12 (2006). ISSN:1551-3688. https://doi.org/10.1145/1279711.1279714
L. Cucu-Grosjean, Independence a misunderstood property of and for probabilistic real-time systems, in Real-Time Systems: The Past, the Present and the Future, 2013, pp. 29–37
L. Cucu-Grosjean, L. Santinelli, M. Houston, C. Lo, T. Vardanega, L. Kosmidis, J. Abella, E. Mezzetti, E. Quinones, F.J. Cazorla, Measurement-based probabilistic timing analysis for multi-path programs, in Proceedings of the Euromicro Conference on Real-Time Systems (ECRTS), July 2012, pp. 91–101. https://doi.org/10.1109/ECRTS.2012.31
R.I. Davis, A review of fixed priority and EDF scheduling for hard real-time uniprocessor systems. ACM SIGBED Rev. 11(1), 8–19 (2014)
R.I. Davis, A. Burns, Improved priority assignment for global fixed priority pre-emptive scheduling in multiprocessor real-time systems. Real-Time Syst. 47(1), 1–40 (2011)
R.I. Davis, L. Santinelli, S. Altmeyer, C. Maiza, L. Cucu-Grosjean, Analysis of probabilistic cache related pre-emption delays, in Proceedings of the Euromicro Conference on Real-Time Systems (ECRTS), July 2013, pp. 168–179. https://doi.org/10.1109/ECRTS.2013.27
J.L. Diaz, D.F. Garcia, K. Kim, C.-G. Lee, L.L. Bello, J.M. Lopez, S.L. Min, O. Mirabella, Stochastic analysis of periodic real-time systems, in Proceedings of the IEEE Real-Time Systems Symposium (RTSS), 2002, pp. 289–300. https://doi.org/10.1109/REAL.2002.1181583
J.L. Diaz, J.M. Lopez, M. Garcia, A.M. Campos, K. Kim, L.L. Bello, Pessimism in the stochastic analysis of real-time systems: concept and applications, in Proceedings of the IEEE Real-Time Systems Symposium (RTSS), Dec 2004, pp. 197–207. https://doi.org/10.1109/REAL.2004.41
S. Draskovic, P. Huang, L. Thiele, On the safety of mixed-criticality scheduling, in Proceedings of Workshop on Mixed Criticality (WMC), 2016
P. Emberson, R. Stafford, R.I. Davis, Techniques for the synthesis of multiprocessor tasksets, in Proceedings 1st International Workshop on Analysis Tools and Methodologies for Embedded and Real-time Systems (WATERS 2010), 2010, pp. 6–11
B. Frias, L. Palopoli, L. Abeni, D. Fontanelli, Probabilistic real-time guarantees: there is life beyond the i.i.d. assumption, in Proceedings of the IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS), Apr 2017
M.K. Gardner, J.W.S. Liu, Analyzing Stochastic Fixed-Priority Real-Time Systems (Springer, Berlin/Heidelberg, 1999), pp. 44–58. ISBN:978-3-540-49059-3. https://doi.org/10.1007/3-54049059-0_4
J.P. Hansen, J.P. Lehoczky, H. Zhu, R. Rajkumar, Quantized EDF scheduling in a stochastic environment, in Proceedings of the 16th International Parallel and Distributed Processing Symposium, IPDPS’02 (IEEE Computer Society, Washington, DC, 2002), p. 279. ISBN:07695-1573-8. http://dl.acm.org/citation.cfm?id=645610.660905
M. Ivers, R. Ernst, Probabilistic Network Loads with Dependencies and the Effect on Queue Sojourn Times (Springer, Berlin/Heidelberg, 2009), pp. 280–296. ISBN:978-3-642-10625-5. https://doi.org/10.1007/978-3-642-10625-5_18
G.A. Kaczynski, L.L. Bello, T. Nolte, Deriving exact stochastic response times of periodic tasks in hybrid priority-driven soft real-time systems, in Proceedings of the IEEE Conference on Emerging Technologies Factory Automation (ETFA), Sept 2007, pp. 101–110. https://doi.org/10.1109/EFTA.2007.4416759
K. Kim, J.L. Diaz, L. Lo Bello, J.M. Lopez, C.-G. Lee, S.L. Min, An exact stochastic analysis of priority-driven periodic real-time systems and its approximations. IEEE Trans. Comput. 54(11), 1460–1466 (2005). ISSN:0018-9340. https://doi.org/10.1109/TC.2005.174
J.P. Lehoczky, Real-time queueing theory, in Proceedings of the IEEE Real-Time Systems Symposium (RTSS), Dec 1996, pp. 186–195. https://doi.org/10.1109/REAL.1996.563715
J. Lehoczky, L. Sha, Y. Ding, The rate monotonic scheduling algorithm: exact characterization and average case behavior, in Proceedings of the IEEE Real-Time Systems Symposium (RTSS), Dec 1989, pp. 166–171. https://doi.org/10.1109/REAL.1989.63567
B. Lesage, D. Griffin, S. Altmeyer, R.I. Davis, Static probabilistic timing analysis for multi-path programs, in Proceedings of the IEEE Real-Time Systems Symposium (RTSS), Dec 2015, pp. 361–372. https://doi.org/10.1109/RTSS.2015.41
B. Lesage, D. Griffin, S. Altmeyer, L. Cucu-Grosjean, R.I. Davis, On the analysis of random replacement caches using static probabilistic timing methods for multi-path programs. Real-Time Syst. Apr 2018, 54(2), 307–388. https://doi.org/10.1007/s11241-017-9295-2
J.Y.-T. Leung, J. Whitehead, On the complexity of fixed-priority scheduling of periodic, real-time tasks. Perform. Eval. 2(4), 237–250 (1982). ISSN:0166-5316. https://doi.org/10.1016/01665316(82)90024-4. http://www.sciencedirect.com/science/article/pii/0166531682900244
G. Lima, I. Bate, Valid application of evt in timing analysis by randomising execution time measurements, in Proceedings of the IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS), Apr 2017
G. Lima, D. Dias, E. Barros, Extreme value theory for estimating task execution time bounds: a careful look, in Proceedings of the Euromicro Conference on Real-Time Systems (ECRTS), July 2016
C.L. Liu, J.W. Layland, Scheduling algorithms for multiprogramming in a hard-real-time environment. J. ACM 20(1), 46–61 (1973). ISSN:0004-5411. https://doi.org/10.1145/321738.321743
J.M. López, J.L. Díaz, J. Entrialgo, D. García, Stochastic analysis of real-time systems under preemptive priority-driven scheduling. Springer Real-Time Syst. 40(2), 180–207 (2008). ISSN:1573-1383. https://doi.org/10.1007/s11241-008-9053-6
Y. Lu, T. Nolte, J. Kraft, C. Norstrom, Statistical-based response-time analysis of systems with execution dependencies between tasks, in Proceedings of the IEEE International Conference on Engineering of Complex Computer Systems (ICECCS), Mar 2010, pp. 169–179. https://doi.org/10.1109/ICECCS.2010.55
Y. Lu, T. Nolte, I. Bate, L. Cucu-Grosjean, A statistical response-time analysis of real-time embedded systems, in Proceedings of the IEEE Real-Time Systems Symposium (RTSS), Dec 2012, pp. 351–362. https://doi.org/10.1109/RTSS.2012.85
D. Maxim, L. Cucu-Grosjean, Response time analysis for fixed-priority tasks with multiple probabilistic parameters, in Proceedings of the IEEE Real-Time Systems Symposium (RTSS), 2013
D. Maxim, O. Buffet, L. Santinelli, L. Cucu-Grosjean, R. Davis, Optimal priority assignments for probabilistic real-time systems, in Proceedings of the International Conference on Real-Time Networks and Systems (RTNS), 2011
D. Maxim, M. Houston, L. Santinelli, G. Bernat, R.I. Davis, L. Cucu-Grosjean, Re-sampling for statistical timing analysis of real-time systems, in Proceedings of the International Conference on Real-Time Networks and Systems (RTNS), 2012
D. Maxim, F. Soboczenski, I. Bate, E. Tovar, Study of the reliability of statistical timing analysis for real-time systems, in Proceedings of the International Conference on Real-Time Networks and Systems (RTNS), 2015, pp. 55–64. ISBN:978-1-4503-3591-1. https://doi.org/10.1145/2834848.2834878
D. Maxim, R.I. Davis, L. Cucu-Grosjean, A. Easwaran, Probabilistic analysis for mixed criticality scheduling with SMC and AMC, in Proceedings of Workshop on Mixed Criticality (WMC), 2016
D. Maxim, R.I. Davis, L. Cucu-Grosjean, A. Easwaran, Probabilistic analysis for mixed criticality systems using fixed priority preemptive scheduling, in Proceedings of the International Conference on Real-Time Networks and Systems (RTNS) (ACM, 2017), pp. 237–246
L. Palopoli, D. Fontanelli, N. Manica, L. Abeni, An analytical bound for probabilistic deadlines, in Proceedings of the Euromicro Conference on Real-Time Systems (ECRTS), July 2012, pp. 179–188. https://doi.org/10.1109/ECRTS.2012.19
L. Santinelli, J. Morio, G. Dufour, D. Jacquemart, On the sustainability of the extreme value theory for WCET estimation, in Proceedings of the Workshop on Worst-Case Execution Time Analysis (WCET), 2014, pp. 21–30. https://doi.org/10.4230/OASIcs.WCET.2014.21
L. Santinelli, F. Guet, J. Morio, Revising measurement-based probabilistic timing analysis, in Proceedings of the IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS), Apr 2017
B. Tanasa, U.D. Bordoloi, P. Eles, Z. Peng, Probabilistic response time and joint analysis of periodic tasks, in Proceedings of the Euromicro Conference on Real-Time Systems (ECRTS), July 2015, pp. 235–246. https://doi.org/10.1109/ECRTS.2015.28
T.S. Tia, Z. Deng, M. Shankar, M. Storch, J. Sun, L.C. Wu, J.W.S. Liu, Probabilistic performance guarantee for real-time tasks with varying computation times, in Proceedings of the IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS), May 1995, pp. 164–173. https://doi.org/10.1109/RTTAS.1995.516213
F. Wartel, L. Kosmidis, C. Lo, B. Triquet, E. Quinones, J. Abella, A. Gogonel, A. Baldovin, E. Mezzetti, L. Cucu, T. Vardanega, F.J. Cazorla, Measurement-based probabilistic timing analysis: lessons from an integrated-modular avionics case study, in Proceedings of the IEEE International Symposium on Industrial Embedded Systems (SIES), June 2013, pp. 241–248. https://doi.org/10.1109/SIES.2013.6601497
R. Wilhelm, J. Engblom, A. Ermedahl, N. Holsti, S. Thesing, D. Whalley, G. Bernat, C. Ferdinand, R. Heckmann, T. Mitra, F. Mueller, I. Puaut, P. Puschner, J. Staschulat, P. Stenström, The worst-case execution-time problem overview of methods and survey of tools. ACM Trans. Embed. Comput. Syst. 7(3), 36:1–36:53 (2008). ISSN:1539-9087. https://doi.org/10.1145/1347375.1347389
M.H. Woodbury, K.G. Shin, Evaluation of the probability of dynamic failure and processor utilization for real-time systems, in Proceedings of the IEEE Real-Time Systems Symposium (RTSS), Dec 1988, pp. 222–231. https://doi.org/10.1109/REAL.1988.51117

11 Multiprocessor Real-Time Locking Protocols

Björn B. Brandenburg

Contents
1 Introduction
2 The Multiprocessor Real-Time Locking Problem
2.1 Common Assumptions
2.2 Key Design Choices
2.3 Analysis and Optimization Problems
2.4 Historical Perspective
3 Progress Mechanisms
3.1 Priority Inversion on Uniprocessors
3.2 Priority Inversion on Multiprocessors
3.3 Non-preemptive Sections
3.4 Priority Inheritance
3.5 Allocation Inheritance
3.6 Priority Boosting
3.7 Restricted Priority Boosting
3.8 Priority Raising
4 Spin-Lock Protocols
4.1 Spin-Lock Protocols for Partitioned Scheduling
4.2 Spin-Lock Protocols for Global Scheduling
5 Semaphore Protocols for Mutual Exclusion
5.1 Suspension-Oblivious Analysis of Semaphore Protocols
5.2 Suspension-Aware Analysis of Semaphore Protocols
6 Centralized Execution of Critical Sections
6.1 Advantages and Disadvantages
6.2 Centralized Protocols
6.3 Blocking Optimality
7 Independence Preservation: Avoiding the Blocking of Higher-Priority Tasks
7.1 Use Cases
7.2 Fully Preemptive Locking Protocols for Partitioned and Clustered Scheduling

B. B. Brandenburg
Max Planck Institute for Software Systems (MPI-SWS), Kaiserslautern, Germany
e-mail: [email protected]

© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_10


8 Protocols for Relaxed Exclusion Constraints
8.1 Phase-Fair Reader-Writer Locks
8.2 Multiprocessor Real-Time k-Exclusion Protocols
9 Nested Critical Sections
9.1 Coarse-Grained Nesting with Group Locks
9.2 Early Protocol Support for Nested Critical Sections
9.3 Recent Advances in Fine-Grained Multiprocessor Real-Time Locking
10 Implementation Aspects
10.1 Spin-Lock Algorithms
10.2 Avoiding System Calls
10.3 Implementations of Allocation Inheritance
10.4 RTOS and Programming Language Integration
11 Conclusion, Further Directions, and Open Issues
11.1 Further Research Directions
11.2 Open Problems
References

Abstract

We systematically survey the literature on analytically sound multiprocessor real-time locking protocols from 1988 until the end of 2017, covering the following topics:

• Progress mechanisms that prevent the lock-holder preemption problem
• Spin-lock protocols
• Binary semaphore protocols
• Independence-preserving (or fully preemptive) locking protocols
• Reader-writer synchronization
• k-exclusion synchronization
• Support for nested critical sections

A special focus is placed on the suspension-oblivious and suspension-aware analysis approaches for semaphore protocols, their respective notions of priority inversion, optimality criteria, and lower bounds on maximum priority inversion blocking, as well as matching asymptotically optimal locking protocols.

1 Introduction

In contrast to the thoroughly explored and well-understood uniprocessor real-time synchronization problem, the multiprocessor case considered herein is still the subject of much ongoing work. In particular, on uniprocessors, real-time locking protocols that are both optimal and practical have been readily available since the late 1980s and early 1990s (Theodore 1991; Rajkumar 1991a; Sha et al. 1990); can flexibly support mutual exclusion, reader-writer synchronization, and multiunit resources; and have by now also been widely adopted and deployed in industry (i.e., in POSIX, OSEK/AUTOSAR, etc.). Not so on multiprocessors: there is no widely agreed-upon standard protocol or approach, most proposals have focused exclusively on mutual exclusion to date (with works on reader-writer, k-exclusion, and multiunit synchronization starting to appear only in the past decade), and questions of optimality, practicality, and industrial adoption are still the subject of ongoing investigation and debate.

Another major difference to the uniprocessor case is the extent to which nested critical sections are supported: a large fraction of the work on multiprocessor real-time locking to date has simply disregarded (or defined away) fine-grained nesting (i.e., cases where a task holding a resource may dynamically acquire a second resource), though notable exceptions exist (discussed in Sect. 9). No such limitations exist in the state of the art on uniprocessor real-time synchronization.

We can thus expect the field to continue to evolve rapidly: it is simply not yet possible to provide a “final” and comprehensive survey on multiprocessor real-time locking as many open problems remain to be explored. Nonetheless, a considerable number of results have accumulated since the multiprocessor real-time locking problem was first studied more than three decades ago. The purpose of this survey is hence to provide a systematic review of the current snapshot of this body of work, covering most papers in this area published until the end of 2017.

We restrict the scope of this survey to real-time locking protocols for shared-memory multiprocessors (although some of the techniques discussed in Sect. 6 could also find applications in distributed systems) and do not consider alternative synchronization strategies such as lock- and wait-free algorithms, transactional memory techniques, or middleware (or database) approaches that provide a higher-level transactional interface or multi-versioned data store abstraction (as any of these techniques warrants a full survey on its own). We further restrict the focus to runtime mechanisms as commonly provided by real-time operating systems (RTOSs) or programming language runtimes for use in dynamically scheduled systems and exclude fully static planning approaches (e.g., as studied by Xu 1993) that resolve (or avoid) all potential resource conflicts statically during the construction of the static system schedule so that no runtime resource arbitration mechanisms are needed.

Our goal is to structure the existing body of knowledge on multiprocessor real-time locking protocols to aid the interested reader in understanding key problems, established solutions, and recurring themes and techniques. We therefore focus primarily on ideas, algorithms, and provable guarantees and place less emphasis on empirical performance comparisons or the chronological order of developments.

2 The Multiprocessor Real-Time Locking Problem

We begin by defining the core problems and objectives, summarizing common assumptions, and surveying key design parameters. Consider a shared-memory multiprocessor platform consisting of m identical processors (or cores) hosting n sequential tasks (or threads) denoted as τ1, . . . , τn. Each activation of a task is called a job. In this document, we use the terms “processor” and “core” interchangeably and do not precisely distinguish between jobs and tasks when the meaning is clear from context.

The tasks share a number of software-managed shared resources 1 , 2 , 3 , . . . that are explicitly acquired and released with lock() and unlock() calls. Common examples of such resources include shared data structures, OS internal structures such as the scheduler’s ready queue(s), I/O ports, memory-mapped device registers and ring buffers, etc. that must be accessed in a mutually exclusive fashion (we consider weaker exclusion requirements later in Sect. 8). (There also exist a number of hardware-managed, implicitly shared resources in multicore platforms such as shared last-level caches (LLCs), memory buses, DRAM banks, etc.; techniques for managing such hardware resources are not the subject of this survey.)

The primary objective of the algorithms considered herein is to serialize all resource requests – that is, each task’s critical sections surrounded by matching lock() and unlock() calls – such that the timing constraints of all tasks are met, despite the blocking delays that tasks incur when waiting to gain access to a contested resource. In particular, in order to give nontrivial response-time guarantees, it must be possible to bound the maximum (i.e., worst-case) blocking delay incurred by any task due to contention for shared resources. To this end, a multiprocessor real-time locking protocol determines which type of locks are used, the rules that tasks must follow to request a lock on a resource, and how locks interact with the scheduler. We discuss these design questions in more detail below.

2.1 Common Assumptions

Although there exists much diversity in system models and general context, most surveyed works share the following basic assumptions (significant deviations will be noted where relevant).

Tasks are typically considered to follow a periodic or sporadic activation pattern, where the two models can be used largely interchangeably since hardly any work on multiprocessor real-time locking protocols to date has exploited the knowledge of future periodic arrivals. The timing requirements of the tasks are usually expressed as implicit or constrained deadlines (rather than arbitrary deadlines), since arbitrary deadlines that exceed a task’s period (or minimum inter-arrival time) allow for increased contention and cause additional analytical complications.

For the purpose of schedulability analysis, but not for the operation of a locking protocol at runtime, it is required to know a worst-case execution time (WCET) bound for each task, usually including the cost of all critical sections (but not including any blocking delays), and also individually for each critical section (i.e., a maximum critical section length must be known for each critical section). Furthermore, to enable a meaningful blocking analysis, the maximum number of critical sections in each job (i.e., the maximum number of lock() calls per activation of each task) must be known on a per-resource basis.

While it is generally impossible to make strong a priori response-time guarantees without this information (for at least some of the tasks), to be practical, it is generally desirable for a locking protocol to work as intended even if this information is unknown at runtime. For example, RTOSs are typically used for many purposes, and not all workloads will be subject to static analysis – the implemented locking protocol should function correctly and predictably nonetheless. Similarly, during early prototyping of a system, sound bounds are usually not yet available, but the RTOS is expected to behave just as it will in the final version of the system.

With regard to scheduling, most of the covered papers assume either partitioned or global multiprocessor scheduling. Under partitioned scheduling, each task is statically assigned to exactly one of the m processors (i.e., its partition), and each processor is scheduled using a uniprocessor policy such as fixed-priority (FP) scheduling or earliest-deadline first (EDF) scheduling. The two most prominent partitioned policies are partitioned FP (P-FP) and partitioned EDF (P-EDF) scheduling. Under global scheduling, all tasks are dynamically dispatched at runtime, migrate freely, and may execute on any of the m processors. Widely studied examples include global FP (G-FP) and global EDF (G-EDF) scheduling, as well as optimal policies such as Pfair scheduling (Baruah et al. 1996; Srinivasan and Anderson 2006).

A third, more general notion is clustered scheduling, which generalizes both global and partitioned scheduling. Under clustered scheduling, the set of m cores is split into a number of disjoint clusters (i.e., disjoint subsets of cores), tasks are statically assigned to clusters, and each cluster is scheduled locally and independently using a “global” scheduling policy (w.r.t. the cores that form the cluster). We let c denote the number of cores in a cluster. Global scheduling is a special case of clustered scheduling where m = c, and partitioned scheduling is the other extreme where c = 1. While clustered scheduling is a more general assumption (i.e., any locking protocol designed for clustered scheduling also works for global and partitioned scheduling), it also comes with the combined challenges of both global and partitioned scheduling and is hence generally much more difficult to deal with. Historically, most authors have thus focused on either global or partitioned scheduling.

Under partitioned and clustered scheduling, it is useful to distinguish between global and local resources. Under partitioned (respectively, clustered) scheduling, a shared resource is considered local if it is accessed only by tasks that are all assigned to the same core (respectively, cluster). In contrast, a resource is global if it is accessed by at least two tasks assigned to two different partitions (respectively, clusters). The advantage of this distinction is that local resources can be managed with existing, simpler, and often more efficient protocols:

• Under partitioned scheduling, local resources can be managed using one of the known, optimal uniprocessor protocols (e.g., the PCP (Sha et al. 1990) or the SRP (Theodore 1991)).
• Under clustered scheduling, local resources can be managed using a (usually simpler) protocol for global scheduling (instantiated within each cluster).

In the following, we therefore consider only global resources, which are more challenging to manage.

2.2 Key Design Choices

Given the common setting outlined above, there are a number of key design questions that any multiprocessor real-time locking protocol must answer. We next provide a high-level overview of these issues.

2.2.1 Request Order

The first key design parameter is the serialization order for conflicting requests. Whenever two or more requests for a resource are simultaneously blocked, the protocol must specify a policy for sequencing the waiting requests. The two most common choices are FIFO queuing, which ensures basic fairness (i.e., non-starvation) and is easy to implement and analysis friendly, and priority queuing, which allows control over the amount of blocking incurred by different tasks. As a third choice, there also exist some situations (discussed in Sect. 5.1) in which the use of hybrid queues consisting of both FIFO- and priority-ordered segments can be advantageous.

When using priority queues, each request must be associated with a priority to determine its position in the wait queue. The common choice is to use a task’s scheduling priority, but it is also possible to use a separate request priority, which can be selected on a per-resource or even on a per-critical section basis. The latter obviously provides a considerable degree of flexibility but is not commonly considered since it introduces a nontrivial configuration problem. FIFO and priority queuing can be generalized in a straightforward way by requiring that equal-priority requests are satisfied in FIFO order.

Finally, implementation concerns may sometimes necessitate the use of unordered locks (e.g., primitive test-and-set spin locks), which do not provide any guarantees regarding the order in which conflicting critical sections will execute.

2.2.2 Spinning vs. Suspending

The second main question is how tasks should wait in case of contention. The two principal choices are busy-waiting (i.e., spinning) and suspending. In the case of busy-waiting, a blocked task continues to occupy its processor and simply executes a tight delay loop, continuously checking whether it has been granted the lock, until it gains access to the shared resource. Alternatively, if tasks wait by suspending, a blocked task yields the processor and is taken out of the scheduler’s ready queue until it is granted the requested resource.

This is not an easy choice, as there are many advantages and disadvantages associated with either approach. On the one hand, suspension-based waiting is conceptually more efficient: busy-waiting obviously wastes processor cycles, whereas suspension-based waiting allows the wait times of one task to be overlaid with useful computation by another task. On the other hand, busy-waiting is easier to implement and easier to analyze and requires less OS support, and the cost of suspending and resuming a task can easily dwarf typical critical section lengths. Spin locks also provide predictability advantages that can aid in the static analysis of the system (e.g., a busy-waiting task “protects” its processor and cache state, whereas it is generally difficult to predict the cache contents encountered by a resuming task).

Whether spinning or suspending is more efficient ultimately depends on workload and system characteristics, such as the cost of suspending and resuming tasks relative to critical section lengths, and it is impossible to categorically declare one or the other to be the “best” choice. Generally speaking, “short” critical sections favor busy-waiting, whereas “long” critical sections necessitate suspensions, but the threshold between “short” and “long” is highly system- and application-specific. We discuss spin-based locking protocols in Sects. 4, 7, and 8 and suspension-based locking protocols in Sects. 5, 6, 7, and 8.
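The effect of the request order from Sect. 2.2.1 on blocking, as an added example that is not part of the chapter: one resource is served under FIFO queuing and under priority queuing with FIFO tie-breaking, where FIFO is simply the case in which all requests carry the same key. The task names, the request trace and the model (each task on its own processor, critical sections run to completion once granted) are assumptions made for illustration.

```python
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    task: str      # issuing task (constructed names T1..T4)
    arrival: int   # time of the lock() call
    length: int    # critical section length
    priority: int  # request priority; lower value = higher priority


def serve(requests, policy):
    """Serialize all requests for one resource.

    policy == "fifo":     every request gets the same key, so the arrival
                          sequence number alone decides (plain FIFO).
    policy == "priority": ordered by request priority; equal priorities
                          fall back to FIFO via the sequence number.
    Returns (grant order, {(task, arrival): blocking delay}).
    """
    if policy not in ("fifo", "priority"):
        raise ValueError(policy)
    pending = sorted(requests, key=lambda r: r.arrival)
    queue, order, delay = [], [], {}
    t = i = seq = 0
    while i < len(pending) or queue:
        if not queue and pending[i].arrival > t:
            t = pending[i].arrival          # resource idle until next lock()
        while i < len(pending) and pending[i].arrival <= t:
            r = pending[i]
            key = 0 if policy == "fifo" else r.priority
            heapq.heappush(queue, (key, seq, r))
            seq += 1
            i += 1
        _, _, r = heapq.heappop(queue)      # next request to be granted
        delay[(r.task, r.arrival)] = t - r.arrival
        order.append(r.task)
        t += r.length                       # unlock() after the critical section
    return order, delay


def max_blocking(requests, policy):
    """Worst blocking delay observed per task in this trace."""
    _, delay = serve(requests, policy)
    worst = {}
    for (task, _), d in delay.items():
        worst[task] = max(worst.get(task, 0), d)
    return worst


def constructed_trace(rounds):
    """Constructed trace: T3 holds the lock first, low-priority T4 queues
    behind it, then T1 and T2 issue one request each per round."""
    reqs = [Request("T3", 0, 4, 3), Request("T4", 1, 2, 4)]
    for k in range(rounds):
        reqs.append(Request("T1", 2 + 6 * k, 3, 1))
        reqs.append(Request("T2", 3 + 6 * k, 3, 2))
    return reqs


if __name__ == "__main__":
    for rounds in (1, 2, 3):
        for policy in ("fifo", "priority"):
            print(rounds, policy, max_blocking(constructed_trace(rounds), policy))
```

In this trace, priority queuing halves T1's worst-case delay, while T4's delay grows by one round of higher-priority critical sections for every extra round; under FIFO, T4's delay stays constant.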

2.2.3 Progress Mechanism

A third major choice is the question of how to deal with the lock-holder preemption problem, which is tightly coupled to the choice of scheduler, the employed analysis approach, and the constraints of the target workload. If a lock-holding task is preempted by a higher-priority task, then any other task waiting for the resource held by the preempted task is transitively delayed as well. This can give rise to (potentially) unbounded priority inversions (i.e., excessive delays that are difficult to bound), which must be avoided in a real-time system. To this end, it is at times necessary to (selectively) force the execution of lock-holding tasks by means of a progress mechanism. As this is a crucial aspect of multiprocessor real-time locking protocols, we dedicate Sect. 3 to this issue and common solutions.

2.2.4 Support for Fine-Grained Nesting

Fine-grained locking, where a task concurrently acquires multiple locks in a nested, incremental fashion, is a major source of complications in both the analysis and the implementation of multiprocessor real-time locking protocols. In particular, it comes with the risk of potential deadlock, and even if application programmers are careful to avoid deadlocks, nesting still introduces intricate transitive blocking effects that are extremely challenging to analyze accurately and efficiently. Furthermore, in many cases, support for fine-grained nesting leads to substantially more involved protocol rules and more heavyweight OS support.

As a result, as already mentioned in Sect. 1, many works on multiprocessor real-time locking protocols simply disallow the nesting of critical sections altogether or, under partitioned scheduling, restrict nesting to local resources only, where it can be resolved easily with classic uniprocessor solutions (Theodore 1991; Rajkumar 1991a; Sha et al. 1990).

Another common approach is to sidestep the issue by relying on two-phase locking schemes with all-or-nothing semantics (i.e., a task either atomically acquires all requested locks or holds none) or simple group lock approaches that automatically aggregate fine-grained, nested critical sections into coarse-grained, non-nested lock requests. From an analysis point of view, two-phase locking and group locking are conveniently similar to protocols that disallow nesting altogether, but from an application point of view, they impose limitations that may be difficult to accommodate in practice.

Only recently have there been renewed efforts toward full, unrestricted support for fine-grained nesting (e.g., Biondi et al. 2016; Ward and Anderson 2012), and there remains ample opportunity for future work. We discuss the issues surrounding fine-grained nesting and the state of the art in Sect. 9 and until then focus exclusively on non-nested critical sections.

2.2.5 In-Place vs. Centralized Critical Sections

The final choice is where to execute a critical section once the lock has been acquired. In shared-memory systems, the typical choice is to execute critical sections in place, meaning that a task executes its critical sections as part of its regular execution, on the processor that it is (currently) assigned to by the scheduler. However, that is not the only choice. It is also possible to a priori designate a synchronization processor for a particular resource, to the effect that all critical sections (pertaining to the resource) must be executed on the designated synchronization processor. This can yield analytical benefits (i.e., less blocking in the worst case; Brandenburg 2013b), a reduction in worst-case overheads (Cerqueira et al. 2014), and throughput benefits due to improved cache affinity (Lozi et al. 2012). Furthermore, for specialized hardware resources, such as certain I/O devices, it might simply be unavoidable on some platforms (e.g., in a heterogeneous multiprocessor platform, one processor might be a designated I/O processor). We discuss protocols that rely on designated synchronization processors in Sect. 6 and for now focus exclusively on in-place execution.

2.3 Analysis and Optimization Problems

In addition to the just-discussed design choices, which determine the runtime behavior of the protocol, there are also a number of challenging design-time problems related to the a priori timing and schedulability analysis of the system, fundamental optimality questions, and system optimization and design-space exploration problems.

Most prominently, as a prerequisite to schedulability analysis, the blocking analysis problem asks to bound the worst-case delay due to resource conflicts. That is, given a workload, a multiprocessor platform, and a specific multiprocessor real-time locking protocol, the objective is to compute a safe (and as accurate as possible) upper bound on the maximum additional delay encountered by a given task in any possible execution of the system. Once such a bound is known for each task, hard timing guarantees can be made with a blocking-aware schedulability or response-time analysis. In some instances, it can be more accurate to carry out both the blocking analysis and the blocking-aware schedulability analysis jointly in a single step (e.g., Yang et al. 2015).

A large number of ad hoc, protocol-specific blocking analyses have been developed over the years. Additionally, a more general holistic blocking analysis framework (Brandenburg 2011) and a blocking analysis approach based on linear programming (LP) and mixed integer linear programming (MILP) have been introduced to systematically reduce analysis pessimism (Biondi and Brandenburg 2016; Biondi et al. 2016; Brandenburg 2013b; Wieder and Brandenburg 2013b; Yang et al. 2015). These more recent analysis frameworks represent a general approach that can be (and has been) applied to many different locking protocols; we will note their use and discuss advantages in the context of specific locking protocols in Sects. 4.1, 5.2.2, 5.2.3, and 9.

Clearly, it is generally desirable for blocking bounds to be as low as possible. However, if locks are used to resolve contention at runtime, it is also obvious that, in the worst case, some delays are inevitable. This observation naturally leads to the question of asymptotic blocking optimality: generally speaking, what is the least bound on maximum blocking that any protocol can achieve? This question has been studied primarily in the context of suspension-based locking protocols (since the spin-based case is relatively straightforward), and a number of protocols with provably optimal asymptotic blocking bounds have been found. We will discuss this notion of optimality and the corresponding protocols in Sect. 5.

Another notion of optimality that has been used to characterize multiprocessor real-time locking protocols is resource augmentation and processor speedup bounds, which relate a protocol’s timing guarantees to that of a hypothetical optimal one in terms of the additional resources (or processor speed increases) needed to overcome the protocol’s nonoptimality. While this is a stronger notion of optimality than asymptotic blocking optimality – speedup and resource-augmentation results consider both blocking and scheduling, whereas asymptotic blocking optimality is concerned solely with the magnitude of blocking bounds – existing speedup and resource-augmentation results have been obtained under very restrictive assumptions (e.g., only one critical section per task) and yield quite large augmentation and speedup factors. We briefly mention some relevant works in Sect. 11.1.

Last but not least, a large number of challenging system optimization and design-space exploration problems can be formalized under consideration of synchronization constraints. Prominent examples include:

• The task mapping problem – given a processor platform, a scheduling policy, and a locking protocol, find an assignment of tasks to processors (or clusters) that renders the system schedulable, potentially while optimizing some other criteria (e.g., average response times, memory needs, energy or thermal budgets, etc.).
• Resource mapping problems – select for each shared resource a designated synchronization processor such that the system becomes schedulable.
• Platform minimization problems – given a workload, scheduling policy, and locking protocol, minimize the number of required cores.
• Policy selection problems – given a workload and a platform, identify (potentially on a per-resource basis) a locking protocol (or an alternative synchronization approach) that renders the system schedulable, again potentially while simultaneously optimizing for other criteria.
• Many variations and combinations of these and similar problems.

Not surprisingly, virtually all interesting problems of these kinds are NP-hard since they typically involve solving one or more bin-packing-like problems. While a detailed consideration of optimization techniques is beyond the scope of this survey, we briefly mention some representative results that exemplify these types of system integration and optimization problems in Sect. 11.1.

2.4

Historical Perspective

Historically, the field traces its roots to the 1980s. While a discussion of the challenges surrounding multiprocessor synchronization in real-time systems, including a discussion of the respective merits of spin- and suspension-based primitives, can be already found in an early critique of ADA (Roberts et al. 1981) published in 1981, the first multiprocessor real-time locking protocol backed by a sound schedulability analysis taking worst-case blocking delays into account is Rajkumar et al.’s Distributed Priority Ceiling Protocol (DPCP) (Rajkumar et al. 1988), which appeared in 1988. This result was followed in 1990 by the Multiprocessor Priority Ceiling Protocol (MPCP) (Rajkumar 1990), the second foundational protocol that had (and continues to have) a large impact on the field and which in many ways still represents the prototypical suspension-based protocol for partitioned scheduling (which however should not obscure the fact that many other also well-performing alternatives have been proposed since). Throughout the 1990s, a number of protocols and lock implementations appeared; however, as multiprocessor real-time systems were still somewhat of a rarity at the time, multiprocessor synchronization was not yet a major concern in the real-time community. This fundamentally changed with the advent of multicore processors and multiprocessor system-on-a-chip (MPSoC) platforms in the early to mid-2000s. Motivated by these trends and the desire to minimize the use of stack memory in such systems, Gai et al. published a highly influential paper in 2001 proposing the Multiprocessor Stack Resource Policy (MSRP) (Gai et al. 2001). While Gai et al.’s schedulability and blocking analysis has since been superseded by later, more accurate analyses (Biondi and Brandenburg 2016; Biondi et al. 2016; Brandenburg 2011; Wieder and Brandenburg 2013b), the MSRP remains the prototypical spin-based multiprocessor real-time locking protocol. 
Another influential paper motivated by the widespread emergence of multicores as the standard computing platform was published in 2007 by Block et al., who introduced the Flexible Multiprocessor Locking Protocol (FMLP) (Block et al. 2007), which combined many of the advantages of the MPCP and the MSRP and which was the first to provide full support for both global and partitioned scheduling. The FMLP paper marked the beginning of the recent surge in interest in multiprocessor real-time locking: since 2007, every year has seen more than a dozen publications in this area – about 140 in total in the past decade, which is almost three times as many as published in the 20 years prior – with no signs of a slowdown in sight. We dedicate the rest of this survey to a systematic review (rather than a chronological one) of this vibrant field.

3 Progress Mechanisms

At the heart of every effective multiprocessor real-time locking protocol is a progress mechanism to expedite the completion of critical sections that otherwise might cause excessive blocking to higher-priority or remote tasks. More specifically, a progress mechanism forces the scheduling of lock-holding tasks (either selectively or unconditionally), thereby temporarily overriding the normal scheduling policy. In this section, we review the major progress mechanisms developed to date and provide example schedules that illustrate key ideas. As a convention, unless noted otherwise, we use fixed-priority (FP) scheduling in our examples and assume that tasks are indexed in order of strictly decreasing priority (i.e., τ1 is always the highest-priority task). All examples in this section further assume the use of basic suspension- or spin-based locks (i.e., raw locks without additional protocol rules); by design the specifics are irrelevant.

3.1 Priority Inversion on Uniprocessors

To understand the importance of progress mechanisms and why multiprocessor-specific mechanisms are needed, it is helpful to first briefly review the threat of “unbounded priority inversions” on uniprocessors and how it is mitigated in classic uniprocessor real-time locking protocols. Figure 1 shows the classic “unbounded priority inversion” example of three tasks under FP scheduling. At time 1, the lowest-priority task τ3 locks a resource that it shares with the highest-priority task τ1. When τ1 is activated at time 2, it also tries to lock the resource (at time 3) and thus becomes blocked by τ3’s critical section, which intuitively constitutes a priority inversion since τ1 is pending (i.e., it has unfinished work to complete before its deadline) and has higher priority than τ3, but τ3 is scheduled instead of τ1. When the “middle-priority” task τ2 is activated at time 4, it preempts the lock-holding, lower-priority task τ3, which delays the completion of τ3’s critical section, which in turn continues to block τ1, until τ2 completes and yields the processor at time 19 (at which point τ1 has already missed its deadline). Since τ2 has lower priority than the pending (but not scheduled) τ1, this delay also constitutes a priority inversion. And since the length of this priority inversion is determined by τ2’s WCET, which in general could be arbitrarily large, this is traditionally considered to be an “unbounded” priority inversion (even though technically it is bounded by the maximum scheduling interference incurred by τ3). That is, a priority inversion is traditionally considered “bounded” only if a bound on its maximum duration can be expressed as a function of only the maximum critical section length and the number of concurrent critical sections, and which is independent of all tasks’ WCETs, since WCETs are expected to usually be (much) larger than typical critical section lengths.

Fig. 1 Example FP schedule of three tasks demonstrating an “unbounded” priority inversion on a uniprocessor. Irrelevant deadlines are omitted from this and all following figures to reduce clutter

To summarize, on uniprocessors, “unbounded” priority inversion arises as a consequence of the lock-holder preemption problem, and it is problematic because it renders the response times of high-priority tasks (e.g., τ1’s in Fig. 1) dependent on lower-priority tasks’ WCETs (e.g., τ2’s in Fig. 1). This contradicts the purpose of priority-driven scheduling, where higher-priority tasks should remain largely independent of the processor demands of lower-priority tasks (or jobs). On uniprocessors, classic progress mechanisms such as priority inheritance (Sha et al. 1990) or priority-ceiling protocols (Theodore 1991; Sha et al. 1990) avoid unbounded priority inversion, either by raising the priority of lock-holding tasks or by delaying the release of higher-priority tasks.

3.2 Priority Inversion on Multiprocessors

The lock-holder preemption problem of course also exists on multiprocessors. For example, Fig. 2 shows a situation comparable to Fig. 1 involving four tasks on m = 2 processors under G-FP scheduling. Analogously to the uniprocessor example, the lock-holding task τ4 is preempted due to the arrival of two higher-priority tasks at times 2 and 3, respectively, which in turn induces an “unbounded” priority inversion (i.e., an unwanted dependency on the WCETs of lower-priority tasks) in the highest-priority (and blocked) task τ1.

Fig. 2 Example G-FP schedule of four tasks on two processors demonstrating an “unbounded” priority inversion on a globally scheduled multiprocessor

However, in addition to creating an unwanted dependency of high- on low-priority tasks (or jobs), an untimely preemption of a lock holder can also induce undesirable dependencies on remote tasks or jobs. For instance, consider the example in Fig. 3, which shows a partitioned fixed-priority (P-FP) schedule illustrating an “unbounded” priority inversion due to a remote task. Compared to the uniprocessor example in Fig. 1, the roles of τ2 and τ1 have been switched, and τ2 has been assigned (by itself) to processor 2. Again, the lock-holding task τ3 is preempted at time 3 by a higher-priority task (τ1 in this case). As a result, task τ2 incurs a transitive delay proportional to τ1’s WCET, even though τ1 is an unrelated remote task (from the point of view of τ2) that τ2’s response time intuitively should not depend on. Specifically, even though τ1 may have a numerically higher priority, when analyzing each processor as a uniprocessor system (the standard approach under partitioned scheduling), the delay transitively incurred by τ2 due to τ1 must be considered an extraordinary source of interference akin to a priority inversion since there is no local higher-priority task that executes on processor 2 while τ2 is pending.

Fig. 3 Example P-FP schedule of three tasks on two processors demonstrating an “unbounded” priority inversion due to a remote task under partitioned scheduling

As a result, multiprocessor systems require a more general notion of “priority inversion.” To capture delays due to remote critical sections, the definition of priority inversion under partitioned scheduling must include not only the classic case where a (local) lower-priority task is scheduled instead of a pending, but blocked (local) higher-priority task, but also the case where a processor idles despite the presence of a pending (but remotely blocked) higher-priority task. Analogously, under global scheduling on an m-processor platform, any situation in which fewer than m higher- or equal-priority tasks are scheduled while some task is waiting constitutes a priority inversion. Both cases (partitioned and global scheduling) can be captured precisely with the following definition. Recall that clustered scheduling generalizes both global and partitioned scheduling.

Definition 1 A job J of task τi, assigned to a cluster C consisting of c cores, suffers priority inversion blocking (pi-blocking) at time t if and only if:
1. J is pending (i.e., released and incomplete) at time t.
2. J is not scheduled at time t.
3. Fewer than c jobs, of tasks assigned to cluster C, with priority equal or higher than J are scheduled on processors belonging to τi’s assigned cluster C.

Under partitioned scheduling c = 1, and under global scheduling c = m. We prefer the specific term “pi-blocking” rather than the more common but also somewhat vague term “blocking” since the latter is often also used in an OS context to denote suspensions of any kind, whereas we are explicitly interested only in delays that constitute a priority inversion. Note that Definition 1 is defined in terms of jobs (and not tasks) to cover the full range of job-level fixed-priority (JLFP) policies and in particular earliest-deadline first (EDF) scheduling. We will further refine Definition 1 in Sect. 5 to take into account further subtleties related to the analysis of self-suspensions.

Applying Definition 1 to the example in Fig. 1, we observe that τ1 indeed incurs pi-blocking from time 3 until time 20, since τ1 is pending, but not scheduled, and fewer than c = 1 higher-priority jobs are scheduled, matching the intuitive notion of “priority inversion.” In Fig. 2, τ1 suffers pi-blocking from time 2 until time 19 since fewer than c = m = 2 higher-priority jobs are scheduled, while τ1 waits to acquire the resource shared with τ4 (under global scheduling, any locking-induced suspension constitutes a priority inversion for the top m highest-priority jobs). Similarly, in Fig. 3, τ2 suffers pi-blocking from time 2 until time 19 since in its cluster (i.e., its assigned core) it is pending and not scheduled and fewer than c = 1 higher-priority jobs are scheduled (in fact, none are scheduled at all).

3.3 Non-preemptive Sections

Several mechanisms (i.e., scheduling rules) have been proposed to ensure a bounded maximum (cumulative) duration of pi-blocking. The simplest solution is to let tasks spin and make every lock request a non-preemptive section: if tasks execute critical sections non-preemptively, then it is simply impossible for a lock holder to be preempted within a critical section. Figure 4 illustrates how turning critical sections into non-preemptive sections prevents “unbounded” pi-blocking in the example scenario previously shown in Fig. 3. In Fig. 4, because τ3 cannot be preempted from time 1 until time 4, the preemption due to the arrival of τ1 is deferred, which ensures that the lock is released in a timely manner, and so τ2 can meet its deadline at time 16. However, the delay now incurred by τ1 during the interval [3,4) also constitutes pi-blocking. This highlights an important point: progress mechanisms do not come “for free.” Rather, they must strike a balance between the delay incurred by tasks waiting to acquire a resource (e.g., τ2 in Fig. 4) and the delay incurred by higher-priority tasks (e.g., τ1 in Fig. 4) when the completion of critical sections is forced (i.e., when the normal scheduling order is overridden).

Fig. 4 Example P-FP schedule of three tasks on two processors assuming non-preemptive critical sections

Executing lock requests as non-preemptive sections is also effective under clustered scheduling (and hence also under global scheduling). However, there exists a subtlety w.r.t. how delayed preemptions are realized that does not arise on uniprocessors or under partitioned scheduling. Consider the example schedules in Figs. 5 and 6, which show two possible variants of the scenario previously depicted in Fig. 2. In particular, since τ4 executes its critical section non-preemptively from time 1 to time 4, τ2 cannot preempt τ4 – the lowest-priority scheduled task – at time 3. However, there does exist another lower-priority task that can be preempted at the time, namely, τ3. Should τ2 immediately preempt τ3 or should it wait until time 4, when τ4, which intuitively should have been the preemption victim, finishes its non-preemptive section? Both interpretations of global scheduling are possible (Block et al. 2007; Brandenburg 2011). The former approach is called eager preemptions; the latter is conversely called lazy preemptions (Brandenburg 2011) or link-based global scheduling (Block et al. 2007).
Whereas eager preemptions are easier to implement from an OS point of view, this approach suffers from the disadvantage that a job can suffer pi-blocking repeatedly due to non-preemptive sections in any unrelated lower-priority tasks and unpredictably at any point during its execution: in the worst case, a job can be preempted and suffer pi-blocking whenever a higher-priority job is released (such as τ3 at time 3 in Fig. 5), which is difficult to analyze and bound accurately.

Fig. 5 Example G-FP schedule of four tasks on two processors assuming non-preemptive critical sections with eager preemptions

In contrast, on a uniprocessor (and under partitioned scheduling), in the absence of self-suspensions, a job suffers pi-blocking due to a lower-priority job’s non-preemptive section at most once (i.e., immediately upon its release, or not at all), a property that greatly aids worst-case analysis. The lazy preemption approach, aiming to restore this convenient property, reduces the number of situations in which a job is repeatedly preempted due to a non-preemptive section in a lower-priority job (Block et al. 2007; Brandenburg 2011). While the lazy preemption approach cannot completely eliminate the occurrence of repeated preemptions in all situations (Brandenburg and Anderson 2014), under a common analysis approach – namely, if task execution times are inflated to account for delays due to spinning and priority inversions (discussed in Sects. 4 and 5.1) – it does ensure that pi-blocking due to a non-preemptive section in a lower-priority job has to be accounted for only once per job (in the absence of self-suspensions) (Block et al. 2007; Brandenburg 2011; Brandenburg and Anderson 2014), analogously to the reasoning in the case of uniprocessors or partitioned scheduling. In other words, lazy preemption semantics ensure analysis conditions that are favorable for inflation-based analysis.

Fig. 6 Example G-FP schedule of four tasks on two processors assuming non-preemptive critical sections with lazy preemptions (i.e., assuming link-based global scheduling)

Link-based global scheduling (Block et al. 2007; Brandenburg 2011), which realizes lazy preemptions, derives its name from the fact that it establishes a “link” between a newly released job and the non-preemptively executing job that it should have preempted (if any); the deferred preemption is then enacted as soon as the linked job exits its non-preemptive section, which can be implemented efficiently (Brandenburg 2011). Link-based global scheduling has been implemented and evaluated in a real OS (Brandenburg 2011; Brandenburg et al. 2008) and is available as part of LITMUS^RT (see http://www.litmus-rt.org).

Non-preemptive execution can be achieved in several ways, depending on the OS and the environment. In a microcontroller setting and within OS kernels, preemptions are typically avoided by disabling interrupts. In UNIX-class RTOSs with a user-mode/kernel-mode divide, where code running in user mode cannot disable interrupts, non-preemptive execution can be easily emulated by reserving a priority greater than that of any “regular” job priority for tasks within critical sections.

Regardless of how non-preemptive sections are realized, the major drawback of this progress mechanism is that it can result in unacceptable latency spikes, either if critical sections are unsuitably long or if (some of the) higher-priority tasks are particularly latency-sensitive. For example, consider the scenario shown in Fig. 7, which is similar to the one depicted in Fig. 4, with the exception that another high-priority task with a tight relative deadline of only two time units has been introduced as τ1 on processor 1. Since this task has very little tolerance for any kind of delay, it is clearly infeasible to just turn τ4’s request into a non-preemptive section since it is “too long” relative to τ1’s latency tolerance, as shown in Fig. 7.
However, not doing anything is also not a viable option since then τ2 would transitively cause τ3 to miss its deadline at time 16, similarly to the scenario shown in Fig. 3.

Fig. 7 Example P-FP schedule of four tasks, one of which is particularly latency-sensitive, on two processors assuming non-preemptive critical sections


3.4 Priority Inheritance

Since it is hardly a new observation that “long” non-preemptive sections are problematic in the presence of tight latency constraints, better solutions have long been known in the uniprocessor case, namely, the classic priority inheritance and priority ceiling protocols (Sha et al. 1990). Unfortunately, these protocols transfer to the multiprocessor case only partially, in the sense that they are not always effective w.r.t. bounding the maximum duration of pi-blocking.

Priority inheritance is a good match for global scheduling and is indeed used in multiprocessor real-time locking protocols for global scheduling (as discussed in Sects. 5.1.2 and 5.2.2). For example, Fig. 8 illustrates that priority inheritance is effective under global scheduling. Recall that with priority inheritance, a lock-holding task τi’s effective priority is the maximum of its own base priority and the effective priorities of all tasks that are waiting to acquire a lock that τi currently holds (Sha et al. 1990). Figure 8 shows the same scenario as Fig. 2. However, with the priority inheritance rule in place, τ4 remains scheduled at time 4 when the higher-priority τ2 is released since τ4 inherits the priority of τ1, the maximum priority in the system, during the interval [2,4). As a result, the unrelated task τ3 is preempted instead, similar to the eager preemption policy in the case of non-preemptive sections as illustrated in Fig. 5. (To date, no analogous rule to the lazy preemption policy discussed in Sect. 3.3 has been explored in the context of priority inheritance.) Again, this highlights that the progress mechanisms used to mitigate unbounded priority inversions are themselves a source of bounded priority inversions that must be carefully taken into account during blocking analysis.

Fig. 8 Example G-FP schedule of four tasks on two processors assuming priority inheritance

Unfortunately, priority inheritance (Sha et al. 1990) works only under global scheduling: it is ineffective (from the point of view of worst-case blocking analysis) when applied across cores (respectively, clusters) under partitioned (respectively, clustered) scheduling. The reason can be easily seen in Fig. 3: even though the priority inheritance rule is applied across cores, τ3’s priority is merely raised to that of τ2, which does not prevent the preemption by τ1 at time 3 (recall that tasks are indexed in order of strictly decreasing priority). For the same reason, classic ceiling-based protocols like the PCP (Sha et al. 1990) and the SRP (Theodore 1991) are ineffective, too: given that τ1 does not access the shared resource, the ceiling priority of the shared resource is lower than τ1’s priority. Fundamentally, the root cause is that numeric priority values are, analytically speaking, incomparable across processor (respectively, cluster) boundaries since partitions (respectively, clusters) are scheduled independently.
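Definition 1 and the behaviour described for Figs. 2, 3, 4 and 8 can be checked with a small discrete-time simulation. The following is an added example, not code from the chapter or from LITMUS^RT: the task parameters are constructed to match the times stated in the text, a single shared lock with suspended waiters is assumed, and the names `Task`, `simulate`, `partitioned_scenario` and `global_scenario` are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass(eq=False)
class Task:
    name: str
    prio: int       # base priority; a smaller number is a higher priority
    cluster: int    # index into cluster_sizes
    release: int
    segments: list  # [(kind, length)]; "n" = normal code, "c" = critical section
    seg: int = 0    # index of the current segment
    left: int = 0   # time units left in the current segment
    finish: int = -1                                # -1 while incomplete
    pi_blocked: list = field(default_factory=list)  # slots with pi-blocking

    def wants_lock(self):
        return self.segments[self.seg][0] == "c"


def simulate(tasks, cluster_sizes, mode, horizon=60):
    """Simulate fixed-priority scheduling in unit time slots with one shared lock.

    mode: "raw"     - plain lock, no progress mechanism
          "inherit" - priority inheritance, applied across clusters
          "np"      - the lock holder runs its critical section non-preemptively
    Waiting tasks are modelled as suspended (assumption of this example).
    """
    for x in tasks:
        x.seg, x.left, x.finish, x.pi_blocked = 0, x.segments[0][1], -1, []
    holder = None
    for t in range(horizon):
        pending = [x for x in tasks if x.release <= t and x.finish < 0]
        waiters = [x for x in pending
                   if holder is not None and x is not holder and x.wants_lock()]

        def eff(x):  # effective priority in this slot
            if x is holder and mode == "np":
                return -1
            if x is holder and mode == "inherit":
                return min([x.prio] + [w.prio for w in waiters])
            return x.prio

        running = []
        for cid, cores in enumerate(cluster_sizes):
            local = [x for x in pending if x.cluster == cid]
            chosen = []
            for x in sorted(local, key=eff):
                if len(chosen) == cores:
                    break
                if x.wants_lock() and x is not holder:
                    if holder is not None:
                        continue  # blocked on the lock, cannot be scheduled
                    holder = x    # lock is free: acquire it
                chosen.append(x)
            # Definition 1: J is pending, J is not scheduled, and fewer than c
            # jobs of equal or higher (base) priority run in J's cluster.
            for x in local:
                if x not in chosen and sum(r.prio <= x.prio for r in chosen) < cores:
                    x.pi_blocked.append(t)
            running += chosen
        for x in running:
            x.left -= 1
            if x.left == 0:
                if x is holder:
                    holder = None  # critical section done: unlock
                x.seg += 1
                if x.seg == len(x.segments):
                    x.finish = t + 1
                else:
                    x.left = x.segments[x.seg][1]
    return {x.name: x for x in tasks}


def partitioned_scenario(wcet_t1=15):
    """P-FP on two single-core partitions; constructed to match the times the
    text states for Figs. 3 and 4 (t3 locks at 1, t2 blocks at 2, t1 arrives at 3)."""
    return [Task("t1", 1, 0, 3, [("n", wcet_t1)]),
            Task("t2", 2, 1, 1, [("n", 1), ("c", 2), ("n", 2)]),
            Task("t3", 3, 0, 0, [("n", 1), ("c", 3), ("n", 2)])]


def global_scenario():
    """G-FP on m = 2 cores; constructed to match the times stated for Fig. 2."""
    return [Task("t1", 1, 0, 1, [("n", 1), ("c", 2), ("n", 2)]),
            Task("t2", 2, 0, 3, [("n", 15)]),
            Task("t3", 3, 0, 2, [("n", 20)]),
            Task("t4", 4, 0, 0, [("n", 1), ("c", 3), ("n", 2)])]


if __name__ == "__main__":
    for mode in ("raw", "inherit", "np"):
        for wcet in (5, 15):
            t2 = simulate(partitioned_scenario(wcet), [1, 1], mode)["t2"]
            print("P-FP", mode, wcet, len(t2.pi_blocked), t2.finish)
    for mode in ("raw", "inherit"):
        print("G-FP", mode, simulate(global_scenario(), [2], mode)["t1"].pi_blocked)
```

With these constructed parameters, the raw and cross-partition inheritance runs leave τ2 pi-blocked for a span that grows with τ1’s WCET, whereas the non-preemptive run confines it to slots 2 and 3 at the cost of one slot of pi-blocking for τ1.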

3.5 Allocation Inheritance

The solution to this problem is an idea that has appeared several times in different contexts and under various names: spinning processor executes for preempted processors (SPEPP) (Takada and Sakamura 1997), local helping (Hohmuth and Härtig 2001; Hohmuth and Peter 2001), allocation inheritance (Holman and Anderson 2002b, 2006; Holman 2004), multiprocessor bandwidth inheritance (Faggioli et al. 2010, 2012), and migratory priority inheritance (Brandenburg 2013a; Brandenburg and Bastoni 2012). The essential common insight is that a preempted task’s critical section should be completed using the processing capacity of cores on which the blocked tasks would be allowed to run (if they were not blocked). That is, a blocking task should inherit not only a blocked task’s priority but also the “right to execute” on a particular core, which serves to restore analytical meaning to the inherited priority: to obtain a progress guarantee, a preempted lock holder must be able to migrate to the core where the pi-blocking is incurred. Note that it follows from Definition 1 that if a task τi incurs pi-blocking at a time t, then its priority is sufficiently high to ensure that the lock holder can be scheduled on τi’s processor (or cluster) if it inherits τi’s priority, since the fact that τi incurs pi-blocking indicates the absence of runnable higher-priority tasks (recall Clause 3 in Definition 1).

An example of this approach is shown in Fig. 9, which shows the same scenario involving a latency-sensitive task previously shown in Fig. 7. In contrast to the example in Fig. 7, at time 1.5, when the latency-sensitive task τ1 is activated, the lock-holding task is preempted (just as it would be in the case of priority inheritance). However, when τ3 blocks on the resource held by τ4 at time 3, τ4 inherits the right to use the priority of τ3 on τ3’s assigned processor (which is processor 2, whereas τ4 is assigned to processor 1). Consequently, τ4 migrates from processor 1 to processor 2 to continue its critical section. When τ4 finishes its critical section at time 4.5, it ceases to inherit the priority and right to execute on processor 2 from τ3 and thus cannot continue to execute on processor 2. Task τ4 hence migrates back to processor 1 to continue its execution at time 18 when τ2 completes. Overall, τ1 suffers no latency penalty when it is released at time 1.5, but task τ3 also suffers no undue delays while waiting for τ4 to release the shared resource.

Fig. 9 Example P-FP schedule of four tasks, one of which is particularly latency-sensitive, on two processors assuming migratory priority inheritance

As already mentioned, several different names have been used in the past to describe progress mechanisms based on this principle. We adopt the term “allocation inheritance” (Holman and Anderson 2002b, 2006; Holman 2004) since it clearly describes the idea that processor time originally allocated to blocked tasks is used toward the completion of the blocking task’s critical section. The name also highlights the fact that this approach is a generalization of the classic priority inheritance idea. In fact, under event-driven global scheduling and on uniprocessors (the two cases where priority inheritance is effective), allocation inheritance reduces to priority inheritance since all tasks are eligible to execute on all cores anyway.

From a purely analytical point of view, allocation inheritance is elegant and highly attractive: as evident in Fig. 9, it has no negative latency impact, while ensuring guaranteed progress, thus restoring the strong analytical foundation offered by priority inheritance on uniprocessors. Put differently, allocation inheritance is the natural multiprocessor extension of classic priority inheritance that allows the idea to work under any multiprocessor scheduling approach. However, from a systems point of view, it can be difficult to support allocation inheritance efficiently: either it introduces task migrations (and the associated kernel complexities and cache overheads) into partitioned systems that otherwise would need none or there must be some other, resource-specific way for remote processors to continue (or safely duplicate) the operation that the preempted task was trying to accomplish (Burns and Wellings 2013b; Takada and Sakamura 1997), which can be difficult (or even impossible) to achieve for certain kinds of resources (e.g., hardware resources such as I/O ports). In particular, if the latter approach is feasible (i.e., helping operations to complete without requiring a complete task migration), it is also possible to implement completely wait-free solutions, which might be an overall preferable solution in such cases. We discuss allocation inheritance, protocols built on top of it, and practical implementations in Sects. 7 and 10.3.

3.6 Priority Boosting

The most commonly used progress mechanism is priority boosting, which is conceptually quite similar to non-preemptive sections and also a much older idea than allocation inheritance. Simply put, priority boosting requires that each critical section (pertaining to a global resource) is executed at a boosted priority that exceeds the maximum regular (i.e., non-boosted) scheduling priority of any task. As a result, newly released jobs, which do not yet hold any resources, cannot preempt critical sections, just as with non-preemptive sections. In fact, applying priority boosting to the examples shown in Figs. 2 and 3 would yield exactly the same schedules as shown in Figs. 5 and 4, respectively. However, in contrast to non-preemptive sections, tasks remain preemptive in principle, and since different critical sections may be executed with non-equal boosted priorities, it is possible that a task executing a critical section may be preempted by another task also executing a critical section (pertaining to a different resource). In essence, priority boosting establishes a second priority band on top of regular task priorities that is reserved for lock-holding tasks.

Priority boosting is easy to support in an RTOS and easy to emulate in user-mode frameworks and applications if not explicitly supported by the RTOS. It can also be considered the “original” progress mechanism, as its use (in uniprocessor contexts) was already suggested multiple times by 1980 (Lampson and Redell 1980; Leinbaugh 1980) and because the two first multiprocessor real-time locking protocols backed by analysis, the DPCP (Rajkumar et al. 1988) and the MPCP (Rajkumar 1990), rely on it. However, while it is conveniently simple, priority boosting also comes with a major latency penalty similar to non-preemptive sections, which limits its applicability in systems with tight latency constraints.

3.7 Restricted Priority Boosting

Priority boosting as described so far, and as used in the DPCP (Rajkumar et al. 1988), MPCP (Rajkumar 1990), and many other protocols, is unrestricted, in the sense that it applies to all tasks and critical sections alike, regardless of whether or not a task is actually causing some other task to incur pi-blocking. In contrast, both priority and allocation inheritance kick in only reactively (Spliet et al. 2014), when contention leading to pi-blocking is actually encountered at runtime. This unrestricted nature of priority boosting can be problematic from an analytical point of view since it can result in a substantial amount of unnecessary pi-blocking. To overcome this limitation, several restricted (i.e., selectively applied) versions of priority boosting have been derived in work on locking protocols that ensure asymptotically optimal pi-blocking bounds, such as priority donation (Brandenburg 2011; Brandenburg and Anderson 2011, 2013), restricted segment boosting (Brandenburg 2014c), and replica-request priority donation (Ward et al. 2012). We will discuss these more sophisticated progress mechanisms in the context of the protocols in which they were first used in Sects. 5.1, 5.2, and 8.2.


3.8 Priority Raising

As a final consideration, one can pragmatically devise a rule to the effect that critical sections are executed unconditionally at an elevated priority that, in contrast to priority boosting, is not necessarily higher than the maximum regular scheduling priority but still higher than most regular scheduling priorities. The intended effect is that tasks with “large” WCETs cannot preempt critical sections, whereas lightweight latency-sensitive tasks (e.g., critical interrupt handlers) with minuscule WCETs are still permitted to preempt critical sections.

For example, consider the schedule shown in Fig. 10, which shows the same scenario previously depicted in Figs. 7 and 9. Suppose the critical section priority for the resource shared by τ3 and τ4 is chosen to be higher than the priority of τ2 but below the priority of τ1. As a result, when τ1 is activated at time 1.5, it simply preempts the in-progress critical section of τ4, which transitively causes some pi-blocking for τ3. However, this extra delay is small relative to the critical section length of τ4 and the execution requirement of τ3. Importantly, when τ2 is released at time 5, it is not able to preempt the in-progress critical section of τ4, which ensures that τ3 does not suffer an excessive amount of pi-blocking. Again, this causes some pi-blocking to τ2, which however is minor relative to its own WCET.

Fig. 10 Example P-FP schedule of four tasks, one of which is particularly latency-sensitive, on two processors assuming the critical section priority is raised to an intermediate level in between the priorities of tasks τ1 and τ2

To reiterate, this pragmatic scheme avoids both the need to migrate tasks (i.e., allocation inheritance) and the latency degradation due to non-preemptive sections and priority boosting by raising the priority of short critical sections so that it exceeds the priorities of all tasks with “substantial” WCETs while also keeping it below that of latency-sensitive tasks. Since latency-sensitive tasks must have relatively high priorities anyway and since latency-sensitive tasks usually do not have large WCETs in practice, this scheme has the potential to work for a wide range of workloads. However, it violates a strict interpretation of the common notion of “bounded priority inversions” since now the pi-blocking bounds of remote lower-priority tasks depend on the WCETs of high-priority latency-sensitive tasks (e.g., in Fig. 10, the pi-blocking bound of τ3 on Processor 2 depends on the WCET of τ1 on Processor 1). The “priority raising” approach is thus not frequently considered in the academic literature.

This concludes our review of progress mechanisms. We next start our review of multiprocessor locking protocols and begin with spin-lock protocols, as they are conceptually simpler and easier to analyze than semaphore protocols.

4 Spin-Lock Protocols

The distinguishing characteristic of a spin lock is that a waiting task does not voluntarily yield its processor to other tasks. That is, in contrast to suspension-based locks, spin locks do not cause additional context switches. (Based on this definition, we do not consider approaches such as “virtual spinning” (Lakshmanan et al. 2009) (discussed in Sect. 5.2) to constitute proper spin locks, precisely because under “virtual spinning” tasks still self-suspend upon encountering contention.) However, the use of spin locks does not necessarily imply the absence of preemptions altogether; preemptable spin locks permit regular preemptions (and thus context switches) as required by the scheduler during certain phases of the protocol. Such preemptions, however, do not constitute voluntary context switches, and a task that is preempted while spinning does not suspend; rather, it remains ready in the scheduler’s run queue.

All protocols considered in this section force the uninterrupted execution of critical sections, by means of either non-preemptive execution or priority boosting, which simplifies both the analysis and the implementation. There also exist spin-based protocols under which tasks remain preemptable at all times (i.e., that allow tasks to be preempted even within critical sections); such protocols usually require allocation inheritance and are discussed in Sect. 7.

In the analysis of spin locks, it is important to clearly distinguish between two different cases of “blocking,” as illustrated in Fig. 11. First, since jobs execute the protocol in part or in whole non-preemptively, higher-priority jobs that are released while a lower-priority job is executing a spin-lock protocol can be delayed. As already discussed in Sect. 3.3, this is a classic priority inversion due to non-preemptive execution as covered by Definition 1; recall that we refer to this kind of delay as pi-blocking.
Definition 1, however, does not cover the delay that jobs incur while spinning because it applies only to jobs that are not scheduled, whereas spinning jobs are being delayed despite being scheduled. To clearly distinguish this kind of delay from pi-blocking, we refer to it as spin blocking (s-blocking) (Brandenburg 2011). Note that if jobs spin non-preemptably, then the s-blocking incurred by a lower-priority job can transitively manifest as pi-blocking experienced by a local higher-priority job. A sound blocking analysis must account for both types of blocking.

Fig. 11 Example P-FP schedule of three tasks on two processors illustrating the difference between s-blocking (i.e., delays due to spinning) and pi-blocking (i.e., delays due to priority inversion)

4.1 Spin-Lock Protocols for Partitioned Scheduling

The first spin-lock protocol backed by a sound blocking and schedulability analysis is due to Gai et al. (2001), who presented the now-classic Multiprocessor Stack Resource Policy (MSRP) in 2001. While a number of authors had previously explored real-time and analysis-friendly spin-lock implementations (which we discuss in Sect. 10.1), Gai et al. were the first to leverage a particular class of spin-lock implementations, namely, non-preemptive FIFO spin locks, to arrive at an analytically sound protocol (i.e., the set of rules that determine how such locks should be used in a real-time system) and corresponding blocking and schedulability analyses.

The MSRP is a protocol for partitioned scheduling and can be used with both FP and EDF scheduling (on each core). Like earlier suspension-based protocols for partitioned scheduling (Rajkumar 1990, 1991a; Rajkumar et al. 1988), the MSRP distinguishes between local and global resources (recall Sect. 2.1). Local resources are dealt with by means of the classic SRP (Theodore 1991) and are of no concern here. Global resources are protected with non-preemptive FIFO spin locks. When a task seeks to acquire a shared resource, it first becomes non-preemptable (which resolves any local contention) and then executes a spin-lock algorithm that ensures that conflicting requests by tasks on different processors are served in FIFO order. The exact choice of FIFO spin-lock algorithm is irrelevant from a real-time point of view; many suitable choices with varying implementation trade-offs exist (see Sect. 10.1).

Figure 12 depicts an example MSRP schedule, where τ2’s request is satisfied after τ4’s request because τ4 issued its request slightly earlier. The highest-priority task τ1 incurs considerable pi-blocking upon its release at time 2 since the local lower-priority task τ2 is spinning non-preemptively. Here, τ1 is transitively blocked by τ3 and τ4’s critical sections while τ2 incurs s-blocking.

Fig. 12 Example P-FP schedule of four tasks on three processors sharing a global resource according to the rules of the MSRP (Gai et al. 2001)

The fact that tasks remain continuously non-preemptable both while busy-waiting and when executing their critical sections has several major implications. In conjunction with the FIFO wait queue order, it ensures that any task gains access to a shared resource after being blocked by at most m – 1 critical sections, where m in this context denotes the number of processors on which tasks sharing a given resource reside. This property immediately ensures starvation freedom and provides a strong progress guarantee that allows for a simple blocking analysis (Gai et al. 2001). However, as apparent in Fig. 12, it also causes O(m) latency spikes, which can be highly undesirable in hard real-time systems (Brandenburg 2013a; Craig 1993; Takada 1996; Takada and Sakamura 1994, 1996, 1997) and which implies that the MSRP is suitable only if it can be guaranteed that critical sections are short relative to latency expectations, especially on platforms with large core counts.

From an implementation point of view, simply making the entire locking protocol non-preemptive is attractive because it completely decouples the scheduler implementation from locking protocol details, which reduces implementation complexity, helps with maintainability, and lessens overhead concerns. In fact, of all protocols discussed in this survey, the MSRP arguably carries the least implementation burden and is the easiest to integrate into an OS.

Gai et al. presented a simple blocking analysis of the MSRP (Gai et al. 2001), which relies on execution-time inflation and bounds pi-blocking and s-blocking in a bottom-up fashion.
First, Gai et al.’s analysis considers each critical section in isolation and determines the maximum s-blocking that may be incurred due to the specific, single critical section, which is determined by the sum of the maximum critical section lengths (pertaining to the resource under consideration) on all other processors. A task’s cumulative s-blocking is then simply bounded by the sum of the per-request s-blocking bounds. Finally, a task’s inflated WCET is the sum of its cumulative s-blocking bound and its original (i.e., non-inflated) WCET. Existing schedulability analysis can then be applied to the inflated WCET bounds.
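The three steps of the execution-time inflation analysis described above can be carried through mechanically. The following Python sketch is an added example, not code from Gai et al. or from this chapter; the task set, resource names, and time units are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    resource: str   # global resource protected by a non-preemptive FIFO spin lock
    count: int      # maximum number of such requests issued by one job
    length: int     # maximum critical section length of this request type


@dataclass(frozen=True)
class Task:
    name: str
    cpu: int        # processor the task is partitioned onto
    wcet: int       # original (non-inflated) WCET
    requests: Tuple[Request, ...] = ()


def longest_cs_per_cpu(tasks: List[Task]) -> Dict[Tuple[int, str], int]:
    """Longest critical section per (processor, resource) pair."""
    longest: Dict[Tuple[int, str], int] = defaultdict(int)
    for task in tasks:
        for req in task.requests:
            key = (task.cpu, req.resource)
            longest[key] = max(longest[key], req.length)
    return dict(longest)


def per_request_spin_bound(cpu: int, resource: str,
                           longest: Dict[Tuple[int, str], int]) -> int:
    """Step 1: one request waits for at most one critical section from every
    other processor, each charged at that processor's maximum length."""
    return sum(length for (other_cpu, res), length in longest.items()
               if res == resource and other_cpu != cpu)


def inflate(tasks: List[Task]) -> Dict[str, Tuple[int, int]]:
    """Steps 2 and 3: cumulative s-blocking and inflated WCET per task."""
    longest = longest_cs_per_cpu(tasks)
    result = {}
    for task in tasks:
        s_blocking = sum(
            req.count * per_request_spin_bound(task.cpu, req.resource, longest)
            for req in task.requests)
        result[task.name] = (s_blocking, task.wcet + s_blocking)
    return result


# Constructed task set: three processors, two global resources.
TASKS = [
    Task("T1", cpu=1, wcet=10, requests=(Request("queue", 2, 1),)),
    Task("T2", cpu=2, wcet=30, requests=(Request("queue", 1, 20),)),
    Task("T3", cpu=3, wcet=15, requests=(Request("queue", 1, 1),
                                         Request("log", 1, 3))),
    Task("T4", cpu=1, wcet=40, requests=(Request("log", 2, 2),)),
]

if __name__ == "__main__":
    for name, (s_blocking, inflated) in inflate(TASKS).items():
        print(f"{name}: s-blocking <= {s_blocking}, inflated WCET = {inflated}")
```

In this constructed set, both of T1's short requests are charged the 20-unit critical section of T2, so T1's WCET grows from 10 to 52.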


While Gai et al.’s original analysis (Gai et al. 2001) is simple and convenient, it comes with substantial structural pessimism. In particular, a major source of pessimism is that the maximum critical section lengths (on remote cores) are overrepresented in the final bound. Effectively, every blocking remote critical section is considered to exhibit the length of the longest critical section, which is clearly pessimistic for shared resources that support multiple operations of various costs. For example, consider a producer-consumer scenario where multiple tasks share a sorted list of work items that may include up to 100 elements that is accessed by two types of critical sections: (i) removal of the first element and (ii) an order-preserving insertion. When performing a blocking analysis, it is clearly undesirable to account for each O(1) dequeue operation as an O(n) enqueue operation.

To lessen the impact of this source of pessimism, a holistic blocking analysis of the MSRP was developed (Brandenburg 2011) that analyzes all critical sections of a task together and directly derives an overall per-task s-blocking bound (rather than attributing s-blocking to individual critical sections and then summing up the individual bounds). Holistic blocking analysis is already quite effective in avoiding the overcounting of long critical sections in the analysis of a single task. However, because it proceeds on a task-by-task basis and relies on inflated execution times to account for transitive s-blocking, the holistic approach (Brandenburg 2011) still overrepresents long critical sections if multiple local tasks access the same global resource, because then the longest critical section is reflected in multiple inflated WCETs. In fact, Wieder and Brandenburg showed that any blocking analysis that relies on execution-time inflation is asymptotically suboptimal due to the fundamental structural pessimism (Wieder and Brandenburg 2013b).
To avoid such structural pessimism altogether, Wieder and Brandenburg developed a novel MILP-based blocking analysis for spin-lock protocols under P-FP scheduling that categorically prevents any critical sections from being accounted for more than once in the final aggregate pi- and s-blocking bound (Wieder and Brandenburg 2013b). Crucially, Wieder and Brandenburg’s analysis does not rely on execution-time inflation to implicitly account for transitive s-blocking delays (i.e., lower-priority tasks being implicitly delayed when local higher-priority tasks spin). Rather, it explicitly models both transitive and direct s-blocking, as well as pi-blocking, and directly derives a joint bound on all three kinds of delay by solving a MILP optimization problem (Wieder and Brandenburg 2013b). Biondi and Brandenburg (Biondi and Brandenburg 2016) recently provided an equivalent analysis for P-EDF scheduling.

Overall, if critical sections are relatively short and contention does not represent a significant schedulability bottleneck, then Gai et al.’s original analysis (Gai et al. 2001) or the holistic approach (Brandenburg 2011) is sufficient. However, in systems with many critical sections, high-frequency tasks, or highly heterogeneous critical section lengths, Wieder and Brandenburg and Biondi and Brandenburg’s LP-based approaches are substantially more accurate (Biondi and Brandenburg 2016; Wieder and Brandenburg 2013b). In his thesis (Wieder 2018), Wieder discusses further optimizations, including a significant reduction in the number of variables and how to convert the MILP-based analysis into an LP-based approach without loss of accuracy.

4.1.1 Non-FIFO Spin Locks

While FIFO-ordered wait queues offer many advantages – chief among them starvation freedom, ease of analysis, and ease of implementation – there exist situations in which FIFO ordering is not appropriate or not available. For instance, if space overheads are a pressing concern (e.g., if there are thousands of locks) or in systems with restrictive legacy code constraints, it may be necessary to resort to unordered spin locks such as basic test-and-set (TAS) locks, which can be realized with a single bit per lock. In other contexts, for example, given workloads with highly heterogeneous timing requirements, it can be desirable to use priority-ordered spin locks, to let urgent tasks acquire contended locks more quickly.

Implementation-wise, the MSRP design – SRP for local resources, non-preemptive spin locks for global resources – is trivially compatible with either unordered or priority-ordered locks (instead of FIFO-ordered spin locks). The resulting analysis problem, however, is far from trivial and does not admit a simple per-resource approach as followed in Gai et al.’s original analysis of the MSRP (Gai et al. 2001). This is because individual critical sections are, in the worst case, subject to starvation effects, which can result in prolonged s-blocking. Specifically, in priority-ordered locks, a continuous stream of high-priority critical sections can delay a low-priority critical section indefinitely, and in unordered locks, any request may starve indefinitely as long as there is contention. The lack of a strong per-request progress guarantee fundamentally necessitates a “big picture” view as in the holistic approach (Brandenburg 2011) to bound s-blocking across all of a job’s critical sections. Suitable analyses for priority-ordered spin locks were proposed by Negrean and Ernst (2012) and Wieder and Brandenburg (2013b).
Additionally, Wieder and Brandenburg also proposed the first analysis applicable to unordered spin locks (Wieder and Brandenburg 2013b). While unordered locks are traditionally considered to be “unanalyzable” and thus unsuitable for real-time systems, Wieder and Brandenburg made the observation that unordered spin locks are analytically equivalent to priority-ordered spin locks if each task is analyzed assuming that all local tasks issue requests with the lowest-possible priority, whereas all remote tasks issue high-priority requests, which maximizes the starvation potential.

4.1.2 Preemptable Spinning

The most severe drawback of non-preemptive FIFO spin locks (and hence the MSRP) is their O(m) latency impact (Brandenburg 2013a; Craig 1993; Takada 1996; Takada and Sakamura 1994, 1996, 1997). One approach to lessen this latency penalty without giving up too much desirable simplicity is to allow tasks to remain preemptable while busy-waiting, as illustrated in Fig. 13, while still requiring critical sections to be executed non-preemptively (to avoid the lock-holder preemption problem). This has the benefit that preemptions are delayed by at most one critical section – the latency impact is reduced to O(1) – which greatly improves worst-case scalability (Craig 1993; Takada 1996; Takada and Sakamura 1994, 1996, 1997).

Fig. 13 Example P-FP schedule of four tasks on three processors illustrating preemptable spinning with request cancelation

Preemptable spinning poses two major challenges. The first challenge is the implementation: while preemptable spinning can be easily integrated into unordered TAS locks, it requires substantially more sophisticated algorithms to realize FIFO- or priority-ordered spin locks that support preemptable spinning (Anderson et al. 1998; Craig 1993; Holman and Anderson 2002b; Takada and Sakamura 1994, 1997). The reason is that preempted, busy-waiting jobs must be removed from the spin queue, or marked as preempted and skipped, to avoid the lock-holder preemption problem. As a result, preemptable spinning poses analytical problems, which is the second major challenge. When a job continues execution after having been preempted, it may find itself dequeued from the spin queue – that is, a preempted job may find that its lock request was canceled while it was preempted – to the effect that it must reissue its canceled lock request, which carries the risk of encountering additional contention. Furthermore, in the worst case, the job may be preempted again while waiting for its reissued lock request to be satisfied, which will necessitate it to be reissued yet again, and so on. The additional delays that arise from the cancelation of preempted requests are hence difficult to analyze on a per-request basis and inherently require a holistic analysis approach that avoids execution-time inflation.
Appropriate blocking analysis for FIFO- and priority-ordered spin locks, as well as unordered spin locks, was first proposed by Wieder and Brandenburg for P-FP scheduling (Wieder and Brandenburg 2013b) and recently extended to P-EDF scheduling by Biondi and Brandenburg (Biondi and Brandenburg 2016). Alfranseder et al. (2014) also proposed a protocol based on FIFO spin locks and preemptable spinning.


In systems with quantum-driven schedulers, where the scheduler preempts jobs only at well-known times, and not in reaction to arbitrarily timed events, the cancelation penalty is reduced because it can be assumed that no request must be reissued more than once (Anderson et al. 1998). As a result, it is possible (Anderson et al. 1998) to apply execution-time inflation approaches similar to the original MSRP analysis (Gai et al. 2001). Nonetheless, since every job release causes at most one cancelation (in the absence of self-suspensions) (Wieder and Brandenburg 2013b) and since critical sections typically outnumber higher-priority job releases, it is still preferable to apply more modern, inflation-free analyses (Biondi and Brandenburg 2016; Wieder and Brandenburg 2013b) even in quantum-driven systems.

4.1.3 Spin-Lock Protocols Based on Priority Boosting

Exploring a different direction, Alfranseder (2016) recently introduced a variation of the preemptable spinning approach in which jobs initially remain preemptable even when executing critical sections but become priority-boosted as soon as contention is encountered. If non-preemptive execution is applied unconditionally (as in the MSRP; Gai et al. 2001), then lock-holding jobs cannot be preempted and thus cause a latency impact even if there is actually no contention for the lock (i.e., even if there is no lock-holder preemption problem to mitigate). Since in most systems lock contention is rare, the latency impact of non-preemptive execution, though unavoidable from a worst-case perspective, may be undesirable from an average-case perspective.

As an alternative, Alfranseder thus proposed the Forced Execution Protocol (FEP), which uses on-demand priority boosting (instead of unconditional non-preemptive execution) to expedite the completion of critical sections only when remote jobs actually become blocked on a resource and start to spin. This design choice has the benefit of reducing the average priority inversion duration (i.e., the average latency impact), but it comes at a high price, namely, increased worst-case pi-blocking, because high-priority jobs may be delayed by multiple preempted critical sections. This effect is illustrated in Fig. 14. The use of non-preemptive execution in the MSRP (Gai et al. 2001) ensures that on each processor and at any point in time, at most one critical section is in progress. In contrast, since the FEP (Alfranseder 2016) allows incomplete critical sections to be preempted, a single job of a higher-priority task (e.g., τ1 in Fig. 14) may suffer the aggregate pi-blocking caused by multiple preempted lower-priority critical sections if a remote task forces their completion (e.g., τ5 in Fig. 14).
Allowing critical sections to be preempted, only to be forced later, thus makes the worst case worse. We discuss protocols that avoid this effect by using allocation inheritance rather than priority boosting in Sect. 7.

Fig. 14 Example P-FP schedule of five tasks on two processors illustrating repeated pi-blocking under Alfranseder’s (FEP) (Alfranseder 2016)

So far we have discussed two cases at opposite ends of the preemption spectrum: either jobs spin non-preemptively as in the MSRP or they remain preemptable w.r.t. all higher-priority jobs while spinning. However, it is also possible to let waiting jobs spin at some other predetermined intermediate priority. Afshar et al. (2014) observed that this flexibility allows for a generalized view on both spin locks and suspension-based protocols. In particular, Afshar et al. noted that jobs that spin at maximum priority are effectively non-preemptive, whereas jobs that spin at minimum priority are – from an analytical point of view – essentially suspended, in the sense that they neither prevent other jobs from executing nor issue further lock requests. Afshar et al. combined this observation with (unconditional) priority boosting and FIFO-ordered spin locks into a flexible spin-lock protocol (Afshar 2017; Afshar et al. 2014) that can be tuned (Afshar et al. 2017) to resemble either the MSRP (Gai et al. 2001), FIFO-ordered suspension-based protocols like the partitioned FMLP for long resources (Block et al. 2007) (discussed in Sects. 5.1.3 and 5.2.3), or some hybrid of the two.

In Afshar et al.’s flexible spin-lock protocol (Afshar 2017; Afshar et al. 2014), requests of spinning jobs that are preempted are not canceled, which allows for multiple critical sections to be simultaneously outstanding on the same core. As discussed above in the case of Alfranseder’s FEP (Alfranseder 2016), increasing the number of incomplete requests that remain to be boosted at a later time increases the amount of cumulative pi-blocking that higher-priority jobs may be exposed to. For example, Fig. 15 depicts an example schedule in which tasks τ2, τ3, and τ4 spin at their regular priority. Jobs of all three tasks block on a resource held by a job of task τ5, and thus when τ5 releases the lock, the highest-priority task τ1 suffers pi-blocking due to the back-to-back execution of three priority-boosted critical sections. This highlights that indiscriminately lowering the priority at which tasks spin is not always beneficial; rather, a good trade-off must be found (Afshar et al. 2017). For instance, in Fig. 15, the back-to-back pi-blocking of τ1 could be avoided by letting τ2, τ3, and τ4 all spin at the priority of τ2.

Fig. 15 Example P-FP schedule of five tasks on two processors illustrating preemptable spinning without request cancelation and priority boosting (Afshar et al. 2014)

4.1.4 Non-preemptive Critical Sections with Allocation Inheritance

It is also possible to achieve universally low blocking bounds without requiring workload-specific parameters. Exploring an unconventional alternative to classic spin locks, Takada and Sakamura (1997) proposed an elegant protocol that achieves preemptable spinning with O(1) maximum pi-blocking, FIFO-ordering of critical sections, and s-blocking bounds just as good, and a progress guarantee just as strong, as those provided by the MSRP. Takada and Sakamura’s solution, called the Spinning Processor Executes for Preempted Processors (SPEPP) protocol (Takada and Sakamura 1997), is based on the idea that the processors of blocked jobs should work toward completion of the blocking critical section, rather than just idling away cycles in a spin loop.

In a regular FIFO-ordered spin lock, a job enqueues itself in a spin queue, busy-waits, and then executes its own critical section when it finally holds the lock. Takada and Sakamura’s SPEPP protocol changes this as follows. A job first enqueues the operation that it intends to carry out on the shared object, as well as any associated data (i.e., in programming language terms, a closure), in a wait-free FIFO queue, and then proceeds to acquire the actual lock. As it acquires the lock, the job becomes non-preemptable and proceeds to dequeue and execute operations from the FIFO-ordered operations queue until its own operation has been completed. Crucially, whenever the job finishes an operation, it checks for deferred preemptions and interrupts and releases the lock and becomes preemptable if any are pending. As a result, maximum pi-blocking is limited to the length of one operation (i.e., one critical section length) (Takada and Sakamura 1997), and the time that jobs spend being s-blocked is used to complete the operations of preempted jobs, which can be understood as an instance of the allocation inheritance principle (as discussed in Sect. 3.5).

An interesting corner case occurs when both a preempted and the preempting job seek to access the same resource.
In this case, simply following the above protocol (i.e., if the preempting job just appends its operation) could lead to the buildup of long queues, which would result in excessively pessimistic s-blocking bounds (i.e., O(n) s-blocking in the worst case). Takada and Sakamura devised a better solution: by letting the preempting job steal the preempted job’s slot in the queue, O(m) maximum queue length is ensured (Takada and Sakamura 1997). As this effectively cancels the preempted job’s request, it must reissue its request when it resumes.


However, in contrast to the preemptable spin locks discussed in Sect. 4.1.2, this does not cause additional s-blocking – as Takada and Sakamura argue, any additional s-blocking incurred by the preempted job upon reissuing its request is entirely offset by a reduction in the s-blocking incurred by the preempting job (which benefits from stealing a slot that has already progressed through the FIFO queue). As a result, there is no additional net delay: Takada and Sakamura’s SPEPP protocol ensures O(1) maximum pi-blocking with O(m) maximum s-blocking (Takada and Sakamura 1997).
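The basic SPEPP rules described above (submit the operation, acquire the lock, execute queued operations in FIFO order until one's own is done, and stop early when a preemption is pending) can be modeled deterministically. The following single-threaded Python model is an added illustration, not Takada and Sakamura's implementation; all class and function names are hypothetical, the wait-free queue and the spin lock are replaced by ordinary Python objects, and slot stealing is not modeled.

```python
import bisect
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, List, Optional


@dataclass
class Operation:
    owner: str                            # job that submitted the operation
    action: Callable[[List[int]], None]   # closure applied to the shared object
    done: bool = False
    executed_by: Optional[str] = None     # job whose processor ran the closure


@dataclass
class SpeppResource:
    shared: List[int] = field(default_factory=list)            # protected object
    pending: Deque[Operation] = field(default_factory=deque)   # FIFO operations queue
    holder: Optional[str] = None                                # current lock holder

    def submit(self, job: str, action: Callable[[List[int]], None]) -> Operation:
        """Enqueue the intended operation before trying to take the lock."""
        op = Operation(job, action)
        self.pending.append(op)
        return op

    def help_until_done(self, job: str, own: Operation,
                        preemption_pending: Callable[[], bool]) -> int:
        """Hold the lock non-preemptively and execute queued operations in FIFO
        order until `own` is done. After every operation, check for a deferred
        preemption and give up the lock if one is pending. Returns the number
        of operations this job executed."""
        if self.holder is not None:
            raise RuntimeError("lock is held; a real job would spin here")
        self.holder = job
        executed = 0
        try:
            while not own.done and self.pending:
                op = self.pending.popleft()
                op.action(self.shared)
                op.done, op.executed_by = True, job
                executed += 1
                if preemption_pending():
                    break  # at most one operation delays the preemption
        finally:
            self.holder = None
        return executed


def insert(value: int) -> Callable[[List[int]], None]:
    """Order-preserving insertion into a sorted list, packaged as a closure."""
    return lambda items: bisect.insort(items, value)


def demo_helping():
    """Constructed scenario: J1 is preempted after submitting; J2 completes
    J1's operation before its own."""
    res = SpeppResource()
    op1 = res.submit("J1", insert(5))   # J1 is preempted before taking the lock
    op2 = res.submit("J2", insert(3))
    ran_by_j2 = res.help_until_done("J2", op2, lambda: False)
    ran_by_j1 = res.help_until_done("J1", op1, lambda: False)  # J1 resumes
    return res.shared, op1.executed_by, ran_by_j2, ran_by_j1


def demo_bounded_pi_blocking():
    """Constructed scenario: a preemption is pending, so the lock holder stops
    after a single operation and finishes its own request later."""
    res = SpeppResource()
    res.submit("J3", insert(7))
    op4 = res.submit("J4", insert(1))
    first = res.help_until_done("J4", op4, lambda: True)
    own_done_after_first = op4.done
    second = res.help_until_done("J4", op4, lambda: False)
    return first, own_done_after_first, second, res.shared


if __name__ == "__main__":
    print(demo_helping())
    print(demo_bounded_pi_blocking())
```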

4.2 Spin-Lock Protocols for Global Scheduling

Holman and Anderson (Holman and Anderson 2002a, 2006; Holman 2004) were the first to consider spin-based real-time locking protocols under global scheduling. In particular, Holman and Anderson studied synchronization in systems scheduled by an optimal Pfair scheduler (Baruah et al. 1996; Srinivasan and Anderson 2006) and introduced the important distinction between short and long shared resources. A shared resource is considered “short” if all critical sections that access it are (relatively speaking) short and “long” if some related critical sections are (relatively) long, where the exact threshold separating “short” and “long” is necessarily application- and system-specific. To synchronize access to short resources, Holman and Anderson proposed two protocols based on FIFO spin locks, which we discuss next. (For long resources, Holman and Anderson proposed allocation inheritance and semaphore protocols, as discussed in Sect. 7.) Without getting into too much Pfair-specific detail (Baruah et al. 1996; Srinivasan and Anderson 2006), it is important to appreciate some specific challenges posed by this optimal scheduling approach. Pfair scheduling is quantum-based, which means that it reschedules tasks regularly at all multiples of a system quantum Q. The magnitude of this system quantum is typically in the range from a few hundred microseconds to a few milliseconds. As a consequence, all but the shortest jobs span multiple quanta and thus are likely to be preempted and rescheduled multiple times during their execution. 
To avoid problematic lock-holder preemptions, which are prone to occur if critical sections cross quantum boundaries, Holman and Anderson introduced the notion of a frozen zone, or blocking zone, at the end of each scheduling quantum: if a job attempts to commence the execution of a critical section in this zone (i.e., at a point in time less than a given threshold prior to the next quantum boundary), then its lock request is automatically blocked until the beginning of its next quantum of execution, regardless of the availability of the shared resource. If critical sections are shorter than the system quantum length Q – which is arguably the case for any reasonable threshold for “short” critical sections – then such a zone-based protocol ensures that no job is ever preempted while holding a spin lock (Holman and Anderson 2002a, 2006; Holman 2004).


The remaining question is then how to deal with jobs that attempted to lock an unavailable resource before the start of the automatic blocking zone, and which are still spinning at the end of the current quantum, or which are granted the requested resource inside the automatic blocking zone. Holman and Anderson considered two solutions to this problem. Under the skip protocol, such a job remains in the spin queue and retains its position but is marked as inactive and can be skipped over by later-enqueued active jobs. When a preempted, inactive job receives the next processor quantum of service, it is reactivated and becomes again eligible to acquire the resource. Furthermore, if a job is at the head of the FIFO spin queue, then it immediately acquires the lock since all spin locks are available at the beginning of each quantum in zone-based protocols (Holman and Anderson 2002a, 2006; Holman 2004). The primary advantage of Holman and Anderson’s skip protocol is that it is starvation-free since preempted jobs retain their position in the FIFO queue. However, this also has the consequence that a job is blocked by potentially n – 1 other jobs in the spin queue (i.e., every other task) – that is, unlike in the case of the MSRP (Gai et al. 2001), the number of processors m does not imply a bound on the maximum spin delay. Since typically n > m, this leads to more pessimistic s-blocking bounds. Holman and Anderson’s second protocol, called the rollback protocol (Holman and Anderson 2002a, 2006; Holman 2004), restores m – 1 as a bound on the maximum number of blocking critical sections but is applicable only under certain restrictions. Whereas the skip protocol requires only that the maximum critical section length, denoted Lmax, does not exceed the quantum length Q (i.e., Lmax ≤ Q), the rollback protocol further requires that m × Lmax ≤ Q.
This constraint yields the property that if tasks on all processors attempt to execute a critical section at the beginning of a quantum, then each task will have finished its critical section by the end of the quantum. As a result, there is no need to maintain a preempted job’s queue position to guarantee progress, and instead a spinning job’s request is simply canceled when it is preempted at the end of a quantum (i.e., the job is removed from the spin queue). The rollback protocol ensures on the one hand that no spin queue contains more than m jobs at the same time and, on the other hand, that any lock attempt is guaranteed to succeed at the latest in the job’s subsequent quantum, because a preempted job immediately reissues its request when it continues execution after a preemption and because m × Lmax ≤ Q (Holman and Anderson 2002a, 2006; Holman 2004). Holman and Anderson (2002a, 2006; Holman 2004) presented blocking analyses for both the rollback and the skip protocol. While Pfair is not widely used in practice today, Holman and Anderson’s concept of an automatic blocking zone at the end of a job’s processor allocation has been reused in many locking protocols for reservation-based (i.e., hierarchically scheduled) systems, in both uniprocessor and multiprocessor contexts (as mentioned in Sect. 11.1).


B. B. Brandenburg

Both the skip and the rollback protocol require spinning jobs to remain preemptable. Non-preemptable spinning makes little sense in a Pfair context because quantum boundaries cannot be changed without prohibitive schedulability penalties. Non-preemptable spinning can make sense, however, under event-driven global policies such as G-EDF or G-FP scheduling. Corresponding analyses of nonpreemptive FIFO spin locks were presented by Devi et al. (2006) and Chang et al. (2010), respectively. Most recently, in work targeting another optimal multiprocessor real-time scheduler, Bonato et al. (2014) proposed a spin-lock protocol for systems scheduled according to the optimal RUN policy (Regnier et al. 2011).

As already mentioned in Sect. 2.4, in 2007, Block et al. introduced the Flexible Multiprocessor Locking Protocol (Block et al. 2007), which is actually a consolidated family of related protocols for different schedulers and critical section lengths. In particular, the FMLP supports both global and partitioned scheduling (with both fixed and EDF priorities) and also adopts Holman and Anderson’s distinction between short and long resources (Holman and Anderson 2002a). For each of the resulting four combinations, the FMLP includes a protocol variant. For short resources, the FMLP relies on non-preemptive FIFO spin locks. Specifically, for short resources under partitioned scheduling, the FMLP essentially integrates the MSRP (Gai et al. 2001), and for short resources under global scheduling, the FMLP integrates Devi et al.’s proposal and analysis (Devi et al. 2006). For long resources, the FMLP relies on semaphores, as we will discuss in the next section.

5 Semaphore Protocols for Mutual Exclusion

The distinguishing characteristic of suspension-based locks, also commonly referred to as semaphores or mutexes, is that tasks that encounter contention self-suspend to yield the processor to other, lower-priority tasks, which allows wait times incurred by one task to be overlaid with useful computation by other tasks. Strictly speaking, the suspension-based locks considered in this section correspond to binary semaphores; the suspension-based k-exclusion protocols discussed in Sect. 8.2 correspond to counting semaphores. We simply say “semaphore” when the type of protocol is clear from context.

As mentioned in Sect. 2.2.5, in the case of semaphores, there exist two principal ways in which critical sections can be executed: either in place (i.e., on a processor on which a task is also executing its noncritical sections) or on a dedicated synchronization processor. We focus first on the more common in-place execution in this section and consider protocols for dedicated synchronization processors in Sect. 6.

In principle, semaphores are more efficient than spin locks: since wait times of higher-priority jobs can be “masked” with useful computation by lower-priority jobs, no processor cycles are wasted, and the processor’s (nearly) full capacity is available to the application workload. However, there are major challenges that limit the efficiency of semaphores in practice.

11 Multiprocessor Real-Time Locking Protocols


First, in practical systems, suspending and resuming tasks usually come with nontrivial costs due to both OS overheads (e.g., ready queue management, invocations of the OS scheduler, etc.) and micro-architectural overheads (e.g., loss of cache affinity, disturbance of branch predictor state, etc.). Thus, if the expected wait time is shorter than the cumulative overheads of suspending, then spinning can be more efficient in practice. Whether or not runtime overheads make spinning more attractive depends on a number of factors, including the length of critical sections (relative to overhead magnitudes), the degree of contention (likelihood of spinning), and the magnitude of OS and architectural overheads. As our focus is on analytical concerns, we do not consider this aspect any further.

The second major challenge is that semaphores are subject to more intense worst-case contention because they allow other tasks to execute and issue additional lock requests while a task is waiting. That is, compared to non-preemptive spin locks, wait queues can become much longer as the number of concurrent requests for any resource is no longer implicitly upper-bounded by the number of processors (as in the case of, e.g., the MSRP (Gai et al. 2001); recall Sect. 4.1). Hence accurate blocking analysis is even more important for semaphores than for spin locks, as otherwise any practical efficiency gains are at risk of being overshadowed by analysis pessimism.

For instance, consider the following (exaggerated) illustrative example: suppose there are n tasks sharing a single resource on m = 2 processors, where n ≫ m, and that each critical section is of unit length L = 1. With non-preemptive FIFO spin locks (e.g., the MSRP; Gai et al. 2001), the maximum spin time in any possible schedule is trivially upper-bounded by (m – 1) × L = L, and the maximum pi-blocking time is upper-bounded by m × L = 2L (Gai et al. 2001, 2003). If we instead change the system to use FIFO semaphores (e.g., the FMLP; Block et al. 2007), then it is easy to construct pathological schedules in which n – 1 tasks are simultaneously suspended, waiting to acquire the single shared resource (i.e., the maximum pi-blocking duration is lower-bounded by (n − 1) × L ≫ 2L). This places semaphore protocols at an analytical disadvantage. And while we have chosen FIFO queueing in this example for simplicity, this effect is not specific to any particular queue order; in particular, similar examples can be constructed for protocols that employ priority queues, too (Brandenburg and Anderson 2010a).

Another complication that suspension-based locking protocols must address is that tasks are inherently not guaranteed to be scheduled when they become the lock owner. That is, if a task encounters contention and self-suspends, then it will certainly not be scheduled when it receives ownership of the lock, and worse, it may remain unscheduled for a prolonged time if higher-priority task(s) started executing in the meantime. Of course, the implied delay poses a risk of substantial transitive pi-blocking if other blocked tasks are still waiting for the same lock. Real-time semaphore protocols hence generally require a progress mechanism that ensures that lock-holding tasks can (selectively) preempt higher-priority tasks when waking up from a self-suspension. In contrast, simple non-preemptive spin locks do not have to take resuming lock holders into account.


Finally, and most importantly, while semaphores allow wait times to be potentially overlaid with useful computation, showing that this actually happens in the worst case (i.e., showing that the processor does not just idle while tasks suspend) is not always possible. And even when it is theoretically possible, it is an analytically difficult problem that requires identifying (or safely approximating) the worst-case self-suspension pattern, which has proven to be a formidable challenge (Chen et al. 2017).

More precisely, on multiprocessors, an accurate analysis of semaphores generally requires the use of a suspension-aware (s-aware) schedulability test, that is, an analysis that applies to a task model that incorporates an explicit bound on a task’s maximum self-suspension time. In contrast, most schedulability analyses published to date are suspension-oblivious (s-oblivious), in the sense that they make the modeling assumption that tasks never self-suspend (i.e., jobs are either ready to execute or complete). S-oblivious schedulability analyses can still be employed if tasks (briefly) self-suspend (Chen et al. 2017), but any self-suspension times must be pessimistically modeled as computation times during analysis (i.e., execution-time inflation must be applied). For example, if a task τi with WCET Ci self-suspends for at most Si time units, then it would be modeled and analyzed as having a WCET of Ci + Si when applying s-aware schedulability analysis – the task’s processor demand is safely, but pessimistically, over-approximated.

Given that the primary feature of s-based locking protocols is that tasks do not occupy the processor while waiting to acquire a lock, it is clearly undesirable to model and analyze suspension times as processor demand. However, s-aware schedulability analyses are unfortunately difficult to obtain and can be very pessimistic.
Case in point, prior work on s-aware schedulability analysis for uniprocessor fixed-priority scheduling was found to be flawed in several instances (Chen et al. 2017), and the best correct analyses available today are known to be only sufficient, but not exact (in contrast to response-time analysis for non-self-suspending tasks, which is exact on uniprocessors). Another example that highlights the challenge of finding efficient s-aware schedulability analysis is G-EDF scheduling, for which effective s-oblivious analysis was available (Bertogna et al. 2005) long before the first s-aware test for G-EDF was proposed (Liu and Anderson 2013), which then was also found to be more pessimistic than a simple s-oblivious approach when applied in the context of an s-based locking protocol (Brandenburg 2014c).

As a result of the challenges surrounding s-aware analysis and the pessimism present in today’s analyses, s-oblivious approaches can be competitive with s-aware analyses and at times even yield superior performance in empirical comparisons (Brandenburg 2011; Brandenburg and Anderson 2013). It is hence worthwhile to study both approaches.

In fact, when it comes to analyzing the maximum cumulative duration of pi-blocking (recall Sect. 2), there exist fundamental differences between the s-oblivious and s-aware approaches (Brandenburg 2011; Brandenburg and Anderson 2010a, 2013). As a result of these differences, Definition 1 must be refined for the s-oblivious case. Perhaps surprisingly, with the refined definition in place (Definition 2 below), the inherently pessimistic treatment of suspension times in s-oblivious schedulability analyses allows some of this pessimism to be “recycled,” in the sense that less pessimistic assumptions have to be made when analyzing priority inversions in the s-oblivious case.

More formally, consider maximum pi-blocking, which for a given task set τ is the amount of pi-blocking incurred by the task that suffers the most from priority inversion: max{Bi | τi ∈ τ}, where Bi is the pi-blocking bound for task τi (Brandenburg and Anderson 2010a). Interestingly, the two different analysis assumptions yield asymptotically different bounds on maximum pi-blocking (Brandenburg 2011; Brandenburg and Anderson 2010a, 2013). Specifically, there exist semaphore protocols that ensure that any task will incur at most O(m) pi-blocking in the s-oblivious sense (Brandenburg and Anderson 2010a, 2013), whereas no semaphore protocol can generally guarantee pi-blocking bounds better than Ω(n) in the s-aware case (Brandenburg 2014c; Brandenburg and Anderson 2010a) (recall that m denotes the number of processors and n the number of tasks, where typically n > m).

In the following, we review these bounds and the protocols that achieve them. We first discuss locking protocols intended for s-oblivious analysis because they are simpler in nature and easier to analyze, and then consider locking protocols intended for s-aware analysis thereafter.

5.1 Suspension-Oblivious Analysis of Semaphore Protocols

Under s-oblivious schedulability, self-suspensions are modeled as execution time during analysis. However, at runtime, tasks of course self-suspend; the distinction between the s-oblivious and s-aware approaches is purely analytical. In fact, it is possible to analyze any protocol using either approach, and strictly speaking the protocols themselves are neither “suspension-oblivious” nor “suspension-aware.” However, certain protocols are easier to analyze, or can be more accurately analyzed, under one of the two analysis approaches, which gives rise to the commonly used terminology of s-oblivious and s-aware semaphore protocols. In this section, we review s-oblivious locking protocols, i.e., semaphore protocols that are primarily analyzed using s-oblivious analysis and that in many cases were designed specifically with s-oblivious analysis in mind.

5.1.1 Suspension-Oblivious Analysis and Blocking Optimality

The key insight underlying the analysis of s-oblivious locking protocols is that since s-oblivious schedulability analysis pessimistically over-approximates any self-suspension times as processor demand, it is possible to reclaim some of this pessimism by specializing the definition of pi-blocking (Definition 1) to this modeling assumption. More precisely, “suspension-oblivious pi-blocking” is defined such that any times during which both:

1. A job is self-suspended while waiting to acquire a semaphore.
2. This delay can be attributed to higher-priority tasks (under the “suspended tasks create processor demand” analysis assumption).

are not counted as pi-blocking, which allows tighter pi-blocking bounds to be established (without endangering soundness of the analysis).

Intuitively, this works as follows. Consider clustered scheduling and a task τi assigned to a cluster consisting of c processor cores. First, suppose a job J is waiting to acquire some semaphore and there are (at least) c higher-priority ready jobs, that is, J is self-suspended, and there are c higher-priority jobs occupying the processors in J’s cluster. In this situation, J does not incur pi-blocking according to Definition 1 (although it is waiting to acquire a semaphore) since it would not be scheduled even if it were ready, due to the presence of c higher-priority ready jobs. In other words, the self-suspension does not have to be accounted for as additional delay in this case because J would be delayed anyway.

Now consider the following alternative scenario: J is self-suspended, and there are c higher-priority jobs in J’s cluster, but all higher-priority jobs are also self-suspended, each waiting to acquire some semaphore (possibly, but not necessarily, the same that J is waiting for). That is, the higher-priority jobs in J’s cluster are pending, but not ready. In this case, if J were ready, it would be scheduled immediately since in the real system the suspended higher-priority jobs do not occupy any processors, and hence intuitively this situation represents a priority inversion for J (and also according to Definition 1). However, under s-oblivious analysis, the self-suspension times of higher-priority jobs are modeled as execution time. Hence, in the analyzed model of the system, the pending higher-priority jobs are analyzed as if they were occupying all processors, and hence J incurs no additional delay in this situation under the s-oblivious analysis assumption. The following definition exploits this observation.

Definition 2 A job J of task τi, assigned to a cluster C consisting of c cores, suffers s-oblivious pi-blocking at time t if and only if:

1. J is pending at time t
2. Not scheduled at time t (i.e., it is self-suspended or preempted)
3. Fewer than c jobs, of tasks assigned to cluster C, with priority equal or higher than J are pending on processors belonging to τi’s assigned cluster C

Note that Definitions 1 and 2 differ in clause (3) w.r.t. whether the higher-priority jobs are required to be pending (Definition 2) or scheduled (Definition 1).

Based on this definition, the suspension-oblivious schedulability analysis approach can be summarized as follows. (This description is somewhat simplified because it considers only self-suspensions and ignores priority inversions due to progress mechanisms to simplify the explanation. Any additional priority inversions (e.g., due to non-preemptive execution) are handled analogously by inflation.)


• Suppose we are given a self-suspending task set τ = {τ1, …, τn}, where each task τi = (Ci, Di, Ti, Si) in τ is characterized by its WCET Ci, a relative deadline Di, a period Ti, and a bound Si on the maximum cumulative self-suspension duration of any of its jobs.
• Further suppose that Bi denotes a bound on the maximum cumulative duration of suspension-oblivious pi-blocking incurred by any of τi’s jobs (where Bi ≤ Si).
• Let τ′ = {τ′1, …, τ′n} denote the corresponding inflated, suspension-free task set, where each τ′i = (Ci + Bi, Di, Ti).
• Then the actual task set τ does not miss any deadline in the presence of self-suspensions if the inflated, suspension-free task set τ′ is feasible.

The correctness of this approach can be shown with a simple reduction (or schedule transformation) argument. Suppose a job misses a deadline in the real system, and consider the trace resulting in the deadline miss (i.e., a concrete schedule of the given task set τ). This trace consists of a set of self-suspending jobs with concrete release, execution, and self-suspension times (i.e., discard any knowledge of locks; for this transformation we require only self-suspension times). Now repeatedly transform this trace as follows until no self-suspensions remain. For each job J in the trace, in order of decreasing priority, and for each point in time t at which J is suspended, if there are fewer than c higher-priority jobs in J’s cluster occupying a processor at time t, then transform J’s self-suspension at time t into execution time. Otherwise, simply discard J’s self-suspension at time t (i.e., reduce J’s self-suspension length by one time unit) since it is not scheduled at time t anyway. This step does not decrease J’s response time, nor does it decrease the response time of any other job.

After this transformation, we obtain a trace in which both (i) no job self-suspends and (ii) a deadline is still being missed. Furthermore, let τi denote the task of J: since Bi is a bound on the maximum amount of s-oblivious pi-blocking as defined by Definition 2, (iii) the number of times that job J’s suspension is converted to execution time is bounded by Bi. From (i) and (iii), it follows that the transformed trace is a valid schedule of τ′, and hence from (ii) we have that τ misses a deadline only if there exists a schedule in which τ′ misses a deadline. Conversely, if it can be shown that τ′ does not miss any deadlines, then τ also does not miss any deadlines.

Given Definition 2, a natural question to ask is: What is the least upper bound on maximum s-oblivious pi-blocking (i.e., the least Bi) that any locking protocol can guarantee in the general case? In other words, what amount of s-oblivious pi-blocking is unavoidable, in the sense that there exist pathological task sets that exhibit at least this much s-oblivious pi-blocking no matter which locking protocol is employed?

Clearly, this bound cannot be zero, as some blocking is unavoidable under any mutual exclusion scheme. It is in fact trivial to construct task sets in which a job exhibits Ω(m) s-oblivious pi-blocking under any locking protocol (i.e., any pi-blocking bound is necessarily linear in the number of processors): if a lock is requested simultaneously by tasks on all m processors, then m (unit length) critical sections must be serialized in some order and hence whichever task acquires the lock last is blocked by (at least) m – 1 critical sections. If there are exactly c tasks assigned to each cluster (i.e., if there are only m tasks in total), then according to Definition 2, any self-suspension results in s-oblivious pi-blocking, and the lower bound trivially follows (Brandenburg 2011; Brandenburg and Anderson 2010a, 2013).

While this lower bound on maximum s-oblivious pi-blocking is straightforward, finding a matching upper bound is less obvious. Given that up to n jobs can simultaneously contend for the same lock, one might wonder whether this is even possible. However, as we review next, it is in fact possible to construct locking protocols that ensure O(m) s-oblivious pi-blocking for any sporadic task set (Brandenburg 2011; Brandenburg and Anderson 2010a, 2013), which establishes that, under s-oblivious schedulability analysis, Θ(m) pi-blocking is fundamental (Brandenburg 2011; Brandenburg and Anderson 2010a, 2013).

5.1.2 Global Scheduling

The earliest semaphore protocols for global scheduling are due to Holman and Anderson (2002a, b, 2006), who introduced support for lock-based synchronization in Pfair-scheduled systems. However, due to the quantum-based nature of Pfair, their analysis is not s-oblivious in the sense of Definition 2; we hence defer a discussion of their work until Sect. 7.

The first multiprocessor real-time semaphore protocol explicitly studied using the s-oblivious analysis approach is Block et al.’s FMLP (Block et al. 2007). As already discussed in Sect. 4, the FMLP is actually a family of related protocols for different scheduling approaches and incorporates both spin- and suspension-based variants. Aiming for simplicity in both implementation and analysis, the FMLP for long resources (i.e., the semaphore variant) for global scheduling combines priority inheritance (recall Sect. 3.4) with simple FIFO wait queues.

Priority inheritance ensures that a lock-holding job is scheduled whenever another job that it blocks is incurring s-oblivious pi-blocking. This is easy to see: under global scheduling (i.e., if there is only one cluster of size m), a job incurs s-oblivious pi-blocking only if it is among the m highest-priority pending jobs (Definition 2), and thus the lock-holding job is guaranteed to inherit a priority that allows it to be immediately scheduled (Block et al. 2007). Combined with the strong progress guarantee of FIFO wait queues, the long FMLP for global scheduling ensures that a job incurs s-oblivious pi-blocking for the duration of at most n – 1 = O(n) critical section lengths while waiting to acquire a lock. While more accurate analyses taking actual request patterns into account are possible (Brandenburg 2011), the FMLP does not ensure asymptotically optimal maximum s-oblivious pi-blocking, and in fact no protocol relying exclusively on FIFO or priority queues can be optimal in this regard (Brandenburg and Anderson 2010a).
The first asymptotically optimal protocol is the O(m) Locking Protocol (OMLP) (Brandenburg 2011; Brandenburg and Anderson 2010a, 2011, 2013), which, as the name suggests, ensures O(m) maximum s-oblivious pi-blocking for any task set.


Like the FMLP, the OMLP is also a family of protocols for global, partitioned, and clustered scheduling, which we review in turn.

The OMLP variant for global scheduling (i.e., the global OMLP) (Brandenburg and Anderson 2010a) also relies on priority inheritance, like the earlier global FMLP (Block et al. 2007). To achieve optimality, it replaces the FMLP’s simple FIFO queue with a hybrid wait queue, which consists of a bounded FIFO segment of length m and a priority-ordered tail queue that feeds into the FIFO segment. Jobs that request the lock enqueue directly in the FIFO segment if there is space (i.e., if fewer than m jobs are contending for the resource) and otherwise in the tail queue, which is ordered by job priority. The job at the head of the FIFO queue holds the lock; when it releases the lock, it is dequeued from the FIFO queue, ownership is passed to the new head of the FIFO queue (if any), and the highest-priority job presently waiting in the tail queue (if any) is transferred to the FIFO queue.

This combination of queues ensures that a job incurs s-oblivious pi-blocking for the duration of at most 2m – 1 = O(m) critical sections per lock request. Clearly, once a job enters the bounded-length FIFO queue, at most m – 1 critical sections of jobs ahead in the FIFO queue cause pi-blocking. Additionally, a job incurs s-oblivious pi-blocking for the cumulative duration of at most m critical sections while it waits in the priority-ordered tail queue. The latter bound follows from the following observation (Brandenburg and Anderson 2010a). Suppose a job J that is waiting in the tail queue is skipped over m times (i.e., at least m times another job is moved to the end of the FIFO queue while J is waiting). Since the tail queue is priority-ordered, each job that skipped ahead has a higher priority than J. Furthermore, since the FIFO queue has a capacity of exactly m jobs, it follows that there are m higher-priority pending jobs, which implies that J incurs no s-oblivious pi-blocking after it has been skipped over at least m times (recall clause (3) of Definition 2).

Thus, in total, a job incurs s-oblivious pi-blocking for a duration of at most 2m – 1 = O(m) critical sections while moving through both queues, which is within a factor of $\frac{2m-1}{m-1} = \frac{2 \times (m-1) + 1}{m-1} = 2 + \frac{1}{m-1} \approx 2$ of the lower bound and thus asymptotically optimal (Brandenburg 2011; Brandenburg and Anderson 2010a, 2013). Fine-grained (i.e., non-asymptotic) analyses of the global OMLP taking into account actual request patterns are available as well (Brandenburg 2011; Brandenburg and Anderson 2013).
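As an added illustration (not code from the handbook or from any OMLP implementation), the following Python model applies clause (3) of Definition 2 to the hybrid wait queue of the global OMLP and to a plain FIFO queue as used by the long FMLP. Assumptions made here: all jobs request the lock at time 0, each job consists only of one unit-length critical section, the lock holder always executes (priority inheritance), priorities are unique, and the names `WaitQueue` and `s_oblivious_blocking` are hypothetical.

```python
import heapq
from collections import deque


class WaitQueue:
    """FIFO segment of bounded capacity fed by a priority-ordered tail queue.

    capacity = m models the hybrid queue of the global OMLP; an unbounded
    capacity degenerates to the plain FIFO queue of the long FMLP.
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self.fifo = deque()   # (priority, job); the head holds the lock
        self.tail = []        # heap of (priority, job); smaller = higher priority

    def request(self, job, priority):
        if len(self.fifo) < self.capacity:
            self.fifo.append((priority, job))
        else:
            heapq.heappush(self.tail, (priority, job))

    def release(self):
        """The head leaves; the highest-priority tail job (if any) joins the FIFO."""
        _, job = self.fifo.popleft()
        if self.tail:
            self.fifo.append(heapq.heappop(self.tail))
        return job

    def pending(self):
        return list(self.fifo) + list(self.tail)


def s_oblivious_blocking(capacity, arrivals, m):
    """Count, per job, the unit-length critical sections during which the job
    incurs s-oblivious pi-blocking under global scheduling (one cluster, c = m).

    arrivals: list of (job, priority) in request order, all issued at time 0.
    """
    queue = WaitQueue(capacity)
    for job, priority in arrivals:
        queue.request(job, priority)

    blocked = {job: 0 for job, _ in arrivals}
    while queue.fifo:
        pending = queue.pending()
        holder = queue.fifo[0][1]
        for priority, job in pending:
            if job == holder:
                continue  # the lock holder is scheduled, hence not blocked
            # Clause (3): blocked only if fewer than m higher-priority
            # jobs are pending (not necessarily scheduled).
            higher = sum(1 for p, _ in pending if p < priority)
            if higher < m:
                blocked[job] += 1
        queue.release()  # one unit-length critical section completes
    return blocked


# Constructed workload: n = 8 jobs on m = 2 processors, J0 has the highest
# priority and the jobs request the lock in increasing priority order.
M = 2
ARRIVALS = [(f"J{p}", p) for p in range(7, -1, -1)]


def compare():
    fifo = s_oblivious_blocking(float("inf"), ARRIVALS, M)
    omlp = s_oblivious_blocking(M, ARRIVALS, M)
    return fifo, omlp


if __name__ == "__main__":
    fifo, omlp = compare()
    print("FIFO  :", fifo)
    print("hybrid:", omlp)
```

With m = 2 and eight jobs arriving in increasing priority order, the FIFO queue charges the highest-priority job n – 1 = 7 critical sections, while under the hybrid queue no job exceeds 2m – 1 = 3.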

5.1.3 Partitioned Scheduling

In the case of partitioned scheduling, priority inheritance is ineffective (Sect. 3.4), with priority boosting being the traditional alternative (Sect. 3.6). This choice was also adopted in the design of the long FMLP for partitioned scheduling (Block et al. 2007), which was the first semaphore protocol for partitioned scheduling to be analyzed under the s-oblivious approach. Like all other FMLP variants, the long FMLP for partitioned scheduling relies on FIFO queues.

One additional twist that arises in conjunction with priority boosting is that a tie-breaking policy is required to determine which job to schedule if there are multiple lock-holding jobs on the same processor. In the interest of simplicity, the FMLP favors whichever job first acquired its respective lock (i.e., “earliest-resumed job first”) (Block et al. 2007). This later turned out to be a non-ideal choice in the context of suspension-aware analysis (discussed in Sect. 5.2.3) and was changed to an earliest-issued request first policy in the later FMLP+ (Brandenburg 2011).

However, under s-oblivious analysis, either tie-breaking rule is problematic, as unrestricted priority boosting generally prevents optimal s-oblivious pi-blocking (regardless of the order in which blocked jobs wait), which can be inferred from the following simple example. Consider a job J that is the highest-priority job on its processor, and suppose for the sake of illustration that n – 1 tasks reside on job J’s processor, with the remaining task located on a second processor. Now suppose that just before J is released, the remote task first acquires a shared lock, and then all other tasks on J’s processor suspend while waiting for the same lock. If lock-holding jobs are unconditionally priority-boosted, then J will be preempted for the duration of a critical section by each of the n – 2 other tasks on J’s processor, which results in Ω(n) s-oblivious pi-blocking even if J itself does not acquire any locks. As a result of this effect and because FIFO queues allow for pi-blocking due to up to n – 1 critical sections per critical section, jobs incur s-oblivious pi-blocking of up to (n – 2) + (n – 1) = 2n – 3 critical section lengths under the long FMLP for partitioned scheduling, which is not asymptotically optimal.

The partitioned OMLP (Brandenburg and Anderson 2010a) solves this problem with a token mechanism to limit the number of tasks that can simultaneously request global resources, which implicitly restricts the maximum delay due to priority boosting and which also ensures that global wait queues remain short. Under the partitioned OMLP, there is a single contention token associated with each processor. A processor’s contention token is a local (virtual) resource that is managed using an optimal uniprocessor protocol (such as the PCP (Sha et al. 1990) or the SRP (Theodore 1991)). Furthermore, each global resource is associated with a FIFO wait queue, and jobs holding (global) resources are priority-boosted, just as in the earlier FMLP. However, the key OMLP rule is that a task must hold its local contention token before it may issue a request for a global resource. As a result, only at most m tasks compete for global resources at any time, which in conjunction with FIFO queues and priority boosting immediately yields a pi-blocking bound of m – 1 critical section lengths once a job holds its local contention token. Additionally, a job may incur pi-blocking while it is waiting to acquire a contention token, which however is also limited to m critical section lengths (including any priority boosting effects) (Brandenburg and Anderson 2010a).

As a result, the partitioned OMLP guarantees a bound on s-oblivious pi-blocking for the duration of m – 1 critical sections per request, plus s-oblivious pi-blocking for the duration of up to m critical sections of pi-blocking due to competition for the local contention token and priority boosting, for a total of 2m – 1 (for a task that issues one request per job), which is within a factor of $\frac{2m-1}{m-1} \approx 2$ of the lower bound and thus asymptotically optimal (Brandenburg 2011; Brandenburg and Anderson 2013).


A fine-grained (i.e., non-asymptotical) analysis of the partitioned OMLP is available as well (Brandenburg and Anderson 2011, 2013).

5.1.4 Clustered Scheduling

The case of “true” clustered scheduling, where there are multiple clusters (unlike the special case of global scheduling) and each cluster contains more than one processor (unlike the special case of partitioned scheduling), is particularly challenging because it combines the challenges of both global and partitioned scheduling. In particular, priority inheritance across clusters is ineffective (Sect. 3.4), but priority boosting, even if restricted by a token mechanism as in the partitioned OMLP, makes it difficult to obtain asymptotically optimal s-oblivious pi-blocking bounds.

For this reason, a new progress mechanism called priority donation was developed for the clustered OMLP (Brandenburg 2011; Brandenburg and Anderson 2011, 2013). As already mentioned in Sect. 3.7, priority donation can be understood as a form of restricted priority boosting. However, the key difference to the token mechanism used in the partitioned OMLP is that there exists an explicit relationship between the lock-holding job that is forced to be scheduled (i.e., the priority recipient) and the job that is not scheduled as a result (i.e., the priority donor). In contrast, priority boosting just prescribes that a job is scheduled but leaves unspecified which other job is not scheduled as a result, which causes analytical complications if there is more than one processor in a cluster (i.e., if there is a choice in which job to preempt).

Priority donation maintains the invariant that in each cluster and for each lock-holding job J, J is either among the c highest-priority jobs in its cluster, or there exists a job among the c highest-priority jobs that is the unique and exclusive priority donor for J. As a result of this invariant, contention for global locks is limited to at most m concurrent lock requests, and lock-holding jobs are guaranteed to make progress toward releasing the lock (i.e., lock holders are never preempted).
A job can become priority donor only once, immediately upon its release (i.e., before it starts executing). While it serves as priority donor, it is suspended to make a processor for the priority recipient available and thus incurs s-oblivious pi-blocking. Priority donation ceases when the critical section of the priority recipient ends. The maximum request duration – from the time that a lock is requested until the time that the lock is released – thus also determines the amount of s-oblivious pi-blocking transitively incurred by the priority donor. Under the clustered OMLP, each resource is associated with a simple FIFO wait queue (Brandenburg 2011; Brandenburg and Anderson 2011, 2013). Since priority donation guarantees that lock-holding jobs are scheduled and since there are at most m concurrent requests for global resources in progress at any time, a job is delayed by at most m – 1 earlier critical sections per lock request. This in turn implies that priority donors incur s-oblivious pi-blocking for the cumulative duration of at most m critical sections (Brandenburg and Anderson 2011). The blocking bound for the clustered OMLP is thus equivalent to that of the partitioned OMLP, and it is hence also asymptotically optimal within a factor of roughly two of the lower bound (Brandenburg and Anderson 2011, 2013).

Additional protocols designed specifically for s-oblivious analysis are discussed in Sects. 7 and 8.2. None of these protocols, nor any OMLP variant, are closer to the known lower bound on s-oblivious pi-blocking than within a factor of roughly two. It is presently unknown whether it is possible to close this gap in the general case.

5.2 Suspension-Aware Analysis of Semaphore Protocols

Under s-aware analysis, any self-suspension times and priority inversions due to progress mechanisms are explicitly modeled and accounted for by the schedulability test. Hence there is no opportunity to “recycle” pessimism, no “analysis trick,” as in the s-oblivious case – when targeting s-aware analysis, the goal of the locking protocol designer is simply to bound maximum delays as tightly as possible. The upshot is that the underlying s-aware schedulability analyses have the potential to be much more accurate and substantially less pessimistic in terms of system utilization, especially if self-suspensions are relatively long, since execution times are not being inflated. For instance, s-aware analysis becomes essential when synchronizing access to graphics processors (GPUs), where critical section lengths can easily reach dozens or even hundreds of milliseconds (Elliott and Anderson 2012a). In comparison, when considering shared data structures, where critical sections are typically just a few microseconds long (Anderson et al. 1998; Brandenburg et al. 2008), the s-oblivious utilization impact is minor. However, while historically the first multiprocessor real-time locking protocols (Rajkumar 1990, 1991a; Rajkumar et al. 1988; Roux and Martineau 1995) have all been intended for s-aware analysis, the understanding of self-suspensions from a schedulability point of view has only recently begun to mature, and a number of misunderstandings and misconceptions have been identified in earlier analyses of task sets with self-suspensions (Chen et al. 2017). Multiprocessor locking protocols for s-aware analysis, and the required s-aware analyses themselves, are thus presently still active areas of research.
In the following, we provide an overview of the current state of the art, starting with a brief review of the definition of s-aware pi-blocking, known asymptotic bounds, and (non-)optimality results, and then summarize major binary semaphore protocols for global, partitioned, and clustered scheduling.

5.2.1 Suspension-Aware Schedulability Analysis and Blocking Optimality

In the case of s-aware schedulability analysis, any delay that does not result from the execution of higher-priority jobs constitutes a priority inversion that must be explicitly accounted for. This is captured by the following definition.

Definition 3 A job J of task τi, assigned to a cluster C consisting of c cores, suffers s-aware pi-blocking at time t if and only if

1. J is pending at time t.
2. J is not scheduled at time t (i.e., it is self-suspended or preempted).
3. Fewer than c jobs, of tasks assigned to cluster C, with priority equal or higher than J are scheduled on processors belonging to τi’s assigned cluster C.

Notably, Definition 3 is equivalent to the classic uniprocessor notion of pi-blocking (Definition 1). The key difference to the s-oblivious case (Definition 2) is that under Definition 3, only the presence of c scheduled higher-priority jobs prevents a delay from being considered a priority inversion, whereas under Definition 2, a priority inversion is ruled out if there are c pending higher-priority jobs. Since any scheduled job is also pending, Definition 3 is weaker than Definition 2, and consequently any bound on s-aware pi-blocking is also a bound on s-oblivious pi-blocking (but the converse does not hold) (Brandenburg 2011; Brandenburg and Anderson 2010a). The fundamental lower bound on s-aware pi-blocking is Ω(n) (Brandenburg 2011; Brandenburg and Anderson 2010a), which can be easily shown with a task set in which all n tasks simultaneously compete for a single shared resource (Brandenburg and Anderson 2010a), so that whichever task acquires the resource last is subject to an Ω(n) delay. While the lower bound is rather intuitive, the true challenge is again to construct locking protocols that asymptotically match this lower bound, that is, to find protocols that ensure O(n) maximum s-aware pi-blocking for any task set. In fact, from a blocking optimality point of view, the s-aware case is much more challenging to deal with than the well-understood s-oblivious case and required several attempts until it was solved (Brandenburg 2011, 2014c; Brandenburg and Anderson 2010a).
To date, while there exists a protocol for clustered scheduling that achieves O(n) maximum s-aware pi-blocking – namely, the generalized FMLP+ (Brandenburg 2014c) – which suffices to establish asymptotic tightness of the lower bound under global and partitioned scheduling, no protocol with asymptotically optimal s-aware pi-blocking bounds is known specifically for global scheduling (Brandenburg 2011, 2014c; Yang et al. 2015). The search for practical protocols that are also asymptotically optimal with regard to maximum s-aware pi-blocking is complicated by several nonoptimality results. For one, any protocol relying exclusively on priority queues is generally subject to an Ω(m × n) lower bound on maximum s-aware pi-blocking due to starvation effects (Brandenburg and Anderson 2010a). Furthermore, under global scheduling, any protocol relying on priority inheritance or (unrestricted) priority boosting is subject to an Ω(φ) lower bound on maximum s-aware pi-blocking (Brandenburg 2011, 2014c), where φ corresponds to the ratio of the longest to the shortest period of the task set (and which in general cannot be bounded in terms of m or n). The generalized FMLP+ (Brandenburg 2014c), which we discuss in Sect. 5.2.5 below, thus requires rather more sophisticated machinery to achieve its O(n) bound.
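
The difference between Definition 3 and the s-oblivious notion can be checked mechanically on a schedule trace. The following Python code is an added example, not part of the chapter: the trace, job names and state labels are constructed, priorities are assumed unique (smaller number = higher priority), and the s-oblivious test follows this section's paraphrase of Definition 2.

```python
"""Count s-aware (Definition 3) and s-oblivious pi-blocking on a trace."""

# Constructed sample: one cluster with c = 2 processors.
# Base priorities; smaller number = higher priority (assumed convention).
PRIORITY = {"H1": 1, "H2": 2, "J": 3, "L": 4}
C = 2

# One dict per unit-length time slot, mapping job -> state:
#   "scheduled": running on a processor of the cluster
#   "waiting":   pending but not scheduled (self-suspended or preempted)
#   "inactive":  not pending (not yet released, or already complete)
TRACE = [
    # L holds a lock and runs priority-boosted; H1 is not yet released.
    {"H1": "inactive", "H2": "scheduled", "J": "waiting", "L": "scheduled"},
    # H1 is released and preempts H2, because boosted L keeps its processor.
    {"H1": "scheduled", "H2": "waiting", "J": "waiting", "L": "scheduled"},
    # H1 requests the lock held by L and self-suspends; H2 resumes.
    {"H1": "waiting", "H2": "scheduled", "J": "waiting", "L": "scheduled"},
    # L releases the lock and loses its boost; H1 and H2 run.
    {"H1": "scheduled", "H2": "scheduled", "J": "waiting", "L": "waiting"},
    # H1 has completed; J finally runs.
    {"H1": "inactive", "H2": "scheduled", "J": "scheduled", "L": "waiting"},
]


def is_pi_blocked(job, slot, c, priority, s_aware):
    """Return True if `job` suffers pi-blocking in this slot.

    s_aware=True  counts only *scheduled* jobs of equal or higher priority
                  (condition 3 of Definition 3).
    s_aware=False counts all *pending* such jobs (the s-oblivious notion).
    """
    if slot[job] != "waiting":      # conditions 1 and 2: pending, not scheduled
        return False
    counted = ("scheduled",) if s_aware else ("scheduled", "waiting")
    higher = sum(
        1
        for other, state in slot.items()
        if other != job and priority[other] <= priority[job] and state in counted
    )
    return higher < c


def blocking_time(job, trace, c, priority):
    """Total (s-aware, s-oblivious) pi-blocking of `job`, in time slots."""
    aware = sum(is_pi_blocked(job, slot, c, priority, True) for slot in trace)
    oblivious = sum(is_pi_blocked(job, slot, c, priority, False) for slot in trace)
    return aware, oblivious


if __name__ == "__main__":
    for name in PRIORITY:
        print(name, blocking_time(name, TRACE, C, PRIORITY))
```

In the second and third slots two higher-priority jobs are pending but only one is scheduled, so J is charged s-aware pi-blocking but no s-oblivious pi-blocking.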

5.2.2 Global Scheduling

Virtually all major semaphore protocols designed specifically for global scheduling rely on priority inheritance. As already mentioned in the discussion of the s-oblivious case (Sect. 5.1.2), Block et al.’s global FMLP for long resources (Block et al. 2007), based on FIFO wait queues, was the first protocol in this category, and even though the initial analysis was s-oblivious (Block et al. 2007) (no s-aware analysis for global scheduling was known at the time), the protocol itself works well under s-aware analysis, too, and an effective s-aware analysis has been presented by Yang et al. (2015) for G-FP scheduling. The classic Priority Inheritance Protocol (PIP) (Sha et al. 1990), which combines priority inheritance (the progress mechanism) with priority-ordered wait queues, was initially analyzed under G-FP scheduling by Easwaran and Andersson (2009). In more recent work, Easwaran and Andersson’s original analysis has been subsumed by Yang et al.’s more accurate analysis of the PIP (and several other protocols) (Yang et al. 2015) by transferring the state-of-the-art analysis technique based on linear programming (Brandenburg 2013b) to G-FP scheduling. Nemati and Nolte (2011) transferred Easwaran and Andersson’s original analysis of the PIP (Easwaran and Andersson 2009) to a variant of the protocol that they called Immediate PIP (I-PIP) (Nemati and Nolte 2011), which retains the use of priority-ordered wait queues but replaces priority inheritance with priority boosting. They further derived bounds on the maximum resource-hold times under both the original PIP and the I-PIP, as well as heuristics for reducing resource-hold times without violating schedulability (Nemati and Nolte 2011).
Motivated by their analysis of the PIP, Easwaran and Andersson (2009) also proposed a new semaphore protocol that they called the Parallel Priority-Ceiling Protocol (P-PCP) (Easwaran and Andersson 2009), which is also based on priority inheritance and priority-ordered wait queues. Additionally, inspired by the classic uniprocessor PCP (Sha et al. 1990), the P-PCP introduces rules that prevent jobs from acquiring available resources to limit, at each priority level, the maximum number of lower-priority jobs that may simultaneously hold locks. Intuitively, such a rule can help to limit the amount of pi-blocking caused by the progress mechanism, but it introduces considerable complexity and has to be carefully balanced with the extra delay introduced by withholding available resources. Easwaran and Andersson (2009) did not provide an empirical comparison of the PIP and the P-PCP; a later evaluation by Yang et al. (2015) based on a more accurate reanalysis of both protocols found that the P-PCP offers no substantial benefits over the (much simpler) PIP and FMLP protocols. Yang et al. (2015) also compared the long FMLP and the PIP and found the two protocols to be incomparable: fundamentally, some real-time workloads require the non-starvation guarantees of the FMLP’s FIFO queues, whereas other workloads require that urgent jobs are prioritized over less-urgent jobs. In practice, it is thus preferable for a system to offer both FIFO- and priority-ordered wait queues, and it
would not be difficult to combine Yang et al.’s analyses of the FMLP and the PIP to analyze such a hybrid protocol.
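
The trade-off between FIFO and priority-ordered wait queues, and the starvation effect behind the priority-queue lower bound mentioned in Sect. 5.2.1, can be reproduced with a small simulation. The following Python code is an added example, not taken from the chapter or from any of the cited protocols; it assumes one task per processor (so the lock holder always runs and no progress mechanism is modelled), tasks that re-request the single resource in a closed loop, and a constructed workload.

```python
"""Waiting times on one shared resource: FIFO vs. priority-ordered queue."""
from collections import namedtuple

# prio: smaller number = higher priority (assumed convention)
# cs:   critical-section length
# gap:  non-critical execution between releasing the lock and the next request
Task = namedtuple("Task", "name prio cs gap")

# Constructed workload: n = 4 tasks, each on its own processor.
TASKS = [
    Task("H1", 1, 2, 4),
    Task("H2", 2, 2, 4),
    Task("H3", 3, 2, 4),
    Task("L", 4, 2, 4),
]


def max_wait(tasks, order, horizon):
    """Simulate until `horizon`; return each task's longest observed wait.

    A request that is still queued when the run ends is charged the time it
    has waited so far, which makes starvation visible.
    """
    if order == "fifo":
        key = lambda req: (req[0], req[1])   # issue time, ties by priority
    elif order == "prio":
        key = lambda req: (req[1], req[0])   # priority, ties by issue time
    else:
        raise ValueError("order must be 'fifo' or 'prio'")
    if not tasks:
        return {}

    by_name = {t.name: t for t in tasks}
    next_issue = {t.name: 0 for t in tasks}  # all tasks request at time 0
    waiting = []                             # (issue_time, prio, name)
    worst = {t.name: 0 for t in tasks}
    now = 0
    while True:
        # Move every request issued by `now` into the wait queue.
        for name in [n for n, t in next_issue.items() if t <= now]:
            waiting.append((next_issue.pop(name), by_name[name].prio, name))
        if now >= horizon:
            break
        if not waiting:                      # resource idle: skip ahead
            now = min(next_issue.values())
            continue
        request = min(waiting, key=key)      # head of the queue gets the lock
        waiting.remove(request)
        issued, _, name = request
        worst[name] = max(worst[name], now - issued)
        now += by_name[name].cs              # holder runs its critical section
        next_issue[name] = now + by_name[name].gap
    for issued, _, name in waiting:          # requests never served
        worst[name] = max(worst[name], now - issued)
    return worst


if __name__ == "__main__":
    for order in ("fifo", "prio"):
        print(order, max_wait(TASKS, order, horizon=40))
```

Under FIFO ordering every request waits for at most n – 1 = 3 critical sections, whereas under priority ordering the three urgent tasks never wait after start-up but the request of L is still queued when the run ends, however long the horizon.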

5.2.3 Partitioned Scheduling

The category of multiprocessor real-time semaphore protocols for partitioned scheduling with in-place execution of critical sections has received by far the most attention in prior work. The classic, prototypical protocol in this domain is Rajkumar’s Multiprocessor Priority Ceiling Protocol (MPCP) for P-FP scheduling (Rajkumar 1990, 1991a). The MPCP is a natural extension of uniprocessor synchronization principles, is appealingly simple in design, and has served as a template for many subsequent protocols. To ensure lock-holder progress, the MPCP relies on priority boosting (Sect. 3.6). Specifically, for each resource, the protocol determines a ceiling priority that exceeds the priority of any regular task, and the effective priority of resource-holding tasks is unconditionally boosted to the corresponding ceiling priority. To resolve contention, each shared resource is associated with a priority-ordered wait queue, in which blocked tasks wait in order of their regular scheduling priority. From a blocking optimality point of view, this choice prevents asymptotic optimality (Brandenburg 2011; Brandenburg and Anderson 2010a). However, empirically, the MPCP is known to perform well for many (but not all) workload types (Brandenburg 2013b). Priority-boosted tasks remain preemptable under the MPCP. Resource-holding jobs can thus be preempted by other resource-holding jobs. The choice of ceiling priorities therefore has a significant impact on blocking bounds. Rajkumar’s original proposal (Rajkumar 1990, 1991a) did not provide a specific rule for determining ceiling priorities; rather, it specified certain conditions for acceptable ceiling priorities, which left some degree of choice to the implementor. Later works (Lakshmanan et al. 2009; Müller et al.
2014) have simply assumed that the priority ceiling of a global resource is the maximum priority of any task accessing the resource, offset by a system-wide constant to ensure priority boosting semantics (as discussed in Sect. 3.6). Since the MPCP is the original shared-memory multiprocessor real-time locking protocol, it unsurprisingly has received considerable attention in subsequent works. Lortz and Shin (1995) studied the choice of queue order in the MPCP and observed that assigning tasks explicit synchronization priorities (differing from their scheduling priorities) that reflect each task’s blocking tolerance can significantly improve schedulability (Lortz and Shin 1995). Furthermore, Lortz and Shin observed that simply using a FIFO queue instead of a priority-ordered wait queue can yield substantial schedulability improvements (Lortz and Shin 1995), which is consistent with observations made later in the context of the FIFO-based FMLP and FMLP+ (Brandenburg 2011, 2013b, 2014c; Brandenburg and Anderson 2008a). A variant of the MPCP with FIFO queues was later also studied by Carminati and de Oliveira (Carminati and de Oliveira 2012), as well as a variant in which priority
boosting is replaced with non-preemptive execution of critical sections (Carminati and de Oliveira 2012). In work primarily aimed at the task-mapping problem (discussed in Sect. 11.1), Lakshmanan et al. (2009) also proposed a variant of the MPCP based on virtual spinning. In this approach, blocked jobs do not actually spin (rather, they suspend at runtime as in other semaphore protocols), but the resulting protocol can be analyzed using a WCET-inflation approach as commonly used in the analysis of spin locks (recall Sect. 4.1). While the term was not yet in widespread use at the time, Lakshmanan et al.’s “virtual spinning” approach is in fact an s-oblivious analysis of the MPCP, together with a protocol tweak to simplify said analysis. Specifically, at most one job per core may issue a request for a global resource at any time (as is the case with non-preemptive spin locks) (Lakshmanan et al. 2009). Contention for global resources is thus first resolved locally on each core, similar to the token mechanism in the partitioned OMLP (Brandenburg and Anderson 2010a) already discussed in Sect. 5.1.3, which limits global contention. However, in both Lakshmanan et al.’s own evaluation (Lakshmanan et al. 2009) and in later comparisons (Brandenburg 2011; Brandenburg and Anderson 2011, 2013), it was observed that the “virtual spinning” variant of the MPCP performs poorly compared to both the regular MPCP (under s-aware analysis) and the partitioned and clustered OMLP variants, which are optimized for s-oblivious analysis (Brandenburg 2011; Brandenburg and Anderson 2011, 2013). A number of blocking and integrated schedulability analyses of the MPCP have been proposed over the years (Brandenburg 2013b; Lakshmanan et al. 2009; Rajkumar 1990, 1991a), including analyses for arbitrary (i.e., non-sporadic, nonperiodic) activation models (Negrean et al. 2009; Schliecker et al. 2009). 
However, it should be noted that a number of misconceptions have also been corrected over the years related to the critical instant (Yang et al. 2017), the non-applicability (Chen and Brandenburg 2017) of the period enforcer technique (Rajkumar 1991b) to shape locking-induced self-suspensions, as well as the proper accounting of self-suspensions in response-time analyses (Chen et al. 2017). These corrections should be carefully consulted before building upon or applying existing analyses. The most accurate and most extensible blocking analysis of the MPCP available today (Brandenburg 2013b) models the blocking analysis problem as a linear program, which allows for the systematic avoidance of structural pessimism such as the repeated overcounting of long critical sections in blocking bounds (Brandenburg 2013b) (as already discussed in Sect. 4.1). In particular, the LP-based approach allows for a much more accurate analysis of critical sections that contain self-suspensions (e.g., due to accesses to devices such as GPUs) by cleanly separating the time that a job holds a resource from the time that a job executes while being priority-boosted (Brandenburg 2013b). Recently, Patel et al. expressed very similar ideas using more conventional notation (Patel et al. 2018) but unfortunately did not compare their proposal against the earlier LP-based analysis of the MPCP (Brandenburg 2013b). A substantially different, early proposal for a predictable multiprocessor real-time locking protocol – almost as old as the MPCP, but known not nearly as well –
is due to Zhou (1992), who developed a real-time threading package (Schwan and Zhou 1992; Zhou 1992) on top of the Mach microkernel’s thread interface. In Zhou’s protocol, critical sections are executed non-preemptively, and blocked threads wait in FIFO order. As an interesting twist, Zhou introduced the notion of dynamic blocking analysis, where threads specify a maximum acceptable wait time when requesting a resource and where the real-time resource management subsystem performs an online blocking analysis that takes current contention conditions into account. This allows the system to dynamically determine whether the specified maximum acceptable wait time can be exceeded and to reject the request if so before any delay is actually incurred. Such a mechanism of course comes with non-negligible runtime overheads and has some impact on system complexity and has been absent from later proposals. In work targeting P-EDF, Chen et al. developed the Multiprocessor Dynamic Priority Ceiling Protocol (MDPCP) (Chen et al. 1994), which despite its name is quite different from the earlier MPCP. The MDPCP ensures progress by letting jobs holding global resources execute non-preemptively and orders jobs in per-resource wait queues in order of decreasing priority (i.e., increasing deadlines). Additionally, the MDPCP defines for each resource a current priority ceiling, which is defined “as the maximum priority of all jobs that are currently locking or will lock” the semaphore (Chen et al. 1994). As a result, the MDPCP is fundamentally tied to the periodic task model. (In a sporadic setting under P-EDF scheduling, it is impossible to accurately determine the set of jobs and their priorities that will lock a resource in the future.) The MDPCP includes a non-work-conserving rule akin to the uniprocessor PCP (Sha et al. 
1990) that prevents jobs with insufficiently high priorities (i.e., insufficiently urgent deadlines) from acquiring resources that might still be needed by higher-priority jobs (i.e., jobs with earlier deadlines). More precisely, a job on processor P is allowed to lock a global resource only if its own priority exceeds (i.e., its deadline is earlier than) the maximum priority ceiling of any resource currently in use on any of the processors that P might conflict with, where two processors “might conflict with” each other if there exists some resource that is accessed by tasks on both processors (Chen et al. 1994). This rule is required to avoid deadlock in the presence of nested requests, as will be discussed in Sect. 9. In an accompanying tech report (Chen and Tripathi 1994), Chen and Tripathi further defined a second variant of the MDPCP based on priority boosting (rather than non-preemptive execution); this MDPCP version is also tied to the periodic task model. Block et al.’s partitioned FMLP (Block et al. 2007) (previously discussed in Sect. 5.1.3) was also applied to P-FP scheduling and analyzed in an s-aware manner (Brandenburg and Anderson 2008b). Recall that the FMLP variant for long resources under partitioned scheduling relies on per-resource FIFO queues to resolve contention and on priority boosting to ensure lock-holder progress. While priority boosting is conceptually simple, a key detail is how to order simultaneously priority-boosted jobs (i.e., what to do if multiple tasks assigned to the same processor hold a resource at the same time). The original FMLP (Block et al. 2007) pragmatically gives priority to whichever job acquired its resource first (which
greedily minimizes the number of preemptions). This choice, however, turned out to be problematic from a blocking optimality point of view (Brandenburg 2011; Brandenburg and Anderson 2010a), and a refined version of the partitioned FMLP for long resources, called the partitioned FMLP+, was introduced (Brandenburg 2011). Like its predecessor, the partitioned FMLP+ uses per-resource FIFO queues to resolve contention and priority boosting to ensure lock-holder progress. However, it uses a subtly different tie-breaking rule: among priority-boosted jobs, the job with the first-issued (rather than the first-granted) lock request is given priority (i.e., priority-boosted jobs are scheduled in order of increasing lock-request times) (Brandenburg 2011). To avoid preemptions in the middle of a critical section, the FMLP+ optionally also supports non-preemptive critical sections (Brandenburg 2011). In contrast to all prior semaphore protocols for partitioned multiprocessor scheduling, the partitioned FMLP+ (with both preemptive and non-preemptive critical sections) ensures asymptotically optimal maximum s-aware pi-blocking (Brandenburg 2011). Specifically, due to the use of FIFO queues and the FIFO-based priority boosting order, the FMLP+ ensures that each time a job executes a critical section, it is delayed by at most n – 1 = O(n) earlier-issued requests (assuming preemptive critical sections). Additionally, a job may incur s-aware pi-blocking due to at most n – 1 = O(n) requests of lower-priority tasks that were issued before its release, and assuming non-preemptive critical sections adds only a constant amount of blocking (Brandenburg 2011). The FMLP+ hence ensures maximum s-aware pi-blocking within a factor of roughly two of the known lower bound (Brandenburg 2011).
In addition to the optimality result, several fine-grained (i.e., non-asymptotic) s-aware blocking analyses of the FMLP+ have been presented (Brandenburg 2011, 2013b, 2014c), with the LP-based analysis (Brandenburg 2013b) again yielding the most accurate results and offering the greatest flexibility, including support for self-suspensions in critical sections. Overall, the FMLP+ is simple, requires no configuration or a priori knowledge (such as priority ceilings), and has been implemented in LITMUS^RT (Brandenburg 2011) and shown to be practical (Brandenburg 2013b). In a comparison with the MPCP, the two protocols were shown to be incomparable: the FMLP+ outperforms the MPCP for many (but not all) workloads and vice versa (Brandenburg 2013b). Patel et al. observed similar trends in their comparison of the two protocols (Patel et al. 2018). As in the global case (Sect. 5.2.2), it would be best to develop a hybrid protocol that integrates the advantages of the FIFO-based FMLP+ (Brandenburg 2011) with optional prioritization as in the MPCP (Rajkumar 1990, 1991a) for the most urgent tasks. Such a protocol could be easily analyzed by merging the existing LP-based analyses (Brandenburg 2013b) of the MPCP and the FMLP+. Targeting P-FP scheduling in conjunction with a somewhat different system model, Nemati et al. (2011b) considered the consolidation of legacy uniprocessor systems onto shared multicore platforms, where each core is used to host a mostly
independent (uniprocessor) application consisting of multiple tasks. Whereas intra-application synchronization needs can be resolved with existing uniprocessor protocols (as previously employed in the individual legacy systems), the move to a shared multicore platform can create new inter-application synchronization needs (e.g., due to shared platform resources in the underlying RTOS). To support such inter-application resource sharing, Nemati et al. (2011b) developed the Multiprocessors Synchronization Protocol for Real-Time Open Systems (MSOS) protocol (Nemati et al. 2011b), with the primary goal of ensuring that the temporal correctness of each application can be assessed without requiring insight into any other application (i.e., applications are assumed to be opaque and may be developed by independent teams or organizations). To this end, the MSOS protocol uses a two-level, multi-tailed hybrid queue for each resource. Similar to the partitioned OMLP (Brandenburg and Anderson 2010a) (discussed in Sect. 5.1.3), contention for global (i.e., inter-application) resources is first resolved on each core, such that at most one job per core and resource can contend for global resources. Since the MSOS protocol resolves inter-application contention with FIFO queues, this design allows for the derivation of blocking bounds without knowledge of any application internals, provided the maximum per-application resource-hold time is known (for which Nemati et al. provide a bound; Nemati et al. 2011b). The intra-application queues can be either FIFO or priority-ordered queues (Nemati et al. 2011b), and lock-holder progress is ensured via priority boosting as in the MPCP (Rajkumar 1990). Chen et al. (2017) correct an oversight in the analysis of the MSOS protocol (Nemati et al. 2011b) related to the worst-case impact of self-suspensions.

5.2.4 Semi-partitioned Scheduling

Semi-partitioned multiprocessor scheduling (Anderson et al. 2005) is a hybrid variant of partitioned scheduling, where most tasks are assigned to a single processor each (as under partitioned scheduling) and a few migratory tasks receive allocations on two or more processors (i.e., their processor allocations are effectively split across processors). Semi-partitioned scheduling has been shown to be an effective and highly practical technique to circumvent bin-packing limitations without incurring the complexities and overheads of global or clustered scheduling (Bastoni et al. 2011; Brandenburg and Gül 2016). From a synchronization point of view, however, semi-partitioned scheduling has not yet received much attention. A notable exception is Afshar et al.’s work (Afshar et al. 2012) on semaphore protocols for semi-partitioned fixed-priority (SP-FP) scheduling. Since known techniques for partitioned scheduling are readily applicable to non-migratory tasks, the novel challenge that must be addressed when targeting semi-partitioned systems is migratory tasks. To this end, Afshar et al. (2012) proposed two protocol variants, both using priority-ordered wait queues and priority boosting. In the first protocol variant, the Migration-Based Locking Protocol Under Semi-Partitioned Scheduling (MLPS) (Afshar et al. 2012), each task is assigned a marked processor on which it must execute all its critical sections. This approach simplifies the problem, as it ensures that all of a task’s critical sections are executed on a
statically known processor, which reduces the analysis problem to the partitioned case. However, it also introduces additional task migrations, as a migratory task that currently resides on the “wrong” (i.e., non-marked) processor must first migrate to its marked processor before it can enter a critical section and then back again to its non-marked processor when it releases the lock. As an alternative, Afshar et al.’s Non-Migration-Based Locking Protocol Under Semi-Partitioned Scheduling (NMLPS) (Afshar et al. 2012) lets migratory tasks execute their critical sections on their current processor (i.e., on whichever processor they happen to be executing at the time of lock acquisition). This avoids any superfluous migrations but causes greater analysis uncertainty as it is now unclear on which processor a critical section will be executed. Additional complications arise when a resource-holding migratory task should, according to the semi-partitioning policy, be migrated in the middle of a critical section. At this point, there are two choices: either let the task finish its critical section before enacting the migration, which may cause it to overrun its local budget, or instead preempt the execution of the critical section, which causes extra delays and makes the analysis considerably more pessimistic. Afshar et al. (2012) chose the former approach in the NMLPS, which means that budget overruns up to the length of one critical section must be accounted for in all but the last segments of migratory tasks.

5.2.5 Clustered Scheduling

Like the semi-partitioned case, the topic of s-aware semaphore protocols for clustered scheduling has not received much attention to date. The primary works are an extension of Nemati et al.’s MSOS protocol (Nemati et al. 2011b), called the clustered MSOS (C-MSOS) protocol (Nemati and Nolte 2013), and the generalized FMLP+ (Brandenburg 2014c), which establishes asymptotic tightness of the known lower bound on s-aware pi-blocking (recall Sect. 5.2.1). Under the C-MSOS, legacy applications are allowed to span multiple cores (i.e., there is one application per cluster). Local (i.e., intra-application) resources are managed using the PIP (Easwaran and Andersson 2009; Sha et al. 1990) (as discussed in Sect. 5.2.2). Global (i.e., inter-application) resources are managed using a two-stage queue as in the MSOS protocol (Nemati et al. 2011b). However, in the C-MSOS protocol, each resource’s global queue can be either a FIFO queue (as in the MSOS protocol; Nemati et al. 2011b) or a round-robin queue. As before, the per-application queues can be either FIFO or priority queues, and lock-holder progress is ensured via priority boosting (which prevents asymptotic optimality w.r.t. maximum s-aware pi-blocking under global and clustered scheduling (Brandenburg 2011, 2014c)). The generalized FMLP+ (Brandenburg 2014c) was designed specifically to close the “s-aware optimality gap” (Brandenburg 2011), i.e., to provide a matching upper bound of O(n) s-aware pi-blocking under clustered (and hence also global) scheduling, thereby establishing the known Ω(n) lower bound (Brandenburg 2011; Brandenburg and Anderson 2010b) to be asymptotically tight (Brandenburg 2014c). The name derives from the fact that the generalized FMLP+ produces the same schedule as the partitioned FMLP+ when applied to partitioned scheduling
(Brandenburg 2014c). However, despite this lineage, in terms of protocol rules, the generalized FMLP+ (Brandenburg 2014c) differs substantially from the (much simpler) partitioned FMLP+ (Brandenburg 2011). The generalized FMLP+ (Brandenburg 2014c) resolves contention with simple per-resource FIFO queues, as in the prior FMLP (Block et al. 2007) and the partitioned FMLP+ (Brandenburg 2011). The key challenge is to ensure lock-holder progress, since neither priority inheritance nor (unrestricted) priority boosting can yield asymptotically optimal s-aware pi-blocking bounds under global and clustered scheduling (Brandenburg 2011, 2014c). Intuitively, the main problem is that raising the priority of a lock holder (via either inheritance or boosting) can cause other, unrelated higher-priority jobs to be preempted. Furthermore, in pathological cases, it can cause the same job to be repeatedly preempted, which gives rise to asymptotically nonoptimal s-aware pi-blocking (Brandenburg 2011, 2014c). The generalized FMLP+ overcomes this effect by employing a progress mechanism tailored to the problem, called restricted segment boosting (RSB) (Brandenburg 2014c). Under the RSB rules, in each cluster, only the (single) job with the earliest-issued request benefits from priority boosting (with any ties in request-issue time broken arbitrarily). In addition to this single boosted lock holder, certain non-lock-holding jobs are co-boosted, specifically to prevent repeated preemptions in the pathological scenarios that cause the nonoptimality of priority inheritance and priority boosting (Brandenburg 2011, 2014c). Based on RSB, the generalized FMLP+ ensures asymptotically optimal s-aware pi-blocking under clustered scheduling (Brandenburg 2014c) and hence also under global scheduling, which closes the s-aware optimality gap (Brandenburg 2011). However, in an empirical comparison under global scheduling (Yang et al.
2015), the generalized FMLP+ performed generally worse than protocols specifically designed for global scheduling, which indicates that the generalized FMLP+ (Brandenburg 2014c) is primarily of interest from a blocking optimality point of view. In contrast, the simpler partitioned FMLP+ (Brandenburg 2011), which is designed specifically for partitioned scheduling and hence avoids the complexities resulting from clustered and global scheduling, is known to empirically perform very well and to be practical (Brandenburg 2013b).

6 Centralized Execution of Critical Sections

In the preceding two sections, we have considered protocols for in-place execution of critical sections, where jobs directly access shared resources. Under in-place protocols, the critical sections pertaining to each (global) resource are spread across multiple processors (i.e., wherever the tasks that share the resource happen to be executing). For spin locks (Sect. 4), this is the natural choice. In the case of semaphores, however, this is not the only possibility, nor is it necessarily the best. Instead, as discussed in Sect. 2.2.5, it is also possible to centralize the execution of all critical sections onto a designated processor, the synchronization processor of the resource. In fact, the very first multiprocessor real-time semaphore protocol, namely, the DPCP (Rajkumar et al. 1988), followed exactly this approach.

Protocols that call for the centralized execution of critical sections are also called distributed multiprocessor real-time locking protocols, because the centralized approach does not necessarily require shared memory (as opposed to the in-place execution of critical sections, which typically relies on cache-consistent shared memory). From a systems point of view, there are three ways to interpret such protocols. Let a job’s application processor be the processor on which it carries out its regular execution (i.e., where it executes its noncritical sections). In the first interpretation, which is consistent with a distributed systems perspective, each critical section of a task is seen as a synchronous remote procedure call (RPC) to a resource server executing on the synchronization processor. The resource server, which itself may be multi-threaded, is in charge of serializing concurrent RPC calls. A job that issues an RPC to the synchronization processor self-suspends after sending the RPC request and resumes again when the resource server’s response is received by the application processor. The job’s self-suspension duration thus includes both the time required to service its own request plus any delays due to contention for the resource (i.e., blocking due to earlier-serviced requests). Additionally, in a real system, any communication overheads contribute to a job’s self-suspension time (e.g., transmission delays if the RPC request is communicated over a shared interconnect, argument marshaling and unmarshaling costs, etc.). In the second interpretation, which is typically adopted in a shared-memory context, jobs are considered to migrate from the application processor to the synchronization processor when they attempt to lock a shared resource and to migrate back to their application processor when unlocking the resource. All resource contention is hence reduced to a uniprocessor locking problem. 
However, from a schedulability analysis point of view, the time that the job resides on the synchronization processor still constitutes a self-suspension w.r.t. the analysis of the application processor. Finally, the third interpretation, which is appropriate for both shared-memory and distributed systems, is to see each job as a sequence (i.e., as a linear DAG) of subjobs with precedence constraints with an end-to-end deadline (Sun et al. 1994), where different subjobs are spread across multiple processors. In this view, the synchronization problem is again reduced to a uniprocessor problem. The end-to-end analysis, however, must deal with the fact that each DAG visits the application processor multiple times, which can give rise to pessimism in the analysis. From an analytical point of view – i.e., for the purpose of schedulability and blocking analysis – the first two interpretations are equivalent, that is, identical analysis problems must be solved and (ignoring overheads) identical bounds are obtained, regardless of how the protocol is actually implemented. The third approach provides some additional flexibility (Sun et al. 1994; Tia and Liu 1994).

6.1 Advantages and Disadvantages

Multiprocessor real-time locking protocols that centralize the execution of critical sections offer a number of unique advantages. For one, they can be easily applied to heterogeneous multiprocessor platforms, where only specific cores may possess the ability to execute certain critical sections (e.g., compute kernels can run only on GPUs). Similarly, if certain shared devices are accessible only from specific processors (e.g., if there is a dedicated I/O processor), then those processors naturally become synchronization processors for critical sections pertaining to such devices. Furthermore, centralizing all critical sections is also attractive in non-cache-coherent systems, since it avoids the need to keep a shared resource’s state consistent across multiple memories. In fact, even in cache-coherent shared-memory systems, it can be beneficial to centralize the execution of critical sections to avoid cache-line bouncing (Lozi et al. 2012). And last but not least, from a real-time perspective, the centralized approach allows the reuse of well-established uniprocessor protocols, which for some workloads can translate into significant schedulability improvements over in-place approaches (Brandenburg 2013b). Centralized protocols, however, also come with a major downside. Whereas schedulability and blocking analysis is typically concerned with worst-case scenarios, many systems also require excellent average-case performance, and this is where in-place execution of critical sections has a major advantage. In well-designed systems, resource contention is usually rare, which means that uncontested lock acquisitions are the common case that determines average-case performance. In a semaphore protocol based on in-place execution, uncontested lock acquisitions do not cause self-suspensions and can further be optimized to incur very low acquisition and release overheads (see Sect. 10.2).
In contrast, in protocols based on the centralized approach, every critical section necessarily involves a self-suspension (with the exception of the corner case when a job’s application processor is also the shared resource’s synchronization processor), which is likely to have a significant negative impact on average-case performance.

6.2 Centralized Protocols

The original protocol for the centralized execution of critical sections, and in fact the first multiprocessor real-time locking protocol altogether, is the Distributed Priority Ceiling Protocol (DPCP) (Rajkumar 1991a; Rajkumar et al. 1988). Unfortunately, there is some confusion regarding the proper name of the DPCP. The protocol was originally introduced as the “Multiprocessor Priority Ceiling Protocol” and abbreviated as “MPCP” (Rajkumar et al. 1988) but then renamed to “Distributed Priority Ceiling Protocol,” properly abbreviated as “DPCP,” shortly thereafter (Rajkumar 1991a). To make matters worse, the shared-memory protocol now known as the MPCP (discussed in Sect. 5.2.3) was introduced in the meantime (Rajkumar 1990). However, the authors of several subsequent works remained unaware of the name change for some time, and hence a number of later publications, including a popular textbook on real-time systems (Liu 2000), refer to the DPCP (Rajkumar et al. 1988) by the name “MPCP.” We follow the modern terminology (Rajkumar 1991a) and denote by “DPCP” the original protocol (Rajkumar et al. 1988), which is based on the centralized execution of critical sections, and reserve the abbreviation “MPCP” to refer to the later shared-memory protocol (Rajkumar 1990), which is based on the in-place execution of critical sections. The DPCP has been designed for P-FP scheduling. As the name suggests, the DPCP relies on the classic PCP (Sha et al. 1990) to arbitrate conflicting requests on each synchronization processor. To ensure resource-holder progress, that is, to prevent lock-holding jobs from being preempted by non-lock-holding jobs if the sets of synchronization and application processors are not disjoint, the DPCP relies on priority boosting. As a result of reusing the uniprocessor PCP, the DPCP effectively uses a priority-ordered wait queue (i.e., conflicting requests from two remote jobs are served in order of their regular scheduling priorities). This simple design has proven to be highly effective and practical even in modern systems (Brandenburg 2013b). A number of s-aware blocking analyses of the DPCP have been presented in the literature (Brandenburg 2013b; Huang et al. 2016; Rajkumar 1991a; Rajkumar et al. 1988), with an LP-based approach (Brandenburg 2013b) yielding the most accurate bounds. Recent works (Chen and Brandenburg 2017; Yang et al. 2017) documented some misconceptions in the original analyses (Rajkumar 1991a; Rajkumar et al. 1988). Ras and Cheng (2008) investigated a variant of the DPCP that uses the SRP (Theodore 1991) instead of the PCP (Sha et al. 1990) on each core. The resulting protocol, which they called the Distributed Stack Resource Policy (DSRP) (Ras and Cheng 2008), has the advantage of integrating better with P-EDF scheduling (since the underlying SRP is well-suited for EDF). Just as the FIFO-ordered FMLP+ complements the priority-ordered MPCP in the case of in-place critical sections, the Distributed FIFO Locking Protocol (DFLP) (Brandenburg 2013b, 2014b) is a FIFO-ordered protocol for centralized critical section execution that complements the priority-ordered DPCP.
The DFLP works in large parts just like the DPCP, with the exception that it does not use the PCP to manage access to global resources. Instead, it adopts the design first introduced with the partitioned FMLP+ (Brandenburg 2011) (discussed in Sect. 5.2.3): conflicting lock requests are served in FIFO order, lock-holding jobs are (unconditionally) priority-boosted, and jobs priority-boosted simultaneously on the same synchronization processor are scheduled in order of the times at which they issued their lock requests (i.e., the tie-breaking rule favors earlier-issued requests). Blocking under the DFLP has been analyzed using an s-aware, LP-based approach (Brandenburg 2013b). In an empirical comparison under P-FP scheduling based on an implementation in LITMUS^RT (Brandenburg 2013b), the DFLP and DPCP were observed to be incomparable: the DFLP performs better than the DPCP for many (but not all) workloads and vice versa. Similarly, both protocols were observed to be incomparable with their in-place counterparts (i.e., the partitioned FMLP+ (Brandenburg 2011) and the MPCP (Rajkumar 1990), respectively). In contrast to the DPCP, which is defined only for P-FP scheduling, the DFLP can also be combined with P-EDF or clustered scheduling (Brandenburg 2014b).

6.3 Blocking Optimality

Centralized locking protocols have also been studied from the point of view of blocking optimality (Brandenburg 2011; Brandenburg and Anderson 2010a), and asymptotically tight bounds on maximum pi-blocking have been obtained for both the s-aware and s-oblivious cases (Brandenburg 2014b). Interestingly, the way in which resources and tasks are assigned to synchronization and application processors, respectively, plays a major role. If some tasks and resources are co-hosted, that is, if the sets of synchronization and application processors are not disjoint, then maximum pi-blocking is asymptotically worse than in the shared-memory case: a lower bound on maximum pi-blocking of ( × n) has been established (Brandenburg 2014b), where  denotes the ratio of the maximum response time and the minimum period of any task. Notably, this bound holds under both s-aware and s-oblivious analysis due to the existence of certain pathological cases in which jobs are repeatedly preempted (Brandenburg 2014b). Both the DPCP (Rajkumar 1991a; Rajkumar et al. 1988) and the DFLP (Brandenburg 2013b, 2014b) ensure O( × n) maximum s-aware pi-blocking and are hence asymptotically optimal in the case with co-hosted tasks and resources (Brandenburg 2014b). In contrast, if the sets of synchronization and application processors are disjoint (i.e., if no processor serves both regular tasks and critical sections), then the same bounds as with in-place critical sections apply (Brandenburg 2014b): (n) under s-aware analysis and (m) under s-oblivious analysis. The DFLP (Brandenburg 2013b, 2014b) ensures O(n) maximum s-aware pi-blocking in the disjoint case under clustered (and hence also partitioned) scheduling and hence is asymptotically optimal under s-aware analysis (Brandenburg 2014b). 
Asymptotic tightness of the (m) bound on maximum s-oblivious pi-blocking was established with the Distributed OMLP (D-OMLP) (Brandenburg 2014b), which transfers techniques introduced with the OMLP family for in-place critical section execution to the centralized setting.

7 Independence Preservation: Avoiding the Blocking of Higher-Priority Tasks

All of the locking protocols discussed so far use either priority inheritance, non-preemptive sections, unconditional priority boosting, or a restricted variant of the latter (such as priority donation or RSB). Of these, priority inheritance has a unique and particularly attractive property: independent higher-priority jobs are not affected by the synchronization behavior of lower-priority jobs. For example, consider three tasks τ1, τ2, and τ3 under uniprocessor fixed-priority scheduling, and suppose that τ2 and τ3 share a resource 1 that the higher-priority task τ1 does not require. If the tasks follow a protocol based on priority inheritance, then the response time of τ1 is completely independent of the lengths of the critical sections of τ2 and τ3, which is obviously desirable. In contrast, if τ2 and τ3 synchronize by means of non-preemptive critical sections, then τ1’s response time, and ultimately its temporal correctness, depends on the critical section lengths of lower-priority tasks. In other words, the use of non-preemptive sections induces a temporal dependency among logically independent tasks. Unfortunately, priority boosting, priority donation, and RSB similarly induce temporal dependencies when they force the execution of lock-holding lower-priority jobs. Since on multiprocessors priority inheritance is effective only under global scheduling (recall Sect. 3.4), this poses a significant problem for multiprocessor real-time systems that do not use global scheduling (of which there are many in practice). In response, a number of multiprocessor real-time locking protocols have been proposed that avoid introducing temporal dependencies in logically unrelated jobs. We use the term independence preservation (Brandenburg 2012, 2013a, 2014a) to generally refer to the desired isolation property and this class of protocols.

7.1 Use Cases

Independence preservation is an important property in practice, but it has received relatively little attention compared to the classic spin and semaphore protocols discussed in Sects. 4, 5, and 6. To highlight the concept’s significance, we briefly sketch four contexts in which independence preservation is essential.

First, consider multi-rate systems with a wide range of activation frequencies. For instance, in automotive systems, it is not uncommon to find task periods ranging from as low as 1 ms to as high as 1000 ms or more. Now, if a 1000 ms task has a utilization of only 10%, and if each job spends only 1% of its execution time in a critical section, then a single such critical section is already long enough (1 ms) to render any 1 ms task on the same core infeasible. This shows the importance of independence preservation in the face of highly heterogeneous timing requirements. A more detailed discussion of this motivation has been presented previously (Brandenburg 2013a).

As a second example, consider an infrequently triggered sporadic event handler that must react within, say, 100 μs (e.g., a critical interrupt handler with a tight latency constraint). Now assume the system is deployed on an eight-core platform, and consider a shared memory object accessed by all cores (e.g., an OS data structure) that is protected with a non-preemptive FIFO spin lock (e.g., as used in the MSRP (Gai et al. 2001); recall Sect. 4.1). Even if each critical section is only 20 μs long, when accounting for the transitive impact of spin delay, the worst-case latency on every core is at least 160 μs, which renders the latency-sensitive interrupt task infeasible. Generally speaking, if job release latency is a concern, then non-independence-preserving synchronization methods must be avoided. Case in point: the PREEMPT_RT real-time patch for the Linux kernel converts most non-preemptive spin locks in the kernel to suspension-based mutexes for precisely this reason. In other words, none of the protocols discussed in Sects. 4, 5, and 6 based on priority boosting or non-preemptive execution is appropriate for general use in the Linux kernel. Takada and Sakamura highlighted the negative impact of real-time synchronization on interrupt latency as a major problem in multiprocessor RTOS kernels already more than 20 years ago (Takada 1996; Takada and Sakamura 1994, 1995, 1996, 1997).

Third, consider open systems, where at design time it is not (fully) known which applications will be deployed and composed at runtime. Non-preemptive sections and priority boosting are inappropriate for such systems, because the pi-blocking that they induce is a global property, in the sense that it affects all applications, and because the maximum critical section length in newly added applications is not always known. Independence preservation ensures temporal isolation among independent applications, which greatly simplifies the online admission and composition problem. Faggioli et al. argue this point in much more detail (Faggioli et al. 2010, 2012).

As a fourth and final example, independence preservation is also important in the context of mixed-criticality systems (Burns and Davis 2018), where it is highly desirable to ensure that critical components do not depend on noncritical ones. Specifically, if the temporal correctness of a highly critical task is dependent on the critical section length in a lower-criticality task, then there essentially exists an illicit trust relationship pertaining to the correct operation of the lower-criticality task. Independence preservation can help to avoid such dependencies. A detailed argument along these lines has been presented in prior work (Brandenburg 2014a).

7.2 Fully Preemptive Locking Protocols for Partitioned and Clustered Scheduling

Since priority inheritance ensures independence preservation under global scheduling, we focus on partitioned or (non-global) clustered scheduling (and in-place critical sections). Recall from Sect. 3 that the fundamental challenge under partitioned scheduling can be described as follows: a lock-holding task τl on processor P1 is preempted by a higher-priority task τh, while τl blocks a remote task τb located on processor P2. There are fundamentally only three choices:

1. Priority-boost τl to expedite the completion of its critical section, in which case τh is delayed.
2. Do nothing and accept that τb’s blocking bound depends on τh’s execution cost.
3. Use processor time originally allocated to τb on processor P2 to finish τl’s critical section: allocation inheritance, as discussed in Sect. 3.5.

Option (1) violates independence preservation, option (2) results in potentially “unbounded” blocking, and hence all protocols considered in this section rely on option (3).
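
The three options above, worked through in a small discrete-time simulation of the τl/τh/τb scenario (an added example, not code from the chapter). The task parameters, the one-tick granularity, and the simplification that each lock-using job consists of a single critical section are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(eq=False)
class Task:
    name: str
    cpu: int            # home processor (partitioned scheduling)
    prio: int           # fixed priority; larger value = higher priority
    release: int        # release time in ticks
    cost: int           # execution demand in ticks
    uses_lock: bool     # assumption: the whole job is one critical section
    done: int = 0
    acquired: Optional[int] = None   # tick at which the lock was granted
    finish: Optional[int] = None     # tick at which the job completed


def simulate(policy: str, high_cost: int = 5, horizon: int = 1000) -> dict:
    """Run the constructed scenario under 'boost', 'none' or 'inherit'."""
    if policy not in ("boost", "none", "inherit"):
        raise ValueError(policy)
    # Constructed task set: tau_l and tau_h share P1, tau_b runs on P2.
    tau_l = Task("tau_l", cpu=1, prio=1, release=0, cost=4, uses_lock=True)
    tau_h = Task("tau_h", cpu=1, prio=3, release=1, cost=high_cost, uses_lock=False)
    tau_b = Task("tau_b", cpu=2, prio=2, release=2, cost=2, uses_lock=True)
    tasks = [tau_l, tau_h, tau_b]
    holder: Optional[Task] = None

    for t in range(horizon):
        if all(x.finish is not None for x in tasks):
            break
        active = [x for x in tasks if x.release <= t and x.finish is None]
        # A free lock goes to the earliest-issued request (FIFO order).
        if holder is None:
            requests = [x for x in active if x.uses_lock]
            if requests:
                holder = min(requests, key=lambda x: x.release)
                holder.acquired = t

        def blocked(x: Task) -> bool:
            return x.uses_lock and x is not holder

        def effective_prio(x: Task) -> float:
            # Option 1: the lock holder outranks every local task.
            return float("inf") if policy == "boost" and x is holder else x.prio

        # Per-processor fixed-priority dispatch.
        picked = {}
        for cpu in (1, 2):
            local = [x for x in active if x.cpu == cpu]
            if policy != "inherit":
                local = [x for x in local if not blocked(x)]  # waiters suspend
            if local:
                picked[cpu] = max(local, key=effective_prio)

        ran = [x for x in picked.values() if not blocked(x)]
        # Option 3: a processor that picked a blocked waiter spends that
        # allocation on the lock holder, unless the holder already runs.
        if policy == "inherit" and holder is not None and holder not in ran:
            if any(blocked(x) for x in picked.values()):
                ran.append(holder)

        for x in ran:
            x.done += 1
            if x.done == x.cost:
                x.finish = t + 1
                if x is holder:
                    holder = None   # release; the next grant happens next tick

    if any(x.finish is None for x in tasks):
        raise RuntimeError("horizon too short")
    return {
        "tau_h_response": tau_h.finish - tau_h.release,
        "tau_b_blocking": tau_b.acquired - tau_b.release,
    }


if __name__ == "__main__":
    for cost in (5, 50):
        for policy in ("boost", "none", "inherit"):
            print(cost, policy, simulate(policy, high_cost=cost))
```

Raising `high_cost` from 5 to 50 lengthens τh's response time under boosting and τb's blocking under "do nothing", while under allocation inheritance τh is never delayed and τb's blocking stays at the remaining length of τl's critical section.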

Allocation inheritance can be combined with both spin- and suspension-based waiting. In both cases, lock-holding tasks remain fully preemptable at all times and continue to execute with their regular (i.e., non-boosted) priorities, which yields the desired independence-preservation property. Hohmuth and Peter (2001) were the first to describe an independence-preserving multiprocessor real-time synchronization protocol, which they realized in the Fiasco L4 microkernel under the name local helping. Given that microkernels in the L4 family rely exclusively on IPC, the shared resource under contention is in fact a single-threaded resource server that synchronously responds to invocations from client tasks, thereby implicitly sequencing concurrent requests (i.e., the execution of the server’s response handler forms the “critical section”). Hohmuth and Peter’s solution (Hohmuth and Peter 2001) is based on earlier work by Hohmuth and Härtig (2001), who described an elegant way to realize temporally predictable resource servers on uniprocessors that is analytically equivalent to the better-known (uniprocessor) Bandwidth Inheritance (BWI) protocol (Lamastra et al. 2001) (which was independently proposed in the same year). Hohmuth and Härtig’s solution rests on a mechanism that they called helping: whenever a blocked client (i.e., a client thread that seeks to rendezvous with the server while the server is not waiting to accept a synchronous IPC message) is selected by the scheduler, the server process is dispatched instead (Hohmuth and Härtig 2001) (see also time-slice donation; Steinberg et al. 2010). Hohmuth and Peter extended Hohmuth and Härtig’s helping approach to multiprocessors (under P-FP scheduling) and systematically considered key design choices and challenges.
Specifically, with local helping, a preempted resource server is migrated (i.e., pulled) to the core of the blocked client, at which point the uniprocessor helping mechanism (Hohmuth and Härtig 2001) can be applied – an instance of the allocation inheritance principle (Sect. 3.5). (Hohmuth and Peter also describe a variant called remote helping, where the blocked client is migrated to the core assigned to the server (Hohmuth and Peter 2001), which however is not an attractive solution from an analytical point of view and is thus not further considered here.) However, two interesting challenges arise:

1. What should blocked clients do when the resource server is already executing on a remote core?
2. How does a blocked client learn that the resource server was preempted on a remote core?

Hohmuth and Peter considered two fundamental approaches. In the first approach, which they termed polling (Hohmuth and Härtig 2001), the blocked client simply executes a loop checking whether the resource server has become available for dispatching (i.e., whether it has been preempted), which addresses both questions. This polling approach is equivalent to preemptable spinning (i.e., it is conceptually a busy-wait loop that happens to spin on the process state of the server process), with the typical advantage of avoiding self-suspensions and the typical disadvantage of potentially wasted processor cycles. As an alternative, Hohmuth and Peter considered a sleep and callback (Hohmuth and Peter 2001) approach, where the blocked client registers its willingness to help in a data structure and then self-suspends. When the server process is preempted, the register of potential helpers is consulted, and one or more blocked clients are woken up by triggering their callback functions, which requires sending an inter-processor interrupt (IPI) to the core on which they are hosted. The sleep and callback approach is equivalent to self-suspending clients, with the typical advantage that blocked clients yield the processor to lower-priority tasks and also the typical analytical and overhead disadvantages. Since Hohmuth and Peter expected critical sections (i.e., server request handlers) in their system to be relatively short and due to implementation challenges associated with the sleep and callback approach, Hohmuth and Peter chose the polling approach in their implementation (Hohmuth and Peter 2001). Given that synchronous IPC (with single-threaded processes) and mutual exclusion are duals of each other, Hohmuth and Peter’s work (Hohmuth and Peter 2001) directly applies to the multiprocessor real-time locking problem, and in fact their combination of local helping and synchronous IPC can be considered a multiprocessor real-time locking protocol that combines priority-ordered wait queues with allocation inheritance under P-FP scheduling. Not long after Hohmuth and Peter (2001), in work targeting global, optimal multiprocessor scheduling, Holman and Anderson (2002b, 2006; Holman 2004) proposed the use of allocation inheritance to realize a predictable suspension-based locking protocol for Pfair scheduling (Baruah et al. 1996; Srinivasan and Anderson 2006).
While Pfair is a global scheduler, it is not compatible with priority inheritance due to its much more nuanced notion of “priority.” Holman and Anderson hence proposed allocation inheritance as a generalization of the priority-inheritance principle that neither assumes priority-driven scheduling nor requires a priority concept. As already mentioned in Sect. 3.5, Holman and Anderson also coined the term “allocation inheritance,” which we have adopted to refer to the general idea of dynamically repurposing processor time allocations to ensure progress and resolve contention. Holman and Anderson further considered two alternatives to allocation inheritance named rate inheritance and weight inheritance (Holman and Anderson 2002b, 2006; Holman 2004), which are both specific to Pfair scheduling and not further considered here. Much later, Faggioli et al. (2010, 2012) extended the uniprocessor bandwidth inheritance protocol (Lamastra et al. 2001) to multiprocessors, targeting in particular multiprocessors under reservation-based scheduling. The resulting protocol, the Multiprocessor Bandwidth Inheritance (MBWI) protocol (Faggioli et al. 2010, 2012), combines allocation inheritance with FIFO-ordered wait queues and busy-waiting. Faggioli et al. observed that since the allocation inheritance principle is not specific to any particular scheduling algorithm, the MBWI protocol may be employed without any modifications or adaptations under partitioned, global, or clustered scheduling (Faggioli et al. 2010, 2012). In fact, it can even be used in unchanged form under semi-partitioned scheduling or in the presence of tasks with arbitrary processor affinities (APAs). Like Hohmuth and Peter (2001), Faggioli et al. chose to follow the polling approach in their implementation of the MBWI protocol in LITMUS^RT (Faggioli et al. 2012). As an interesting practical tweak, polling jobs detect when the lock-holding job self-suspends (e.g., due to I/O) and then self-suspend accordingly, to prevent wasting large amounts of processor time when synchronizing access to resources that induce self-suspensions within critical sections (e.g., GPUs) (Faggioli et al. 2010, 2012). Nonetheless, the MBWI protocol is fundamentally a spin-based protocol (Faggioli et al. 2010, 2012). In work targeting Linux with the PREEMPT_RT patch, Brandenburg and Bastoni (2012) proposed to replace Linux’s implementation of priority inheritance with allocation inheritance (which they referred to as migratory priority inheritance; Brandenburg and Bastoni 2012) because priority inheritance is ineffective in the presence of tasks with disjoint processor affinities, which Linux supports. In contrast to Faggioli et al.’s MBWI protocol (Faggioli et al. 2010, 2012) and Hohmuth and Peter’s local helping implementation in Fiasco (Hohmuth and Peter 2001), Brandenburg and Bastoni (2012) proposed to retain Linux’s usual semaphore semantics wherein blocked tasks self-suspend. Similarly to Hohmuth and Peter’s work (Hohmuth and Peter 2001), and unlike the MBWI protocol (Faggioli et al. 2010, 2012), Brandenburg and Bastoni’s proposal (Brandenburg and Bastoni 2012) is based on priority-ordered wait queues.
The O(m) Independence-preserving Protocol (OMIP) (Brandenburg 2012, 2013a) for clustered scheduling is the only protocol based on allocation inheritance that achieves asymptotic blocking optimality under s-oblivious analysis. Recall that the only other protocol for clustered scheduling that is asymptotically optimal w.r.t. maximum s-oblivious pi-blocking is the clustered OMLP (Brandenburg 2011; Brandenburg and Anderson 2011, 2013), which relies on priority donation, a restricted variant of priority boosting, and which hence is not independence preserving. The OMIP improves upon the clustered OMLP by replacing priority donation with allocation inheritance, which ensures that lock-holding tasks remain preemptable at all times. As a result of this change in progress mechanism, the OMIP requires a multistage hybrid queue (Brandenburg 2012, 2013a) similar to the one used in the global OMLP (Brandenburg and Anderson 2010a), in contrast to the simple FIFO queues used in the clustered OMLP (Brandenburg and Anderson 2011). In fact, in the special case of global scheduling, the OMIP reduces to the global OMLP and hence can be understood as a generalization of the global OMLP (Brandenburg 2012, 2013a). This also underscores that allocation inheritance is a generalization of priority inheritance (Sect. 3.5). The OMIP, which has been prototyped in LITMUS^RT (Brandenburg 2013a), is suspension-based and hence requires the implementation to follow a sleep and callback approach (Hohmuth and Peter 2001). However, because the available blocking analysis is s-oblivious (Brandenburg 2013a), which already accounts for suspension times as processor demand (Sect. 5.1), it can be trivially (i.e., without any changes to the analysis) changed into a spin-based protocol. Similarly, the OMIP’s multistage hybrid queue could be combined with the MBWI protocol (Faggioli et al. 2010, 2012) to lower the MBWI protocol’s bounds on worst-case s-blocking (i.e., O(m) bounds as in the OMIP rather than the MBWI protocol’s O(n) bounds). One unique feature of the OMIP worth noting is that since the blocking bounds are completely free of any terms depending on the number of tasks n, it does not require any trust on the maximum number of tasks sharing a given resource. This makes it particularly interesting for open systems and mixed-criticality systems, where the final workload composition and resource needs are either not known or not trusted. Exploiting this property, as well as a close correspondence between s-oblivious analysis and certain processor reservation types, the OMIP has been used to derive a locking protocol for Virtually Exclusive Resources (VXR) (Brandenburg 2012) and a synchronous Mixed-Criticality IPC (MC-IPC) protocol (Brandenburg 2014a). Three key features of the VXR and MC-IPC protocols that aid system integration in a mixed-criticality context are that:

1. The number of tasks sharing a given resource need not be known for analysis purposes and no trust is implied.
2. Different maximum critical section lengths may be assumed in the analysis of high- and low-criticality tasks.
3. Even non-real-time, best-effort background tasks may access shared resources in a mutually exclusive way without endangering the temporal correctness of high-criticality tasks (Brandenburg 2014a).

Concurrently with the OMIP (Brandenburg 2013a), Burns and Wellings (2013b) proposed the Multiprocessor Resource Sharing Protocol (MrsP) for P-FP scheduling.
The MrsP combines allocation inheritance with FIFO-ordered spin locks and local per-processor (i.e., uniprocessor) priority ceilings. Specifically, each global resource is protected with a FIFO-ordered spin lock as in the MSRP (Gai et al. 2001) (recall Sect. 4.1), but jobs remain fully preemptable while spinning or holding a resource’s spin lock, which ensures independence preservation. To ensure progress locally, each resource is further managed, independently and concurrently on each processor, with a local priority ceiling protocol (either the PCP (Sha et al. 1990) or SRP (Theodore 1991)). From the point of view of the local ceiling protocol, the entire request for a global resource, including the spinlock acquisition and any spinning, is considered to constitute a single “critical section,” which is similar to the use of contention tokens in the partitioned OMLP (Brandenburg and Anderson 2010a). Naturally, when determining a resource’s local, per-processor priority ceiling, only local tasks that access the resource are considered.

B. B. Brandenburg

The MrsP employs allocation inheritance to ensure progress across processors. Instead of literally spinning, waiting jobs may thus be replaced transparently by the lock holder or otherwise contribute toward completing the operation of the lock-holding job (as in the SPEPP protocol Takada and Sakamura 1997), which means that an implementation of the MrsP can follow the simpler polling approach (Hohmuth and Peter 2001). Burns and Wellings (2013b) motivate the design of the MrsP with the observation that blocking bounds for the MrsP can be stated in a way that is syntactically virtually identical with the classic uniprocessor response-time analysis equation for the PCP and SRP. For this reason, Burns and Wellings consider the MrsP to be particularly “schedulability compatible” and note that the MrsP is the first protocol to achieve this notion of compatibility. While this is certainly true in a narrow, syntactical sense, it should also be noted that every other locking protocol discussed in this survey is also “schedulability compatible” in the sense that the maximum blocking delay can be bounded a priori and incorporated into a response-time analysis. Furthermore, the “schedulability compatible” blocking analysis of the MrsP presented by Burns and Wellings (2013b) is structurally similar to Gai et al.’s original analysis of the MSRP (Gai et al. 2001) and relies on execution-time inflation (which is inherently pessimistic (Wieder and Brandenburg 2013b); recall Sect. 4.1). More modern blocking analysis approaches avoid execution-time inflation altogether (Wieder and Brandenburg 2013b) and have a more detailed model of contention (e.g., holistic blocking analyses (Brandenburg 2011; Patel et al. 2018) or LP-based analyses (Brandenburg 2013b; Wieder and Brandenburg 2013b)). 
A less-pessimistic analysis of the MrsP using state-of-the-art methods would similarly not resemble the classic uniprocessor response-time equation in a one-to-one fashion; “schedulability compatibility” could thus be argued to be less a property of the protocol and more one of the particular analysis (which admittedly is possible in this form only for the MrsP). Recently, Zhao et al. introduced a new blocking analysis of the MrsP (Zhao et al. 2017) that avoids execution-time inflation using an analysis setup adopted from Wieder and Brandenburg’s LP-based analysis framework (Wieder and Brandenburg 2013b). However, in contrast to Wieder and Brandenburg’s analysis, Zhao et al.’s analysis is not LP-based. Rather, Zhao et al. follow a notationally more conventional approach based on the explicit enumeration of blocking critical sections, which however has been refined to match the accuracy of Wieder and Brandenburg’s LP-based analysis of the MSRP (Gai et al. 2001). While Zhao et al.’s new analysis (Zhao et al. 2017) is not “schedulability compatible” according to Burns and Wellings’s syntax-centric definition (Burns and Wellings 2013b), the new analysis has been shown (Zhao et al. 2017) to be substantially less pessimistic than Burns and Wellings’s original inflation-based analysis (Burns and Wellings 2013b).

11 Multiprocessor Real-Time Locking Protocols

8 Protocols for Relaxed Exclusion Constraints

In the preceding sections, we have focused exclusively on protocols that ensure mutual exclusion. However, while mutual exclusion is without doubt the most important and most widely used constraint in practice, many systems also exhibit resource-sharing problems that call for relaxed exclusion constraints to allow for some degree of concurrency in resource use. The two relaxed exclusion constraints that have received most attention in prior work are reader-writer (RW) exclusion and k-exclusion (KX). RW synchronization is a classic synchronization problem (Courtois et al. 1971) wherein at any time a shared resource may be used either exclusively by a single writer (which may update the resource’s state) or in a shared manner by any number of readers (that do not affect the resource state). RW synchronization is appropriate for shared resources that are rarely updated and frequently queried. For instance, an in-memory data store holding sensor values, route information, mission objectives, etc. that is used by many subsystems is a prime candidate for RW synchronization. Similarly, at a lower level, the list of topic subscribers in a publish/subscribe middleware is another example of rarely changing, frequently queried shared data that must be synchronized properly. KX synchronization is a generalization of mutual exclusion to replicated shared resources, where there are multiple identical copies (or replicas) of a shared resource and jobs may use any one copy at a time. Replicated resources can be managed with counting semaphores but require special handling in multiprocessor real-time systems to ensure analytically sound pi-blocking bounds. 
Examples where KX synchronization arises in real-time systems include multi-GPU systems (where any task may use any GPU, but each GPU must be used by at most one task at a time) (Elliott and Anderson 2012a), systems with multiple DMA engines (where again any task may program any DMA engine, but each DMA engine can carry out only one transfer at a time), and also virtual resources such as cache partitions (Ward et al. 2013). Since both RW and KX synchronization generalize mutual exclusion, any of the locking protocols discussed in the previous sections may be used to solve RW or KX synchronization problems. This, however, would be needlessly inefficient. The goal of locking protocols designed specifically for RW and KX synchronization is both (i) to increase parallelism (i.e., avoid unnecessary blocking) and (ii) to reflect this increase in parallelism as improved worst-case blocking bounds. Goal (ii) sets real-time RW and KX synchronization apart from classic (non-real-time) RW and KX solutions, since in a best-effort context it is sufficient to achieve a decrease in blocking on average. We acknowledge that there is a large body of prior work on relaxed exclusion protocols for non-real-time and uniprocessor systems and focus exclusively on work targeting multiprocessor real-time systems in this chapter.

8.1 Phase-Fair Reader-Writer Locks

The first multiprocessor real-time RW protocol achieving both goals (i) and (ii) was proposed by Brandenburg and Anderson (2009). Prior work on RW synchronization on uniprocessors and in general-purpose systems had yielded three general classes of RW locks:
1. Reader-preference locks, where pending writers gain access to a shared resource only if there are no pending read requests
2. Conversely writer-preference locks
3. Task-fair locks (or FIFO RW locks), where tasks gain access to the shared resource in strict FIFO order, but consecutive readers may enter their critical sections concurrently

From a worst-case perspective, reader-preference locks are undesirable because reads are expected to be frequent, which gives rise to prolonged writer starvation, which in turn manifests as extremely pessimistic blocking bounds (Brandenburg and Anderson 2010b). Writer-preference locks are better suited to real-time systems but come with the downside that if there are potentially multiple concurrent writers, the worst-case blocking bound for each reader will pessimistically account for rare scenarios in which a reader is blocked by multiple consecutive writers. Finally, task-fair locks degenerate to regular mutex locks in the pathological case when readers and writers are interleaved in the queue; consequently, task-fair locks improve average-case parallelism, but their worst-case bounds do not reflect the desired gains in parallelism. Brandenburg and Anderson introduced phase-fair locks (Brandenburg and Anderson 2009, 2010b), a new category of RW locks better suited to worst-case analysis. In a phase-fair lock, reader and writer phases alternate, where each reader phase consists of any number of concurrent readers and a writer phase consists of a single writer. Writers gain access to the shared resource in FIFO order w.r.t. other writers.
Importantly, readers may join an ongoing reader phase only if there is no waiting writer; otherwise newly arriving readers must wait until the next reader phase, which starts after the next writer phase. These rules ensure that writers do not starve (as in a writer-preference or task-fair lock) but also ensure O(1) blocking for readers as any reader must await the completion of at most one reader phase and one writer phase before gaining access to the shared resource (Brandenburg and Anderson 2009, 2010b). As a result, phase-fair locks yield much improved blocking bounds for both readers and writers if reads are significantly more frequent than updates (Brandenburg and Anderson 2009, 2010b). Several phase-fair spin-lock algorithms have been presented, including compact (i.e., memory-friendly) spin locks (Brandenburg 2011; Brandenburg and Anderson 2010b), ticket locks (Brandenburg 2011; Brandenburg and Anderson 2009, 2010b), and cache-friendly scalable queue locks (Brandenburg 2011; Brandenburg and
Anderson 2010b). Concerning semaphores, the clustered OMLP (Brandenburg 2011; Brandenburg and Anderson 2010a, 2013) based on priority donation includes a phase-fair RW variant, which also achieves asymptotically optimal maximum s-oblivious pi-blocking (Brandenburg 2011; Brandenburg and Anderson 2010a, 2013).
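The phase-fair admission rules described above, shown as an added example (not code from this chapter or from the cited papers): a ticket-style phase-fair spin lock in C11, with each lock operation split into an "arrive" step and a "may enter" poll so that a constructed single-threaded interleaving can check the rules. The `pft_*` names and the bit layout of `rin` are assumptions of this sketch.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Layout of rin: reader arrivals are counted in steps of RINC; the two low
 * bits describe the writer currently announced (layout is an assumption). */
#define RINC  0x100u
#define PRES  0x2u            /* a writer is waiting or writing */
#define PHID  0x1u            /* phase id = low bit of that writer's ticket */
#define WBITS (PRES | PHID)

typedef struct {
    atomic_uint rin, rout;    /* readers arrived / departed */
    atomic_uint win, wout;    /* writer tickets issued / served (FIFO) */
} pft_lock;

void pft_init(pft_lock *l) {
    atomic_init(&l->rin, 0);  atomic_init(&l->rout, 0);
    atomic_init(&l->win, 0);  atomic_init(&l->wout, 0);
}
/* Reader, step 1: register and note which writer (if any) is announced. */
unsigned pft_read_arrive(pft_lock *l) {
    return atomic_fetch_add(&l->rin, RINC) & WBITS;
}
/* Reader, step 2: enter if no writer was announced on arrival, or as soon
 * as the writer bits change, i.e., that one writer phase is over. */
int pft_read_may_enter(pft_lock *l, unsigned seen) {
    return seen == 0 || (atomic_load(&l->rin) & WBITS) != seen;
}
void pft_read_unlock(pft_lock *l) { atomic_fetch_add(&l->rout, RINC); }

/* Writer, step 1: take a FIFO ticket and wait to become head of the queue. */
unsigned pft_write_ticket(pft_lock *l) { return atomic_fetch_add(&l->win, 1); }
int pft_write_is_head(pft_lock *l, unsigned t) { return atomic_load(&l->wout) == t; }
/* Writer, step 2 (head only): announce presence, which closes the current
 * reader phase to newcomers; returns the arrival count that must drain. */
unsigned pft_write_announce(pft_lock *l, unsigned t) {
    return atomic_fetch_add(&l->rin, PRES | (t & PHID)) & ~WBITS;
}
int pft_write_may_enter(pft_lock *l, unsigned drain) {
    return atomic_load(&l->rout) == drain;
}
void pft_write_unlock(pft_lock *l) {
    atomic_fetch_and(&l->rin, ~WBITS);   /* end of writer phase */
    atomic_fetch_add(&l->wout, 1);       /* admit the next writer */
}
/* Blocking entry points, composed from the steps above. */
void pft_read_lock(pft_lock *l) {
    unsigned seen = pft_read_arrive(l);
    while (!pft_read_may_enter(l, seen)) { }
}
void pft_write_lock(pft_lock *l) {
    unsigned t = pft_write_ticket(l);
    while (!pft_write_is_head(l, t)) { }
    unsigned drain = pft_write_announce(l, t);
    while (!pft_write_may_enter(l, drain)) { }
}

/* Constructed interleaving, driven step by step on one thread.
 * Returns 0 if every phase-fair property holds, else the failing step. */
int pft_phase_fair_scenario(void) {
    pft_lock l; pft_init(&l);
    unsigned r1 = pft_read_arrive(&l);
    if (!pft_read_may_enter(&l, r1)) return 1;      /* R1 reads at once */
    unsigned w1 = pft_write_ticket(&l);
    if (!pft_write_is_head(&l, w1)) return 2;
    unsigned d1 = pft_write_announce(&l, w1);
    if (pft_write_may_enter(&l, d1)) return 3;      /* W1 waits for R1 */
    unsigned r2 = pft_read_arrive(&l);
    if (pft_read_may_enter(&l, r2)) return 4;       /* R2 may not join R1 */
    pft_read_unlock(&l);                            /* R1 leaves */
    if (!pft_write_may_enter(&l, d1)) return 5;     /* W1 writes */
    unsigned w2 = pft_write_ticket(&l);
    if (pft_write_is_head(&l, w2)) return 6;        /* W2 queues behind W1 */
    pft_write_unlock(&l);                           /* W1 leaves */
    unsigned d2 = pft_write_announce(&l, w2);       /* W2 announces at once */
    if (!pft_read_may_enter(&l, r2)) return 7;      /* R2 waited one writer */
    if (pft_write_may_enter(&l, d2)) return 8;      /* W2 waits for R2 */
    unsigned r3 = pft_read_arrive(&l);
    if (pft_read_may_enter(&l, r3)) return 9;       /* R3: next reader phase */
    pft_read_unlock(&l);                            /* R2 leaves */
    if (!pft_write_may_enter(&l, d2)) return 10;    /* W2 writes */
    pft_write_unlock(&l);
    if (!pft_read_may_enter(&l, r3)) return 11;     /* R3 reads */
    pft_read_unlock(&l);
    pft_write_lock(&l); pft_write_unlock(&l);       /* uncontended paths */
    pft_read_lock(&l);  pft_read_unlock(&l);
    return 0;
}

int main(void) {
    printf("scenario result: %d\n", pft_phase_fair_scenario());
    return 0;
}
```

Steps 7 and 8 are the case the phase id exists for: W2 announces immediately after W1 leaves, yet R2 still gets in ahead of W2 because the writer bits it recorded on arrival no longer match.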

8.2 Multiprocessor Real-Time k-Exclusion Protocols

As already mentioned, in best-effort systems, KX synchronization can be readily achieved with counting semaphores. Furthermore, in the case of non-preemptive spin locks, it is trivial to generalize classic ticket locks to KX locks. We hence focus in the following on semaphore-based protocols for multiprocessor real-time systems. Given the strong progress guarantees offered by priority donation (discussed in Sect. 5.1.4), it is not difficult to generalize the clustered OMLP to KX synchronization (Brandenburg 2011; Brandenburg and Anderson 2011, 2013), which yields a protocol that is often abbreviated as CK-OMLP in the literature. Since it derives from the clustered OMLP, the CK-OMLP applies to clustered scheduling and hence also supports global and partitioned scheduling. Furthermore, under s-oblivious analysis, it ensures asymptotically optimal maximum pi-blocking (Brandenburg 2011; Brandenburg and Anderson 2011, 2013). As such, it covers a broad range of configurations. However, as it relies on priority donation to ensure progress, it is not independence-preserving (recall Sect. 7), which can be a significant limitation especially when dealing with resources such as GPUs, where critical sections are often naturally quite lengthy. Subsequent protocols seek to overcome specifically this limitation of the CK-OMLP. Elliott and Anderson considered globally scheduled multiprocessors and proposed the Optimal k-Exclusion Global Locking Protocol (O-KGLP) (Elliott and Anderson 2011, 2013). In contrast to the CK-OMLP, their protocol is based on priority inheritance, which is possible due to the restriction to global scheduling and which enables the O-KGLP to be independence-preserving. 
In the context of KX synchronization, applying priority inheritance is not as straightforward as in the mutual exclusion case because priorities must not be “duplicated.” That is, while there may be multiple resource holders (if k > 1), only at most one of them may inherit a blocked job’s priority at any time, as otherwise analytical complications similar to those caused by priority boosting arise (including the loss of independence preservation). The challenge is thus to determine, dynamically at runtime and with low overheads, which resource-holding job should inherit which blocked job’s priority. To this end, Elliott and Anderson (2011, 2013) proposed a multi-ended hybrid queue consisting of a shared priority queue that forms the tail (as in the global OMLP Brandenburg and Anderson 2010a) and a set of per-replica FIFO queues (each of length mk ) that serve to serialize access to specific replicas. A job Ji holding
a replica xq inherits the priorities of the jobs in the FIFO queue corresponding to the xth replica of resource q, and additionally the priority of one of the k highest-priority jobs in the priority tail queue. Importantly, if Ji inherits the priority of a job Jh in the priority tail queue, then Jh is called the claimed job of xq and moved to the FIFO queue leading to xq when Ji releases xq. This mechanism ensures that priorities are not “duplicated” while also ensuring progress. In fact, Elliott and Anderson established that the O-KGLP is asymptotically optimal w.r.t. s-oblivious maximum pi-blocking (Elliott and Anderson 2011, 2013). In work on predictable interrupt management in multi-GPU systems (Elliott and Anderson 2012b), Elliott and Anderson further proposed a KX variant of the FMLP (for long resources) (Block et al. 2007). This variant, called k-FMLP, simply consists of one instantiation of the FMLP for each resource replica (i.e., each resource replica is associated with a replica-private FIFO queue that does not interact with other queues). When jobs request access to a replica of a k-replicated resource, they simply enqueue in the FIFO queue of the replica that ensures the minimal worst-case wait time (based on the currently enqueued requests). While the k-FMLP is not asymptotically optimal under s-oblivious analysis (unlike the O-KGLP and the CK-OMLP), it offers the advantage of being relatively simple to realize (Elliott and Anderson 2012b) while also ensuring independence preservation under global scheduling (unlike the CK-OMLP). Ward et al. (2012) realized that blocking under the O-KGLP (Elliott and Anderson 2011, 2013) could be further improved with a more nuanced progress mechanism, which they called Replica-Request Priority Donation (RRPD) (Ward et al. 2012), and proposed the Replica-Request Donation Global Locking Protocol (R²DGLP) based on RRPD (Ward et al. 2012).
As the name suggests, RRPD transfers the ideas underlying priority donation (Brandenburg 2011; Brandenburg and Anderson 2011, 2013) to the case of priority inheritance under global scheduling. Importantly, whereas priority donation applies to all jobs (regardless of whether they request any shared resource), RRPD applies only to jobs that synchronize (i.e., that actually request resource replicas). This ensures that RRPD is independence-preserving (in contrast to priority donation); however, because RRPD incorporates priority inheritance, it is effective only under global scheduling. Like the O-KGLP, the R²DGLP is asymptotically optimal w.r.t. maximum s-oblivious pi-blocking. Furthermore, when fine-grained (i.e., non-asymptotic) pi-blocking bounds are considered, the R²DGLP ensures higher schedulability due to lower s-oblivious pi-blocking bounds (i.e., the R²DGLP achieves better constant factors than the O-KGLP) (Ward et al. 2012). Another CK-OMLP variant is the PK-OMLP due to Yang et al. (2013). Priority donation as used by the CK-OMLP ensures that there is at most one resource-holding job per processor at any time. For resources such as GPUs, where each critical section is likely to include significant self-suspension times, this is overly restrictive. The PK-OMLP, which is intended for partitioned scheduling, hence improves upon the CK-OMLP by allowing multiple jobs on the same processor to hold replicas at the same time (Yang et al. 2013). Furthermore, Yang et al. presented
an s-aware blocking analysis of the PK-OMLP, which enables a more accurate treatment of self-suspensions within critical sections. As a result, the PK-OMLP usually outperforms the CK-OMLP when applied in the context of multi-GPU systems (Yang et al. 2013). More recently, Yang et al. presented a KX locking protocol specifically for P-FP scheduling and s-aware analysis that forgoes asymptotic optimality in favor of priority-ordered wait queues and non-preemptive critical sections (Yang et al. 2016). Finally, all discussed KX protocols only ensure that no more than k tasks enter critical sections (pertaining to a given resource) at the same time. This, however, is often not enough: to be practical, a KX protocol must also be paired with a replica assignment protocol to match lock holders to replicas. That is, strictly speaking a KX algorithm blocks a task until it may use some replica, but it usually is also necessary to quickly resolve exactly which replica a task is supposed to use. To this end, Nemitz et al. (2016) introduced several algorithms for the k-exclusion replica assignment problem, with the proposed algorithms representing different trade-offs w.r.t. optimality considerations and overheads in practice (Nemitz et al. 2016).

9 Nested Critical Sections

Allowing fine-grained, incremental nesting of critical sections – that is, allowing tasks already holding one or more locks to issue further lock requests – adds another dimension of difficulties to the multiprocessor real-time locking problem. Foremost, if tasks may request locks in any order, then allowing tasks to nest critical sections can easily result in deadlock. However, even if programmers take care to manually avoid deadlocks by carefully ordering all requests, the blocking analysis problem becomes much more challenging. In fact, in the presence of nested critical sections, the blocking analysis problem is NP-hard even in extremely simplified settings (Wieder and Brandenburg 2014), while it can be solved in polynomial time on both uniprocessors (even in the presence of nesting) and multiprocessors in the absence of nesting (at least in simplified settings) (Wieder and Brandenburg 2014; Wieder 2018). As a result, today’s nesting-aware blocking analyses either are computationally highly expensive or yield only coarse, structurally pessimistic bounds. Furthermore, authors frequently exclude nested critical sections from consideration altogether (or allow only coarse-grained nesting via group locks; see Sect. 9.1). In the words of Rajkumar in his original analysis of the MPCP (Rajkumar 1990): “[s]ince nested global critical sections can potentially lead to large increases in blocking durations, [...] global critical sections cannot nest other critical sections or be nested inside other critical sections.” In the more than two decades since Rajkumar proposed the MPCP, many authors have adopted this expedient assumption. The aspect unique to nesting that makes it so difficult to derive accurate blocking bounds is transitive blocking, where jobs are transitively delayed due to contention for resources that they (superficially) do not even depend on. For example, if a job
J requires only resource 1 but another job holds 1 while trying to acquire another resource 2 in a nested fashion, then J is exposed to delays due to any contention for 2 even though it does not need 2. While this is a trivial example, such transitive blocking can arise via long transitive blocking chains involving arbitrarily many resources and jobs on potentially all processors. Characterizing the effects of such chains in a safe way without accruing excessive pessimism is a very challenging analysis problem indeed. Biondi et al. (2016) provide more detailed examples of key challenges. Nonetheless, despite all difficulties, fine-grained lock nesting arises naturally in many systems (Biondi et al. 2016) and is usually desirable (or even unavoidable) from an average-case perspective, too. That is, even though fine-grained locking may not be advantageous from a worst-case blocking perspective, the alternative – coarse-grained locking, where lock scopes are chosen to protect multiple resources such that tasks must never acquire more than one lock – is usually much worse in terms of average-case contention, attainable parallelism, scalability, and ultimately throughput. Robust and flexible support for fine-grained nesting is thus indispensable. While the current state of the art, as discussed in the following, may not yet fully meet all requirements in practice, nesting support is an active area of investigation, and we expect capabilities to continue to improve in the coming years.

9.1 Coarse-Grained Nesting with Group Locks

One easy way of allowing at least some degree of “nested” resource usage, without incurring the full complexity of fine-grained locking, is to (automatically) aggregate fine-grained resource requests into coarser resource groups protected by group locks. That is, instead of associating a lock with each resource (which is the usual approach), the set of shared resources is partitioned into disjoint resource groups, and each such resource group is associated with a group lock. Under this approach, prior to using a shared resource, a task must first acquire the corresponding group lock. Conversely, holding a resource group’s lock entitles a task to use any resource in the group. To eliminate lock nesting, resource groups are defined such that if any task ever requires access to two resources a and b simultaneously, then a and b are part of the same resource group. More precisely, resource groups are defined by the transitive closure of the “may be held together” relation (Block et al. 2007). As a result, no task ever holds more than one group lock. The use of group locks was first proposed by Rajkumar (1990) in the context of the MPCP and repopularized in recent years by the FMLP (Block et al. 2007). Both protocols rely exclusively on group locks, in the sense that to date no analysis with support for fine-grained nesting has been presented for either protocol. From an analysis point of view, group locks are extremely convenient – the synchronization problem (at runtime) and the blocking analysis problem (at design time) both fully reduce to the non-nested cases. As a result, any of the protocols and
analyses surveyed in the preceding sections can be directly applied to the analysis of group locks. However, there are also obvious downsides in practice. For one, resource groups must be explicitly determined at design time, and group membership must be known at runtime (or compiled into the system), so that tasks may acquire the appropriate group lock when requesting a resource, which from a software development point of view is at least inconvenient and may actually pose significant engineering challenges for more complex systems. Furthermore, since its very purpose is to eliminate incremental lock acquisitions, group locking comes with all the scalability and performance problems associated with coarse-grained synchronization. Last but not least, for certain resources and systems, it may not be possible to define appropriate resource groups. As a pathological example, assume a UNIX-like kernel, and consider the file system’s inode objects, which are typically arranged in a tree that reflects the file system’s hierarchy. Importantly, certain file system procedures operate on multiple inodes at once (e.g., the inodes for a file and its parent directory), and since files may be moved dynamically at runtime (i.e., inodes may show up at any point in the tree), virtually any two inodes could theoretically be held simultaneously at some point. As a result, the set of all inodes collapses into a single resource group, with obvious performance implications. Thus, while group locks can help to let programmers express resource usage in a fine-grained manner, clearly more flexible solutions are needed. For performance and scalability reasons, nonconflicting requests for different resources should generally be allowed to proceed in parallel, even if some task may simultaneously hold both resources at some other time. We next discuss multiprocessor real-time locking protocols that realize this to varying degrees.
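How resource groups follow from the transitive closure of the “may be held together” relation, and how a single cross-cutting task collapses groups (the effect the inode example describes), shown as an added example that is not from the chapter. The resource ids, the task set and all function names are constructed for illustration.

```c
#include <stdio.h>

#define NRES 6                 /* constructed resource ids 0..5 */
#define END  (-1)              /* terminates a task's resource list */

static int parent[NRES];       /* union-find forest over resource ids */

static int find_root(int r) {
    while (parent[r] != r) {
        parent[r] = parent[parent[r]];   /* path halving */
        r = parent[r];
    }
    return r;
}

/* Build resource groups as the transitive closure of "may be held together".
 * held[t] lists the resources task t may hold simultaneously, END-terminated.
 * group_of[r] receives the id of r's group lock; returns the group count. */
int build_groups(int held[][NRES + 1], int ntasks, int group_of[NRES]) {
    int ngroups = 0;
    for (int r = 0; r < NRES; r++) parent[r] = r;
    for (int t = 0; t < ntasks; t++)
        for (int j = 1; held[t][0] != END && j <= NRES && held[t][j] != END; j++)
            parent[find_root(held[t][j])] = find_root(held[t][0]);
    for (int r = 0; r < NRES; r++) {
        group_of[r] = find_root(r);
        if (group_of[r] == r) ngroups++;
    }
    return ngroups;
}

/* Constructed workload: T0 nests {0,1}, T1 nests {1,2}, T2 nests {3,4},
 * T3 uses only 5. If with_mover is set, one more task may hold 2 and 3
 * together (think of an operation touching two otherwise unrelated inodes). */
int demo_group_count(int with_mover, int group_of[NRES]) {
    int held[5][NRES + 1] = {
        {0, 1, END}, {1, 2, END}, {3, 4, END}, {5, END}, {2, 3, END},
    };
    return build_groups(held, with_mover ? 5 : 4, group_of);
}

int main(void) {
    int g[NRES];
    printf("groups without mover: %d\n", demo_group_count(0, g));
    printf("groups with mover:    %d\n", demo_group_count(1, g));
    return 0;
}
```

Resources 0 and 2 are never held together by any single task, yet they share a group lock because both nest with resource 1; the extra task then merges that group with {3, 4}, serializing requests that never conflict.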

9.2 Early Protocol Support for Nested Critical Sections

Research on support for fine-grained nesting in real-time multiprocessor locking protocols can be grouped into roughly two eras: a period of initial results that lasted from the late 1980s until the mid-1990s and a recently renewed focus on the topic, which started to emerge in 2010. We discuss protocols from the initial period next and then discuss the more recent developments in Sect. 9.3. The first multiprocessor real-time locking protocol, the DPCP (Rajkumar et al. 1988), was in fact also the first protocol to include support for fine-grained nesting, albeit with a significant restriction. Recall from Sect. 6 that the DPCP executes critical sections centrally on designated synchronization processors. Because the DPCP relies on the uniprocessor PCP on each synchronization processor and since the PCP supports nested critical sections (and prevents deadlocks) (Sha et al. 1990), it is in fact trivial for the DPCP to support nested critical sections as long as nesting occurs only among resources assigned to the same processor. Resources assigned to different synchronization processors, however, are not allowed to be nested under the DPCP (Rajkumar 1991a; Rajkumar et al. 1988).
Consequently, the DPCP’s support for fine-grained nesting is actually not so different from group locks – all nesting must be taken into account up front, and resources assigned to the same synchronization processor form essentially a resource group. In fact, just as there is no parallelism among nonconflicting requests for resources protected by the same group lock, under the DPCP, there is no parallelism in case of (otherwise) nonconflicting requests for resources assigned to the same synchronization processor. (Conversely, group locks could also be thought of as a kind of “virtual synchronization processors.”) The approach followed by the DPCP thus is attractively simple, but not substantially more flexible than group locks. The DPCP’s same-processor restriction was later removed by Rhee and Martin (1995), who in 1995 proposed a protocol that fully generalizes the DPCP and supports fine-grained nesting for all resources. As with the DPCP, for each resource, there is a dedicated synchronization processor responsible for sequencing conflicting requests. However, unlike the DPCP, Rhee and Martin’s protocol (Rhee and Martin 1995) does not require all critical sections pertaining to a resource to execute on the synchronization processor; rather, the protocol allows for full flexibility: any critical section may reside on any processor. As a result, nested sections that access multiple resources managed by different synchronization processors become possible. Rhee and Martin’s protocol (Rhee and Martin 1995) works as follows. To ensure mutual exclusion among distributed critical sections and to prevent deadlock, Rhee and Martin introduced a pre-claiming mechanism that realizes conservative two-phase locking: when a task seeks to enter a critical section, it first identifies the set of all resources that it might require while executing the critical section and then for each such resource sends a request message to the corresponding synchronization processor.
Each synchronization processor replies with a grant message when the resource is available, and once grant messages have been received for all requested resources, the task enters its critical section. As resources are no longer required, the task sends release messages to the synchronization processors; the critical section ends when all resources have been released. To avoid deadlock, synchronization processors further send preempt messages if a request message from a higher-priority task is received after the resource has been already granted to a lower-priority task (and no matching release message has been received yet). There are two possibilities: either the lower-priority task has already commenced execution of its critical section, in which case the preempt message is safely ignored as it will soon release the resource anyway, or it has not yet commenced execution, in which case it releases the resource immediately and awaits another grant message for the just released resource. Deadlock is impossible because of the protocol’s all-or-nothing semantics: tasks request all resources up front, commence execution only when they have acquired all resources, and while executing a critical section may only release resources (i.e., conservative two-phase locking). Compared to the DPCP (Rajkumar et al. 1988), Rhee and Martin’s protocol (Rhee and Martin 1995) is a significant improvement in terms of flexibility and
versatility. However, while their protocol allows tasks to use multiple shared resources at once, it does not allow tasks to lock multiple resources incrementally. From a programmer’s point of view, it can be cumbersome (or even impossible) to determine all resources that will be required prior to commencing a critical section. Specifically, if the current state of one of the requested resources impacts which other resources are also needed (e.g., if a shared object contains a pointer to another, a priori unknown resource), then tasks may be required to initially lock the superset of all resources that might be required, only to then immediately release whichever resources are not actually needed. In the worst case, this leads to a lot of unnecessary blocking, and conservative two-phase locking is known to result in performance penalties even in the average case. The first work-conserving protocol – in the sense that it always allows nonconflicting requests to proceed in parallel – was developed already in 1992 and is due to Schwan and Zhou (1992; Zhou 1992). As previously discussed in Sect. 5.2.3, Schwan and Zhou’s protocol includes an online admission test, which rejects lock requests that cannot be shown (at runtime, based on current contention conditions) to be satisfied within a specified waiting-time bound (Zhou 1992). As a result, Schwan and Zhou’s protocol prevents deadlock – even if tasks request resources incrementally – as any request that would cause deadlock will certainly be denied by the admission test. It should be noted that from the programmer’s point of view, this notion of deadlock avoidance is significantly different from deadlock avoidance under the classic PCP (Sha et al.
1990) and SRP (Theodore 1991) uniprocessor protocols: whereas the PCP and SRP defer potentially deadlock-causing resource acquisitions, which is transparent to the task, Schwan and Zhou’s protocol outright rejects such lock requests (Zhou 1992), so that lock-acquisition failures must be handled in the task’s logic. Concerning blocking bounds, Zhou’s analysis (Zhou 1992) requires that the bound on the maximum length of outer critical sections must include all blocking incurred due to inner (i.e., nested) critical sections. This assumption, common also in later analyses (Burns and Wellings 2013b; Garrido et al. 2017b), leads unfortunately to substantial structural pessimism. For example, consider a scenario in which a job J1 repeatedly accesses two resources 1 and 2 in a nested fashion (i.e., J1 locks 1 first and then locks 2 and does so multiple times across its execution). Now suppose there’s another job J2 on a remote core that accesses 2 just once. Since J1 can incur blocking due to J2’s infrequent critical section when it tries to acquire 2 while already holding 1, it follows that J1’s maximum critical section length w.r.t. 1 must include J2’s maximum critical section length w.r.t. 2. Thus, if J1 accesses 1 and 2 in a nested fashion r times, then J2’s critical section will be overrepresented in J1’s response-time bound by a factor of r – a safe but pessimistic bound that grossly overstates the actual blocking penalty due to transitive blocking. Another early protocol that supports fine-grained nesting is Chen et al.’s MDPCP (Chen et al. 1994) for periodic tasks. Due to the underlying careful definition of inter-processor priority ceilings (which, as discussed in Sect. 5.2.3, rests on the
restriction to periodic tasks), the MDPCP is able to prevent transitive blocking and deadlocks (Chen and Tripathi 1994) analogously to the PCP (Sha et al. 1990). Furthermore, for the priority ceilings to work correctly, the MDPCP requires that any two resources that might be held together must be shared by exactly the same sets of processors (Chen et al. 1994).

Finally, in 1995, Takada and Sakamura (1995) made an important observation concerning the worst-case s-blocking in the presence of nested non-preemptive FIFO spin locks. Let d denote the maximum nesting depth (i.e., the maximum number of FIFO spin locks that any task holds at a time), where 2 ≤ d. Takada and Sakamura (1995) showed that under maximum contention, tasks may incur s-blocking for the combined duration of (m^d) critical sections (Takada and Sakamura 1995). That is, given that the maximum s-blocking bound in the non-nested case is simply O(m) (recall Sect. 4.1), the potential for accumulated transitive blocking makes the worst-case s-blocking bound in the presence of nesting exponentially worse (w.r.t. the maximum nesting depth d). Intuitively, this effect arises as follows. Let us say that an outermost (i.e., non-nested) critical section is of level 1 and that any critical section immediately nested in a level 1 critical section is of level 2 and so on. Consider a tower of critical sections, that is, a level 1 critical section, containing exactly one level 2 critical section, containing exactly one level 3 critical section, and so on up to level d. Observe that:

1. A job J blocked on the level 1 lock can be directly delayed by m – 1 earlier-enqueued jobs.
2. Each of which can be directly delayed by m – 2 earlier-enqueued jobs when trying to enter the level 2 nested critical section.
3. Each of which can be directly delayed by m – 3 earlier-enqueued jobs when trying to enter the level 3 nested critical section.
4. And so on up to level d.

Crucially, all the direct s-blocking incurred by various jobs in steps (2)–(4) also transitively delays J, which thus accumulates all delays and therefore incurs s-blocking exponential in d. We note that the actual construction of Takada and Sakamura (1995) used to establish the (m^d) bound is more nuanced than what is sketched here because non-preemptive execution can actually reduce blocking (a job occupying a processor by spinning on a level x lock prevents it from running jobs that generate contention for level y locks, where y > x).

Obviously, even in the most basic case (i.e., simple immediate nesting), where no task ever holds more than two locks at the same time (d = 2), having a worst-case s-blocking bound that is quadratic in the number of cores is undesirable from a worst-case scalability point of view, especially in times of ever-growing core counts. Fortunately, Takada and Sakamura (1995) also proposed an ingenious solution that, to some extent, brings worst-case s-blocking back under control. In particular, for the special case of d = 2, their solution is highly practical: instead of using FIFO-ordered spin locks, Takada and Sakamura (1995) proposed to simply use priority-ordered spin locks but with a twist. Instead of using scheduling priorities, Takada and Sakamura let jobs use time stamps as priorities – more precisely, a job’s locking priority is given by the time at which it issued its current outermost lock request (i.e., nested requests do not affect a job’s current locking priority), with the interpretation that an earlier time stamp implies higher priority (i.e., FIFO w.r.t. time stamps). The necessary time stamps need not actually reflect “time” and can be easily obtained from an atomic counter, such as those used in a ticket lock.

For the outermost lock (i.e., the level 1 lock), this prioritization rule is actually equivalent to FIFO. The key difference is the effect on the queue order in nested locks: when using FIFO-ordered spin locks, a job’s “locking priority” is effectively given by the time of its nested lock request; with Takada and Sakamura’s scheme (Takada and Sakamura 1995), the job’s locking priority is instead given by the time of its outermost, non-nested lock request and remains invariant throughout all nested critical sections (until the outermost lock is released). Because at most m jobs are running at any time, Takada and Sakamura’s definition of locking priorities ensures that there are never more than m – 1 jobs with higher locking priorities (i.e., earlier time stamps). In the special case of d = 2, this suffices to restore an O(m) upper bound on maximum s-blocking. In the general case (d > 2), however, additional, more heavyweight techniques are required (Takada and Sakamura 1995), and even then Takada and Sakamura’s method (Takada and Sakamura 1995) unfortunately does not achieve an O(m) bound. One may conclude that it is generally a good system design practice to avoid deep lock nesting whenever possible. In this regard, it is interesting to note that Takada and Sakamura report that they were able to construct a multiprocessor RTOS kernel with a maximum nesting depth of d = 2 (Takada and Sakamura 1995).

9.3 Recent Advances in Fine-Grained Multiprocessor Real-Time Locking

Renewed interest in fine-grained locking emerged again in 2010 with Faggioli et al.’s MBWI protocol (Faggioli et al. 2010, 2012), which explicitly supports fine-grained locking and nested critical sections, albeit without any particular rules to aid or restrict nesting. In particular, the MBWI (i) does not prevent deadlock and (ii) uses FIFO queues even for nested requests. As a result of (ii), Takada and Sakamura’s observation regarding the exponential growth of maximum blocking bounds (Takada and Sakamura 1995) also transfers to nesting under the MBWI protocol. However, the impact of Takada and Sakamura’s observation (Takada and Sakamura 1995) is lessened somewhat in practice once fine-grained blocking analyses (rather than coarse, asymptotic bounds) are applied to specific workloads, since Takada and Sakamura’s lower bound is based on the assumption of extreme, maximal contention, whereas lock contention in real workloads (and hence worst-case blocking) is constrained by task periods and the number of critical sections per job.

Concerning (i), programmers are expected to arrange all critical sections such that the “nested in” relation among locks forms a partial order – which prevents cycles in the wait-for graph and thus prevents deadlock. This is a common approach and widely used in practice. For instance, the Linux kernel relies on this well-ordered nesting principle to prevent deadlock and (as a debugging option) employs a locking discipline checker called lockdep to validate at runtime that all observed lock acquisitions are compliant with some partial order. Notably, to prevent deadlock, it is sufficient for such a partial order to exist; it need not be known (and for complex systems such as Linux it generally is not, at least not in its entirety). For blocking analysis purposes, however, all critical sections and all nesting relationships must of course be fully known, at which point it is trivial to infer the nesting partial order. For simplicity, we assume that resources are indexed in accordance with the partial order (i.e., a job may lock x while already holding q only if q < x).

Assuming that all nesting is well-ordered, Faggioli et al. (2012) presented a novel blocking analysis algorithm for nested critical sections that characterizes the effects of transitive blocking much more accurately than the crude, inflation-based bounds used previously (e.g., recall the discussion of Schwan and Zhou’s protocol (Schwan and Zhou 1992; Zhou 1992) and Zhou’s analysis (Zhou 1992) in Sect. 9.2). Aiming for this level of accuracy was a major step forward, but unfortunately Faggioli et al.’s algorithm exhibits super-exponential runtime complexity (Faggioli et al. 2012). As already mentioned, unrestricted nesting is inherently difficult to analyze accurately (Wieder and Brandenburg 2014).
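The well-ordered nesting principle above can be validated at runtime in the way the text attributes to lockdep: record every observed “nested in” pair and reject an acquisition that would close a cycle, even if no deadlock actually occurred. The following C code is an added example, not code from the Linux kernel or from this chapter; the names order_acquire and order_release and the fixed MAX_LOCKS limit are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS 8   /* constructed limit for this example */

/* nested_in[a][b]: some task acquired lock b while already holding lock a. */
static bool nested_in[MAX_LOCKS][MAX_LOCKS];

struct task {
    int held[MAX_LOCKS];   /* ids of the locks currently held */
    int depth;             /* number of locks currently held  */
};

void order_reset(void)
{
    memset(nested_in, 0, sizeof nested_in);
}

/* Depth-first search over the observed edges: can `to` be reached from `from`? */
static bool reachable(int from, int to, bool *seen)
{
    if (from == to)
        return true;
    seen[from] = true;
    for (int next = 0; next < MAX_LOCKS; next++)
        if (nested_in[from][next] && !seen[next] && reachable(next, to, seen))
            return true;
    return false;
}

/*
 * Record that task t acquires `lock`. Returns false, and records nothing, if
 * the new edges held -> lock would close a cycle, i.e., if no partial order
 * is consistent with everything observed so far plus this acquisition.
 */
bool order_acquire(struct task *t, int lock)
{
    if (lock < 0 || lock >= MAX_LOCKS || t->depth >= MAX_LOCKS)
        return false;
    for (int i = 0; i < t->depth; i++) {
        bool seen[MAX_LOCKS] = { false };
        if (reachable(lock, t->held[i], seen))
            return false;   /* lock ->* held was already observed: inversion */
    }
    for (int i = 0; i < t->depth; i++)
        nested_in[t->held[i]][lock] = true;
    t->held[t->depth++] = lock;
    return true;
}

/* Locks may be released in any order; remove `lock` from the held set. */
void order_release(struct task *t, int lock)
{
    for (int i = 0; i < t->depth; i++) {
        if (t->held[i] != lock)
            continue;
        for (int j = i; j < t->depth - 1; j++)
            t->held[j] = t->held[j + 1];
        t->depth--;
        return;
    }
}

int main(void)
{
    struct task a = { .depth = 0 }, b = { .depth = 0 };

    order_reset();
    order_acquire(&a, 1);
    order_acquire(&a, 2);          /* observes 1 -> 2 */
    order_release(&a, 2);
    order_release(&a, 1);

    order_acquire(&b, 2);
    /* b never overlapped with a, yet 2 -> 1 contradicts the observed order. */
    printf("b locks 1 while holding 2: %s\n",
           order_acquire(&b, 1) ? "ok" : "order violation");
    return 0;
}
```

The validator flags the inversion from the recorded history alone, which is why such a check finds potential deadlocks that a test run never triggers.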
Fortunately, in 2012, Ward and Anderson (2012) presented a surprising breakthrough, showing that with a few careful restrictions it is possible to bring transitive blocking back under control and thereby ensure favorable – in fact, asymptotically optimal – worst-case blocking bounds. Specifically, Ward and Anderson introduced the Real-time Nested Locking Protocol (RNLP) (Ward and Anderson 2012), which is actually a meta-protocol that can be configured with several progress mechanisms and rules to yield either a spin- or suspension-based protocol that supports fine-grained, incremental, and yet highly predictable nested locking. In particular, Ward and Anderson demonstrated configurations of the RNLP that achieve asymptotically optimal maximum s-oblivious pi-blocking, as well as (other) configurations that achieve asymptotically optimal maximum s-aware pi-blocking, both in the presence of well-ordered nested critical sections (for any nesting depth d).

Furthermore, the RNLP is widely applicable: it supports clustered JLFP scheduling (recall from Sect. 3 that “JLFP” denotes the class of job-level fixed-priority schedulers, which includes both EDF and FP scheduling) and hence also covers the important special cases of G-EDF, G-FP, P-EDF, and P-FP scheduling. Specifically, if applied on top of priority donation (Brandenburg and Anderson 2011) (respectively, RSB (Brandenburg 2014c)), the RNLP yields an O(m) (respectively, O(n)) bound on maximum s-oblivious (respectively, s-aware) pi-blocking under clustered JLFP scheduling (Ward and Anderson 2012). Practically more relevant, the RNLP can also be instantiated on top of priority boosting similarly to the FMLP+ (Brandenburg 2011) under partitioned JLFP scheduling to ensure O(n)
maximum s-aware pi-blocking (Ward and Anderson 2012) and on top of priority inheritance under global JLFP scheduling to ensure O(m) maximum s-oblivious pi-blocking (Ward and Anderson 2012). Analogously to the s-oblivious case, the RNLP can also be configured to use non-preemptive execution and spin locks to obtain an O(m) bound on maximum s-blocking (again for any nesting depth d) (Ward and Anderson 2012). As this contrasts nicely with Takada and Sakamura’s (m^d) lower bound in the case of unrestricted nesting (Takada and Sakamura 1995) and since the spin-based RNLP is slightly easier to understand than configurations of the RNLP optimized for, respectively, s-oblivious and s-aware analysis, we will briefly sketch the spin-based RNLP variant in the following.

The RNLP does not automatically prevent deadlock and requires all tasks to issue only well-ordered nested requests (w.r.t. a given partial order). The RNLP’s runtime mechanism consists of two main components: a token lock and a request satisfaction mechanism (RSM). Both are global structures, that is, all requests for any resource interact with the same token lock and RSM. The token lock is a k-exclusion lock that serves two purposes: (i) it limits the number of tasks that can concurrently interact with the RSM, and (ii) it assigns each job a time stamp that indicates when the job acquired its token (similar to the time-stamping of outermost critical sections in Takada and Sakamura’s earlier priority-ordered spin-lock protocol; Takada and Sakamura 1995). If the RNLP is instantiated as a spin-based protocol or for s-oblivious analysis, then k = m (Ward and Anderson 2012). (Otherwise, in the case of s-aware analysis, k = n; Ward and Anderson 2012.)

To enter an outermost critical section (i.e., when not yet holding any locks), a job must first acquire a token from the token lock. Once it holds a token, it may interact with the RSM. In particular, it may repeatedly request resources from the RSM in an incremental fashion, acquiring and releasing resources as needed, as long as nested requests are well-ordered. Once a job releases its last resource (i.e., when it leaves its outermost critical section), it also relinquishes its token.

In the spin-based configuration of the RNLP, jobs become non-preemptable as soon as they acquire a token and remain non-preemptable until they release their token. Since non-preemptive execution already ensures that at most m = k tasks can be non-preemptive at the same time, in fact no further KX synchronization protocol is required; Ward and Anderson refer to this as a trivial token lock (TTL) (Ward and Anderson 2012). A TTL simply records a time stamp when a job becomes non-preemptable, at which point it may request resources from the RSM.

The specifics of the RSM differ in minor ways based on the exact configuration of the RNLP, but all RSM variants share the following key characteristics of the spin-based RSM. As part of the RSM, there is a wait queue for each resource q, and when a job requests q, it enters the wait queue for q. As previously seen in Takada and Sakamura’s protocol (Takada and Sakamura 1995) based on priority-ordered spin locks, jobs are queued in order of increasing time stamps. In the absence of nesting, this reduces again to FIFO queues, but when issuing nested requests, jobs
may benefit from an earlier time stamp and “skip ahead” of jobs that acquired their tokens at a later time. However, there is a crucial deviation from Takada and Sakamura’s protocol (Takada and Sakamura 1995) that makes all the difference: whereas in Takada and Sakamura’s protocol a job at the head of a queue automatically acquires the resource, the RNLP’s RSM may choose to not satisfy a request for a resource q even though it is available (Ward and Anderson 2012). That is, the RNLP is non-work-conserving and may elect to withhold currently uncontested resources in anticipation of a potential later request that must not be delayed (not unlike the use of priority ceilings in the classic PCP; Sha et al. 1990). Specifically, a job Ji at the head of a resource q’s queue may not acquire q if there still exists another token-holding job Jh with an earlier token time stamp that might still request q (Ward and Anderson 2012).

As a result of this non-work-conserving behavior and the use of time stamp-ordered wait queues, the RNLP ensures that no job is ever blocked by a request of a job with a later token time stamp, even when issuing nested requests. This property suffices to show O(m) maximum s-blocking per outermost critical section (because there can be at most m – 1 jobs with earlier token time stamps). It bears repeating that the RNLP’s bound holds for any nesting depth d, whereas Takada and Sakamura’s work-conserving protocol (Takada and Sakamura 1995) ensures O(m) maximum s-blocking only for d = 2, and even then Takada and Sakamura’s protocol exhibits worse constant factors (i.e., is subject to additional s-blocking).

The RNLP’s non-work-conserving RSM behavior has two major implications: first, all potential nesting must be known at runtime (i.e., the partial nesting order must not only exist, it must also be available to the RNLP). This is required so that the RSM can appropriately reserve resources that may be incrementally locked at a later time (i.e., to deny resources that might still be needed to jobs with later token time stamps). In practical terms, the need to explicitly determine, store, and communicate the partial nesting order may impose some additional software engineering effort (e.g., at system integration time). And second, while the RNLP controls worst-case blocking (asymptotically) optimally, it does so at the price of a potential increase in average-case blocking when jobs are denied access to rarely nested but frequently accessed resources.

Overall, the RNLP represents the state of the art w.r.t. support for fine-grained nested critical sections without excessive transitive blocking. Perhaps most importantly, with the RNLP, Ward and Anderson (2012) established that O(m) maximum s-blocking, O(m) maximum s-oblivious pi-blocking, and O(n) s-aware pi-blocking are possible in the presence of nested critical sections (even with arbitrary nesting depth d), which was far from obvious at the time (and might reasonably have been considered unlikely, given prior negative results; Takada and Sakamura 1995).

In 2013, in work aimed at making the RNLP more versatile and efficient for practical use, Ward and Anderson (2013) introduced a number of extensions and refinements of the RNLP. Most significantly, they introduced the notion of dynamic group locks (DGLs) (Ward and Anderson 2013) to the RNLP. As the name suggests, a DGL allows tasks to lock multiple resources in one operation with all-or-nothing
semantics, similarly to a (static) group lock (recall Sect. 9.1), but without the need to define groups a priori and without requiring that groups be disjoint. In some sense, DGLs are not unlike the pre-claiming mechanism of Rhee and Martin (1995), but there is one important difference: whereas Rhee and Martin enforce conservative two-phase locking semantics – once a task holds some resources, it cannot acquire any additional locks – in the RNLP, tasks are free to issue as many DGL requests as needed in an incremental fashion. That is, the RNLP supports truly nested, fine-grained DGLs. Notably, introducing DGLs does not negatively affect the RNLP’s blocking bounds, and the original RNLP (Ward and Anderson 2012) can thus be understood as a special case of the DGL-capable RNLP (Ward and Anderson 2013) where each DGL request pertains to just a single resource (i.e., a singleton “group” lock).

Additionally, Ward and Anderson (2013) introduced the possibility to apply the RNLP as a KX synchronization protocol (also with asymptotically optimal blocking bounds). In particular, KX synchronization is possible in conjunction with DGLs, so that tasks can request multiple replicas of different resources as one atomic operation. Last but not least, Ward and Anderson (2013) proposed another extension of great practical importance, namely, the ability to combine both spin- and suspension-based locks in a way such that requests for spin locks are not blocked by requests for semaphores (called “short-on-long blocking”; Ward and Anderson 2013), since critical sections pertaining to suspension-based locks are likely to be much longer (possibly by one or more orders of magnitude) than critical sections pertaining to spin locks.

In 2014, in a further major broadening of the RNLP’s capabilities (Ward and Anderson 2012, 2013), Ward and Anderson presented the Reader-Writer RNLP (RW-RNLP) (Ward and Anderson 2014) for nested RW synchronization. Building on the principles of the RNLP and phase-fair locks (Brandenburg 2011; Brandenburg and Anderson 2009, 2010b), Ward and Anderson derived a RW protocol that achieves asymptotically optimal maximum pi- or s-blocking (like the RNLP) and O(1) per-request reader blocking (phase-fairness) while allowing for a great deal of flexibility: tasks may arbitrarily nest read and write critical sections, upgrade read locks to write locks, and lock resources incrementally. While a discussion of further details is beyond the scope of this survey, we note that integrating RW semantics into the RNLP, in particular without giving up phase-fairness, is a very much nontrivial “extension” that required substantial advances in techniques and analysis (Ward and Anderson 2014).

In 2015, Jarrett et al. (2015) introduced a contention-sensitive variant of the RNLP (Ward and Anderson 2012), denoted C-RNLP. In contrast to the original RNLP, and the vast majority of other protocols considered herein, the C-RNLP exploits knowledge of maximum critical section lengths at runtime to react dynamically to actual contention levels. (Schwan and Zhou’s protocol (Schwan and Zhou 1992; Zhou 1992) also uses maximum critical section lengths at runtime.) At a high level, the C-RNLP dynamically overrides the RNLP’s regular queue order to lessen the blocking caused by the RNLP’s non-work-conserving behavior but only if it can
be shown that doing so will not violate the RNLP’s guaranteed worst-case blocking bounds. Since heavy resource contention is usually rare in practice, contention sensitivity as realized in the C-RNLP stands to achieve substantially lower blocking in many systems. As trade-offs, the C-RNLP unsurprisingly comes with higher lock acquisition and release overheads and the need to make accurate information on worst-case critical section lengths available at runtime, which can be inconvenient from a software engineering perspective.

Concerning locking protocols that allow for unrestricted nesting (i.e., non-RNLP protocols), two spin-based protocols have been investigated in recent work. First, Burns and Wellings’s MrsP (Burns and Wellings 2013b) includes support for fine-grained, well-ordered nesting. While the initial version of the protocol (Burns and Wellings 2013b) already offered basic support for nesting, the original analysis (which heavily relies on inflation, similar to Zhou’s approach (Zhou 1992)) left some questions pertaining to the correct accounting of transitive blocking unanswered (Biondi et al. 2016). A revised and clarified version of the MrsP with better support for nested critical sections was recently presented by Garrido et al. (2017b), including a corrected analysis of worst-case blocking in the presence of nested critical sections (Garrido et al. 2017b). Garrido et al.’s revised analysis is still based on execution-time inflation and thus subject to the same structural pessimism as Zhou’s approach (Zhou 1992) (as discussed in Sect. 9.2). In particular, Garrido et al.’s revised analysis (Garrido et al. 2017b) does not yet incorporate Zhao et al.’s recently introduced, less pessimistic, inflation-free analysis setup (Zhao et al. 2017), whereas Zhao et al.’s improved analysis (Zhao et al. 2017) does not yet support fine-grained nesting.

Finally, Biondi et al. (2016) developed a MILP-based blocking analysis of the MSRP (Gai et al. 2001) with unrestricted well-ordered nesting. In Gai et al.’s original definition of the MSRP (Gai et al. 2001), nesting of global resources is explicitly disallowed. However, as long as all nesting is well-ordered, the protocol is capable of supporting fine-grained nesting – the lack of nesting support in the original MSRP is simply a matter of missing analysis, not fundamental incompatibility, and can be explained by the fact that analysis techniques had not yet sufficiently progressed at the time to enable a reasonably accurate analysis. Leveraging a modern MILP-based approach inspired by earlier LP- and MILP-based analyses of non-nested protocols (Biondi and Brandenburg 2016; Brandenburg 2013b; Wieder and Brandenburg 2013b; Yang et al. 2015), Biondi et al. (2016) provided such an analysis for P-FP scheduling. As a result, the MSRP may now be employed without any fine-grained nesting restrictions (other than the well-ordered nesting principle to prevent deadlock).

In particular, while the MSRP uses non-preemptive FIFO spin locks, which is precisely the type of lock that Takada and Sakamura (1995) showed to be vulnerable to excessive transitive blocking, Biondi et al.’s MILP-based analysis (Biondi et al. 2016) is effective in analyzing transitive blocking without excessive pessimism because the MILP-based approach inherently avoids accounting for any critical section more than once (Biondi et al. 2016). Thus, while in theory FIFO-ordered spin locks cannot prevent substantial transitive blocking when faced with
pathological amounts of contention, this is less of a concern in practice given a sufficiently accurate analysis (i.e., if the analysis does not overestimate contention) since practical systems are usually designed to minimize contention. While MILP solving is computationally quite demanding (Biondi et al. 2016), Biondi et al.’s analysis offers the advantage of resting on a solid formal foundation that offers a precise, graph-based abstraction for reasoning about possible blocking delays and which ultimately enables rigorous individual proofs for each MILP constraint. Given the challenges inherent in the analysis of transitive blocking, Biondi et al.’s formal foundation and MILP-based analysis approach provide good starting points for future analyses of fine-grained nesting in the context of other multiprocessor real-time locking protocols.
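The request satisfaction rule of the spin-based RNLP described earlier in this section, next to the work-conserving rule of a time stamp-ordered spin lock, is shown below as an added C example; it is not Ward and Anderson’s implementation. It models only the grant decision (no spinning or non-preemptive execution), and the names struct rsm, may_request, satisfiable_rnlp and the per-job bit mask of resources that might still be requested are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define NJOBS 4      /* constructed sizes for this example */
#define NRES  4
#define FREE  (-1)

struct job {
    bool          has_token;
    unsigned long ts;           /* token time stamp; earlier = higher locking priority */
    unsigned      may_request;  /* bit q: job might still request q (assumed known
                                   from the nesting order; an over-approximation) */
    unsigned      waiting;      /* bit q: job is enqueued for resource q */
};

struct rsm {
    struct job    job[NJOBS];
    int           holder[NRES];
    unsigned long clock;        /* an atomic counter in a real lock; plain here */
};

void rsm_init(struct rsm *s)
{
    for (int j = 0; j < NJOBS; j++)
        s->job[j] = (struct job){ 0 };
    for (int q = 0; q < NRES; q++)
        s->holder[q] = FREE;
    s->clock = 0;
}

/* Token lock: entering an outermost critical section fixes the time stamp. */
void token_acquire(struct rsm *s, int j, unsigned may_request)
{
    s->job[j] = (struct job){ .has_token = true, .ts = ++s->clock,
                              .may_request = may_request };
}

void token_release(struct rsm *s, int j) { s->job[j] = (struct job){ 0 }; }
void rsm_request(struct rsm *s, int j, int q) { s->job[j].waiting |= 1u << q; }
void rsm_release(struct rsm *s, int j, int q)
{
    if (s->holder[q] == j)
        s->holder[q] = FREE;
}

/* Head of q's wait queue: the waiting job with the earliest time stamp. */
static int queue_head(const struct rsm *s, int q)
{
    int head = FREE;
    for (int j = 0; j < NJOBS; j++)
        if (s->job[j].has_token && (s->job[j].waiting & (1u << q)) &&
            (head == FREE || s->job[j].ts < s->job[head].ts))
            head = j;
    return head;
}

/* Work-conserving rule: the head of the queue gets a free resource. */
bool satisfiable_work_conserving(const struct rsm *s, int j, int q)
{
    return s->holder[q] == FREE && queue_head(s, q) == j;
}

/* RNLP rule: also, no token holder with an earlier stamp might still request q. */
bool satisfiable_rnlp(const struct rsm *s, int j, int q)
{
    if (!satisfiable_work_conserving(s, j, q))
        return false;
    for (int h = 0; h < NJOBS; h++)
        if (h != j && s->job[h].has_token && s->job[h].ts < s->job[j].ts &&
            (s->job[h].may_request & (1u << q)))
            return false;
    return true;
}

bool rsm_try_acquire(struct rsm *s, int j, int q)
{
    if (!satisfiable_rnlp(s, j, q))
        return false;
    s->holder[q] = j;
    s->job[j].waiting &= ~(1u << q);
    return true;
}

int main(void)
{
    struct rsm s;
    rsm_init(&s);
    token_acquire(&s, 0, (1u << 0) | (1u << 1)); /* J0: resource 0, nested 1 */
    token_acquire(&s, 1, 1u << 1);               /* J1: resource 1 only      */
    rsm_request(&s, 0, 0);
    rsm_try_acquire(&s, 0, 0);
    rsm_request(&s, 1, 1);                       /* resource 1 is free ...   */
    printf("work-conserving grants J1: %d, RNLP grants J1: %d\n",
           satisfiable_work_conserving(&s, 1, 1), satisfiable_rnlp(&s, 1, 1));
    return 0;
}
```

In the constructed scenario the RNLP rule withholds the free resource from J1, so J0’s later nested request is never blocked by a job with a later token time stamp.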

10 Implementation Aspects

While our focus in this survey is algorithmic properties and analytical guarantees, there also exists a rich literature pertaining to the implementation of multiprocessor real-time locking protocols and their integration with programming languages. In the following, we provide a brief overview of key topics.

10.1 Spin-Lock Algorithms

The spin-lock protocols discussed in Sect. 4 assume the availability of spin locks with certain “real-time-friendly” properties (e.g., FIFO-ordered or priority-ordered locks). Widely used spin locks in practice include Mellor-Crummey and Scott’s scalable MCS queue locks (Mellor-Crummey and Scott 1991a), simple ticket locks (Lamport 1974; Mellor-Crummey and Scott 1991a), and basic TAS locks, where the former two are instances of FIFO-ordered spin locks and the latter is an unordered lock (i.e., not exactly “real-time-friendly” but easy to implement and still analyzable; Wieder and Brandenburg 2013b). These lock types are well-known and covered by excellent prior surveys on shared-memory synchronization (Anderson et al. 2003; Raynal 1986). We focus here on spin-lock algorithms designed specifically for use in real-time systems.

The most prominent example in this category is priority-ordered spin locks, which are only rarely (if ever) used in general-purpose systems. The first such locks are due to Markatos and Leblanc (Markatos 1991; Markatos and Leblanc 1991), who offered a clear specification for “priority-ordered spin locks” and proposed two algorithms that extend two prior FIFO-ordered spin locks, by respectively Burns (1978) and Mellor-Crummey and Scott (1991a), to respect request priorities. Several authors continued this line of research and proposed refined priority-ordered spin locks in subsequent years. In particular, Craig (1993) proposed several scalable FIFO- and priority-ordered queue lock algorithms. Craig also presents several extensions of the basic algorithms that add support for time-outs, preemptable spinning, and memory-efficient lock nesting (i.e., without requiring a separate queue
element for each lock). Takada and Sakamura (1994) similarly proposed a scheme for spinning jobs to be preempted briefly by interrupt service routines, with the goal of ensuring low interrupt latencies in the kernel of a multiprocessor RTOS.

Wang et al. (1996) considered nested priority-ordered spin locks and observed that they can give rise to starvation effects that ultimately lead to unbounded priority inversion. Specifically, they identified the following scenario: when a high-priority job Jh is trying to acquire a lock q that is held by a lower-priority job Jl and Jl is in turn trying to acquire a (nested) lock p that is continuously used by (at least two) middle-priority jobs (in alternating fashion) located on other processors, then Jl (and implicitly Jh) may remain indefinitely blocked on p (respectively, on q). To overcome this issue, Wang et al. proposed two spin-lock algorithms that incorporate priority inheritance. The first algorithm – based on Markatos and Leblanc’s algorithm (Markatos 1991; Markatos and Leblanc 1991) – is simpler; however, it is not scalable (i.e., it is not a local-spin algorithm). The second proposed algorithm restores the local-spin property.

To improve overhead predictability, Johnson and Harathi (1997) proposed a priority-ordered spin lock that, in contrast to earlier algorithms, ensures that critical sections can be exited in constant time. To this end, Johnson and Harathi’s algorithm maintains a pointer to the highest-priority pending request, which eliminates the need to search the list of pending requests when a lock is released. Finally, and much more recently, Huang and Jayanti (2016) proposed a strengthened definition of “priority-ordered spin locks” that forbids races among simultaneously issued requests of different priorities and presented an algorithm that satisfies this stricter specification.

Concerning FIFO-ordered spin locks that support preemptable spinning, as assumed in Sect. 4.1.2, several authors have proposed suitable algorithms (Anderson et al. 1998; Craig 1993; Kontothanassis et al. 1997; Takada and Sakamura 1994). Furthermore, in their proposal of the SPEPP approach (which also relies on preemptable spinning, as discussed in Sect. 4.1.4), Takada and Sakamura (1997) provided two implementations of their SPEPP approach (Takada and Sakamura 1997), one based on MCS locks (Mellor-Crummey and Scott 1991a) and one based on TAS locks. Notably, even the implementation based on TAS locks ensures FIFO-ordered execution of critical sections because all posted operations (i.e., closures) are processed in the order in which they were enqueued (though not necessarily by the processor that enqueued them) (Takada and Sakamura 1997).

With regard to RW locks, Mellor-Crummey and Scott provided the canonical implementation of task-fair (i.e., FIFO) RW locks (Mellor-Crummey and Scott 1991b) as an extension of their MCS queue locks (Mellor-Crummey and Scott 1991a). Several practical phase-fair RW lock implementations were proposed and evaluated by Brandenburg and Anderson (Brandenburg 2011; Brandenburg and Anderson 2009, 2010b). Bhatt and Jayanti subsequently proposed a stricter specification of “phase fairness” and proposed a matching lock algorithm (Bhatt and Jayanti 2011).

Finally, while not aimed specifically at real-time systems, it is worth pointing out a recent work of Dice and Harris (2016) in which they aim to circumvent the
lock-holder preemption problem without resorting to non-preemptive sections or heavyweight progress mechanisms by leveraging emerging hardware support for transactional memory (HTM). With a sufficiently powerful HTM implementation, it may be possible to encapsulate entire critical sections pertaining to shared data structures (but not I/O devices) in an HTM transaction, which would then allow preempted critical sections to be simply aborted, and any changes to the shared resource would be rolled back automatically. As a result, lock holders can be preempted without the risk of delaying remote tasks. However, HTM support is not yet widespread in the processor platforms typically used in real-time systems, and it still remains to be seen whether it will become a de facto standard in future multicore processors.

10.2 Avoiding System Calls

In an operating system with a clear kernel-mode/user-mode separation and protection boundary, the traditional way of implementing critical sections in user mode is to provide lock and unlock system calls. However, system calls typically impose non-negligible overheads (compared to regular or inlined function calls) and hence represent a significant bottleneck. In particular, this poses a problem for spin-lock protocols, as one of the primary benefits of spin locks compared to semaphores is that spin locks incur much lower overheads. If each critical section requires a system call to indicate the beginning of non-preemptive execution and another system call to indicate the re-enabling of preemptions, then the overhead advantage will be substantially reduced. To avoid such overheads, LITMUSRT version 2010.1 introduced a mechanism (Brandenburg 2011) that allows tasks to communicate non-preemptive sections to the kernel in a way that requires a system call only in the infrequent case of a deferred preemption. The approach works by letting each task share a page of memory, called the task’s control page, with the kernel, similar to the notion of a userspace thread control block (UTCB) found in L4 microkernels. To enter a non-preemptive section, a task simply sets a flag in its control page, which it clears upon exiting the non-preemptive section. To indicate a deferred preemption, the kernel sets another flag in the control page. At the end of each nonpreemptive section, a task checks the deferred preemption flag and, if set, triggers the scheduler (e.g., via the sched_yield() system call). To prevent runaway tasks or attackers from bringing down the system, the kernel can simply stop honoring a task’s non-preemptive section flag if the task fails to call sched_yield() within a pre-determined time limit (Brandenburg 2011), which makes the mechanism safe to use even if userspace tasks are not trusted. 
The control page mechanism thus allows spin locks to be implemented efficiently in userspace, requiring no kernel intervention even when inter-core lock contention occurs.

A similar problem exists with semaphores in user mode. However, since blocking is realized by suspending in semaphores, in the worst case (i.e., if contention is encountered), the kernel is always involved. Nonetheless, the avoidance of system calls in user-mode semaphores is still an important average-case optimization. Specifically, since lock contention is rare in well-designed systems, avoiding system calls in the case of uncontested lock and release operations (i.e., in the common case) is key to maximizing throughput (i.e., to minimizing mean overhead) in applications with a high frequency of critical sections. Semaphore implementations that do not involve the kernel in the absence of contention are commonly called futexes (fast userspace mutexes), a name popularized by the implementation in Linux.

From a real-time perspective, the main challenge in realizing futexes is maintaining a protocol’s predictability guarantees (i.e., to avoid invalidating known worst-case blocking bounds). With regard to this problem, Spliet et al. (2014) distinguish between reactive and anticipatory progress mechanisms (Spliet et al. 2014), where the former take effect only when contention is encountered, whereas the latter conceptually require actions even before a conflicting lock request is issued. For instance, priority inheritance is a reactive progress mechanism, whereas priority boosting is an anticipatory progress mechanism since a job’s priority is raised unconditionally whenever it acquires a shared resource. It is easy to combine futexes with reactive mechanisms since the kernel is involved anyway in the case of contention (to suspend the blocking task). In contrast, anticipatory protocols are more difficult to support since the protocol’s unconditional actions must somehow be realized without invoking the kernel in the uncontended case. Likely for this reason, Linux supports priority-inheritance futexes but currently does not offer a futex implementation of ceiling protocols.
Despite such complications, it is fortunately still possible to realize many anticipatory protocols as futexes by deferring task state updates until the kernel is invoked anyway for some other reason (e.g., a preemption due to the release of a higher-priority job), as has been shown by a number of authors (Almatary et al. 2015; Spliet et al. 2014; Züpke 2013; Züpke et al. 2014). In a uniprocessor context, Züpke (2013) and Züpke et al. (2014) considered how to implement predictable real-time futexes in an efficient and certifiable way in the context of a high-assurance, resource-partitioned separation kernel. Their approach is also relevant in a multiprocessor context because it allows for an efficient, futex-compatible implementation of priority boosting under partitioned scheduling by means of deferred priority changes (Züpke et al. 2014). Almatary et al. (2015) later explored similar protocols for uniprocessor FP and EDF scheduling and verified their correctness with a model checker. Targeting multiprocessor systems, Spliet et al. (2014) systematically explored the aforementioned classes of reactive and anticipatory real-time locking protocols (Spliet et al. 2014) and concretely proposed real-time futex implementations of the PCP (Sha et al. 1990), the MPCP (Rajkumar 1990), and the partitioned FMLP+ (Brandenburg 2011), which were shown to be highly efficient in practice.
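
The control-page handshake described at the start of this section, as an added example (a single-threaded simulation written for this text, not LITMUS^RT code): the task toggles its flag without a system call, the kernel defers a preemption, and a kernel-private deadline enforces the time limit. The struct layout, the function names, NP_LIMIT_TICKS, and the policy of revoking the flag permanently after one overrun are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NP_LIMIT_TICKS 50u /* assumed value for the pre-determined time limit */

/* Shared, task-writable page: the kernel treats both fields as untrusted. */
struct control_page {
    volatile uint32_t np_flag;         /* task: 1 while in a non-preemptive section */
    volatile uint32_t preempt_pending; /* kernel: 1 once a preemption was deferred */
};

/* Kernel-private state, never mapped into the task's address space. */
struct ktask {
    struct control_page *cp;
    bool     armed;    /* a deferred preemption is outstanding */
    uint64_t deadline; /* tick by which the task must have yielded */
    bool     revoked;  /* task overran the limit: np_flag is no longer honored */
    unsigned yields;   /* sched_yield() system calls taken so far */
};

enum kdecision { K_PREEMPT_NOW, K_DEFERRED, K_FORCED };

/* Kernel side: a higher-priority job is waiting for this CPU at tick `now`.
 * Called when the job arrives and again on every later timer tick. */
static enum kdecision kernel_preempt_check(struct ktask *t, uint64_t now)
{
    uint32_t np = t->cp->np_flag;      /* read the untrusted flag exactly once */
    if (t->revoked || np == 0) {       /* flag not honored, or task is preemptible */
        t->armed = false;
        return K_PREEMPT_NOW;
    }
    if (!t->armed) {                   /* first deferral starts the clock */
        t->armed = true;
        t->deadline = now + NP_LIMIT_TICKS;
        t->cp->preempt_pending = 1;
        return K_DEFERRED;
    }
    if (now < t->deadline) return K_DEFERRED; /* still within the time limit */
    t->armed = false;                  /* limit exceeded: preempt, stop trusting */
    t->revoked = true;
    return K_FORCED;
}

/* Kernel side: stand-in for sched_yield(); a real kernel would reschedule here. */
static void sys_sched_yield(struct ktask *t)
{
    t->yields++;
    t->armed = false;
    t->cp->preempt_pending = 0;
}

/* User side. Real code also needs barriers around the flag writes. */
static void np_enter(struct control_page *cp) { cp->np_flag = 1; }
static bool np_exit(struct ktask *self) /* `self` stands in for the syscall trap */
{
    self->cp->np_flag = 0;
    if (!self->cp->preempt_pending) return false;
    sys_sched_yield(self);
    return true;
}

/* Common case: no preemption arrives, so no system call is made at all. */
static unsigned scenario_uncontended(void)
{
    struct control_page cp = {0}; struct ktask t = { .cp = &cp };
    for (int i = 0; i < 1000; i++) { np_enter(&cp); np_exit(&t); }
    return t.yields;
}

/* Cooperative task: preemption deferred at tick 10, one yield at section end. */
static int scenario_cooperative(void)
{
    struct control_page cp = {0}; struct ktask t = { .cp = &cp };
    np_enter(&cp);
    if (kernel_preempt_check(&t, 10) != K_DEFERRED) return -1;
    if (!np_exit(&t)) return -2;
    return (t.yields == 1 && !t.armed && !t.revoked) ? 0 : -3;
}

/* Untrusted task: stays in its section and wipes the kernel's flag. */
static int scenario_runaway(void)
{
    struct control_page cp = {0}; struct ktask t = { .cp = &cp };
    np_enter(&cp);
    if (kernel_preempt_check(&t, 10) != K_DEFERRED) return -1;
    cp.preempt_pending = 0;            /* tampering with the shared page */
    if (kernel_preempt_check(&t, 59) != K_DEFERRED) return -2;
    if (kernel_preempt_check(&t, 60) != K_FORCED) return -3; /* private deadline */
    np_enter(&cp);                     /* flag set again, but no longer honored */
    if (kernel_preempt_check(&t, 61) != K_PREEMPT_NOW) return -4;
    return (t.yields == 0 && t.revoked) ? 0 : -5;
}

int main(void)
{
    printf("%u %d %d\n", scenario_uncontended(), scenario_cooperative(), scenario_runaway());
    return 0;
}
```

The runaway scenario shows why the deadline is kept in kernel memory: clearing preempt_pending in the shared page does not extend the time the task is allowed to remain non-preemptive.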

10.3 Implementations of Allocation Inheritance

Allocation inheritance is the progress mechanism that is the most difficult to support on multiprocessors, in particular when realized as task migrations, since it implies dynamic and rapid changes in the set of processors on which a lock-holding job is eligible to execute. While this results in nontrivial synchronization challenges, allocation inheritance has been implemented and shown to be practical in several systems. As already mentioned in Sects. 4.1.4 and 10.1, Takada and Sakamura (1997) provided efficient implementations of the allocation inheritance principle that avoid task migrations. However, Takada and Sakamura’s algorithms still require that critical sections be executed non-preemptively (i.e., they are not independence-preserving).

Concerning realizations of allocation inheritance that allow tasks to remain fully preemptable at all times, Steinberg et al. (2010) describe an elegant way of implementing allocation inheritance on uniprocessors and mention that their implementation extends to multiprocessors (but do not give details). Hohmuth and Peter discuss implementation and design choices in a multiprocessor context but do not report on implementation details. Both Steinberg et al. and Hohmuth and Peter consider microkernel systems, which are particularly well-suited to allocation inheritance due to their minimalistic kernel environment and emphasis on a clean separation of concerns. In work on more complex monolithic kernels, Brandenburg and Bastoni (2012) discuss a prototype implementation in Linux. Allocation inheritance has also been realized several times in the Linux-based LITMUS^RT: by Faggioli et al. when implementing the spin-based MBWI protocol (Faggioli et al. 2012), by Brandenburg for the suspension-based OMIP (Brandenburg 2013a) and MC-IPC protocols (Brandenburg 2014a), and by Catellani et al. for the spin-based MrsP (Catellani et al. 2015). Catellani et al. also presented an implementation of the MrsP and allocation inheritance in RTEMS, a static real-time OS without a kernel-mode/user-mode divide targeting embedded multiprocessor platforms, and compared and contrasted the two implementations in LITMUS^RT and RTEMS (Catellani et al. 2015).

10.4 RTOS and Programming Language Integration

Over the years, a number of works have explored the question of how to best integrate real-time locking protocols into RTOSs and popular programming languages, to what extent existing theory meets the needs of real systems, and techniques for efficient implementations of real-time locking protocols. In the following, we provide a high-level overview of some of the considered directions and questions.

Criticism of programming language synchronization facilities from a multiprocessor real-time predictability perspective dates all the way back to 1981, when Roberts et al. (1981) reviewed the then-nascent ADA standard. Interestingly, Roberts et al. already argued for the introduction of spin-based synchronization (rather than exclusively relying on suspension-based methods) to avoid scheduler invocations (Roberts et al. 1981). More than 20 years later, Naeser (2005) considered possible undesirable blocking effects on multiprocessors due to ADA 95’s protected actions. Specifically, Naeser identified that if low-priority tasks spread across several processors issue a continuous stream of requests for a certain type of ADA operations (namely, entries protected by barriers) to be carried out on a protected object currently locked by a higher-priority task, then, according to the language standard, these operations could potentially all be serviced by the higher-priority task in its exit path (i.e., when trying to release the protected object’s lock) (Naeser 2005), which theoretically can lead to unbounded delays. As an aside, Takada and Sakamura’s SPEPP approach (Takada and Sakamura 1997) offers an elegant potential solution to this problem since it is starvation-free. Similarly, the MrsP (Burns and Wellings 2013b) could be applied in this context, as suggested by Burns and Wellings (2013a) in their investigation of protected objects in ADA 2012. And even today, predictable multiprocessor synchronization in ADA remains a point of discussion. Lin et al. (2013a, b; Lin 2013) revisited the support for analytically sound multiprocessor real-time synchronization in ADA 2012 and still found it to be wanting. At the same time, they found the multiprocessor real-time locking protocols available in the literature unsatisfactory, in the sense that there is no clear “best” protocol that could be included in the standard to the exclusion of all others. 
To resolve this mismatch in needs and capabilities, Lin et al. argued in favor of letting programmers provide their own locking protocols, so that each application may be equipped with a protocol most suitable for its needs, and presented a flexible framework for this purpose as well as a number of reference implementations of well-known protocols on top of the proposed framework (Lin et al. 2013a, b; Lin 2013). Most recently, Garrido et al. (2017a) investigated the question of predictable multiprocessor real-time locking within the constraints of the ADA Ravenscar profile (Burns 1999) for safety-critical hard real-time systems. In particular, they compared implementations of the MSRP (Gai et al. 2001) (based on non-preemptive sections) and the MrsP (Burns and Wellings 2013b) (based on allocation inheritance) and found that the simpler MSRP is preferable in the restricted Ravenscar context, whereas the MrsP is suitable for a general, full-scope ADA system.

In work on other programming environments and languages, Zhang and Cordes (2004, 2006) investigated a range of multiprocessor real-time locking protocols in the context of CORBA middleware, and Strøm and Schoeberl (2015) and Strøm et al. (2017) proposed and evaluated hardware implementations of real-time synchronization primitives in a native Java processor for embedded safety-critical systems. Also targeting Java, Wellings et al. (2011) studied the multiprocessor real-time locking problem from the point of view of the needs and requirements of the Real-Time Java (RTSJ) and Safety-Critical Java (SCJ) specifications and found a considerable gap between the (restrictive) assumptions underlying the (at the time) state-of-the-art real-time locking protocols and the broad flexibility afforded by the RTSJ and, to a lesser degree, SCJ specifications. As a step toward closing this gap, Wellings et al. (2011) suggested changes to the RTSJ and SCJ specifications that would ease a future integration of analytically sound multiprocessor real-time locking protocols.

The first to discuss in detail the implementation of a multiprocessor real-time locking protocol in an actual RTOS were Schwan and Zhou (1992) and Zhou (1992), who proposed a real-time thread package, including support for predictable synchronization as discussed in Sect. 5.2.3, on top of the Mach microkernel. Takada and Sakamura considered the design of a multiprocessor RTOS from the point of view of the scalability of worst-case behavior (Takada 1996; Takada and Sakamura 1996). Among other techniques, they proposed a scheme called local preference locks (Takada and Sakamura 1996), where resources local to a particular processor are protected with priority-ordered spin locks, but request priorities do not depend on task priorities. Instead, the local processor accesses a local preference lock with higher priority than remote processors, which ensures that processors quickly gain access to local resources (i.e., with O(1) s-blocking) even if they are shared with multiple remote processors.

In work throughout the past decade, many locking protocols have been implemented and evaluated in LITMUS^RT (Brandenburg 2011; Elliott 2015). Already in 2008, Brandenburg and Anderson (2008b) provided a detailed discussion of the implementations of several locking protocols, including the FMLP and the MPCP. Several authors have reported on MPCP implementations.
In work targeting Linux with the PREEMPT_RT patch, Carminati et al. (2014) provided details on in-kernel implementations of the FMLP (Block et al. 2007) and a non-preemptive MPCP variant (Carminati and de Oliveira 2012). A particularly low-overhead implementation of the MPCP for microcontrollers that avoids the need for expensive wait-queue manipulations was proposed by Muller et al. (2014). Targeting a very different system architecture, Ishibashi et al. implemented the MPCP on top of a CAN bus to realize mutual exclusion in a distributed shared memory (DSM) (Ishibashi et al. 2017). In recent implementation-oriented work, Nemitz et al. (2017) added a fast path to the RNLP (Ward and Anderson 2012) to optimize for the common case of non-nested lock acquisitions, and Afshar et al. (2016b) presented an implementation of spin locks with flexible spin priorities (Afshar et al. 2014). To date, multiprocessor real-time locking protocols have received scant attention from a WCET analysis perspective, with Gerdes’s thesis (Gerdes 2013) being a notable exception. Last but not least, Gadia et al. (2016) recently reported on a verified implementation of priority inheritance with support for nested critical sections in RTEMS.

11 Conclusion, Further Directions, and Open Issues

Predictable synchronization is one of the central needs in a multiprocessor real-time system, and it is thus not surprising that multiprocessor real-time locking protocols, despite having received much attention already in the past, are still a subject of ongoing research. In fact, the field has seen renewed and growing interest in recent years due to the emergence and proliferation of multicore processors as the de facto standard computing platform. Looking back at its history over the course of the past three decades – starting with Rajkumar et al.’s pioneering results (Rajkumar 1990, 1991a; Rajkumar et al. 1988) – it is fair to say that the community has gained a deeper understanding of the multiprocessor real-time locking problem and amassed an already substantial body of relevant knowledge. In this survey, we have attempted to document, structure, and organize this knowledge and the relevant literature, in hopes of making it more easily accessible to researchers and practitioners alike.

11.1 Further Research Directions

In addition to the topics discussed in detail in the preceding sections, there are many further research directions related to multiprocessor real-time locking protocols that have been explored in the past. While these topics are beyond the scope of this already long survey, we do mention a few representative publications in these areas to provide interested readers with some initial pointers.

One important resource in many multiprocessor real-time systems that we have excluded from consideration herein is energy. Energy management, in particular schemes that change processor speeds, can have a significant impact on synchronization (Chen et al. 2008; Fan et al. 2013; Han et al. 2012b; Tsai et al. 2016; Wu 2017).

Targeting high-integrity systems subject to both real-time and security requirements, Völp et al. (2013) studied a number of real-time locking protocols (including the MPCP Rajkumar 1990 and the clustered OMLP Brandenburg and Anderson 2011) from a timing channel perspective and identified suitably confidentiality-preserving progress mechanisms and locking protocols.

A number of authors have studied multiprocessor real-time synchronization problems from a more foundational perspective and have obtained speedup and resource augmentation results for a number of protocols (Andersson and Raravi 2014; Huang et al. 2016; Raravi 2013; Raravi et al. 2011, 2012). These results are largely based on rather limiting assumptions (e.g., only a single critical section per job) and in several instances study protocols purposefully designed to obtain a speedup or resource augmentation result, which has limited practical relevance.

All of the protocols discussed in this survey assume sequential tasks. Going beyond this standard assumption, Holenderski et al. (2012) studied the multiprocessor real-time locking problem in the context of parallel real-time tasks (Holenderski 2012; Holenderski et al. 2012).

Over the years, many results pertaining to the task and resource mapping problems and related optimization problems have appeared (Al-bayati et al. 2015; Bonato et al. 2014; Fauberteau and Midonnet 2010, 2011; Han et al. 2012b, 2014b, 2017; Höttger et al. 2017; Hsiu et al. 2011; Huang et al. 2016; López et al. 2004; Nemati 2012; Nemati et al. 2009a, 2010; Raravi et al. 2011; Shekhar et al. 2014; Sun et al. 1994; Tia and Liu 1994; von der Brüggen et al. 2017; Wieder and Brandenburg 2013a). Particularly well-known is Lakshmanan et al.’s task-set partitioning heuristic for use with the MPCP (Lakshmanan et al. 2009). Alternative heuristics and strategies have been proposed by (among others) Nemati et al. (2010), Wieder and Brandenburg (2013a), and Al-bayati et al. (2015). Of particular interest with regard to the task and resource mapping problems in the context of the DPCP are proposals that apply techniques for scheduling task graphs with precedence constraints and end-to-end deadline constraints in distributed systems (Sun et al. 1994; Tia and Liu 1994).

Another system configuration problem that has received considerable attention is the policy selection problem, where the goal is to choose an appropriate synchronization method for a given set of tasks, a set of shared resources, and the tasks’ resource needs (Afshar et al. 2015; Al-bayati et al. 2015; Behnam et al. 2011; Biondi and Brandenburg 2016; Brandenburg et al. 2008; Han et al. 2012a, 2014a). Brandenburg et al. (2008) compared spin- and suspension-based locking protocols (namely, the FMLP variants for short and long resources Block et al. 2007) in LITMUS^RT under consideration of overheads with each other and also against non-blocking synchronization protocols. The choice between a spin-based locking protocol and non-blocking alternatives has also recently been considered by Al-bayati et al. (2015) and Biondi and Brandenburg (2016).

In work on the consolidation and integration of legacy systems on multicore platforms, Afshar et al. (2013), Nemati and Nolte (2013), and Nemati et al. (2011a) explored the use of abstract interfaces that allow representing a component’s resource needs and locking behavior without revealing detailed information about the component’s internals.

Finally, several authors have considered synchronization needs in hierarchical multiprocessor systems (Afshar et al. 2016a; Biondi et al. 2015; Kim et al. 2014; Nemati et al. 2009a, b), where there exists a hierarchy of schedulers. In such systems, tasks are typically encapsulated in processor reservations, resource servers, or, in the case of virtualization, virtual machines and thus prone to preemptions in the middle of critical sections. As first studied by Holman and Anderson (2002a) in the context of Pfair-scheduled systems, this poses considerable challenges from a locking point of view (Holman and Anderson 2002a, b, 2006; Holman 2004) and requires special rules to either prevent lock acquisitions shortly before a job or reservation’s (current) budget allocation is exhausted (Holman and Anderson 2002a) or acceptance of (and appropriate accounting for) the fact that jobs or reservations may overrun their allocated budget by the length of one critical section (Biondi et al. 2015).

11.2 Open Problems

As already mentioned in Sect. 1, the “last word” on multiprocessor real-time resource sharing has not yet been spoken and will likely not be spoken for a long time to come. Without seeking to detract from other, no less interesting directions, we briefly highlight three largely unexplored opportunities for future work.

First, there is a need for more flexible blocking analyses that can handle multiple lock types simultaneously. Practical systems typically use multiple types of locks for different purposes (e.g., both spin locks and semaphores), and while many lock types and real-time locking protocols have been investigated and analyzed in isolation, few results in the literature explicitly account for effects that arise from the combination of different lock types (e.g., blocking bounds for semaphores in the presence of non-preemptive sections due to spin locks Block et al. 2007). Worse, of the existing analyses focused on individual lock types and protocols, few (if any) compose soundly without modification. To better support the needs of real-world systems, clearly further advances will be required in this direction.

Second, all major existing blocking analyses pertain to the worst case. While this is clearly required for true hard real-time systems, given that average-case contention in well-designed systems is usually low, the resulting bounds can be extremely pessimistic relative to observable blocking delays. For firm real-time systems that do not require hard guarantees or for systems where there are strong economic incentives to not provision based on an absolute worst-case basis (which is arguably the majority of systems in practice), there is unfortunately little support in the existing literature. Thus, practitioners today must choose between hard real-time, often pessimistic blocking bounds that tend to result in over-provisioning or no analysis at all (i.e., rely purely on measurements instead). To extend the range of systems to which analytically sound blocking bounds are applicable, it would be desirable to develop means for reasoning about anticipated blocking delays that are both more rigorous than average-case observations and less taxing than hard real-time analyses that assume worst-case contention at every step.

Last but not least, we would like to highlight the need for a rigorous foundation and formal proofs of correctness for blocking analyses. In particular for worst-case blocking analyses, which by their very nature are intended to be used in critical systems, it is essential to have utmost confidence in the soundness of the derived bounds. However, as blocking bounds become more accurate, task models more detailed, and synchronization techniques more advanced, the required blocking analyses also become more tedious to derive, more challenging to validate, and ultimately more error-prone. If the goal is to support safety-critical systems in practice and to use multiprocessor real-time locking protocols and their analyses as evidence of system safety in certification processes, then this is a very dangerous trend, in particular in the light of prior missteps that have only recently come to light (Chen and Brandenburg 2017; Chen et al. 2017; Garrido et al. 2017b; Yang et al. 2017).

As a first step toward a higher degree of confidence in the correctness of advanced blocking analyses, recent LP- and MILP-based blocking analyses (Biondi and Brandenburg 2016; Brandenburg 2013a; Wieder and Brandenburg 2013b; Yang et al. 2015) offer the advantage that each constraint can be checked and proven correct individually (rather than having to reason about the entire analysis as a whole), which simplifies the problem considerably. However, while this is a much needed improvement, it is clearly not yet enough. In the long term, it will be highly desirable (if not at some point outright required) for analyses and protocols intended for use in safety-critical systems – such as blocking bounds for multiprocessor real-time locking protocols – to come with a machine-checked proof of soundness or other equivalent soundness guarantees backed by formal verification methods. Much interesting and challenging work remains to be done before a full formal verification of multiprocessor real-time locking protocols becomes reality.

References

S. Afshar, Lock-based resource sharing for real-time multi-processors. Ph.D thesis, Mälardalen University (2017)
S. Afshar, F. Nemati, T. Nolte, Resource sharing under multiprocessor semi-partitioned scheduling, in Proceedings of the 18th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA) (IEEE, 2012), pp. 290–299
S. Afshar, M. Behnam, T. Nolte, Integrating independently developed real-time applications on a shared multi-core architecture. ACM SIGBED Rev. 10(3), 49–56 (2013)
S. Afshar, M. Behnam, R.J. Bril, T. Nolte, Flexible spin-lock model for resource sharing in multiprocessor real-time systems, in Proceedings of the 9th IEEE International Symposium on Industrial Embedded Systems (SIES) (IEEE, 2014), pp. 41–51
S. Afshar, N. Khalilzad, F. Nemati, T. Nolte, Resource sharing among prioritized real-time applications on multiprocessors. ACM SIGBED Rev. 12(1), 46–55 (2015)
S. Afshar, N. Khalilzad, M. Behnam, R.J. Bril, T. Nolte, Intra-component resource sharing on a virtual multiprocessor platform. ACM SIGBED Rev. 13(3), 31–32 (2016a)
S. Afshar, M.P.W. Verwielen, P. Gai, M. Behnam, R.J. Bril, An implementation of the flexible spin-lock model in ERIKA enterprise on a multi-core platform, in Proceedings of the 12th Annual Workshop on Operating Systems Platforms for Embedded Real-Time Applications (OSPERT), 2016b, pp. 55–60
S. Afshar, M. Behnam, R.J. Bril, T. Nolte, An optimal spin-lock priority assignment algorithm for real-time multi-core systems, in Proceedings of the 23rd IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA) (IEEE, 2017), pp. 1–11
Z. Al-bayati, Y. Sun, H. Zeng, M. Di Natale, Q. Zhu, B. Meyer, Task placement and selection of data consistency mechanisms for real-time multicore applications, in Proceedings of the 21st IEEE Real-Time Embedded Technology and Applications Symposium (RTAS) (IEEE, 2015), pp. 172–181
M. Alfranseder, Efficient and Robust Dynamic Scheduling and Synchronization in Practical Embedded Real-time Multiprocessor Systems. Ph.D thesis, Technische Universität Clausthal, 2016
M. Alfranseder, M. Deubzer, B. Justus, J. Mottok, C. Siemers, An efficient spin-lock based multicore resource sharing protocol, in Proceedings of the 33rd IEEE International Performance Computing and Communications Conference (IEEE, 2014), pp. 1–7
H. Almatary, N.C. Audsley, A. Burns, Reducing the implementation overheads of IPCP and DFP, in Proceedings of the 36th IEEE Real-Time Systems Symposium (RTSS), 2015, pp. 295–304
J. Anderson, R. Jain, K. Jeffay, Efficient object sharing in quantum-based real-time systems, in Proceedings of the 19th IEEE Real-Time Systems Symposium (RTSS), 1998, pp. 346–355

J.H. Anderson, Y.-J. Kim, T. Herman, Shared-memory mutual exclusion: major research trends since 1986. Distrib. Comput. 16(2), 75–110 (2003)
J.H. Anderson, V. Bud, U.M.C. Devi, An EDF-based scheduling algorithm for multiprocessor soft real-time systems, in Proceedings of the 17th Euromicro Conference on Real-Time Systems (ECRTS) (IEEE, 2005), pp. 199–208
B. Andersson, G. Raravi, Real-time scheduling with resource sharing on heterogeneous multiprocessors. Real Time Syst. 50(2), 270–314 (2014)
S.K. Baruah, N.K. Cohen, C.G. Plaxton, D.A. Varvel, Proportionate progress: A notion of fairness in resource allocation. Algorithmica 15(6), 600–625 (1996)
A. Bastoni, B.B. Brandenburg, J.H. Anderson, Is semi-partitioned scheduling practical? in Proceedings of the 23rd Euromicro Conference on Real-Time Systems (ECRTS) (IEEE, 2011), pp. 125–135
M. Behnam, F. Nemati, T. Nolte, H. Grahn, Towards an efficient approach for resource sharing in real-time multiprocessor systems, in Proceedings of the 6th IEEE International Symposium on Industrial Embedded Systems (SIES) (IEEE, 2011), pp. 99–102
M. Bertogna, M. Cirinei, G. Lipari, Improved schedulability analysis of edf on multiprocessor platforms, in Proceedings of the 17th Euromicro Conference on Real-Time Systems (ECRTS) (IEEE, 2005), pp. 209–218
V. Bhatt, P. Jayanti, Specification and constant RMR algorithm for phase-fair reader-writer lock, in Proceedings of the 12th International Conference on Distributed Computing and Networking (ICDCN) (Springer, 2011), pp. 119–130
A. Biondi, B. Brandenburg, Lightweight real-time synchronization under P-EDF on symmetric and asymmetric multiprocessors, in Proceedings of the 28th Euromicro Conference on Real-Time Systems (ECRTS), 2016, pp. 39–49
A. Biondi, G.C. Buttazzo, M. Bertogna, Supporting component-based development in partitioned multiprocessor real-time systems, in Proceedings of the 27th Euromicro Conference on Real-Time Systems (ECRTS) (IEEE, 2015), pp. 269–280
A. Biondi, B. Brandenburg, A. Wieder, A blocking bound for nested FIFO spin locks, in Proceedings of the 37th IEEE Real-Time Systems Symposium (RTSS), 2016, pp. 291–302
A. Block, H. Leontyev, B. Brandenburg, J. Anderson, A flexible real-time locking protocol for multiprocessors, in Proceedings of the 13th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA), 2007, pp. 47–57
L. Bonato, E. Mezzetti, T. Vardanega, Supporting global resource sharing in RUN-scheduled multiprocessor systems, in Proceedings of the 22nd International Conference on Real-Time Networks and Systems (ACM, 2014), pp. 109–118
B. Brandenburg, Scheduling and Locking in Multiprocessor Real-Time Operating Systems. Ph.D thesis, UNC Chapel Hill, 2011
B. Brandenburg, Virtually exclusive resources. Technical Report MPI-SWS-2012–005, MPI-SWS, 2012
B. Brandenburg, A fully preemptive multiprocessor semaphore protocol for latency-sensitive real-time applications, in Proceedings of the 25th Euromicro Conference on Real-Time Systems (ECRTS), 2013a, pp. 292–302
B. Brandenburg, Improved analysis and evaluation of real-time semaphore protocols for P-FP scheduling, in Proceedings of the 19th IEEE Real-Time Embedded Technology and Applications Symposium (RTAS), 2013b, pp. 141–152
B. Brandenburg, A synchronous IPC protocol for predictable access to shared resources in mixed-criticality systems, in Proceedings of the 35th IEEE Real-Time Systems Symposium (RTSS), 2014a, pp. 196–206
B. Brandenburg, Blocking optimality in distributed real-time locking protocols. Leibniz Transactions on Embedded Systems 1(2), 1–22 (2014b)
B. Brandenburg, The FMLP+: an asymptotically optimal real-time locking protocol for suspension aware analysis, in Proceedings of the 26th Euromicro Conference on Real-Time Systems (ECRTS), 2014c, pp. 61–71

B. Brandenburg, J. Anderson, A comparison of the M-PCP, D-PCP, and FMLP on LITMUS^RT, 2008a, pp. 105–124
B. Brandenburg, J. Anderson, An implementation of the PCP, SRP, D-PCP, M-PCP, and FMLP real-time synchronization protocols in LITMUS^RT, in Proceedings of the 14th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA), 2008b, pp. 185–194
B. Brandenburg, J. Anderson, Reader-writer synchronization for shared-memory multiprocessor real-time systems, in Proceedings of the 21st Euromicro Conference on Real-Time Systems (ECRTS), 2009, pp. 184–193
B. Brandenburg, J. Anderson, Optimality results for multiprocessor real-time locking, in Proceedings of the 31st IEEE Real-Time Systems Symposium (RTSS), 2010a, pp. 49–60
B. Brandenburg, J. Anderson, Spin-based reader-writer synchronization for multiprocessor real-time systems. Real-Time Syst. 46(1), 25–87 (2010b)
B. Brandenburg, J. Anderson, Real-time resource-sharing under clustered scheduling: mutex, reader-writer, and k-exclusion locks, in Proceedings of the 11th International Conference on Embedded Software (EMSOFT), 2011, pp. 69–78
B. Brandenburg, J. Anderson, The OMLP family of optimal multiprocessor real-time locking protocols. Des. Autom. Embed. Syst. 17(2), 277–342 (2013)
B.B. Brandenburg, J.H. Anderson, A clarification of link-based global scheduling. Technical Report MPI-SWS-2014–007, Max Planck Institute for Software Systems, 2014
B.B. Brandenburg, A. Bastoni, The case for migratory priority inheritance in Linux: bounded priority inversions on multiprocessors, in Proceedings of the 14th Real-Time Linux Workshop (RTLWS). Citeseer, 2012
B.B. Brandenburg, M. Gül, Global scheduling not required: simple, near-optimal multiprocessor real-time scheduling with semi-partitioned reservations, in Proceedings of the 37th IEEE Real-Time Systems Symposium (RTSS) (IEEE, 2016), pp. 99–110
B. Brandenburg, J. Calandrino, A. Block, H. Leontyev, J. Anderson, Synchronization on real-time multiprocessors: to block or not to block, to suspend or spin? in Proceedings of the 14th IEEE Real-Time Embedded Technology and Applications Symposium (RTAS), 2008, pp. 342–353
J.E. Burns, Mutual exclusion with linear waiting using binary shared variables. ACM SIGACT News 10(2), 42–47 (1978)
A. Burns, The ravenscar profile. ACM SIGAda Ada Lett. 19(4), 49–52 (1999)
A. Burns, R. Davis, Mixed criticality systems – a review. Technical Report 10th edition, Department of Computer Science, University of York, Jan 2018
A. Burns, A.J. Wellings, Locking policies for multiprocessor Ada. ACM SIGAda Ada Lett. 33(2), 59–65 (2013a)
A. Burns, A.J. Wellings, A schedulability compatible multiprocessor resource sharing protocol – MrsP, in Proceedings of the 25th Euromicro Conference on Real-Time Systems (ECRTS) (IEEE, 2013b), pp. 282–291
A. Carminati, R.S. de Oliveira, On variations of the suspension-based multiprocessor priority ceiling synchronization protocol, in Proceedings of the 17th IEEE Conference on Emerging Technologies and Factory Automation (ETFA) (IEEE, 2012), pp. 1–4
A. Carminati, R.S. De Oliveira, L.F. Friedrich, Exploring the design space of multiprocessor synchronization protocols for real-time systems. J. Syst. Architect. 60(3), 258–270 (2014)
S. Catellani, L. Bonato, S. Huber, E. Mezzetti, Challenges in the implementation of MrsP, in Proceedings of the 20th International Conference on Reliable Software Technologies (ADA Europe) (Springer, 2015), pp. 179–195
F. Cerqueira, M. Vanga, B.B. Brandenburg, Scaling global scheduling with message passing, in Proceedings of the 20th IEEE Real-Time Embedded Technology and Applications Symposium (RTAS) (IEEE, 2014), pp. 263–274
Y. Chang, R. Davis, A. Wellings, Reducing queue lock pessimism in multiprocessor schedulability analysis, in Proceedings of the 18th International Conference on Real-Time Networks and Systems (RTNS), 2010, pp. 99–108

440

B. B. Brandenburg


12 Parallel Real-Time Scheduling

Jing Li, Kunal Agrawal, and Chenyang Lu

Contents
1 Introduction
2 Models of Parallel Real-Time Tasks
2.1 Parallel Job Model
2.2 Parallel Real-Time System Model
3 Decomposition-Based Scheduling of Parallel Tasks
3.1 Theoretical Results for Parallel Synchronous Tasks
3.2 Theoretical Results for Parallel DAG Tasks
3.3 Implementations and Practical Considerations
4 Global Scheduling of Parallel Tasks
4.1 Theoretical Bounds
4.2 Schedulability Test and Response Time Analysis
4.3 Implementations and Practical Considerations
5 Federated-Based Scheduling of Parallel Tasks
5.1 Theoretical Results
5.2 Implementations and Practical Considerations
6 Mixed-Criticality Scheduling of Parallel Tasks
7 Summary
References

J. Li
New Jersey Institute of Technology, Newark, NJ, USA

K. Agrawal · C. Lu
Washington University in St. Louis, St. Louis, MO, USA

© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_28


J. Li et al.

Abstract

This chapter of the survey provides a basic introduction to real-time scheduling for parallel tasks on multicore platforms and gives an overview of the relevant results. Parallel real-time tasks are tasks that can use multiple cores at the same time and can therefore complete more computation than sequential tasks under the same real-time constraints. For parallel real-time systems, researchers have studied three types of scheduling strategies: decomposition-based scheduling, global scheduling, and federated scheduling. The survey summarizes the results for these three types of scheduling strategies, including results for different parallel task models, different response time analyses, and theoretical bounds, as well as system implementations and empirical evaluations. In addition, the survey covers some work on mixed-criticality systems that have parallel tasks.

1 Introduction

During the last decade, the increase in performance of processor chips has come primarily from increasing numbers of processors and cores. This has led to extensive work on real-time scheduling techniques that can exploit multicore and multiprocessor systems. Most prior work has concentrated on inter-task parallelism, where each task runs sequentially (and therefore can only run on a single processor) and multiple processors are exploited by increasing the number of tasks. This type of scheduling is called multiprocessor scheduling.

When a model is limited to inter-task parallelism, jobs can only be executed sequentially and use one processor at a time. Hence, the system can only exploit parallelism by running multiple jobs simultaneously on a multiprocessor system. Therefore, increasing the number of processors allows us to increase the number of jobs the system can schedule, but the computational requirement of a single job is still limited by the capacity of a single processor. For example, in real-time hybrid simulation (Ferry et al. 2013), the degree of accuracy of analyzing a building’s structural properties is based on a numerical model. Hence, when the experiment needs to be executed at a high sampling frequency, the model must be simplified (at the cost of increased modeling error) in order to meet deadlines in a system with only inter-task parallelism, no matter how many processors are available on the machine.

However, many of today’s real-time applications, such as those in autonomous vehicles, robotics, video games, and real-time clouds, have increasingly complex functionalities, which results in a significant increase in their computational demands. To complete higher computational demands within the same or even more stringent timing constraints, real-time systems must exploit intra-task parallelism, where individual tasks are parallel programs and can potentially utilize more than one processor in parallel.
Scheduling a single parallel program has been studied extensively in the parallel computing literature. Many languages and libraries, such as Cilk (Blumofe et al.

12 Parallel Real-Time Scheduling

1996), Intel Cilk Plus (CilkPlus 2013), Intel Threading Building Blocks (Reinders 2010), OpenMP (2013), Microsoft’s Task Parallel Library (Leijen et al. 2009), and IBM X10 (Tardieu et al. 2012), have been designed to allow programmers to write parallel programs. Using these languages, the programmers only need to express algorithmic parallelism, but do not need to provide any mapping from subcomputations to processors – it is the job of the parallel runtime systems to execute the work of each job on multiple processors efficiently. Parallel programs under this approach are also known as dynamic multithreaded programs.

In a parallel real-time system, multiple parallel applications share the common multiprocessor platform and demand different real-time guarantees. The fundamental research question in this area is how to design, analyze, and implement parallel real-time scheduling strategies that can exploit the internal parallelism of real-time tasks and efficiently utilize the multiprocessor machines. This survey covers the research results on parallel real-time scheduling, from different parallel task models to different scheduling strategies.

Modeling Parallel Real-Time Tasks

One of the most fundamental issues when considering the real-time scheduling of parallel applications is how we model the parallel tasks. In real-time scheduling, the execution requirement of a sequential task is typically modeled using a single parameter, namely its worst-case execution time (WCET) on a single processor. However, for a parallel task, such a single parameter is no longer sufficient, since the execution time of a parallel program on some number of processors, say p, depends on the actual structure of dependencies between the various parts of the parallel task. Making things more complex, one cannot infer the execution time of the parallel program on p processors if we only know the execution time on p’ processors (e.g., the WCET on one processor).
Given these complications, there are two fundamental ways in which researchers have modeled parallel programs. The early works on parallel real-time scheduling used a fully specified or structural model of the parallel tasks. In these works, the schedulability analysis (and the scheduler) knows and makes use of the exact structure of dependencies of parallel tasks. For instance, a parallel task can be modeled as a directed acyclic graph (DAG) where each node is a sequential strand of computation and each edge represents the dependency between the two connected nodes. Under the fully specified DAG model, the worst-case execution time of each node, together with the exact and fixed DAG structure, is specified and used in the schedulability analysis. In addition to the general DAG structure, there are also some schedulers designed for certain types of parallel structures, which follow certain restrictions. More details about these modeling differences are explained in Sect. 2.

Another model that can be used when analyzing schedulers for parallel real-time tasks is the parameterized model (also called the measurement-based model in Agrawal and Baruah (2018)). In this model, the schedulability analysis and the scheduler do not know the entire structure of dependencies of a parallel task before execution. Instead, they know only a small number of parameters of a parallel task. Typically, the model assumes knowledge of only two parameters: the worst-case work (total execution time) – the worst-case execution time of a task on one processor, and the worst-case critical-path length (span) – the worst-case execution time of

J. Li et al.

the task on an infinite number of processors. The schedulability analysis and the scheduler must decide how to schedule the parallel real-time tasks only given these two parameters without knowing the actual structures of the tasks.

There are pros and cons of both models. On the one hand, the parameterized model introduces some pessimism, by definition, since it does not have full information and must assume the worst-case structure of dependencies given particular values of the parameters. On the other hand, it is often more robust since each job of a particular task can have different structures during runtime, as long as the actual work and span of each job are below the worst-case values. In addition, it is typically expensive to define each task in terms of its full structural complexity and it is not clear how to extract this structural information from a given parallel application. In contrast, the parameters of the parameterized model can often be inferred using extensive measurements.

Scheduling Strategies

The earliest work for scheduling parallel real-time tasks develops a technique called task decomposition, to directly apply the analysis of multiprocessor scheduling of sequential real-time tasks. In this line of research, parallel tasks are decomposed into a set of sequential subtasks. Since each subtask is properly assigned an intermediate release time and a subdeadline, its precedence relation in the original parallel structure is implicitly maintained. Therefore, known scheduling strategies and analyses for scheduling sequential tasks on multiprocessor machines can be used directly on these subtasks. This survey discusses results on different decomposition-based schedulers in Sect. 3.

More recently, there has been a lot of effort in designing and analyzing schedulers that can execute parallel tasks without decomposition. Classic global schedulers, such as global earliest deadline first and global rate monotonic schedulers, have been studied for parallel tasks with different parallel structures; these results are summarized in Sect. 4. After summarizing the results on global schedulers, in Sect. 5 this survey introduces studies on a new scheduling paradigm, namely federated scheduling, which is the generalization of partitioned scheduling to parallel real-time tasks. This is followed by the results on mixed-criticality systems with parallel tasks, which are covered in Sect. 6.

2 Models of Parallel Real-Time Tasks

First, this section provides a brief introduction to the different parallel real-time task models used in parallel real-time scheduling research.

2.1 Parallel Job Model

In real-time systems, parallel programs can be written using parallel languages and libraries, such as Cilk (Blumofe et al. 1996), Intel Cilk Plus (CilkPlus 2013), Threading Building Blocks (Reinders 2010), OpenMP (OpenMP 2013), Microsoft’s Task Parallel Library (Leijen et al. 2009), and IBM X10 (Tardieu et al. 2012). In these languages, the programmer expresses algorithmic parallelism through linguistic constructs such as “spawn” and “sync,” “fork” and “join,” or parallel-for loops. Exploiting the algorithmic parallelism, these parallel programs can be executed on multiple processors (cores) simultaneously to complete more computation within the same time than sequential programs.

These programs can be modeled using directed acyclic graphs (DAGs). Each node (subtask) in the DAG represents a sequence of instructions and each edge represents a dependency between nodes. A node (subtask) is ready to be executed when all its predecessors have been executed. Multiple ready nodes for the same job can be scheduled simultaneously, but each core can only execute one node at a time. A job is completed only once all of the nodes in its DAG have been completely processed. Figure 1 shows an example DAG job with six nodes.

Most research in this area adopts the parameterized model, which assumes that the scheduler knows the ready nodes for a job at a point in time, but does not know the DAG structure a priori; the DAG unfolds dynamically as the job executes. Therefore, it is not necessary to build the analysis based on the specific structure of the DAG. Instead, only two parameters related to the execution pattern of job Ji are defined:

• Total execution time (or work) Ci of job Ji: This is the summation of the execution times of all the subtasks of job Ji.
• Critical-path length (or span) Li of job Ji: This is the length of the critical path in the given DAG. Critical-path length is the execution time of the job on an infinite number of cores. Note that by this definition, the critical-path length of a sequential job is equal to its work.

Figure 1 shows an example of a DAG job with the critical path annotated by the dashed line.

Fig. 1 A directed acyclic graph (DAG) job J1 with six nodes. The execution time of each node is annotated in the center of the node. The total work C1 is the sum of the execution times of all nodes, which is 12. The critical-path, that is, the longest path in the DAG, is annotated using the dashed line. The critical-path length L1 is 10
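The work and span parameters, and the earlier remark that the running time on p processors cannot be inferred from the time on one processor, can be checked on small graphs. The following is an added illustration, not taken from the handbook; the node times of Fig. 1 are not recoverable here, so the six-node DAG below is constructed to match its stated totals (work 12, span 10), and all function names are hypothetical.

```python
import heapq
from collections import deque


def _graph(wcet, edges):
    """Successor lists and in-degrees for a DAG given as (u, v) edges, u before v."""
    succ = {v: [] for v in wcet}
    indeg = {v: 0 for v in wcet}
    for u, v in edges:
        succ[u].append(v)
        indeg[v] += 1
    return succ, indeg


def work_and_span(wcet, edges):
    """Return (work C, span L): sum of node times and longest path length."""
    succ, indeg = _graph(wcet, edges)
    earliest = {v: 0 for v in wcet}            # longest path length leading up to v
    ready = deque(v for v in wcet if indeg[v] == 0)
    span, seen = 0, 0
    while ready:                               # Kahn's topological traversal
        u = ready.popleft()
        seen += 1
        finish = earliest[u] + wcet[u]
        span = max(span, finish)
        for v in succ[u]:
            earliest[v] = max(earliest[v], finish)
            indeg[v] -= 1
            if indeg[v] == 0:
                ready.append(v)
    if seen != len(wcet):
        raise ValueError("dependency graph contains a cycle")
    return sum(wcet.values()), span


def greedy_makespan(wcet, edges, cores):
    """Completion time when ready nodes are run greedily on `cores` cores."""
    if cores < 1:
        raise ValueError("need at least one core")
    work_and_span(wcet, edges)                 # rejects cyclic input
    succ, indeg = _graph(wcet, edges)
    ready = deque(v for v in wcet if indeg[v] == 0)
    running = []                               # min-heap of (finish time, node)
    now = 0
    while ready or running:
        while ready and len(running) < cores:  # a node is ready once all predecessors ran
            u = ready.popleft()
            heapq.heappush(running, (now + wcet[u], u))
        now, u = heapq.heappop(running)        # advance to the next completion
        for v in succ[u]:
            indeg[v] -= 1
            if indeg[v] == 0:
                ready.append(v)
    return now


# Constructed sample jobs, all with work 12 (so all take 12 time units on one core).
JOBS = {
    # six nodes, critical path a -> b -> c -> d of length 10, like the totals of Fig. 1
    "fig1_like": ({"a": 2, "b": 3, "c": 4, "d": 1, "e": 1, "f": 1},
                  [("a", "b"), ("b", "c"), ("c", "d"),
                   ("a", "e"), ("a", "f"), ("e", "d"), ("f", "d")]),
    # fully sequential job: span equals work
    "chain": ({f"n{i}": 2 for i in range(6)},
              [(f"n{i}", f"n{i + 1}") for i in range(5)]),
    # one parallel-for segment with six independent iterations
    "flat": ({f"n{i}": 2 for i in range(6)}, []),
}


def compare_structures(cores=2):
    """Map job name -> (work, span, time on 1 core, time on `cores` cores)."""
    result = {}
    for name, (wcet, edges) in JOBS.items():
        work, span = work_and_span(wcet, edges)
        result[name] = (work, span,
                        greedy_makespan(wcet, edges, 1),
                        greedy_makespan(wcet, edges, cores))
    return result
```

All three jobs need 12 time units on one core, yet finish after 10, 12 and 6 time units on two cores, which is why a single WCET value is not enough to describe a parallel task.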

Both the work and critical-path length of a job can be measured by profiling tools. For example, both parameters of a Cilk Plus program can be measured using Cilkview (He et al. 2010) or Cilkprof (Schardl et al. 2015). In general, parallel programs can have arbitrary DAG structures. In real-time scheduling, researchers have given special consideration to a subset of DAGs, where the programs only use the parallel-for construct and do not nest these parallel-for loops. This restriction generates a special type of DAG, which is called synchronous DAG. Each parallel for-loop is represented by a segment – a segment contains a set of nodes (subtasks) that can be executed in parallel with each other. The end of each segment is a synchronization point and the next segment can begin only after all subtasks of the current segment are completed. A sequential region of code is simply a segment with one subtask. Each synchronous job is a sequence of such segments. Synchronous jobs are also called Fork/Join jobs in some publications. Figure 2 shows an example of a synchronous job with five segments; two of them are parallel segments, and the remaining three are sequential segments. This synchronous structure can be generated from a simple program shown in Fig. 3, where parallel-for constructs can be Cilk Plus’ cilk_for constructs or OpenMP’s omp for directives.

Fig. 2 A synchronous task with two parallel-for loops. The execution time of each node is annotated in the center of the node. The second segment contains 20 nodes

main() {
  // Do some sequential work
  foo();
  // Do the first parallel segment
  parallel_for (i = 1; i

Di, we can evaluate this test in pseudo-polynomial time. From Theorem 3 it is also clear that the FP-schedulability problem for implicit or constrained deadlines is in NP because a collection of small fixed points for Eq. 9 serves as a polynomial-time verifiable witness of schedulability.

For arbitrary deadlines, there are no pseudo-polynomial-time tests known, but Theorem 4 provides a test that can be evaluated in exponential time because Ni will never be larger than the number of jobs from τi in a single hyper-period assuming U(τ) ≤ 1 and for Eq. 11 it is enough to consider integer values of t. While not stated by Lehoczky (1990), it is not difficult to see from Theorem 4 that the FP-schedulability problem with arbitrary deadlines must be in the complexity class $\Pi_2^P$ at the second level of the polynomial hierarchy. (To see this, note that a task set τ is schedulable if for all τi ∈ τ and for all k ≤ Ni there exists a value for t such that the expression in Eq. 11 is small enough.)

It can be noted that these upper bounds hold both if we ask about the FP-schedulability of a task set τ with a given priority ordering or if we ask whether there exists a priority ordering with which τ is FP-schedulable. The reason the upper bounds hold in both cases is that it is possible to identify a priority ordering for which a task set is FP-schedulable with little overhead if one exists. In the case with implicit or constrained deadlines, we know that rate-monotonic (RM) and deadline-monotonic (DM) are optimal, respectively (Liu and Layland 1973; Leung and Whitehead 1982). With arbitrary deadlines we can use the general

14 Complexity of Uniprocessor Scheduling Analysis

method of Audsley (1991) together with the test from Theorem 4 to generate a priority ordering. Theorem 5 gives a polynomial-time test for the narrow special case of task sets with implicit deadlines, RM priority ordering, and utilization bounded from above by $\lim_{n\to\infty} n(2^{1/n} - 1) = \ln 2 \approx 0.693$.

2.1.2 Lower Bounds

We will now summarize the lower bounds known on the complexity of these problems. For EDF-schedulability, these lower bounds come from Ekberg and Yi (2015a, b), where the former deals with the general case and the latter with the special case with bounded utilization. (The first of these subsumes prior results by Eisenbrand and Rothvoß 2010.)

Theorem 6 (Ekberg and Yi 2015b). The problem of deciding whether a task set of synchronous periodic or sporadic tasks with constrained or arbitrary deadlines is EDF-schedulable (or, equivalently, feasible) on a preemptive uniprocessor is strongly coNP-hard.

Theorem 7 (Ekberg and Yi 2015a). The problem of deciding whether a task set of synchronous periodic or sporadic tasks with constrained or arbitrary deadlines and utilization bounded by any constant c, where 0 < c < 1, is EDF-schedulable (or, equivalently, feasible) on a preemptive uniprocessor is weakly coNP-hard.

The above result of Ekberg and Yi (2015b) was achieved by relating the EDF-schedulability problem to the simultaneous congruences problem (SCP). SCP is a number theoretic decision problem that was first used by Leung and Whitehead (1982) to show lower bounds on the complexity of FP-schedulability for asynchronous periodic tasks. Leung and Whitehead (1982) showed that SCP is weakly NP-complete by a reduction from CLIQUE, but this result was later improved by Baruah et al. (1990b) who showed that SCP is in fact strongly NP-complete by an alternative reduction from 3-SAT. Ekberg and Yi (2015b) presented a pseudo-polynomial transformation (as defined by Garey and Johnson (1978)) from SCP to the complement of the EDF-schedulability problem, which demonstrated the strong coNP-hardness of EDF-schedulability. This holds even if all tasks have unit execution times (i.e., Ci = 1 for all τi ∈ τ). Combined with the upper bound provided by Theorem 2, we can conclude that this problem is strongly coNP-complete. Eisenbrand and Rothvoß (2010) had previously shown weak coNP-hardness for the EDF-schedulability problem by relating it to inapproximability results of Diophantine approximation.

The strong coNP-hardness of the EDF-schedulability problem for constrained and arbitrary deadlines means it cannot have a pseudo-polynomial-time test unless P = NP. However, from Theorem 2 we know that this problem does have a pseudo-polynomial-time test in the special case restricted to task sets with utilization bounded by a constant c, where c < 1. Ekberg and Yi (2015a) showed that this restricted case is weakly coNP-hard for any choice of c such that 0 < c < 1

P. Ekberg and W. Yi

and therefore that the pseudo-polynomial-time test is in a sense the best possible unless P = NP. This result was achieved by reducing the general case of the EDF-schedulability problem to the restricted case with bounded utilization. This reduction causes an exponential blowup of numerical task parameters, which is why it shows only weak coNP-hardness for the special case even though the general case is strongly coNP-hard.

For FP, the best-known lower bounds come from Ekberg and Yi (2017).

Theorem 8 (Ekberg and Yi 2017). The problem of deciding whether a task set of synchronous periodic or sporadic tasks is FP-schedulable on a preemptive uniprocessor is weakly NP-hard, even if restricted to either of the following special cases.

1. Implicit deadlines and RM priority ordering.
2. Constrained deadlines, DM priority ordering and utilization bounded by constant c, such that 0 < c < 1.

This result was found by reducing the special case of the EDF-schedulability problem with bounded utilization to the complement of the FP-schedulability problem, exploiting a duality which exists between the conditions in Eqs. 3 and 8 when tasks have pairwise coprime periods. An intermediate result of Ekberg and Yi (2017) was to show that the EDF-schedulability problem with bounded utilization remains hard when restricted to such periods. As the RM and DM priority orderings are optimal in these settings, a corollary of the above is that the FP-schedulability problem is NP-hard also if we ask if there exists a priority ordering with which the task set is schedulable.

From Theorems 3 and 8, we can conclude that the FP-schedulability problem is weakly NP-complete for implicit and constrained deadlines. We can therefore conclude that the pseudo-polynomial-time test yielded by Theorem 3 is in a sense the best possible. Membership in NP is not known for arbitrary deadlines, so in that case there is a gap between upper and lower bounds. Theorem 8 also tells us that FP-schedulability remains hard even with bounded utilization as long as deadlines are constrained or arbitrary, mirroring the case for EDF. For the case with implicit deadlines and utilization bounded by a constant c, Theorem 5 gives a trivial polynomial-time algorithm for FP-schedulability when c ≤ ln 2 and RM priority ordering is used. It remains open if it can also be solved in polynomial time for ln 2 < c < 1 or for other priority orderings.

2.1.3 Other Results

In addition to the upper and lower bounds described above, there are many other interesting results known. Here we review some of them. Eisenbrand and Rothvoß (2008) showed that for FP-scheduling, it is not even possible to approximate the worst-case response time (i.e., the smallest fixed point Ri in Eq. 9) of a given task within a constant factor unless P = NP. However, this does not imply the NP-hardness of FP-schedulability testing (though this was
later shown to be the case by Ekberg and Yi 2017) as the reduction used to show the hardness of such approximation can construct higher-priority tasks that are themselves clearly unschedulable. For another type of approximation, where the approximated quantity is the speed of the processor, Albers and Slomka (2004) and Fisher and Baruah (2005) gave fully polynomial-time approximation schemes for schedulability testing with EDF and FP, respectively. Given a task set of n tasks and a constant , where 0 <  < 1, these tests correctly identify in time bounded by a polynomial in n/ any task sets that are unschedulable on a unit-speed processor as well as any task sets that are schedulable on a slower processor of speed 1 − . Task sets that are schedulable on a unit-speed processor but not on a (1 − )-speed processor may be misclassified as unschedulable. Task sets are called harmonic if for each pair of tasks, the period of one task divides the period of the other. Bonifaci et al. (2013) presented polynomial-time schedulability tests for both EDF and FP for harmonic task sets with constrained deadlines.

2.2 Asynchronous Periodic Tasks

As asynchronous periodic tasks are a generalization of synchronous periodic tasks, their schedulability problems must be at least as hard, and therefore all the lower bounds from the previous section carry over here. At the same time, we know that the job sequence generated by a synchronous periodic task set is at least as difficult to schedule for both EDF and FP as the job sequence generated by a corresponding asynchronous periodic task set on a preemptive uniprocessor. By a corresponding asynchronous task set we mean a task set with exactly the same parameters, except it may have non-zero offsets. From this it follows that any schedulability test for synchronous periodic (or sporadic) tasks is still sufficient, but not necessarily exact, for asynchronous periodic tasks. In fact, the only test described in the previous section that remains exact for asynchronous periodic tasks is that of Theorem 1 for EDF-schedulability of task sets with implicit deadlines. (We know it must be sufficient, and its condition clearly remains necessary.) For EDF-schedulability with constrained and arbitrary deadlines, Baruah et al. (1990b) also gave an exact test for the asynchronous case that is very similar to the test of Theorem 2 for synchronous periodic and sporadic tasks.

Theorem 9 (Baruah et al. 1990b). A task set τ of asynchronous periodic arbitrary-deadline tasks is EDF-schedulable (or, equivalently, feasible) on a preemptive uniprocessor if and only if U(τ) ≤ 1 and ∀t1, t2 ∈ {0, 1, . . . , B} such that t1 < t2,

$$\mathrm{dbf}(\tau, t_1, t_2) \le t_2 - t_1, \tag{13}$$

where

$$\mathrm{dbf}(\tau, t_1, t_2) \stackrel{\text{def}}{=} \sum_{\tau_i \in \tau} \max\left(0, \left\lfloor \frac{t_2 - O_i - D_i}{T_i} \right\rfloor - \max\left(0, \left\lceil \frac{t_1 - O_i}{T_i} \right\rceil\right) + 1\right) C_i \tag{14}$$

is the demand bound function of τ in the time interval [t1, t2] and where

$$B \stackrel{\text{def}}{=} \max\{O_i \mid \tau_i \in \tau\} + 2P(\tau). \tag{15}$$
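Theorem 9 written as an executable check, added here as an illustration and not taken from the handbook. It assumes that P(τ) is the hyper-period (least common multiple of the periods) and that U(τ) is the sum of Ci/Ti, neither of which is defined in this excerpt; the Task tuple, the function names and the sample task sets are constructed for the example.

```python
from collections import namedtuple
from fractions import Fraction
from functools import reduce
from math import gcd

# Asynchronous periodic task: offset O, WCET C, relative deadline D, period T
# (all natural numbers). Job k >= 0 is released at O + k*T, deadline O + k*T + D.
Task = namedtuple("Task", "O C D T")


def hyperperiod(tasks):
    """P(tau), assumed to be the least common multiple of all periods."""
    return reduce(lambda a, b: a * b // gcd(a, b), (t.T for t in tasks), 1)


def dbf(tasks, t1, t2):
    """Eq. 14: total WCET of jobs released at or after t1 with deadline at or before t2."""
    demand = 0
    for t in tasks:
        last = (t2 - t.O - t.D) // t.T          # floor((t2 - O - D) / T)
        first = max(0, -((t.O - t1) // t.T))    # max(0, ceil((t1 - O) / T))
        demand += max(0, last - first + 1) * t.C
    return demand


def edf_schedulable(tasks):
    """Exact test of Theorem 9.

    Returns (True, None) if the task set is EDF-schedulable, otherwise
    (False, witness) where witness is "U > 1" or a violating (t1, t2, demand).
    """
    if sum(Fraction(t.C, t.T) for t in tasks) > 1:
        return False, "U > 1"
    bound = max(t.O for t in tasks) + 2 * hyperperiod(tasks)   # Eq. 15
    for t1 in range(bound):
        for t2 in range(t1 + 1, bound + 1):
            demand = dbf(tasks, t1, t2)
            if demand > t2 - t1:                               # Eq. 13 violated
                return False, (t1, t2, demand)
    return True, None


# Constructed samples: the same two tasks, once released together and once
# with the second task offset by one time unit.
SYNCHRONOUS = [Task(O=0, C=1, D=1, T=2), Task(O=0, C=1, D=1, T=2)]
ASYNCHRONOUS = [Task(O=0, C=1, D=1, T=2), Task(O=1, C=1, D=1, T=2)]


def demo():
    """Schedulability verdicts for the two constructed task sets."""
    return edf_schedulable(SYNCHRONOUS), edf_schedulable(ASYNCHRONOUS)
```

The synchronous set fails in the interval [0, 1] while the offset version passes, so the synchronous test is only sufficient for asynchronous tasks. The double loop inspects on the order of B² intervals, and B grows with the hyper-period rather than with the size of the task parameters.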

This theorem clearly demonstrates that the EDF-schedulability problem for asynchronous periodic tasks is also in coNP. A major difference between Theorems 2 and 9 is that we here have to consider all possible time intervals contained in [0, B], while for Theorem 2 we implicitly only considered time intervals starting at time point zero. In terms of our complexity classification, however, the important difference is that the value of B here is not bounded by any polynomial function in the size of the representation of τ and its largest numerical parameter, which is the case in Theorem 2 when restricted to the special case of task sets with utilization bounded by a constant c < 1. Theorem 9 therefore does not provide any pseudo-polynomial-time test, even in the case with bounded utilization. Indeed, Baruah et al. (1990b) showed that even the bounded case of this problem is strongly coNP-hard. Leung and Merrill (1980) had already shown that it was weakly coNP-hard by reducing the simultaneous congruences problem (SCP) to the complement of it. At the time, SCP was only known to be weakly NP-hard, but this was improved to strong NP-hardness by Baruah et al. (1990b). In combination with the previous reduction of Leung and Merrill (1980), which does not cause exponential blowup of numerical parameters, the strong coNP-hardness of the EDF-schedulability problem followed.

Theorem 10 (Leung and Merrill 1980; Baruah et al. 1990b). The problem of deciding whether a task set of asynchronous periodic tasks with constrained or arbitrary deadlines and utilization bounded by any constant c, where 0 < c < 1, is EDF-schedulable (or, equivalently, feasible) on a preemptive uniprocessor is strongly coNP-complete.

For FP, the complexity of the schedulability problems in all the cases in Fig. 2 is still open, though we have some bounds already. Because Theorem 5 must still provide a sufficient condition, the case with implicit deadlines and utilization bounded by a constant c remains easy as long as we have RM priorities and c ≤ ln 2. All other cases in Fig. 2 must be NP-hard as the lower bounds of Ekberg and Yi (2017) are carried over from the synchronous periodic case. In addition, these same problems are also coNP-hard, as was shown by Leung and Whitehead (1982). Similar to the case with EDF, Leung and Whitehead (1982) first demonstrated weak coNP-hardness by a reduction from SCP. Their result is easily improved to strong coNP-hardness given that Baruah et al. (1990b) have since shown SCP to be strongly NP-hard. While not stated by Leung and Whitehead

| | | Implicit deadlines (Di = Ti) | Constrained deadlines (Di ≤ Ti) | Arbitrary deadlines (Di, Ti unrelated) |
|---|---|---|---|---|
| FP | Arbitrary utilization | In EXP. Weakly NP-hard and strongly coNP-hard | In EXP. Weakly NP-hard and strongly coNP-hard | In EXP. Weakly NP-hard and strongly coNP-hard |
| FP | Utilization bounded by a constant c | In EXP. In P for c ≤ ln 2 and RM priorities | In EXP. Weakly NP-hard and strongly coNP-hard for 0 < c < 1 | In EXP. Weakly NP-hard and strongly coNP-hard for 0 < c < 1 |
| EDF / feasibility | Arbitrary utilization | In P | Strongly coNP-complete | Strongly coNP-complete |
| EDF / feasibility | Utilization bounded by a constant c | In P | Strongly coNP-complete | Strongly coNP-complete |

Fig. 2 State of the art in the complexity of preemptive schedulability problems for asynchronous periodic tasks. Darker cells have open problems

(1982), it is not difficult to see from their proofs that their results apply also to the case with bounded utilization if deadlines are constrained or arbitrary.

Theorem 11 (Leung and Whitehead 1982; Baruah et al. 1990b). The problem of deciding whether a task set of asynchronous periodic tasks is FP-schedulable with a given priority ordering on a preemptive uniprocessor is strongly coNP-hard, even if restricted to (i) implicit deadlines or (ii) constrained deadlines and utilization bounded by a constant c, such that 0 < c < 1.

As seen above, most of the FP-schedulability problems for asynchronous periodic tasks are both NP-hard and coNP-hard. It therefore seems unlikely any of them are NP- or coNP-complete as that would imply NP = coNP. (It is unknown if NP = coNP, but it is generally conjectured that NP ≠ coNP.) The FP-schedulability of asynchronous periodic tasks can be tested in exponential time, even for arbitrary deadlines as shown by Goossens (1999). For a task set τ, this
essentially amounts to computing the response times of all jobs up to time point max{Oi | τi ∈ τ } + 2P(τ ).

3 Task Models with Complex Job-Release Patterns

Here we consider task models where tasks can generate more complex job sequences than those generated by sporadic tasks but where each job J is still an independent unit of work expressed by a release time r, a worst-case execution time c, and an absolute deadline d. The task models considered in this section form a hierarchy with respect to their expressiveness. We say that a task model MA generalizes a task model MB if there exists a (total) function f mapping tasks from model MB to model MA, such that for any task τ of model MB, the set of possible job (sub-)sequences generated by τ and f(τ) are exactly the same, modulo dummy jobs with zero execution time. Intuitively, this means that anything that can be modeled in MB can also be modeled in MA, making the latter at least as expressive. Such a generalization relation must be transitive. For any pair of the task models considered in this section where such a mapping f is known, f can easily be computed in polynomial time. Consequently, if MA generalizes MB, any upper bounds on the computational complexity of schedulability problems for MA can also be applied to MB, while any lower bound for MB can be applied to MA.

The following is a list of the task models that we fit into a hierarchy, with the abbreviations that we will use for them. The list does not try to be exhaustive with respect to the task models that could be included.

MF: The multiframe task model (Mok and Chen 1997)
GMF: The generalized multiframe task model (Baruah et al. 1999)
ncGMF: The noncyclic GMF task model (Tchidjo Moyo et al. 2010)
RB: The recurring branching task model (Baruah 1998)
RRT: The recurring real-time task model (Baruah 2003)
ncRRT: The noncyclic RRT task model (Baruah 2010)
DRT: The digraph real-time task model (Stigge et al. 2011b)
EDRT: The extended DRT task model (Stigge et al. 2011a)

We will not describe the syntax and semantics of each of these task models. Most of them can be readily understood as graph-based task models restricted to particular classes of graphs. We refer the reader to the survey of Stigge and Yi (2015) for more details. In addition, we include sporadic tasks with implicit, constrained, and arbitrary deadlines. We also include a restricted case of EDRT, called k-EDRT, which only allows tasks with at most k “global” constraints, for a constant k. The k-EDRT task model is relevant because it is the most general in this hierarchy that has efficient

Fig. 3 A hierarchy of task models. Here we have lifted some restrictions on the relation between different task parameter values and also assume that those parameters are natural numbers. (Figure adapted from Stigge 2014)

schedulability tests in some settings (Stigge et al. 2011a). Another interesting property of k-EDRT is that it generalizes RRT already for k = 1. The hierarchy of task models is captured by Fig. 3, where an arrow from task model MB to MA means that MA generalizes MB . For the sake of brevity, we have here lifted restrictions on the relation of task parameter values that were assumed in some of the original formulations of these task models, so that most of them here generalize arbitrary-deadline sporadic tasks. We assume that the numerical task parameters in all models are natural numbers. Some were originally specified with real numbers as parameters, but this is not a good choice if we want to reason about their related computational problems.

3.1 EDF-Schedulability

Because tasks in all these task models generate independent jobs in a way that is unaffected by scheduling decisions, EDF is still an optimal scheduling algorithm (Dertouzos 1974). Many of the papers in which these task models are presented also give EDF-schedulability tests, but thanks to the hierarchy in Fig. 3, a few of those subsume the rest in terms of complexity classification. Most of the EDF-schedulability tests use some variant of the test in Theorem 2 based on demand bound functions, with a bound on the time intervals to test that is basically an extension of B2 in Eq. 7. This often provides pseudo-polynomial-time tests when restricted to task sets τ with U(τ) ≤ c, for a constant c < 1. However, for many of the task models, there is no alternative presented to bound B1 in Theorem 2. As a consequence, these tests only target the case with bounded utilization and may not work at all if U(τ) = 1 where a bound like B2 is not defined. In the following, for the complexity of EDF-schedulability, we only consider the case that is restricted to task sets with utilization bounded by a constant c, where 0 < c < 1.

Figure 4 shows the best-known upper and lower bounds on the complexity of the EDF-schedulability problem with bounded utilization for task models in the hierarchy. The upper bounds can be found in three places (subsuming previous bounds). First, there is the (trivial) polynomial-time test of Liu and Layland (1973) for implicit-deadline sporadic tasks. Second, there is the pseudo-polynomial-time test for k-EDRT task sets for any constant k by Stigge et al. (2011a), which yields tests of the same complexity for all task sets generalized by k-EDRT. Last, the EDF-schedulability problem for RB task sets is in coNP. This was not stated by Baruah (1998) but follows easily from the test described. It is an open problem whether the EDF-schedulability problems for more general task models are also in coNP. The bounds for P and coNP in Fig. 4 would hold also without the restriction to bounded utilization, but the bound for pseudo-polynomial time would not hold assuming P ≠ NP.

The lower bounds on the complexity of the EDF-schedulability problem with utilization bounded by c come from two sources. First, Stigge et al. (2011a) show that it is strongly coNP-hard for the EDRT task model, for any c where 0 < c < 1. It can be noted that this result also holds when the EDRT task model is restricted to the equivalent of constrained deadlines. Second, from Ekberg and Yi (2015a), we know that the problem is weakly coNP-hard already for constrained-deadline sporadic task sets and for any 0 < c < 1 (see Theorem 7). From Ekberg and Yi

[Figure 4: the task-model hierarchy (k-EDRT, EDRT, DRT, RRT, ncRRT, RB, ncGMF, GMF, MF, and arbitrary-, constrained- and implicit-deadline sporadic), drawn twice. Left panel regions: polynomial time, pseudo-polynomial time, coNP, exponential time. Right panel regions: weakly coNP-hard, strongly coNP-hard.]

Fig. 4 Currently best-known upper bounds (left) and lower bounds (right) on the complexity of the EDF-schedulability problem (or, equivalently, the feasibility problem) when restricted to task sets with utilization bounded by a constant c < 1

(2015b), we also know that the EDF-schedulability problem is strongly coNP-hard already for constrained-deadline sporadic task sets and up if we do not bound the utilization by a constant.
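The demand-bound test discussed above, as an added example for plain sporadic tasks (not code from the chapter). Theorem 2 and Eq. 7 are not reproduced in this section, so the interval bound used here is the standard one from the literature and is assumed to correspond to B2; the hyperperiod fallback for U = 1 and the task sets are likewise constructed for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction
from functools import reduce
from math import floor, gcd


@dataclass(frozen=True)
class Task:
    wcet: int      # C: worst-case execution time
    deadline: int  # D: relative deadline
    period: int    # T: minimum inter-arrival time


def utilization(tasks):
    """U = sum of C/T, kept exact with fractions."""
    return sum(Fraction(tk.wcet, tk.period) for tk in tasks)


def dbf(task, t):
    """Demand bound function: the most execution time that jobs of `task`
    with both release and deadline inside a window of length t can need."""
    if t < task.deadline:
        return 0
    return ((t - task.deadline) // task.period + 1) * task.wcet


def interval_bound(tasks):
    """Largest window length that has to be checked.

    For U < 1, any violation dbf(t) > t with t >= D_max satisfies
    t < sum((T - D) * C/T) / (1 - U); this is pseudo-polynomial once
    U <= c < 1 and grows without limit as U approaches 1.
    For U = 1 that expression is undefined, so fall back to
    hyperperiod + D_max, which can be exponential in the input size.
    """
    u = utilization(tasks)
    d_max = max(tk.deadline for tk in tasks)
    if u < 1:
        slack = sum((tk.period - tk.deadline) * Fraction(tk.wcet, tk.period)
                    for tk in tasks)
        return max(d_max, floor(slack / (1 - u)))
    hyperperiod = reduce(lambda a, b: a * b // gcd(a, b),
                         (tk.period for tk in tasks))
    return hyperperiod + d_max


def edf_schedulable(tasks):
    """Return (True, None), or (False, t) for the first window length t
    whose demand exceeds t. (False, None) means U > 1."""
    if utilization(tasks) > 1:
        return False, None
    limit = interval_bound(tasks)
    # The total demand only changes at absolute deadlines D + k*T of the
    # synchronous arrival sequence, so only those points are tested.
    points = sorted({tk.deadline + k * tk.period
                     for tk in tasks
                     for k in range((limit - tk.deadline) // tk.period + 1)})
    for t in points:
        if sum(dbf(tk, t) for tk in tasks) > t:
            return False, t
    return True, None


# Constructed sample task sets (C, D, T); not taken from the chapter.
FEASIBLE = [Task(1, 3, 4), Task(2, 5, 6), Task(3, 10, 12)]     # U = 5/6
OVERLOADED_WINDOW = [Task(2, 2, 5), Task(2, 3, 5)]             # U = 4/5
NEAR_FULL = [Task(1, 1, 2), Task(49, 50, 100)]                 # U = 99/100
FULL = [Task(1, 2, 2), Task(1, 2, 2)]                          # U = 1

if __name__ == "__main__":
    for name, ts in [("FEASIBLE", FEASIBLE),
                     ("OVERLOADED_WINDOW", OVERLOADED_WINDOW),
                     ("NEAR_FULL", NEAR_FULL),
                     ("FULL", FULL)]:
        print(name, "U =", utilization(ts),
              "bound =", interval_bound(ts),
              "result =", edf_schedulable(ts))
```

The NEAR_FULL set shows why the restriction to U ≤ c matters: with U = 99/100 the bound is already 25 times the hyperperiod of 100.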

3.2 FP-Schedulability


Schedulability testing for FP is generally harder than for EDF because exact tests seemingly need to consider a large number of combinations of concrete job sequences. In contrast to EDF, where the local worst case for each task is easily combined to a global worst case for the task set (e.g., by the summation in Eq. 4), exact FP-schedulability tests that have been presented for more general task models must try different combinations of per-task behaviors. This generally leads to tests with very high worst-case complexity. The best-known upper and lower bounds for FP-schedulability are shown in Fig. 5. For upper bounds, we have mainly the results from Theorem 3, which show that the problems for implicit- and constrained-deadline sporadic tasks are in NP and can be solved in pseudo-polynomial time. For the remaining task models, their FP-schedulability problems can be seen to be in EXP by arguments of exhaustive simulation. The lower bounds come from two sources. Ekberg and Yi (2017) show weak NP-hardness already for implicit-deadline sporadic tasks (see Theorem 8). Stigge (2014) shows strong coNP-hardness for the MF task model by a reduction from the complement of the strongly NP-complete 3-PARTITION problem. As can be seen in

[Figure 5: the same task-model hierarchy, drawn twice. Left panel regions: NP and pseudo-polynomial time, exponential time. Right panel regions: weakly NP-hard, strongly coNP-hard.]

Fig. 5 Currently best-known upper bounds (left) and lower bounds (right) on the complexity of the FP-schedulability problem

Fig. 5, the FP-schedulability problems for many task models are both NP-hard and coNP-hard and therefore cannot be in NP or coNP unless NP = coNP. Despite the high complexity of some of these task models, Stigge and Yi (2013) presented an FP-schedulability test for constrained-deadline DRT task sets based on the technique of iterated abstraction refinement. While this test has a high worst-case complexity, empirical evaluations by Stigge and Yi (2013) show that in practice it outperforms the pseudo-polynomial-time test for EDF-schedulability for the same task model.
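The pseudo-polynomial FP test for constrained-deadline sporadic tasks mentioned above, as an added example (not code from the chapter). Theorem 3 is not reproduced in this section, so the code uses the standard response-time recurrence of Joseph and Pandya (1986); deadline-monotonic priority assignment and the task sets are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    name: str
    wcet: int      # C: worst-case execution time
    deadline: int  # D: relative deadline, assumed D <= T
    period: int    # T: minimum inter-arrival time


def response_time(task, higher):
    """Least fixed point of R = C + sum(ceil(R / T_j) * C_j) over the
    higher-priority tasks, or None if it would exceed the deadline.

    R is an integer that strictly increases on every pass and never
    exceeds D inside the loop, so the loop runs at most D times: the
    cost depends on the numeric value of D, not on its bit length.
    """
    r = task.wcet
    while r <= task.deadline:
        # -(-a // b) is ceiling division for positive integers.
        interference = sum(-(-r // h.period) * h.wcet for h in higher)
        nxt = task.wcet + interference
        if nxt == r:
            return r
        r = nxt
    return None


def fp_analysis(tasks):
    """Worst-case response time per task under deadline-monotonic
    priorities (shorter relative deadline = higher priority).

    Returns {name: R}, with None for a task that can miss its deadline.
    """
    for tk in tasks:
        if tk.deadline > tk.period:
            raise ValueError(f"{tk.name}: the recurrence assumes D <= T")
    ordered = sorted(tasks, key=lambda tk: tk.deadline)
    return {tk.name: response_time(tk, ordered[:i])
            for i, tk in enumerate(ordered)}


def fp_schedulable(tasks):
    """True when every task's worst-case response time meets its deadline."""
    return all(r is not None for r in fp_analysis(tasks).values())


# Constructed sample task sets; not taken from the chapter.
MEETS_DEADLINES = [
    Task("a", 1, 3, 4),
    Task("b", 2, 5, 6),
    Task("c", 3, 10, 12),
]
MISSES_DEADLINE = [
    Task("x", 2, 5, 5),
    Task("y", 4, 7, 7),   # U is below 1, yet "y" cannot finish by 7
]

if __name__ == "__main__":
    for label, ts in [("MEETS_DEADLINES", MEETS_DEADLINES),
                      ("MISSES_DEADLINE", MISSES_DEADLINE)]:
        print(label, fp_analysis(ts), "schedulable:", fp_schedulable(ts))
```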

4 Conclusions

In this chapter we have reviewed the current state of the art in classifying the complexity of schedulability problems on preemptive uniprocessors. For the sake of brevity, the focus was on task models that generate simple independent jobs, though this only represents a part of the task models that have been considered in the literature. Task models with locked mutually exclusive resources or with self-suspensions are examples of models not considered here, although some results regarding their complexity are also known. Other models of workload can be seen to have schedulability problems that are equivalent to those of task models discussed in this chapter and so have the same complexity. An example of this is the scheduling of sporadic servers that in the right circumstances is equivalent to scheduling of ordinary periodic tasks, as shown by Sprunt et al. (1989).

A take-away from this review is the observation that almost all real-time schedulability problems, even very basic ones, are computationally intractable in some sense. Even so, many of these are routinely solved exactly. For example, the FP-schedulability problem for implicit-deadline sporadic tasks is (weakly) NP-complete, but despite this, very few seem to think that the response-time analysis of Theorem 3 is impractically slow, at least for offline analysis. Also EDF-schedulability of constrained-deadline sporadic tasks—a strongly coNP-complete problem—is often solved without any problems without a priori restricting it to task sets with utilization bounded by a constant. It seems therefore as if we should not automatically settle for approximate solutions to problems that we know are NP- or coNP-hard out of a concern for efficiency. Some of these problems are likely genuinely difficult to solve also in practice, but others may well allow practically efficient exact solutions.

Another take-away is that complexity does not end at NP or coNP. Many of the problems seen in this chapter, such as FP-schedulability for asynchronous periodic tasks or for task models that generalize the multiframe model, are known to be both NP- and coNP-hard. Assuming the widely held conjecture in complexity theory that NP ≠ coNP, these problems are not in NP or coNP. They may be hard for larger complexity classes, such as higher levels of the polynomial hierarchy or PSPACE. Actually pinpointing the complexity of these problems is a worthwhile effort.

Acknowledgments The authors want to thank Martin Stigge for helpful discussions on this topic.

References

K. Albers, F. Slomka, An event stream driven approximation for the analysis of real-time systems, in Proceedings of the 16th Euromicro Conference on Real-Time Systems (ECRTS), June 2004, pp. 187–195
N. Audsley, Optimal priority assignment and feasibility of static priority tasks with arbitrary start times. Technical report, University of York, England, 1991
S.K. Baruah, Feasibility analysis of recurring branching tasks, in Proceedings of the 10th Euromicro Workshop on Real-Time Systems (EWRTS), 1998, pp. 138–145
S.K. Baruah, Dynamic- and static-priority scheduling of recurring real-time tasks. Real-Time Syst. 24(1), 93–128 (2003)
S.K. Baruah, The non-cyclic recurring real-time task model, in Proceedings of the 31st Real-Time Systems Symposium (RTSS), 2010, pp. 173–182
S. Baruah, A.K. Mok, L.E. Rosier, Preemptively scheduling hard-real-time sporadic tasks on one processor, in Proceedings of the 11th Real-Time Systems Symposium (RTSS), 1990a, pp. 182–190
S. Baruah, L.E. Rosier, R.R. Howell, Algorithms and complexity concerning the preemptive scheduling of periodic, real-time tasks on one processor. Real-Time Syst. 2(4), 301–324 (1990b)
S. Baruah, D. Chen, S. Gorinsky, A.K. Mok, Generalized multiframe tasks. Real-Time Syst. 17, 5–22 (1999)
V. Bonifaci, A. Marchetti-Spaccamela, N. Megow, A. Wiese, Polynomial-time exact schedulability tests for harmonic real-time tasks, in Proceedings of the 34th Real-Time Systems Symposium (RTSS), Dec 2013, pp. 236–245
M.L. Dertouzos, Control robotics: the procedural control of physical processes, in Proceedings of the IFIP Congress, vol 74, 1974, pp. 807–813
F. Eisenbrand, T. Rothvoß, Static-priority real-time scheduling: response time computation is NP-hard, in Proceedings of the 29th Real-Time Systems Symposium (RTSS) (IEEE Computer Society, 2008), pp. 397–406
F. Eisenbrand, T. Rothvoß, EDF-schedulability of synchronous periodic task systems is coNP-hard, in Proceedings of the Twenty-First Annual ACM-SIAM Symposium on Discrete Algorithms (SODA), 2010, pp. 1029–1034
P. Ekberg, W. Yi, Uniprocessor feasibility of sporadic tasks remains coNP-complete under bounded utilization, in Proceedings of the 36th Real-Time Systems Symposium (RTSS), 2015a, pp. 87–95. https://doi.org/10.1109/RTSS.2015.16
P. Ekberg, W. Yi, Uniprocessor feasibility of sporadic tasks with constrained deadlines is strongly coNP-complete, in Proceedings of the 27th Euromicro Conference on Real-Time Systems (ECRTS), 2015b, pp. 281–286
P. Ekberg, W. Yi, Fixed-priority schedulability of sporadic tasks on uniprocessors is NP-hard, in Proceedings of the 38th Real-Time Systems Symposium (RTSS), 2017, pp. 139–146. https://doi.org/10.1109/RTSS.2017.00020
N. Fisher, S. Baruah, A fully polynomial-time approximation scheme for feasibility analysis in static-priority systems with arbitrary relative deadlines, in Proceedings of the 17th Euromicro Conference on Real-Time Systems (ECRTS), July 2005, pp. 117–126
M.R. Garey, D.S. Johnson, Strong NP-completeness results: motivation, examples, and implications. J. ACM 25(3), 499–508 (1978)
J. Goossens, Scheduling of Hard Real-Time Periodic Systems with Various Kinds of Deadline and Offset Constraints. PhD thesis, Université libre de Bruxelles, 1999
M. Joseph, P. Pandya, Finding response times in a real-time system. Comput. J. 29(5), 390–395 (1986)
J.P. Lehoczky, Fixed priority scheduling of periodic task sets with arbitrary deadlines, in Proceedings of the 11th Real-Time Systems Symposium (RTSS), Dec 1990, pp. 201–209
J.Y.-T. Leung, M. Merrill, A note on preemptive scheduling of periodic, real-time tasks. Inf. Process. Lett. 11(3), 115–118 (1980)
J.Y.-T. Leung, J. Whitehead, On the complexity of fixed-priority scheduling of periodic, real-time tasks. Perform. Eval. 2(4), 237–250 (1982)
C.-L. Liu, J.W. Layland, Scheduling algorithms for multiprogramming in a hard-real-time environment. J. ACM 20(1), 46–61 (1973)
A.K. Mok, D. Chen, A multiframe model for real-time tasks. IEEE Trans. Softw. Eng. 23(10), 635–645 (1997)
B. Sprunt, L. Sha, J. Lehoczky, Aperiodic task scheduling for hard-real-time systems. Real-Time Syst. 1(1), 27–60 (1989)
M. Stigge, Real-Time Workload Models: Expressiveness vs. Analysis Efficiency. PhD thesis, Uppsala University, Department of Information Technology, 2014
M. Stigge, W. Yi, Combinatorial abstraction refinement for feasibility analysis, in Proceedings of the 34th Real-Time Systems Symposium (RTSS), 2013, pp. 340–349
M. Stigge, W. Yi, Graph-based models for real-time workload: a survey. Real-Time Syst. 51(5), 602–636 (2015)
M. Stigge, P. Ekberg, N. Guan, W. Yi, On the tractability of digraph-based task models, in Proceedings of the 23rd Euromicro Conference on Real-Time Systems (ECRTS), July 2011a, pp. 162–171
M. Stigge, P. Ekberg, N. Guan, W. Yi, The digraph real-time task model, in Proceedings of the 17th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS), 2011b, pp. 71–80
N. Tchidjo Moyo, E. Nicollet, F. Lafaye, C. Moy, On schedulability analysis of non-cyclic generalized multiframe tasks, in Proceedings of the 22nd Euromicro Conference on Real-Time Systems (ECRTS), 2010, pp. 271–278

Part III Real-Time Systems Jiong Jin

15 Real-Time Cyber-physical Systems: State-of-the-Art and Future Trends

Mehdi Korki, Jiong Jin, and Yu-Chu Tian

Contents
1 Introduction
2 Real-Time Systems
3 Real-Time Cyber-Physical Systems
4 Requirements and Components of Real-Time CPSs
5 Related Topics to Real-Time CPSs
6 Applications of Real-Time CPSs
6.1 Intelligent Manufacturing
6.2 Vehicular Systems and Intelligent Transportation
6.3 Medical and Healthcare Systems
6.4 Smart Grid
6.5 Smart Buildings
6.6 Data Centers
7 Challenges of Real-Time CPSs
8 Conclusions
References

M. Korki · J. Jin
School of Science, Computing and Engineering Technologies, Swinburne University of Technology, Melbourne, VIC, Australia

Y.-C. Tian
School of Computer Science, Queensland University of Technology, Brisbane, QLD, Australia

© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_37

Abstract Real-time cyber-physical systems (CPSs) describe a wide range of complex and interdisciplinary engineered systems that integrate real-time embedded computing and control technologies (the cyber component) into the physical world. To further understand real-time CPSs, this chapter presents a brief survey of the relevant work, exploring the emergence of real-time CPSs, the system requirements, the relation to other research areas, similar and prevalent concepts, and important practical applications. In addition, this chapter lists several important technical challenges and elaborates insightful concepts by utilizing specific applications. Real-time CPSs have various applications spanning different scales due to their very broad research areas. Future and next-generation technologies are anticipated to have a significant impact on real-time CPS applications. Hence, all real-time CPS applications are required to be developed and designed taking into account advanced technologies, essential system requirements, and the overall influence on the physical world.

Keywords Real-timeliness · Real-time cyber-physical system (CPS) · Embedded computing technologies · System-level requirements

1 Introduction

Real-time and embedded systems are utilized in diverse application domains that need timely processing of huge amounts of real-time data. Examples of real-time data include sensor data in sensor networks, positions of aircraft in an air traffic control system, and temperature as well as air pressure in an engine control environment. Real-time data are usually stored in a real-time database system (RTDBS). Such data are utilized to model the current status of components in the system. The major difference between real-time data and traditional data stored in databases is that real-time data have sampled values which are valid for only a certain time interval (Ramamritham 1993; Locke 1997; Stankovic et al. 1999).

The emergence of real-time systems is related to the evolution of the computer. The state-of-the-art real-time systems utilized in monitoring and controlling military aircraft weapons systems, or medical monitoring equipment, are complex and still demonstrate the features of the systems developed between the 1940s and 1960s (Laplante 2004).

In the last two decades, the Internet and embedded systems have been revolutionized, and many devices have been connected to the Internet. This increases the interaction of people with the physical world. The advancement and emergence of modern solutions in information technology resulted in modern intelligent solutions on cyber-physical systems (CPSs). CPSs integrate computing, communication, and storage capability with monitoring. CPSs offer advantages such as efficiency and safety. In addition, they allow individual entities to form complex systems with new capacities. A state-of-the-art complex system which has interfaces with the physical world and computing components running software with time-critical applications is an example of a CPS. CPSs are often safety-critical. That is, if they miss time deadlines or in case of component failures, the consequences are life-threatening. Such systems are referred to as real-time CPSs. Hence, the real-time CPSs are governed by strict timing deadlines. Based on the degree of criticality of the application and the task deadline, we can further categorize the real-time CPSs as hard, firm, or soft real-time CPSs. As some examples of such real-time CPSs, we can refer to the antilock braking system (ABS) in automotive, temperature/pressure control systems in manufacturing plants, laboratory robotics, and flight controls in avionics.

This chapter first introduces real-time systems and the various kinds of real-time systems. It then explains real-time CPSs, their requirements, and important components. Some concepts similar to real-time CPSs are introduced and important applications are discussed. Finally, some challenges of real-time CPSs conclude this chapter.

2 Real-Time Systems

Real-time systems (RTS) are computing (or information processing) systems which must respond to inputs within a specified time frame. As much as correct processing and response are important, the time at which the results are generated is also essential. One simple example of a real-time system is a video game. In this RTS, the system receives the inputs from the user, and after processing, it updates the game state for the user and displays it on the screen. Another example is in the airport when a passenger has a flight departure in an hour from Melbourne to Sydney in Australia. The passenger approaches the airline reservation counter to collect his/her boarding pass. At the counter, the ticket agent enters the passenger's information in the computer and the boarding pass is issued within seconds. Finally, consider the digital fly-by-wire flight control system with a computer as its main processing system. There are many control systems in the aircraft including control surfaces (e.g., rudders, ailerons, elevators, etc.). These control systems consist of a variety of controllers and sensors. The computer receives the electronic signals from these control systems. These signals are processed by the computer, and the controlling signals are transmitted to the actuators (control surfaces) and the results are further displayed on the pilot's screen. Excessive delays in the computer's processing of the different control signals across tasks might result in airplane instability and a possible crash.

The main common characteristic of the aforementioned examples is that the system must generate the output within a specified time frame. Clearly, failure to meet such a requirement results in a consequence. How severe the consequence is depends on the system. If the game is slow to respond, the user will lose interest in the game and there is no catastrophic consequence. However, if the fly-by-wire flight control system fails to meet many deadlines in response to the inputs, it can lead to an airplane crash. Based on the consequences of the response time, RTS are categorized as (Kopetz 2011):

– Safety-critical systems: include all types of real-time systems which can lead to catastrophic consequences if the systems fail to function properly.
– Hard real-time systems: guarantee to meet the required deadlines in completion of all real-time tasks. Failure to meet a single deadline can lead to catastrophic consequences such as physical damage or loss of life. Hard real-time systems are safety-critical systems.
– Firm real-time systems: allow a small number of missed deadlines. More than a specific number of missed deadlines will result in total system failure or catastrophic consequences.
– Soft real-time systems: prioritize the real-time tasks over non-real-time tasks. Low performance of the system is allowed with several missed deadlines; however, there are no failure (or catastrophic) consequences due to missed deadlines.

Among the aforementioned examples, the airport example and the digital fly-by-wire flight control system are hard real-time systems, and the video game is a soft real-time system. A simple example of a firm real-time system is a weather forecast system.

In the information age, the Internet has transformed the way we search for new information, study, run our businesses, and even entertain ourselves. That is, very quick interaction with other people and obtaining the information we require (in a very short time) is feasible using the Internet. However, there are still some gaps between the cyber world (i.e., the digital environment of information, computations, and computers) and the physical world (real-world networks and systems). Hence, with the aid of technological advances, a new generation of systems (e.g., self-optimizing transportation systems, energy-efficient and sustainable airplanes and automobiles, etc.), which are called cyber-physical systems (CPSs), emerged. CPSs introduce the integration of information and networking into physical objects. By integrating information and communications into such systems, a new generation of intelligent and autonomous systems could be developed. These kinds of systems fall in the RTS category and are termed real-time cyber-physical systems (RTCPSs).

3 Real-Time Cyber-Physical Systems

Cyber-physical systems (CPSs) consist of cyber systems and physical systems. Cyber systems include software, embedded computation, or network systems with computation, communication, and control procedures. Physical systems are either natural or man-made systems which can be analyzed by the laws of physics and operate in the continuous time domain. Examples of physical systems are power grids, transportation networks (e.g., airlines and highways, etc.), factories, etc. Hence, CPSs introduce a tight integration of communication and control, information, and computation into physical systems as shown in Fig. 1.

Definition 1. Real-Time CPS: A real-time CPS integrates computing, communication, and storage capabilities with monitoring and/or control of physical objects and must do so reliably, safely, securely, and efficiently and in real time, whose main characteristics are as follows (see Fig. 2) (Sanislav and Miclea 2012):

– Communication of input and feedback from/to the physical environment, which requires secure channels
– Management and distributed control and monitoring
– Real-time performance requirements
– Wide geographical distribution without distributed physical security components
– Very large-scale control systems

Fig. 1 Structure of cyber-physical system (labelled blocks: Computation, Information, Systems)

Fig. 2 Structure of real-time cyber-physical system (labelled blocks: Operating Environment, Actuators, Controlled Plant, Sensors, Server, Real-time monitoring, User)

Real-time CPSs are safe, efficient, and reliable, which makes them advantageous. They are hierarchical, distributed (networked) control systems with particular "self"-features, e.g., self-optimization to alleviate the effects of disturbance, self-configuration for manageability and resilience, etc. (Kovácsházy 2018). Real-time CPSs have a variety of applications including avionics, transportation, manufacturing processes, energy systems, healthcare, assisted living, social networking and gaming, agriculture, etc. The most recent applications of real-time CPSs are autonomous vehicles, smart infrastructure (i.e., smart cities), and Industry 4.0 (Kovácsházy 2018; Lu et al. 2016).

Most real-time CPS applications require strict deadlines in performing real-time activities. For instance, activities such as steering and acceleration/braking in an autonomous car must be performed on real-time data received with deadlines in the range of milliseconds in the distributed architecture of modern cars. As real-time CPSs are time sensitive, guaranteeing deterministic behavior of CPSs requires deterministic real-time networks with bounded delay and delay variance (jitter). Examples of such networks are real-time Ethernet fieldbus solutions, e.g., EtherCAT, PROFINET IRT, SERCOS III, etc. However, none of them are standardized by IEEE and none of them are completely ready for real-time CPS applications (Kovácsházy 2018). Hence, IEEE has been developing real-time features for the IEEE 802 standards under the time-sensitive networking (TSN) standards, starting with IEEE 802.3 Ethernet networks. To achieve deterministic network delay and jitter for time-sensitive traffic, TSN aims to eliminate the nondeterministic queuing delays in network elements. TSN is analogous to a complex Ethernet fieldbus; however, it can provide the low-level, real-time, dynamic, virtualized, and distributed architecture for future wired CPSs. Some features of TSN can also be utilized for IEEE 802.11 (Wi-Fi). The most important standards in TSN are:

– P802.1AS Revision, Timing and Synchronization
– P802.1Qcc, Stream Reservation Protocol
– IEEE 802.1Qbv-2015, Enhancements for Scheduled Traffic
– IEEE 802.1CB-2017, Frame Replication and Elimination for Reliability
– IEEE 802.1Qch-2017, Cyclic Queuing and Forwarding
– IEEE 802.1Qci-2017, Per-Stream Filtering and Policing
– IEEE 802.1Qbu-2016, Frame Preemption

One of the important applications of real-time CPSs is in Industry 4.0. For instance, wireless sensor-actuator networks (WSANs) for industrial control systems are one of the important types of real-time CPSs which have emerged at the dawn of Industry 4.0 (Lu et al. 2016). Industry 4.0, or the fourth industrial revolution, introduced by the German government in 2012, is mainly based on the application of real-time CPSs to manufacturing processes via high-tech strategies (Li and Lau 2018). This enables manufacturers to visualize the manufacturing processes including order fulfillment, mass production, machinery maintenance, machine failure prediction, etc. Therefore, various electrical and electronic devices, e.g., personal computers, smartphones, smartwatches, machinery robotics, and enterprise resource planning (ERP) systems, are integrated together and communicate with each other through the Internet to offer an optimal solution for improving productivity. In fact, Industry 4.0 is the transformation of traditional plants into smart factories. This significantly impacts the value chain of companies and causes the disruption of traditional production in the factories. The combination of Internet of Things (IoT), digital services, and real-time CPSs utilizes information and communication for the integration of physical, virtual, and digital worlds (Pisching et al. 2018). Manufacturing and production based on Industry 4.0 considers the products as smart components capable of communicating (the information by the integration of physical and digital systems) with shop floor machines to meet customer needs in on-demand production. As real-time CPSs are important parts of Industry 4.0 and industrial automation applications, it is necessary to investigate the requirements and components of CPSs, which will be studied in the next section.

4 Requirements and Components of Real-Time CPSs

Real-time CPSs integrate computing and communication capabilities with monitoring and control of entities in the physical world. Hence, these systems usually comprise a set of networked agents, e.g., sensors, actuators, control processing units, digital signal processing (DSP) units, and communication devices, which turn real-time CPSs into complex systems and result in difficulties in the requirements engineering process. This is because the requirements are also conflicting, redundant, and complex, which increases the time and cost of developing the real-time CPS. The elicitation phase is an essential part of requirements engineering, due to its vital role in the whole development life cycle (Penzenstadler and Eckhardt 2012). The elicitation phase is a collection of activities which include gathering information from stakeholders and classifying the requirements based on priority into normal, expected, and exciting requirements. Normal requirements must be achieved by the developers. These types of requirements are an explicit agreement between stakeholders and the development team. Expected requirements are essential for the system to work properly. Exciting requirements are extra features to promote the complete satisfaction of users/clients.

The identification and refinement of the requirements for real-time CPSs are difficult tasks as real-time CPSs are complex and distributed systems. However, if the requirements are properly collected and refined, the development of such systems will be easier. Hence, the collection and refinement processes of the requirements for CPSs are essential parts of the system development. In general, based on existing literature, the requirements for developing real-time CPSs can be categorized into two major groups: time-related requirements and generic requirements.


– Time-Related Requirements: Time is a necessary requirement for the development of real-time CPSs, which makes the system predictable, reliable, and deterministic. The author in Lee (2008) has studied the design challenges of real-time CPSs and has investigated the adequacy of the computing and networking technologies for developing real-time CPSs. In order to satisfy the time requirement of real-time CPSs, Edward E. Lee has suggested gradually improving the technologies and computer OS (operating system) architecture. CPSs need to deal with huge amounts of data in a timely and secure fashion. The authors in Kang and Son (2008) have proposed an information-centric approach for timely and secure real-time data services in CPSs. In this approach, network-enabled real-time embedded databases (nRTEDBs) communicate (with each other and) with wireless sensors in a secure and timely manner. Hence, the overall timeliness, security, and efficiency of the system will be enhanced. The problem of optimizing the spatiotemporal distribution of real-time CPSs has been investigated in Kong et al. (2010). The authors have proposed an optimal approximation spatial distribution for stationary nodes, and they have also developed a cooperative movement algorithm on nodes for achieving a curvature-weighted distribution pattern. This method helps obtain the crucial data for optimal environment abstraction. The authors in Ahmadi et al. (2010) have suggested a congestion control mechanism for accurate estimation of spatiotemporal phenomena in wireless sensor networks performing monitoring applications. This approach emphasizes the importance of data not only by deadline but also by the dynamic state of the physical world. The design, implementation, and evaluation of systems and algorithms that enable predictable and scalable real-time data services for real-time CPSs are investigated in Kang (2009). However, the predictability of time and deadlines for real-time CPSs is difficult due to the complex hardware and software (e.g., programming language nature) of CPSs. Further, requirements other than time should be considered in the requirements engineering process of real-time CPS design.

– Generic Requirements: One of the critical requirements for real-time CPSs is reliability. An unreliable real-time CPS can result in system malfunctions, service disruptions, financial losses, and even loss of human life. The authors in Leon and Kaiser (2013) have proposed the Failure Analysis and Reliability Estimation (FARE) framework, which is utilized for benchmarking the reliability of real-time CPSs. The FARE framework provides a CPS reliability model and a set of methods and metrics on the evaluation environment selection, failure analysis, and reliability estimation for benchmarking real-time CPS reliability. The requirements engineering of real-time CPSs deals with a variety of stakeholders with different objectives, which is challenging for requirement elicitation, documentation, and management. One solution to this challenge is to utilize an artifact-oriented requirements engineering approach which emphasizes artifacts and dependencies rather than the processes and methods of creating the artifacts. A content model based on artifacts has been proposed in Penzenstadler and Eckhardt (2012), which facilitates the collaboration between stakeholders from 30 companies in the ARAMiS project for real-time CPSs.


An approach to how the requirements are collected, organized, and optimized in the requirements engineering process for real-time CPSs has been developed in Rahman and Nower (2017). At the elicitation phase, this approach introduces the following requirements in the development of real-time CPSs:
1. Business Domain Analysis: This category of requirements comprises problem statement, mission/vision statement, objectives of the system, rationality of the approach, benefits of all relevant stakeholders, performance measurement, risk management, work plan and time line, team role, cost estimation and fund, etc. Business domain analysis gives the developer useful resources to analyze various requirements after collecting them from stakeholders.
2. Collect System Requirements: During the collaboration with stakeholders, system requirements are collected and listed, which include conflicting requirements, e.g., response time vs output data volume, and common requirements, e.g., system protection from other accesses and authentication. In order to optimize the various requirements and to reduce the cost and development time, this category of requirements should be managed carefully.
3. Remove Conflicting Requirements and Group the Requirements: It is necessary to remove the conflicting requirements and to merge the common requirements. After optimizing the requirements, they can be refined into:
   a. Normal/Essential: This type of requirement is explicitly described by stakeholders and must be met in developing the system.
   b. Expected: Without this type of requirement, the system will operate improperly and incompletely, and thus this requirement must also be met in the development of the system.
   c. Exciting: This type of requirement offers extra satisfaction to clients.
4. Cluster the Requirements: As real-time CPSs are complex systems containing various modules (e.g., computation, communication, and control), it is helpful to cluster the requirements according to the different modules, which helps distribute the workload evenly among developers. This in turn reduces the development time.

The real-time CPSs may consist of sensor networks such as wireless sensor networks (WSNs). In addition to the abovementioned requirements, in Ali et al. (2015), the authors listed the technical requirements of the CPSs, which include the following:
1. Network Formation:
   a. Network formation may contain several overlapping networks with different applications.
   b. It also supports dynamic joining and leaving of a network.
2. Communication Pattern:
   a. Communication pattern supports intra-WSN communication.
   b. It also includes frequent cross-layer interaction support for control over numerous actuators and quality of service (QoS) provisioning.
3. Power Management:
   a. CPS is supported by web cloud in most cases where power concerns may not be as critical due to abstraction of middleware network.
   b. The monitoring station and actuation center might need to be active most of the time.
4. Network Coverage:
   a. CPSs have broader coverage and connectivity options that lie outside of the WSN domain. This is because CPSs may contain several WSNs.
5. Node Mobility:
   a. Node mobility may include mobile and static node networks.
   b. It may also include data from nodes of hybrid interconnected networks collected in dynamic and random fashion.
6. Knowledge Mining:
   a. Knowledge mining encompasses more elaborate information gathering and knowledge base population.
   b. It also includes intelligent decision-making platforms dedicated to analyzing information.
7. Quality of Service:
   a. Compared to WSNs, QoS for CPS relates to a higher-level cross-layered approach.
   b. In CPSs, security and confidentiality are important service aspects.

The authors in Gunes et al. (2014) have categorized the components of real-time CPSs into three main groups: physical world, interfaces, and cyber systems (Fig. 3). The physical world is the phenomenon which is intended to be monitored or controlled. The cyber systems are embedded devices which perform computation, process information, and communicate with their distributed environments. The interfaces include communication networks and other intermediate components such as interconnected sensors, actuators, analog-to-digital converters (ADC), and digital-to-analog converters (DAC), which connect the cyber systems with the physical world. Sensors and actuators are in charge of converting other forms of energy to analogue signals (e.g., voltages) and vice versa, respectively. ADCs and DACs are in charge of converting continuous analogue signals to discrete digital signals and vice versa, respectively.

Fig. 3 Components of real-time CPS (Gunes et al. 2014). Labels in the figure: physical world (sensing, actuation), sensor network (sensor nodes), actuator network (actuator nodes), communication network (sensed data, actuate command), cyber systems (decision making).

In real-time CPSs, it is probable to have shared sensor and actuator networks (SANs), which makes resource scheduling a challenging task in real-time CPS operation. Therefore, it is vital to perform actuation coordination to determine which actuators must be scheduled to perform a particular action or how to manage control actions properly. When control tasks are allocated to a particular actuator, several parameters including actuator capabilities, real-time guarantee, task completion time, energy consumption of each actuator, and the physical system requirements must be taken into account (Mo et al. 2014). Unlike cyber systems, in which operations are mostly reversible or preemptible (e.g., preemption is available for databases or bus access protocols), in real-time CPSs rollback and preemption are unavailable, i.e., physical operations executed by actuators are typically irreversible. That is, when actuators operate on erroneous data, it is usually very challenging or almost impossible to roll back the actuation performed. A specific example relevant to healthcare applications has been discussed in Luo et al. (2012). Further, irreversible operations in real-time CPSs affect real-time scheduling in scenarios where several tasks are managed on a shared platform. In particular, hard real-time tasks could be blocked by low-priority processes when access to a shared actuation resource is irreversible. A specific example has been discussed in Springer et al. (2014) for a satellite communication system.

The control components are one of the essential parts of real-time CPSs. This is because the control laws of physical phenomena and the theory behind control systems are the fundamental aspects of all modern continuous-time dynamical systems. For conventional systems, control policies and laws are implemented and applied after manufacturing the system prototype (Erdem et al. 2010), and thus they


are separate from the system infrastructure. However, this approach cannot meet the requirements of CPSs because they are complex and dynamic in nature. To meet the requirements of CPSs and implement complex control laws, the physical system and its dependency on control laws should be well defined and modeled (Zhou and Baras 2013). One of the vital aspects of real-time CPSs is their real-time operation. Hence, the real-time control components are essential parts of real-time CPSs. The conventional real-time control strategies are implemented through open-loop control, feed-forward control, and feedback control mechanisms. The open-loop control mechanism relies on operator adjustment: it uses only the input signal to actuate the output according to the control strategy, so adjusting the output of the system requires a feedback mechanism (Hopgood 2012). The feed-forward control mechanism takes into account the environmental factors which are measured by sensors in the physical system. The feed-forward mechanism then predicts the relationship between the physical system and its environment, and the controller component adjusts the control action accordingly (Hopgood 2012). The feedback control mechanism, which is also known as the "closed-loop" control mechanism, adjusts the output signal according to the error signal between the feedback signal from the output and the input signal. It is called a closed-loop control mechanism because the physical system and the controller component affect each other. All of the environmental factors which influence the physical system are considered through the feedback signal (Hopgood 2012). As the physical world (i.e., physical system/environment) is one of the main components of real-time CPSs and these systems interact with physical systems without human intervention (via physical awareness capabilities), many real-time CPSs are capable of utilizing both feed-forward and feedback control mechanisms together.
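The three control mechanisms described above, compared on one plant as an added example (not code from the chapter or from Hopgood 2012). The first-order room-heating model, its constants, the PI gains, and the disturbance scenario are assumptions constructed for illustration; the actuator is assumed linear and unsaturated.

```python
"""Open-loop, feed-forward, feedback (PI) and combined control on one plant.

Constructed scenario: a heater holds a room at SETPOINT. The ambient
temperature (measured by a sensor) drops at step 300; at step 600 a window
opens, adding a heat loss that no sensor measures.
"""
from dataclasses import dataclass

DT = 1.0                # simulation step, s
TAU = 50.0              # thermal time constant of the room, s (assumed)
GAIN = 0.1              # heating rate per unit actuator command, deg/s (assumed)
SETPOINT = 21.0         # reference input, deg C
NOMINAL_AMBIENT = 10.0  # ambient the open-loop command was calibrated for
STEPS = 900
MODES = ("open_loop", "feed_forward", "feedback", "combined")


def ambient(k: int) -> float:
    """Measured environmental factor: drops from 10 to 5 deg C at step 300."""
    return 10.0 if k < 300 else 5.0


def unmeasured_loss(k: int) -> float:
    """Disturbance invisible to every sensor except the output itself (deg/s)."""
    return 0.0 if k < 600 else 0.04


def feed_forward(measured_ambient: float) -> float:
    """Command that holds SETPOINT at steady state if the plant model is exact."""
    return (SETPOINT - measured_ambient) / (TAU * GAIN)


@dataclass
class PI:
    """Feedback controller acting on the error between reference and output."""
    kp: float = 2.0
    ki: float = 0.1
    integral: float = 0.0

    def update(self, error: float) -> float:
        self.integral += error * DT
        return self.kp * error + self.ki * self.integral


def simulate(mode: str) -> list:
    """Return the room temperature after each step under the given mode."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    temp, pi, trace = SETPOINT, PI(), []
    for k in range(STEPS):
        amb = ambient(k)
        u = 0.0
        if mode == "open_loop":            # fixed command, no sensing at all
            u = feed_forward(NOMINAL_AMBIENT)
        if mode in ("feed_forward", "combined"):
            u += feed_forward(amb)         # reacts to the measured environment
        if mode in ("feedback", "combined"):
            u += pi.update(SETPOINT - temp)  # reacts to the output error
        temp += DT * ((amb - temp) / TAU + GAIN * u - unmeasured_loss(k))
        trace.append(temp)
    return trace


def summarize(trace: list) -> dict:
    err = [SETPOINT - t for t in trace]
    return {
        "error_after_ambient_drop": err[599],
        "error_final": err[-1],
        "peak_dev_ambient_drop": max(abs(e) for e in err[300:600]),
        "peak_dev_window": max(abs(e) for e in err[600:]),
    }


def compare() -> dict:
    return {mode: summarize(simulate(mode)) for mode in MODES}


if __name__ == "__main__":
    for mode, row in compare().items():
        print(f"{mode:13s}", {k: round(v, 3) for k, v in row.items()})
```

Feed-forward cancels the measured ambient drop but leaves the unmeasured loss uncorrected; feedback removes both in steady state at the cost of a transient dip; the combination keeps the zero steady-state error and removes the dip for the measured disturbance.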
When the feedback control of a system is closed via a shared network, the system is called a networked control system (NCS). In an NCS, the control input/plant output signal is passed through interconnected components, e.g., sensors, controllers, and actuators (Gupta and Chow 2010).

Supervisory control and data acquisition (SCADA) is a common control system (component). These types of control systems are used for monitoring and controlling processes such as industrial processes, infrastructure, and facility-based processes that exist in the physical world. The SCADA system collects data in real time from remote or local sensors and sends the data to a central fusion center for processing, controlling equipment/conditions, and taking the necessary actions. However, the requirements of real-time CPSs are far beyond those of NCS and SCADA.

The sensor nodes and sensor networks of sensor network technologies are closely related to some core concepts in real-time CPSs. A sensor node comprises sensors, actuators, computing elements (e.g., processors and memories), communication modules, and batteries. A sensor network consists of many sensor nodes which are interconnected through wireless or wired connections (Golatowski et al. 2003). The integration of a large number of sensor nodes via wireless network connections is called a wireless sensor network (WSN). In a WSN, some nodes may transfer raw data to other nodes in charge of data processing, which are called data fusion centers. This type of WSN consumes more power and communication bandwidth. If the fusion centers fail, the whole network is interrupted. In contrast, in distributed WSNs, all the nodes process the raw data by themselves, due to their computing and data processing capabilities, and relay the required part of the processed data to the other sensor nodes (Zayyani et al. 2016a, b, 2017; Korki and Zayyani 2019). As real-time operation is vital in real-time CPS, a distributed WSN is beneficial for this kind of system.
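Earlier in this section the chapter notes that hard real-time tasks can be blocked by low-priority processes when access to a shared actuation resource is irreversible. The following added example (not from the chapter or from Springer et al. 2014) quantifies that effect with the classic fixed-priority response-time recurrence extended by a blocking term; the task names and timings are constructed.

```python
"""Response-time analysis with blocking from a non-preemptible actuation.

Recurrence: R = C + B + sum over higher-priority tasks of ceil(R / T_j) * C_j,
where B is the longest irreversible actuation of any lower-priority task
(once started, it cannot be preempted or rolled back).
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Task:
    name: str
    wcet: int           # worst-case execution time C, ms
    period: int         # period T, ms
    deadline: int       # relative deadline D, ms
    actuation: int = 0  # longest irreversible actuation inside the task, ms


# Constructed task set, listed from highest to lowest priority.
TASKS = [
    Task("attitude_control", wcet=2, period=8, deadline=8),
    Task("telemetry", wcet=3, period=20, deadline=20),
    Task("valve_cycle", wcet=10, period=100, deadline=100, actuation=7),
]


def blocking(tasks: List[Task], i: int) -> int:
    """Worst-case blocking of tasks[i]: one lower-priority actuation."""
    return max((t.actuation for t in tasks[i + 1:]), default=0)


def response_time(tasks: List[Task], i: int, block: int) -> Tuple[int, bool]:
    """Return (response time, deadline met) for tasks[i] under `block` ms.

    On a miss, the returned time is the first iterate beyond the deadline,
    i.e. a lower bound on the true worst-case response time.
    """
    me = tasks[i]
    r = me.wcet + block
    while True:
        interference = sum(
            ((r + hp.period - 1) // hp.period) * hp.wcet for hp in tasks[:i]
        )
        nxt = me.wcet + block + interference
        if nxt > me.deadline:
            return nxt, False
        if nxt == r:
            return r, True
        r = nxt


def max_tolerable_blocking(tasks: List[Task], i: int) -> int:
    """Longest lower-priority actuation tasks[i] can absorb and still meet D.

    Assumes tasks[i] meets its deadline with no blocking at all.
    """
    b = 0
    while response_time(tasks, i, b + 1)[1]:
        b += 1
    return b


def analyse(tasks: List[Task]) -> List[dict]:
    rows = []
    for i, t in enumerate(tasks):
        free, _ = response_time(tasks, i, 0)
        blocked, ok = response_time(tasks, i, blocking(tasks, i))
        rows.append({
            "task": t.name, "deadline": t.deadline,
            "r_no_blocking": free, "r_with_blocking": blocked,
            "meets_deadline": ok,
            "max_tolerable_blocking": max_tolerable_blocking(tasks, i),
        })
    return rows


if __name__ == "__main__":
    for row in analyse(TASKS):
        print(row)
```

With these numbers the highest-priority task goes from a 2 ms response time to 9 ms against an 8 ms deadline, so the irreversible section would have to be at most 6 ms for the task set to remain schedulable.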

5 Related Topics to Real-Time CPSs

This section presents the various research areas and prevalent concepts which are related to real-time CPSs. These are:
– Big Data: The datasets that are too large and complex to collect, store, manage (organize), and analyze with standard methods and database tools are called Big Data (Suciu et al. 2018). A large-scale real-time CPS can be considered as millions of networked nodes including smart devices, sensors, and actuators, which sense, process, and communicate data all over the network (Atat et al. 2018). The huge data transactions between these embedded networked smart devices contribute to the Big Data available. Based on the number of smart devices and the size of datasets, the size of Big Data varies from multiple terabytes to many petabytes (one petabyte is 1024 terabytes) (Sheth et al. 2013).
– Cloud: Cloud is a recent terminology emanating from information and communications technology (ICT), through which the users are allowed to have on-demand access to a shared pool of customizable computing resources such as software applications, stored information, services, hardware, etc. (Monica et al. 2013). Cloud computing enables the users to have broad network access to resources, to optimally use and control the resources, and to manage the hardware and software resources, services, etc., without human interactions. Cloud computing allows real-time CPSs to improve their capabilities through the management and processing of aggregated sensor data using a cloud model.
– Systems of Systems (SoS): SoS are large and heterogeneous systems which are networked together to perform a common task. SoS comprise autonomous components with the capability of independent operation and management (Lu et al. 2010; Jamshidi 2008). This terminology has been utilized by the systems engineering community and implies the concept of large-scale systems with significant economical and societal impacts, such as critical infrastructure, intelligent transportation, emergency response, etc. (Samad and Annaswamy 2011).
– Mechatronics: Mechatronics is a term composed of two parts: "mecha" and "tronics." Mecha refers to mechanical systems or mechanical engineering, and tronics refers to electronics systems or engineering. Due to the evolution of software and information technology, mechatronics has evolved over the last decades, although the term was first used in the late 1960s. Hence, mechatronics is a systematic approach to design, develop, and implement complex engineering systems by incorporating information technologies into physical systems (Bradley and Russel 2010).
– Cybernetics: Cybernetics is the study of communications and control strategies in machines, systems, and living creatures. It explains the relationship between the whole system behavior and the system components (Tsien 1954). In the design of real-time CPSs, the theory of cybernetics and the practical aspects of mechatronics system design can be utilized (Suh et al. 2014).
– Internet of Things (IoT): The term Internet of Things (IoT) emanated from the idea of interconnecting smart devices as a network, and the term was coined in 1999. IoT reflects the future of radio-frequency identification (RFID) technology, which allows physical objects (or products) to be identified automatically via a small electronic chip called an RFID tag. IoT helps observe and identify the things (RFID-tagged objects) by capturing their data. This in turn improves the efficiency and accountability of different businesses (Ashton 2009; Caceres and Friday 2012). IoT is closely related to real-time CPS. This is because IoT enables us to observe the things in the physical world, to exploit the communications capabilities, and to collect the data required to control and manage the things more effectively (Ashton 2009). The original version of IoT aimed to identify and monitor various technologies; however, recently IoT has targeted the control of physical systems by incorporating RFID systems and sensor networks, which are called RFID sensor networks (Al-Fagih et al. 2012). The authors in Atzori et al. (2010) investigated different aspects of IoT and the revision and improvement of its enabling technologies. Further, the idea of interconnecting heterogeneous real-time CPSs under a large-scale universal network such as the Internet has been investigated in Koubaa and Andersson (2009). This idea is called the Cyber-Physical Internet (CPI).
– Machine-to-Machine (M2M) Communication: Machine-to-Machine (M2M) communication is a combination of smart devices including computers, embedded processors, smart sensors, actuators, and mobile devices which are connected and transfer data together through communication networks (Watson et al. 2004). M2M communication is a subcategory of IoT and real-time CPS. The architecture, standard development, and applications of M2M communication have been discussed in Chen et al. (2012). The authors in Chen et al. (2012) have also suggested integrating intelligent roads and unmanned vehicles with wireless sensor network (WSN) navigation as a real-time CPS. M2M communication in conjunction with IoT enables new business models that render smart services to customers to improve efficiency and provide automation and low-cost systems in the area of e-commerce (Caceres and Friday 2012).
– Machine Learning: Combining machine learning approaches and artificial intelligence methods with real-time CPS has many advantages. Machine learning methods can be utilized in the control and monitoring systems of real-time CPSs for detection, control, execution, and communication (Lv et al. 2021). For instance, a deep neural network (DNN) can be used to enhance the level of autonomy in real-time CPSs (Cai et al. 2020). Also, for improving the security of real-time CPSs, deep learning-based methods can be used for anomaly detection (Luo et al. 2021). Further, generative adversarial networks (GANs) can be used for fault and cyberattack detection in real-time CPSs by dimensionality reduction (Farajzadeh-Zanjani et al. 2021).

Among the abovementioned concepts, IoT and real-time CPS are the two major disruptive civil technologies with potential impacts on the US interest (Disruptive Civil Technologies 2008). Real-time CPS and IoT are the two emerging technologies which can represent an automatic network of connected sensors, actuators, and hardware devices (Ur Rehman and Gruhn 2018). The next-generation Internet technologies will have great impact on IoT and CPS research areas. In the way the conventional Internet revolutionized our interactions with each other, the IoT and real-time CPS will revolutionize our interactions with the physical world (Paul et al. 2011).

6 Applications of Real-Time CPSs

Due to their unique characteristics, real-time CPSs have been utilized in many domains (Khaitan and McCalley 2015). In the sequel, we briefly review some of these applications.

6.1 Intelligent Manufacturing

Intelligent manufacturing (IM) is the deployment of embedded software and hardware technologies to optimize the manufacturing of goods and service delivery (Koziolek et al. 2011; Yao et al. 2019). Intelligent factory is another term which is used for next-generation IM. One of the major applications of real-time CPSs is IM. This is because mass production, domestic and international marketing, and economic growth are all parts of IM. In Europe and the USA, CPSs have been characterized for IM. The Industry 4.0 project started in Germany and represents a major opportunity for the manufacturing of the future. Industry 4.0 is expected to lead the manufacturing of the future. The core of Industry 4.0 is real-time CPS to achieve the intelligent factory. The dynamic configuration of production is the major component of Industry 4.0. Unlike traditional production methods, the dynamic configuration in the manufacturing process is capable of changing the original design at any time. In the intelligent factory of Industry 4.0, the fixed production line has been replaced by dynamically modular production. Industry 4.0 aims to improve automation, operational efficiency, and effectiveness. Virtual reality, artificial intelligence, the industrial Internet, industrial Big Data, industrial robots, 3D printing, cloud computing, knowledge work automation, and industrial network security are essential technologies which have been utilized in Industry 4.0. Further, these technologies will create various business opportunities.


Industry 4.0 includes a set of future industrial developments such as cyber-physical systems (CPSs), the Internet of Things (IoT), the Internet of Services (IoS), robotics, Big Data, cloud manufacturing, and augmented reality. The utilization of these technologies helps develop more IM processes, which include devices, machines, production modules, and products that are able to independently exchange information, trigger actions, and control each other, thus enabling an IM environment (Nagi et al. 2018). In future, manufacturing and production will experience a high demand for flexibility. However, safety makes it very challenging to meet these demands. The lack of safety is due to the close interaction between machines and human experts without adequate sensors and intelligent devices to avoid possible accidents (Gide 2013). Real-time CPSs in intelligent manufacturing will enhance safety, productivity, and efficiency by integrating embedded system production technologies to increase the flexibility of work flow and enable new forms of collaboration (Trade&Invest 2013).

6.2 Vehicular Systems and Intelligent Transportation

Almost all modern vehicles are real-time CPSs, which include advanced navigation systems, displays, and entertainment and manage the motion and the energy consumption of the vehicle. The functionality of real-time CPS has been utilized in various aspects of vehicular systems including data fusion in distributed CPS, public transport, design of cyber-physical vehicles, electrical vehicle charging, and road monitoring.

The AUTomotive Open System ARchitecture (AUTOSAR), which offers real-time cyber infrastructure in modern automotive platforms, has been introduced in Bhatia et al. (2010). AUTOSAR meets the system analysis and implementation, which are the requirements of the system development. AUTOSAR is a modular system including the software components, operating system, and communication model.

The human-centric data fusion in distributed vehicular CPS has been discussed in Wagh et al. (2011). This model is a design architecture that considers human factors and employs safety applications to improve the safety of the drivers. This model includes a fusion center to fuse and process multiple messages and extract useful information from those messages. The advantages of this design include preventing potential negative effects of cyber applications on the driver, e.g., information overload, confusion, and distraction.

A system performance optimization model for unmanned vehicle CPS with wireless sensor network (WSN) navigation has been introduced in Yan et al. (2012). The vehicle receives the collected data from the WSN to determine the direction of movement. To increase the accuracy of positioning, real-time, fast communication and response of the vehicle are essential. Toward this end, the particle swarm optimization algorithm is used in this model.

The design of a system for facilitating public transportation has been discussed in Lau et al. (2011). This system, which is called ContriSenseCloud, is based on a client-server model, in which the data is collected and processed by public masses. This system comprises an interactive participatory sensor network, which enables users to collect, analyze, and share local knowledge. Hence, the journey plan of the users is formed by the information distributed from user-contributed data.

Intelligent transportation system (ITS) deploys advanced technologies such as sensing, communication, computation, and control mechanisms in transportation systems to enhance safety, coordination, and services in traffic management with real-time information sharing. ITS helps facilitate both ground and sea transportation through information sharing over satellites. It further provides a communication network between vehicles, the infrastructure, and passengers’ portable devices. ITS connects pedestrians, vehicles, sensors, roadside infrastructures, traffic management centers, satellites, and other transportation system components by utilizing a variety of wireless communication technologies and standards (Qu et al. 2010). In addition, the next-generation ITSs enable the authorities to monitor real-time traffic; to increase safety in transportation and comfort through information exchange among traffic users; to optimize traffic management; to prevent collision; and to utilize the satellite-based technology to connect drivers, roads, and vehicles smoothly. With the integration of real-time CPS into infrastructures, vehicles, and roadways, ITSs can achieve driver assistance, collision avoidance or notification, improvements in travel time without fear of unexpected delays, reductions in congestion, and advanced control over infrastructure and vehicles for energy saving (Networking and Information 2011).
ITSs benefit from both advanced sensor and embedded computer systems technology, and wireless, cellular, and satellite technologies for vehicle-to-vehicle (V2V), vehicle-to-pedestrian (V2P), and vehicle-to-infrastructure (V2I) communication to better manage complex traffic flow, ensure safety, and extend situational awareness.

6.3 Medical and Healthcare Systems

Medical and healthcare systems address different aspects of the patient’s physiology, in which real-time CPSs play important roles. Medical applications of real-time CPSs include implantable/life support medical devices, robot-assisted operation, development of medical application platforms, technologies related to home care, assisted living, smart operating rooms, smart medical devices (e.g., pacemaker, medical ventilator, infusion pump, etc.), and smart prescription (Baheti and Gill 2011; Kim and Kumar 2012). The challenges and research trends in the design and development of the real-time Cyber-Physical Medical System (CPMS) are discussed in Sokolsky (2011). These research trends demonstrate an increase in developing reliable software-based systems, connectivity of medical devices equipped with network interfaces, and continuous demand for patient monitoring such as home care, assisted living, telemedicine, sport activity monitoring, etc. It is worth noting that modeling and model-driven engineering have a great impact on the development of real-time CPMS (Sokolsky 2011). An example of real-time CPMS is the Medical Device Plug-and-Play (MD PnP) (Goldman et al. 2005), which provides a framework for safe interconnectivity and interoperability of medical devices. The interoperability available in MD PnP helps increase patient safety, enable new treatment options and proliferation of technology, and improve existing medical practice. Real-time CPSs can be utilized in the design of healthcare systems for disabled people and frail elderly people (Lim et al. 2011), in the development of controlled artificial legs (Huang et al. 2010), and in the design and analysis of body area networks (BAN) (Banerjee et al. 2012a). The next-generation CPMSs should render extensive data integration and access, comprehensive data acquisition and analysis, closed-loop control capabilities, energy efficiency, real-time visualization, and plug-and-play capability with interoperable medical devices.

6.4 Smart Grid

Smart grids refer to electric networks that deploy advanced monitoring, control, and communication technologies to deliver reliable and secure energy supply, improve operational efficiency of generators and distributors, and provide flexible choices for consumers. Smart grids are comprised of complex network systems and cyber-physical systems, which encounter several technological challenges. The smart grids introduce the transformation from a centralized, producer-controlled electric grid to a distributed, cooperative, responsive, and consumer-interactive grid by integrating future information and communication technologies for grid modernization (Farhangi 2010). The advantages of smart grids include real-time load monitoring, distribution, and planning at utility level; a balance of supply and demand at the device level; two-way flow of information (i.e., real-time communication between the consumer and utility); the integration of existing energy resources into the grid; large-scale grid awareness and ability to switch between high-level (e.g., state-wide) and low-level (e.g., street-wide) grid exploration; real-time integration of sensor data with geographical information; power quality and blackouts monitoring; and prevention or minimization of a potential outage.

The smart grids demonstrate the typical features of real-time CPSs due to the integration of the physical systems (power network infrastructure) and cyber systems (sensors and ICT). The typical real-time CPS-based features of smart grids include (Zhao et al. 2010):
– Real-time integration of real and virtual worlds in a flexible and dynamic environment, where the physical system scenarios are supplied as the input to the control center of CPSs, to enhance the performance of simulation models in the prediction of physical system behavior in future times
– Flexible and dynamic connections and interactions between physical and cyber systems via ad hoc communication networks with timely responses as their dynamic cooperation
– Requirement of real-time parallel computation and distributed information processing of Big Data and data streams to improve the time response of smart grid operation to transient, distribution, and scheduling layers through the CPS
– Self-configuration, self-adaption, self-organization, and self-learning which reduce the CPS response time to faults, attacks, and emergencies to improve the smart grid resilience, and security and safety of energy supply

The components of cyber technologies including communication networks and sensing devices are unchangeable on power systems and incapable of adapting to suit power system features. Hence, in order to meet the safety and security requirements of smart grids, they need calibrations and patching fixtures. The applications of real-time CPSs in electric power grid and energy systems include enhancing the sustainability of the power system by optimizing resource utilization and management; modeling the complex interactions between physical and cyber components, i.e., electric grids; and monitoring infrastructure, maintaining the security of the energy system against cyber threats. The security includes detection, prevention, mitigation, and restoration. The current cyber security research in energy systems mostly covers vulnerability/attack detection and prevention. However, mitigation of the attacks and restoration of the energy systems are also important.

In Saber and Venayagamoorthy (2010), the authors proposed an integrated electricity and transportation infrastructure for utilizing renewable energy sources (RESs). They presented the energy system as a CPS, where the physical components include RESs, gridable vehicles (GVs), and thermal power plants. The cyber component is an onboard system in a GV, which communicates with utility and vehicle owner’s preferences, for better functionality. Resource utilization using a CPS-based method has been described in Zhang et al. (2009). The authors proposed a dynamic model of a battery to demonstrate the capacity behavior of a battery under time-varying discharge current. In this CPS-based model, the trend of the current drawn from the batteries is determined by the control strategies and online scheduling algorithms, based on the processor and state of the plant. Therefore, the battery model proposed in Zhang et al. (2009) determines the optimal discharge profile for a square wave current. An effective model that represents a CPS-based energy system has been suggested in Ilic et al. (2010). All the physical components of this model are modules interconnected by an electric network. In this CPS-based model, all components are represented as cyber-physical modules, which are all specified by the cyber and physical input–output signals, internal dynamics, local sensing, and actuation. It is worth noting that the modular components are integrated into the CPS-based system according to network topology and constraints.

6.5 Smart Buildings

Smart building is based on utilizing various sensors, actuators, and distributed control systems to provide optimum control and automation of heating, ventilation, and air-conditioning (HVAC), lighting, fire prevention, and security systems in the buildings. Smart building is the complement for smart grid and smart city concepts. IoT and real-time CPSs introduce new applications in the smart buildings through various smart building appliances such as entertainment media, which require interaction patterns for realizing such systems (Chatzigiannakis et al. 2014). The next-generation smart buildings are expected to connect the smart grids with smart living environments and to predict their living patterns to ensure comfortable living environments. Smart networks including home area networks (HANs), neighborhood area networks (NANs), and wide area networks (WANs) can be utilized in the next-generation smart power distribution network to ensure two-way flow of electricity and information. HAN in smart buildings can deliver data traffic and control instructions both between the smart utilities (e.g., smart meters) and the residents’ smart devices, and among the residents’ smart devices themselves (Meng et al. 2014).

6.6 Data Centers

A data center can be modeled as a real-time CPS. This is because the data center includes online applications and services to ensure correct functioning. The complicated interaction of cyber and physical components in huge data centers requires the principles of real-time CPS design to resolve the issues in data center management. The authors in Parilini et al. (2010) proposed an approach for data centers to optimize the quality of computational services while keeping the energy costs for computation and cooling minimal. The proposed model includes the interaction between the cyber component, i.e., the computational network representing the distribution and flow of computational tasks, and the physical network component, i.e., the thermal network characterizing the distribution of thermal energy. Cyber and physical systems have close interactions in data centers. For instance, work-scheduling algorithms affect temperature distribution. In Li et al. (2011), the authors proposed a temperature prediction model to predict the temperatures near the servers in a data center based on continuous streams of temperature and airflow measurements. The approach, which utilizes physical laws and sensor observations in the data center, uses the data obtained from the sensors to learn the parameters of a data center’s CPS.

7 Challenges of Real-Time CPSs

Real-time CPSs transform human interaction with the physical world. However, this transformation incurs some costs. There exist several significant challenges for implementing real-time CPSs, which should be addressed to facilitate adoption of real-time CPSs in real-world scenarios. This section presents the most important system-level challenges. Figure 4 shows the main real-time CPS challenges. In the sequel, we present an overview of the challenges in the real-time CPSs.

Fig. 4 Real-time CPS challenges (Gunes et al. 2014). Figure labels: CPS Challenges; Interoperability, Security, Dependability, Predictability, Reliability, Sustainability

1. Dependability: The specific property of a system to function without significant degradation in its performance is called dependability. The degree of the reliability of the whole system is described by its dependability. A system which operates without intrusion and failure and delivers the required services accurately is a highly dependable system. Before the actual system operation, it is very difficult to ensure whether the system is dependable. For instance, time delay in sensor data reading and actuator operation may degrade dependability and result in unpredictable consequences. The physical and cyber components of the real-time CPSs are inherently interdependent. As the underlying components are likely interconnected dynamically during system operation, the analysis of the dependability becomes very difficult. To resolve this issue, common terminologies and semantics for describing dependability-related information across constituent systems/underlying components should be developed in the design stage of the real-time CPSs (Denker et al. 2012; Guan et al. 2020; Xu et al. 2020). The attributes of dependability include:

– Availability: This property of a CPS should ensure the readiness of the system even during faulty conditions. According to this property, a highly available system is capable of isolating a malfunctioning portion from itself and properly operating without it. Destructive cyberattacks such as denial of service attacks significantly hinder the system availability. For instance, in real-time Cyber-Physical Medical Systems, medical data, on which necessary action for saving a patient’s life should be taken, is of high importance. Hence, destructive attacks or system/component failure lead to unavailability of such data, which in turn poses a risk to the patient’s life (Haque et al. 2014).

– Safety: Safety is an important feature of a system, which prevents any harm, hazard, or risk inside or outside of the system during its operation. A highly safe system must comply with the safety regulations and employ safety assurance mechanisms in fault condition.
In intelligent manufacturing, real-time tracking of sustainable production and real-time management of processes result in improved safety. Automation of process control via embedded control systems and real-time data collection via sensors (across the manufacturing enterprise) will greatly improve the safety of manufacturing plants. Implementation of wireless sensor networks will help in the detection of operational failures and prevention of catastrophic consequences.

2. Reliability: This property refers to the degree of correctness in the functionality of the system. As real-time CPSs must operate reliably in open and uncertain environments with uncertain knowledge, attribute (e.g., timing), or outcome of a process, it is essential to quantify uncertainties during the CPS design stage. Thus, the uncertainty analysis gives real-time CPSs efficient reliability features. In addition, the accurate functionality of physical and cyber components, potential errors in the design, and ad hoc cross-domain network connections reduce the real-time CPS reliability. The reliability of a real-time CPS is described as follows:

– Robustness: Robustness is an important feature of a system which describes the capability of the system to maintain its stable configuration and withstand any failure. Therefore, a highly robust system should maintain its functionality in the presence of any failure without major changes to its original configuration. Further, a highly robust system avoids any hindrance in its operation due to any failures. In addition, possible disturbances emanating from sensor noises, actuator inaccuracies, faulty communication channels, potential hardware errors, or software bugs may reduce the overall robustness of a real-time CPS. Several factors such as modeling integrated system dynamics (e.g., actual ambient conditions in which CPSs operate), evolved operational environment, or unforeseen events may affect the run time of real-time CPSs and thus should be considered in the design of robust real-time CPSs (Rungger and Rungger 2016; Finkbeiner et al. 2021).

3. Predictability: Predictability is the qualitative or quantitative degree of predicting state/behavior/functionality of a system.
A highly predictable system should guarantee the specific behavior/functionality of the system in real-time operation, while all system requirements are met. For instance, in real-time Cyber-Physical Medical Systems, intelligent medical devices with advanced control technologies are expected to adjust themselves based on the patient’s conditions, predict the patient’s movements, and change their features based on the conditions of the surrounding environment. Although many intelligent medical devices operate in real time and demonstrate varying sensitivity to timing uncertainties (e.g., delays, jitters, etc.), some components of real-time CPMS are unpredictable in time. Hence, along with effective programming and networking abstractions, new resource allocation and scheduling strategies should be developed to guarantee predictable end-to-end timing constraints (Mubeen et al. 2020). The following attributes describe the predictability of a real-time CPS:

– Accuracy: Accuracy is a metric to compare the degree of closeness of a measured/observed outcome of a system to its actual/calculated outcome. A highly accurate system is capable of obtaining the actual outcome which is very close to the observed or measured outcome. In particular, for real-time CPS applications, where even slight inaccuracies may lead to system failure, high accuracy becomes of great importance. For instance, in a real-time motion-based object tracking system, if the sensor operates imperfectly, it will result in incorrect object position estimation, leading to system failure (Gunes et al. 2013).

– Compositionality: How well the nature of a system can be understood by investigating every constituent of it is determined by the compositionality of the system. In a highly compositional system, the behavior of its components provides the detailed behavior of the whole system. Designing a highly compositional real-time CPS is very challenging because the behavior of underlying physical components is chaotic. Thus, in designing a compositional real-time CPS, it is required to analyze the behavior of all cyber and physical components and devise cyber-physical methodologies for assembling CPSs from individual cyber and physical components. Further, it is essential to design standard test benches for the evaluation of all the components, and a holistic mathematical model of the overall system and its components.

4. Sustainability: The capability of a system to survive without compromising its requirements while concurrently renewing its resources and utilizing them efficiently is referred to as sustainability. A highly sustainable system is an enduring system with self-healing and dynamic tuning properties under evolving conditions. Sustainability is an important feature in real-time CPSs such as energy systems in terms of energy provision and management policies. For instance, the smart grid provides energy distribution, management, and customization by integrating the renewable energy sources (RESs). However, the intermittent properties of RESs and unknown load characterization impede the long-term sustainability of the smart grid. Maintaining sustainability requires planning and operation, real-time CPS performance measurements, dynamic optimization techniques for energy management, and designing and developing autonomous micro grids (Banerjee et al. 2012b; Momoh 2010).
Adaptability, resilience, reconfigurability, and efficiency are the major attributes of the sustainability of a real-time CPS:

– Adaptability: The capability of a system to adjust its state to endure by changing its own configuration against different circumstances in the environment is called adaptability of the system (Audrito et al. 2021). A highly adaptable system is capable of quickly adapting to evolving requirements/situations. For instance, adaptability is one of the important features in the next-generation air transportation systems. In the next-generation air transportation, the airspace performance is improved by its automatic air transportation network, which enables air vehicles to accommodate themselves to the evolving operational environment such as weather conditions, air vehicle routing and other pertinent flight trajectory patterns over satellites, air traffic congestion, and issues related to security (Agarwal 2012).

– Resilience: If a system is capable of keeping its quality of operation and delivery of service when exposed to any disturbance (which is well below its endurance limit), e.g., sudden defect, malfunctioning components, rising workload, etc., it is called a resilient system. A highly resilient system has the properties of self-healing, early detection, and fast recovery in case failures occur. The resilience capability is of great importance in safety-critical systems such as automated brake control in vehicular CPS, air and oxygen flow control over an automated medical ventilator, etc. Safety-critical CPSs are often required to operate even if some components are disrupted. Therefore, designing a perfect resilient real-time CPS needs comprehensive contingency analysis, the resilience features of the relevant application, and system evolution as a result of the dynamic nature of the operational environment (Denker et al. 2012; Kim et al. 2021).

– Reconfigurability: If a system is capable of changing its own configuration in the context of a failure or on request, it is called a reconfigurable system (Isern et al. 2020). However, to be a highly reconfigurable system, it should be self-configurable, i.e., capable of dynamically fine-tuning itself. A real-time CPS can be considered as an autonomously reconfigurable engineered system. In some real-time CPS applications, real-time and remote monitoring and control mechanisms are essential, e.g., international border monitoring, wildfire emergency management, gas pipeline monitoring, etc. According to the specific application, the operational requirements such as security threat level updates, regular code updates, efficient energy management, etc. may change in such applications, which requires substantial reconfiguration of the deployed sensor/actuator nodes or even the entire network to comply with the quality of service (QoS) regulations (Sanjay and Eronu 2012).

– Efficiency: The amount of resources such as energy, cost, time, etc., which is required by a system to provide specific functionalities, is referred to as efficiency (Bayhan et al. 2020). A highly efficient system is capable of operating appropriately with an optimum amount of resources. Efficiency is of great importance for energy management in real-time CPS applications like smart buildings.
For instance, smart buildings can turn off HVAC (heating, ventilation, and air-conditioning) units if the building is detected as vacant to save more energy. In addition, the smart buildings can provide automatic pre-heating or pre-cooling services according to the occupancy prediction techniques (Scott et al. 2011).

5. Security: Security is one of the important features of a system, which controls access to the system components and resources, monitors sensitive information, and protects them from unauthorized access. Thus, a highly secure system offers sophisticated protection mechanisms against unauthorized modification of information and unauthorized withholding of resources and should prevent the disclosure of sensitive information (Humayed et al. 2017; Olowononi et al. 2021). Some properties of real-time CPSs, such as scalability, complexity, and dynamic characteristic, make them vulnerable to cyber and physical attacks and failure (Ding et al. 2018; Li et al. 2015; Mitchell and Chen 2016). Eavesdropping, denial of service, and injecting fake sensor measurements or actuation requests related to cyber or physical components to disrupt the system operation or to steal sensitive information are some examples of malicious attacks. Utilizing large-scale networks (e.g., power grid or Internet), using unreliable communication protocols, and rapid adoption of commercial off-the-shelf (COTS) technologies are also the major factors which cause security threats to real-time CPSs (Anwar and Ali 2012). Security has the following attributes:

– Integrity: Integrity is a feature of a system to protect itself and the information within it from unauthorized modification to maintain the accuracy of the information. A system with high integrity offers hierarchical levels of authorization and consistency check mechanisms. Integrity is an essential feature of a real-time CPS. It is important to develop effective integrity check mechanisms for real-time CPSs in network packets, distinguishing malicious behaviors from the ambient noise, identifying false data injection and compromised sensor/actuator components, etc. Toward this end, it is important to investigate the characteristics of both cyber and physical components of real-time CPSs to develop a high integrity assurance (Mo and Sinopoli 2012).

– Confidentiality: Confidentiality of a system only allows authorized parties to access classified and sensitive information within the system. Therefore, a highly confidential system employs very secure mechanisms and protocols to protect itself from unauthorized access, disclosure, or tampering. In real-time CPS applications, data confidentiality is of great importance. For instance, in an emergency sensor network, attacks on confidential transmitted data may disrupt the emergency system or may degrade the performance of the emergency system. Sensitive information and confidential data which are transmitted via attacked sensor nodes can expose critical data to potential eavesdropping and can allow fake node identities to be generated in the network. In addition, false/corrupted data can flow in the network over the fake nodes. Thus, the confidentiality of data over the network should be kept at an appropriate level (Loukas et al. 2013; Hou et al. 2020).

6. Interoperability: The capability of the systems to interact with each other, exchange data/information, and use this data/information to deliver services is referred to as interoperability.
A highly interoperable system is capable of supplying or accepting services via communications and interoperation among components (Fatima et al. 2020). Unmanned aerial vehicles (UAVs) are among those systems that call for seamless communication between each other and various ground operating vehicles (Korki et al. 2019). However, the lack of interoperability standards makes complicated and critical missions ineffective. In smart grids, dynamic standards should also be developed to guarantee the interoperability of their components. Interoperability has the following attributes:

– Composability: The capability of merging different components within a system and their interrelationships is referred to as composability (Tolk 2020). If a given system is capable of recombining its components repeatedly to meet the specific requirements, it is called highly composable. Composability should be investigated in different aspects such as device composability, code composability, service composability, and system composability. Among these aspects, system composability is more challenging, and thus it needs appropriately defined composition methodologies that follow composition features. Further, requirements, tests, and evaluations should follow composition properties. Therefore, it is of great importance to incrementally add emerging systems/components to next-generation real-time CPSs without degrading the operation of the resulting system.

– Heterogeneity: Heterogeneity is an important feature of a system to form a complex whole by integrating a set of various interacting and interconnected components (Keshk et al. 2021). Real-time CPSs are intrinsically heterogeneous due to constituent physical dynamics, computational elements, control logic, and deployment of diverse communication technologies. Thus, real-time CPSs require heterogeneous composition of all system components. Future medical devices as real-time CPSs are likely to be interconnected in complex open systems with a plug-and-play property and thus necessitate a heterogeneous control network and closed-loop control of interconnected devices. However, those kinds of medical devices have a highly dynamic configuration according to patient-specific medical considerations. The ever-increasing emerging technologies transform next-generation medical systems into systems that offer situation-aware component autonomy, cooperative coordination, real-time guarantee, and heterogeneous personalized configurations more complex than those of current medical systems.

– Scalability: The capability of a system to continue its operation even when its size or workload is increased/decreased is called scalability (Zou 2021). Accordingly, the increase in system resources should lead to an increase in the system throughput. A highly scalable system is capable of distributing and collecting mechanisms to balance its workload and finding effective communication protocols to enhance its performance. In real-time CPSs, scalable embedded components with a programmable interconnected network can be employed to compensate for increasing computation demand in real-time CPSs (Gunes and Givargis 2014). In addition, in order to enable the real-time CPS components to join and leave the existing network dynamically, a high-performance and highly scalable infrastructure is essential. Toward this end, dynamic software updates facilitate the dynamic update of real-time CPS applications and make the use of real-time CPS resources more productive (Park et al. 2010).

In general, the challenges/attributes of real-time CPSs are related to each other. In Fig. 4 we highlight the overall view of system requirements/challenges for real-time CPS applications. However, real-time CPSs are a broad area of research and thus have various applications with different scales. All real-time CPS applications are required to be designed and developed taking into account their impact on the real world and the essential system-level challenges/requirements.
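
The integrity attribute under challenge 5 calls for checks that distinguish malicious behavior from ambient noise and identify false data injection and compromised sensors. The Python program below is an added example, not code from the chapter or the works it cites: each sensor gets a model-based observer and a CUSUM test on the residual between measurement and prediction. The scalar plant, the sensor names T1 and T2, the noise signal, the gains, and the thresholds are all assumptions constructed for the illustration.

```python
"""Model-based integrity check: flag sensors whose readings stop matching the plant model."""
import math
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed scalar plant (constructed for this example): x[k+1] = A*x[k] + B*u[k]
A, B = 0.9, 0.5
NOISE_AMPL = 0.1   # assumed bound on ambient sensor noise
OBS_GAIN = 0.5     # observer correction gain (assumed)
ALLOWANCE = 0.25   # CUSUM allowance: residual magnitude tolerated as noise
THRESHOLD = 0.5    # CUSUM level at which the sensor is reported
# With |noise| <= 0.1 and these gains, the noise-only residual stays below
# about 0.18, so a clean sensor never accumulates any CUSUM score.


@dataclass
class ResidualMonitor:
    """One observer plus CUSUM test per sensor."""
    x_hat: float = 0.0
    cusum: float = 0.0
    first_alarm: Optional[int] = None

    def step(self, k: int, y: float, u: float) -> float:
        residual = y - self.x_hat  # measurement vs. model prediction
        # Accumulate only the part of the residual that exceeds the noise allowance.
        self.cusum = max(0.0, self.cusum + abs(residual) - ALLOWANCE)
        if self.cusum > THRESHOLD and self.first_alarm is None:
            self.first_alarm = k
        # Correct the estimate with the measurement, then propagate it through the model.
        self.x_hat = A * (self.x_hat + OBS_GAIN * residual) + B * u
        return residual


def simulate(steps: int = 120, attack_start: Optional[int] = None,
             attacked_sensor: Optional[str] = None,
             bias: float = 1.0) -> Dict[str, Optional[int]]:
    """Run the plant with two sensors; return the first alarm step per sensor (None = no alarm)."""
    # Constructed sensors: name -> frequency of a deterministic, bounded noise signal.
    sensors = {"T1": 1.7, "T2": 2.3}
    monitors = {name: ResidualMonitor() for name in sensors}
    x, u = 0.0, 1.0
    for k in range(steps):
        for name, freq in sensors.items():
            y = x + NOISE_AMPL * math.sin(freq * k)
            if attack_start is not None and name == attacked_sensor and k >= attack_start:
                y += bias  # constructed false-data bias on one sensor
            monitors[name].step(k, y, u)
        x = A * x + B * u
    return {name: m.first_alarm for name, m in monitors.items()}


if __name__ == "__main__":
    print("clean trace:   ", simulate())
    print("T2 compromised:", simulate(attack_start=60, attacked_sensor="T2"))
```

Because every sensor has its own monitor, the alarm also names the component whose data no longer agrees with the physical model, which is the localization step the integrity attribute asks for.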

8 Conclusions

The real-time cyber-physical system (CPS) is a promising model for the design and development of current and next-generation engineered systems and is anticipated to have significant impact on human interaction with the physical world. The real-time CPS replaces the idea of an independent cyber or physical system with integrated system design using computation and communication components. This chapter presents the relevant terminology, related topics, significant challenges, practical applications, and dominant research domains of real-time CPSs. Due to its broad area of research, real-time CPSs span diverse applications in different scales. For each application, unique challenges and the integration of modern technologies into the relevant application are essential. We have also highlighted that the existing systems include limited perception of the real-time CPS requirements, and extensive design and development approaches are essential to achieve the overall system objectives.

References

R.K. Agarwal, Review of technologies to achieve sustainable (green) aviation, in Recent Advances in Aircraft Technology, Chapter 19 (Intechopen, 2012), InTech Europe, London, pp. 427–464
H. Ahmadi, A. Tarek, G. Indranil, Congestion control for spatio-temporal data in cyber-physical systems, in 1st ACM/IEEE International Conference on Cyber-Physical Systems (2010), pp. 89–98
A.E. Al-Fagih, S.M.A. Oteafy, H.S. Hassanein, A pricing scheme for porter based delivery in integrated RFID-Sensor Networks, in 37th Annual IEEE Conference on Local Computer Networks-Workshops (2012), pp. 827–834
S. Ali, S.B. Qaisar, H. Saeed, M.F. Khan, M. Naeem, A. Anpalagan, Network challenges for cyber physical systems with tiny wireless devices: a case study on reliable pipeline condition monitoring. Sensors (Basel) 15(4), 7172–7205 (2015)
R.W. Anwar, S. Ali, Trust based secure cyber physical systems, in Workshop on Trustworthy Cyber-Physical System in Conjunction with CONCUR (2012), pp. 1–11
K. Ashton, That ‘Internet of Things’ thing. RFID J. 22, 97–114 (2009)
R. Atat, L. Liu, J. Wu, G. Li, C. Ye, Y. Yang, Big Data meet cyber-physical systems: a panoramic survey. IEEE Access 6, 73603–73636 (2018)
L. Atzori, A. Iera, G. Morabito, The internet of things: a survey. Elsevier Comput. Netw. 54(15), 2787–2805 (2010)
G. Audrito, R. Casadei, F. Damiani, V. Stolz, M. Viroli, Adaptive distributed monitors of spatial properties for cyber–physical systems. J. Syst. Softw. 175, 110908 (2021)
R. Baheti, H. Gill, Cyber-physical systems. The Impact of Control Technology, IEEE (2011), pp. 161–166
A. Banerjee, S. Kandula, T. Mukherjee, S.K.S. Gupta, BAND-AiDe: a tool for cyber-physical oriented analysis and design of body area networks and devices. ACM Trans. Embed. Comput. Syst. (TECS) 11, 49 (2012a)
A. Banerjee, K.K. Venkatasubramanian, T. Mukherjee, S.K.S. Gupta, Ensuring safety, security, and sustainability of mission-critical cyber-physical systems. Proc. IEEE 100(1), 283–299 (2012b)
H. Bayhan, M. Meißner, P. Kaiser, M. Meyer, M. ten Hompel, Presentation of a novel real-time production supply concept with cyber-physical systems and efficiency validation by process status indicators. Int. J. Adv. Manuf. Technol. 108(1), 527–537 (2020)
G. Bhatia, K. Lakshmanan, R. Rajkumar, An end-to-end integration framework for automotive cyber-physical systems using SysWeaver, in AVICPS (2010), p. 23
D. Bradley, D.W. Russel, Mechatronics in Action (Springer, London, 2010)
R. Caceres, A. Friday, Ubicomp systems at 20: progress, opportunities, and challenges. IEEE Pervasive Comput. 11(1), 14–21 (2012)


F. Cai, J. Li, X. Koutsoukos, Detecting adversarial examples in learning-enabled cyber-physical systems using variational autoencoder for regression, in 2020 IEEE Security and Privacy Workshops (SPW) (2020), pp. 208–214
I. Chatzigiannakis, J.P. Drude, H. Hasemann, A. Kröller, Developing smart homes using the internet of things: how to demonstrate your system. Distrib. Ambient Pervasive Interact. 8530(16), 415–426 (2014). Springer International Publishing
M. Chen, J. Wan, F. Li, Machine-to-machine communications: architectures, standards and applications. KSII Trans. Internet Inf. Syst. 6(2), 480–497 (2012)
G. Denker, N. Dutt, S. Mehrotra, M.-O. Stehr, C. Talcott, N. Venkatasubramanian, Resilient dependable cyber-physical systems: a middleware perspective. J. Internet Serv. Appl. 3(1), 41–49 (2012)
D. Ding, Q.-L. Han, Y. Xiang, X. Ge, X.-M. Zhang, A survey on security control and attack detection for industrial cyber-physical systems. Neurocomputing 275, 1674–1683 (2018)
Disruptive Civil Technologies, Disruptive Civil Technologies: Six Technologies with Potential Impacts on US Interests Out to 2025 (National Intelligence Council (U.S.), Washington, DC, 2008)
E.Y. Erdem, Y.-M. Chen, M. Mohebbi, J.W. Suh, G.T.A. Kovacs, R.B. Darling, K.F. Böhringer, Thermally actuated omnidirectional walking microrobot. J. Microelectromech. Syst. 19(3), 433–442 (2010)
M. Farajzadeh-Zanjani, E. Hallaji, R. Razavi-Far, M. Saif, Generative adversarial dimensionality reduction for diagnosing faults and attacks in cyber-physical systems. Neurocomputing 440, 101–110 (2021)
H. Farhangi, The path of the smart grid. IEEE Power Energy Mag. 8(1), 18–28 (2010)
I. Fatima, S.R. Malik, A. Anjum, N. Ahmad, Cyber physical systems and IoT: architectural practices, interoperability, and transformation. IT Professional 22(3), 46–54 (2020)
B. Finkbeiner, A. Keller, J. Schmidt, M. Schwenger, Robust monitoring for medical cyber-physical systems, in Proceedings of the Workshop on Medical Cyber Physical Systems and Internet of Medical Things (2021), pp. 17–22
L. Gide, Embedded/cyber-physical systems ARTEMIS major challenges: 2014–2020. Draft Addendum to the ARTEMIS-SRA 2011, 2013. Retrieved on 14 July 2019 from http://www.artemis-ia.eu/publication/download/publication/910/file/ARTEMISIA_SRA_Addendum.pdf (2013)
F. Golatowski, J. Blumenthal, M. Handy, M. Haase, H. Burchardt, D. Timmermann, Service-oriented software architecture for sensor networks, in International Workshop on Mobile Computing (IMC) (2003), pp. 93–98
J.M. Goldman, R.A. Schrenker, J.L. Jackson, S.F. Whitehead, Plug-and-play in the operating room of the future. Biomed. Instrum. Technol. 39(3), 194–199 (2005)
Y. Guan, J. Zhang, Z. Shi, Y. Wang, Y. Li, Formalization of continuous Fourier transform in verifying applications for dependable cyber-physical systems. J. Syst. Archit. 106, 1–707 (2020)
V. Gunes, T. Givargis, XGRID: a scalable many-core embedded processor, in 11th IEEE International Conference on Embedded Software and Systems (ICESS) (2014), pp. 1143–1146
V. Gunes, S. Peter, T. Givargis, Modeling and mitigation of faults in cyber-physical systems with binary sensors, in 2013 IEEE 16th International Conference on Computational Science and Engineering (2013), pp. 515–522
V. Gunes, S. Peter, T. Givargis, F. Vahid, A survey on concepts, applications, and challenges in cyber-physical systems. KSII Trans. Internet Inf. Syst. 8(12), 4242–4268 (2014)
R.A. Gupta, M.-Y. Chow, Networked control system: overview and research trends. IEEE Trans. Ind. Electron. 57(7), 2527–2535 (2010)
S.A. Haque, S.M. Aziz, M. Rahman, Review of cyber-physical system in healthcare. Int. J. Distrib. Sensor Netw. 10(4), 1–20 (2014)
A.A. Hopgood, Intelligent Systems for Engineers and Scientists, 3rd edn. (CRC Press, Boca Raton, 2012)
J. Hou, Q. Li, S. Cui, S. Meng, S. Zhang, Z. Ni, Y. Tian, Low-cohesion differential privacy protection for industrial internet. J. Supercomput. 76(11), 8450–8472 (2020)


H. Huang, L. Sun, Q.X. Yang, F. Zhang, Integrating neuromuscular and cyber systems for neural control of artificial legs, in 2010 ACM/IEEE ICCPS (2010), pp. 129–138
A. Humayed, J. Lin, F. Li, B. Luo, Cyber-physical systems security–a survey. IEEE Internet Things J. 4(6), 1802–1831 (2017)
M. Ilic, X. Le, U.A. Khan, J.M.F. Moura, Modeling of future cyber–physical energy systems for distributed sensing and control. IEEE Trans. Syst. Man Cybern. Part A: Syst. Hum. 40(4), 825–838 (2010)
J. Isern, F. Barranco, D. Deniz, J. Lesonen, J. Hannuksela, R.R. Carrillo, Reconfigurable cyber-physical system for critical infrastructure protection in smart cities via smart video-surveillance. Pattern Recogn. Lett. 140, 303–309 (2020)
M. Jamshidi, System of Systems Engineering: Innovations for the 21st Century (Wiley, Hoboken, 2008)
K.D. Kang, S.H. Son, Real-time data services for cyber physical systems, in 2008 The 28th International Conference on Distributed Computing Systems Workshops (2008), pp. 483–488
W. Kang, Adaptive Real-Time Data Management for Cyber-Physical Systems. PhD thesis, University of Virginia, Charlottesville, 2009
M. Keshk, B. Turnbull, E. Sitnikova, D. Vatsalan, N. Moustafa, Privacy-preserving schemes for safeguarding heterogeneous data sources in cyber-physical systems. IEEE Access 9, 55077–55097 (2021)
S.K. Khaitan, J.D. McCalley, Design techniques and applications of cyberphysical systems: a survey. IEEE Syst. J. 9(2), 350–365 (2015)
K.-D. Kim, P.R. Kumar, Cyber–physical systems: a perspective at the centennial. Proc. IEEE Special Centennial Issue 100, 1287–1308 (2012)
S. Kim, Y. Eun, K.-J. Park, Stealthy sensor attack detection and real-time performance recovery for resilient CPS. IEEE Trans. Ind. Inform. 17, 7412–7422 (2021)
L. Kong, D. Jiang, M.Y. Wu, Optimizing the spatio-temporal distribution of cyber-physical systems for environment abstraction, in 2010 IEEE 30th International Conference on Distributed Computing Systems (2010), pp. 179–188
H. Kopetz, Real-Time Systems Design Principles for Distributed Embedded Applications (Springer, London, 2011)
M. Korki, H. Zayyani, Weighted diffusion continuous mixed p-norm algorithm for distributed estimation in non-uniform noise environment. Signal Process. 164, 225–233 (2019)
M. Korki, N.D. Shankar, R. Naymeshbhai Shah, S.M. Waseem, S. Hodges, Automatic fault detection of power lines using unmanned aerial vehicle (UAV), in 2019 1st International Conference on Unmanned Vehicle Systems-Oman (UVS) (2019), pp. 1–6
A. Koubaa, B. Andersson, A vision of cyber physical internet, in Proceedings of the 8th International Workshop on Real-Time Networks (2009)
T. Kovácsházy, Distributed architecture for real-time cyber-physical system, time-sensitive networks, in 2018 19th International Carpathian Control Conference (ICCC) (2018), pp. 1–3
H. Koziolek, R. Weiss, Z. Durdik, J. Stammel, K. Krogmann, Towards software sustainability guidelines for long-living industrial systems, in 3rd Workshop of GI Working Group ’Long-Living Software Systems (L2S2)’: Design for Future 2011 (DFF’11) (2011), pp. 47–58
P.A. Laplante, Real-Time Systems Design and Analysis (Wiley, Chichester, 2004)
J. Lau, C. Tham, T. Luo, Participatory cyber physical system in public transport application, in 2011 Fourth IEEE International Conference on Utility and Cloud Computing (2011), pp. 355–360
E.A. Lee, Cyber physical systems: design challenges, in 2008 11th IEEE International Symposium on Object and Component-Oriented Real-Time Distributed Computing (ISORC) (2008), pp. 363–369
W. Leon, G. Kaiser, FARE: a framework for benchmarking reliability of cyber-physical systems, in 2013 IEEE Long Island Systems, Applications and Technology Conference (LISAT) (2013), pp. 1–6
C.H. Li, H.K. Lau, Integration of industry 4.0 and assessment model for product safety, in 2018 IEEE Symposium on Product Compliance Engineering (ISPCE) (2018), pp. 1–5

538

M. Korki et al.

L. Li, C.-J.M. Liang, J. Liu, ThermoCast: a cyber-physical forecasting model for data centers, in KDD (2011), pp. 1370–1378 Y. Li, L. Shi, P. Cheng, J. Chen, D.E. Quevedo, Jamming attacks on remote state estimation in cyber-physical systems: a game-theoretic approach. IEEE Trans. Autom. Control 60(10), 2831–2836 (2015) S. Lim, L. Chung, O. Han, J. Kim, An interactive cyber-physical system (CPS) for people with disability and frail elderly people, in 5th International Conference on Ubiquitous Information Management and Communication (2011), p. 113 D. Locke, Real-time databases: real-world requirements, in Real-Time Database Systems: Issues and Applications, ed. by A. Bestavros, K.-J. Lin, S.H. Son (Kluwer Academic Publishers, Boston/Dordrecht, 1997), pp. 83–91 G. Loukas, D. Gan, T. Vuong, A review of cyber threats and defense approaches in emergency management. Futur. Internet 5(2), 205–236 (2013) C. Lu, A. Saifullah, B. Li, S. Mo, H. Gonzalez, D. Gunatilaka, C. Wu, L. Nie, Y. Chen, Real-time wireless sensor-actuator networks for industrial cyber-physical systems. Proc. IEEE 104(5), 1013–1024 (2016) Y. Lu, L. Chang, K. Yang, Q. Zhao, Y. Chen, Study on system of systems capability modeling framework based on complex relationship analyzing, in 2010 IEEE International Systems Conference (2010), pp. 23–28 Y. Luo, K. Chakrabarty, T.-Y. Ho, A cyberphysical synthesis approach for error recovery in digital microfluidic biochips, in 2012 Design, Automation & Test in Europe Conference & Exhibition (DATE) (2012), pp. 1–6 Y. Luo, Y. Xiao, L. Cheng, G. Peng, D. Yao, Deep learning-based anomaly detection in cyberphysical systems: progress and opportunities. ACM Comput. Surv. (CSUR) 54(5), 1–36 (2021) Z. Lv, D. Chen, R. Lou, A. Alazab, Artificial intelligence for securing industrial-based cyber– physical systems. Future Gener. Comput. Syst. 117, 291–298 (2021) W. Meng, R. Ma, H.-H. Chen, Smart grid neighborhood area networks: a survey. IEEE Netw. 28(1), 24–32 (2014) R. 
Mitchell, I.-R. Chen, Modeling and analysis of attacks and counter defense mechanisms for cyber physical systems. IEEE Trans. Reliab. 65(1), 350–358 (2016) L. Mo, X. Cao, J. Chen, Y. Sun, Collaborative estimation and actuation for wireless sensor and actuator networks, in 19th World Congress the International Federation of Automatic Control (2014), pp. 5544–5549 Y. Mo, B. Sinopoli, Integrity attacks on cyber-physical systems, in 1st ACM International Conference on High Confidence Networked Systems (HiCoNS) (2012), pp. 47–54 J.A. Momoh, Fundamentals of analysis and computation for the smart grid, in IEEE Power and Energy Society General Meeting (2010), pp. 1–5 R. Monica, H.A. Dinesha, V.K. Agrawa, Cloud computing – phone call as a service: a concept, in 2013 International Conference on Advances in Computing, Communications and Informatics (ICACCI) (2013), pp. 236–242 S. Mubeen, E. Lisova, A. Vulgarakis Feljan, Timing predictability and security in safety-critical industrial cyber-physical systems: a position paper. Appl. Sci. 10(9), 3125 (2020) J. Nagi, J. Olah, E. Erdei, D. Mate, J. Popp, The role and impact of industry 4.0 and the internet of things on the business strategy of the value chain–the case of Hungary. Sustainability 10(3491), 1–25 (2018) Networking and Information, Winning the future with science and technology for 21st century Smart systems. Networking and Information Technology Research and Development (NITRD) Program. Retrieved on 14 July 2019 from http://www.nitrd.gov/nitrdgroups/images/1/12/CPS_ OSTP_ResponseWinningTheFuture.pdf (2011) F.O. Olowononi, D.B. Rawat, C. Liu, Federated learning with differential privacy for resilient vehicular cyber physical systems, in 2021 IEEE 18th Annual Consumer Communications & Networking Conference (CCNC) (2021), pp. 1–5 L. Parilini, N. Tolia, B. Sinopoli, B.H. Krogh, A cyber-physical systems approach to energy management in data centers, in ACM/IEEE ICCPS (2010), pp. 168–177

15 Real-Time Cyber-physical Systems: State-of-the-Art and Future Trends

539

M.J. Park, D.K. Kim, W.-T. Kim, S.-M. Park, Dynamic software updates in cyber-physical systems, in IEEE International Conference on Information and Communication Technology Convergence (ICTC) (2010), pp. 425–426 S. Paul, J. Pan, R. Jain, Architectures for the future networks and the next generation Internet: a survey. Comput. Commun. 34(1), 2–42 (2011) B. Penzenstadler, J. Eckhardt, A requirements engineering content model for cyber-physical systems, in 2012 Second IEEE International Workshop on Requirements Engineering for Systems, Services, and Systems-of-Systems (RESS) (2012), pp. 20–29 M.A. Pisching, M.A.O. Pessoa, F. Junqueira, P.E. Miyagi, PFS/PN technique to model industry 4.0 systems based on RAMI 4.0, in 2018 IEEE 23rd International Conference on Emerging Technologies and Factory Automation (ETFA) (2018), pp. 1153–1156 F. Qu, F.-Y. Wang, L. Yang, Intelligent transportation spaces: vehicles, traffic, communications, and beyond. IEEE Commun. Mag. 48(11), 136–142 (2010) M.M. Rahman, N. Nower, Requirements model for cyber-physical system. Archive (2017) K. Ramamritham, Real-time databases. Distrib. Parallel Databases Special Issue: Res. Top. Distrib. Parallel Databases 1(2), 199–226 (1993) M. Rungger, P. Rungger, A notion of robustness for cyber-physical systems. IEEE Trans. Autom. Control 61(8), 2108–2123 (2016) A.Y. Saber, G.K. Venayagamoorthy, Efficient utilization of renewable energy sources by gridable vehicles in cyber-physical energy systems. IEEE Syst. J. 4(3), 285–294 (2010) T. Samad, A.M. Annaswamy, Systems of systems, in The Impact of Control Technology (2011), pp. 175–183 T. Sanislav, L. Miclea, Cyber-physical systems-concept, challenges and research areas. J. Control Eng. Appl. Inf. 14(2), 28–23 (2012) M. Sanjay, E. Eronu, Implementing reconfigurable wireless sensor netwoks: the embedded operating system approach, in Embedded Systems – High Performance Systems, Applications and Projects, Chapter 11 (Intechopen, 2012), London, pp. 221–232 J. 
Scott, A.J. Brush, J. Krumm, B. Meyers, M. Hazas, S. Hodges, N. Villar, PreHeat: controlling home heating using occupancy prediction, in 13th ACM International Conference on Ubiquitous Computing (2011), pp. 281–290 A. Sheth, P. Anantharam, C. Henson, Physical-cyber-social computing: an early 21st century approach. IEEE Intell. Syst. 28(1), 78–82 (2013) O. Sokolsky, Medical cyber-physical systems, in 2011 18th IEEE International Conference and Workshops on Engineering of Computer-Based Systems (2011), pp. 743–748 T. Springer, S. Peter, T. Givargis, Resource synchronization in hierarchically scheduled real-time systems using preemptive critical sections, in 2014 IEEE 17th International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing (2014), pp. 293–300 J.A. Stankovic, S.H. Son, J. Hansson, Misconceptions about real-time databases. Computer 32(6), 29–36 (1999) G. Suciu, M. Anwar, I. Rogojanu, A. Pasat, A. Stanoiu, Big data technology for scientific applications, in 2018 Conference Grid, Cloud High Performance Computing in Science (ROLCG) (2018), pp. 1–4 S.C. Suh, U.J. Tanik, J.N. Carbone, A. Eroglu (eds.), Applied Cyber-Physical Systems (Springer, New York, 2014) A. Tolk, Composability challenges for effective cyber physical systems applications in the domain of cloud, edge, and fog computing, in Simulation for Cyber-Physical Systems Engineering (2020), pp. 25–42 Germany Trade&Invest, Industrie 4.0 – smart manufacturing for the future. Draft Addendum to the ARTEMIS-SRA 2011, 2013. Retrieved on July 14, 2019 from https://www.its-owl.de/fileadmin/ PDF/News/2014-01-14-Industrie_4.0-Smart_Manufacturing_for_the_Future_German_Trade_ Invest.pdf (2013) H.S. Tsien, Engineering Cybernetics (McGraw-Hill, Intech Europe, 1954) New York S. Ur Rehman, V. Gruhn, An approach to secure smart homes in cyber-physical systems/Internetof-Things, in 2018 Fifth International Conference on Software Defined Systems (SDS) (2018), pp. 126–129

540

M. Korki et al.

A. Wagh, X. Li, J. Wan, C. Qiao, C. Wu, Human centric data fusion in vehicular cyber-physical systems, in 2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS) (2011), pp. 684–689 D.S. Watson, M.A. Piette, O. Sezgen, N. Motegi, Machine to machine (M2M) technology in demand responsive commercial buildings, in 2004 ACEEE Summer Study on Energy Efficiency in Buildings (2004), pp. 22–27 S. Xu, I. Koren, C.M. Krishna, Enhancing dependability and energy efficiency of cyber-physical systems by dynamic actuator derating. Sustain. Comput. Inform. Syst. 28, 100–411 (2020) H. Yan, J.F. Wan, H. Suo, Adaptive resource management for cyber-physical systems. Appl. Mech. Mater. 158, 747–751 (2012) X. Yao, J. Zhou, Y. Lin, Y. Li, H. Yu, Y. Liu, Smart manufacturing based on cyber-physical systems and beyond. J. Intell. Manuf. 30, 2805–2817 (2019) H. Zayyani, F. Haddadi, M. Korki, Double detector for sparse signal detection from one-bit compressed sensing measurements. IEEE Sig. Process. Lett. 23(11), 1637–1641 (2016a) H. Zayyani, M. Korki, F. Marvasti, A distributed 1-bit compressed sensing algorithm robust to impulsive noise. IEEE Commun. Lett. 20(6), 1132–1135 (2016b) H. Zayyani, R. Sari, M. Korki, A distributed 1-bit compressed sensing algorithm for nonlinear sensors with a Cramer–Rao bound. IEEE Commun. Lett. 21(12), 2626–2629 (2017) F. Zhang, Z. Shi, W. Wolf, A dynamic battery model for co-design in cyber-physical systems, in IEEE International Conference on Distributed Computing Systems Workshops (2009), pp. 51–56 F. Zhao, F. Wen, Y. Xue, X. Li, Z. Dong, Cyber physical power systems: architecture, implementation techniques and challenges. Dianli Xitong Zidonghua/Autom. Electr. Power Syst. 34(16), 1–7 (2010) Y. Zhou, J.S. Baras, CPS Modeling Integration Hub and Design Space Exploration with Application to Microrobotics (Springer International Publishing, Heidelberg, 2013), pp. 23–42 A. 
Zou, Efficient and Scalable Computing for Resource-Constrained Cyber-Physical Systems: A Layered Approach. PhD thesis, Washington University in St. Louis, 2021

16 Real-Time Data Analytics in Internet of Things Systems

Tianqi Yu and Xianbin Wang

Contents
1 Introduction to Real-Time Data Analytics in IoT Systems
1.1 Fundamentals of IoT Systems
1.2 Data Analytics in IoT Systems
2 Architectures for Real-Time Data Analytics in IoT Systems
2.1 Cloud-Based IoT System Architecture
2.2 Edge-Cloud Collaborative IoT System Architecture
3 Applications of Real-Time Data Analytics in IoT Systems
3.1 Smart City
3.2 Smart Healthcare
3.3 Smart Grid
3.4 Social Network
3.5 Environmental Monitoring
3.6 Industrial IoT
4 Challenges and Future Research Directions
4.1 Optimized Collaboration Between Edge and Cloud Computing
4.2 Autonomous Collaborations Among IoT End Devices
4.3 Cost-Efficient Event Management
4.4 Real-Time Security and Privacy Protection
5 Conclusion
References

Abstract

With the pervasive deployment of the Internet of Things (IoT) technology, the number of connected IoT end devices is growing explosively, and these devices continuously generate a massive amount of data. Real-time analytics of the IoT data can provide timely and useful information for decision-making in the IoT systems, which can enhance both system efficiency and reliability. More specifically, real-time data analytics in IoT systems is utilized to effectively process the discrete IoT data series within a bounded completion time and provide services such as data classification, pattern analysis, and tendency prediction. However, the continuous generation of IoT data from heterogeneous devices brings huge technical challenges to real-time analytics. Thus, how to process the massive and heterogeneous IoT data in a timely manner needs to be seriously considered in the design of IoT systems. This chapter provides a comprehensive study of real-time data analytics in IoT systems. The characteristics of real-time analytics in IoT systems are first elucidated. Suitable architectures of IoT systems that can support real-time data analytics are thoroughly analyzed. Afterward, a comprehensive survey of the existing applications of real-time analytics in IoT systems is conducted from the perspectives of system design and shortcomings of performance. Finally, the main challenges remaining in the application of real-time analytics in IoT systems are pointed out, and the future research directions of related areas are also identified.

T. Yu · X. Wang
Department of Electrical and Computer Engineering, Western University, London, ON, Canada
© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_38

Keywords Real-time analytics · Big data analytics · Edge computing · Cloud computing · Internet of Things (IoT)

1 Introduction to Real-Time Data Analytics in IoT Systems

With the rapid development of communications, computing, and embedded systems technologies, Internet of Things (IoT) systems have been pervasively deployed in different kinds of application scenarios, such as smart home, smart healthcare, and intelligent transportation, as presented in Fig. 1 (Gubbi et al. 2013). As a result, the number of IoT end devices involved keeps growing explosively and is expected to reach 18 billion in 2022 (Qureshi 2014). These devices directly interact with the real world and continuously generate a massive amount of IoT data, which brings huge challenges to the data analytics in IoT systems, particularly the data analytics with a critical requirement of completion time. Thus, real-time data analytics needs to be seriously considered in the IoT systems. In this section, the conceptual architecture of IoT systems is first introduced, which provides a blueprint of the whole system. Data analytics in the IoT systems is further analyzed from the perspectives of IoT data characteristics and taxonomy of IoT data analytics, where real-time analytics is highlighted.

1.1 Fundamentals of IoT Systems

The fundamentals of IoT systems are introduced here with the conceptual system architecture. As shown in Fig. 2, an IoT system generally consists of three major components, namely, sensing layer, communication layer, and analytics layer.

Fig. 1 Applications of IoT systems, such as smart healthcare, smart home, and intelligent transportation (panels: Industry 4.0, smart home, smart healthcare, intelligent transportation)

Fig. 2 Conceptual architecture of IoT systems (from top to bottom: analytics layer with data center and edge/cloud computing; communication layer with multi-services gateways; sensing layer with heterogeneous smart devices, vehicular ad hoc networks, and wireless sensor networks)

• Sensing layer, composed of IoT end devices, is the most fundamental component in the IoT systems. It is responsible for sensing and collecting the environmental information and also for reacting to the feedback and instructions received from the upper layers. In heterogeneous IoT systems, IoT end devices are highly diverse and have different capabilities of computing, communication, and storage. Besides, these devices can be self-organized into several subnets, such as vehicular ad hoc networks (VANETs) and wireless sensor networks (WSNs). Therefore, it is a tough task to effectively coordinate and manage the massive amount of heterogeneous IoT end devices and subnets in the sensing layer.
• Communication layer, supported by multi-services gateways, is the core network for IoT data communications, including the uplink for the uploading of sensing data and the downlink for the delivery of feedback. Given the heterogeneous IoT end devices, multiple kinds of communication protocols are involved in the IoT systems. Thus, multi-services gateways are needed to facilitate the data communications throughout the systems, such as the micro base station, wireless access point, and mobile gateway (e.g., unmanned aerial vehicle (UAV)).
• Analytics layer is responsible for IoT data processing and analysis. In the IoT systems, data analytics can be flexibly located. IoT data can be locally processed at the IoT end devices, though these devices have limited resources and can only provide elementary processing. IoT data can also be uploaded to the remote data center or cloud computing platform for comprehensive processing and analysis, but processing at and communication with the remote platform can lead to high latency. Thus, edge computing has been introduced into the IoT systems as a compromise, which is closer to the IoT end devices and can provide real-time responses to the local devices. The specific design of system architecture for the support of real-time data analytics in the IoT systems is analyzed in more detail in Sect. 2.

1.2 Data Analytics in IoT Systems

With the tremendous increment in the number of IoT end devices, a massive amount of IoT data are generated as a consequence. However, due to the unique characteristics of IoT data, data analytics in IoT systems is not identical to the conventional big data analytics. Thus, the characteristics of IoT data are firstly identified in this subsection. The taxonomy of IoT data analytics is further analyzed, where the focus of this chapter, namely, real-time analytics, is highlighted.

1.2.1 IoT Data Characteristics

The well-known properties of big data are the three Vs, namely, volume, velocity, and variety, as depicted in Fig. 3 (Russom et al. 2011).

Fig. 3 Three Vs of big data: volume, velocity, and variety (volume: amount of data generated; online and offline transactions; in kilobytes or terabytes; saved in records, tables, files. Velocity: speed of generating data; generated in real time; online and offline data; in streams, batch or bits. Variety: structured and unstructured; online images and videos; human generated texts; machine generated readings)

Though they have the three Vs in common, IoT data still differ from conventional big data in several aspects (Mohammadi et al. 2018). The unique characteristics of IoT data are listed as follows (Chen et al. 2014):

• Large scale: With the pervasive deployment of large-scale IoT systems, a large number of IoT end devices are involved in the systems and continuously generate a massive amount of data. In most IoT systems, not only the real-time data but also the historical data are needed to provide the descriptions of user patterns, environmental trends, etc. Thus, both the real-time and historical data have to be processed, analyzed, and stored in the IoT systems, which gives IoT data the characteristic of large scale.
• Heterogeneity: The sensing layer of an IoT system, as shown in Fig. 2, is highly diverse and comprises heterogeneous devices and subnets. Different from the traditional homogeneous wireless networks, data generated by the heterogeneous IoT end devices are not identical in format and may even be unstructured, which results in heterogeneity.
• Temporal and spatial correlation: IoT data are generally labeled with both location information and timestamp, as most of the IoT systems are context-aware. The labeled IoT data are highly correlated in temporal and spatial domains because the environmental parameters sensed and sampled by the IoT end devices vary in mild trends. Given this statistical characteristic of temporal and spatial correlation, IoT data can be easily processed with both the statistical tools and the machine learning methods.
• Taint: Due to the low-cost feature of IoT end devices, these tiny devices are vulnerable to different kinds of attacks and also to self-malfunctions, which can lead to abnormal IoT data. Therefore, data pre-processing, particularly data cleaning, is generally needed before data analysis is performed.
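An added example (not from the chapter) of the data cleaning the Taint item calls for, using the temporal correlation described just above it: a reading that breaks sharply from a device's recent accepted values is rejected unless the new level holds steady. The class name, thresholds, sensor range and sample readings are assumptions made for illustration.

```python
import math
from collections import deque
from statistics import median


class TemporalCleaner:
    """Per-device streaming filter. Each check costs O(window), so latency is bounded."""

    def __init__(self, lo, hi, window=8, warmup=4, k=6.0, min_scale=0.2, shift_len=5):
        self.lo, self.hi = lo, hi      # physically plausible range for this sensor type
        self.window = window           # accepted readings kept as the local baseline
        self.warmup = warmup           # readings accepted before deviation is judged
        self.k = k                     # tolerated deviation, in robust-scale units
        self.min_scale = min_scale     # floor, so a flat signal does not give scale 0
        self.shift_len = shift_len     # consistent outliers that count as a real change
        self.history = {}              # device -> deque of accepted values
        self.pending = {}              # device -> deque of consecutive outliers
        self.last_ts = {}              # device -> newest timestamp already judged

    def check(self, device, ts, value):
        """Return 'accept', 'accept:rebaseline' or 'reject:<reason>' for one reading."""
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return "reject:not-a-number"
        if not math.isfinite(value):
            return "reject:not-a-number"
        if not self.lo <= value <= self.hi:
            return "reject:out-of-range"
        if ts <= self.last_ts.get(device, float("-inf")):
            return "reject:stale-timestamp"     # replayed or out-of-order sample
        self.last_ts[device] = ts

        hist = self.history.setdefault(device, deque(maxlen=self.window))
        if len(hist) >= self.warmup:
            med = median(hist)
            mad = median(abs(v - med) for v in hist)   # robust spread of the baseline
            limit = self.k * max(1.4826 * mad, self.min_scale)
            if abs(value - med) > limit:
                pend = self.pending.setdefault(device, deque(maxlen=self.shift_len))
                pend.append(value)
                sustained = len(pend) == self.shift_len and max(pend) - min(pend) <= limit
                if not sustained:
                    return "reject:outlier"
                # The new level has held steady: adopt it instead of rejecting forever.
                hist.clear()
                hist.extend(pend)
                del self.pending[device]
                return "accept:rebaseline"
        self.pending.pop(device, None)
        hist.append(value)
        return "accept"


# Constructed sample: (device, timestamp in s, value in degrees C) from one temperature node.
SAMPLE = [
    ("t1", 0, 21.0), ("t1", 1, 21.1), ("t1", 2, 21.0), ("t1", 3, 21.2),
    ("t1", 4, 21.1), ("t1", 5, 21.3),
    ("t1", 6, 85.0),            # isolated spike
    ("t1", 7, 21.2),
    ("t1", 7, 21.2),            # same timestamp delivered again
    ("t1", 8, float("nan")),    # malfunctioning converter
    ("t1", 9, 300.0),           # outside the sensor's range
    ("t1", 10, 26.0), ("t1", 11, 26.1), ("t1", 12, 26.0), ("t1", 13, 26.2),
    ("t1", 14, 26.1),           # fifth consistent reading at the new level
    ("t1", 15, 26.1),
]


def clean(stream, cleaner=None):
    """Return (verdicts, accepted_readings) for an iterable of (device, ts, value)."""
    cleaner = cleaner or TemporalCleaner(lo=-40.0, hi=125.0)
    verdicts, kept = [], []
    for device, ts, value in stream:
        verdict = cleaner.check(device, ts, value)
        verdicts.append(verdict)
        if verdict.startswith("accept"):
            kept.append((device, ts, value))
    return verdicts, kept


if __name__ == "__main__":
    for reading, verdict in zip(SAMPLE, clean(SAMPLE)[0]):
        print(reading, verdict)
```

Because a sustained, self-consistent level is eventually adopted, this filter separates transient corruption from lasting change but cannot tell a persistent false value from a true one; comparing spatially correlated neighbouring devices is the complementary check.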


1.2.2 Taxonomy of IoT Data Analytics

Analytics refers to “the scientific process of transforming data into insights for the purpose of making better decisions” (INFORMS 2012). IoT data analytics, in turn, is the computational process of transforming the IoT data collected from the heterogeneous IoT end devices into insights through data processing and analysis, for decision-making in the IoT systems. The history of IoT data analytics is as long as that of IoT systems themselves, and several efforts have therefore been devoted to the processing and analysis of IoT data. According to the different requirements of dataset and completion time, data analytics in IoT systems can be classified into historical analytics and real-time analytics, as shown in Fig. 4. Moreover, in conventional big data analytics, considering the different processing stages, the analytics can be categorized into four types, namely, descriptive analytics, diagnostic analytics, predictive analytics, and prescriptive analytics (Bekker 2017). These four types are also integrated into the taxonomy diagram of IoT data analytics, according to the type of dataset usage, the requirement of processing time, and the stage of the processing procedure.

Fig. 4 Taxonomy of data analytics in IoT systems (IoT data analytics divides into historical analytics, comprising descriptive and diagnostic analytics, and real-time analytics, comprising predictive and prescriptive analytics)

Historical Analytics

Historical analytics is based on the IoT data that have been collected and stored in the database for a certain while, and can be further classified into descriptive analytics and diagnostic analytics. Descriptive analytics is the foundation of IoT data processing, which uncovers the patterns behind the raw data. Diagnostic analytics is used to find out the reasons behind certain patterns.

• Descriptive analytics: Descriptive analytics is the process of transforming raw data collected from multiple data sources into useful information, which describes the past. For example, a clinic records the number of patients that were hospitalized last month. However, the findings of descriptive analytics simply describe the facts, without inferring the reasons behind them. Therefore, descriptive analytics alone can hardly support the highly data-driven application scenarios of the IoT systems, where other types of data analytics are still needed.
• Diagnostic analytics: At the stage of diagnostic analytics, historical data from multiple data sources are jointly analyzed with the diagnostic tools to find out the reasons behind the facts provided by descriptive analytics. Through diagnostic analytics, it is possible to identify the hidden data patterns and underlying relations among data, which can provide in-depth insights into a particular problem. In the meantime, IoT systems should have detailed information at their disposal; otherwise, data collection may turn out to be individual for every issue and time-consuming.

Real-Time Analytics

Real-time analytics in IoT systems focuses on the design of IoT system architecture that must complete the data analytics and return responses within a certain time frame, which is known as the deadline. According to the requirements of different applications, the deadline could range from nanoseconds in computer network communications to milliseconds in medical diagnosis. Missing the deadline will violate the system requirements, while completing a task much earlier than the deadline may consume extra system resources and deteriorate the overall performance of multitasking systems. Fast responses and precise timing control are typical features of real-time analytics. Real-time analytics can be further classified into predictive analytics and prescriptive analytics, which have more critical requirements on real-time responses as compared to descriptive and diagnostic analytics. Besides, instead of the historical data stored in the database, predictive and prescriptive analytics rely more on the real-time data continuously and timely collected from the IoT end devices. Based on the patterns identified by descriptive analytics, predictive analytics can predict future patterns by using real-time data. Prescriptive analytics is the final stage of IoT data analytics, which makes decisions based on the results of predictive analytics and provides the corresponding reaction and feedback.

• Predictive analytics: Based on the findings of descriptive and diagnostic analytics, predictive analytics serves as a forecasting tool, which can support the detection of tendencies and the prediction of future trends. Taking advantage of predictive analytics, an industrial IoT system, for instance, can identify the machines that are most likely to break down and prepare reactions in advance to minimize the potential loss. Although predictive analytics has numerous advantages, it is worth being aware of the risks of wrong predictions, since the accuracy of prediction highly depends on the data quality and stability of the situation. Therefore, it is necessary to treat the prediction carefully and optimize it continuously.
• Prescriptive analytics: The objective of prescriptive analytics is to prescribe what actions to take so that a potential issue can be eliminated and a promising trend can be fully utilized. An example of prescriptive analytics is that a large-scale IoT surveillance system can prevent the occurrence of bad accidents in time and react to unpreventable emergencies with prepared plans. However, prescriptive analytics requires not only historical data but also external information due to the nature of statistical algorithms. Furthermore, prescriptive analytics generally uses sophisticated tools, such as the deep learning methods, which brings high computational complexity to the system. Therefore, the design of an IoT system should jointly consider the expected added values brought by prescriptive analytics and the additional consumption alongside.

2 Architectures for Real-Time Data Analytics in IoT Systems

The design of system architecture determines the dataflow in the IoT systems, which in turn affects the processing and completion time of data analytics. Therefore, the architecture design needs to be seriously considered for real-time analytics in IoT systems. In this section, the general architectures of IoT systems that can support real-time data analytics are extensively surveyed and analyzed, covering the migration from the traditional cloud-orchestrated architecture to the newly developed edge-cloud collaborative architecture.

2.1 Cloud-Based IoT System Architecture

In the initial deployment phase of IoT systems, the cloud-based IoT system architecture is the dominating architecture. As shown in Fig. 5, it consists of two major parts, namely, IoT end devices and the cloud computing platform.

Fig. 5 Cloud-based IoT system architecture (a cloud server connected to vehicular ad hoc networks, heterogeneous smart devices, and wireless sensor networks)

• IoT end devices and the self-organized subnets are the fundamental components of the IoT systems, which have direct interactions with the physical environments through sensors and actuators. For example, in the case of a smart home, temperature sensors sample the indoor temperature and upload the measurements to the cloud through either a wired gateway or wireless access point. The air conditioner reacts to the feedback from the cloud and adjusts the temperature accordingly.
• Cloud computing platform is the remote data and control center in the IoT systems. IoT data collected from the IoT end devices are comprehensively processed in the cloud, while the results are sent back to the IoT end devices as feedback. Given the strong computing capability of the cloud server, it can deal with comprehensive IoT data analytics and the massive amount of IoT data storage.

However, with the tremendous increase in the number of IoT end devices, the cloud-enabled IoT systems have met the following limitations, which prevent them from being pervasively deployed in the large-scale application scenarios with critical requirements of real-time processing and analysis (Yu et al. 2017a):

• Unstable cloud connection: The cloud platform is remotely located, which can weaken the stability of the connections between the cloud and IoT end devices. For example, in VANETs, handover of the fast-moving vehicles can result in the temporary absence of cloud computing service. The unstable cloud connection can lead to messy coordination of smart vehicles and finally incur bad traffic accidents. Thus, the IoT systems face a huge challenge: how to ensure normal operations in the absence of cloud connection.
• Limited bandwidth: Although the cloud server has the capability of processing the massive amount of data, the procedure of data uploading still challenges the bandwidth of the trunk link. In the case of industrial IoT systems, the huge amount of data imposes a heavy burden on the underlying network bandwidth, while overwhelming data can finally lead to system crash. Therefore, it is necessary to pre-process, and especially to effectively compress, the IoT data first, instead of simply uploading all the data to the cloud.
• High latency: The data processing, analysis, and storage center is remotely located at the cloud server, which incurs unavoidable latency due to the procedure of data processing and communication. In some systems, however, such as smart healthcare, real-time responses are needed for emergency cases, especially for elders living alone. Hence, how to reduce latency and provide real-time responses is also a critical challenge in certain IoT systems.

Due to these technical limitations, the cloud-based architecture can hardly meet the critical requirements of real-time analytics in large-scale IoT systems. In this condition, edge computing has been introduced into the system as a promising solution, which enables local and real-time processing for IoT end devices (Shi et al. 2016). The correspondingly developed edge-cloud collaborative IoT system architecture is presented in the next subsection.

T. Yu and X. Wang

2.2 Edge-Cloud Collaborative IoT System Architecture

A general edge-cloud collaborative system architecture for real-time analytics in heterogeneous IoT systems is depicted in Fig. 6 (Sharma and Wang 2017). The system architecture mainly consists of heterogeneous IoT end devices, edge computing devices, and the cloud computing platform, which are detailed as follows:

• Heterogeneous IoT end devices and subnets still function as the fundamental layer in the edge-cloud collaborative architecture and directly interact with the physical environments. Due to the pervasive deployments of IoT systems, IoT end devices are heterogeneous with quite different capabilities (e.g., computing, communication, and storage). Hence, device-to-device (D2D) communications among these devices require the support of multiple communication protocols (e.g., ZigBee, LTE, and Wi-Fi as shown in Fig. 6).
• Edge computing devices (“edge devices” for short) have been introduced into the IoT systems as a potential and promising solution, considering the technical limitations of cloud-based IoT systems. In the newly developed edge-cloud collaborative IoT systems, edge computing devices are located in the intermediate layer, where they can provide local and real-time processing to IoT end devices and can also execute preliminary data analytics so that the tasks can be offloaded from the cloud platform and the burden on the trunk link can be relieved. In the system architecture proposed in Fig. 6 (Sharma and Wang 2017), an IoT gateway is utilized as the edge computing device. Different from the conventional gateways, the IoT gateway not only works as a communication relay but also has stronger capabilities of computing and storage (Kang et al. 2017). In addition to the IoT gateway, any device that has the capabilities of computing, communication, and storage can be utilized as the edge device, such as a cloudlet server. Even a UAV can serve as a mobile edge device.
• Cloud computing platform is the legacy of cloud-based architecture, which still serves as the remote data and control center in the edge-cloud collaborative IoT systems. Since edge devices have limited computing and storage capabilities, the cloud platform is responsible for complex and comprehensive data analytics and the massive amount of data storage.

The functions of the major components in the system architecture have been explained in detail above. The interactions, namely, data communications, among them are given as follows:

• IoT end devices and edge devices: Edge devices are equipped with RF modules of different communication protocols, which can support the data uploading from heterogeneous IoT end devices. As mentioned, edge devices serve as the intermediate layer in the edge-cloud collaborative IoT system architecture. Therefore, besides the data uploading, edge devices are also responsible for sending and relaying the reaction and feedback generated by either edge devices or the cloud platform back to the IoT end devices.

16 Real-Time Data Analytics in Internet of Things Systems

Fig. 6 A general edge-cloud collaborative system architecture for real-time data analytics in heterogeneous IoT systems (figure labels: core network/Internet cloud, cloud processing, backhaul link, interactions, IoT gateway, edge processing, fronthaul links, WiFi, ZigBee, cellular)

• Edge devices and cloud platform: Edge devices upload the pre-processed data to the cloud so that the burden on the trunk link can be relieved. The cloud platform then sends back the results of comprehensive data processing and analysis. Compared with the cloud platform, the capabilities of edge devices are weaker, so the data processing speed of the edge is slower than that of the cloud. However, as mentioned in the previous subsection, offloading data to the cloud can incur extra latency due to the procedure of data communication. Therefore, it is necessary to balance the trade-off between the processing time and the communication time when optimizing the task offloading of data analytics. More details on task offloading are analyzed in Sect. 4.

3 Applications of Real-Time Data Analytics in IoT Systems

In this section, a comprehensive summary of the existing applications of real-time data analytics in IoT systems is presented, which includes smart city, smart healthcare, smart grid, social network, environmental monitoring, and industrial IoT.

3.1 Smart City

Hut architecture, as depicted in Fig. 7, is specifically designed for the smart city and can provide the service of real-time data processing based on historical data analytics (Ta-Shma et al. 2018). For example, in abnormal event detection, the historical batch data are used to learn the normal patterns so that the abnormality of real-time data streams can be timely and accurately identified. Two specific use cases using hut architecture are analyzed as instances. One is the Madrid transportation system, where 3000 traffic sensors are deployed on the M30 ring road by Madrid city council. Based on the descriptive analytics of the historical traffic data collected by the sensors, bad traffic is detected in real time to prevent worse congestion and facilitate public transportation. The other case is the Taiwan energy management system, where malfunctioning electronic devices and unusual appliance usages are monitored and detected in real time through excessive power dissipation.

Fig. 7 Hut architecture for data analytics in the smart city (figure labels: IoT, data acquisition, message broker, actuation, event consumption, event processing framework, machine learning/analytics, ingestion, data storage framework, data retrieval, batch analytics framework, real time, batch)

Another work also focuses on the prevention of traffic congestions in Madrid (Akbar et al. 2018). Different from the above work (Ta-Shma et al. 2018), not only traffic data from the city council of Madrid but also media data from Twitter and weather data are jointly considered to predict and prevent traffic congestions using the Bayesian network in a real-time way. With the comprehensive consideration of multiple factors and utilization of the Bayesian network model, the prediction of traffic congestions is more accurate. In Akbar et al. (2018), multiple data streams are jointly utilized for the same aim, namely, prediction of traffic congestions. To fully extract the relations among multiple data streams in the smart city, latent Dirichlet allocation (LDA), a topic extraction method that is generally used in text analysis, is exploited to uncover the underlying structure of the multiple data streams (Puschmann et al. 2018).

Although several efforts have been spent on the application of real-time analytics in the smart city, there are still several challenges remaining, as listed below.

• Factor selection: Smart city is a complex application scenario with multiple data streams of different physical factors. It is a critical challenge to select the proper factors for the specific target. In Akbar et al. (2018), traffic, media, and weather data streams are utilized to predict the traffic congestions. In Puschmann et al. (2018), the LDA-based method is utilized to uncover the relation between traffic and weather data streams. It is not difficult to unveil the relations among these aforementioned factors. For some other data streams, however, the underlying relations may not be perceptible. It is necessary to find a scientific way to uncover the underlying relations to improve the accuracy of prescriptive analytics.
• Time window selection: In the smart city, most of the applications have the requirements of real-time analytics, e.g., traffic coordination. However, the amount of data generated in the smart city is huge, which imposes a heavy burden on data communications and can further lead to the high latency of data analytics. Therefore, the selection of a proper time window for data collection is also among the most critical technical challenges. It is necessary to develop a method that can adaptively adjust the time window, which can automatically decrease to capture times of high interest in a finer granularity and adjust again in times of low interest.

3.2 Smart Healthcare

Smart healthcare is among the most promising application scenarios where IoT systems can change the way of living (Shah et al. 2016). IoT technology-enabled smart healthcare systems have already been utilized to do long-term monitoring of chronic diseases. For spasmodic diseases, however, and particularly for real-time emergency event detection for elders living alone, the requirements on the capability of real-time analytics are higher, which needs to be seriously considered in the design of IoT-enabled smart healthcare systems. There have been a few works in this area, as analyzed below.

In Yacchirema et al. (2018), a real-time monitoring architecture is proposed for obstructive sleep apnea (OSA) detection based on the collaboration of edge and cloud computing, as depicted in Fig. 8. For real-time OSA detection, multiple related factors are monitored including sleep environment (collected by the smart city system), sleep status, physical activities, and physiological parameters (collected by the smart home system). Edge and cloud play different roles in processing the measurements of these factors. More specifically, cloud computing with stronger capability is responsible for batch data processing-enabled pattern recognition and event prediction. Edge computing, as analyzed in the section on architecture design, is closer to the monitoring devices and is utilized to implement real-time OSA detection and reduce the latency of reaction and feedback. Through the edge computing-enabled real-time detection, lives can be saved from OSA.

Fig. 8 Edge-cloud collaborative architecture for obstructive sleep apnea (OSA) detection (figure labels: cloud computing layer with storage, analytics, and accessibility; edge computing layer with communication, pre-processing, and event handler; IoT layer with low power wireless networks, Internet, smart city, smart home, personal data, and environmental data)

Another commonly occurring disease of elders is dementia, which affects 46 million people around the world. In Enshaeifar et al. (2018), an IoT system is specifically designed for dementia care, termed TIHM (technology integrated healthcare management). TIHM involves families with dementia patients, clinics and hospitals with healthcare experts, small and medium-sized IoT companies, and academic groups with healthcare, economic, security, and technical experts. The system architecture of TIHM is quite similar to the OSA detection system (Fig. 8); real-time data of environmental conditions, patients’ physiological parameters, and their daily lifestyles are collected through environmental sensors, medical devices, wearable technologies, and interactive applications. Lightweight servers provided by the IoT companies function as edge computing devices, while the TIHM project has a more powerful backend server providing the service of cloud computing. Based on the data analytics, the needs of dementia patients can be identified in an early stage, which allows the clinical team to provide a timely response and prevent the patients from exacerbating ill health.

Smart healthcare systems can improve the quality of life and scientifically extend the lifetime of patients. However, the issue of the privacy protection of patients’ information remains unsolved. The security and privacy issues of IoT data are analyzed in Sect. 4.

3.3 Smart Grid

A smart grid is defined as an electrical grid that can deliver energy (i.e., electricity) in a controlled and smart manner from power generation nodes to active consumers. The real-time IoT system is among the most promising solutions to the smart grid. A system architecture for demand response management in the smart grid is shown in Fig. 9 (Mortaji et al. 2017). From the architecture, it can be seen that the system consists of two major sides, namely, server side and customer side, where the customers are assumed to be linked through advanced metering infrastructure (AMI) and are equipped with energy consumption scheduling modules and remote-controllable appliances. The appliances on the customer side are categorized into shift-able, dimmable, and static appliances according to their capabilities of adjusting working time and power consumption. Based on the system architecture, a novel algorithm has been proposed utilizing forecasting, load shedding, and smart-direct load control (S-DLC) to minimize the power outages of customers in the case of sudden grid load changes and also reduce the peak-to-average power ratio. In such a system, IoT technology and stream analytics are utilized to provide real-time load control, which can also generate a daily schedule for the customers equipped with intelligent electronic devices according to their demands, thermal comfort, and the forecast load model.

The above work has proposed the system architecture for demand response management in the smart grid and assumes that all customers are linked through advanced metering infrastructure (AMI). The smart electricity meters and their utilization have been further surveyed and analyzed in Alahakoon and Yu (2016), including the metering process, interests of different stakeholders (i.e., customers, electricity companies or utilities, and environment), and the technologies used to satisfy the interests of stakeholders.

Fig. 9 Architecture for data analytics in the smart grid system (figure labels: visualization, big data, stream analytics, data management, load forecast, load control, automated load control, inside of cloud, cloud: transforming data to intelligent actions, power grid and customer historical data, weather organization, subscribers 1 to 3)

3.4 Social Network

With the pervasive deployment of IoT, not only people but also physical and virtual objects are interconnected through the evolving communications and embedded systems technologies (Vermesan et al. 2011). In such a condition, the social IoT (SIoT) system has been proposed (Atzori et al. 2011). Similar to the online social network (OSN) for people, SIoT introduces the concept of social relationships into objects. However, before fully implementing the concept of SIoT, an SIoT system architecture needs to be developed, where IoT end devices can be controlled, managed, and monitored in a real-time and cognitive way. A few works focusing on this problem are analyzed below.

As shown in Fig. 10, an SIoT system architecture has been proposed to intelligently and cognitively create, manage, control, and monitor the SIoT objects in real time (Shamszaman and Ali 2018). In the proposed architecture, real-world objects are termed physical objects (POs), while the services that need special skills are termed abstract objects (AOs). POs and AOs jointly compose tier 1 of the system architecture, which has direct interactions with the real world. POs and AOs are then virtually represented as virtual objects (VOs) in tier 2. The new services incurred by the combination of VOs are termed composite VOs (CVOs). Tier 3 is the most important component in the system architecture, namely, stream processing engines, which is the part that enables real-time analytics. Tier 4 is the decision-making layer, which is executed based on the results provided by the stream processing engines. Tier 5 indicates the applications and services that the SIoT system can provide. The architecture provides a social interaction framework for IoT end devices functioning similar to the OSN for people and supports real-time data stream processing in the meantime. However, there are still many aspects, especially the applications in tier 5, that need to be further investigated.

Fig. 10 Architecture for data analytics in social IoT systems (figure labels: tiers 1 to 5, application, request analyzer, context matching, decision maker, creating and managing VO and CVO, VO controller, VO and CVO registry, policy handler, CVO, VO, physical objects (PO), abstract objects (AO), stream processing engines)

Anomaly detection in the cross-platform SIoT systems has already been analyzed as a case study (Sharma et al. 2017). In the enlarging cross-platform SIoT systems, the number of heterogeneous connected devices has been increasing tremendously, which brings a high risk of information loss and malicious access to the systems. In Sharma et al. (2017), an intelligent sensing model for anomaly detection (ISMA) has been proposed for the cross-platform SIoT systems, where anomalies refer to the malicious users misleading the systems with fraudulent information. The ISMA strategy deliberately induces faulty data (termed cognitive tokens) to attract malicious users and then identifies and classifies the anomalies with the error-based outlier filters. A common login system for different platforms in the SIoT system is introduced into the whole architecture as a part of collaborative anomaly identification across different platforms. A fair play point approach is used for the determination of anomalies, which improves the anomaly detection accuracy as compared to the existing methods, for example, SVM-RBF (support vector machine-radial basis function) and the sigmoid approach. However, this work still depends on the historical data for off-site evaluations and needs to be further developed to meet the requirements of real-time services to provide anomaly detection with continuous user monitoring.

3.5 Environmental Monitoring

IoT technology has been pervasively applied to environmental monitoring such as oceanic atmosphere monitoring and forest fire surveillance, due to the advantages of low cost and flexible deployment of IoT-enabled systems (Yu et al. 2018a; Fang et al. 2014). In Yu et al. (2018b), an edge-cloud collaborative IoT system architecture is proposed for data analytics in environmental monitoring as shown in Fig. 11, where UAVs are deployed and utilized as mobile edge devices. Wireless sensor nodes and the cloud platform are involved in environmental sensing and complex data analytics, respectively. Moreover, a UAV-enabled spatial data sampling scheme is further developed based on the system architecture, to overcome the challenge of accurate and efficient data sampling and reconstruction. Taking advantage of the UAVs, urgent tasks of data analytics can be timely completed at the mobile edge devices.

Furthermore, the most significant function of real-time analytics in IoT-enabled environmental monitoring systems is disaster detection and management. IoT-enabled natural disaster management approaches have been surveyed and summarized in Ray et al. (2017), such as early warning, notification, knowledge aggregation, remote monitoring, and victim localization. Data analytics, particularly real-time analytics, plays a key role in the disaster management system for real-time decision-making. The main technical challenge in such a system is also the issue of security because personal and private data are collected for environmental monitoring and disaster detection. Thus, besides the necessity of efficiency and collaboration, security is also a severe concern for the design of system architecture.

Fig. 11 Architecture for IoT-enabled environmental monitoring (figure labels: cloud, data processing and storage, UAV, local processing, wireless sensor nodes, pre-processing, data upload, feedback, real-time response, slow, fast)

3.6 Industrial IoT

Industrial IoT (IIoT) is the leverage and reality of IoT technology in the context of industrial transformation. On one hand, the transformation can optimize performance and boost productivity while cutting the total cost. On the other hand, it can predict and prevent potential machinery failures (Moskvitch 2017). From the technical perspective, IIoT paves the way to connect all the industrial assets, such as machines and control systems, through the evolving machine-to-machine (M2M) and industrial communication technologies (Sisinni et al. 2018). More specifically, the IIoT can facilitate the process automation domain in the following three aspects, namely, supervision, closed-loop networked control, and interlocking. However, closed-loop networked control and interlocking are highly sensitive to delay and require bounded delay at the millisecond level (10–100 ms), which imposes a heavy burden on the real-time analytics in IIoT systems (Akerberg et al. 2011).

To meet the critical requirement of real-time analytics, a three-tier IIoT system architecture has been specifically designed for delay mitigation, as depicted in Fig. 12 (Sisinni et al. 2018). In terms of the functions of each tier in the architecture, the edge tier defines the domain in which IIoT components interact with each other, which consists of sensors, actuators, and controllers interconnected by independent local area networks to an IIoT edge gateway. The IIoT edge devices are in turn connected to the platform tier for global coverage. Finally, the platform tier takes advantage of the service network to establish connections with the enterprise tier that implements domain-specific applications and provides interfaces to the end users. The latency level incurred by the processing at each tier is also labeled in Fig. 12. It can be seen that the edge tier can complete tasks within milliseconds, which can meet the critical requirements of bounded delay in closed-loop networked control and interlocking applications.

Fig. 12 Three-tier IIoT system architecture (figure labels: enterprise tier, minutes to days; platform tier, seconds to minutes; edge tier with IIoT edge gateways, controllers, sensors and actuators, milliseconds to sub-seconds; latency)

Although the three-tier IIoT system architecture has been widely accepted for delay mitigation, the explosive growth of IIoT applications, especially in terms of their scale and complexity, has dramatically increased the difficulty in ensuring the desired real-time performance. In addition to the challenge of the real-time performance, energy-efficient operations, interoperability among heterogeneous IIoT devices, and security and privacy all need to be seriously considered in the IIoT systems. In the next section, the challenges and future research directions of real-time analytics in not only IIoT but also the general IoT systems are analyzed.

4 Challenges and Future Research Directions

In this section, the challenges and future research directions of real-time data analytics in IoT systems are analyzed from the following aspects: the optimized collaboration between edge and cloud computing, autonomous collaborations among IoT end devices, cost-efficient event management, and real-time security and privacy protection.

4.1 Optimized Collaboration Between Edge and Cloud Computing

Collaborative edge-cloud architecture is the most commonly adopted IoT system architecture for real-time data analytics. In such an architecture, tasks of data processing and analysis need to be dynamically allocated among the IoT end devices, edge devices, and the cloud platform, to meet the requirements of real-time analytics of the massive IoT data. Besides, from the perspective of security and privacy, edge and cloud computing also need to collaborate to ensure all the devices involved in the system are communicating reliably and securely (Masip-Bruin et al. 2016). Therefore, although the edge-cloud collaborative IoT system architecture has already been adopted in several application scenarios, several aspects still need to be further developed to optimize the collaboration between the edge and cloud computing to minimize the consumption of system resources while meeting the critical requirements of real-time data analytics. Some of the related challenges and future research directions are listed as follows:

• Selection of communication protocols: Communication is among the fundamental technologies that support the IoT systems. Therefore, communication protocols need to be well-designed for the multiple communication interfaces among the IoT system components, including the communications among the heterogeneous IoT end devices and subnets in the sensing layer, interfaces between the sensing layer and the edge computing layer, communications among the multiple edge devices, and the interfaces between edge devices and cloud platform. Besides the selection of proper communication protocols, considering the limited spectrum resources, the heterogeneous and massive communications need to be effectively scheduled and coordinated as well.
• Resource awareness of the IoT system components: The optimization objective of an edge-cloud collaborative IoT system is to meet the requirements of real-time data analytics while minimizing the consumption of system resources. Therefore, it is necessary to be aware of the available resources of all the components in the system, including the communication resources (e.g., bandwidth and spectrum), computing resources, and power supplies. With the awareness of available resources, the consumption can be optimally allocated among the components while assigning the tasks.
• Task offloading: The tasks of data collection, analytics, and storage need to be optimally allocated within the IoT systems. Thus, the specific responsibilities of each IoT system component have to be determined to minimize the resource consumption and optimize the task completion time. In terms of the real-time requirements, it is better to allocate the tasks to the edge devices, since edge devices are closer to the IoT end devices. However, as mentioned in the section on system architecture, the service of edge computing is generally supported by lightweight devices such as cloudlet servers. Thus, the tasks with a massive amount of IoT data and high computing complexity still have to be partially offloaded to the cloud, which has much stronger capabilities than the edge devices. Therefore, it is critical to develop certain decision-making strategies for task allocation so that the time and resources consumed by the processing at the edge and the cloud and the communications between these two ends can be minimized (Pham and Huh 2016).
• Quality of service (QoS) enhancement: In terms of QoS enhancement, firstly, it is necessary to identify the constraints of the IoT systems that possibly lead to the shortcomings of performance, such as underlying network bandwidth, computing power, and cache size. Based on the findings, corresponding methods need to be further developed to minimize the response time and resource consumption and also enhance the reliability in the case of system failures.
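The trade-off between processing time and communication time raised in Sect. 2.2 and in the task offloading item above can be made concrete with a small latency model that finds the share of a task to keep at the edge. This is an added example, not code from the chapter or from Pham and Huh (2016): the linear cost model, the `Task` and `Link` fields, the function names, and all numbers are assumptions, with the 100 ms deadline taken from the upper end of the bounded-delay range quoted in Sect. 3.6.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    data_bits: float   # input that must cross the backhaul if offloaded
    cycles: float      # CPU cycles needed to analyse the whole input


@dataclass(frozen=True)
class Link:
    edge_hz: float     # edge processing rate (cycles/s)
    cloud_hz: float    # cloud processing rate (cycles/s)
    uplink_bps: float  # edge-to-cloud bandwidth (bits/s)
    rtt_s: float       # fixed round-trip latency to the cloud (s)


def completion_time(task, link, edge_share):
    """Finish time when `edge_share` of the work stays at the edge and the
    remainder is uploaded and processed in the cloud in parallel."""
    if not 0.0 <= edge_share <= 1.0:
        raise ValueError("edge_share must be in [0, 1]")
    edge_t = edge_share * task.cycles / link.edge_hz
    cloud_share = 1.0 - edge_share
    cloud_t = 0.0
    if cloud_share > 0:  # nothing offloaded means no backhaul cost at all
        cloud_t = (link.rtt_s
                   + cloud_share * task.data_bits / link.uplink_bps
                   + cloud_share * task.cycles / link.cloud_hz)
    return max(edge_t, cloud_t)


def best_split(task, link):
    """Return (edge_share, completion_time) minimising the finish time.

    Edge time grows with the share and cloud time shrinks, so the maximum of
    the two is smallest where they cross; if the crossing lies beyond 1 the
    round trip alone costs more than local processing and the edge keeps all.
    """
    edge_only = task.cycles / link.edge_hz
    cloud_unit = task.data_bits / link.uplink_bps + task.cycles / link.cloud_hz
    share = min(1.0, (link.rtt_s + cloud_unit) / (edge_only + cloud_unit))
    return share, completion_time(task, link, share)


def meets_deadline(task, link, deadline_s):
    """True if the best split finishes within the bounded delay."""
    return best_split(task, link)[1] <= deadline_s + 1e-12


# Constructed scenarios: 1 MB of sensor data needing 2e8 cycles of analysis.
TASK = Task(data_bits=8e6, cycles=2e8)
FAST_BACKHAUL = Link(edge_hz=1e9, cloud_hz=1e10, uplink_bps=1e8, rtt_s=0.05)
CONGESTED = Link(edge_hz=1e9, cloud_hz=1e10, uplink_bps=1e6, rtt_s=0.05)
DISTANT_CLOUD = Link(edge_hz=1e9, cloud_hz=1e10, uplink_bps=1e8, rtt_s=0.25)

if __name__ == "__main__":
    for name, link in [("fast backhaul", FAST_BACKHAUL),
                       ("congested uplink", CONGESTED),
                       ("distant cloud", DISTANT_CLOUD)]:
        share, t = best_split(TASK, link)
        print(f"{name}: keep {share:.0%} at edge, finish in {t * 1000:.0f} ms, "
              f"100 ms deadline met: {meets_deadline(TASK, link, 0.1)}")
```

With the fast backhaul, neither edge-only (200 ms) nor cloud-only (150 ms) meets the deadline, while the even split does; once the uplink is congested or the cloud is far away, almost all of the work stays at the edge and the deadline is missed.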

4.2 Autonomous Collaborations Among IoT End Devices

In the edge-cloud collaborative IoT systems, besides the optimized collaboration between the edge and cloud computing, the autonomous collaborations among the IoT end devices are of equal importance, because D2D communications and autonomous collaborations among IoT end devices can facilitate the IoT systems in several technical aspects. Take the context-aware application as an example. With the pervasive deployment of context-aware services, location awareness of the IoT end devices gradually becomes a demand. The low-cost feature of IoT end devices makes it impossible for them to be equipped with GPS chipsets, and GPS cannot support indoor localization. In such conditions, inner collaborations among IoT end devices can facilitate the network-wide localization and further support the location-aware and, more generally, context-aware services. Social IoT, as analyzed in the section on applications, is among the most promising solutions, where IoT end devices are interconnected with social relationships in a similar way as OSN for humans.

Nevertheless, autonomous collaborations among IoT end devices still meet several challenges. One of the most significant challenges is heterogeneity. As shown in Fig. 2, the sensing layer comprises heterogeneous IoT end devices such as the appliances in the smart home and also the subnets such as VANETs and WSNs. The heterogeneous and dynamic features of the connected IoT end devices make it difficult to ensure interoperability. Several challenges have been met in managing the devices and maintaining the communications, such as how to associate a new device to the system, how to rediscover an orphan device, how to build up a collaborative cluster, and how to disconnect a malicious device in the case of meeting security threats (Papageorgiou et al. 2016). Interoperability is important, since the data generation, collection, and sharing are all implemented based on the communications among the devices (Bello and Zeadally 2016). Therefore, it is necessary to develop device management schemes to efficiently manage IoT end devices and ensure interoperability. Some of the future research directions in autonomous collaborations among IoT end devices are summarized as follows:

• Social IoT: The social IoT system as depicted in Fig. 10 focuses on the virtualization of the social relationships among the IoT end devices and also the extraction of the underlying relations among multiple data streams. Since OSNs for humans have been well studied, the system architecture and theoretical methods of OSNs can be learned from to develop the social IoT systems for the coordination and collaboration of IoT end devices.
• Device management schemes: The huge number of heterogeneous IoT end devices also brings uncertainties to the IoT systems. Considering the dynamic features of these devices, it is a critical challenge to manage the devices, such as new device association, orphan device rediscovery, and malicious device disassociation.
• Cluster formation: By forming clusters properly, IoT end devices can be effectively controlled and coordinated by certain management strategies executed at the edge devices. Proper cluster formation can also improve the accuracy and efficiency of data analytics (Yu et al. 2017b). For cluster formation, however, besides understanding the social relationships among the devices (Kang et al. 2016), several other technical issues still need to be resolved, including the selection of suitable clustering criteria, the location tracking of the devices, and the inference-based strategy design for autonomous collaborations. Therefore, cluster formation algorithms need to be developed to classify the IoT end devices into clusters with suitable sizes according to the specific requirements of applications.

4.3 Cost-Efficient Event Management

Edge-cloud collaborative IoT systems have already been deployed in several application scenarios for long-term event monitoring, where sensing devices are deployed to sense and collect the information of monitoring targets. In other words, the service of long-term event monitoring relies on seamless interactions with the real world through sensing devices (Zhao et al. 2016). Due to the complex and dynamic features of the environments and objects, a large number of sensing devices need to be deployed to fully cover the large-scale sensing field and adapt to the instantaneous environmental changes. The data sampled and collected by the sensing devices are finally stored in the cloud platform. Based on the historical data, comprehensive data analytics can be done to extract the normal patterns of the systems and monitoring targets and predict future trends. The results of data analytics can be either kept in the cloud platform or sent back to the edge devices for event detection, where data that do not follow the normal pattern or trend are detected as abnormal events. Event detection executed at the edge devices can improve the timeliness of responses. However, long-term event monitoring and detection are resource-draining, where massive system resources are occupied and consumed, such as energy, computing power, and spectrum. One potential solution is the data-driven event-triggering technique, which enables the actions of communication or computing to take place only when a particular event or a series of events occur (Kolios et al. 2016). By using such an approach, the consumption of system resources can be dramatically

reduced, since most of the devices can be scheduled to sleep when no event occurs. Some of the interesting future research directions in this area are highlighted below.
• Behavior modeling: Based on the historical data stored in the cloud, behaviors of the monitoring targets can be learned. However, several issues still need to be resolved, such as how to define suitable reference models, how to deal with unpredictable characteristics of the systems, and how to train models with machine learning methods.
• Event detection: By exploitation of behavior modeling, the normal patterns and trends can be identified. Thus, the sampled data that do not follow the normal patterns are detected as abnormal events. Machine learning methods (Yu et al. 2017b) and even neural network models (Yu et al. 2018c) can be applied to abnormal event detection.
• Timing of event triggering: The event triggering technique can reduce the consumption of system resources. However, it is a big issue to determine the timing of event triggering, since the events are dynamic, which may have recurrent patterns. In other words, how to identify the states of an event and adjust the system accordingly needs to be investigated.
• On-demand resource allocation: After an event is triggered, how to handle the events and allocate the system resources (e.g., energy, bandwidth, and spectrum) according to the demands remains a big technical challenge.

4.4 Real-Time Security and Privacy Protection

Although IoT technology has turned several conventional systems into smart and intelligent ones, how to provide real-time security and privacy protection for the massive amount of IoT data remains a key technical concern (Rehman et al. 2018). In the existing IoT system architecture, IoT end devices are heterogeneous with quite different capabilities. Some of the devices with weak capabilities are vulnerable to security threats, due to the transparent air interfaces of wireless communications and lack of protection mechanisms. Thus, for real-time analytics of the massive amount of IoT data, malicious attacks can occur at any phase of data processing, such as data collection, filtering, and modeling. IoT data are highly related to the privacy of users because IoT systems register the personal information of users and monitor the daily behaviors of users (Porambage et al. 2016). Therefore, it can be inferred that malicious attacks on IoT data can expose the privacy of users. For example, in an IoT-enabled smart healthcare system, the private and personal information of patients is collected and uploaded to the third-party cloud platform for comprehensive analytics and storage, where patients' data are exposed to attackers all the way from the smart wearable devices to the lightweight edge devices and finally to the third-party cloud platform (Zhou et al. 2015).

Furthermore, the unique characteristics of IoT systems make traditional security and privacy protection mechanisms unsuitable for heterogeneous IoT systems. From the perspective of IoT data characteristics, the intricate patterns and characteristics of IoT data are seldom considered in the traditional protection mechanisms. Moreover, most of the traditional protection mechanisms are based on static databases, while in the IoT systems, data are dynamically changing due to the unstable states of the systems. Thus, the existing protection mechanisms cannot deal with IoT data. In terms of the edge-cloud collaborative system architecture, the cloud platform as the remote data and control center can provide a global view of the system, which is generally used in the centralized security and privacy protection mechanisms for device authentication and access control. However, due to the heterogeneous and dynamic features of IoT end devices, the traditional centralized mechanisms enabled by the cloud platform are not efficient enough to authenticate the huge number of devices and authorize their access to IoT data. In addition to the IoT end devices, the distributed edge devices also bring security risks to the IoT systems. Unlike the cloud platform generally provided by trustworthy third parties, edge devices are from multiple unauthorized providers, which imposes an extra burden on the device authentication and access control. Therefore, it is necessary to develop some new mechanisms to protect the security and privacy of IoT data in the edge-cloud collaborative IoT systems. One potential solution is the utilization of the edge-cloud collaboration, where edge devices are secured by the cloud platform and function as proxies to protect the resource-constrained IoT end devices (Chiang and Zhang 2016). The other one is developing decentralized protection mechanisms, such as the newly proposed blockchain-based methods (Novo 2018).

Based on the above discussions, the research directions that need to be seriously considered in the future are summarized as follows:
• Security enhancement on edge-cloud collaboration: Although edge-cloud collaboration can enhance the security of IoT systems, several security issues still need to be considered, such as how to protect the confidentiality, integrity, and availability of IoT data in the procedure of task offloading and how to prevent the privacy of encrypted IoT data from being unveiled to the service provider when processing the data at a third-party cloud platform.
• Privacy protection: In IoT systems, since personal information of users is registered and daily behaviors of users are monitored, IoT data are highly related to the privacy of users. Therefore, privacy protection mechanisms such as differential privacy need to be well investigated.
• Access control: Although the cloud platform can provide centralized device authentication and access control, it is not efficient enough for the IoT systems with a huge number of devices. Therefore, both edge-cloud collaborative and decentralized mechanisms need to be further studied to manage the access control of the massive and heterogeneous devices.

5 Conclusion

In this chapter, real-time data analytics in IoT systems has been thoroughly studied. The characteristics of real-time data analytics in IoT systems have been elucidated first. Afterward, the suitable IoT system architecture for real-time data analytics is investigated, where both the traditional cloud-based architecture and the newly developed edge-cloud collaborative architecture are analyzed. By exploitation of the edge-cloud collaborative architecture, real-time data analytics have been applied in several application scenarios of IoT systems, such as the smart city, smart healthcare, and industrial IoT. The applications have been extensively surveyed and analyzed from the perspectives of system design and shortcomings of performance. Last but not least, the main challenges remaining in the application of real-time data analytics in IoT systems have been pointed out, and the corresponding research potentials have been identified in the following aspects: optimized collaboration between edge and cloud computing, autonomous collaborations among IoT end devices, cost-efficient event management, and real-time security and privacy protection.

References

A. Akbar, G. Kousiouris, H. Pervaiz, J. Sancho, P. Ta-Shma, F. Carrez, K. Moessner, Real-time probabilistic data fusion for large-scale IoT applications. IEEE Access 6, 10015–10027 (2018)
J. Akerberg, M. Gidlund, M. Bjorkman, in Future research challenges in wireless sensor and actuator networks targeting industrial automation. 2011 9th IEEE International Conference on Industrial Informatics (INDIN) (IEEE, 2011), pp. 410–415
D. Alahakoon, X. Yu, Smart electricity meter data intelligence for future energy systems: a survey. IEEE Trans. Ind. Inform. 12(1), 425–436 (2016)
L. Atzori, A. Iera, G. Morabito, SIoT: giving a social structure to the Internet of Things. IEEE Commun. Lett. 15(11), 1193–1195 (2011)
A. Bekker, 4 Types of data analytics to improve decision-making (2017). Available: https://www.scnsoft.com/blog/4-types-of-data-analytics
O. Bello, S. Zeadally, Intelligent device-to-device communication in the Internet of Things. IEEE Syst. J. 10(3), 1172–1182 (2016)
M. Chen, S. Mao, Y. Zhang, V.C. Leung, Big Data: Related Technologies, Challenges and Future Prospects (Springer, Heidelberg, 2014)
M. Chiang, T. Zhang, Fog and IoT: an overview of research opportunities. IEEE Internet Things J. 3(6), 854–864 (2016)
E. Enshaeifar, P. Barnaghi, S. Skillman, A. Markides, T. Elsaleh, S.T. Acton, R. Nilforooshan, H. Rostill, The Internet of Things for dementia care. IEEE Internet Comput. 22(1), 8–17 (2018)
S. Fang, L. Da Xu, Y. Zhu, J. Ahati, H. Pei, J. Yan, Z. Liu, et al., An integrated system for regional environmental monitoring and management based on Internet of Things. IEEE Trans. Ind. Inform. 10(2), 1596–1605 (2014)
J. Gubbi, R. Buyya, S. Marusic, M. Palaniswami, Internet of Things (IoT): a vision, architectural elements, and future directions. Futur. Gener. Comput. Syst. 29(7), 1645–1660 (2013)
INFORMS, Best definition of analytics (2012). Available: https://www.informs.org/AboutINFORMS/News-Room/O.R.-and-Analytics-in-the-News/Best-definition-of-analytics
D.-O. Kang, J.-H. Choi, J.-Y. Jung, K. Kang, C. Bae, SDIF: social device interaction framework for encounter and play in smart home service. IEEE Trans. Consum. Electron. 62(1), 85–93 (2016)
B. Kang, D. Kim, H. Choo, Internet of everything: a large-scale autonomic IoT gateway. IEEE Trans. Multi-Scale Comput. Syst. 3(3), 206–214 (2017)
P. Kolios, C. Panayiotou, G. Ellinas, M. Polycarpou, Data-driven event triggering for IoT applications. IEEE Internet Things J. 3(6), 1146–1158 (2016)
X. Masip-Bruin, E. Marín-Tordera, G. Tashakor, A. Jukan, G.-J. Ren, Foggy clouds and cloudy fogs: a real need for coordinated management of fog-to-cloud computing systems. IEEE Wirel. Commun. 23(5), 120–128 (2016)
M. Mohammadi, A. Al-Fuqaha, S. Sorour, M. Guizani, Deep learning for IoT big data and streaming analytics: a survey. IEEE Commun. Surv. Tutorials 20, 2923–2960 (2018)
H. Mortaji, S.H. Ow, M. Moghavvemi, H.A.F. Almurib, Load shedding and smart-direct load control using Internet of Things in smart grid demand response management. IEEE Trans. Ind. Appl. 53(6), 5155–5163 (2017)
K. Moskvitch, When machinery chats, connections industrial IoT. Eng. Technol. 12(2), 68–70 (2017)
O. Novo, Blockchain meets IoT: an architecture for scalable access management in IoT. IEEE Internet Things J. 5(2), 1184–1195 (2018)
A. Papageorgiou, R. Bifulco, E. Kovacs, H.-J. Kolbe, in Dynamic M2M device attachment and redirection in virtual home gateway environments. 2016 IEEE International Conference on Communications (ICC) (IEEE, 2016), pp. 1–6
X.-Q. Pham, E.-N. Huh, in Towards task scheduling in a cloud-fog computing system. 18th Asia-Pacific Network Operations and Management Symposium (APNOMS) (IEEE, 2016), pp. 1–4
P. Porambage, M. Ylianttila, C. Schmitt, P. Kumar, A. Gurtov, A.V. Vasilakos, The quest for privacy in the Internet of Things. IEEE Cloud Comput. 3(2), 36–45 (2016)
D. Puschmann, P. Barnaghi, R. Tafazolli, Using LDA to uncover the underlying structures and relations in smart city data streams. IEEE Syst. J. 12(2), 1755–1766 (2018)
R. Qureshi, Ericsson mobility report. Tech. rep. EAB-14, Ericsson, Stockholm, vol. 28658 (2014)
P.P. Ray, M. Mukherjee, L. Shu, Internet of Things for disaster management: state-of-the-art and prospects. IEEE Access 5, 18818–18835 (2017)
M.H. Rehman, E. Ahmed, I. Yaqoob, I.A.T. Hashem, M. Imran, S. Ahmad, Big data analytics in industrial IoT using a concentric computing model. IEEE Commun. Mag. 56(2), 37–43 (2018)
P. Russom et al., Big data analytics. TDWI Best Pract. Rep. Fourth Quarter 19(4), 1–34 (2011)
T. Shah, A. Yavari, K. Mitra, S. Saguna, P.P. Jayaraman, F. Rabhi, R. Ranjan, Remote health care cyber-physical system: quality of service (QoS) challenges and opportunities. IET Cyber-Phys. Syst. Theory Appl. 1(1), 40–48 (2016)
Z.U. Shamszaman, M.I. Ali, Toward a smart society through semantic virtual-object enabled realtime management framework in the social Internet of Things. IEEE Internet Things J. 5(4), 2572–2579 (2018)
S.K. Sharma, X. Wang, Live data analytics with collaborative edge and cloud processing in wireless IoT networks. IEEE Access 5(99), 4621–4635 (2017)
V. Sharma, I. You, R. Kumar, ISMA: intelligent sensing model for anomalies detection in cross platform OSNs with a case study on IoT. IEEE Access 5, 3284–3301 (2017)
W. Shi, J. Cao, Q. Zhang, Y. Li, L. Xu, Edge computing: vision and challenges. IEEE Internet Things J. 3(5), 637–646 (2016)
E. Sisinni, A. Saifullah, S. Han, U. Jennehag, M. Gidlund, Industrial Internet of Things: challenges, opportunities, and directions. IEEE Trans. Ind. Inform. 14(11), 4724–4734 (2018)
P. Ta-Shma, A. Akbar, G. Gerson-Golan, G. Hadash, F. Carrez, K. Moessner, An ingestion and analytics architecture for IoT applied to smart city use cases. IEEE Internet Things J. 5(2), 765–774 (2018)
O. Vermesan, P. Friess, P. Guillemin, S. Gusmeroli, H. Sundmaeker, A. Bassi, I.S. Jubert, M. Mazura, M. Harrison, M. Eisenhauer, et al., Internet of Things strategic research roadmap. Internet Things – Glob. Technol. Soc. Trends 1, 9–52 (2011)
D.C. Yacchirema, D. Sarabia-Jácome, C.E. Palau, M. Esteve, A smart system for sleep monitoring by integrating IoT with big data analytics. IEEE Access 6, 35988–36001 (2018)
T. Yu, X. Wang, A. Shami, in A novel fog computing enabled temporal data reduction scheme in IoT systems. GLOBECOM 2017–2017 IEEE Global Communications Conference (IEEE, 2017a), pp. 1–5
T. Yu, X. Wang, A. Shami, Recursive principal component analysis-based data outlier detection and sensor data aggregation in IoT systems. IEEE Internet Things J. 4(6), 2207–2216 (2017b)
T. Yu, X. Wang, J. Jin, K. McIsaac, Cloud-orchestrated physical topology discovery of large-scale IoT systems using UAVs. IEEE Trans. Ind. Inform. 14(5), 2261–2270 (2018a)
T. Yu, X. Wang, A. Shami, UAV-enabled spatial data sampling in large-scale IoT systems using denoising autoencoder neural network. IEEE Internet Things J. 6(2), 1856–1865 (2018b)
T. Yu, Y. Zhu, X. Wang, Autoencoder neural network-based abnormal data detection in edge computing enabled large-scale IoT systems. Chin. J. Internet Things 2(4), 14–21 (2018c)
S. Zhao, L. Yu, B. Cheng, An event-driven service provisioning mechanism for IoT (Internet of Things) system interaction. IEEE Access 4, 5038–5051 (2016)
J. Zhou, Z. Cao, X. Dong, X. Lin, Security and privacy in cloud-assisted wireless wearable communications: challenges, solutions, and future directions. IEEE Wirel. Commun. 22(2), 136–144 (2015)

17 Authentication and Integrity Protection for Real-Time Cyber-Physical Systems

Sye Loong Keoh, Heng Chuan Tan, and Zhaohui Tang

Contents
1 Introduction
2 Security Threats
3 Authentication and Key Distribution in AMI
4 Secure Data Aggregation with Integrity Preservation
4.1 Setup Phase
4.2 Data Aggregation Phase
4.3 Trapdoor Collision Phase
4.4 Hash Verification Phase
4.5 Key Blinding Phase
4.6 Performance Evaluation
4.7 Security Discussions
5 Key Management
5.1 Classification of Key Management Schemes
5.2 Symmetric-Based Key Management
5.3 Asymmetric-Based Key Management
5.4 Hybrid-Based Key Management
6 Conclusions and Outlook
References

S. L. Keoh, School of Computing Science, University of Glasgow, Glasgow, UK
H. C. Tan, Advanced Digital Science Centre, Singapore, Singapore
Z. Tang, University of Southern Queensland, QLD, Australia
© Springer Nature Singapore Pte Ltd. 2022. Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_39

Abstract

Cyber-physical system (CPS) is a collaborative system of cyber and physical devices that work together to facilitate automation, communication, and sharing of information in real time. This chapter examines the Advanced Metering Infrastructure (AMI) in a smart grid environment, in which energy consumption data from smart meters is collected and aggregated in real time, allowing the system operators to analyze the energy usage to improve consumer service by refining utility operating and asset management processes more efficiently. Data aggregation is an integral part of AMI deployment. Data aggregation reduces the number of transmissions, thereby reducing communication costs and increasing the bandwidth utilization of AMI. However, the concentrator (the entity that aggregates the energy readings) poses a considerable risk of being tampered with, leading to erroneous bills and possible consumer disputes. In this chapter, we discuss an end-to-end integrity protocol using elliptic curve-based chameleon hashing to provide data integrity and authenticity. The concentrator generates and sends a chameleon hash value of the aggregated readings to the Meter Data Management System (MDMS) for verification, while the smart meter with the trapdoor key computes and sends a commitment value to the MDMS so that the resulting chameleon hash value calculated by the MDMS is equivalent to the previous hash value sent by the concentrator. By comparing the two hash values, the MDMS can validate the integrity and authenticity of the data transmitted by the concentrator.

1 Introduction

Cyber-physical system (CPS) has gained a lot of attention from the academia and the industry in recent years, largely due to the increased interest to promote the integration between the cyber and physical parts of the world. A CPS is a network of collaborative systems that work together to facilitate greater communication and sharing of information in real time. In CPS, physical devices are empowered with computing and communication capabilities to drive automation and improve productivity without human involvement. Such a system is made possible through the integration of computer-based algorithms, information processing, and networking with the physical process. One of the key features of CPS is the ability to interact with the environment and adapt to new working conditions through distributed intelligent mechanisms operating at the unit (single device), cluster (groups of devices), and network level (the network of devices). The data collected from the environment is analyzed to effect proper reaction and control measures to guarantee the Quality of Service (QoS) of the applications. With CPS, industries can optimize their operations quickly and efficiently to cut costs. A streamlined process allows enterprises to enhance their services proactively to better cater to the needs of the companies and their customers. There are definitely huge potentials to deploy CPS. Many industries are already using CPS to harness

their technological advances in a variety of domains. These include, but are not limited to, agriculture, transportation, smart grid, robotics, and healthcare. Despite the many benefits, CPS is a complex system to design as the physical devices are expected to interoperate with heterogeneous communication capability involving both wired and wireless infrastructure. As new communication and information technologies emerge, security issues arising from the combination of these technologies introduce many attack opportunities. The accuracy of the data collected from the environment may be affected by device calibration problems, attacks at the communication layer, the presence of soft and hard faults, or changes in the environment in which the devices are operating. These inaccuracies can affect the proper functioning of the application or service, leading to a degradation of the performance and QoS. Moreover, the limited system resources on these physical devices also limit the selection of cryptographic primitives to provide security protection. When considering the hardening of CPS, the fundamental challenge is always to balance the trade-off between reliability, performance, and security from the perspective of the system as a whole. To this end, this chapter aims to provide readers with some insight into the practice and considerations of applying cryptography and network security concepts to CPS. The remainder of this chapter is organized as follows: Sect. 2 discusses the security attacks in CPS and classifies them based on the concept of computer security, namely, confidentiality, integrity, availability, non-repudiation, and authentication. Sect. 3 focuses on Advanced Metering Infrastructure (AMI) as an example of a CPS application and examines the technical challenges in providing authentication and key distribution on smart meters. Sect. 4 focuses on secure data aggregation with integrity preservation by developing a provably secure and efficient end-to-end data integrity protocol to overcome the tampering of data in AMI. Sect. 5 expands the work of Sect. 4, highlighting the importance of key management schemes, and reviews the pros and cons of the latest schemes. Finally, Sect. 6 concludes the chapter and provides future trends and open research issues to be considered when designing security applications related to CPS.

2 Security Threats

Security threats in cyber-physical systems vary from system to system and can be discussed and explored from different perspectives. Attacks on a CPS system (Nicola et al. 2014) can originate from the physical components, which are widely exposed, usually over a large and unattended geographical area, or from the cyber domain, like any other network-based system, or a combination of both due to the integration functionality. Another thread of research (Humayed et al. 2017) categorized CPS security threats by identifying the unique attack vectors to representative CPS systems such as industrial control systems (ICS), smart grid systems, medical CPS, smart cars, etc. These representative CPS applications are unique in how their cyber and physical components interact with each other, which can be exploited to conduct targeted attacks on these CPSs.

In this chapter, we follow the conventional computer security model to identify a list of security threats that affect a CPS system's confidentiality, integrity, availability, non-repudiation, and authentication. Nevertheless, we will mainly focus on the integrity and authentication issues within a smart grid's Advanced Metering Infrastructure (AMI).
• Confidentiality. An attacker is able to retrieve sensitive data in a CPS system by eavesdropping on the communication channels between the sensors and the controller, and between the controller and the actuators. Many CPS devices are resource-constrained, and the majority of them do not have a cryptographic coprocessor to encrypt the data.
• Integrity. Man-in-the-middle attacks are possible in CPS by attaching a malicious sensor/controller to the network, thus allowing the attackers to intercept and tamper with the network traffic in a CPS system. This leads to data inaccuracy as the sensor data collected could have been tampered with. More seriously, this further affects the trustworthiness of the analysis results, which are based on the tampered data, leading to a wrong control decision.
• Availability. Availability is an important yet challenging security goal to achieve in CPS systems. Due to the computational and resource constraints in the physical components, CPS systems are more vulnerable to denial-of-service attacks, where the adversary occupies the limited resources and bandwidth of a physical device, making it inaccessible and unusable for an authorized entity. Notably, an attacker can easily and quickly make low-power devices unresponsive by executing energy-consuming programs in the small devices and draining their batteries.
• Non-repudiation. Non-repudiation is the attribute of communication that protects against a successful dispute of its origin, submission, delivery, or content. In other words, non-repudiation requires that an entity cannot deny the sending or receiving of a message that is sent or received by the entity. To repudiate means to deny. Non-repudiation attacks in CPS systems involve both sender and receiver: a sender denies having sent a message, and a receiver denies having received one.
• Authentication. The attacker can impersonate the victim and forge new messages on its behalf, or even modify an existing message, making it impossible to verify the identity of the communicating entities. Authentication is particularly vital in CPS to ensure that the data is collected from the authenticated sensor, and control commands are issued by the authorized controller.

3 Authentication and Key Distribution in AMI

Fig. 1 Architecture of an AMI

The Advanced Metering Infrastructure (AMI) is a key enabler of the smart grid (SG) communication network and is an example of a CPS application. It is an integrated system of sensing devices, communication networks, and data management system designed to monitor energy usage in a smart grid environment automatically (Alahakoon and Yu 2016; Kabalci 2016). With AMI, consumers can access
real-time and accurate energy usage data to track their usage patterns and save costs. Through real-time snapshots of the energy consumption, the utilities can implement flexible pricing structures and demand response (DR) measures to improve energy efficiency, better manage their energy demands, and further reduce their operating costs. As shown in Fig. 1, the architecture of an AMI system consists of a smart meter (SM), a data concentrator (aggregator), and a Metering Data Management System (MDMS). A smart meter is a low-powered sensing device that monitors the energy consumption of connected devices. It collects energy usage and forwards it to the data concentrator where it is aggregated with other smart meter readings to conserve communication bandwidth. The final aggregated data is then sent to the MDMS where it is stored and analyzed to develop dynamic pricing plans, improve customer service, and provide accurate consumption management. To enable these components to communicate with each other, the AMI system supports various communication technologies that can be classified into home area network (HAN) and field area network (FAN), as shown in Fig. 1. More precisely, HAN is a small-scale local area network that is deployed mainly at home or office environments. It uses short-range to medium-range communication technologies such as Bluetooth (Siekkinen et al. 2012), WiSUN (WiSUN Alliance), Wi-Fi, or wired power line communication (PLC) technologies (Ancillotti et al. 2013) to enable smart meters and devices located in the consumer’s premises to interact with each other. The FAN covers a larger geographic area and consists mainly of aggregators. The FAN acts as a bridging network to connect various devices and smart meters located in the HAN to the utility backend, i.e., MDMS. The typical communication technology used by this network is WiSUN, which operates in multi-hop mode. 
However, other long-range and high bandwidth communication technologies such as WiMAX (Bian et al. 2014), cellular, satellite, and power line

communication (PLC) can also be used. To improve the network capacity and reliability, aggregators in the FAN are typically configured to work in a self-healing mesh topology to recover from link failures.

4 Secure Data Aggregation with Integrity Preservation

In a typical advanced metering infrastructure (AMI) architecture, the data concentrator is responsible for aggregating energy readings from the smart meters and then sending the aggregated readings to the Metering Data Management System (MDMS). As the concentrators are typically deployed in unattended locations and can be easily compromised by adversaries, the compromised concentrators can be used to manipulate and tamper with the readings before sending the aggregated data to the MDMS. This could lead to erroneous bills, energy thefts, and possible consumer disputes. In addition, the data source must be authenticated to ensure that the readings originate from the intended smart meters to ensure proper operation. In this section, we introduce an end-to-end data integrity protocol to secure data aggregation in AMI (Tan et al. 2018; Keoh and Tang 2014) with the goal of providing data integrity and data source authentication. Our protocol is based on a double-trapdoor chameleon hash function (Thakur 2016) and is constructed using elliptic curve cryptography (ECC) (Koblitz 1997) to achieve better efficiency. In essence, the concentrator aggregates the energy readings from the smart meters and calculates a chameleon hash value using the public keys that are associated with the two trapdoor keys of the chameleon hash function. To verify the chameleon hash value, a smart meter equipped with one of the trapdoor keys needs to calculate a commitment value using its own energy readings such that the resultant chameleon hash value is equivalent to the previous hash value sent by the concentrator. The commitment value is then forwarded to the MDMS where a second trapdoor key is applied to verify the authenticity and integrity of the readings sent by the concentrator.
To facilitate the construction of the commitment value and subsequently the chameleon hash value, the MDMS embeds a blinded copy of its trapdoor key in the polynomial and distributes it to all the smart meters using a polynomial-based key distribution scheme (Piao et al. 2013). The entire operation is divided into five phases: setup, data aggregation, trapdoor collision, hash verification, and key blinding.

4.1 Setup Phase

In the setup phase, the MDMS generates the system parameters. It is assumed that the smart meters in the same geographic area form a group and share the same group trapdoor key. In addition, the smart meters are assumed to be well-behaved and comply with the rules of the protocol, but they may be compromised. We also assume that the compromised smart meter or concentrator acts alone, and the problem of collusion is out of the scope of this work. The system parameters are generated as follows:

17 Authentication and Integrity Protection for Real-Time Cyber-Physical Systems

• Generate ECC domain parameters $(E, p, a, b, G, n)$. MDMS determines the ECC domain parameters based on the elliptic curve $E$ of the form $y^2 \pmod p = x^3 + ax + b \pmod p$ over the finite field $F_p$, where $p$ is a large prime number and $a$, $b$ are the coefficients of the elliptic curve. $G$ is a generator denoted by a point $(G_x, G_y)$ selected from the elliptic curve, and $n$ is the order of the generator. The security of ECC is derived from the difficulty of the Elliptic Curve Discrete Logarithm Problem (ECDLP).

• Generate chameleon hash function, $H_{HK}$. The smart meter chooses a random value $x \in [1, n-1]$ as the group trapdoor key, computes the chameleon hash public key as $X = xG$, and registers the public key with the MDMS. Similarly, the MDMS selects the second trapdoor key $y \in [1, n-1]$ and computes the corresponding chameleon hash public key as $Y = yG$. The chameleon trapdoor key is $TK = (x, y)$, and the chameleon public key is $HK = (X, Y)$. Next, MDMS defines a double-trapdoor chameleon hash function as follows:

$$H_{HK}(m, r) = h_2\big(h_1(m \,\|\, X),\, Y\big)(X + Y) + rG \pmod n \qquad (1)$$

where $h_1 : \{0,1\}^* \to \{0,1\}^k$ is a secure hash function that maps an arbitrary length string to a fixed string of length $k$ and $h_2 : \mathbb{Z}_n \times \mathbb{G} \to \mathbb{Z}_n$ is a keyed hash function that takes as input the result of $h_1$ and the public key of MDMS.

• Generate polynomial $P_t(x)$ for smart meters in a group. Each smart meter $sm_i$ in group $t$ also receives a unique pre-shared key $EK_i$ from the MDMS for secure unicast communications. Using the pre-shared keys of all the smart meters in the group, MDMS constructs a polynomial and embeds its trapdoor key $y$ in the polynomial as shown in Eq. (2). However, the MDMS selects a secret random value $r' \in [1, n-1]$ to conceal the actual value of the trapdoor key $y$ to prevent the exposure of the trapdoor key:

$$P_t(x) = (x - EK_1)(x - EK_2) \cdots (x - EK_i) + r'y \qquad (2)$$

The polynomial is then preloaded by the MDMS to all the smart meters in a group. Different groups of smart meters will receive different polynomials. Finally, MDMS publishes the system parameters $(E, p, a, b, G, n, h_1, h_2, HK, H_{HK}, P_t(x))$ to all the smart meters and concentrators in the network, where $P_t(x)$ refers to the polynomial of group $t$.

4.2 Data Aggregation Phase

For a group of smart meters $sm_1, sm_2, \ldots, sm_n$, where $n$ is the number of meters in the group, each smart meter periodically sends an energy report $m_i^{(t)}$ to the concentrator for aggregation, where $m_i^{(t)}$ denotes the readings at time $t$ for $sm_i$. Upon receiving the individual reports from the smart meters, the concentrator aggregates the individual reports according to Eq. (3):

S. L Keoh et al.

$$m_{agg}^{(t)} = \sum_{i=1}^{n} m_i^{(t)} \qquad (3)$$

The concentrator then selects a random value $r^{(t)} \in [1, n-1]$ and calculates the chameleon hash value of the aggregated message using Eq. (1), with the aggregated readings in Eq. (3) and the chameleon hash public key as inputs. After that, the concentrator sends the individual smart meter readings $m_i^{(t)}$, the chameleon hash value $H_{HK}^{(t)}$, and the random value $r^{(t)}$ to the MDMS for verification. The message tuple $\big(m_1^{(t)}, m_2^{(t)}, \ldots, m_n^{(t)}, r^{(t)}, SIGN(H_{HK}^{(t)})\big)$ is signed by the concentrator's private key using any unforgeable signature scheme to prove authenticity and nonrepudiation. At the same time, the concentrator sends $\big(H_{HK}^{(t)}, h_1(m_{agg}^{(t)} \,\|\, X), r^{(t)}\big)$ back to the group of smart meters so that they can produce a chameleon hash collision during the trapdoor collision phase (c.f. Sect. 4.3). The aggregated message $m_{agg}^{(t)}$ is hashed using $h_1$ to prevent an adversary from extracting energy readings of the smart meters. The pseudocode of the data aggregation phase is shown in Algorithm 1.

Algorithm 1: Generate Chameleon Hash at Time $1 \le t \le T$ (Concentrator)
Inputs: Chameleon hash public key: $X = xG$, $Y = yG$
    Energy readings from different smart meters: $m_i^{(t)}\ \forall i \in (1, \ldots, n)$
    Random value: $r^{(t)}$
Output: $H_{HK}^{(t)}\big(m_{agg}^{(t)}, r^{(t)}\big)$
For $i$ to $n$ smart meters in a group do
    $m_{agg}^{(t)} = \sum_{i=1}^{n} m_i^{(t)}$
End for
Select a cryptographically secure random integer $r^{(t)}$ from $[1, n-1]$ and compute scalar multiplication $f_1 \leftarrow r^{(t)} \cdot G$
Compute $H_{HK}^{(t)}\big(m_{agg}^{(t)}, r^{(t)}\big) = h_2\big(h_1(m_{agg}^{(t)} \,\|\, X),\, Y\big)(X + Y) + r^{(t)} \cdot G \pmod n$
    (a) Compute $f_2 \leftarrow h_1(m_{agg}^{(t)} \,\|\, X)$ using SHA-2
    (b) Compute HMAC value $f_3 \leftarrow h_2(f_2, Y)$
    (c) Compute sum of product $f_4 \leftarrow X f_3 + Y f_3$
    (d) Compute $H_{HK}^{(t)}\big(m_{agg}^{(t)}, r^{(t)}\big) \leftarrow f_4 + f_1$
Send signed $\big(m_i^{(t)}, r^{(t)}, SIGN(H_{HK}^{(t)})\big)$ to MDMS
Send $\big(H_{HK}^{(t)}, h_1(m_{agg}^{(t)} \,\|\, X), r^{(t)}\big)$ to smart meters

When the MDMS receives the message tuple $\big(m_1^{(t)}, m_2^{(t)}, \ldots, m_n^{(t)}, r^{(t)}, SIGN(H_{HK}^{(t)})\big)$ from the concentrator, the MDMS sums up all the received meter readings $m_i^{(t)}$ at time $t$ and computes the chameleon hash value using Eq. (1) with the given $r^{(t)}$ value. After that, it uses the public key of the concentrator to verify the signature. If the verification is successful, MDMS accepts the integrity and authenticity of the received data and stores the meter readings as well as the chameleon hash value $H_{HK}^{(t)}$ for end-to-end verification later.

4.3 Trapdoor Collision Phase

This phase is executed by the smart meters every $T$ period. On receiving $t$ copies of $\big(H_{HK}^{(t)}, h_1(m_{agg}^{(t)} \,\|\, X), r^{(t)}\big)$ from the concentrator, where $1 \le t \le T$, each smart meter selects any one of them to calculate an $r''$ value so that the generated chameleon hash value of its own energy readings $m'$ is equivalent to the chameleon hash value stored by the MDMS at time $t$, i.e., $H_{HK}(m', r'') = H_{HK}^{(t)}\big(m_{agg}^{(t)}, r^{(t)}\big)$ where $m' \neq m_{agg}^{(t)}$. In this case, the message $m'$ is the sum of all the energy readings that the smart meter had sent during period $T$. To compute the $r''$ value, the smart meter must solve the following:

$$r'' = (x + y)\Big[h_2\big(h_1(m_{agg}^{(t)} \,\|\, X),\, Y\big) - h_2\big(h_1(m' \,\|\, X),\, Y\big)\Big] + r^{(t)} \pmod n \qquad (4)$$

Since the smart meter does not have knowledge of MDMS's trapdoor key $y$, it is not able to compute the $r''$ value. So, the smart meter splits the construction of the $r''$ value into two components, namely, $r_1$ and $r_2$, and sends them as commitments to the MDMS. First, the smart meter substitutes its pre-shared key $EK_i$ into the preloaded polynomial in Eq. (2) to retrieve the concealed trapdoor key $r'y$. Using the $r'y$ value, the smart meter executes Eq. (5) to calculate the two components:

$$\begin{aligned} r_1 &= x\Big[h_2\big(h_1(m_{agg}^{(t)} \,\|\, X),\, Y\big) - h_2\big(h_1(m' \,\|\, X),\, Y\big)\Big] + r^{(t)} \\ r_2 &= r'y\Big[h_2\big(h_1(m_{agg}^{(t)} \,\|\, X),\, Y\big) - h_2\big(h_1(m' \,\|\, X),\, Y\big)\Big] \end{aligned} \qquad (5)$$

Note that if the smart meter is compromised by an adversary, the trapdoor key $y$ is still safe because it is blinded and randomized by the secret value $r'$. The derived $r_1$ and $r_2$ commitments are then sent to the MDMS, encrypted using the smart meter's pre-shared key $EK_i$ to provide confidentiality and privacy. Using the commitment values, MDMS will be able to reconstruct the $r''$ value to calculate the chameleon hash value (c.f. Sect. 4.4) and verify that the previously aggregated messages sent by the concentrator are not tampered with and that the readings truly originate from the smart meters. The detailed steps of this phase are summarized in Algorithm 2.

Algorithm 2: Generate Hash Collision (Smart Meter, $sm_i$, $1 \le i \le n$)
Inputs: Chameleon trapdoor key: $x$
    Smart meter $i$ encryption key: $EK_i$
    Polynomial: $P(x)$
    Chameleon hash public key: $X = xG$, $Y = yG$
    Chameleon hash value, hash of aggregated readings: $H_{HK}^{(t)}$, $h_1(m_{agg}^{(t)} \,\|\, X)$
    Random value: $r^{(t)}$
Output: $r''$ every period $T$ s.t. $H_{HK}(m', r'') = H_{HK}^{(t)}\big(m_{agg}^{(t)}, r^{(t)}\big)$ where $m' \neq m_{agg}^{(t)}$
$P_i(x) = (x - EK_1)(x - EK_2) \cdots (x - EK_i)(x - EK_n) + r'y$
Substitute $EK_i$ of the smart meter $i$ in $P(x)$ to recover secret $r'y$
For $i$ to $T$ do
    Sum up readings of smart meter $i$
    $m' \leftarrow \sum_{j=1}^{T} m_i^{(t)}$
End for
$r'' = (x + y)\Big[h_2\big(h_1(m_{agg}^{(t)} \,\|\, X),\, Y\big) - h_2\big(h_1(m' \,\|\, X),\, Y\big)\Big] + r^{(t)} \pmod n$
Split $r''$ into two components $r_1$ and $r_2$ where
    (a) $r_1 \leftarrow x\Big[h_2\big(h_1(m_{agg}^{(t)} \,\|\, X),\, Y\big) - h_2\big(h_1(m' \,\|\, X),\, Y\big)\Big] + r^{(t)}$
    (b) $r_2 \leftarrow r'y\Big[h_2\big(h_1(m_{agg}^{(t)} \,\|\, X),\, Y\big) - h_2\big(h_1(m' \,\|\, X),\, Y\big)\Big]$
Encrypt $r_1$, $r_2$ using $EK_i$ and send it to MDMS

4.4 Hash Verification Phase

When the MDMS receives the commitments $r_1$, $r_2$ from smart meter $sm_i$, it uses the pre-shared key $EK_i$ of smart meter $i$ to decrypt the message to recover $r_1$, $r_2$. The MDMS then divides $r_2$ by $r'$ to reconstruct the actual value of $r_2$. Using $r_1$ and the derived $r_2$ value, the MDMS reconstructs the true value of $r''$. Next, the MDMS computes $m'$ by summing up all the meter readings of smart meter $i$ for $T$ intervals and computes the chameleon hash value $H_{HK}$ using Eq. (6) and the derived $r''$. More formally, MDMS calculates the following:

$$H_{HK}(m', r'') = h_2\big(h_1(m' \,\|\, X),\, Y\big)(X + Y) + r''G \pmod n \qquad (6)$$

The MDMS compares the calculated $H_{HK}(m', r'')$ with the previous value $H_{HK}^{(t)}\big(m_{agg}^{(t)}, r^{(t)}\big)$ stored in the database at time $t$. If the two hash values match, it means that the reported readings from the concentrator are consistent with each other and are not tampered with. If the verification is unsuccessful, it means that either the concentrator or the reporting smart meter is compromised. To verify the status, the MDMS may request another smart meter in the group to send the commitments to validate the chameleon hash value at time $t$. If the chameleon hash value of the second smart meter is verified successfully, the MDMS concludes that the first smart meter has been compromised. Conversely, if the verification of the chameleon hash value of the second smart meter is not successful, but its chameleon hash value is the same as the value reported by the first smart meter, then the MDMS concludes that the concentrator has been compromised. The verification process is shown in Algorithm 3.

Algorithm 3: Verification (MDMS)
Inputs: Components of $r''$: $r_1$, $r_2$
    Aggregated readings of smart meter $i$ over a time period $T$: $m'$
    Random value to blind MDMS's trapdoor key $y$: $r' \in [1, n-1]$
Output: Check whether $H_{HK}(m', r'') = H_{HK}^{(t)}\big(m_{agg}^{(t)}, r^{(t)}\big)$
Divide $r_2$ by $r'$
    $r_2 \leftarrow y\Big[h_2\big(h_1(m_{agg}^{(t)} \,\|\, X),\, Y\big) - h_2\big(h_1(m' \,\|\, X),\, Y\big)\Big]$
Derive $r'' \leftarrow r_1 + r_2$
For $i$ to $T$ do
    Sum up readings of smart meter $i$
    $m' \leftarrow \sum_{j=1}^{T} m_i^{(t)}$
End for
Compute $H_{HK}(m', r'') = h_2\big(h_1(m' \,\|\, X),\, Y\big)(X + Y) + r''G \pmod n$
if $H_{HK}(m', r'') = H_{HK}^{(t)}\big(m_{agg}^{(t)}, r^{(t)}\big)$ then
    | Concentrator is not compromised
else
    | Concentrator is compromised
end

4.5 Key Blinding Phase

After each $T$ period, the MDMS randomizes its trapdoor key $y$ to limit the exposure of the key and thereby increase security. The key randomization interval can be configured to be updated every 6 or 12 h, depending on the application specifications. To support this requirement, the polynomial-based key management mechanism is used. First, the MDMS selects a new random blinding value $r'_{new} \in [1, n-1]$ and computes a new concealed trapdoor key as $r'_{new}y$. After that, the MDMS constructs a new polynomial $P_i(x)$ for group $i$ using the pre-shared keys of all the smart meters in the group as $P_i(x) = (x - EK_1)(x - EK_2) \cdots (x - EK_n) + r'_{new}y$. The MDMS then broadcasts $P_i(x)$ to the group smart meters and the concentrator, respectively. Upon receiving the new polynomial, every smart meter in the group uses its secret key $EK_i$ to retrieve the new concealed trapdoor key $r'_{new}y$ by computing $P_i(EK_i)$. Once $r'_{new}y$ is known, the smart meter follows the hash collision procedure to generate the two commitments so that MDMS can verify all chameleon hash values issued between $T$ and $T + 1$ intervals later. With the polynomial-based approach, updating the trapdoor keys requires no further encryption or decryption by the smart meters and the MDMS.
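The phases above (Algorithms 1 to 3, the polynomial lookup of Eq. (2), and the per-period re-blinding) can be exercised end to end in Python. This is an added example, not the authors' C/OpenSSL implementation. Assumptions: the byte encodings of readings and curve points, SHA-256 and HMAC-SHA-256 as $h_1$ and $h_2$, polynomial arithmetic over $\mathbb{Z}_n$, all function names, and that the concentrator's signature and the $EK_i$ encryption of the commitments are handled elsewhere.

```python
import hashlib, hmac, secrets

# NIST P-256 domain parameters (E, p, a, b, G, n), the curve used in the page's evaluation.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def on_curve(pt):
    return (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P == 0

def rand_scalar():
    return secrets.randbelow(N - 1) + 1           # uniform in [1, n - 1]

def enc(pt):                                      # assumed fixed-width point encoding
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def h1(m, X):                                     # h1(m || X) with SHA-256
    return hashlib.sha256(m.to_bytes(8, "big") + enc(X)).digest()

def h2(digest, Y):                                # HMAC keyed with Y, reduced into Z_n
    return int.from_bytes(hmac.new(enc(Y), digest, hashlib.sha256).digest(), "big") % N

def cham_hash(digest, r, X, Y):
    """Eq. (1) on a precomputed h1(m || X): h2(., Y)(X + Y) + rG."""
    return ec_add(ec_mul(h2(digest, Y), ec_add(X, Y)), ec_mul(r, G))

def build_poly(eks, blinded_y):
    """Expanded coefficients (lowest degree first) of prod(x - EK_i) + r'y over Z_n."""
    c = [1]
    for ek in eks:                                # multiply the running product by (x - ek)
        c = [(lo - ek * hi) % N for lo, hi in zip([0] + c, c + [0])]
    c[0] = (c[0] + blinded_y) % N
    return c

def eval_poly(coeffs, x):
    acc = 0
    for c in reversed(coeffs):                    # Horner's rule
        acc = (acc * x + c) % N
    return acc

def meter_commit(x, ek, poly, agg_digest, r_t, own_sum, X, Y):
    """Algorithm 2: the meter never learns y, only r'y = P(EK_i)."""
    delta = (h2(agg_digest, Y) - h2(h1(own_sum, X), Y)) % N
    return (x * delta + r_t) % N, eval_poly(poly, ek) * delta % N      # r1, r2

def mdms_verify(r1, r2, r_blind, reported_sum, stored_hash, X, Y):
    """Algorithm 3: unblind r2, rebuild r'' and recompute Eq. (6)."""
    r_coll = (r1 + r2 * pow(r_blind, -1, N)) % N
    return cham_hash(h1(reported_sum, X), r_coll, X, Y) == stored_hash

def run_period(x, y, X, Y, eks, readings, reported, meter=0, t=0):
    """One period T: concentrator hashes `reported`, meter commits to its true `readings`."""
    r_blind = rand_scalar()                       # fresh r' per period (key blinding phase)
    poly = build_poly(eks, r_blind * y % N)       # broadcast in expanded form
    m_agg, r_t = sum(reported[t]), rand_scalar()
    agg_digest = h1(m_agg, X)
    stored = cham_hash(agg_digest, r_t, X, Y)     # value the MDMS recomputes and stores
    own_sum = sum(row[meter] for row in readings)
    r1, r2 = meter_commit(x, eks[meter], poly, agg_digest, r_t, own_sum, X, Y)
    reported_sum = sum(row[meter] for row in reported)
    return mdms_verify(r1, r2, r_blind, reported_sum, stored, X, Y)

def demo():
    x, y = rand_scalar(), rand_scalar()
    X, Y = ec_mul(x, G), ec_mul(y, G)
    assert on_curve(X) and on_curve(Y)            # validate registered public keys
    eks = [rand_scalar() for _ in range(3)]       # pre-shared EK_i, one per meter
    readings = [[12, 7, 30], [15, 9, 28]]         # constructed: rows = intervals, cols = meters
    tampered = [[7, 7, 30], [10, 9, 28]]          # concentrator under-reports meter 0
    return (run_period(x, y, X, Y, eks, readings, readings),
            run_period(x, y, X, Y, eks, readings, tampered))

if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False)`: the honest period verifies, while the period in which the concentrator under-reports meter 0 fails the comparison in Algorithm 3.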

4.6 Performance Evaluation

4.6.1 Computational Time and CPU Cycles
We first evaluate and compare the performance of our ECC-based protocol with the discrete logarithm (DL)-based protocol (He et al. 2016). Both protocols were implemented in C using the OpenSSL 1.0.2 Crypto library. We are interested in the computational time and the CPU cycles with respect to the following:
• Generating a chameleon hash value by the concentrator
• Generating a trapdoor collision by the smart meter
• Verifying the chameleon hash value by the MDMS

All tests were executed 1000 times under Ubuntu 16.04 on an i5-3427U laptop. In our ECC-based chameleon hash implementation, we used the NIST Curve P-256, which provides 128 bits of security. In the DL implementation, a 2048-bit field with 112 bits of security was chosen. Table 1 compares the average computing time and CPU cycles for both protocols. The results show that ECC-based chameleon hashing is significantly more efficient than the DL-based approach. The time taken to generate a chameleon hash on the concentrator based on the ECC construction is 1.096 ms, while the DL approach requires 5.53 ms. In the case of generating a trapdoor hash collision, the ECC version took only 0.1 ms on the smart meter, while the DL method took nearly 11 ms. The DL implementation is more expensive because the smart meter needs to perform two modular exponentiations to compute the computationally costly commitments. In terms of performing hash verification by the MDMS, the ECC implementation improves the time efficiency by a factor of 1.6 over the DL approach. These results show that our ECC-based protocol is very efficient and well suited for low-powered devices, especially smart meters. A lower computational cost means that more resources can be freed up on the device to perform other tasks. It also indicates higher availability to service more requests, thereby improving the scalability.

Table 1 Timing comparison between ECC and DL implementation. Values are time taken/CPU (ms/megacycles)

| Chameleon hash protocol | Smart meter | Concentrator | MDMS |
|---|---|---|---|
| ECC-256 bits | 0.1/0.21 | 1.096/2.49 | 1.84/4.21 |
| DL-2048 bits | 10.7/25.85 | 5.53/12.92 | 2.91/6.68 |

4.6.2 Communication Latency
A test bed comprising three smart meters and a concentrator was set up to evaluate the communication latency of the proposed protocol implemented on the Raspberry Pis. We are interested in the communication cost of AMI, in which a number of smart meters are connected to a concentrator using WiSUN. As shown in Fig. 2, three smart meters (SM) were connected to the concentrator (C). They were configured to send energy readings every minute to the concentrator for aggregation. Each smart meter then waits for the chameleon hash value and the hash of the aggregated readings to be returned as an acknowledgment to generate the trapdoor collision commitments. In this experiment, the average round-trip time (RTT) is defined as the time it takes for a message to be sent plus the amount of time it takes for an acknowledgment of that message to be received. Depending on whether our protocol is enabled, this timing may include the computational time of the chameleon hash value calculated by the concentrator and the generation time of the trapdoor collision commitment values $r_1$ and $r_2$ by the smart meter.

Fig. 2 Network topology of a simple AMI (smart meters SM1, SM2, and SM3 exchange messages M1, M2, and M3 and acknowledgments ACK1, ACK2, and ACK3 with the concentrator C)

Table 2 shows the communication latency for the test setup in Fig. 2. We observed that the average RTT experienced by each smart meter is not uniform. The reason is that the concentrator must receive all the smart meters' energy consumption readings before it can compute the chameleon hash value. Thus, some of the smart meters would have to wait longer for the acknowledgment from the concentrator to perform the trapdoor collision. Nevertheless, the average RTT of each smart meter was well within the limit of the sending rate of 1 min, and hence, it did not affect the end-to-end verification of the protocol, i.e., the transmission of the commitment values between the smart meter and the MDMS.

Table 2 Average RTT for communication between smart meter and concentrator

| SM ID | W/o protocol (ms) | With protocol (ms) | Avg. CHV timing (ms) | $r_1$ and $r_2$ timings (ms) |
|---|---|---|---|---|
| SM1 | 492.15 | 539.49 | 48.07 | 0.38 |
| SM2 | 849.84 | 1284.12 | 48.07 | 0.37 |
| SM3 | 1284.12 | 1332.23 | 48.07 | 0.38 |

CHV chameleon hash value

The second observation is that though the cryptographic operations on the Raspberry Pi platform took longer to execute than on a laptop (c.f. Sect. 4.6.1), the experimental results show that our protocol is still very efficient and well suited for securing AMI communications. As illustrated in Table 2, the added layer of security only accounts for less than 10% of the total RTT delay.

Table 3 Communication overheads comparison per day

| Scheme | Transmission overhead (KB) | Number of messages |
|---|---|---|
| Traditional approach | 150 | 4800 |
| Our approach | 76.5 | 4848 |

4.6.3 Communication Overhead
In terms of communication overhead, we compared our protocol with the traditional approach of applying a digital signature on each energy consumption reading sent by the smart meter without aggregation. Suppose that there are 100 smart meters and the readings are reported to the concentrator every half an hour. Then, the total number of digital signatures generated by the concentrator will be 100 * 24 h * 2 = 4800. Assuming that the size of a digital signature is 32 bytes, the total transmission bandwidth required for AMI communication will be 32 bytes * 4800 = 150 Kbytes, in addition to the energy readings to be sent. In contrast, since the readings are aggregated every half hour in our proposed protocol, the concentrator only needs to send one digital signature every half hour. Furthermore, the smart meter needs to transmit the trapdoor commitment values to the MDMS for end-to-end verification. Suppose the AES algorithm is employed to encrypt the commitment values, so that the size of the encrypted data is 16 bytes. Thus, the total transmission bandwidth requirement of our protocol is 24 h * 2 signatures/h * 32 bytes + 100 * 24 h * 2 commitments/day * 16 bytes = 76.5 Kbytes, on top of the aggregated energy readings to be sent. Table 3 compares the number of communication messages and the transmission overhead between the two approaches. The result shows that only half of the security-related transmission overhead is needed as compared to the traditional approach. Hence, we conclude that with the ECC-based end-to-end integrity protocol, a significant amount of bandwidth can be saved, thus saving the cost of operation.

4.7 Security Discussions

In this section, we analyze the security of our protocol, in particular data integrity and authenticity.

4.7.1 Data Integrity
End-to-end data integrity is achieved based on the properties of the chameleon hash function, namely, trapdoor collision and collision resistance. This guarantee is conditioned upon the security of the key exposure freeness property, that is, the trapdoor keys are not exposed.

• Trapdoor collision property: There exists an efficient probabilistic polynomial time (PPT) algorithm $A$ that on input of the smart meter's trapdoor key $x$, the concealed trapdoor key $r'y$ of MDMS, a message pair $\big(h_1(m_{agg}^{(t)} \,\|\, X), r^{(t)}\big)$, and an additional self-generated message $m'$, the smart meter is able to output a value $r'' \in \mathbb{Z}_n$ such that hash collision occurs, i.e., $H_{HK}(m', r'') = H_{HK}^{(t)}\big(m_{agg}^{(t)}, r^{(t)}\big)$. This $r''$ value that is sent to the MDMS is represented by $r_1$ and $r_2$ and serves as a commitment to assist the MDMS in validating the integrity of the aggregated readings $m_{agg}^{(t)}$ that was reported by the concentrator at time $t$. If the concentrator modifies the aggregated readings, it can be detected without fail based on this property.

• Collision-resistant property: There is no probabilistic polynomial time (PPT) algorithm that on input $HK = (X, Y)$ and without the knowledge of the trapdoor key pair $TK = (x, y)$, the concentrator is able to find pairs $\big(m_{agg}^{(t)}, r^{(t)}\big)$ and $(m', r'')$ where $m_{agg}^{(t)} \neq m'$ such that $H_{HK}(m', r'') = H_{HK}^{(t)}\big(m_{agg}^{(t)}, r^{(t)}\big)$ with a nonnegligible probability. This is equivalent to solving the ECDLP problem which is known to be computationally hard. By this property of chameleon hash function, the concentrator is always forced to abide by the rules of the protocol because such forgery can adversely affect its credibility.

4.7.2 Data Authenticity
Data authenticity provides assurance that the received messages come from the authorized senders. We analyze our protocol in two aspects to show that it achieves authentication.

• Case 1: Concentrator → MDMS: The chameleon hash value $H_{HK}^{(t)}$ sent by the concentrator to the MDMS is signed using a digital signature scheme such as the Elliptic Curve Digital Signature Algorithm (ECDSA) (Johnson et al. 2001). Assuming a PKI is available and can verify the concentrator's public key using digital certificates, the authenticity of the origin and data can be validated after verifying the ECDSA signature. The ECDSA is secure under the assumptions that the ECDLP is hard and that the hash function is secure. An unauthenticated concentrator cannot pass off as legitimate to perform data aggregation.

• Case 2: Smart meter → MDMS: Each smart meter is preloaded with a secret pre-shared key $EK_i$ that is shared between the smart meter and the MDMS. The smart meter uses this key to encrypt the commitment $r_1$, $r_2$. The use of the pre-shared key provides a guarantee that messages originate from authenticated and unique smart meters.

4.7.3 Security of Polynomial Exchange
Whenever a trapdoor key needs to be randomized, the MDMS will broadcast a new polynomial to all the smart meters in the group without encryption. We note that sending the polynomial in clear will not compromise security because the MDMS is sending the expanded form of the polynomial of degree $n$, that is, $P_i(x) = x^n - Ax^{n-1} + \ldots - Bx^2 + Cx - D$, where $n$ denotes the number of smart meters in the group and $A$, $B$, $C$, and $D$ denote the coefficients of the polynomial. If $n$ is large, it is proven that finding the roots of the polynomial is NP-hard (Roche 2009). Therefore, it is not easy to recover the concealed trapdoor key. Moreover, the trapdoor key is blinded by a random $r'$. Thus, we conclude that the key blinding phase is secure against eavesdropping attacks.

5 Key Management

In the last section, it is assumed that smart meters in the same geographical area share the same group trapdoor key and that each smart meter has a pre-shared key with the MDMS. In this section, we provide a review of key management schemes that can be used to facilitate key management in AMI.

5.1 Classification of Key Management Schemes

Key management is an essential requirement for ensuring the security of communication channels. The primary goal of a key management scheme is to provide a cryptographic key between two devices or a group of devices to provide confidentiality, integrity, authenticity, privacy, and non-repudiation security (Mohassel et al. 2014). This process typically involves key generation, key exchange, key storage, and key update operations. This section summarizes the latest developments in AMI key management, highlighting the pros and cons of each solution. More importantly, the classification aims to provide readers with an understanding of AMI key management. In general, key management schemes can be classified into symmetric, asymmetric, and hybrid-based approaches, as shown in Fig. 3.

Fig. 3 Classification of key management schemes for AMI: symmetric (trusted authority-based, key distribution-based), asymmetric (PKI-based, identity-based cryptography), and hybrid (symmetric and asymmetric combined)

5.2 Symmetric-Based Key Management

Symmetric-based key management relies on the provisioning of a shared secret key between any two nodes to enable secure communication. It can be further differentiated between trusted authority-based and key distribution-based methods.

Ng et al. (2018) proposed a lightweight key management scheme to distribute and manage session keys between two communicating devices in an industrial control system (ICS), e.g., between human-machine interface (HMI) and PLC using a symmetric-key based hash-chain encryption scheme. This scheme allows for automatic renewal of the session key periodically based on the use of a reversed hash chain and the authentication mechanism defined in ViotSOC (Ko et al. 2017). Any devices in the network can be paired to obtain a session key from the key management server, one acting as the client while the other as the server. This key management scheme has two phases:

• Key Generation and Distribution. The key server generates three security parameters, namely, Passcode, Hash Key, and Hint. The Passcode serves as a secret communication key (session key) to be used between the two communicating devices. The Hash Key is formed using a hash chain by repeatedly applying a standard hash function such as SHA256 on a seed. This Hash Key is mapped to time, and each time slot is assigned a Hash Key and a Passcode. The Passcode for each time slot is encrypted with its corresponding Hash Key, thus forming the Hint. The Hash Keys comprising a hash chain are used in reversed order to provide fine granular time-based renewal of session keys. The Key Server then distributes the Hint and the Passcode to one device acting as the server role, while it sends a designated Hash Key to the device acting as the client role.

• Authentication and Key Agreement. After the keys and security parameters have been distributed, the two communicating parties must perform a key agreement protocol in order to establish a secure communication channel between them. For each time slot, a Hash Key, V, has been allocated to the two communicating parties. The device (client role) can send a request to the device (server role) that it wishes to communicate with, in order to obtain the Hint. As the client possesses the Hash Key for that particular time slot, it can decrypt the Hint to obtain the Passcode for the time slot. Authentication and key agreement between the client and server are successful when the Hint can be decrypted successfully. As the Hint is encrypted with the Hash Key, and each time slot has a different Hint, if a client was not provisioned with the correct Hash Key, it will not be able to decrypt the Hint and subsequently recover the Passcode. The Passcode is automatically renewed when the time slot has expired. The client will need to request a new Hint from the server in order to obtain the new Passcode. The renewal of Passcode does not require the Key Server to be available at all times, as it only involves the two communicating parties to relay the Hint.

This scheme can be deployed in the end-to-end integrity protocol to facilitate the renewal of the secret key shared between the MDMS and each smart meter $i$, $EK_i$. With a periodic update of $EK_i$, if the group trapdoor key needs to be renewed, it can also be encrypted with each smart meter's respective $EK_i$.

5.3 Asymmetric-Based Key Management

Asymmetric-based key management relies on two different keys, the private key and the public key. The public key is used for encryption and can be published, whereas the private key is used for decryption. The concept of asymmetric-based key management is to apply an asymmetric cryptographic protocol to negotiate communication keys. From a computational point of view, asymmetric cryptography requires more resources than symmetric cryptography. Asymmetric-based key management overcomes the key distribution problem, but it requires a certification authority (CA) infrastructure to be set up to certify the public-key pairs. In this section, we focus on identity-based key management schemes for CPS, which use a device's identity as its public key instead of a randomly generated public key that needs to be certified by the CA.

5.3.1 Identity-Based Without Pairing
Sani et al. (2017) proposed an identity-based key bootstrapping protocol to support secure communications in the Energy Internet Environment. Their protocol focuses on establishing unicast and multicast communication keys. A unicast key is established based on an elliptic curve Diffie-Hellman (ECDH) key exchange and cryptographic hash function, whereas a multicast key is generated using the node's public key and the node's randomly chosen secret value. Although the protocol is simple, it depends on strong assumptions. First, each node must share a secret password to bootstrap the ECDH key exchange protocol. Second, each node must share a session key with other devices, for the purpose of distributing a multicast key in order to establish multicast communication.

Wazid et al. (2016) proposed a three-factor user authentication protocol that utilizes the user's mobile device to remotely authenticate the user to the smart meter in a smart grid environment. Their protocol uses a combination of ECC, cryptographic hash, bitwise XOR operator, and fuzzy extractor functions to derive the session keys for secure and authenticated communications. Although this approach does not use bilinear pairings, multiple ECC point multiplications are required at the smart meter side, which increases the computational burden.

Mohammadali et al. (2018) proposed two key establishment protocols called NIKE and NIKE+ to protect communications between smart meters and MDMS in an AMI environment. Their protocol is based on the ECC primitives and does not rely on bilinear pairing. The proposed NIKE+ protocol is an optimized version of NIKE that has a lower computational burden on the smart meters. Despite the high efficiency (very low communication and computation costs), neither protocol has addressed the issue of establishing a session key between the smart meters and the aggregator.

Benmalek et al. (2018) proposed a dynamic key management protocol that uses multiple sets of Logical Key Hierarchy (LKH) structures to support unicast, multicast, and broadcast communications among multiple demand response (DR) projects in an AMI. Each leaf of the LKH represents the unicast key for a single smart meter. The root of the key tree represents the broadcast key of a DR project, and the interior nodes of the tree are the multicast keys. These keys will be used to send updated keys each time a user leaves or joins a DR project. Although this protocol has its advantages, the key establishment part is based on the classical elliptic curve Diffie-Hellman protocol, which is not much different from the previous work.

5.3.2 Identity-Based Schemes Using Pairing
Tsai and Lo (2016) proposed a key distribution scheme that utilizes identity-based signature and encryption techniques to achieve mutual authentication and anonymity without the involvement of the trusted authority (TA). However, their approach fails to provide strong smart meter credentials privacy and session key security when the ephemeral secrets are leaked. Furthermore, their approach is expensive because the smart meter must perform several MapToPoint functions to instantiate pairing operations.

To preserve session key security when the ephemeral key is leaked, Odelu et al. (2018) proposed to mask the ephemeral key using the smart meter's long-term private key. To authenticate the aggregator, their protocol uses an identity-based encryption technique to validate the aggregator's credentials. Chen et al. later discovered that the proposed scheme has an inherent key escrow problem, which makes it vulnerable to impersonation and privacy tracking attacks. That is, the private key generator (PKG) always knows the user's private key. Therefore, the PKG can impersonate any smart meter or aggregator to decrypt the user's cipher texts. The PKG can also track the users' identities to compromise privacy.

To that end, Chen et al. (2017) improved the scheme by generating the smart meter's private key using two secret numbers that are randomly selected by the smart meter and the PKG. In this way, a smart meter's private key will not be known by the PKG. To extract the smart meter's private key, the PKG must solve the computational Diffie-Hellman problem, which is hard. Nevertheless, this scheme uses bilinear pairing and MapToPoint operations, which tend to be resource intensive.

5.4 Hybrid-Based Key Management

In hybrid-based key management schemes, a combination of symmetric- and asymmetric-based operations is used to negotiate session keys for secure communications in AMI. The motivation is that symmetric cryptography (e.g., AES encryption) tends to be faster because it incurs minimal computational overhead. On the other hand, asymmetric cryptography solves the problem of distributing keys. From a design perspective, their combination can make key management more efficient without losing security. Based on this idea, several hybrid-based key management schemes have been proposed. Mahmood et al. (2016) proposed a hybrid authentication scheme that uses AES and RSA public-key cryptography to generate a session key between two communicating nodes. The authors use Diffie-Hellman key agreement to negotiate an AES encryption key and employ the RSA encryption to authenticate the two smart meters mutually. After successful authentication, both smart meters derive the session key by hashing the AES key that was created. Unfortunately, their scheme did not address the privacy of the smart meters at all. Khasawneh and Kadoch (2018) proposed a more efficient hybrid authentication alternative using Elliptic Curve Integrated Encryption Scheme (ECIES) and AES as building blocks. The symmetric and authentication keys are generated based on the Elliptic Curve Discrete Logarithm Problem (ECDLP). The protocol is further optimized for performance by pre-computing the scalar point multiplications in advance. However, this solution is not designed to protect the privacy of the smart meters. Wan et al. (2014) proposed a scalable key management (SKM) scheme to support multicast key management in AMI by combining identity-based cryptography and one-way hash tree approach. The key idea of SKM is to use bilinear pairing to generate a unicast key. After that, the unicast keys are integrated into a hash tree to compute the multicast and broadcast keys. 
To reduce the computational burden on the smart meters, the authors proposed that the MDMS precomputes the pairing on behalf of the smart meters. However, as the number of smart meters increases, the height of the hash tree increases. Thus, the storage cost also increases.

6 Conclusions and Outlook

In this chapter, we have outlined the security threats in CPS. In particular, we discussed the importance of data integrity and authenticity in a real-time AMI system. Any compromise on the integrity of energy consumption data and the authenticity of the smart meters will have an adverse effect on the AMI. We described a novel end-to-end data integrity protocol for AMI to protect data aggregation against message tampering. The protocol is based on an ECC-based double-trapdoor chameleon hashing. Through informal security analysis, we show that our protocol is secure against the key exposure problem and provides integrity and authenticity assurances. Due to the delayed verification of our protocol, i.e., between the smart meter and the MDMS, one could argue that the MDMS is only able to verify the real-time authenticity and integrity of the aggregated data sent by the concentrator and not the provenance of the readings from the authenticated smart meters until it also receives a chameleon hash collision from each individual smart meter. To address this limitation, we note that the verification of this end-to-end property (between the smart meter and MDMS) can be fine-tuned by increasing the frequency at which the chameleon hash collision is transmitted by the smart meters. If the energy consumption data is aggregated every half an hour, and the chameleon hash collision is sent every hour, then the protocol is able to verify the integrity and authenticity of data in near real time. As the protocol relies on various security keys to be provisioned, it is important that the protocol is integrated with a suitable key distribution and management protocol so that renewal of security keys can be done seamlessly without compromising the security.

References

D. Alahakoon, X. Yu, Smart electricity meter data intelligence for future energy systems: A survey. IEEE Trans. Ind. Inform. 12(1), 425–436 (2016)
E. Ancillotti, R. Bruno, M. Conti, The role of communication systems in smart grids: Architectures, technical solutions and research challenges. Comput. Commun. 36(17–18), 1665–1697 (2013)
M. Benmalek, Y. Challal, A. Derhab, A. Bouabdallah, VerSAMI: Versatile and Scalable key management for smart grid AMI systems. Comput. Netw. 132, 161–179 (2018)
D. Bian, M. Kuzlu, M. Pipattanasomporn, S. Rahman, Analysis of communication schemes for advanced metering infrastructure (AMI). In 2014 IEEE PES general meeting – conference & exposition, IEEE (2014), pp. 1–5
Y. Chen, J.-F. Martínez, P. Castillejo, L. López, An anonymous authentication and key establish scheme for smart grid: FAuth. Energies 10(9), 1354 (2017)
D. He, N. Kumar, J.-H. Lee, Privacy-preserving data aggregation scheme against internal attackers in smart grids. Wirel. Netw 22, 491–502 (2016)
A. Humayed, J. Lin, F. Li, B. Luo, Cyber-physical systems security – A survey. IEEE Internet Things J. 4(6), 1802–1831 (2017)
D. Johnson, A. Menezes, S. Vanstone, The Elliptic Curve Digital Signature Algorithm (ECDSA). Int. J. Inf. Secur. 1(1), 36–63 (2001)
Y. Kabalci, A survey on smart metering and smart grid communication. Renew. Sust. Energ. Rev. 57, 302–318 (2016)
S.L. Keoh, Z. Tang, Towards secure end-to-end data aggregation in AMI through delayed-integrity-verification. In 2014 10th international conference on information assurance and security (2014), pp. 6–11
S. Khasawneh, M. Kadoch, Hybrid cryptography algorithm with precomputation for advanced metering infrastructure networks. Mob. Netw. Appl. 23(4), 982–993 (2018)
H. Ko, J. Jin, S.L. Keoh, in ViotSOC: Controlling access to dynamically virtualized IoT services using service object capability. Proceedings of the 3rd ACM Workshop on Cyber-Physical System Security, CPSS ’17 (ACM, New York, 2017), pp. 69–80
N. Koblitz, Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1997)
K. Mahmood, S.A. Chaudhry, H. Naqvi, T. Shon, H.F. Ahmad, A lightweight message authentication scheme for smart grid communications in power sector. Comput. Electr. Eng. 52, 114–124 (2016)
A. Mohammadali, M. Sayad Haghighi, M.H. Tadayon, A. Mohammadi-Nodooshan, A novel identity-based key establishment method for advanced metering infrastructure in smart grid. IEEE Trans. Smart Grid 9(4), 2834–2842 (2018)
R.R. Mohassel, A. Fung, F. Mohammadi, K. Raahemifar, A survey on advanced metering infrastructure. Int. J. Electr. Power Energy Syst. 63, 473–484 (2014)
J. Ng, S.L. Keoh, Z. Tang, H. Ko, SEABASS: Symmetric-keychain encryption and authentication for building automation systems. In 4th IEEE World Forum on Internet of Things (WF-IoT 2018), Singapore (5–8 Feb 2018), pp. 219–224
R.D. Nicola, M. Loreti, R. Pugliese, F. Tiezzi, A formal approach to autonomic systems programming: The SCEL language. ACM Trans. Auton. Adapt. Syst. 9(2), 7:1–7:29 (2014)
V. Odelu, S. Zeadally, A.K. Das, M. Wazid, D. He, A secure enhanced privacy-preserving key agreement protocol for wireless mobile networks. Telecommun. Syst. 69(4), 431–445 (2018)
Y. Piao, J. Kim, U. Tariq, M. Hong, Polynomial-based key management for secure intra-group and inter-group communication. Comput. Math. Appl. 65(9), 1300–1309 (2013)
D.S. Roche, in Space- and time-efficient polynomial multiplication. Proceedings of the 2009 International Symposium on Symbolic and Algebraic Computation (ISSAC ’09) (ACM, New York, 2009), pp. 295–302
A. Sani, D. Yuan, W. Bao, Z. Dong, in Towards secure energy internet communication scheme: An identity-based key bootstrapping protocol supporting unicast and multicast. 2017 IEEE 16th International Symposium on Network Computing and Applications (NCA) (IEEE Computer Society, Los Alamitos, 2017), pp. 1–5
M. Siekkinen, M. Hiienkari, J.K. Nurminen, J. Nieminen, How low energy is Bluetooth Low Energy? Comparative measurements with ZigBee/802.15.4. In 2012 IEEE wireless communications and networking conference workshops (WCNCW), IEEE (2012), pp. 232–237
H.C. Tan, K. Lim, S.L. Keoh, Z. Tang, D. Leong, C.S. Sum, Chameleon: A blind double trapdoor hash function for securing AMI data aggregation. In 2018 IEEE 4th World Forum on Internet of Things (WF-IoT) (2018), pp. 225–230
T. Thakur, An access control protocol for wireless sensor network using double trapdoor chameleon hash function. J. Sens. (2016), pp. 1–6
J. Tsai, N. Lo, Secure anonymous key distribution scheme for smart grid. IEEE Trans. Smart Grid 7(2), 906–914 (2016)
Z. Wan, G. Wang, Y. Yang, S. Shi, SKM: Scalable key management for advanced metering infrastructure in smart grids. IEEE Trans. Ind. Electron. 61(12), 7055–7066 (2014)
M. Wazid, A.K. Das, S. Kumari, X. Li, F. Wu, Design of an efficient and provably secure anonymity preserving three-factor user authentication and key agreement scheme for TMIS. Secur. Commun. Netw. 9(13), 1983–2001 (2016)
WiSUN Alliance, Wi-SUN Alliance and FAN. https://www.wi-sun.org/smart-utilities/. Accessed Jan 2019

18 Real-Time Simulation Support for Real-Time Systems

Xi Zheng

Contents
1 Introduction
2 What Is Simulation and Real-Time Simulation
3 Evolution of Real-Time Simulation
4 Real-Time Simulation Support for Real-Time Systems
5 Challenges and Best Practices in Industry
6 Conclusion
References

Abstract

Simulations, especially real-time simulations, have been widely used for the design and testing of real-time systems. The advancement of simulation tools is largely attributed to the evolution of computing technologies. With the reduced cost and improved performance, researchers and industry engineers are able to access a variety of effective and high-performance simulation tools. This chapter describes the definition and importance of real-time simulation for real-time systems. Moreover, the chapter also points out the challenges met in real-time simulation and walks through some promising research progress in addressing some of the challenges.

X. Zheng
Department of Computing, Macquarie University, Sydney, NSW, Australia

© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_40

1 Introduction

Real-time systems, especially today’s Cyber-Physical Systems (CPS) (Baheti and Gill 2011), entail digital devices which interact closely with analog ones, humans, and the surrounding world. These systems are increasingly used in our daily lives, including autonomous vehicles, smart grids, automated health care, and many other life-critical applications (Zheng et al. 2014, 2017a; Eriksen et al. 2001; Zheng and Julien 2015; Wang et al. 2017). These real-time systems need to be reliable and pass strict compliance checks. Much research effort has been made to improve and ensure the reliability of such systems. For instance, formal methods (Zheng et al. 2015b, 2018; Cassez et al. 2017; Bouyer et al. 2011; Zheng 2014) and testing have been widely used to improve the quality of real-time systems. However, the tighter coupling between physical processes and software components in modern real-time systems, along with the varying spatial and temporal runtime contexts, makes such systems exhibit diverse behaviors across runs (Zheng et al. 2017a). Thus, verifying and validating real-time systems is still complicated, where validation assures that a real-time system meets the needs of the customers and verification assesses whether a real-time system complies with the given specification (Zheng and Julien 2015).

In industry, simulators have been used extensively in the planning, design, implementation, and verification stages of real-time systems for decades (Bélanger et al. 2010). As the above-mentioned complexity has increased dramatically for modern real-time systems, the industry has a strong tendency to rely more heavily on simulation tools (Yamane et al. 2016). Nowadays the industry mainly uses real-time simulators to design and test various aspects of real-time systems, including controls and protection schemes and devices. The simulators allow the designer to conduct a variety of tests earlier, at the planning and design stage, and in a repetitive and safe fashion. At the same time, with the rapid development of computing technologies, the cost of running simulations is steadily reduced and the performance is increasingly improved, making the simulators available to more researchers and engineers for a wider variety of real-time systems (Zheng 2015).

The adoption of real-time simulation allows testing real-time systems under faulty and extreme conditions without damaging the equipment under test while maintaining sufficient flexibility in choosing test parameters and components. Other benefits of using real-time simulations include maintaining a relatively safe testing environment for the engineers and other personnel (Zheng et al. 2017a; Nguyen et al. 2017). Though real-time simulation allows a tight coupling between real hardware and a simulation tool to test hardware or software components under realistic conditions, the execution of the simulator in this case requires each time step execution to meet the real-time constraints of the corresponding physical target being modelled. The costs of developing and running such simulators can be prohibitive for a relatively complex real-time system (e.g., autonomous vehicles) (Zheng et al. 2017a). A recent study (Zheng et al. 2017a) finds that the truthfulness of the real-time system’s behavior in simulation-based approaches is often uncertain, and in practice the uncertainty and random disturbances in real-time systems cannot be coped with by even extensive simulation. As a result, the simulation-based approach often fails to verify mission-critical real-time systems and identify key failure points. Also in the same report, the steep learning curve associated with creating the models and scalability remain major issues for simulation-based approaches.

The objective of this chapter is to provide an introduction to simulation and give some definitions of real-time simulation. Then the chapter will explain the history of real-time simulation, which is followed by explaining real-time simulation support for real-time systems. Then the chapter will walk through the challenges in establishing accurate real-time simulation and some industry best practices. Finally, the chapter concludes with a discussion of some promising research directions in exploring real-time simulation for more robust and accurate real-time systems.

2 What Is Simulation and Real-Time Simulation

Simulation uses the operation of one system to represent the operation of another. Since digital computers are not able to record a continuous snapshot of a transient phenomenon, but rather record a sequence of snapshots at discrete intervals, the simulation discussed in this chapter is also known as digital or numerical simulation with a discrete time step. In such simulation, time usually moves forward in steps which are either of equal duration (Dommel 1969) or variable duration (Sanchez-Gasca et al. 1995). At each time step, some form of mathematical functions or equations (e.g., differential equations) is solved. While most linear systems can be simulated using a fixed time step, variable time step simulation is more suitable for nonlinear and high-frequency dynamic systems, as it gives the capability to study both fast and slow phenomena reflecting the observed system behavior (Sanchez-Gasca et al. 1995). For instance, in power grid systems, analysis of such systems must cater for voltage instability and unpredictable disturbances which can span hundreds or thousands of seconds. Using fixed time step simulation with small steps to solve equations and integrations in such a system is not efficient. Conversely, using fixed time step simulation with large time steps fails to capture the possible fast transients associated with the above-mentioned instability and disturbance. As a result, a simulation is required to adjust the time step automatically (Sanchez-Gasca et al. 1995). In discrete time simulation, the amount of real time required to solve the underlying mathematical equations, which represent the system at a specific time step, is known as the execution time $T_E$. However, the specified step size $T_S$ is most of the time either shorter or longer than $T_E$. In the above-mentioned simulation scenarios, which are also known as “offline” simulation, the difference between $T_S$ and $T_E$ is irrelevant, as the main objective of such simulation is to obtain simulation results as soon as possible. $T_E$ can depend on many factors; the main contributors are the computation power of the host machine and the complexity of the mathematical equations (e.g., the system model) required to be solved in each time step.

In comparison, real-time simulation is an “online” version of discrete-time simulation, where time moves forward in steps of predefined duration (Sanchez-Gasca et al. 1995). In real-time simulation, the simulation results are dependent not only on the equations/models but also on $T_E$ (Bélanger et al. 2010). To solve the underlying mathematical equations (e.g., differential equations) at a specific time step, the model is solved using the input of the variables/states from the preceding time step. In each time step, the real-time simulator is required to execute the same batch of tasks, which include (1) reading inputs from the last time step and generating outputs for the next time step; (2) solving the equations (e.g., differential equations) specified for each time step; (3) if necessary, exchanging data with other simulation nodes; and (4) waiting for the next time step to start. This implies that for any externally connected devices or simulation nodes, the state of the simulated system can be exchanged only once at the beginning of each time step in the real-time simulation. This means that, as compared to an “offline” version, the execution time $T_E$ required to solve the equations for a time step must be shorter than the specified step size $T_S$. To be more precise, for a real-time simulation to be valid, the simulator must calculate the values for those variables and states within the same time duration that the physical counterpart would require. For instance, if it takes 10 min to fill a physical water tank, then the corresponding real-time simulator shall use a value of $T_E$ which is within 10 min to fill a simulated water tank. Otherwise, the real-time simulation is considered erroneous, as discrepancies between the real-time simulation and its physical counterpart’s responses are observed. This kind of error is commonly known as an “overrun” (Bélanger et al. 2010). In Fig. 1, (a) and (b) are examples of offline simulation where the actual execution time for the required mathematical equations is either shorter (a) (accelerated simulation) or longer (b) (delayed simulation) than a given simulation time step. The required time to solve the equations is largely dependent on the underlying mathematical function and corresponding variables. In comparison, (c) depicts the real-time simulation scenario where the underlying mathematical function (e.g., $f(t_n)$) has to be evaluated within the given discrete time step (e.g., $t_n - t_{n-1}$) to avoid the “overrun.” Within the given discrete time step, not only do the equations inside the given function $f(t_n)$ need to be solved, but the input variables of the function also need to be processed, and the results need to be output within and outside the current simulation unit (e.g., the current real-time simulation unit can interact with other real-time simulation units or real hardware).
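The per-step task sequence and the overrun condition described above, as an added example that is not from the chapter: a fixed-step loop that measures the execution time T_E of every step against the step size T_S for a constructed water-tank model. All names, the tank parameters (600 L filled at 1 L/s, so 10 min with T_S = 1 s) and the per-step solver costs are assumptions, and `FakeClock` stands in for wall-clock time so the run is deterministic.

```python
import time
from dataclasses import dataclass


@dataclass
class StepRecord:
    n: int          # step index
    t_e: float      # measured execution time T_E of the step, in seconds
    overrun: bool   # True when T_E exceeded the step size T_S


class FakeClock:
    """Deterministic stand-in for the time module: time moves only on sleep()."""

    def __init__(self):
        self.now = 0.0

    def monotonic(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def run_realtime(solve, state, inputs, t_s, clock=time):
    """Run one fixed-size step per input sample and record T_E for each step."""
    records = []
    for n, u in enumerate(inputs):
        start = clock.monotonic()
        # (1) the input for this step, u, was sampled at the step boundary
        # (2) solve the model equations for this step
        state = solve(state, u, t_s)
        # (3) data exchange with other simulation nodes would happen here
        t_e = clock.monotonic() - start
        overrun = t_e > t_s
        if not overrun:
            # (4) idle until the next step boundary
            clock.sleep(t_s - t_e)
        # On an overrun the next step starts late: the simulation now lags
        # the physical process it is supposed to track.
        records.append(StepRecord(n, t_e, overrun))
    return state, records


def make_tank_solver(capacity_l, clock, cost_s):
    """Euler step for a tank filled at `inflow_lps` litres per second.
    cost_s(n) is a constructed compute cost for step n, charged to the clock
    to imitate the time the solver needs."""
    counter = {"n": 0}

    def solve(level_l, inflow_lps, dt):
        clock.sleep(cost_s(counter["n"]))
        counter["n"] += 1
        return min(capacity_l, level_l + inflow_lps * dt)

    return solve


def fill_tank(slow_step=None):
    """Fill a 600 L tank at 1 L/s with T_S = 1 s (constructed scenario).
    Returns (final level, per-step records, elapsed wall-clock seconds)."""
    clock = FakeClock()

    def cost(n):
        return 1.5 if n == slow_step else 0.25

    solve = make_tank_solver(600.0, clock, cost)
    level, records = run_realtime(solve, 0.0, [1.0] * 600, t_s=1.0, clock=clock)
    return level, records, clock.now


if __name__ == "__main__":
    for slow in (None, 5):
        level, records, wall = fill_tank(slow)
        overruns = [r.n for r in records if r.overrun]
        print(f"slow_step={slow}: level={level} L, wall={wall} s, overruns={overruns}")
```

With no slow step the simulated tank is full after exactly 600 s of wall-clock time; one step that needs 1.5 s leaves the simulation 0.5 s behind the physical tank for the rest of the run.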

Fig. 1 (a) Accelerated Simulation (b) Delayed simulation (c) Real-time simulation (Noureen et al. 2017)

3 Evolution of Real-Time Simulation

As shown in Fig. 2, the state-of-the-art real-time simulation can find its origin in physical simulation (i.e., analog simulation). Early work in physical simulation in the 1960s utilizes amplifiers, resistors, capacitors, and diodes to simulate specific components of a physical system. This analog simulation, where physical components are physically connected to each other in a manner similar to the real system, is the basis for the Transient Network Analyses (TNA) and the High-Voltage Direct Current (HVDC) simulators (Bélanger et al. 2010; Kuffel et al. 1995). The advantage of this kind of simulation is that it establishes a near one-to-one correlation between physical simulators and physical system components. This allows system engineers to design the simulation by mapping the parameters/components of the target physical systems with minimum effort spent on mapping and translation (Brennan and Linebarger 1964). However, users of physical simulation often struggle to solve issues related to the computer rather than to simulation as a technique. For instance, users of physical simulation need to scale all the equations (e.g., differential equations) and must grasp the necessary and often advanced knowledge of the transformation solution (e.g., transforming those equations from the problem domain into the physical component of the computer).

Fig. 2 Evolution of Real-Time Simulation

Digital simulations use mathematical representation to simulate the target physical system. The algorithms created for such software-based simulations were described as early as 1969 and have been used in some quite well-known programs (Kuffel et al. 1995). Compared with their analog counterparts, which are able to operate in real time, these early digital simulators operate, however, in a non-real-time fashion. As implied before, real-time operation requires that an event in the physical system which takes 1 s shall be simulated on the corresponding simulator within 1 s. Unfortunately, in the early digital simulators, the computations necessary to solve the required mathematical equations might take many seconds or even minutes rather than the 1 s needed to meet the real-time simulation requirement. With the quick development of microprocessors and digital signal processing (DSP), together with the improvement of software modelling techniques, digital real-time simulators started to replace their physical counterparts in the 1980s (Bélanger et al. 2010). The earlier pioneers in digital real-time simulation use relatively high-speed computers to achieve real-time operation for short periods of time, but these simulators are restricted to quite simple systems (Marti and Linares 1994; Kezunovic et al. 1994). The main issue of these simulators lies in scalability. When the modelled system becomes realistic and more complex, the number of equations to be solved grows. Correspondingly, the number of computations that need to be performed restricts the applicability of these simulators. To achieve real-time operation for digital simulators, many digital signal processors can work in parallel to share the computational tasks necessary to solve the underlying equations in the simulation models. These DSP-based real-time simulators were developed with proprietary hardware and became commercially available (Kuffel et al. 1995).

Since proprietary hardware imposes non-trivial limitations on applicability, some other digital real-time simulators based on commercial supercomputers were created (e.g., HYPERSIM from Hydro-Quebec (Do 1999)). There are also other attempts to use low-cost standard PCs to host real-time simulators (Hollman and Martí 2003), and these attempts have been further accelerated by the introduction of low-cost commercial off-the-shelf (COTS) multi-core processors. COTS-enabled digital simulators are able to conduct complex parallel simulation by reducing dependence on inter-computer communications, and these simulators are widely used to simulate large-scale microgrids, aircraft, and power systems (Bélanger et al. 2007). A recent advancement in real-time simulation lies in running simulation models directly on field-programmable gate arrays (FPGAs). This relatively new trend allows fully utilizing the parallel nature of FPGAs so that the time step for the real-time simulation can be set very small, and a complex system can be simulated by many smaller models (Saad et al. 2015; Chen and Dinavahi 2009).

4 Real-Time Simulation Support for Real-Time Systems

Real-time systems, especially recent Cyber-Physical Systems, entail complex software and exhibit sophisticated interactions among digital devices, analog components, and the surrounding world, including humans in that world. Such systems are often safety critical and must be reliable. However, real-time systems contain both digital and analog components and must be modelled as hybrid systems, which are known to be hard to formally verify (Henzinger et al. 1995). The state-of-the-practice in creating a repetitive and flexible test environment is to use real-time simulation, where computer models are used to accurately produce values of internal variables inside a real-time system; these models are designed to operate on the same time scale as the corresponding physical system (Bélanger et al. 2010). The basic assumption behind real-time simulation is that, in a real-time system, the process to be verified is composed of a plant with a controller acting upon it. Thus, though real-time simulation has been used in various real-time systems, these applications can be categorized as two kinds of tests: hardware-in-the-loop tests (HiL) (Chen 2010; Zhang et al. 2013) and software-in-the-loop tests (SiL) (Kwon and Choi 1999).

In HiL, a physical controller is connected to an executing real-time simulation representing a virtual plant, and this is used to verify the controller. Aircraft manufacturer Embraer used a real-time simulation software platform (e.g., RT-LAB) to execute a highly accurate fighter plane model, which is connected with a real onboard aircraft computer and a real cockpit. The real-time simulation model can provide a variety of feedback including force (via the flight control joystick), visual, and sound (De Resende 2004). Industrial electronic company Mitsubishi also used real-time simulation to design motor drives, where a physical motor was simulated to work with its related real-world controllers (Harakawa et al. 2005). This simulation allows testing and verification of the whole system at a much earlier stage, where a physical motor is not yet available for test. Real-time simulation also helps to understand the integration of microgrid devices with renewable energy resources (e.g., solar power and wind farms), where the overall stability and transient responses from the integrated power system can be thoroughly studied and various statistical studies can be conducted for optimization and worst-case scenario analysis (Paquin et al. 2007, 2008).

In comparison, in SiL (Kwon and Choi 1999), both controller and plant are simulated. SiL allows the embedded software in a real-time system to be tested as early as possible, where the entire real-world platform including equipment (which might not be ready yet) and environment (which cannot be thoroughly tested) is modelled in software and simulated. Compared with HiL, which is often used during the testing phase of a real-time system, SiL can be used at all stages in a real-time system including design, development, and testing (Demers et al. 2007). In Bayha et al. (2012), SiL is used to model the controllers and the environment of an unmanned aerial vehicle (UAV) system and test the control software using a variety of test cases for fault-tolerance and robustness. In Demers et al. (2007), SiL is used to evaluate policy-based network management software against a variety of network simulators. In Muresan and Pitica (2012), SiL is used to evaluate the controller software for an electric motor, and it was found that the cost of implementing a SiL environment is about 60 times cheaper than a HiL environment. Similarly, in Russo et al. (2007), an SiL analysis is performed to evaluate a brake controller algorithm, and good results are obtained by SiL in a cost-effective way. Though SiL is a cost-effective way to produce repeatable results (as the randomness of the controller and plant both reside in the real-time simulator) and supports some basic forms of testing (e.g., by visualizing the internal state of some variables), advanced debugging which allows traceability to software errors is not available, and SiL does not provide any form of automation of test cases and test oracles either (Demers et al. 2007; Bayha et al. 2012).

5 Challenges and Best Practices in Industry

Since real-time systems often entail multiple physical processes, and each physical process may be modelled separately, in industry, different real-time simulations must be able to coordinate, even potentially exchanging state information during a single time step $T_S$. Different simulation models and platforms may have different time steps, depending on their physical laws (e.g., a dynamic electrical system has a fast time step, while a dynamic thermal system may have a much slower one). Each real-time simulator (i.e., the executable implementing the simulation for a given model) has to execute a number of tasks within $T_E$, including reading inputs, solving model equations, generating outputs, and exchanging results with other simulation models. All these tasks are important, and failures or inaccuracies in any of them can render the real-time simulation useless (Bélanger et al. 2010). Accurate synchronization among different simulation models is crucial to ensuring simulation stability (Bednar and Crosbie 2007).

18 Real-Time Simulation Support for Real-Time Systems

599

The Functional Mock-up Interface (FMI) (Blochwitz et al. 2012) is an independent standard to create a co-simulation environment where C code for a specific dynamic system model is generated in the form of an input/output block, and two or more models (with different solvers) can be coupled. FMI requires each simulation platform provider (where each dynamic model is created) to explicitly support an FMI interface for model exchange so that it is possible to automatically generate a Functional Mock-up Unit (FMU) from the dynamic model. A FMU is a combination of C code and a helper XML specification that has definitions for all the variables in the given dynamic model. However, the two fundamental challenges in establishing real-time simulation, namely, time synchronization and data integration among simulation models, are left for developers to implement in the form of Master Algorithm. The MODELISAR (Modelisar 2016) project supports FMI and includes a prototypical implementation of a Master Algorithm. However, the existing implementation does not guarantee the efficiency and simulation speed, which largely depend on the problem to be solved (e.g., the size of the underlying ordinary differential equation or differential algebraic equation) and the host computer’s power (Bastian et al. 2011). This kind of implementation of the Master Algorithm is not acceptable for an integrated verification environment where efficiency and speed of the real-time simulation must be optimized to guarantee necessary precision of the outputs; further, writing a suitable master algorithm is very errorprone and poses significant challenges for developers (Bastian et al. 2011). 
Since numerical integrations deal with approximations, it is of vital importance to have an alternative automated solution that can guarantee efficiency and speed of the real-time simulation (instead of an interface or a requirement for data integration and time synchronization) to maintain a satisfactory balance between the simulation speed (i.e., latency) and precision (i.e., simulation errors) (Khaled et al. 2014). In Al-Hammouri (2012), a co-simulation platform is proposed to integrate the ns-2 network simulator with the Modelica physical systems simulator. The simulation platform is able to support asynchronous events inside both physical and network systems. The main contribution of the work is to solve real-time synchronization to make sure both simulators will advance at the same wall-clock rate. In industry, real-time system practitioners guarantee the simulation speed and precision by using dedicated machines and software to build the real-time simulation environments (i.e., NI PXI server (PXI 2016) and LabVIEW real-time module (LabVIEW RealTime 2016)). However, this approach is expensive (e.g., a basic NI PXI server costs around 10,000 USD (PXIPrice 2016)) and is not scalable. Also, this approach does not provide a solution for complex real-time systems where sub-system models must be created in different simulation platforms for a variety of reasons (e.g., knowledge and preference of interdisciplinary team, different costs, and different built-in solvers). In Khaled et al. (2014), a fine-grained co-simulation method is explored that enables numerical integration speed-ups. The method is to partition the existing models into loosely coupled sub-systems with sparse communication between partitioned modules. The parallel execution is mainly to exploit multi-core processors to deal with originally sequential ordinary differential equations in a real-time system’s sub-system models. In Kinsy et al. (2011), a time-predictable computer architecture for digital emulation is proposed for real-time systems. The architecture can be implemented on top of a field-programmable gate array (FPGA) to provide low latency emulation. In Yan et al. (2012), an integrated platform is proposed to integrate the Matlab/Simulink simulation tool with the DETERLab emulation testbed. The runtime environment provides time synchronization and data communication to coordinate two simulation platforms for security experiments.
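The two duties left to a master algorithm, time synchronization and data integration between models with different time steps, are shown in the following added example; it is not code from the handbook, from MODELISAR or from any FMI tool. The `struct slave` interface, the heater/thermal plant and all constants are constructed for illustration and are not the FMI C API.

```c
#include <stdio.h>

/* Hypothetical slave interface for this example; it is NOT the FMI C API. */
struct slave {
    long step_us;                          /* solver step of this model */
    long time_us;                          /* local simulation clock */
    double x;                              /* single state variable */
    double u;                              /* input, held between exchanges */
    double (*deriv)(double x, double u);   /* dx/dt */
    double (*output)(double x, double u);  /* value published to the peer */
};

/* Constructed plant: a heater coil (fast) warming a thermal mass (slow). */
#define V_SRC 10.0   /* supply voltage [V] */
#define R0    10.0   /* coil resistance at ambient [ohm] */
#define ALPHA 0.01   /* resistance temperature coefficient [1/K] */
#define L_H   0.01   /* coil inductance [H], time constant about 1 ms */
#define C_TH  1.0    /* heat capacity [J/K] */
#define K_TH  0.5    /* heat loss [W/K], time constant about 2 s */
#define T_AMB 25.0   /* ambient temperature [deg C] */

static double r_of(double temp) { return R0 * (1.0 + ALPHA * (temp - T_AMB)); }
static double elec_deriv(double i, double temp) { return (V_SRC - r_of(temp) * i) / L_H; }
static double elec_out(double i, double temp) { return i * i * r_of(temp); }
static double therm_deriv(double temp, double p) { return (p - K_TH * (temp - T_AMB)) / C_TH; }
static double therm_out(double temp, double p) { (void)p; return temp; }

/* Advance one slave to the next communication point with forward Euler. */
static int do_step(struct slave *s, long target_us)
{
    while (s->time_us < target_us) {
        s->x += (s->step_us * 1e-6) * s->deriv(s->x, s->u);
        s->time_us += s->step_us;
    }
    return s->time_us == target_us ? 0 : -1;   /* overshoot means lost sync */
}

/* Returns 0 on success, -1 for incompatible step sizes, -2 on clock drift. */
int master_run(struct slave *a, struct slave *b, long macro_us, long end_us)
{
    if (a->step_us <= 0 || b->step_us <= 0 || macro_us <= 0)
        return -1;
    /* Integer microseconds: every slave must land exactly on each exchange. */
    if (macro_us % a->step_us || macro_us % b->step_us || end_us % macro_us)
        return -1;
    for (long t = 0; t < end_us; t += macro_us) {
        /* Data integration: sample both outputs first, then swap them. */
        double ya = a->output(a->x, a->u);
        double yb = b->output(b->x, b->u);
        a->u = yb;
        b->u = ya;
        /* Time synchronization: both clocks must reach t + macro_us. */
        if (do_step(a, t + macro_us) || do_step(b, t + macro_us))
            return -2;
    }
    return 0;
}

/* Couples the two models for 20 s of simulated time with a 10 ms exchange. */
double demo_final_temp(long elec_step_us, long therm_step_us, int *status)
{
    struct slave elec  = { elec_step_us, 0, 0.0, T_AMB, elec_deriv, elec_out };
    struct slave therm = { therm_step_us, 0, T_AMB, 0.0, therm_deriv, therm_out };
    *status = master_run(&elec, &therm, 10000, 20000000);
    return therm.x;
}

int main(void)
{
    int st;
    double t = demo_final_temp(100, 10000, &st);
    printf("status=%d final temperature=%.3f C\n", st, t);
    demo_final_temp(300, 10000, &st);
    printf("300 us step against a 10 ms exchange: status=%d\n", st);
    return 0;
}
```

The master rejects a 300 µs solver step because it cannot land on the 10 ms communication points, which is the kind of synchronization error that otherwise shows up only as slow drift between models.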

6 Conclusion

Simulation-based approaches are widely used in industry-scale real-time systems; however, they are restrictive both in expressiveness (e.g., of quantitative properties) and coverage (i.e., the cyber part is modelled instead of testing the real implementation). Thus common but subtle bugs that result from the interaction of cyber and physical components in complex real-time systems (e.g., autonomous vehicles) are often not detectable. On the other hand, runtime verification, where properties are formally specified and checked at runtime, receives a lot of attention as a way to verify real-time systems. In Zheng et al. (2015a), runtime monitors can check both qualitative (e.g., safety, liveness) and quantitative (e.g., bounded safety and liveness, responsiveness) properties. However, to detect the insidious real-time system bugs that are manifest only in a specific deployment environment, runtime verification techniques require repetitive deployments that are either too expensive (e.g., in labor, time, and/or money), dangerous (e.g., involving autonomous vehicles), or infeasible. As an example, an unmanned rover deployed to the moon was unable to move after the first lunar night. A post hoc analysis found that the temperature on the moon is considerably lower than the rover’s components had accounted for; as a result, the rover effectively suffered from frostbite (Chen, Stephen. “Last-ditch efforts to salvage mission of China’s stricken Jade Rabbit Lunar rover.” South China Morning Post 18 April 2014, (http://tinyurl.com/oq5qnqx)). Runtime verification of real-time systems in general requires a repetitive and flexible test environment where settings can be changed easily to determine whether the properties being checked will hold in all situations. In the case of the rover, there are relatively accurate models of involved physical processes (e.g., rover dynamics and moon environment).
However, these models are separate from the runtime verification of the system’s cyber components, ultimately leading to the failure. In Zheng et al. (2017b), a combined verification approach allows real-time system developers to opportunistically leverage real-time simulation to support runtime verification. The middleware, termed BraceBind, allows selecting, at runtime, between actual physical processes or simulations of them to support a running real-time system. BraceBind is a real-time simulation architecture to generate and manage multiple real-time simulation environments based on existing simulation models in a manner that ensures sufficient accuracy for verifying a real-time system. Specifically, BraceBind aims to both improve simulation speed and minimize latency, thereby making it feasible to integrate simulations of physical processes into the running real-time system. BraceBind then integrates this real-time simulation architecture with an existing runtime verification approach that has low computational overhead and high accuracy. This integration uses an aspect-oriented adapter architecture that connects the variables in the cyber portion of the real-time system with either sensors and actuators in the physical world or the automatically generated real-time simulation. Their experimental results show that, with a negligible performance penalty, BraceBind is both efficient and effective in detecting program errors that are otherwise only detectable in a physical deployment. Another promising direction to improve real-time simulation lies in the increasingly popular machine learning and deep learning models, which have been used extensively in real-time systems to detect object location (Pan et al. 2018), user activities (Lu et al. 2019; Bhandari et al. 2017), driver drowsiness (Zhang et al. 2019), and road conditions for vehicles (Zhou et al. 2019; Xie et al. 2018). As real-time systems are highly complex and essentially probabilistic, deep learning models can be used along with real-time simulators to improve the robustness and accuracy of simulation models. There is already some pioneering work toward this path as in Vedaldi and Lenc (2015) and Sivanandam and Deepa (2006). It would be very exciting and interesting to see how convolutional neural networks (CNN) and recurrent neural networks (RNN) (Haykin 1994) can be used effectively with real-time simulation to improve robustness and safety of real-time systems.

References

A.T. Al-Hammouri, A comprehensive co-simulation platform for cyber-physical systems. Comput. Commun. 36(1), 8–19 (2012)

R. Baheti, H. Gill, Cyber-physical systems. Impact Control Technol. 12(1), 161–166 (2011)

J. Bastian, C. Clauß, S. Wolf, P. Schneider, Master for co-simulation using FMI, in 8th International Modelica Conference (Citeseer, 2011)

A. Bayha, F. Grüneis, B. Schätz, Model-based software in-the-loop-test of autonomous systems, in Proceedings of the 2012 Symposium on Theory of Modeling and Simulation-DEVS Integrative M&S Symposium (Society for Computer Simulation International, 2012), p. 30

R. Bednar, R.E. Crosbie, Stability of multi-rate simulation algorithms, in Proceedings of SCSC, 2007, pp. 189–194

J. Bélanger, V. Lapointe, C. Dufour, L. Schoen, eMEGAsim: an open high-performance distributed real-time power grid simulator. Architecture and specification, in Proceedings of the International Conference on Power Systems (ICPS 2007) (Citeseer, 2007), pp. 12–24

J. Bélanger, P. Venne, J.N. Paquin, The what, where, and why of real-time simulation, in Power and Energy Society (2010)

B. Bhandari, J. Lu, X. Zheng, S. Rajasegarar, C. Karmakar, Non-invasive sensor based automated smoking activity detection, in 2017 39th Annual International Conference of the IEEE Engineering in Medicine and Biology Society (EMBC) (IEEE, 2017), pp. 845–848

T. Blochwitz, M. Otter, J. Åkesson, M. Arnold, C. Clauss, H. Elmqvist et al., Functional mockup interface 2.0: the standard for tool independent exchange of simulation models, in 9th International Modelica Conference (The Modelica Association, 2012), pp. 173–184

P. Bouyer, F. Cassez, F. Laroussinie, Timed modal logics for real-time systems. J. Log. Lang. Inf. 20(2), 169–203 (2011)

R.D. Brennan, R.N. Linebarger, A survey of digital simulation: digital analog simulator programs. Simulation 3(6), 22–36 (1964)

F. Cassez, P. Jensen, K.G. Larsen, Refinement of trace abstraction for real-time programs, in International Workshop on Reachability Problems (Springer, 2017), pp. 42–58

H.X. Chen, Simulink and VC-based hardware-in-the-loop real-time simulation for EV, in Proceedings of EVS-25 (2010)

Y. Chen, V. Dinavahi, FPGA-based real-time EMTP. IEEE Trans. Power Delivery 24(2), 892–902 (2009)

S. Demers, P. Gopalakrishnan, L. Kant, A generic solution to software-in-the-loop, in MILCOM 2007-IEEE Military Communications Conference (IEEE, 2007), pp. 1–6

O.C. De Resende, The evolution of the aerodynamic design tools and transport aircraft wings at Embraer. J. Braz. Soc. Mech. Sci. Eng. 26(4), 379–389 (2004)

V.-Q. Do, Hypersim, an integrated real-time simulator for power networks and control systems, in ICDS’99 (1999)

H.W. Dommel, Digital computer solution of electromagnetic transients in single-and multiphase networks. IEEE Trans. Power Apparatus Syst. 4, 388–399 (1969)

C.C. Eriksen, T.J. Osse, R.D. Light, T. Wen, T.W. Lehman, P.L. Sabin, J.W. Ballard, A.M. Chiodi, Seaglider: a long-range autonomous underwater vehicle for oceanographic research. IEEE J. Ocean. Eng. 26(4), 424–436 (2001)

M. Harakawa, H. Yamasaki, T. Nagano, S. Abourida, C. Dufour, J. Bélanger, Real-time simulation of a complete PMSM drive at 10 μs time step, in At the 2005 International Power Electronics Conference-Niigata (IPEC-Niigata 2005) (2005)

S. Haykin, Neural Networks, vol. 2 (Prentice Hall, New York, 1994)

T.A. Henzinger, P.W. Kopke, A. Puri, P. Varaiya, What’s decidable about hybrid automata? in Proceedings of STOC (1995)

J.A. Hollman, J.R. Martí, Real time network simulation with PC-cluster. IEEE Trans. Power Syst. 18(2), 563–569 (2003)

M. Kezunovic, M. Aganagic, V. Skendzic, J. Domaszewicz, J.K. Bladow, D.M. Hamai, S.M. McKenna, Transients computation for relay testing in real-time. IEEE Trans. Power Delivery 9(3), 1298–1307 (1994)

A.B. Khaled, M.B. Gaid, N. Pernet, D. Simon, Fast multi-core co-simulation of cyber-physical systems: application to internal combustion engines. Simul. Model. Pract. Theory 47, 79–91 (2014)

M. Kinsy, O. Khan, I. Celanovic, D. Majstorovic, N. Celanovic, S. Devadas, Time-predictable computer architecture for cyber-physical systems: digital emulation of power electronics systems, in Proceedings of RTSS (IEEE, 2011), pp. 305–316

R. Kuffel, J. Giesbrecht, T. Maguire, R.P. Wierckx, P. McLaren, RTDS-a fully digital power system simulator operating in real time, in Proceedings 1995 International Conference on Energy Management and Power Delivery EMPD’95, vol. 2 (IEEE, 1995), pp. 498–503

W.H. Kwon, S.-G. Choi, Real-time distributed software-in-the-loop simulation for distributed control systems, in Proceedings of CACCD, 1999, pp. 115–119

LabVIEW RealTime, LabVIEW RealTime (2016), http://www.ni.com/labview/realtime/. Online; Accessed 26 Apr 2016

J. Lu, J. Wang, X. Zheng, C. Karmakar, S. Rajasegarar, Detection of smoking events from confounding activities of daily living, in Proceedings of the Australasian Computer Science Week Multiconference (ACM, 2019), p. 39

J.R. Marti, L.R. Linares, Real-time EMTP-based transients simulation. IEEE Trans. Power Syst. 9(3), 1309–1317 (1994)

Modelisar, Modelisar (2016), http://www.modelisar.org. Online; Accessed 26 Apr 2016

M. Muresan, D. Pitica, Software in the loop environment reliability for testing embedded code, in 2012 IEEE 18th International Symposium for Design and Technology in Electronic Packaging (SIITME) (IEEE, 2012), pp. 325–328

V.H. Nguyen, Y. Besanger, Q.T. Tran, T.L. Nguyen, C. Boudinet, R. Brandl, F. Marten, A. Markou, P. Kotsampopoulos, A.A. van der Meer et al., Real-time simulation and hardware-in-the-loop approaches for integrating renewable energy sources into smart grids: challenges & actions (2017). arXiv preprint arXiv:1710.02306

S. Noureen, N. Shamim, V. Roy, S. Bayne, Real-time digital simulators: a comprehensive study on system overview, application, and importance. Int. J. Res. Eng. 4, 266–277 (2017)

L. Pan, X. Zheng, P. Kolar, S. Bangay, Object localisation through clustering unreliable ultrasonic range sensors. Int. J. Sens. Netw. 27(4), 268–280 (2018)

J.-N. Paquin, J. Moyen, G. Dumur, V. Lapointe, Real-time and off-line simulation of a detailed wind farm model connected to a multi-bus network, in 2007 IEEE Canada Electrical Power Conference (IEEE, 2007), pp. 145–152

J.-N. Paquin, C. Dufour, J. Bélanger, A hardware-in-the-loop simulation platform for prototyping and testing of wind generator controllers, in CIGRÉ Canada Conference on Power Systems Winnipeg (2008)

PXI, What’s PXI (2016), http://www.ni.com/pxi/whatis/. Online; Accessed 26 Apr 2016

PXIPrice, PXI Sample Price (2016), http://sine.ni.com/nps/cds/view/p/lang/en/nid/210825. Online; Accessed 26 Apr 2016

R. Russo, M. Terzo, F. Timpone, Software-in-the-loop development and validation of a cornering brake control logic. Veh. Syst. Dyn. 45(2), 149–163 (2007)

H. Saad, T. Ould-Bachir, J. Mahseredjian, C. Dufour, S. Dennetière, S. Nguefeu, Real-time simulation of MMCs using CPU and FPGA. IEEE Trans. Power Electron. 30(1), 259–267 (2015)

J.J. Sanchez-Gasca, R. D’aquila, W.W. Price, J.J. Paserba, Variable time step, implicit integration for extended-term power system dynamic simulation, in Proceedings of Power Industry Computer Applications Conference (IEEE, 1995), pp. 183–189

S.N. Sivanandam, S.N. Deepa, Introduction to Neural Networks Using Matlab 6.0 (Tata McGraw-Hill Education, 2006)

A. Vedaldi, K. Lenc, Matconvnet: convolutional neural networks for Matlab, in Proceedings of the 23rd ACM International Conference on Multimedia (ACM, 2015), pp. 689–692

S. Wang, X. Li, L. Yao, Q.Z. Sheng, G. Long et al., Learning multiple diagnosis codes for ICU patients with local disease correlation mining. ACM Trans. Knowl. Discov. Data (TKDD) 11(3), 31 (2017)

H. Xie, G. Tian, G. Du, Y. Huang, H. Chen, X. Zheng, T.H. Luan, A hybrid method combining Markov prediction and fuzzy classification for driving condition recognition. IEEE Trans. Veh. Technol. 67(11), 10411–10424 (2018)

A. Yamane, S. Abourida, Y. Bouzid, F. Tempez, Real-time simulation of distributed energy systems and microgrids. IFAC-PapersOnLine 49(27), 183–187 (2016)

W. Yan, Y. Xue, X. Li, J. Weng, T. Busch, J. Sztipanovits, Integrated simulation and emulation platform for cyber-physical system security experimentation, in Proceedings of the 1st International Conference on High Confidence Networked Systems (ACM, 2012), pp. 81–88

Z. Zhang et al., Co-simulation framework for design of time-triggered cyber physical systems, in Proceedings of ICCPS (2013)

C. Zhang, X. Wu, X. Zheng, S. Yu, Driver drowsiness detection using multi-channel second order blind identifications. IEEE Access, 7, 60399–60410 (2019)

X. Zheng, Physically informed assertions for cyber physical systems development and debugging, in 2014 IEEE International Conference on Pervasive Computing and Communication Workshops (PERCOM WORKSHOPS) (IEEE, 2014), pp. 181–183

X. Zheng, Physically informed runtime verification for cyber physical systems. Ph.D. thesis (2015)

X. Zheng, C. Julien, Verification and validation in cyber physical systems: research challenges and a way forward, in 2015 IEEE/ACM 1st International Workshop on Software Engineering for Smart Cyber-Physical Systems (IEEE, 2015), pp. 15–18

X. Zheng, C. Julien, M. Kim, S. Khurshid, On the state of the art in verification and validation in cyber physical systems. The University of Texas at Austin, The Center for Advanced Research in Software Engineering, Technical Report TR-ARiSE-2014-001, vol. 1485 (2014)

X. Zheng, C. Julien, R. Podorozhny, F. Cassez, BraceAssertion: runtime verification of cyber-physical systems, in Proceedings of MASS (2015a)

X. Zheng, C. Julien, R. Podorozhny, F. Cassez, Braceassertion: runtime verification of cyber-physical systems, in 2015 IEEE 12th International Conference on Mobile Ad Hoc and Sensor Systems (IEEE, 2015b), pp. 298–306

X. Zheng, C. Julien, M. Kim, S. Khurshid, Perceptions on the state of the art in verification and validation in cyber-physical systems. IEEE Syst. J. 11(4), 2614–2627 (2017a)

X. Zheng, C. Julien, H. Chen, R. Podorozhny, F. Cassez, Real-time simulation support for runtime verification of cyber-physical systems. ACM Trans. Embed. Comput. Syst. (TECS) 16(4), 106 (2017b)

X. Zheng, C. Julien, R. Podorozhny, F. Cassez, T. Rakotoarivelo, Efficient and scalable runtime monitoring for cyber–physical system. IEEE Syst. J. 12(2), 1667–1678 (2018)

X. Zhou, X. Cai, Y. Bu, X. Zheng, J. Jin, T.H. Luan, C. Li, When road information meets data mining: precision detection for heading and width of roads. IEEE Access, 7, 11829–11843 (2019)

19 Real-Time Control Systems with Applications in Mechatronics

Hai Wang, Youhao Hu, Mao Ye, Jie Zhang, Zhenwei Cao, Jinchuan Zheng, and Zhihong Man

Contents
1 Introduction
1.1 Definitions and Characteristics of Real-Time Systems
1.2 Real-Time Operating Systems (RTOS)
1.3 Digital Control Systems: Controller Design and Discretization
2 Steer-by-Wire System with SMC
2.1 Introduction of SBW
2.2 Controller Design
2.3 Simulation Results
2.4 Summary
3 Electronic Throttle (ET) System with NTSMC
3.1 Introduction of ET System
3.2 Controller Design
3.3 Simulation Results
3.4 Summary
4 Permanent Magnet Linear Motor (PMLM) with FNTSMC
4.1 Introduction of PMLM System
4.2 Controller Design
4.3 Simulation Results
4.4 Summary
5 Conclusion
References

H. Wang: Discipline of Engineering and Energy, Center for Water, Energy and Waste, Harry Butler Institute, Murdoch University, Perth, WA, Australia

Y. Hu · M. Ye · J. Zhang: School of Electrical and Automation Engineering, Hefei University of Technology, Hefei, China

Z. Cao · J. Zheng · Z. Man: School of Software and Electrical Engineering, Swinburne University of Technology, Melbourne, VIC, Australia

© Springer Nature Singapore Pte Ltd. 2022. Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_41

Abstract

In this chapter, the basic ideas of real-time control systems with applications in mechatronics will be discussed. The chapter starts with the introduction of a real-time system (RTS), real-time operating system (RTOS), and digital control systems. Then several interesting engineering applications of RTS are demonstrated. The detailed arrangements of this chapter are as follows: In Sect. 1, the definition and characteristics of the RTS will first be discussed, then various controller designs with respect to RTS will be reviewed. In Sects. 2, 3, and 4, the applications and analyses for three different mechatronics systems, i.e., automotive steer-by-wire systems, electronic throttle systems, and linear motor systems, are given with detailed mathematical modeling and corresponding control design. In Sect. 5, conclusions of this chapter are drawn. It is assumed that the reader has a solid background in basic control science and engineering or has some practical experience in the design or implementation of embedded systems.

Keywords Real-time system · Digital control system · Sliding mode control · Steer-by-wire · Electronic throttle · Linear motor

1 Introduction

1.1 Definitions and Characteristics of Real-Time Systems

Since the term real-time system (RTS) covers a vast field, a comprehensive introduction is beyond the scope of this chapter. In this section, only the basic and most relevant notions will be discussed. Although the term RTS has been well defined in the literature, here we refer to the definition given by the IEEE Portable Operating System Interface for Computer Environments (POSIX) Standard, which is described as follows (IEEE 2018):

A real-time system is one in which the correctness of a result not only depends on the logical correctness of the calculation but also upon the time at which the result is made available.

The definition of RTS emphasizes the significance of time in real-time systems, which indicates that the control of such systems is subject to the response of the real world. The systems shall be capable of dealing with external events within a given time constraint. This means that the outputs of the systems must be produced within specified time bounds, the so-called deadlines. It is noteworthy that real-time computing is not equivalent to fast computing. Although results can be obtained in a short time by fast computing, the aim of real-time computing is to get the results within the prescribed time constraint, which means that immediate results are not necessarily needed. Even though all real-time systems have to meet deadlines, they can be categorized, to some extent, as hard real-time systems and soft real-time systems. A hard real-time system is a kind of hardware or software that must respond to external events within a stringent deadline; otherwise fatal errors or undesirable consequences occur. Aircraft control systems and traffic control systems are typical examples of hard real-time systems. A soft real-time system is a kind of system that must respond to external events within a deadline but with a degree of flexibility. A missed deadline does not result in system failure, but costs can rise in proportion to the delay, depending on the application. A communication system is a typical example of a soft real-time system.

1.2 Real-Time Operating Systems (RTOS)

Real-time systems (RTSs) often require concurrent processing of multiple inputs. A real-time operating system (RTOS) is intended to serve the real-time application. In addition to parallelism, the key property of an RTOS is determinism. Determinism means an RTOS is predictable, since the time necessary to respond to a request of an external event is known in advance. Determinism, together with responsiveness, which refers to the time required for the request to arrive, makes up the response time to external events. This response time is the so-called system latency. Other features of an RTOS include fast context switching, small size, preemptive scheduling based on priorities, multitasking, and multithreading. One can refer to Gambier (2004) for more details. From the structure point of view, an RTOS is similar to a standard operating system, since both are comprised of a task manager, memory manager, I/O subsystem, and intertask communication. The distinctive characteristic of an RTOS is its advanced scheduling algorithm. Scheduling algorithms consist of static and dynamic algorithms, which are designed based on whether prior knowledge is required or not. A static algorithm arranges the schedule before it is actually executed, leading to off-line planning of the static schedule. A dynamic algorithm, however, can generate new schedules dynamically depending on changes in the system. The study of scheduling algorithms is a popular area attracting lots of attention among the computer science community, and many algorithms have been proposed. In Liu and Layland (1973), taking fixed priority scheduling into consideration, rate monotonic scheduling (RMS) was proposed, which is an optimal algorithm among fixed priority policies with a utilization bound of 70%.
To address the drawback of low utilization, deadline monotonic scheduling (DMS) was further studied in Leung and Whitehead (1982), which allows deadlines shorter than periods, leading to higher utilization. From the deadline-based dynamic scheduling point of view, the earliest deadline first (EDF) algorithm was developed in Liu and Layland (1973), which can reach full processor utilization due to the dynamic assignment of priorities. Furthermore, in Dertouzos and Mok (1989), the least laxity first (LLF) algorithm was proposed, which introduced the laxity, namely the difference between deadline and remaining execution time; the laxity of a task is inversely proportional to its priority. However, in this algorithm, the execution time must be obtained in advance by estimation, which inevitably degrades the reliability of scheduling. Therefore, to tackle this drawback, the maximum urgency first (MUF) algorithm was proposed in Stewart and Khosla (1991), which integrates the features of RMS, EDF, and LLF. In this approach, the priority is assigned based on task urgency, which is a combination of two fixed priorities and a dynamic priority, providing an effective way to predict which task will fail in transient overload situations.
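The utilization contrast between RMS and the dynamic policies can be checked on a small task set. The following is an added example, not code from the handbook: a tick-level preemptive simulator for RM, EDF and LLF (using the laxity definition above) plus the Liu and Layland bound whose limit is the 70% figure. The task set, the tick granularity and all names are constructed.

```c
#include <stdio.h>

enum policy { RM, EDF, LLF };

struct task {
    int wcet;       /* execution time C per job, in ticks */
    int period;     /* period T; the relative deadline equals T */
    int remaining;  /* work left in the current job */
    int deadline;   /* absolute deadline of the current job */
};

/* Liu-Layland sufficient bound n(2^(1/n) - 1); the root is found by bisection. */
double rm_bound(int n)
{
    double lo = 1.0, hi = 2.0;
    for (int it = 0; it < 60; it++) {
        double mid = (lo + hi) / 2.0, p = 1.0;
        for (int k = 0; k < n; k++)
            p *= mid;
        if (p < 2.0) lo = mid; else hi = mid;
    }
    return n * (lo - 1.0);
}

double utilization(const struct task *ts, int n)
{
    double u = 0.0;
    for (int i = 0; i < n; i++)
        u += (double)ts[i].wcet / ts[i].period;
    return u;
}

/* Smaller value = more urgent. Ties go to the lower task index. */
static int urgency(enum policy p, const struct task *t, int now)
{
    if (p == RM)
        return t->period;                      /* fixed priority */
    if (p == EDF)
        return t->deadline;                    /* dynamic priority */
    return t->deadline - now - t->remaining;   /* laxity */
}

/* Tick-level preemptive uniprocessor simulation. Returns deadline misses;
 * *first_miss is the time of the first miss, or -1 if there is none. */
int simulate(enum policy p, struct task *ts, int n, int horizon, int *first_miss)
{
    int misses = 0;
    *first_miss = -1;
    for (int i = 0; i < n; i++)
        ts[i].remaining = 0;
    for (int now = 0; now <= horizon; now++) {
        for (int i = 0; i < n; i++) {
            if (now % ts[i].period != 0)
                continue;
            if (ts[i].remaining > 0) {      /* previous job missed its deadline */
                misses++;
                if (*first_miss < 0)
                    *first_miss = now;
            }
            ts[i].remaining = ts[i].wcet;   /* release next job, drop the late one */
            ts[i].deadline = now + ts[i].period;
        }
        if (now == horizon)
            break;
        int run = -1;
        for (int i = 0; i < n; i++)
            if (ts[i].remaining > 0 &&
                (run < 0 || urgency(p, &ts[i], now) < urgency(p, &ts[run], now)))
                run = i;
        if (run >= 0)
            ts[run].remaining--;            /* execute one tick */
    }
    return misses;
}

/* Constructed task set: U = 2/5 + 4/7, above the two-task RM bound, below 1. */
int demo_misses(enum policy p, int *first_miss)
{
    struct task ts[2] = { { 2, 5, 0, 0 }, { 4, 7, 0, 0 } };
    return simulate(p, ts, 2, 35, first_miss);   /* 35 ticks = one hyperperiod */
}

int main(void)
{
    struct task ts[2] = { { 2, 5, 0, 0 }, { 4, 7, 0, 0 } };
    const char *name[] = { "RM", "EDF", "LLF" };
    printf("U=%.3f  RM bound(2)=%.3f  bound(1000)=%.3f\n",
           utilization(ts, 2), rm_bound(2), rm_bound(1000));
    for (int p = RM; p <= LLF; p++) {
        int first, m = demo_misses((enum policy)p, &first);
        printf("%-3s misses=%d first_miss=%d\n", name[p], m, first);
    }
    return 0;
}
```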

1.3 Digital Control Systems: Controller Design and Discretization

The significant evolution of the digital computer has radically changed the implementation of control systems. To establish a real-time system, two basic steps are required: controller design and digital implementation. In practice, a typical continuous-time plant to be controlled is comprised of an actuator, a mechanism, and a sensor. The practical scheme of the digital control system is illustrated in Fig. 1. The corresponding control logic of the RTS is as follows: The measured output is first converted by an analog-to-digital converter (ADC) at predetermined time instants. The system error sequence is then obtained by computing the difference between the measured output and the reference sequence, and is fed to the digital computer or embedded microcontroller. Next, the proper control sequence is generated by the digital computer through the control algorithm and transferred to the actuator by means of a digital-to-analog converter (DAC) for driving the mechanism. The digital signal is usually maintained by the zero-order hold (ZOH).

Fig. 1 Scheme of digital control (block labels: Computer/Microprocessor, CLOCK, A-D, Control Algorithm, D-A, ZOH, Mechatronics)

Since advanced microprocessors have been widely used in many mechatronic systems (Wang et al. 2014a, b, 2016a, 2018a, b), given the advantages of their capabilities, one prefers to design the controller to meet specific control performance requirements. Thus, the emerging high-performance model-based control techniques have attracted significant interest in the control community. However, uncertainty in the system poses a challenge for control engineers, since there is always a discrepancy between the real system dynamics and its mathematical model, which mainly comprises exogenous disturbances, parameter variations, and parasitic dynamics. In order to better tackle the issue of parameter variations and external disturbances, many kinds of robust control methods were proposed. From the linearization point of view, feedback linearization approaches including backstepping approaches (Krstic et al. 1995) and flatness-based control design (Fliess et al. 1995) were proposed, which revealed the idea of equivalent transformation from complex to simple. Despite the effectiveness of the above-mentioned methods for decoupling systems and handling known nonlinearity, the robustness against parameter uncertainties is still unsolved. Therefore, taking optimal methods into consideration, the H∞ control method (Chen) was proposed to resolve the issue of parameter variations. To better estimate partial or unknown system information, adaptive control (Sastry and Bodson 2011) has been further developed, which alleviates the dependency on precise system parameters. However, the robustness cannot be essentially guaranteed, especially when rapid system model variations occur. Another feasible solution is sliding mode control (SMC), which exhibits remarkable advantages in maintaining robust performance and improving the disturbance rejection ability.
As long as the upper bounds of the system parameters and disturbances are known, high-accuracy sliding mode controllers with a finite transient time can be designed. The ideas of SMC were not unveiled until the first English monograph, attributed to Itkis (1976) and Utkin (1977), was published. SMC has been widely implemented in many fields including robots (Islam and Liu 2011), DC and AC motors (Baghaee et al. 2017), power systems (Mi et al. 2016), process control (Azar and Zhu 2015), and so on. To design an SMC, two basic steps are required: (i) The first step involves the design of a sliding mode that prescribes a satisfactory convergence property. (ii) The second step is concerned with the selection of a control law that steers the system states into the sliding mode in the presence of various uncertainties. In conventional SMC, a linear sliding surface (SS) is commonly selected as the predetermined system dynamics. In doing so, the system states converge to the equilibrium point asymptotically after the states are driven to the SS in finite time. To further improve the convergence, the terminal sliding mode (TSM) controller was developed (Feng et al. 2002), which introduced a nonlinear SS achieving finite-time convergence of the system dynamics in the sliding motion. Thus, both the sliding variable and the state variables enjoy finite-time convergence characteristics. The first-order TSM technique was first developed for the control of second-order systems in Zhihong et al. (1994). Thereafter, Yu and Man (1996) further extended the implementation to a high-order single-input and single-output (SISO) linear time-invariant (LTI) system where hierarchical TSMs were adopted to provide the sequential convergence of the sliding variables. In Zhihong and Yu (1997), the authors further proposed a general TSM structure for multi-input and multi-output (MIMO) linear systems. It is noted that this controller is particularly useful in systems requiring high tracking precision. However, there are two drawbacks in TSM: On the one hand, the convergence rate in the TSM motion is relatively slow when the system states are far away from the equilibrium. On the other hand, the design of TSM essentially has an issue of singularity, that is, the control signal might rise to infinity. For the first issue, a fast terminal sliding mode (FTSM) was proposed in Yu and Zhihong (2002), combining the advantages of both the linear SS and the nonlinear SS so that fast finite-time convergence both far from and close to the equilibrium can be guaranteed. To handle the singularity issue, the nonsingular terminal sliding mode (NTSM) was proposed in Feng et al. (2002), which overcame the singularity problem by means of a mathematically equivalent transformation. For more details of the general form of TSM, FTSM, and NTSM, one can also refer to Yu et al. (2005). Inspired by the NTSM and FTSM, the NFTSM control technique was proposed in Yang and Yang (2011), which adopted a similar method to deal with the singularity problem existing in the FTSM.

The chattering phenomenon in SMC is another important issue for practical implementations. A practical solution is to replace the signum function with a saturation function, which is the so-called boundary layer technique (Utkin et al. 2009). Although the boundary layer technique can effectively eliminate the chattering effect, the control performance inevitably degrades. Another solution is higher-order sliding mode (HOSM) control (Levant 2005), in which the chattering is "hidden" in the higher derivative of the sliding variable. HOSM features successive convergence of each order of derivative of the sliding mode variables, which is effective for arbitrary relative degrees. Another practical implementation of HOSM is to use an arbitrary-order robust exact differentiator (Levant 1998). In the following sections, several typical applications in mechatronics equipped with SMC design techniques will be demonstrated in detail.

2 Steer-by-Wire System with SMC

2.1 Introduction of SBW

Steer-by-Wire (SBW) systems are candidates to replace the conventional steering equipment in the new generation of vehicles. An SBW system has two main functions: turning the steered wheels by tracking the handwheel rotation, and providing the driver with a feeling of the steering effort. Compared with the traditional steering mechanism, the advantages of using SBW systems in road vehicles are improved overall steering performance, lower power consumption, and enhanced safety and comfort for the passengers. The architecture of an SBW system is depicted in Fig. 2. From the perspective of automotive application, it is obvious that the SBW system is a real-time control system, which contains the servo motor driving control and the communication control between various sensors and digital processors. It can be seen from Fig. 2 that the workflow of the SBW system is as follows: First, both the real-time handwheel angle and the front wheel steering angle signals are collected by the microcontroller unit (MCU) through controller area network (CAN) bus communication. Subsequently, the control voltage is calculated by the MCU according to the designed control algorithm. Then, it is converted into a pulse width modulation (PWM) signal as the driving command of the servo drive modules to drive the steering motor and the feedback motor, respectively.

Fig. 2 SBW system model (components shown: hand-wheel, hand-wheel angle sensor, hand-wheel feedback motor, servo drivers 1 and 2, CAN links, MCU, battery, steering motor, pinion angle sensor, rack and pinion, front wheels)

In order to further develop the controller of the SBW system, the corresponding dynamics of the plant can be described as the following second-order differential equation:

$$a\ddot{\delta}_f + b\dot{\delta}_f + \tau_{fa} + \tau_{ea} = u \tag{1}$$

where $a = J_{eq}/k_r$ and $b = B_{eq}/k_r$ are the equivalent inertia and damping coefficient of the SBW system including the front wheels and steering motor, respectively; $k_r$ is the scale factor accounting for the conversion from the steering motor input voltage to the steering angle of the front wheels via the pinion and rack system; $\delta_f$ is the front wheel steering angle; $\tau_{ea}$ is the self-aligning torque which is generated by the tire-cornering forces during turning; $\tau_{fa}$ is the Coulomb friction; $d$ denotes the bounded external disturbance acting on the SBW system; and $u$ is the front wheel steering motor (FSM) control torque. In addition, $\tau_{fa}$ is the Coulomb friction in the motor assembly and the steering system, which is defined as

$$\tau_{fa} = F_s\,\mathrm{sign}(\dot{\delta}_f) \tag{2}$$

where $F_s$ is the Coulomb friction constant and sign(·) denotes the standard signum function that is expressed as follows:

$$\mathrm{sign}(\dot{\delta}_f) = \begin{cases} 1, & \text{for } \dot{\delta}_f > 0 \\ 0, & \text{for } \dot{\delta}_f = 0 \\ -1, & \text{for } \dot{\delta}_f < 0 \end{cases} \tag{3}$$

Furthermore, we can obtain the approximate expression of $\tau_{ea}$, which is described through the linear bicycle model in Wang et al. (2014a) as follows:

$$\tau_{ea} = -\frac{C_f (l_c + l_p)}{k_r}\left(\upsilon + \frac{\gamma l_f}{V_x} - \delta_f\right) \tag{4}$$

where $C_f$ is the cornering stiffness of the front tire, $\upsilon$ is the vehicle body slip angle, $\gamma$ is the vehicle yaw rate, $l_f$ is the distance between the center of the front wheel and the center of gravity (CG) of the vehicle, $V_x$ is the vehicle longitudinal velocity, $l_c$ is the caster trail that represents the distance between the tire center and the point on the ground about which the tire pivots due to the wheel caster angle, and $l_p$ is the pneumatic trail describing the distance from the tire center to the point of application of the tire lateral force. However, the exact values of the above parameters are difficult to determine in practical applications. Even if accurate parameter values are obtained at a certain time, the parameters may also change with the operating conditions of the SBW system. Considering the parameter variations, we further express the parameters as follows:

$$a = a_0 + \Delta a \tag{5}$$

$$b = b_0 + \Delta b \tag{6}$$

$$\tau_{fa} = \tau_{fa0} + \Delta\tau_{fa} \tag{7}$$

$$\tau_{ea} = \tau_{ea0} + \Delta\tau_{ea} \tag{8}$$


where $a_0$ and $b_0$ are the nominal values of the system parameters, $\tau_{fa0}$ and $\tau_{ea0}$ are the nominal values of the system disturbances that can be identified by preliminary experiments, and $\Delta a$, $\Delta b$, $\Delta\tau_{fa}$, and $\Delta\tau_{ea}$ represent the unknown bounded parameter variations. In fact, $\tau_{ea0}$ is predefined as a known external tire self-aligning torque on the wet asphalt road. Meanwhile, we use $\Delta\tau_{ea}$ to denote the difference between the actual tire self-aligning torque and the predefined self-aligning torque for the wet asphalt road, because, when road conditions change dramatically, $C_f$ in (4) may change a lot at the same time. Thus, $\Delta\tau_{ea}$ is treated as the most significant disturbance torque. According to (2), (3), and (4), (1) can be rewritten as follows:

$$a_0\ddot{\delta}_f + b_0\dot{\delta}_f + \tau_{fa0} + \tau_{ea0} = u + \rho \tag{9}$$

where $\rho$ represents the lumped uncertainty, which is described as follows:

$$\rho = -\Delta a\,\ddot{\delta}_f - \Delta b\,\dot{\delta}_f - \Delta\tau_{fa} - \Delta\tau_{ea} \tag{10}$$

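According to (5), (6), (7), and (8), we can easily prove that the variations of the inertia $a$, the viscous damping $b$, and the disturbances $\tau_{fa}$ and $\tau_{ea}$ satisfy the following bounded properties, respectively,

$$|\Delta a| < \varsigma_0 \tag{11}$$

$$|\Delta b| < \varsigma_1 \tag{12}$$

$$|\Delta\tau_{fa}| < \varsigma_2 + \varsigma_3 |\dot{\delta}_f| \tag{13}$$

$$|\Delta\tau_{ea}| < \varsigma_4 + \varsigma_5 |\delta_f| \tag{14}$$

where $\varsigma_i$ ($i = 0, \ldots, 5$) are positive constants. Furthermore, using the expressions in (11), (12), (13), and (14), we can prove that the lumped uncertainty is upper bounded:

$$|\rho| < \bar{\rho} \tag{15}$$

with

$$\bar{\rho} = c_0 + c_1 |\delta_f| + c_2 |\dot{\delta}_f| \tag{16}$$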

where $c_0$, $c_1$, and $c_2$ are positive constants. In this section, the dynamic model of the SBW system is proposed for the purpose of designing the controller in the next section. Our control target in this chapter is to design control strategies for acquiring fast convergence characteristics, such that the front wheels are ensured to track the handwheel reference command with high precision against parameter uncertainties and road disturbances.

2.2 Controller Design

In this section, in order to achieve a fast convergence rate, accurate tracking, and robust performance, a few robust control strategies are proposed, which ensure that the front wheel steering angle of the closed-loop SBW system can closely track the handwheel reference angle in the presence of uncertainties and perturbations. First, the tracking error of the SBW system with respect to the desired handwheel angle $\theta_h$ is defined as:

$$e = \delta_f - \frac{\theta_h}{N_{hr}} = \delta_f - \theta_{hr} \tag{17}$$

where $N_{hr}$ denotes the ratio factor between the actual handwheel angle $\theta_h$ and the front wheel steering angle $\delta_f$. Considering the system model in (9), the error dynamics of the closed-loop SBW system can be obtained as follows:

$$\ddot{e} = \frac{u - b_0\dot{\delta}_f - \tau_{ea0} - \tau_{fa0}}{a_0} + \rho_{lum} - \ddot{\theta}_{hr} \tag{18}$$

where $\rho_{lum}$ is just a new expression of the lumped uncertainty and is defined as:

$$\rho_{lum} = \frac{\rho}{a_0} \tag{19}$$

Recently, a number of control strategies have been proposed to improve the steering performance of the SBW system. Proportional-integral-derivative (PID) control is widely used in industrial control systems, servo control systems, and other real-time control systems due to its simple structure and easy implementation. It is widely known that PID control is a linear control strategy with many superior control characteristics. However, the Coulomb friction and $\tau_{ea}$ become the predominant nonlinear effects underlying an SBW system. Thus, accurate position tracking is a challenging task for conventional linear control methods such as PID control, because of their limited robustness when nonlinearities are insufficiently compensated. Therefore, the partially known nonlinearities in the closed-loop SBW system must be suppressed to realize superb control performance when PID control is used for tracking the handwheel reference command with high precision. Partially known nonlinear uncertainties of nonlinear dynamic systems are tackled by feedforward control (FC) so that the influences of the lumped uncertainty can be alleviated and strong robustness against the nonlinearities can be achieved. The PID control with FC law is given as follows:

$$u_{PID} = K_P e + K_I \int_0^t e\,d\tau + K_D \dot{e} + \tau_{fa0} + \tau_{ea0} \tag{20}$$

where $K_P$, $K_I$, and $K_D$ are the proportional, integral, and derivative control gains, respectively. Conventional PID control with FC is much simpler to design than other intelligent control algorithms owing to its model-free characteristics. In addition, PID control performs better with respect to slowly varying disturbances, but when the external disturbance changes quickly and its amplitude changes significantly, the control performance degrades and the robustness is weaker. SMC has attractive advantages of robustness against nonsmooth nonlinearities, parameter variations, and external disturbances, and has been widely applied to various nonlinear systems. In order to apply the SMC technique to the subsequent control design, we adopt the following sliding surface:

$$s = \dot{e} + \lambda e \tag{21}$$

where $\lambda$ is a positive constant. The SMC strategy contains two components: the equivalent control law $u_{eq}$, derived without considering system uncertainties, and the reaching control law $u_{sw}$. The function of $u_{eq}$ is to keep the system state on the proposed sliding surface, and $u_{sw}$ is designed to compel the system states to reach the sliding surface by overcoming the system disturbance. In order to achieve better tracking performance of the SBW system, the control input $u_{SMC}$ can be designed as:

$$u_{SMC} = u_{eq} + u_{sw} \tag{22}$$

Based on the equivalent control of SMC (Wang et al. 2004), the derivative of (21) can be expressed as:

$$\dot{s} = \ddot{e} + \lambda\dot{e} = \frac{u - b_0\dot{\delta}_f - \tau_{ea0} - \tau_{fa0}}{a_0} - \ddot{\theta}_{hr} + \lambda\dot{e} \tag{23}$$

By letting $\dot{s} = 0$, we obtain the equivalent control law $u_{eq}$ without considering system uncertainties as follows:

$$u_{eq} = b_0\dot{\delta}_f + \tau_{ea0} + \tau_{fa0} + a_0\left(\ddot{\theta}_{hr} - \lambda\dot{e}\right) \tag{24}$$


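In order to further improve the tracking performance and the convergence rate of the error dynamics, the reaching law is selected as follows:

$$u_{sw} = -a_0\left(\mu_1\,\mathrm{sign}(s) + \mu_2 s\right) \tag{25}$$

where $\mu_1$ and $\mu_2$ are two positive control gains, and $\mu_1$ is generally chosen as a value larger than the upper bound of the lumped uncertainty $\rho$. The reaching law gain $\mu_2$ should be carefully selected to achieve a compromise between fast convergence rate and chattering reduction, since the larger the reaching law gain is, the better the robustness is, but too large a value may affect the stability of the system. Considering the closed-loop error convergence analysis, we now propose the following theorem.

Theorem 1 For the SBW system (1) with the error dynamics (18), if the control law is chosen as (22), the asymptotic convergence of the state error can be ensured.

Proof: To demonstrate the stability of the designed controller, a Lyapunov function is designed as:

$$V = \frac{1}{2}s^2 \tag{26}$$

Evaluating the time derivative of $V$, we can obtain the following equation:

$$\begin{aligned}
\dot{V} &= s\dot{s} \\
&= s\left(\frac{u - b_0\dot{\delta}_f - \tau_{ea0} - \tau_{fa0}}{a_0} + \rho_{lum} - \ddot{\theta}_{hr} + \lambda\dot{e}\right) \\
&= s\left(\frac{1}{a_0}u - \frac{b_0}{a_0}\dot{\delta}_f - \frac{1}{a_0}\tau_{ea0} - \frac{1}{a_0}\tau_{fa0} + \rho_{lum} - \ddot{\theta}_{hr} + \lambda\dot{e}\right) \\
&= s\left(\frac{1}{a_0}\left(u_{eq} + u_{sw}\right) - \frac{b_0}{a_0}\dot{\delta}_f - \frac{1}{a_0}\tau_{ea0} - \frac{1}{a_0}\tau_{fa0} + \rho_{lum} - \ddot{\theta}_{hr} + \lambda\dot{e}\right)
\end{aligned} \tag{27}$$

Substituting (24) and (25) into (27), we obtain

$$\begin{aligned}
\dot{V} &= s\left(\frac{1}{a_0}\left[b_0\dot{\delta}_f + \tau_{ea0} + \tau_{fa0} + a_0\left(\ddot{\theta}_{hr} - \lambda\dot{e}\right) - a_0\left(\mu_1\,\mathrm{sign}(s) + \mu_2 s\right)\right] - \frac{b_0}{a_0}\dot{\delta}_f - \frac{1}{a_0}\tau_{ea0} - \frac{1}{a_0}\tau_{fa0} + \rho_{lum} - \ddot{\theta}_{hr} + \lambda\dot{e}\right) \\
&= s\left(\rho_{lum} - \mu_1\,\mathrm{sign}(s) - \mu_2 s\right) \\
&= -\mu_1|s| - \mu_2 s^2 + s\rho_{lum} \\
&\le -\mu_1|s| - \mu_2 s^2 + |s||\rho_{lum}| \\
&\le -|s|\left(\mu_1 - |\rho_{lum}|\right) - \mu_2 s^2
\end{aligned} \tag{28}$$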


Assume that the switching gain $\mu_1$ is chosen to satisfy the following condition

$$\mu_1 > |\rho_{lum}| + \sigma_1 \tag{29}$$

where $\sigma_1 > 0$ is an arbitrary positive constant. Then, (28) can be rewritten as follows:

$$\dot{V} \le -\mu_2 s^2 - \sigma_1|s| \le -2\mu_2 V - \sigma_1\sqrt{2V} \tag{30}$$

The inequality (30) demonstrates that the sliding variable $s$ converges to the SM surface $s = 0$ in finite time (Khalil 2002). Thus, on the SM surface, the closed-loop error dynamics will enjoy asymptotic convergence, and the front wheel steering angle of the SBW system can reach its desired values. This completes the proof.

We have spent a lot of time and effort above analyzing the design of the sliding mode control algorithm, but in practice it is only one of many real-time control steps. A real-time control system is mainly composed of hardware and software, and the controller design belongs to the software part. The hardware part mainly includes the power supply, sensors for state acquisition, the microcontroller unit (MCU), the actuator driver, and the actuator. A real-time control system with perfect performance must be the result of efficient integration and collaborative work between software and hardware. In order to further develop the design method of real-time control systems, some representative experimental steps are summarized as follows:

Step 1: The necessary state information is collected by sensors and transmitted to the MCU. In this example, the main state information includes the input angle information of the handwheel, the front wheel steering signal, and so on.
Step 2: The MCU calculates the error and its derivative based on the sensor information obtained.
Step 3: The MCU calculates the sliding mode variable $s$ based on the error information.
Step 4: The MCU calculates the control torque $u$ according to the designed sliding mode control algorithm.
Step 5: The MCU converts $u$ into the corresponding signal for the actuator driver.
Step 6: The actuator driver converts the signal from the MCU into the corresponding voltage signal and outputs it to the actuator. In this example, the actuator is the steering motor.
Step 7: Go back to Step 1 and continue the loop.

Remark 1: It is important to isolate the system control circuitry from the power supply of the actuator. The reason is that the actuator generally needs a large drive current, while the MCU only needs a small current under normal working conditions. The actuator driver generates the corresponding voltage and current to drive the actuator according to the drive signal output by the MCU. Therefore, the actuator driver must possess superior power isolation ability to ensure the safety and reliability of the system.


Remark 2: It is very important to select the appropriate communication protocol when more than one sensor is used. Since the number of MCU communication interfaces is limited, when the number of sensors is increased, only an appropriate communication protocol can ensure normal communication between all sensors and the controller. In fact, the CAN bus is widely used in industrial control due to its fast communication speed, high reliability, and simple line connection, and it is adopted in the SBW system of this chapter.

Remark 3: A necessary emergency stop action should be set so that the system can stop running immediately, which protects the device when a fault occurs. The practical system will have various unpredictable faults during the debugging process, so it is necessary for the real-time control system to possess some simple fault judgment functions to reduce unnecessary loss to the system.

2.3 Simulation Results

In this section, numerical simulations are carried out and a detailed analysis is given to illustrate the effectiveness of the SMC scheme. The control laws of the PID control and the SMC are given in (20) and (22), respectively. The nominal system parameters of the SBW system in (9) are $a_0 = 0.064$, $b_0 = 0.16$, $F_{sa} = 3.04$, and $\tau_{ea0} = -4.5068$, which are obtained from preliminary system identification experiments. The control parameters of the proposed PID control are $K_P = -1100$, $K_I = -1$, and $K_D = -30$. The control parameters of the SMC are chosen as $\lambda = 30$, $\mu_1 = 200$, and $\mu_2 = 0.1$. For quantifying the tracking result, the root-mean-squared error (RMSE) and maximum error (MAE) of the output tracking error are defined as

$$\mathrm{RMSE}(e) = \sqrt{\frac{1}{\tilde{M}}\sum_{i=1}^{\tilde{M}} e^2} \tag{31}$$

$$\mathrm{MAE}(e) = \mathrm{maximum}\,(|e|) \tag{32}$$

where $\tilde{M}$ is the total number of sampled error data.

2.3.1 Sinusoidal Motion Tracking (Test A)

In order to further compare the characteristics of different control algorithms, the unified simulation environment is assumed as follows:
• Three different road conditions (icy, wet asphalt, and dry asphalt road) are set in the first 10 s, the middle 10 s, and the last 10 s, respectively.
• The vehicle maintains a fixed speed of 20 m/s.
• The input torque of the driver is a sinusoidal signal with $\theta_{hr} = 0.8\sin(0.5\pi t)$.


In order to evaluate the robustness of the system, the lumped uncertainty of the system in the simulation is represented by the function $d = 0.1\sin(0.5\pi t + 6)$. Furthermore, according to (4), the value of $\tau_{ea}$ varies greatly with the change of road conditions. Therefore, the final disturbance signal of the system is the superposition of the external disturbance $d$ and $\tau_{ea}$. We can see that the amplitude of $d$ is only 0.1, and the maximum range of $\tau_{ea}$ can reach about 1.5 with the change of road conditions in the simulation process, so the amplitude of the disturbance signal of the system is mainly determined by $\tau_{ea}$. The tracking performance of PID control with FC using the control input in (20) is shown in Fig. 3. It can be seen from Fig. 3a, b that a large-amplitude steady-state error exists in the PID control under different road conditions. However, in the period 11 s ∼ 20 s of PID control in Fig. 3b, it can be observed that almost no steady-state error exists. The reason is that the value of $\tau_{ea}$ becomes zero in theory, since the actual road condition coincides with the predefined road condition. This indicates that PID has limited disturbance rejection capability and can only eliminate part of the external perturbation by means of FC.

Fig. 3 Control performance of the PID control strategy with sinusoidal signal: (a) steering angle; (b) tracking error; and (c) control torque

The steering performance of the SMC controller with the periodic sinusoidal signal is shown in Fig. 4a, b, while the associated control input is depicted in Fig. 4c. It can be clearly seen that the SMC controller in Fig. 4a has a better steering performance than the PID control in Fig. 3a, which means stronger robustness when SMC is used. However, it is difficult to implement in practical industrial applications because of the existence of high-frequency chattering. The reason is that the switching gain of the SMC reaching law should usually be larger than the upper bound of the lumped uncertainty to suppress its effects, which brings serious control chattering. In fact, the switching gain $\mu_1$ should be carefully selected to achieve a compromise between fast convergence rate and chattering reduction, since the larger the reaching law gain is, the better the robustness is, but also the larger the chattering. To solve this problem, the boundary layer method is used, which is a common method in sliding mode control design. The chattering phenomenon is alleviated by replacing sign(s) with the saturation function, which is highly preferable for practical automobile applications. The saturation function is expressed as

Fig. 4 Control performance of the SMC with sinusoidal signal: (a) steering angle; (b) tracking error; (c) control torque; and (d) sliding variable

$$\mathrm{sat}(s) = \begin{cases} s/\eta & \text{for } |s| < \eta \\ \mathrm{sign}(s) & \text{for } |s| \ge \eta \end{cases} \tag{33}$$

where $\eta$ is a positive constant and is chosen as $\eta = 5$ in this example. The saturation function alleviates the chattering phenomenon in the control signal caused by the sign function. At the same time, the positive boundary layer constant $\eta$ should be appropriately selected to ensure acceptable chattering and a satisfactory tracking performance. Note that although zero error convergence cannot be maintained, as long as the constant $\eta$ is properly chosen via a trial-and-error method, an acceptable tracking performance and control-chattering alleviation will still be obtained to meet the practical requirements. Figure 5a, d show the tracking results of the SMC controller utilizing the saturation function. The steering performance of the SMC strategy is shown in Fig. 5a, b, while the associated control input is depicted in Fig. 5c. Compared to Fig. 4, the chattering phenomenon of the control input and sliding variable in Fig. 5 is greatly improved, even eliminated, due to the use of the saturation function and the selection of appropriate boundary layer parameters. In addition, compared to PID control, there is a smaller steady-state error and stronger robustness. In the period 11 s ∼ 20 s of SMC in Fig. 5b, it can be seen that there is almost no steady-state error. The reason is that the value of $\tau_{ea}$ becomes zero, since the actual road condition coincides with the predefined road condition. In the first 10 s and the last 10 s in Fig. 5b, the system can still maintain small stability errors even if there are large external disturbances. Of course, these small stability errors can be tolerated for practical applications. It can be concluded that the SMC possesses stronger robustness than the PID control in the presence of parameter uncertainties and external perturbations.

Fig. 5 Control performance of the SMC (sat function applied) with sinusoidal signal: (a) steering angle; (b) tracking error; (c) control torque; and (d) sliding variable
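The loop of Steps 1 to 7 and the sign-versus-saturation trade-off of Test A, as an added example that is not code from the handbook: it uses the nominal parameters and gains quoted in Sect. 2.3, and assumes a 1 kHz control period, noise-free angle and rate measurements, a plant with nominal inertia and damping, and a constructed self-aligning torque deviation of +1.5, 0 and -1.5 for the icy, wet and dry segments.

```python
import math

# Nominal SBW parameters and SMC gains quoted in Sect. 2.3 of the text.
A0, B0, FS, TAU_EA0 = 0.064, 0.16, 3.04, -4.5068
LAM, MU1, MU2, ETA = 30.0, 200.0, 0.1, 5.0
DT, T_END = 1e-3, 30.0  # assumed: 1 kHz control period, 30 s run


def sign(x):
    """Signum function as in (3): returns 1, 0 or -1."""
    return (x > 0) - (x < 0)


def sat(s, eta=ETA):
    """Boundary-layer saturation function (33)."""
    return s / eta if abs(s) < eta else float(sign(s))


def reference(t):
    """Handwheel reference 0.8 sin(0.5 pi t) and its first two derivatives."""
    w = 0.5 * math.pi
    return (0.8 * math.sin(w * t),
            0.8 * w * math.cos(w * t),
            -0.8 * w * w * math.sin(w * t))


def lumped_uncertainty(t):
    """Constructed rho(t): d(t) from the text minus an assumed self-aligning
    torque deviation of +1.5 (icy), 0 (wet asphalt) and -1.5 (dry asphalt)."""
    d = 0.1 * math.sin(0.5 * math.pi * t + 6.0)
    delta_tau_ea = 1.5 if t < 10.0 else (0.0 if t < 20.0 else -1.5)
    return d - delta_tau_ea


def smc_torque(delta, delta_dot, t, switch):
    """Steps 2-4 of the loop: error, sliding variable (21), torque (22)."""
    theta, theta_dot, theta_ddot = reference(t)
    e, e_dot = delta - theta, delta_dot - theta_dot
    s = e_dot + LAM * e
    tau_fa0 = FS * sign(delta_dot)  # nominal Coulomb friction (2)
    u_eq = (B0 * delta_dot + TAU_EA0 + tau_fa0
            + A0 * (theta_ddot - LAM * e_dot))          # equivalent law (24)
    u_sw = -A0 * (MU1 * switch(s) + MU2 * s)            # reaching law (25)
    return u_eq + u_sw, e


def rmse(errors):
    """Root-mean-squared error (31)."""
    return math.sqrt(sum(e * e for e in errors) / len(errors))


def run(switch):
    """Run the sample-compute-actuate loop against the plant model (9).
    `switch` is sign (law (25) as written) or sat (boundary layer)."""
    delta = delta_dot = 0.0
    errors, torques = [], []
    for k in range(int(round(T_END / DT))):
        t = k * DT
        # Step 1: angle and rate are assumed to be measured without noise.
        u, e = smc_torque(delta, delta_dot, t, switch)
        errors.append(e)
        torques.append(u)
        # Steps 5-6: apply u to the plant (9) and integrate one period.
        delta_ddot = (u + lumped_uncertainty(t) - B0 * delta_dot
                      - FS * sign(delta_dot) - TAU_EA0) / A0
        delta_dot += DT * delta_ddot
        delta += DT * delta_dot
    n_seg = int(round(10.0 / DT))
    jumps = [abs(b - a) for a, b in zip(torques, torques[1:])]
    return {
        "rmse": rmse(errors),
        "mae": max(abs(e) for e in errors),             # maximum error (32)
        "rmse_icy": rmse(errors[:n_seg]),
        "rmse_wet": rmse(errors[n_seg:2 * n_seg]),
        "chatter": sum(jumps) / len(jumps),             # mean |u_k - u_(k-1)|
    }


if __name__ == "__main__":
    for name, switch in (("sign", sign), ("sat", sat)):
        result = run(switch)
        print(name, {key: round(val, 5) for key, val in result.items()})
```

Under these assumptions the sign law holds the error near zero but switches the torque almost every sample, while the saturation law gives a smooth torque and leaves a residual error that vanishes only on the wet segment, where the nominal self-aligning torque matches the plant.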

2.3.2 Trapezoid Motion Tracking (Test B)

Furthermore, in order to illustrate the uncertainty rejection ability and robustness of the proposed control strategies, a trapezoidal signal is used for comparison purposes. The trapezoidal signal corresponds to the most common action during driving, namely avoiding obstacles on the road: one changes direction immediately when obstacles occur on the road and then turns back while passing them. Similarly, the unified simulation environment is assumed as follows:
• The vehicle is driving under the wet asphalt condition.
• The lumped uncertainty is replaced by the function $d = 0.1\sin(0.5\pi t + 6)$.
• The input torque of the driver is a trapezoidal signal.

Figures 6 and 7 show the performance of the SBW system using the PID and SMC strategies with respect to the trapezoidal input signal. Since it is difficult to imitate the real experimental environment in the simulation, we assume that only 80% of the known dynamics can be compensated by the feedforward control, and the remaining 20% are regarded as unmodeled dynamics and measurement noise. This was not considered in the sinusoidal simulations above, because the large change in road conditions there leads to a great change in the external disturbance $\tau_{ea}$. However, the trapezoidal simulations are carried out under wet asphalt conditions all the time. It is obvious that there is a clear distinction in the simulation results with different control strategies. The steering performance of the SMC shown in Fig. 7 is superior to that of the PID control shown in Fig. 6, in terms of both fast tracking speed and high tracking accuracy. From the simulation results in Fig. 7b, there is almost no steady-state error in the SMC strategy. However, in the time period of 5–20 s in Fig. 6b, a small steady-state error always occurs for the PID control strategy. The reason is that FC-based PID control strategies can eliminate the partially known nonlinear dynamics, but there are still some unknown system uncertainties, including external disturbances, unmodeled system dynamics, and measurement noise, that cannot be eliminated owing to the limited robustness of PID control strategies. Furthermore, SMC achieves a superior performance with a smaller error bound (EB), i.e., RMSE(e) = 0.0033, while the PID control has an EB of 0.03 rad; these are around 0.33% and 3% of the reference amplitude, respectively. In addition, PID control exhibits oscillations in the output tracking when the lumped uncertainty is added, while the SMC still maintains a consistently stable and robust steering performance against the lumped uncertainty. Therefore, the simulation results show that SMC strategies possess strong disturbance suppression ability and stronger robustness compared with PID control strategies.

Fig. 6 Control performance of the PID control with trapezoid signal: (a) steering angle; (b) tracking error; and (c) control torque

2.4 Summary

In this part, the PID control and the SMC strategy are designed for the SBW real-time control system. It has been seen that asymptotic error convergence and strong robustness can be obtained by using the SMC. The simulations with two different operating scenarios have been carried out to demonstrate the excellent control performance of the SMC scheme.

Fig. 7 Control performance of the SMC (sat function applied) with trapezoid signal: (a) steering angle; (b) tracking error; (c) control torque; and (d) sliding variable

3 Electronic Throttle (ET) System with NTSMC

3.1 Introduction of ET System

Electronic throttle (ET) systems have been widely used in automobile engine control; the main feature of an ET system is to replace the mechanical connection between the valve plate and the accelerator pedal with a wire (Aono and Kowatari 2006). In traditional engine throttle systems, due to the rigid connection, the throttle opening angle is only controlled by the driver's behavior. As a result, the internal fuel efficiency and the external road conditions cannot be fully considered. Consequently, the overall engine efficiency is greatly affected. The introduction of ET systems overcomes the abovementioned drawbacks: an ET system can simultaneously regulate the engine charge air and fuel, which results in precise air-to-fuel ratio control, particularly for transient engine working conditions. The utilization of the ET not only reduces the fuel consumption and gas emission, but also significantly improves the automobile drivability. The architecture of an ET control system is shown in Fig. 8. It is clearly seen that the ET system comprises an accelerator pedal, an electronic throttle body, and a microcontroller unit (MCU). The electronic throttle body consists of a DC motor which is powered by the bipolar chopper, a gearbox, a valve plate, a position sensor, and a dual return spring. All throttle components are assembled in a compact body.

Fig. 8 ET system model (components shown: car battery, accelerator pedal, pedal position sensor, MCU, and the electronic throttle body with motor M, gearbox, throttle valve, return spring, and position sensor)

The workflow of the ET control system is that the reference command is first sampled from the sensor of the accelerator pedal, and at the same time the actual throttle opening is sampled by the position sensor of the throttle valve. Both the reference and actual throttle opening angles are sent to the MCU in the Engine Management System for the purpose of calculating the appropriate air-fuel mixture to be fed into the engine. The control voltage provided by the MCU powers the DC motor, generating the rotational torque. Consequently, the actual throttle opening tracks the reference command through the reduction gear set. Generally, the ET system is modeled as an integrated second-order dynamic system. A detailed ET system model has been developed in Wang et al. (2016b), which can be expressed as follows:

$$J_{eq}\ddot{\theta}_t + B_{eq}\dot{\theta}_t + T_{f,sp} - T_d = bu \tag{34}$$

where

$$J_{eq} = N^2 J_m + J_t \tag{35}$$

$$B_{eq} = N^2 B_m + B_t + \frac{k_t k_e}{R}N^2 \tag{36}$$

$$T_{f,sp} = T_f + T_{sp} = F_s\,\mathrm{sign}(\dot{\theta}_t) + T_{LH}\,\mathrm{sign}(\theta_t - \theta_0) + k_{sp}(\theta_t - \theta_0) \tag{37}$$

$$T_d = d(T_m) - T_L \tag{38}$$

$$b = \frac{N k_t}{R} \tag{39}$$


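where $d(T_m)$ is a bounded nonlinear function of $T_m$, with $T_m$ being the input torque of the gear set, and sign(·) represents the standard signum function. In the practical scenario, parameter uncertainties are inevitable. However, due to the constraints of the mechanism, it is reasonable to assume they are bounded. Taking their upper bounds into consideration, we have:

$$|\Delta J_{eq}| = |J_{eq} - J_{eq0}| \le \bar{J}_{eq} \tag{40}$$

$$|\Delta B_{eq}| = |B_{eq} - B_{eq0}| \le \bar{B}_{eq} \tag{41}$$

$$|\Delta F_s| = |F_s - F_{s0}| \le \bar{F}_s \tag{42}$$

$$|\Delta T_{LH}| = |T_{LH} - T_{LH0}| \le \bar{T}_{LH} \tag{43}$$

$$|\Delta k_{sp}| = |k_{sp} - k_{sp0}| \le \bar{k}_{sp} \tag{44}$$

$$|\Delta b| = |b - b_0| \le \bar{b} \tag{45}$$

$$|T_d| \le \bar{T}_D \tag{46}$$

where $J_{eq0}$, $B_{eq0}$, $F_{s0}$, $T_{LH0}$, $k_{sp0}$, and $b_0$ denote the nominal parameters of the ET system model, and $\bar{J}_{eq}$, $\bar{B}_{eq}$, $\bar{F}_s$, $\bar{T}_{LH}$, $\bar{k}_{sp}$, $\bar{b}$, and $\bar{T}_D$ are the upper bounds of the uncertain parameters. Furthermore, for ease of control design, the ET control system model (34) can be rewritten as:

$$\ddot{\theta}_t = \frac{b_0 u - B_{eq0}\dot{\theta}_t - T_{f,sp0}}{J_{eq0}} - d_{lump} \tag{47}$$

where

$$T_{f,sp0} = F_{s0}\,\mathrm{sign}(\dot{\theta}_t) + T_{LH0}\,\mathrm{sign}(\theta_t - \theta_0) + k_{sp0}(\theta_t - \theta_0) \tag{48}$$

with $\theta_0 = 12^\circ$. $d_{lump}$ is the lumped uncertainty combining all the system uncertainties, which is described as follows:

$$d_{lump} = \left(\Delta J_{eq}\ddot{\theta}_t + \Delta B_{eq}\dot{\theta}_t + \Delta F_s\,\mathrm{sign}(\dot{\theta}_t) - \Delta b\,u - T_d + \Delta T_{LH}\,\mathrm{sign}(\theta_t - \theta_0) + \Delta k_{sp}(\theta_t - \theta_0)\right)/J_{eq0} \tag{49}$$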

As has been proved in Wang et al. (2014a), provided that the closed-loop control signal $u$ is upper bounded by the following polynomial function:

$$|u| < l_0 + l_1|\theta_t| + l_2|\dot{\theta}_t| \tag{50}$$

where both $\theta_t$ and $\dot{\theta}_t$ are upper bounded, then the lumped uncertainty can be upper bounded as

$$|d_{lump}| < \bar{\rho} = f_0 + f_1|\theta_t| + f_2|\dot{\theta}_t| \tag{51}$$

where $l_i$ and $f_i$ ($i = 0, 1, 2$) are all positive constants.

3.2 Controller Design

In this section, an NTSM controller for the purpose of enabling the ET system's opening angle to closely track the reference command will be designed in detail. First, the error between the actual throttle opening $\theta_t$ and the reference command $\theta_d$ is defined as follows:

$$e = \theta_t - \theta_d \tag{52}$$

Considering the system model in (47), the error dynamic of the ET system can be obtained as follows:

$$\ddot{e} = \frac{b_0 u - B_{eq0}\dot{\theta}_t - T_{f,sp0}}{J_{eq0}} + d_{lump} - \ddot{\theta}_d \tag{53}$$

Next, an NTSM variable (Yu et al. 2005) is given as:

$$s_n = e + k|\dot{e}|^{\xi}\,\mathrm{sign}(\dot{e}) \tag{54}$$

where k is a positive switching gain and 1 < ξ < 2 is the parameter of the TSM surface determining the convergence rate of the system error state. Similar to Sect. 2.2, the NTSM controller is comprised of two components: the switching control law $u_{nsw}$ and the equivalent control law $u_{neq}$, namely:

$$u_{NTSMC} = u_{neq} + u_{nsw} \tag{55}$$

The time derivative of (54) can be described as:

$$\dot{s}_n = \dot{e} + k\xi|\dot{e}|^{\xi-1}\ddot{e} = \dot{e} + k\xi|\dot{e}|^{\xi-1}\left(\frac{b_0 u - B_{eq0}\dot{\theta}_t - T_{f,sp0}}{J_{eq0}} - \ddot{\theta}_d\right) \tag{56}$$


By letting $\dot{s}_n = 0$, we have the equivalent control law $u_{neq}$ as:

$$u_{neq} = -\frac{J_{eq0}}{b_0 k\xi}|\dot{e}|^{2-\xi}\,\mathrm{sign}(\dot{e}) + \frac{B_{eq0}}{b_0}\dot{\theta}_t + \frac{T_{f,sp0}}{b_0} + \frac{J_{eq0}}{b_0}\ddot{\theta}_d \tag{57}$$

The similar switching control law chosen in (25) is given as:

$$u_{nsw} = -\frac{J_{eq0}}{b_0}\left(\mu_3\,\mathrm{sign}(s_n) + \mu_4 s_n\right) \tag{58}$$

where $\mu_3$ and $\mu_4$ are two positive control gains that obey the selection criteria of (25) and $\mu_3$ is generally chosen larger than the upper bound of uncertainty.

Theorem 2: For the ET system (34) with the error dynamics (53), if the control law is chosen as (55), then the closed-loop error dynamics will reach sliding mode $s_n = 0$ in finite time. Thereafter, the zero-convergence of state error can be ensured along $s_n = 0$ within finite time.

Proof: Considering the Lyapunov function candidate

$$V = \frac{1}{2}s_n^2 \tag{59}$$

And the first-order derivative of V can be obtained as:

$$\begin{aligned}
\dot{V} &= s_n\dot{s}_n \\
&= s_n\left[\dot{e} + k\xi|\dot{e}|^{\xi-1}\left(\frac{b_0 u_{NTSMC} - B_{eq0}\dot{\theta}_t - T_{f,sp0}}{J_{eq0}} + d_{lump} - \ddot{\theta}_d\right)\right] \\
&= s_n\left[\frac{b_0 k\xi|\dot{e}|^{\xi-1}}{J_{eq0}}u_{NTSMC} - \frac{B_{eq0}k\xi|\dot{e}|^{\xi-1}}{J_{eq0}}\dot{\theta}_t - \frac{k\xi|\dot{e}|^{\xi-1}}{J_{eq0}}T_{f,sp0} + k\xi|\dot{e}|^{\xi-1}d_{lump} - k\xi|\dot{e}|^{\xi-1}\ddot{\theta}_d + \dot{e}\right] \\
&= s_n\left[\frac{b_0 k\xi|\dot{e}|^{\xi-1}}{J_{eq0}}\left(u_{neq} + u_{nsw}\right) - \frac{B_{eq0}k\xi|\dot{e}|^{\xi-1}}{J_{eq0}}\dot{\theta}_t - \frac{k\xi|\dot{e}|^{\xi-1}}{J_{eq0}}T_{f,sp0} + k\xi|\dot{e}|^{\xi-1}d_{lump} - k\xi|\dot{e}|^{\xi-1}\ddot{\theta}_d + \dot{e}\right]
\end{aligned} \tag{60}$$


Substituting (57) and (58) into (60), we have:

$$\begin{aligned}
\dot{V} &= k\xi|\dot{e}|^{\xi-1}s_n\left(d_{lump} - \mu_3\,\mathrm{sign}(s_n) - \mu_4 s_n\right) \\
&= k\xi|\dot{e}|^{\xi-1}\left(-\mu_3|s_n| - \mu_4 s_n^2 + s_n d_{lump}\right) \\
&\le k\xi|\dot{e}|^{\xi-1}\left(-\mu_3|s_n| - \mu_4 s_n^2 + |s_n||d_{lump}|\right) \\
&\le -k\xi|\dot{e}|^{\xi-1}|s_n|\left(\mu_3 - |d_{lump}|\right) - \mu_4 s_n^2 \quad \text{for } |\dot{e}| \ne 0
\end{aligned} \tag{61}$$

Similarly, if the desired switching gain $\mu_3$ is chosen to satisfy the following condition

$$\mu_3 > |d_{lump}| + \sigma_2 \tag{62}$$

where $\sigma_2 > 0$ is an arbitrary constant, (61) can be rewritten as:

$$\dot{V} \le -\mu_4 s_n^2 - \sigma_2|s_n| \le -2\mu_4 V - \sigma_2\sqrt{2V} \tag{63}$$

Inequality (63) demonstrates that the sliding variable $s_n$ converges to zero in finite time. For $|\dot{e}| = 0$, we can prove that it is not an attractor in the reaching phase. Note that

$$\ddot{e} = -\frac{1}{k\xi}|\dot{e}|^{2-\xi}\,\mathrm{sign}(\dot{e}) + d_{lump} - \mu_3\,\mathrm{sign}(s_n) - \mu_4 s_n \tag{64}$$

Under the condition $|\dot{e}| = 0$ and $s_n \ne 0$, it follows that:

$$\ddot{e} = d_{lump} - \mu_3\,\mathrm{sign}(s_n) - \mu_4 s_n \ne 0 \tag{65}$$

which means that $|\dot{e}| = 0$ is not an attractor in the reaching phase. Therefore, it is clear to see that the NTSM $s_n = 0$ can be reached from any condition, such that the finite-time stability of the error dynamic (53) can be achieved. Thereafter, the throttle reference command can be tracked closely in finite time. This completes the proof.

3.3 Simulation Results

In this section, a series of simulations are carried out in comparison with the traditional SMC control. The nominal parameters of ET system in (47) are b0 = 0.24, Beq0 = 0.15, Jeq0 = 0.0035, Fs0 = 0.089, and TLH0 = 0.3193. The control parameters of NTSMC are k = 0.2, ξ = 1.4, μ3 = 200, and μ4 = 0.02. And for eliminating the chattering, the saturation function is also applied to replace the signum function in (55) with the corresponding parameter being η1 = 0.1.


Taking the practical scenario into consideration, two cases are selected as follows:

Case 1: A sinusoidal reference signal with $\theta_d = 0.5 + 0.3\sin(2\pi t)$.

Case 2: A sequence of step reference signals with amplitudes 0.3 rad, 0.8 rad, and 1.4 rad, followed by a large amplitude from 1.4 rad to 0 rad and vice versa.

The lumped uncertainty in the simulation is constructed as $d_{lump} = 0.15\sin(2t)$, which is added in both case 1 and 2. Following the design method from Section 2.2, a conventional SMC can be given as:

$$s_1 = \dot{e} + \lambda_2 e \tag{66}$$

$$u_{SMC1} = \frac{B_{eq0}}{b_0}\dot{\theta}_t - \frac{J_{eq0}}{b_0}\ddot{\theta}_d - \frac{T_{f,sp0}}{b_0} + \frac{J_{eq0}}{b_0}\dot{e} - \frac{J_{eq0}}{b_0}\mu_5\,\mathrm{sat}(s_1) - \frac{J_{eq0}}{b_0}\mu_6 s_1 \tag{67}$$

where the corresponding parameters are selected as: $\lambda_2 = 2$, $\mu_5 = 200$, and $\mu_6 = 0.02$. The boundary layer parameter is selected the same as NTSMC. Figures 9 and 10 show the simulation results in case 1 for SMC and NTSMC. It is clearly seen that the tracking performance of the NTSMC is superior to that of the SMC. Although both the SMC and NTSMC achieve nearly zero steady-state error as shown in Figs. 9a, b and 10a, b with the similar control signal as shown in Figs. 9c and 10c, the settling time of NTSMC is around 0.5 s, which is 65% less than that of SMC with settling time around 1.4 s. As can be seen from Figs. 9d and 10d, the sliding variables of both SMC and NTSMC enjoy a fast convergence rate due to the large switching gain selected in (58). However, due to the TSM applied in NTSMC, which can obtain a fast error states convergence in the sliding mode, the finite-time zero convergence of system state error can be guaranteed, while the linear sliding mode designed in SMC can only guarantee an asymptotic convergence property. Figures 11 and 12 show the simulation results in case 2 for SMC and NTSMC. It can be seen from Figs. 11a, b and 12a, b that although both the SMC and NTSMC are capable of tracking the reference command closely with almost zero steady-state error, the EB for the NTSMC is around 0.206 rad, which is 20% less than that of the SMC with EB being 0.258 rad. For the transient performance, it is also illustrated that the NTSMC significantly outperforms the SMC. There is no overshoot in both NTSMC and SMC. In the periods 1 s ∼ 13 s, where the step reference signals with small amplitude are given in sequence, the settling time is around 0.50 s for the NTSMC, which is 63% less than that of the SMC with settling time being 1.37 s. In the periods 13 s ∼ 25 s, where the reference command rises (falls) with full range of opening angle, the settling time is 0.83 s for the NTSMC, which is 57% less than that of the SMC with the settling time being 1.93 s. The reasons for this discrepancy of the response time have been described in case 1. More specifically, in the TSM motion, the convergence time is $T_{NTSM} = \frac{k^{1/\xi}\cdot|e(0)|^{1-1/\xi}}{1-1/\xi}$, while that of LSM is $t_{LSM} = e(0)\exp(-\lambda_2 t)$. Thus, with elaborate tuning process, the fast convergence time can be guaranteed in the NTSM. Besides the convergence time, NTSMC can also bring less control voltage as shown in Figs. 11d and 12d due to the smoother sliding mode variable as shown in Figs. 11c and 12c.

Fig. 9 Control performance of the SMC in case 1: (a) throttle opening angle; (b) tracking error; (c) control voltage; and (d) sliding variable

Fig. 10 Control performance of the NTSMC in case 1: (a) throttle opening angle; (b) tracking error; (c) control voltage; and (d) sliding variable

Fig. 11 Control performance of the SMC in case 2: (a) throttle opening angle; (b) tracking error; (c) control voltage; and (d) sliding variable

Fig. 12 Control performance of the NTSMC in case 2: (a) throttle opening angle; (b) tracking error; (c) control voltage; and (d) sliding variable
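The case 1 comparison can be reproduced with a short closed-loop simulation. The code below is an added example, not the authors' simulation code: it integrates the nominal model (47) with d_lump = 0.15 sin(2t) under the NTSMC law of (54), (57), and (58), and under a linear-surface baseline whose equivalent control is derived here from (66) by setting the surface derivative to zero rather than transcribed from (67). The value of k_sp0, the initial state, the sat(s/η) form of the boundary layer, and the 0.01 rad settling band are assumptions.

```python
import math

# Nominal ET parameters and controller gains quoted in the simulation section.
B0, BEQ0, JEQ0, FS0, TLH0 = 0.24, 0.15, 0.0035, 0.089, 0.3193
K, XI, MU3, MU4 = 0.2, 1.4, 200.0, 0.02   # NTSMC, Eqs. (54) and (58)
LAMBDA2, MU5, MU6 = 2.0, 200.0, 0.02      # linear-surface SMC, Eq. (66)
ETA = 0.1                                 # boundary-layer parameter
THETA0 = math.radians(12.0)               # theta_0 = 12 degrees
KSP0 = 0.087                              # ASSUMPTION: k_sp0 is not listed on the page


def sign(x):
    return (x > 0) - (x < 0)


def sat(s):
    """Saturation used in place of sign(s); ASSUMED form sat(s/eta)."""
    return max(-1.0, min(1.0, s / ETA))


def reference(t):
    """Case 1 reference 0.5 + 0.3 sin(2*pi*t) and its first two derivatives."""
    w = 2.0 * math.pi
    return (0.5 + 0.3 * math.sin(w * t),
            0.3 * w * math.cos(w * t),
            -0.3 * w * w * math.sin(w * t))


def t_fsp0(theta, omega):
    """Nominal friction and spring torque, Eq. (48)."""
    return (FS0 * sign(omega) + TLH0 * sign(theta - THETA0)
            + KSP0 * (theta - THETA0))


def u_ntsmc(theta, omega, ref):
    th_d, dth_d, ddth_d = ref
    e, de = theta - th_d, omega - dth_d
    s = e + K * abs(de) ** XI * sign(de)                          # Eq. (54)
    u_eq = (-JEQ0 / (B0 * K * XI) * abs(de) ** (2.0 - XI) * sign(de)
            + BEQ0 / B0 * omega + t_fsp0(theta, omega) / B0
            + JEQ0 / B0 * ddth_d)                                 # Eq. (57)
    u_sw = -JEQ0 / B0 * (MU3 * sat(s) + MU4 * s)                  # Eq. (58)
    return u_eq + u_sw


def u_smc(theta, omega, ref):
    """Baseline on s1 = de + lambda2*e; u_eq obtained from ds1/dt = 0."""
    th_d, dth_d, ddth_d = ref
    e, de = theta - th_d, omega - dth_d
    s1 = de + LAMBDA2 * e                                         # Eq. (66)
    u_eq = (BEQ0 / B0 * omega + t_fsp0(theta, omega) / B0
            + JEQ0 / B0 * (ddth_d - LAMBDA2 * de))
    u_sw = -JEQ0 / B0 * (MU5 * sat(s1) + MU6 * s1)
    return u_eq + u_sw


def simulate(controller, t_end=3.0, dt=1e-4):
    """Integrate Eq. (47) in closed loop; returns a list of (t, e) samples."""
    theta, omega = THETA0, 0.0   # ASSUMPTION: valve at rest at theta_0
    trace = []
    for i in range(int(round(t_end / dt))):
        t = i * dt
        ref = reference(t)
        trace.append((t, theta - ref[0]))
        u = controller(theta, omega, ref)
        d_lump = 0.15 * math.sin(2.0 * t)
        acc = (B0 * u - BEQ0 * omega - t_fsp0(theta, omega)) / JEQ0 - d_lump
        omega += acc * dt        # semi-implicit Euler step
        theta += omega * dt
    return trace


def settling_time(trace, band=0.01):
    """Last instant at which |e| is still outside the band (ASSUMED 0.01 rad)."""
    last = 0.0
    for t, e in trace:
        if abs(e) >= band:
            last = t
    return last


if __name__ == "__main__":
    for name, ctrl in (("NTSMC", u_ntsmc), ("SMC", u_smc)):
        tr = simulate(ctrl)
        tail = max(abs(e) for t, e in tr if t >= 2.5)
        print(f"{name}: settling time {settling_time(tr):.2f} s, "
              f"max |e| after 2.5 s {tail:.1e} rad")
```

With these assumptions the terminal surface brings the error inside the band well before the linear surface does, because on s_n = 0 the error reaches zero in finite time while on s_1 = 0 it only decays exponentially at rate λ2.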

3.4 Summary

In this section, the modeling of ET real-time control system has been presented in detail. The SMC and NTSMC are designed for the ET real-time control system, respectively. It has been shown that the finite-time error convergence can be obtained due to the use of TSM. The simulations with two different driving scenarios have been carried out to demonstrate the control performance of the NTSMC.


4 Permanent Magnet Linear Motor (PMLM) with FNTSMC

4.1 Introduction of PMLM System

With the rapid development of automation technology and microcomputers, the importance of position accuracy has been highlighted in various industrial control systems. In this case, the conventional linear motion devices including rotary motor and conversion mechanism are far from meeting the requirement of modern control systems. Permanent magnet linear motor (PMLM) is a conversion device which requires no intermediate switching mechanism to convert electrical energy into linear motion. Due to its merits of high-speed, high-precision, and low-noise linear motion, PMLM has been successfully applied in industry, military, and other motion occasions that require high speed, low thrust, small displacement, and high-precision position control (Kim et al. 2016). Therefore, more and more researchers devote themselves to the research of PMLM. The control objective of this part is to design a position tracking controller for a PMLM such that the reference position trajectory can be tracked with high precision. However, it is challenging to obtain excellent performance and effectiveness due to various parametric uncertainties, nonlinear dynamics, and disturbances such as backlash and frictional forces. In this part, the fast nonsingular terminal sliding mode (FNTSM) control strategy is applied to the PMLM, where the tracking error can converge to the equilibrium point in a finite time and strong robustness can also be guaranteed. In general, the dynamics of a PMLM can be described by a second-order system (Ahn et al. 2005) given as follows:

$$\ddot{x} = -\frac{k_f k_e}{Rm}\dot{x} + \frac{k_f}{Rm}u - \frac{d}{m} \tag{68}$$

where x is the motor position, $k_f$ is the force constant, $k_e$ is the back electromotive force (EMF), R is the resistance, m is the moving mass, u is the control signal, and d is the lumped disturbances including the friction force and position-dependent cogging force. For simplicity, we denote $a = \frac{k_f k_e}{Rm}$, $b = \frac{k_f}{Rm}$, $F = \frac{d}{m}$. Eq. (68) can then be rewritten as:

$$\ddot{x} = -a\dot{x} + bu - F \tag{69}$$

The disturbance is composed of two parts, i.e., friction force and position-dependent cogging force:

$$d = F_{fric} + F_{ripple} \tag{70}$$

where $F_{fric}$ is the friction force and $F_{ripple}$ is the position-dependent cogging force (Krishnamurthy and Khorrami 2001). The friction force is defined as:

$$F_{fric} = \left[f_c + (f_s - f_c)\,e^{-(\dot{x}/\dot{x}_s)^2} + f_v\dot{x}\right]\mathrm{sign}(\dot{x}) \tag{71}$$

where $\dot{x}$ is the motor velocity, $f_c$ is the coulomb friction coefficient, $f_s$ is the static friction coefficient, $f_v$ is the viscous friction coefficient, and $\dot{x}_s$ is the lubricant parameter. It is known that the position-dependent cogging force could be any kind of Fourier expansion such as:

$$F_{ripple} = \sum_{i=1}^{\infty} A_i\sin(\omega_i x + \phi_i) \tag{72}$$

In this part, the position-dependent cogging force is represented by the high-order Fourier expansion as:

$$F_{ripple} = A_1\sin(\omega x) + A_2\sin(3\omega x) + A_3\sin(5\omega x) \tag{73}$$

where $A_i$ (i = 1, 2, 3) is the amplitude, $\omega_i$ (i = 1, 2, 3) is the state-dependent cogging force frequency, and $\phi_i$ (i = 1, 2, 3) is the phase angle. Although the disturbances of PMLM can be expressed, they are always unavailable. If one wants to compensate them, the appropriate observer or sensor should be applied to estimate them.

Assumption 1 The disturbance $F$ and its derivative $\dot{F}$ are assumed to be bounded, i.e., $|F| \le d$ with a constant $d$, and $|\dot{F}| \le \dot{d}$ with a constant $\dot{d}$.

4.2 Controller Design

In this section, an FNTSM scheme is developed to guarantee the accurate tracking performance for PMLM with unmodeled dynamics and uncertainties. In addition, the proof of the closed loop system stability based on Lyapunov theory is presented in detail. First, the output tracking error of PMLM is defined as:

$$e = x_r - x \tag{74}$$

where $x_r$ is the reference signal. Considering the system model in (69), the error dynamic of the PMLM system can be obtained as follows:

$$\ddot{e} = \ddot{x}_r + a\dot{x} - bu + F \tag{75}$$

FNTSM surface is given as (Yang and Yang 2011):

$$s_{fn} = e + k_1|\dot{e}|^{\xi_1}\,\mathrm{sign}(\dot{e}) + k_2|e|^{\xi_2}\,\mathrm{sign}(e) \tag{76}$$

where $k_1 > 0$, $k_2 > 0$, $1 < \xi_1 < 2$, $\xi_2 > \xi_1$, and $\xi_1$ is chosen as $\xi_1 = q/p$ with q and p being positive odd numbers. The proposed FNTSM controller is comprised of two components: the switching control law $u_{fnsw}$ and equivalent control law $u_{fneq}$, namely:

$$u_{fntsm} = u_{fnsw} + u_{fneq} \tag{77}$$

where

$$u_{fneq} = \frac{1}{b}\ddot{x}_r + \frac{a}{b}\dot{x} + \frac{1}{bk_1\xi_1}|\dot{e}|^{2-\xi_1}\,\mathrm{sign}(\dot{e}) + \frac{k_2\xi_2}{bk_1\xi_1}|e|^{\xi_2-1}|\dot{e}|^{2-\xi_1}\,\mathrm{sign}(\dot{e}) \tag{78}$$

$$u_{fnsw} = \frac{1}{b}\left(\mu_7\,\mathrm{sign}(s_{fn}) + \mu_8 s_{fn}\right) \tag{79}$$

where $\mu_7$ and $\mu_8$ are two positive control gains, and $\mu_7$ is generally chosen larger than the upper bound of uncertainty.

Theorem 3 For the PMLM system (69) with the error dynamics (75), if the control law is chosen as (77), then the closed-loop error dynamics will reach sliding mode $s_{fn} = 0$ in finite time. Thereafter, the zero-convergence of state error can be ensured along $s_{fn} = 0$ within finite time.

Proof: Considering the Lyapunov function candidate

$$V = \frac{1}{2}s_{fn}^2 \tag{80}$$

And the first-order derivative of V can be obtained as:

$$\begin{aligned}
\dot{V} &= s_{fn}\dot{s}_{fn} \\
&= s_{fn}\left(\dot{e} + k_1\xi_1|\dot{e}|^{\xi_1-1}\ddot{e} + k_2\xi_2|e|^{\xi_2-1}\dot{e}\right) \\
&= s_{fn}\left(\dot{e} + k_1\xi_1|\dot{e}|^{\xi_1-1}\left(\ddot{x}_r + a\dot{x} - bu + F\right) + k_2\xi_2|e|^{\xi_2-1}\dot{e}\right)
\end{aligned} \tag{81}$$

Substituting (77), (78), and (79) into (81), we have:

$$\begin{aligned}
\dot{V} &= s_{fn}\left(k_1\xi_1|\dot{e}|^{\xi_1-1}\left(F - \mu_7\,\mathrm{sign}(s_{fn}) - \mu_8 s_{fn}\right)\right) \\
&= k_1\xi_1|\dot{e}|^{\xi_1-1}\left(F s_{fn} - \mu_7|s_{fn}| - \mu_8 s_{fn}^2\right) \\
&\le k_1\xi_1|\dot{e}|^{\xi_1-1}\left(|F||s_{fn}| - \mu_7|s_{fn}| - \mu_8 s_{fn}^2\right) \\
&\le k_1\xi_1|\dot{e}|^{\xi_1-1}\left(d|s_{fn}| - \mu_7|s_{fn}| - \mu_8 s_{fn}^2\right) \\
&\le -k_1\xi_1|\dot{e}|^{\xi_1-1}\left(\mu_7 - d\right)|s_{fn}| - \mu_8 s_{fn}^2 \quad \text{for } |\dot{e}| \ne 0
\end{aligned} \tag{82}$$

where $\mu_7$ is chosen to satisfy the following condition:

$$\mu_7 > d + \sigma_3 \tag{83}$$

where $\sigma_3 > 0$ is an arbitrary constant, (82) can be rewritten as:

$$\dot{V} \le -\mu_8 s_{fn}^2 - \sigma_3|s_{fn}| \le -2\mu_8 V - \sigma_3\sqrt{2V} \tag{84}$$

Inequality (84) demonstrates that the sliding variable $s_{fn}$ converges to zero in finite time. For $|\dot{e}| = 0$, we show that it is not an attractor in the reaching phase. Note that

$$\ddot{e} = -\frac{1}{k_1\xi_1}|\dot{e}|^{2-\xi_1}\,\mathrm{sign}(\dot{e}) - \frac{k_2\xi_2}{k_1\xi_1}|e|^{\xi_2-1}|\dot{e}|^{2-\xi_1}\,\mathrm{sign}(\dot{e}) - \mu_7\,\mathrm{sign}(s_{fn}) - \mu_8 s_{fn} + F \tag{85}$$

Under the condition $|\dot{e}| = 0$ and $s_{fn} \ne 0$, it follows that:

$$\ddot{e} = -\mu_7\,\mathrm{sign}(s_{fn}) - \mu_8 s_{fn} + F \ne 0 \tag{86}$$

It is obvious that the sliding variable $s_{fn}$ can reach the sliding mode surface $s_{fn} = 0$ in a finite time. Thus, the error dynamics of the PMLM converge to zero on the sliding mode surface in finite time. This completes the proof.

4.3 Simulation Results

In this section, the simulations with respect to PMLM system are carried out in comparison with the SMC. Note that there are many parameters of the proposed controller required to be chosen for the best performance. μ7 and μ8 should be chosen large enough to resist large uncertain disturbances, but too large values will incur instability of closed-loop system. The four parameters ξ 1 , ξ 2 , k1 , and k2 determine the convergence rate and the robustness.


The PMLM system parameters chosen in simulations are m = 5.4 kg, R = 16.8 Ω, $k_f$ = 130 N/A, $k_e$ = 123 V/m/s, $f_c$ = 10 N, $f_s$ = 20 N, $f_c$ = 10 N, $\dot{x}_s$ = 0.1, $A_1$ = 8.5 N, $A_2$ = 4.25 N, $A_3$ = 20 N, and ω = 314 rad/s. Following the above parameter selection criteria, the control parameters of FNTSMC are $k_1$ = 0.15, $k_2$ = 0.01, $\xi_1$ = 19/17, $\xi_2$ = 17/11, $\mu_7$ = 20, and $\mu_8$ = 200. For eliminating the chattering, the saturation function is also applied to replace the signum function in (77) with the corresponding parameter being $\eta_1$ = 0.01. In order to simulate the real running state, two input signal cases are considered to verify the performance of control strategy:

Case 1: Tracking a sinusoid signal. The reference signal is xr = 0.3 + 0.4(t).

Case 2: Step response. In this case, the amplitude of step signal is chosen as 0.35 m.

Following the design method from Sect. 3.2, an NTSMC can be given as:

$$s_2 = e + k_3|\dot{e}|^{\xi_3}\,\mathrm{sign}(\dot{e}) \tag{87}$$

$$u_{ntsmc2} = \frac{1}{b}\ddot{x}_r + \frac{a}{b}\dot{x} + \frac{1}{bk_3\xi_3}|\dot{e}|^{2-\xi_3}\,\mathrm{sign}(\dot{e}) + \frac{1}{b}\left(\mu_9\,\mathrm{sign}(s_2) + \mu_{10}s_2\right) \tag{88}$$

where $s_2$ is a sliding variable, and the corresponding parameters are selected as: $k_3$ = 0.3, $\xi_3$ = 1.3, $\mu_9$ = 20, and $\mu_{10}$ = 200. Figures 13 and 14 show the tracking responses of FNTSMC and NTSMC in case 1. It can be seen that both control methods can track the desired position in the presence of external disturbance. As seen from Fig. 13a, b, the position of PMLM for FNTSMC is capable of closely tracking the desired position, with a settling time of 0.36 s and almost zero steady-state error. Comparatively, the tracking response time of NTSM control is 0.43 s, as shown in Fig. 14a, b. Due to the well-designed FNTSM surface, the FNTSMC strategy exhibits a faster convergence rate than the NTSMC. Furthermore, the sliding variable curves of the FNTSMC and the conventional NTSMC in case 1 are shown in Figs. 13d and 14d. It can be clearly observed that both the sliding variables of the FNTSMC and the conventional NTSMC are perfectly steered to the origin due to the same switching law design. Figures 15 and 16 show the simulation results of two controllers in case 2. As seen from Figs. 15a, b and 16a, b, for the FNTSMC and the conventional NTSMC, the actual PMLM position can closely track the reference signal with an almost zero steady-state error. It is obvious that the FNTSMC and the conventional NTSMC can closely track the reference signal with settling time being 0.38 s and 0.45 s, respectively. Since both the FNTSM control and the conventional NTSM control have the strong robustness, the effect of disturbance can be eliminated. The FNTSMC also has faster convergence rate in case 2 because of the fast convergence property of FNTSM surface.


Fig. 13 Control performance of the FNTSMC in case 1: (a) PMLM position; (b) tracking error; (c) control voltage; and (d) sliding variable

Fig. 14 Control performance of the NTSMC in case 1: (a) PMLM position; (b) tracking error; (c) control voltage; and (d) sliding variable

4.4 Summary

In this part, the FNTSM control strategy and conventional NTSM control strategy are implemented to the PMLM system. Different input signal cases have been considered to demonstrate the effectiveness and excellent tracking capability of the FNTSM control. By using both the FNTSM control and the conventional NTSM control, both the finite time convergence of the tracking error and the strong robustness can be guaranteed. Owing to the introduction of a fast nonsingular sliding mode surface, the FNTSM control strategy has a faster convergence rate than the NTSM control method, which can be well implemented in practical PMLM control platforms.

Fig. 15 Control performance of the FNTSMC in case 2: (a) PMLM position; (b) tracking error; (c) control voltage; and (d) sliding variable

Fig. 16 Control performance of the NTSMC in case 2: (a) PMLM position; (b) tracking error; (c) control voltage; and (d) sliding variable

5 Conclusion

In this chapter, the basic concepts of real-time control have been first discussed, followed by the methods of scheduling and discretization from the practical implementation point of view. Next, an integrated real-time digital control system
has been introduced which is composed of hardware and software parts. The hardware part contains ADC, DAC, processor, sensor, actuator, and the control object, and the software comprises control algorithm and drive programs. Further, we use three practical mechatronic system examples to demonstrate the detailed modeling and control design of the mechatronic systems, i.e., SBW system, ET system, and PMLM system. The control algorithm design is in detail taken into consideration, where the SMC is discussed in this chapter to give readers a clear guidance of the SMC design flow in the real-time control system. In the descriptions of SMC design, we mainly introduce three mainstream sliding mode controllers, i.e., conventional SMC, NTSMC, and FNTSMC. These three types of sliding mode controllers are all implemented in those real-time mechatronic control systems; meanwhile, the features of the sliding surface and its practical application characteristics are further analyzed. In order to verify the robustness and perfect tracking performance of each set of controllers, comparative simulations have been presented. In addition, for the ease of reading and application, we have also given the flow of controller design and practical application and pointed out the existing precautions. Researchers or engineers in mechatronics can refer to this chapter for the modeling and control design techniques of real-time mechatronic control systems for practical implementations.

References

H.-S.S. Ahn, Y.Q. Chen, H.F. Dou, State-periodic adaptive compensation of cogging and Coulomb friction in permanent-magnet linear motors. IEEE Trans. Magn. 41(1), 90–98 (2005)
T. Aono, T. Kowatari, Throttle-control algorithm for improving engine response based on air-intake model and throttle-response model. IEEE Trans. Ind. Electron. 53(3), 915–921 (2006)
A.T. Azar, Q. Zhu, Advances and Applications in Sliding Mode Control Systems (Springer, 2015)
H.R. Baghaee, M. Mirsalim, G.B. Gharehpetian, H.A. Talebi, A decentralized power management and sliding mode control strategy for hybrid AC/DC microgrids including renewable energy resources. IEEE Trans. Ind. Inf. (2017)
B.M. Chen, Robust and H∞ Control. Communications and Control Engineering (London, 2000). https://doi.org/10.1007/978-1-4471-3653-8
M.L. Dertouzos, A.K. Mok, Multiprocessor online scheduling of hard-real-time tasks. IEEE Trans. Softw. Eng. 15(12), 1497–1506 (1989)
Y. Feng, X. Yu, Z. Man, Non-singular terminal sliding mode control of rigid manipulators. Automatica 38(12), 2159–2167 (2002)
M. Fliess, J. Lévine, P. Martin, P. Rouchon, Flatness and defect of non-linear systems: introductory theory and examples. Int. J. Control. 61(6), 1327–1361 (1995)
A. Gambier, Real-time control systems: a tutorial, in 5th Asian Control Conference, 2004, vol. 2, pp. 1024–1031
IEEE Standard for Information Technology–Portable Operating System Interface (POSIX(TM)) Base Specifications, Issue 7, IEEE Std 1003.1-2017 (Revision IEEE Std 1003.1-2008), 2018, pp. 1–3951. https://doi.org/10.1109/IEEESTD.2018.8277153, https://ieeexplore.ieee.org/servlet/opac?punumber=8277151
S. Islam, X.P. Liu, Robust sliding mode control for robot manipulators. IEEE Trans. Ind. Electron. 58(6), 2444–2453 (2011)
U. Itkis, Control Systems of Variable Structure (Wiley, New York, 1976)
H.K. Khalil, Nonlinear Systems (Prentice-Hall, New York, 2002)
J. Kim, S. Choi, K. Cho, K. Nam, Position estimation using linear hall sensors for permanent magnet linear motor systems. IEEE Trans. Ind. Electron. 63(12), 7644–7652 (2016)
P. Krishnamurthy, F. Khorrami, Adaptive control of stepper motors without current measurements, in American Control Conference, 2001. Proceedings of the 2001, 2001, vol. 2, pp. 1563–1568
M. Krstic, I. Kanellakopoulos, P.V. Kokotovic, Nonlinear and Adaptive Control Design (Adaptive and Learning Systems for Signal Processing, Communications and Control), vol. 222 (Wiley, 1995)
J.Y.-T. Leung, J. Whitehead, On the complexity of fixed-priority scheduling of periodic, real-time tasks. Perform. Eval. 2(4), 237–250 (1982)
A. Levant, Robust exact differentiation via sliding mode technique. Automatica 34(3), 379–384 (1998)
A. Levant, Homogeneity approach to high-order sliding mode design. Automatica 41(5), 823–830 (2005)
C.L. Liu, J.W. Layland, Scheduling algorithms for multiprogramming in a hard-real-time environment. J. ACM 20(1), 46–61 (1973)
Y. Mi, Y. Fu, D. Li, C. Wang, P.C. Loh, P. Wang, The sliding mode load frequency control for hybrid power system based on disturbance observer. Int. J. Electr. Power Energy Syst. 74, 446–452 (2016)
S. Sastry, M. Bodson, Adaptive Control: Stability, Convergence, and Robustness. Prentice-Hall Advanced Reference Series (Engineering) (Prentice Hall, 2011)
D.B. Stewart, P.K. Khosla, Real-time scheduling of dynamically reconfigurable systems, in IEEE International Conference on Systems Engineering, 1991, pp. 139–142
V. Utkin, Variable structure systems with sliding modes. IEEE Trans. Automat. Control 22(2), 212–222 (1977)
V. Utkin, J. Guldner, J. Shi, Sliding Mode Control in Electro-Mechanical Systems (CRC Press, New York, 2009)
W. Wang, J. Yi, D. Zhao, D. Liu, Design of a stable sliding-mode controller for a class of second-order underactuated systems. IEE Proc. Control Theory Appl. 151(6), 683–690 (2004)
H. Wang, Z. Man, W. Shen, Z. Cao, Robust control for steer-by-wire systems with partially known dynamics. IEEE Trans. Ind. Inf. 10(4), 2003–2015 (2014a)
H. Wang, Z. Man, W. Shen, J. Zheng, Sliding mode control for steer-by-wire systems with AC motors in road vehicles. IEEE Trans. Ind. Electron. 61(3), 1596–1611 (2014b)
H. Wang et al., Design and implementation of adaptive terminal sliding-mode control on a steer-by-wire equipped road vehicle. IEEE Trans. Ind. Electron. 63(9), 5774–5785 (2016a)
H. Wang et al., Robust adaptive position control of automotive electronic throttle valve using PID-type sliding mode technique. Nonlinear Dyn. 85(2), 1331–1344 (2016b)
H. Wang et al., Continuous fast nonsingular terminal sliding mode control of automotive electronic throttle systems using finite-time exact observer. IEEE Trans. Ind. Electron. 65(9), 7160–7172 (2018a)
H. Wang et al., Adaptive integral terminal sliding mode control for automobile electronic throttle via an uncertainty observer and experimental validation. IEEE Trans. Veh. Technol. 67(9), 8129–8143 (2018b)
L. Yang, J. Yang, Nonsingular fast terminal sliding-mode control for nonlinear dynamical systems. Int. J. Robust Nonlinear Control 21(16), 1865–1879 (2011)
X. Yu, Z. Man, Model reference adaptive control systems with terminal sliding modes. Int. J. Control. 64(6), 1165–1176 (1996)
X. Yu, M. Zhihong, Fast terminal sliding-mode control design for nonlinear dynamical systems. IEEE Trans. Circuits Syst. I Fundam. Theory Appl. 49(2), 261–264 (2002)
S. Yu, X. Yu, B. Shirinzadeh, Z. Man, Continuous finite-time control for robotic manipulators with terminal sliding mode. Automatica 41(11), 1957–1964 (2005)
M. Zhihong, X.H. Yu, Terminal sliding mode control of MIMO linear systems. IEEE Trans. Circuits Syst. I Fundam. Theory Appl. 44(11), 1065–1070 (1997)
M. Zhihong, A.P. Paplinski, H.R. Wu, A robust MIMO terminal sliding mode control scheme for rigid robotic manipulators. IEEE Trans. Automat. Control 39(12), 2464–2469 (1994)

20 PANTHEON: SCADA for Precision Agriculture

Laura Giustarini, Sebastian Lamprecht, Rebecca Retzlaff, Thomas Udelhoven, Nico Bono Rossellò, Emanuele Garone, Valerio Cristofori, Mario Contarini, Marco Paolocci, Cristian Silvestri, Stefano Speranza, Emanuele Graziani, Romeo Stelliferi, Renzo Fabrizio Carpio, Jacopo Maiolini, Riccardo Torlone, Giovanni Ulivi, and Andrea Gasparri

Contents
1 Precision Agriculture at Large
2 Precision Agriculture for Hazelnut Orchards: A Case Study
3 PANTHEON: A SCADA System for Agriculture
3.1 A SCADA for Hazelnut Management
4 Experimental Setup
5 SCADA Hardware Components
5.1 Wireless Network Backbone
5.2 Ground Robotic Platforms
5.3 Aerial Robotic Platforms
5.4 IoT Agrometeorologic Monitoring Network
6 SCADA Software Architecture
6.1 Software Architecture
6.2 Features of the Software Application
7 Conclusions
References

L. Giustarini: Ferrero, Senningerberg, Luxembourg
S. Lamprecht · R. Retzlaff · T. Udelhoven: Trier University, Trier, Germany
N. B. Rossellò · E. Garone: Université Libre de Bruxelles, Brussels, Belgium
V. Cristofori · M. Contarini · M. Paolocci · C. Silvestri · S. Speranza: University of Tuscia, Viterbo, Italy
E. Graziani: SIGMA Consulting, Rome, Italy
R. Stelliferi: Azienda Agricola Stelliferi, Nepi (VT), Italy
R. F. Carpio · J. Maiolini · R. Torlone · G. Ulivi · A. Gasparri: Rome Tre University, Rome, Italy

© Springer Nature Singapore Pte Ltd. 2022 Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_42

Abstract In this chapter, we introduce the vision of the H2020 project “Precision Farming of Hazelnut Orchards” (PANTHEON), which is to develop the agricultural equivalent of an industrial Supervisory Control and Data Acquisition (SCADA) system to be used for precision farming of orchards. PANTHEON’s objective is to design an integrated system where a relatively limited number of heterogeneous unmanned robotic components (including terrestrial and aerial robots) move within the orchard to collect data and perform typical farming operations. In addition, an Internet-of-Things (IoT) agrometeorological solar-powered network is deployed to continuously monitor the environmental conditions of the orchard. The information so collected is then stored in a central operative unit that integrates the data to perform automatic feedback actions (e.g., to regulate the irrigation system) and to support the decisions of the agronomists and farmers in charge of the orchard. The proposed SCADA system will acquire information at the resolution of the individual plant, to drastically increase, compared to current best practices, the detection of possible limiting factors at the level of the individual plant and to react accordingly. Differently from the current state of the art in precision farming for large-scale orchards, the capability of monitoring the state and the evolution of each single tree will be the enabling technology to allow more focused interventions. This will lead to a better average health of the orchard and to an increased effectiveness of integrated pest management (IPM) activities. In conclusion, the ongoing implemented architecture has the potential to increase production while, at the same time, being more cost-effective and environmentally friendly. To summarize, we believe that the proposed SCADA paradigm for Precision Agriculture may represent an attractive opportunity for the design of a novel real-time software architecture. 
In other words, by allowing the processing of massive amounts of datasets derived from the SCADA architecture, it will be possible to step up the current effectiveness of Precision Agriculture (PA) methodologies by providing real-time answers to the questions posed by farm managers, when in need of timely decisions.

1 Precision Agriculture at Large

PA is a farming management concept based on observing, measuring, and responding to inter- and intra-field variability in crops (Lee et al. 2010). Such variability may result from a number of factors. These include weather variables (temperature, precipitation, relative humidity, etc.), soil characteristics (texture, depth, nitrogen levels), cropping practices (till/no-till farming), weeds, and diseases, among others. The goal of PA is to apply the right amount at the right time and in the right place, optimizing returns on inputs while preserving resources and reducing production

20 PANTHEON: SCADA for Precision Agriculture


costs. In the broadest sense, PA is the application of management decisions in space and time, based on identifying, quantifying, and responding to variability. Even though farmers have always been aware of variability, the problem is that so far they lacked the tools to measure, map, and manage it precisely. The practice of PA has been enabled by technological developments, from gathering and analyzing data to the subsequent decision-making process, including the application of different agricultural inputs in the field. The advent of GNSS has greatly contributed to the spread of PA. The farmer’s and researcher’s ability to locate their precise position in a field allows for the creation of maps of the spatial variability for as many variables as can be measured (e.g., crop yield, terrain feature, topography, soil characteristics, moisture levels, nutrients levels, and others) and computed or derived (e.g., chlorophyll index, normalized difference vegetation index (NDVI), water stress). Geolocating a field enables the farmer to overlay information gathered from different analyses and various sensors. Sensor arrays can be mounted on GPS-equipped vehicles, such as unmanned aerial vehicles (UAVs) and unmanned ground vehicles (UGVs). The sensor arrays consist of instruments like laser scanners and different types of cameras, such as RGB, multispectral, hyperspectral, and thermal cameras. These instruments measure several different variables, from which information such as 3D reconstruction of the field and trees and vegetation indices (VIs) can be computed (Wiegand et al. 1991; Plant et al. 2000; Tucker et al. 1980; Yang and Everitt 2002). Two of the earliest and most widely used VIs are the NIR/red ratio (Jordan 1969) and the NDVI (Rouse et al. 1973). 
In general, datasets collected from sensors onboard UGVs and UAVs can be used in conjunction with information derived from airborne remote sensing and from Earth Observation (EO), with several satellites now providing imagery at centimetric resolution. Additionally, more variables can be measured with instruments such as field-based electronic sensors and spectroradiometers. Overall, it should be remarked that sensing techniques for biomass detection, weed detection, soil properties, and nutrients are most advanced. On the other hand, sensing techniques for disease detection and water stress are more difficult to design and implement in the field. Examples of recent projects are included here to provide the reader with an idea of the most recent developments in the field of integrated systems for PA. Within the H2020 program, the most relevant projects in PA are SWEEPER, FLOURISH, and APOLLO. The ambition of the SWEEPER project (Sweeper) was to bring the first generation of greenhouse harvesting robots onto the market. The idea was to apply the technology developed in CROPS (Clever Robots for Crops) to introduce, test, and validate a robotic harvesting solution for sweet peppers in real-world conditions. The idea of FLOURISH (Flourish Project) was to develop a setup composed of a small autonomous multi-copter UAV with a multipurpose UGV to survey a field from the air, perform targeted interventions on the ground, and provide detailed information for decision support, all with minimal user intervention. This framework could potentially be adapted to a wide range of farm management activities and different crops, by choosing different sensors, status indicators, and ground treatment packages. The objective of APOLLO (APOLLO) was to develop and


L. Giustarini et al.

test affordable and user-friendly agricultural advisory services. This was achieved by making an extensive use of free and open EO data, such as those provided by the Sentinel satellites. These services monitor growth and health of crops, provide advice on when to irrigate and till the fields, and estimate yield. Other projects will be here briefly illustrated. The project FATIMA (FATIMA) aimed to create an effective and efficient monitoring and management system of agricultural resources to achieve optimal crop yield and quality, in a sustainable environment. Their comprehensive strategy covers five interconnected levels: a modular technology package (based on the integration of EO and wireless sensor networks into a WebGIS), a fieldwork package (with exploring options of improving soil and input management), a toolset for multi-actor participatory processes, an integrated multiscale economic analysis framework, and an umbrella policy analysis set based on indicators, accounting, and footprint approach. The TrimBot2020 (TrimBot2020) project has researched the underlying robotics and vision technologies to prototype the next generation of intelligent gardening consumer robots. The project focused on the development of intelligent outdoor hedge, rose, and bush trimming capabilities, allowing the robot to navigate over varying garden terrain, approaching hedges to restore them to their ideal tidy state and restore bushes to their optimal shape. Several other projects were funded in the previous Framework Program (FP7). The objective of SAGA (SAGA) was to demonstrate the applicability of swarm robotics principles to the agricultural domain. Specifically, SAGA targeted a decentralized monitoring/mapping scenario and implemented a use case for the detection and mapping of weeds in a field with a group of small UAVs. 
In AGROSENSE (AGROSENSE) two different types of sensors were considered: (i) static sensors distributed throughout the field in a form of wireless sensor network to monitor soil conditions, crop growth, and other relevant bio-parameters and (ii) remote sensing based on autonomous UAVs to provide valuable information, otherwise challenging to obtain from the ground. FUTUREFAM (FUTUREFAM) aimed at the development of an integrated information system to advise managers of formal instructions, recommended guidelines, and implications resulting from different scenarios at the point of decision-making during the crop cycle. RHEA (RHEA) focused on the design, development, and testing of a new generation of automatic and robotic systems for both chemical and physical – mechanical and thermal – effective weed management, with application in both agriculture and forestry. It investigated a large variety of European products, including agriculture wide row crops (processing tomato, maize, strawberry, sunflower, and cotton), close row crops (winter wheat and winter barley), and forestry wood perennials (walnut trees, almond trees, olive groves, and multipurpose open woodland). The project CLAFIS (CLAFIS) developed and demonstrated a pre-commercial intelligent solution prototype for communication between automation systems and IT systems in farms and forest-related processes. It focused on the need for seamless data transfer between complex field devices/automation systems and IT systems for several stakeholders in the European agribusiness sector and in forestry production. Eventually, SODSAT (SodSat) concentrated on increasing the competitiveness of


turfgrass producers by providing a remote-based intelligent turf management system based on artificial intelligence (AI) techniques and on satellite imagery. Its outcome was an expert system able to provide agronomical recommendations by relying on historic and current data, multispectral images, and on-site sensing. Extending our analysis to outside Europe, several relevant initiatives have been carried out. The University of Minnesota developed algorithms that allow off-the-shelf robotics to work autonomously in complex environments, such as an apple orchard (Surveying and servoing). A project (Robot swarms and human scouts) led by the University of Pennsylvania uses human-operated drones to produce high-resolution, multidimensional maps to improve efficiency and yield. The MIT Media Lab Open Agriculture Initiative (OpenAg) builds open resources to enable the global community to accelerate digital agricultural innovation. Bringing together partners from industry, government, and academia in a research collective, they create collaborative tools, such as “food computers,” to explore future agricultural systems. In Australia, a project that received public funding (National Tree Project) contributed to the development of multi-scale monitoring tools to manage Australian tree crops. A common trait to the majority of these research papers and projects is the focus on annual crops, i.e., corn, strawberries, and cotton, with only some of them having analyzed tree crops, such as almond trees. The reason behind this is the higher market values of annual cultivations, like corn, that represent a commodity in the stock exchange market. In the case of annual crops, PA has also been used for yield estimation of major crops, such as grain and cotton. However, only limited research has been conducted on yield estimation for specialty crops such as fruit trees (Ye et al. 2007).
Additionally, hazelnut is a minor crop in the world scenario and is not even part of the list of commodity products. As a consequence, it has attracted few research projects and funds in the past. Finally, it should be remarked that real-time computing has yet to be properly integrated in PA. Indeed, some sensors, like weather stations, already provide near real-time data and also compute several derived variables in near real-time from the measured ones. However, future challenges relate to the real-time processing of the much larger volume of data collected by sensors onboard UGVs, UAVs, aircraft, and satellites.

2 Precision Agriculture for Hazelnut Orchards: A Case Study

PA in hazelnut farming is a relatively recent concept. As anticipated, this perennial crop, well adapted to temperate climatic conditions, has been considered until recently a minor crop. PA applications have been described in major perennial crops (Zude-Sasse et al. 2016), such as olive groves, vineyards, and stone fruits orchards, to monitor and manage water balance through remote sensing (Agam et al. 2014; Johnson et al. 2007), to predict yield, and for postharvest monitoring and management (Aggelopoulou et al. 2010; Liakos et al. 2011; Lu 2004; Perry et al. 2010; Zhou et al. 2012; Ziosi et al. 2008).


Lately, hazelnut cultivation is experiencing a renaissance period, due to several new and large orchards being planted both in traditional hazelnut countries, such as Italy, Spain, and Oregon (USA), and also in new producer countries like Chile. This renewed interest for a nut crop, considered in the past highly suitable only for marginal areas (i.e., slopes), has provided momentum for innovative farming approaches, leading to interesting first applications in the framework of PA. The use of Differential Global Navigation Satellite System Real-Time Kinematic (DGNSS-RTK) has been introduced to design the planting scheme and to mechanically plant single trunk trees in high-density new orchards that can then be managed with high levels of mechanization for what concerns, for example, pruning operations (Cristofori et al. 2017). This new technology is mainly applied in large orchards. The design phase has been simplified, introducing surveying instruments that allow accuracy and precision in the phase of squaring the fields (Fig. 1). The number of rows and plants can be automatically computed, and the results displayed in a geographic information system (GIS) platform. In addition to the design phase, a transition from manual to mechanical planting has also taken place in the last years (Fig. 2), as a consequence of technical and economic reasons, such as higher precision in planting operation and labor reduction. Mechanical transplanters are combined with laser alignment or control systems directly connected to a DGNSS positioning tool. Along the same line, more recently,

Fig. 1 Laser alignment system positioned in the field to allow accuracy and precision in squaring the field. The instrument is equipped with a software module that shows in real-time plant positioning points


Fig. 2 DGNSS-RTK mechanized transplanting operation in the field

an electrohydraulic control system based on DGNSS-RTK technologies has been directly integrated into the machinery used for the transplanting phase. Analyses of the economic advantages of such technology have shown that for plantations larger than 30 ha., the proposed DGNSS-RTK control should be preferred to manual operations (Cristofori et al. 2017). Fabi and Varvaro (2009) described the first results of the application of Advanced Spectroscopic Imaging System (A.Sp.I.S.) to monitor the “Dieback of hazelnut,” a bacterial disease caused by Pseudomonas syringae pv. coryli, that recently caused the loss of a large number of hectares in hazelnut orchards in the Viterbo province (Italy). The authors proved how A.Sp.I.S. can recognize the main part of a wilting or dead plant, allowing to set up a protocol of investigation, to both monitor and predict the spread of the disease in space and time with high accuracy. The derived prediction model mainly relied on temperature and rainfall for an accurate and rapid evaluation of the possible spread. Suitability analyses, based on GIS, have been recently adopted to identify suitable areas to establish new plantations. To ensure the suitability of agricultural areas, several layers of GIS information are evaluated, such as slope, soil characteristics, weather variables, water presence, etc. Applications of PA in hazelnut cultivation have also been attempted for irrigation management and efficiency. In this case, the main objective is to maximize the efficiency of water use and to allow nutrient administration through fertigation, a technique still poorly applied in hazelnut orchards. Remote sensing for monitoring soil moisture and water status of the plant and IoT technologies are under investigation to provide higher efficiency in irrigation systems at a variable rate. Mechanical pruning could also potentially be enhanced by PA. 
In particular, the pruning shape could be tailored to each plant, depending on its current situation. At


Fig. 3 Mechanical pruning of hazelnut trees: hedging cut of an adult commercial orchard

present, mechanical pruning, both in trials and in commercial orchards, is performed using a rotating blade bar carried by a tractor (Fig. 3). The effectiveness of this operation, advisable for large orchards and in medium-high density plantations, is confirmed by positive effects on production, obtainable in the medium-long term. Mechanical pruning is performed with side cutting along the row (hedging) and also through cutting the top of the plants (topping). Hedging is executed when the branches of two contiguous rows overlap. To avoid a reduction in productivity, hedging is applied only to some of the plants of the orchard. Topping may be less frequent than hedging and is performed on the whole orchard every 5 to 8 years. Mechanical pruning has the aim of modifying the shape of the trees from bushes to hedges (Fig. 4), so that the resulting orchard appears more similar to other industrial, high-density fruit orchards, opening new opportunities for new PA applications. It is worth mentioning that PA has also been recently introduced in nut quality evaluation and in postharvest management. This is generally performed using near-infrared spectroscopy, to classify hazelnuts according to different standards.

3 PANTHEON: A SCADA System for Agriculture

The vision of the H2020 project PANTHEON is to develop the agricultural equivalent of an industrial SCADA system to be used for the precision farming of orchards. By taking advantage of the technological advancements in the fields of control, robotics, remote sensing, and big data management, the objective of the project is to design an integrated system where a relatively limited number of heterogeneous unmanned robotic components (including terrestrial and aerial robots) move within the orchard to collect data and perform typical farming operations. An IoT agrometeorological solar-powered network is deployed to continuously


Fig. 4 The “edge shape” of an adult hazelnut orchard after mechanical pruning (Girona, Spain)

monitor the environmental conditions of the orchard. The information produced is collected and stored in a central operative unit that integrates the data coming from the different robotic vehicles to perform automatic feedback actions (e.g., to regulate the irrigation system) and to support the decisions of the agronomists and farmers in charge of the orchard. The proposed SCADA system is designed to acquire information at the resolution of the single plant. As a result, this allows to drastically increase the detection of possible limiting factors for each individual plant, such as lack of water or pests and diseases affecting the plant health, and to react accordingly. Compared to the current state of the art in precision farming, the PANTHEON SCADA infrastructure represents a relevant step ahead in the context of orchard management. In fact, the capability of monitoring the state and the evolution of each single tree represents an enabling technology to allow more focused interventions. This results in a better average health of the orchard and in an increased effectiveness of IPM activities. The proposed SCADA architecture has the potential to increase the production of the orchard while, at the same time, being more cost-effective and environmentally friendly. For the experimental validation of the proposed PANTHEON SCADA system, a real-world (1:1 scale) orchard in the farm “Azienda Agricola Vignola” is considered.

3.1 A SCADA for Hazelnut Management

The objective of the project PANTHEON is to improve the current management of real-world hazelnut orchards. Briefly, the project focuses on the following aspects of orchard management:


• Estimation of the phytosanitary status of the orchard at the granularity level of the single plant
• Automatic irrigation regulation
• Automatic suckers’ treatment
• Improvement of pruning practices
• Automatic estimation of the production

Extensive discussions were conducted with actors of the agronomic community in order to list the most time-consuming and labor-intensive agronomic activities and those that also involve attributing the status of few representative trees to the entire block. In the management of large orchards, several activities can potentially benefit from automation; however, according to the priorities of the interviewed agronomists and farm managers, the previous five activities were identified as crucial. Focusing on these activities has been estimated as an achievable effort in the duration of the PANTHEON project. To do so, PANTHEON is developing a system composed of an IoT-based agrometeorological monitoring network, which includes a weather station to collect meteorological data and several soil moisture probe nodes to record humidity and temperature of the soil, along with ground and aerial robots that navigate the orchard to collect several measurements using different sensors (including high-level imaging sensors such as LiDAR and multispectral cameras), achieving the resolution of the single tree. The information is collected by a central unit where the data is processed to extract synthetic indicators in order to describe for each tree:

• Water stress
• Possible presence of pests and diseases
• Presence and size of suckers
• Geometry of the tree
• Estimated number of nuts on the tree

Based on these synthetic indicators, the system elaborates a synoptic report for the orchard manager. Such a report highlights possible situations that may deserve attention, provides suggestions of intervention, and, if requested, offers a historical view of the status of the plant and of the treatments already performed. In addition, for some activities, algorithms to perform automatic decisions are considered. As a result, PANTHEON envisions a SCADA system capable of:
(i) Autonomously controlling the levels of irrigation
(ii) Carrying out automatic suckers’ elimination

The design of the SCADA architecture has been performed by keeping in mind:
(i) The possibility to integrate, in the future, the automation of other operations (e.g., weed control)
(ii) The possibility to extend its application to other fruit crops


3.1.1 Hazelnut Remote Sensing

The reason behind the use of remote sensing in agriculture is the possibility of observing more than the human eye can and to detect changes, when possible, in the presymptomatic stage. Plant diseases and pest infestations affect plant physiology. This in turn can modify the color of different parts of the plant, the canopy morphology, the plant density and the transpiration rate, and finally the interaction of solar and thermal radiation with the canopy (Gerhards et al. 2016; Hartman et al. 2011). Thus, remote sensing technology is among the most advanced and effective methods for monitoring crop pests and diseases (Mahlein 2016). PANTHEON will utilize remote and proximity sensors to achieve the goals of pest and disease detection, water stress detection, and fruit detection with spectral analysis.

Optical Sensing

Multispectral sensors measure the relevant features with well-defined spectral bands. Typically the spectral characteristics of a band are achieved by spectral filters. Nearby narrow bands are capable of describing slight variations of the spectral features but might be affected by a poor signal-to-noise ratio, as the energy received at the sensor depends on the bandwidth. Since high-quality hyperspectral sensors are still rather expensive, multispectral cameras with bands customized for the specific application are generally used. In the last decades, various spectral indices have been developed to extract specific spectral features – e.g., associated with photosynthetic activity, plant health, or water content – with a limited number of bands. NDVI (see Eq. 1) is a commonly used indicator for the presence of vegetation. It is based on the typical ratio of the high-reflecting near-infrared plateau (NIR), due to cell structure, and the low-reflecting red region (RED), due to absorption by pigments.

$$\mathrm{NDVI} = \frac{\mathrm{NIR} - \mathrm{RED}}{\mathrm{NIR} + \mathrm{RED}} \tag{1}$$

The photochemical reflectance index (PRI) is able to track diurnal changes in photosynthetic efficiency of plants (Gamon et al. 1992). This index is based on the reflectance at 531 nm $R_{531}$ and a reference wavelength $R_{REF}$, typically 570 nm or 550 nm. Its sensitivity to short-term changes of photosynthesis and its stability against sun angle changes make it particularly useful to monitor plant activity. It can also be used to identify water stress (Suárez et al. 2010). With sufficient water supply, a reduced photosynthetic activity of hazelnut trees would indicate a health impairment.

$$\mathrm{PRI} = \frac{R_{REF} - R_{531}}{R_{REF} + R_{531}} \tag{2}$$

Thermal Sensing

Thermal sensing at field scale has an enormous potential for the measure of the plant response to water deficit (Jones et al. 2009). Canopy temperature is linearly


related to the rate of water loss from the canopy, which is closely related to stomatal conductance (Jones and Vaughan 2010). Based on this observation, the crop water stress index (CWSI) (Jones 2013) is considered an effective indicator for water stress. To derive CWSI for a given plant with temperature $T_c$, the index requires also the knowledge of the temperature of a plant with water deficit $T_{dry}$ and the temperature of a well-watered plant $T_{wet}$ (see Eq. 3). CWSI ranges from −1 to 1, with values close to 1 indicating no stress, while values ≤0 indicate extreme stress.

$$\mathrm{CWSI} = \frac{T_c - T_{dry}}{T_{wet} - T_{dry}} \tag{3}$$

Since stomatal conductance responds rapidly to water deficit, CWSI is an early indicator for water stress. Thus, in PANTHEON it is planned to use CWSI to distinguish water stress from stress caused by pest and/or diseases. Given that CWSI does not provide information about the resilience of a plant against water stress, it is also scheduled to calibrate a resilience function for hazelnut trees, based on water stress experiments. Since the difference between $T_c$ and the air temperature $T_a$ is linearly related to the vapor pressure deficit (VPD), it is possible to define CWSI as in Eq. 4 (Alderfasi and Nielsen 2001; Nielsen 1990). The coefficients $D_1$ and $D_2$ are estimated from the linear regression of $T_c - T_a$ and VPD (Nielsen 1990).

$$\mathrm{CWSI} = \frac{(T_c - T_a) - D_2}{D_1 - D_2} \tag{4}$$
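The indices of Eqs. 1 to 4 computed per tree, as an added example (not code from the chapter or from the PANTHEON project). The tree IDs, pixel values, temperatures, record layout and the 50% valid-pixel threshold are constructed; reading D1 as Twet − Ta and D2 as Tdry − Ta is an assumption under which Eq. 4 reduces term by term to Eq. 3.

```python
"""Per-tree vegetation and water-stress indices (Eqs. 1-4); added example."""
from statistics import mean

EPS = 1e-9  # below this a denominator is treated as zero


def normalized_difference(a, b):
    """(a - b) / (a + b), or None when the sum vanishes (shadow, masked pixel)."""
    denom = a + b
    return None if abs(denom) < EPS else (a - b) / denom


def ndvi(nir, red):
    """Eq. 1: high NIR plateau against low red reflectance."""
    return normalized_difference(nir, red)


def pri(r_ref, r531):
    """Eq. 2 in the order printed in the chapter: (R_REF - R_531) / (R_REF + R_531)."""
    return normalized_difference(r_ref, r531)


def cwsi_reference(tc, t_wet, t_dry):
    """Eq. 3: canopy temperature placed between dry and well-watered references."""
    span = t_wet - t_dry
    return None if abs(span) < EPS else (tc - t_dry) / span


def cwsi_baseline(tc, ta, d1, d2):
    """Eq. 4: the same index from the canopy-air temperature difference."""
    span = d1 - d2
    return None if abs(span) < EPS else ((tc - ta) - d2) / span


def canopy_mean(pixels, index, min_valid_fraction=0.5):
    """Average `index` over one tree's pixels.

    Pixels with reflectance outside [0, 1] (saturation, calibration fault) or a
    zero denominator are skipped. If fewer than `min_valid_fraction` of the
    pixels survive, return None so that no decision is based on this tree.
    The 0.5 default is an assumption, not a PANTHEON parameter.
    """
    values = []
    for bands in pixels:
        if not all(0.0 <= b <= 1.0 for b in bands):
            continue
        value = index(*bands)
        if value is not None:
            values.append(value)
    if not pixels or len(values) / len(pixels) < min_valid_fraction:
        return None
    return mean(values)


def tree_indicators(tree):
    """Collect the indices for one tree record (the dict layout is hypothetical)."""
    ta = tree["t_air"]
    return {
        "id": tree["id"],
        "ndvi": canopy_mean(tree["nir_red"], ndvi),
        "pri": canopy_mean(tree["ref_531"], pri),
        "cwsi_eq3": cwsi_reference(tree["t_canopy"], tree["t_wet"], tree["t_dry"]),
        # Assumption: D1 = T_wet - T_a and D2 = T_dry - T_a, which turns Eq. 4
        # into Eq. 3 with T_a subtracted from every temperature.
        "cwsi_eq4": cwsi_baseline(tree["t_canopy"], ta,
                                  d1=tree["t_wet"] - ta, d2=tree["t_dry"] - ta),
    }


# Constructed sample data: reflectances are fractions, temperatures in deg C.
HEALTHY = {
    "id": "T-001",
    "nir_red": [(0.50, 0.10), (0.45, 0.05), (0.0, 0.0), (1.7, 0.1)],
    "ref_531": [(0.12, 0.10), (0.11, 0.10)],
    "t_canopy": 29.0, "t_air": 27.0, "t_wet": 26.0, "t_dry": 34.0,
}
DEGRADED = {
    "id": "T-002",
    "nir_red": [(0.48, 0.08), (1.9, 0.2), (2.4, 0.3), (0.0, 0.0)],
    "ref_531": [(0.12, 0.10)],
    "t_canopy": 35.0, "t_air": 27.0, "t_wet": 26.0, "t_dry": 34.0,
}

if __name__ == "__main__":
    for tree in (HEALTHY, DEGRADED):
        print(tree_indicators(tree))
```

With these constructed values, T-001 gets CWSI 0.625 from both equations and T-002 gets −0.125, which the chapter's scale reads as extreme stress. The NDVI of T-002 is withheld because only one of its four pixels is usable.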

Spectral Analysis

In PANTHEON, it is planned to use the spectral indices as indicators for drought stress and for the detection of pests and diseases. Fruit detection can be addressed with direct and indirect techniques of image processing and 3D analyses (Bargoti and Underwood 2016; Chaivivatrakul and Dailey 2014; Stein et al. 2016).

4 Experimental Setup

For the project PANTHEON, three fields were selected within the Azienda Agricola Vignola, a farm located in the municipality of Caprarola, in the province of Viterbo. They are displayed in Fig. 5, and their characteristics are listed in Table 1. Of the three fields that were offered to the consortium, only two contiguous ones were retained for the experimental setup. This precautionary redefinition of the fields derives from constraints due to the deployment of the communication network. Additionally, it should be noted that field 21 has rather similar characteristics to field 18, both in terms of variety, tree age, and irrigation scheme. In conclusion, abandoning field 21 does not compromise the statistical significance


Fig. 5 Selected fields for the PANTHEON project

Table 1 Selected fields for the PANTHEON project and their characteristics

| Field name | Area (ha) | Variety (−) | Density (m) | Age (year) | Irrigation (−) |
| --- | --- | --- | --- | --- | --- |
| 16 | 9.1 | Nocchione | 4.5 × 3.0 | Young: Third leaf in the field | Underground drip irrigation: Double line between the rows, 0.8 m from the tree lines |
| 18 | 3.1 | Tonda Gentile Romana | 5.0 × 5.0 | Adult: 30 | Underground drip irrigation: 1 line between the rows |
| 21 | 3.8 | Tonda Gentile Romana | 8.0 × 4.0 | Old: >40 | Underground drip irrigation: 1 line between the rows |

of the experiments, also considering that the number of trees and their spatial distribution ensure a sound scientific experiment. A young orchard (field 16 – 4 years old at the beginning of vegetative season 2019) was selected to test and validate the automation of irrigation, suckers’ detection and management, pruning policies, and production estimation. The orchard design is 4.5 m × 3.0 m (Fig. 6), with cultivar Nocchione. The trees are trained as


Fig. 6 Overview of field 16 (young hazelnut orchard) during the vegetative season (22 June 2018) and during winter rest (8 February 2019)

multi-stemmed bushes, selecting three to four main stems, and the field is irrigated with subirrigation system, namely, underground drip irrigation, with double line between the rows, at a distance of 0.8 m from each side of the tree lines.


Fig. 7 Overview of field 18 (adult hazelnut orchard) during the vegetative season (22 June 2018) and during winter rest (8 February 2019)

Similarly, a mature orchard (field 18 – about 30 years old) has been chosen for the same trials as for field 16, with the addition of tests for major hazelnut pests and diseases. The orchard design is 5.0 m × 5.0 m (Fig. 7), with cultivar Tonda Gentile Romana. The trees are trained as multi-stemmed bushes, and the field is irrigated with subirrigation system, in the specific case an underground drip irrigation system, with one line between the rows.


Fig. 8 Detailed view of the experimental setup of the PANTHEON project. One of the nine LoRa nodes is located extremely close to MeshC. Reference markers indicate the position of ground control points to support drone imagery referencing. Fruit detection in field 18 will be performed on every second tree, in the same row selected for “Sucker Detection Automated and Manual”

In the area covered by the IoT (see Fig. 8), each selected tree has been attributed a specific ID, for both manual and automated monitoring, in order to have appropriate cal/val datasets. For a reasonable planning of orchard management activities, a certain predefined number of trees has been selected in each field, as reported in the following:

• Water stress: 20 trees selected in field 18 (adult orchard) and 20 trees selected in field 16 (young orchard), with each group divided into 2 subgroups of 10 trees each (1 subplot will be irrigated and 1 will be used as nonirrigated control).
• Suckers’ detection and control: 10 trees selected into the same row in field 18 and 10 trees selected into the same row in field 16.
• Tree geometry reconstruction: 15 trees were selected in field 16 and labeled as 3 different subgroups of 5 trees each, with 3 different pruning protocols, 1 per subgroup (free multi-stemmed bush; regular multi-stemmed bush; single trunk system).
• Pest and disease detection: 18 trees were selected in field 18, with 6 trees with pest and disease infestation at a predefined time T1, 6 trees with pest and disease infestation at a predefined time T2, and the remaining 6 trees to be protected against infestation.
• Fruit detection: 10 young trees selected in field 16 and 5 mature trees selected in field 18.

5 SCADA Hardware Components

The SCADA system designed within the PANTHEON project is composed of the following main components, which will be detailed in the following:

1. Wireless network backbone
2. Unmanned ground robotic platforms
3. Unmanned aerial robotic platforms
4. IoT agrometeorologic monitoring network

Notably, the interaction among the different components is ensured by (mostly) relying on the Robotic Operating System (ROS) (Quigley et al. 2009). Briefly, ROS provides a distributed modular solution for a seamless integration of all the hardware and software components, ranging from the drivers of the actuators to the interface with the data analytic engine. In this regard, as it will be detailed in the following, the wireless network backbone serves as a medium for the other components to interact over standard TCP/IP sockets for transporting message data.

5.1 Wireless Network Backbone

The wireless network backbone (WNB) is the infrastructure required to keep all the ROS-based components of the SCADA system interconnected, from the central unit housing the farm-server with the farm-DataBase (DB) to the single robots moving in the field. The selected WNB architecture is based on a set of mesh antennas and two long-distance antennas. The former is required to create a mesh network on the field, so that UGVs and UAVs can operate in the field itself. The two long-distance antennas are required to connect the central unit, located in a remote warehouse, to the mesh network deployed in the field. Figure 9 depicts the WNB developed within the PANTHEON experimental setup. In particular, the WNB consists of seven antennas and one router, specifically:

• Two AirMax antennas (LiteBeam AC GEN2)
• Five UniFi antennas (AC MESH PRO)
• One router (IR615-S-EN000-WLAN)

Fig. 9 Wireless network backbone

Regarding the long-range AirMax antennas, as illustrated in Fig. 10, one AirMax antenna, named AirMax2, is connected by an Ethernet cable to the central unit (located in a remote warehouse) and oriented toward the other antenna, named AirMax1, which is instead placed in the field, where the router is also present. This router, whose sole function is to manage the local network, has been placed in the field to conceptually decouple the two network segments: the mesh network (in the field) and the central unit (in the warehouse). This choice ensures that a temporary failure of the point-to-point long-range connection between the central unit and the mesh network does not prevent the use of the unmanned vehicles in the field. Figure 9 depicts the two network segments, and Fig. 10 illustrates the point-to-point long-range connection. Regarding the mesh network, as shown in Fig. 11, the first UniFi antenna is connected to the antenna AirMax1 through an Ethernet cable and to the router through another Ethernet cable. Every other UniFi antenna is wirelessly connected, i.e., through an uplink-downlink radio connection as specified by the UniFi protocol, in order to create a mesh network. In this way the signal is rebroadcast through a desired network topology pre-configured in software, i.e., the UniFi Controller, permitting the connection between all devices in the field. All the UniFi devices are conventional WiFi access points (with up to 183 m radius of area coverage and a maximum bandwidth of 450 Mbps). They can also be accessed with a mobile phone, which is useful for experiments and debugging purposes. The mesh established between UniFi antennas is necessary to cover the whole area and is composed of a total of five devices for a field whose

20 PANTHEON: SCADA for Precision Agriculture

659

Fig. 10 Point-to-point AirMax antennas

area is about 50 m × 200 m. In addition, as can be noticed in Fig. 11, each UniFi device, which has a power consumption of 9 Watts, has been powered through a battery that can be autonomously charged by means of a solar panel to support a long operational time.

5.2 Ground Robotic Platforms

Two ground vehicle prototypes, namely, SHERPA HL robotic platform R-A and SHERPA HL robotic platform R-B, are required for the precision farming activities to be carried out within the PANTHEON project. Briefly, the two ground vehicle prototypes are based on the commercial SHERPA HL robotic platform, i.e., a general-purpose mobile platform originally designed to target logistics tasks, produced by Robotnik Automation, S.L.L. The following agronomic activities have been identified for the ground robotic platforms:

• The main task of the SHERPA HL robotic platform R-A is to collect sensorial data for tree geometry reconstruction, for the assessment of the phytosanitary status of the plants, and to mark branches for pruning.
• The main task of the SHERPA HL robotic platform R-B is to apply chemicals on suckers in order to remove them and any related features.

Fig. 11 Mesh UniFi antennas

The two SHERPA HL robotic platforms have been mechanically designed and customized to facilitate the execution of these specific precision farming activities. In particular, two different kinematic models have been considered: (i) the SHERPA HL robotic platform R-A is mechanically designed to operate according to the omnidirectional kinematics, and (ii) the SHERPA HL robotic platform R-B is mechanically designed to operate according to the Ackermann steering kinematics. It should be noticed that the SHERPA HL robotic platform R-A could also operate according to the Ackermann steering kinematics by simply imposing that no steering is allowed for the rear tires. Indeed, this kinematic operation mode is made available by the core software library, and it can be selected by the operator (or equivalently by the autonomous control law).


Fig. 12 Common sensorial equipment of SHERPA HL robotic platforms

5.2.1 Common Sensorial Equipment for Localization, Safety, and Navigation System

The two SHERPA HL robotic platforms R-A and R-B share the same sensorial equipment for the localization, safety, and navigation system. This choice has been made to simplify the development of control, localization, and navigation algorithms. In particular, as depicted in Fig. 12, the following sensorial equipment has been considered: (i) a Trimble MB-Two GNSS receiver with GPS-RTK capabilities; (ii) an SBG Ellipse2-E IMU with an integrated compass; (iii) two Sick S300 safety laser scanners; and (iv) a Velodyne VLP-16 Puck LITE 3D LiDAR.

5.2.2 Ground Robot R-A Farming Sensorial Equipment

The main features of SHERPA HL robotic platform R-A are illustrated in Fig. 13. In particular, the telescopic arm, composed of an elevator and a rotational bar, can be noticed. The sensorial equipment for the remote sensing activities is also highlighted. Briefly, this is composed of a Faro laser scanner Focus S70 LiDAR, a MicaSense RedEdge-M and a Sony Alpha α5100 mounted on a gimbal DJI Ronin MX, and a Velodyne VLP-16 Puck LITE LiDAR. In addition, a Sick S300 safety laser scanner (another one is placed on the opposite corner on the rear of the robotic platform) and an antenna for the RTK D-GPS system are included in the system.

In PANTHEON it is planned to measure each tree with the robotic platform R-A from four positions to gain an all-around view. As illustrated in Fig. 14, at each position the tree is scanned twice, once with the laser scanner and once with the cameras, after rotating the robot's rotational bar by 180°. This procedure allows for a later spectral enrichment of the laser scans, due to the similar viewing perspectives. Thus, a spectral analysis of the point clouds can be achieved for an improved detection of relevant features, like sucker's branches or fruits.

To measure the relevant spectral information with the UGVs, a MicaSense RedEdge-M multispectral camera is used. Its five discrete spectral bands with an image resolution of 960 × 1280 pixels and a radiometric resolution of 12 bit are optimized for agricultural applications. Table 2 summarizes the spectral characteristics of the camera. Although within the orchard the incidence of light might be poor, this camera provides images of a sufficient signal-to-noise ratio.

Fig. 13 SHERPA HL robotic platform R-A (labeled components: pistol, bar, elevator, protection shield, DJI Ronin MX gimbal, Faro S70 LiDAR, MicaSense RedEdge, Sony α5100, RTK D-GPS antenna, Velodyne VLP-16 LiDAR, Sick S300 laser scanner)

Fig. 14 Data acquisition concept for the robotic platform R-A

As a counterpart to the professional multispectral camera, a custom Sony α5100 RGB camera is used, because of its high geometrical resolution and its robust design. To achieve high-quality close-range images with a large field of view, the camera has been equipped with an optical lens (Sony SEL-28F20) with 28 mm focal length and F2.0 light intensity. The spectral characteristics, with only visible and broad diversified bands, are not suitable for a meaningful spectral analysis. However, the high geometrical resolution is particularly suitable to apply object recognition techniques, e.g., for fruit detection.

Table 2 Spectral characteristics of the MicaSense RedEdge-M

| Band | Center wavelength (nm) | Bandwidth FWHM (nm) |
|---|---|---|
| Blue | 475 | 20 |
| Green | 560 | 20 |
| Red | 668 | 10 |
| Near IR | 840 | 40 |
| Red edge | 717 | 10 |

To record high-density 3D point clouds of the trees, a Faro Focus S70 laser scanner is used. It allows for all-around scans with a vertical field of view of 300°. It measures at a wavelength of 1550 nm, with a minimum step width of 0.009° (FARO 2018). With these resolution capabilities, detailed structures, like suckers or fruit clusters, can be recorded by the scanner. With a point precision of about 2 mm at a distance of 10 m, the laser scanner provides point clouds of a sufficient quality to reconstruct the geometry of hazelnut trees.

Figure 15 illustrates a young tree captured with the RGB and multispectral camera from the same position. Taller trees require multiple photo shots from the same position, to capture the canopy completely.

Fig. 15 Images of RGB and multispectral camera taken from the same position (RGB, blue, green, red, red edge, NIR)

5.2.3 Ground Robot R-B Farming Sensorial Equipment

The main features of SHERPA HL robotic platform R-B are summarized in Fig. 16. In particular, it can be noticed that the atomizer is composed of a sprayer along with an electrically driven pump and a tank for treating suckers. In addition, two Sick S300 safety laser scanners, a Velodyne VLP-16 Puck LITE LiDAR, and an antenna for the RTK D-GPS system are visible.

5.3 Aerial Robotic Platforms

One aerial vehicle prototype is required for the precision farming activities to be carried out within the PANTHEON project. This vehicle is based on the commercial UAV DJI Matrice 600 Pro, produced by DJI. The model chosen is a six-rotor flying platform designed for professional aerial photography and industrial applications. The main task of this robotic platform is to collect sensorial data to estimate the phytosanitary status of the plants. The model has been customized to execute the sensing activities required in precision farming.

Fig. 16 SHERPA HL robotic platform R-B (labeled components: RTK D-GPS antenna, tank, sprayer, Sick S300 laser scanner, Velodyne VLP-16 LiDAR)

The UAV is equipped with a DJI A3 Pro triple-modular redundancy system and advanced intelligent flight functions, a DJI D-RTK system which allows highly accurate positioning, and a gimbal DJI Ronin MX where three sensors are installed. All this can be controlled with a ruggedized onboard computer DJI Manifold added on the top of the aircraft. The A3 Pro flight controller provides three GPS modules and IMUs which add triple-modular redundancy to reduce the risk of system failure. This system is complemented with an RTK module which, using a ground station, provides corrected GPS signals to improve its accuracy. These elements can be seen in Fig. 17. Additionally, a flight termination system and a security parachute are mounted on the top of the aircraft. Both security systems are optional, depending on the risk of the mission, and can be activated or deactivated before the flight.

5.3.1 Sensorial Equipment

The UAV has been equipped with the multispectral camera array Tetracam MCAW. It is a composition of six individual cameras with a focal length of 9.6 mm and a snapshot shutter. Its CMOS sensors with a size of 1280 × 1024 pixels and a radiometric sensitivity of 10 bit have been equipped with customized spectral filters according to Table 3. These narrow filters were selected to be able to derive the relevant spectral indices, like NDVI and PRI.

Fig. 17 Aerial robotic platform

Table 3 Spectral characteristics of the Tetracam MCAW

| Band | Center wavelength (nm) | Bandwidth FWHM (nm) |
|---|---|---|
| Green | 530.7 | 3 |
| Green-yellow | 550.0 | 10 |
| Yellow-green | 570.0 | 10 |
| Red | 680.0 | 10 |
| Red edge | 720.0 | 10 |
| Near-infrared | 900.0 | 10 |

Similar to the UGV, a custom Sony α5100 RGB is used as a counterpart to the multispectral camera, because of its high geometrical resolution and its robust design. To achieve high-quality close-range images with a large field of view, the camera has been equipped with an optical lens (Sony SEL-35F18) having 35 mm focal length and F2.0 light intensity.

The ThermalCapture 2.0 thermal camera contains a FLIR Tau2 model equipped with a 19 mm lens and a thermal sensor of 640 × 512 pixels with a radiometric industrial grade sensitivity of 0.03 K and a frame capture rate of 30 Hz. The device records full radiometric information per pixel (Teax Technology 2018). The inherent thermal camera sensor is one of the most widely used camera types for UAV applications.

5.4 IoT Agrometeorologic Monitoring Network

An IoT agrometeorological monitoring network has been developed within the PANTHEON project and deployed in the experimental field to continuously monitor the environmental conditions of the orchard. This IoT network, which relies on LoRa (Long Range), i.e., a communication technology for long-range transmissions (more than 10 km in rural areas) with low power consumption, consists of the following modules:

• One weather station to collect meteorological data
• Nine LoRa nodes to record humidity and temperature data of the soil
• One LoRa/ROS gateway of the network

The modules of the network collect data from the sensors at a desired rate and send them to the gateway, which is responsible for converting data into the ROS standard for storage in the primary DB server. The gateway interfaces the LoRa network with the WNB, creating a convenient decoupling between the IoT network and the ROS network infrastructure. Notably, this decoupling is motivated by the fact that while the IoT network must continuously collect data over time, the ROS-based network, which is exploited, for instance, by the ground robots, must operate intermittently.

Figure 18 shows the weather station which is responsible for monitoring the weather conditions, such as air humidity, air temperature, air pressure, and rainfall. The station is powered by a 12 V–7.2 A battery and a 10 W solar panel to ensure continuous operation over time. Table 4 indicates the weather station sensors along with their accuracy/resolution. The weather station is installed for two reasons. First, it is required to calculate the VPD in the field for the derivation of CWSI. Second, information on precipitation, air humidity, temperature, and solar radiation is valuable accompanying data to distinguish whether the observed stress derives from lack of irrigation or from the presence of pests and diseases. The collected data is transmitted by the station to the gateway by exploiting a LoRa communication module.

Fig. 18 Weather station characteristics

Table 4 Weather station characteristics

| Weather station data | Accuracy/resolution |
|---|---|
| Rainfall (Davis DW-6463M) | Resolution 0.2 mm |
| Air temperature (Sensirion SHT75) | Minimum 0.04, typical 0.01, maximum 0.01 °C |
| Air humidity (Sensirion SHT75) | Minimum 0.4, typical 0.05, maximum 0.05 %RH |
| Wind speed/direction (Davis DW-6410M) | 3–322 kph, sampling all the pulse in a 60 s window time/1 degree |
| Solar radiation (Davis DW-6450) | 5% of full scale, full scale 1800 W/m², resolution 1 W/m² |
| Air pressure (first sensor 144 s) | 70 mbar to 10 bar, 1 to 150 psi |

Figure 19 depicts the LoRa nodes, which are scattered in the field and inserted in the soil at two different depths of 15 cm and 40 cm, respectively. These nodes are responsible for the monitoring of soil properties (such as soil moisture and soil temperature). They are powered by a 7.2 V lithium battery at 6800 mA and a 5 W solar panel to enable continuous operation over time. Table 5 indicates the LoRa node sensors along with their accuracy/resolution. Soil moisture and soil temperature values measured by the LoRa nodes provide valuable reference data to monitor the water stress experiments. As per the weather station, the collected data is transmitted by each node to the gateway by exploiting a LoRa communication module.

Figure 20 depicts the gateway, which is based on a Raspberry 3B+ and is responsible for bridging the IoT agrometeorological monitoring network, for which communication is based on the LoRa technology, with the ROS network, for which the communication is instead based on standard TCP/IP over the WNB.

Fig. 19 Soil monitoring node

Table 5 LoRa node characteristics

| Nodes data | Accuracy/resolution |
|---|---|
| Soil volumetric water content measurement (Deltaohom) | Measuring principle capacitive; measuring range 0–60% VWC; resolution 0.1%; accuracy (@23 °C) +/− 3% between 0 and 50% VWC (standard mineral soil, EC < 5 mS/cm) |
| Soil temperature (Deltaohom) | Resolution 0,1 °C; accuracy +/−0,5 °C |

Fig. 20 IoT agrometeorological network gateway

6 SCADA Software Architecture

Regarding data collection and analysis, the architecture of the software system has been defined with the aim of managing a high volume of data that are heterogeneous by nature, arrive at high speed, and come from various hazelnut fields. In addition, the system must be able to operate both in real time, for the monitoring of plantations, and in batch mode, for the processing of large collections of historical data oriented to predictive analysis and support of strategic decisions. Another selection criterion is the preference for open-source libraries and tools. This is a typical scenario of big data analysis (Marz and Warren 2015), and for this reason we have chosen modern technologies based on the Hadoop ecosystem and NoSQL technologies (Atzeni et al. 2020; Bugiotti et al. 2014) that can efficiently support this kind of data processing.

6.1 Software Architecture

The architecture of the data collection and processing system capable of meeting the above requirements is shown in a schematic form in Fig. 21 and is composed of three main components, which implement three operational levels:

• The “Data Collection and Preprocessing” layer (DCP layer in the following): this component is replicated for each hazelnut field and is dedicated to the collection of data from the various sources located in the field: sensors, weather stations, ground robots (UGV), and drones (UAV).
• The “Data Transfer” layer (DT layer in the following): this is a middleware that deals with the transfer of data between the other two levels, in both directions, and between the overall system and the final users of the software.
• The “Data Storage and Processing” layer (DSP layer or center in the following): it consists of a centralized unit in which all the data coming from the various DCP components are stored and on which massive analyses are carried out, mainly for knowledge extraction and decision support.

In the following, these three components will be described in more detail.

6.1.1 Data Collection and Preprocessing Layer

Through a local communication network, the data coming from the collection nodes (sensors, weather stations, UGV, and UAV) will be conveyed to the local server positioned in the warehouse near the hazelnut fields. The ROS protocol is used for data communication, as it is able to manage data transfers with all the collection nodes mentioned above (including the IoT nodes via a gateway with the LoRa network) and is based on the publish/subscribe mechanism, which allows the decoupling between data collection and data processing. However, data can also be stored on the internal mass storage of the various devices and then transferred manually to the local server. This guarantees, on the one hand, that acquired data are not lost even in the event of a malfunction of the communication network and, on the other hand, that the communication band is not excessively occupied, for example, in the case of acquisitions of large spectral images by the UGVs.

Fig. 21 The global architecture of the software system

The local server acts as a first point of collection and management of all the data coming from one hazelnut field. It is configured as a ROS node to communicate with the various collection nodes and will store data using MongoDB, a NoSQL database system. This choice was dictated by the amount of data to be managed, by their heterogeneity, and by the need to scale nicely as data volumes increase. In particular, MongoDB lends itself very well to IoT applications, especially those framed in the smart farming area (Nabrzyski et al. 2014). All raw data acquired from the field will be stored on the database together with the result of data processing carried out locally or in the data storage level, as described below. More specifically, some preprocessing activities will be performed on the system with the aim of:

• Carrying out operations of data cleaning and transformation, oriented, for example, to eliminate grossly incorrect data and to standardize formats
• Executing pre-aggregations to reduce the amount of data to be transmitted to the DSP layer and to make them more suitable for the subsequent analyses to be executed
• Performing, through a local software application, activity monitoring on the collected data and providing information to the farmers on the status of the field in real time

The local application will be Web-based, in order to be accessible using various types of devices, and will be developed using big data technologies, such as Spark, for processing large quantities of data at high speed. This application can be accessed directly by the operators in the field using the local server or through mobile devices, such as tablets and smartphones. An Internet connection is not required to access the application since it operates on the local database, and so the network available in the field can be used for this purpose.

6.1.2 Data Transfer Layer

Data exchange between the database, stored in the local server, and the central database, located in the DSP layer, will occur using an Internet connection when available. If the area is not covered by an Internet connection, a portable device equipped with a large mass storage device, called NAS (network-attached storage), will be used for data transfer. In this case, the NAS device will be physically transported from the hazelnut field to the central database. Figure 22 shows the two communication scenarios: with and without the presence of an Internet connection. In both cases, only the data collected since the last data transfer (usually called Δ-data) is actually copied. In the first scenario, Δ-data is directly transferred from the local to the central database and added to the “Global Collected Data” (1). The results of data analysis carried out in the DSP center are stored in a special archive called “Global Processed Data” (2). The results obtained from Δ-data (called “New Processed Data” in Fig. 22) are transferred back to the local server (3) so that they can be exploited by users operating on the field even when the DSP center is not directly accessible or the communication is low. In the second scenario, data transfer needs an intermediate step involving the storage and the transport of Δ-data in NAS devices.

Fig. 22 Data exchange between the DCP and the DSP components (two panels: local server and data storage and processing center connected through the Internet, steps 1–3, and through a NAS, steps 1–5; data sets shown: Collected Data, Δ-Data, Global Collected Data, Processed Data, New Processed Data, Global Processed Data)
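The Δ-data round trip described above can be sketched as follows. This is an added example, not code from the PANTHEON project: the in-memory `Store` stands in for the MongoDB collections, and the per-field `seq` counter, the HMAC on each bundle and the shared key are assumptions, introduced so that a bundle carried over the Internet or on a NAS is checked for modification and replay before it is merged.

```python
import hashlib
import hmac
import json

# Constructed key shared by the local server and the DSP center (assumption).
BUNDLE_KEY = b"constructed-demo-key"


def _mac(field, from_seq, docs):
    """HMAC-SHA256 over a canonical JSON encoding of the bundle contents."""
    body = json.dumps({"field": field, "from_seq": from_seq, "docs": docs},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(BUNDLE_KEY, body, hashlib.sha256).hexdigest()


class Store:
    """In-memory stand-in for one MongoDB collection, keyed by _id."""

    def __init__(self):
        self.docs = {}

    def upsert_many(self, docs):
        for doc in docs:            # idempotent: re-importing a document is harmless
            self.docs[doc["_id"]] = doc

    def since(self, field, seq):
        rows = [d for d in self.docs.values()
                if d["field"] == field and d["seq"] > seq]
        return sorted(rows, key=lambda d: d["seq"])


def export_delta(collected, field, last_seq):
    """Local server: bundle only the documents collected since the last transfer."""
    docs = collected.since(field, last_seq)
    return {"field": field, "from_seq": last_seq, "docs": docs,
            "mac": _mac(field, last_seq, docs)}


def import_delta(global_collected, watermarks, bundle):
    """DSP center, step (1): verify the bundle, then add it to Global Collected Data."""
    field, from_seq, docs = bundle["field"], bundle["from_seq"], bundle["docs"]
    if not hmac.compare_digest(bundle["mac"], _mac(field, from_seq, docs)):
        raise ValueError("bundle failed integrity check")
    if from_seq != watermarks.get(field, 0):
        raise ValueError("bundle does not start at the expected watermark")
    global_collected.upsert_many(docs)
    if docs:
        watermarks[field] = docs[-1]["seq"]
    return docs


def process(docs):
    """Step (2): toy analysis, mean soil moisture per node over the delta."""
    by_node = {}
    for d in docs:
        by_node.setdefault(d["node"], []).append(d["vwc"])
    last = docs[-1]["seq"] if docs else 0
    return [{"_id": f"mean-{node}-{last}", "node": node,
             "mean_vwc": round(sum(v) / len(v), 2)}
            for node, v in sorted(by_node.items())]


def transfer(local_collected, local_processed, center, field, last_seq):
    """One round trip; returns the watermark to use for the next transfer."""
    bundle = export_delta(local_collected, field, last_seq)  # Internet or NAS
    docs = import_delta(center["collected"], center["watermarks"], bundle)
    new_processed = process(docs)
    center["processed"].upsert_many(new_processed)   # Global Processed Data
    local_processed.upsert_many(new_processed)       # step (3): copy back
    return center["watermarks"].get(field, 0)


def demo():
    """Two transfers over constructed soil-moisture readings."""
    local_c, local_p = Store(), Store()
    center = {"collected": Store(), "processed": Store(), "watermarks": {}}
    local_c.upsert_many([
        {"_id": "f1-1", "field": "f1", "seq": 1, "node": "n1", "vwc": 21.0},
        {"_id": "f1-2", "field": "f1", "seq": 2, "node": "n2", "vwc": 30.0},
    ])
    wm = transfer(local_c, local_p, center, "f1", 0)
    local_c.upsert_many([
        {"_id": "f1-3", "field": "f1", "seq": 3, "node": "n1", "vwc": 19.0},
    ])
    wm = transfer(local_c, local_p, center, "f1", wm)
    return wm, center, local_p


if __name__ == "__main__":
    watermark, center_state, processed = demo()
    print(watermark, sorted(processed.docs))
```

A bundle whose contents were changed in transit, or an old bundle presented again after the watermark has advanced, is rejected with `ValueError` instead of being merged into the central database.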

6.1.3 Data Storage and Processing Layer

The DSP center is equipped with a computer infrastructure that is based on a cluster of computers whose nodes can be dynamically increased according to the requirements of storage and processing of the overall application. These requirements are driven by the volume of data to be stored, the data replication policies, the physical distance between the DSP center and the hazelnut fields (e.g., located in different countries) that can be relieved by geographical clustering, and the need to support high workloads of data processing. The computing nodes of the cluster will be equipped with CPUs supporting parallel computation and with a RAM and a mass storage of a size suitable for the overall needs of data storage and processing. All the collected data will be also stored in a MongoDB database, in order to be easily exchanged with the databases saved in local servers of the DCP layer. Data processing and analysis is activated at the DSP center when new raw data arrives from the DCP layer. The results of data processing are stored in the database itself. All of these choices follow the so-called “data lake” approach, in which a large repository is used for storing any kind of data, coming from different sources and possibly heterogeneous, for later use, aimed usually at knowledge extraction (Maccioni and Torlone 2018).

6.2 Features of the Software Application

Figure 23 shows a sketch of the entire software application from the user point of view. The application is Web-based and provides the users with two main features, which are supported by two sub-components of the software system:

• The real-time monitoring system, which operates in each hazelnut field on the data collected locally, combined appropriately with the results of large-scale analyses carried out in the central system. This component is in charge of producing the indicators mentioned in the previous sections able to describe the current status of the field, such as the water stress of trees and the presence of pests or diseases; this system will also monitor the weather conditions and their impact on the health of the plantation.
• The batch processing system, which supports decision-making and predictive analysis by operating in the DSP center on all the available data that has been collected in various hazelnut fields and stored in the central server. This component is in charge of applying analytics and machine learning techniques for knowledge discovery over agricultural data such as time series analysis, data clustering, automatic classification, and outlier detection, with the already mentioned goals of product estimation and automated prediction, among others.

Fig. 23 The overall application from the user point of view

A data anomaly detection algorithm will also be developed on the batch processing system to detect malfunctions of the SCADA infrastructure. It will include data-driven and model-based approaches to validate the gathered measurements. This validation will exploit the correlation between the measurements provided by the ground and aerial robots, as well as statistical change detection/isolation algorithms to perform the early detection of malfunctions. This will allow maintenance operations before a fault has a significant effect on the system.

Several users have different roles in accessing system features via a Web browser and through different devices. The application is equipped with a front end, which presents the result of data analyses to the user, and a back end, which accesses the database (local or central) and manipulates the data stored in it. The front end will be designed with the goal of producing modern, easy-to-use, and standard-based user interfaces.

Finally, driven by the software and hardware requirements, the following choices have been made for data organization and for the software solutions used for the development and usage of the application:

• All data will be represented in JSON, an open-standard file format that can be used for describing both structured and unstructured information.
• The batch system will be implemented using Spark, an open-source distributed and general-purpose framework for data analytics over big data that supports machine learning.
• To implement the real-time system, we will use Kafka, an open-source stream-processing platform to handle real-time data feeds efficiently, and Spark Streaming, a component of Spark supporting real-time analysis over streams.
• As we have already mentioned, both the local and the global database will be implemented using MongoDB, an open-source, NoSQL database management system that stores and manipulates data in JSON format.
• Linux will be used as the operating system of all the computers, C++ will be used for the automation of robots, and Python will be used as the host language for data processing.
• HTML, CSS, and JavaScript will be used for the implementation of the client component of the application.
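One way to realize the statistical change detection that this section plans for malfunction detection is a two-sided CUSUM test on the residual between the ground and aerial measurements of the same quantity. This is an added example, not the project's algorithm: the choice of CUSUM, the parameters `k` and `h`, and the constructed NDVI-like series are assumptions made for illustration.

```python
from statistics import mean, pstdev


def residuals(ugv, uav):
    """Per-sample difference between the two platforms' estimate of one quantity."""
    if len(ugv) != len(uav):
        raise ValueError("series must be aligned sample by sample")
    return [g - a for g, a in zip(ugv, uav)]


def fit_baseline(res, n_train):
    """Estimate the nominal residual mean and spread from a fault-free window."""
    mu0 = mean(res[:n_train])
    sigma = pstdev(res[:n_train])
    if sigma == 0:
        raise ValueError("training window has no variation")
    return mu0, sigma


def cusum_alarm(res, mu0, sigma, start, k=0.5, h=5.0):
    """Two-sided CUSUM on standardized residuals.

    k is the allowance (in sigmas) subtracted at every step, h the alarm
    threshold. Returns (index, direction) of the first alarm, or None.
    """
    g_up = g_down = 0.0
    for i in range(start, len(res)):
        z = (res[i] - mu0) / sigma
        g_up = max(0.0, g_up + z - k)
        g_down = max(0.0, g_down - z - k)
        if g_up > h:
            return i, "up"
        if g_down > h:
            return i, "down"
    return None


def threshold_alarm(res, mu0, sigma, start, n_sigma=3.0):
    """Per-sample n-sigma check, shown for comparison with CUSUM."""
    for i in range(start, len(res)):
        if abs(res[i] - mu0) > n_sigma * sigma:
            return i
    return None


def constructed_series(n, bias_from=None, bias=0.015):
    """Constructed data: a constant UAV index and a UGV index with bounded
    noise; from sample bias_from on, the UGV reading carries a small offset,
    as a miscalibrated camera would produce."""
    noise = [0.01, -0.01, 0.02, -0.02, 0.0]
    uav = [0.70] * n
    ugv = []
    for i in range(n):
        offset = bias if bias_from is not None and i >= bias_from else 0.0
        ugv.append(0.70 + noise[i % 5] + offset)
    return ugv, uav


def demo():
    """Fault injected at sample 30; first 20 samples train the baseline."""
    ugv, uav = constructed_series(60, bias_from=30)
    res = residuals(ugv, uav)
    mu0, sigma = fit_baseline(res, 20)
    return (cusum_alarm(res, mu0, sigma, start=20),
            threshold_alarm(res, mu0, sigma, start=20))


if __name__ == "__main__":
    print(demo())
```

On this constructed series the injected offset is about one standard deviation of the nominal residual, so no single sample crosses a 3-sigma limit, while the accumulated CUSUM statistic raises an alarm seven samples after the offset appears.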

7 Conclusions

In this chapter, we described the vision of the H2020 project PANTHEON, which focuses on the development of the agricultural equivalent of an industrial SCADA system to be used for the precision farming of orchards. In this regard, we first presented the current state of the art in the context of precision farming at large, as well as in the context of large-scale (hazelnut) orchards in order to highlight major limitations of current best practices. Indeed, this motivated the creation of the PANTHEON project whose objective is to propose an integrated system composed of heterogeneous robotic components along with an IoT agrometeorological network and a central computing unit to acquire information at the resolution of the individual plant. We explained how this architecture, by reaching the resolution of the single tree, compared to the current state of the art in precision farming for large-scale orchards, makes it possible to drastically increase the detection of possible limiting factors of each plant individually and react accordingly. Additionally, we showed how this new paradigm in precision farming may lead to a better average health of the orchard and to an increased effectiveness of IPM activities, thus leading to an increase of the orchard production while, at the same time, being more cost-effective and environmentally friendly. We also described the experimental setup that has been built within the PANTHEON project to validate the effectiveness of the proposed SCADA system in a real-world (1:1 scale) hazelnut orchard. To conclude, we believe that the proposed SCADA paradigm for Precision Agriculture may represent an attractive opportunity for the design of a novel real-time software architecture. In other words, by allowing the processing of massive amounts of datasets derived from the SCADA architecture, it will be possible to step up the current effectiveness of PA methodologies by providing real-time answers to the questions posed by farm managers, when in need of timely decisions.

Acknowledgments This work has been supported by the European Commission under the Grant Agreement number 774571 (Project PANTHEON Precision farming of hazelnut orchards).


21 Smart Grid and Demand Side Management

Ruilong Deng

Contents
1 Introduction
2 System Model
2.1 The Cost Function for the Power Provider
2.2 The Utility Functions for Power Consumers
3 One-Provider and One-Consumer Case
3.1 Problem Formulation
3.2 Lagrange Duality
3.3 Distributed Solution
4 One-Provider and Multi-Consumer Case
4.1 Without Interaction Among Consumers
4.2 With Interaction Among Consumers
5 Simulation
5.1 One-Provider and One-Consumer Case
5.2 One-Provider and Multi-Consumer Case
6 Conclusion
References

R. Deng
College of Control Science and Engineering, School of Cyber Science and Technology, Zhejiang University, Hangzhou, China

© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_43

Abstract When energy meets information, smart grid, also known as the Internet of energy, has been widely considered to be the informationization of the electric power system. As an essential characteristic of smart grid, demand side management can reschedule the users’ energy consumption to reduce the operating expense from expensive generators and further to defer the capacity addition in the long run. Considering the electricity price as an essential incentive to coordinate the real-time interaction among the power provider and consumers, in this chapter, we propose an optimal real-time pricing strategy for demand side management in smart grid. Firstly, we analytically model the power provider’s and consumers’ behaviors in the form of cost and utility functions. Secondly, we propose distributed algorithms and show that real-time pricing can align individual optimality with systematic optimality. Finally, we also take account of the interaction among power consumers and formulate demand side management in smart grid as an interaction game with Nash equilibrium achievable via best response. Simulation results demonstrate that the proposed distributed algorithms can potentially benefit both the power provider and consumers. The optimal real-time pricing strategy can be utilized to address demand side management in smart grid towards the benefit of the overall system.

Keywords Convex optimization · Demand side management · Game theory · Smart grid

1 Introduction

The electric power system is a large interconnected infrastructure for delivering electricity from power plants to end users. When energy meets information, smart grid, widely considered to be the next generation of the electric power system, has been proposed to fully upgrade energy generation, transmission, distribution, and consumption. As defined by Deng et al. (2011), Gungor et al. (2011), Fang et al. (2012), Deng et al. (2013a), Gungor et al. (2013), Sabbah et al. (2014), and Deng and Yang (2014), smart grid is an informationized electric power system that leverages information and communications technology (ICT) to automatically gather and act on meter data, in order to improve agility, reliability, efficiency, security, economy, sustainability, and environmental friendliness. Smart grid is also known as the Internet of energy, with characteristics of cyber-physical security, distributed generation, sensors throughout, self-monitoring, self-healing, etc. Two-way communications will enable information exchange and real-time control to optimize the system stability and security. Distributed generation will also be allowed, such as from PV panels on roofs, charging to/from electric vehicles or batteries, wind turbines, and other energy resources. Sensors and smart meters will be distributed throughout the grid, enabling technologies such as state estimation, which will allow self-monitoring and self-healing of the electric power system. Smart features such as renewable generation, advanced metering infrastructure, vehicle-to-grid (V2G) capability, and so on have been regarded as key components of smart grid, referring to Wang et al. (2013, 2014), Liu et al. (2016, 2018), Rahbari-Asr et al. (2016), Deng and Liang (2016, 2017), Ren et al. (2018), and You et al. (2018).
Besides, with pervasive distributed energy resources (DERs), micro-grid, a small electric power system that can operate independently from bulk generation, is becoming viable nowadays. Two operational modes, grid-connected and islanded, enable a micro-grid to act as a “prosumer” (producer and consumer) in smart grid. The concept of smart grid has been extended to smart buildings and smart cities as shown in Deng et al. (2016) and Zhang et al. (2017a,b).

By having smart meters installed at users’ premises and two-way communications enabled between the power provider and consumers, demand side management becomes an essential characteristic of smart grid (including micro-grid), with the ability to shape the users’ electricity loads in an automated and convenient fashion. As defined by Palensky and Dietrich (2011), Deng et al. (2013b, 2014a,b, 2015a,b,c), Siano (2014), and Zhang et al. (2016), demand side management is the rescheduling of the users’ energy usage patterns in response to the variance of the power provider’s incentive or electricity price, which is designed to reduce the demand at peak time periods or during system contingencies. The demand side management capability of smart grid, in essence, enables the supply and demand sides to interact with each other by exchanging the price and demand information, in order to make wise decisions. When users are provided with sufficient incentives, they are willing to change their energy usage patterns to trade off between comfort and electricity bills. The introduction of smart metering and the availability of bidirectional communications are two main technical drivers for incorporating demand side management into smart grid. From the smart grid perspective, demand side management is an effective means of rescheduling the users’ energy consumption to reduce the operating expense from expensive generators and further to defer the capacity addition in the long run.
This technology will make the electric power system more reliable, enhance the transparency and efficiency of the electricity market, and lead to mutual financial benefits for both the power provider and consumers; last but not least, this will reduce the generating emissions and alleviate the environmental impacts, by enabling a more efficient utilization of current grid capacity. In general, demand side management could be categorized into the following three aspects as shown in Momoh (2012) and Berger and Iniewski (2012):

1. Peak clipping is to reduce the peak energy consumption, in order to prohibit the load from exceeding the supply capacity of distribution substations, or the thermal limit of transformers and feeders. Users would have their satisfaction/comfort reduced since peak clipping cuts down some of their demand.
2. Valley filling is to promote the off-peak energy consumption through energy storage devices, such as rechargeable batteries and plug-in hybrid electric vehicles (PHEVs).
3. Load shifting is to shift the energy consumption over the time horizon, for example, to shift the demand from on-peak to off-peak time periods (the combination of peak clipping and valley filling), without reducing the users’ total energy consumption within a day.

Demand side management can be considered as the means or tariffs that the power provider takes to incentivize power consumers to reschedule their energy usage patterns. Considering the electricity price as an essential incentive to coordinate the real-time interaction among the power provider and consumers, in this chapter, we propose an optimal real-time pricing strategy for demand side management in smart grid. Firstly, we analytically model the power provider’s and consumers’ behaviors in the form of cost and utility functions. Secondly, we propose distributed algorithms and show that real-time pricing can align individual optimality with systematic optimality. Finally, we also take account of the interaction among power consumers and formulate demand side management in smart grid as an interaction game with Nash equilibrium achievable via best response. Simulation results demonstrate that the proposed distributed algorithms can potentially benefit both the power provider and consumers. The optimal real-time pricing strategy can be utilized to address demand side management in smart grid towards the benefit of the overall system.

2 System Model

Consider a smart grid consisting of one power provider, one or multiple power consumers, and a coordinator based on demand side management (DSM). We assume real-time and reliable two-way communications between the power provider and consumers. We also assume communications among power consumers. The time cycle is divided into $T$ time slots. The division is based on the behavior of power consumers, i.e., on-peak hours, mid-peak hours, and off-peak hours. At a certain time slot, let $s$ denote the energy supply of the power provider. Similarly, let $d_i$ denote the energy demand of the power consumer $i$ ($i = 1, 2, \ldots, n$, where $n$ is the total number of power consumers).

2.1 The Cost Function for the Power Provider

We consider the cost function $C(\cdot)$ indicating the expense of supplying energy $s$ by the power provider. The cost function is increasing and strictly convex. In this chapter, we consider the following quadratic cost function:

$$C(s) = a s^2 + b s + c, \tag{1}$$

where $a > 0$ and $b, c \ge 0$ are predetermined parameters. In fact, DSM accommodates any form of cost function (such as higher-degree polynomials) as long as it is increasing and strictly convex.

2.2 The Utility Functions for Power Consumers

The energy demand of a power consumer depends on the electricity price and the type of the power consumer, e.g., a residential consumer may have a different response to the same electricity price than an industrial one. The different responses of power consumers to the electricity price can be modeled by different utility functions. Specifically, for the power consumer $i$, the utility function $U_i(\cdot)$ represents the satisfaction obtained by the power consumer as a function of its energy demand $d_i$. The utility function is nondecreasing and concave. In this chapter, we consider the following quadratic utility function:

$$U_i(d_i) = \begin{cases} \omega_i d_i - \dfrac{\alpha_i}{2} d_i^2, & 0 \le d_i \le \dfrac{\omega_i}{\alpha_i}, \\[2mm] \dfrac{\omega_i^2}{2\alpha_i}, & d_i \ge \dfrac{\omega_i}{\alpha_i}, \end{cases} \tag{2}$$

where $\omega_i, \alpha_i > 0$ are predetermined parameters. It corresponds to a linear decreasing marginal benefit $V_i(d_i) \triangleq \partial U_i(d_i)/\partial d_i = \omega_i - \alpha_i d_i \ge 0$ when $0 \le d_i \le \omega_i/\alpha_i$. In fact, DSM accommodates any form of utility function (such as higher-degree polynomials) as long as it is nondecreasing and concave.

3 One-Provider and One-Consumer Case

At the beginning, consider a simple case for a smart grid consisting of one power provider, one power consumer, and the DSM coordinator. We formulate the interaction among the power provider, power consumer, and DSM coordinator as local and global optimization problems and obtain the solution in a distributed and iterative way. The electricity price is taken as an incentive to reach the balance between energy supply and demand, as well as the maximum profits of both the power provider and consumer.

3.1 Problem Formulation

For the power provider, at a certain time slot, under the electricity price $p$, the profit of the power provider by supplying energy $s$ is calculated as $P_p(s) = ps - C(s)$. The power provider wants to adjust its amount of energy supply in order to pursue the maximum profit. Thus, the local optimization problem from the power provider perspective is

$$\max_{s} \; ps - C(s). \tag{3}$$

For the power consumer, at a certain time slot, under the electricity price $p$, the profit of the power consumer by demanding energy $d$ is calculated as $P_c(d) = U(d) - pd$. The power consumer wants to adjust its amount of energy demand in order to pursue the maximum profit. Thus, the local optimization problem from the power consumer perspective is

$$\max_{d} \; U(d) - pd. \tag{4}$$


From the smart grid perspective, it is desirable that the expense of the power provider is minimized and the satisfaction of the power consumer is maximized. Mathematically, we define the system welfare as $W(s, d) = U(d) - C(s)$ where $s \ge d$. The individually optimal solution may not be systematically optimal under an arbitrary electricity price. We take the utility function minus the cost function as the objective with the constraint that the supply should be larger than or at least equal to the demand. Thus, the global optimization problem from the smart grid perspective is

$$\max_{s,d} \; U(d) - C(s) \quad \text{s.t.} \quad s \ge d. \tag{5}$$

Note that the problem is a concave maximization problem, which can be solved by convex optimization techniques in a centralized way as shown in Boyd and Vandenberghe (2004). For example, we take the constraint into the objective by a Lagrangian multiplier. Thus, the Lagrangian is defined as

$$L(s, d, \lambda) = U(d) - C(s) + \lambda (s - d) = [\lambda s - C(s)] + [U(d) - \lambda d], \tag{6}$$

where $\lambda$ is the Lagrangian multiplier associated with the constraint in (5). By means of $\partial L/\partial s = \partial L/\partial d = \partial L/\partial \lambda = 0$ for (6), the DSM coordinator wants to adjust the electricity price (later we will show that $\lambda$ can be interpreted as the electricity price) in order to pursue the maximum profit of both the power provider and consumer. However, the arising challenge is that the DSM coordinator needs to know the exact cost function of the power provider and utility function of the power consumer. Since such information is private and no one wants to reveal any of it, the DSM coordinator may not have sufficient information to solve the problem (5). Nevertheless, the distributed algorithm will not require the DSM coordinator to know the exact cost function of the power provider and utility function of the power consumer and thus preserves their privacy. Therefore, in the following, we will present the distributed algorithm to approach the optimal electricity price for demand side management in smart grid.

3.2 Lagrange Duality

In order to solve the problem (5) in a distributed way, we define the dual function as the maximum value of (6) over $s, d$:

$$D(\lambda) = \sup_{s,d} L(s, d, \lambda) = \sup_{s} \, [\lambda s - C(s)] + \sup_{d} \, [U(d) - \lambda d]. \tag{7}$$


Furthermore, the Lagrange dual problem is

$$\min_{\lambda} \; D(\lambda) \quad \text{s.t.} \quad \lambda > 0. \tag{8}$$

We can solve the dual problem (8) instead of the primal problem (5) as shown in Boyd and Vandenberghe (2004). Comparing (7) with (3) and (4), we find that the Lagrangian multiplier $\lambda$ can be replaced by the electricity price $p$ to pursue the global optimum. In this way, the dual problem can be decomposed into two separable subproblems: one is in the form of (3), which can be locally solved by the power provider, whereas the other is in the form of (4), which can be locally solved by the power consumer. After both the power provider and consumer solve their own local optimization problems to obtain $s^*$ and $d^*$, the DSM coordinator can solve the dual problem (8) to obtain $p^*$, which guarantees the constraint $s^* \ge d^*$, such that the locally optimal solution will become globally optimal. For the power provider, the locally optimal solution to (3) is

$$\frac{\partial P_p(s)}{\partial s} = p - \frac{\partial C(s)}{\partial s} = 0 \;\Rightarrow\; s^* = s(p). \tag{9}$$

Similarly, for the power consumer, the locally optimal solution to (4) is

$$\frac{\partial P_c(d)}{\partial d} = \frac{\partial U(d)}{\partial d} - p = 0 \;\Rightarrow\; d^* = d(p). \tag{10}$$

Taking the electricity price $p$ in place of the Lagrangian multiplier $\lambda$, together with the locally optimal solution $s^*$ and $d^*$, we rewrite the dual problem (8) as

$$\min_{p>0} \; D(p) = \left[ p s^* - C(s^*) \right] + \left[ U(d^*) - p d^* \right]. \tag{11}$$

The globally optimal solution to (11) is

$$\frac{\partial D(p)}{\partial p} = s^* + p \frac{\partial s^*}{\partial p} - \frac{\partial C(s^*)}{\partial s^*} \frac{\partial s^*}{\partial p} + \frac{\partial U(d^*)}{\partial d^*} \frac{\partial d^*}{\partial p} - d^* - p \frac{\partial d^*}{\partial p} = 0. \tag{12}$$

Note that from (9) and (10), we have $\partial C(s^*)/\partial s^* = \partial U(d^*)/\partial d^* = p$, so

$$\frac{\partial D(p)}{\partial p} = s^* - d^* = 0. \tag{13}$$

Overall, by jointly solving (9), (10), and (13), we can obtain the optimal electricity price $p^*$ and further calculate the specific $s^*$ and $d^*$, such that both local and global optimums are achieved. In other words, the DSM coordinator wants to make the locally optimal solution be globally optimal by adjusting the electricity price.

3.3 Distributed Solution

In order to preserve everyone’s privacy, it is possible to approach the optimal electricity price of the dual problem (11) in a distributed and iterative way as shown in Samadi et al. (2010):

1. The DSM coordinator begins with any initial electricity price $p^k \ge 0$ ($k \in \mathbb{N}^+$ is the iteration index) and announces it to both the power provider and consumer.
2. On receiving the electricity price $p^k$, the power provider updates its amount of energy supply $s^k$ by solving the local optimization problem $s^k = \arg\max_s \, [p^k s - C(s)]$ and feeds it back to the DSM coordinator. Similarly, on receiving the electricity price $p^k$, the power consumer also updates its amount of energy demand $d^k$ by solving the local optimization problem $d^k = \arg\max_d \, [U(d) - p^k d]$ and feeds it back to the DSM coordinator too.
3. On receiving the locally optimal energy supply $s^k$ and demand $d^k$, the DSM coordinator updates the electricity price $p^{k+1}$ for the next iteration using the following gradient projection method:

$$p^{k+1} = \left[ p^k - \gamma \frac{\partial D(p^k)}{\partial p^k} \right]^+ = \left[ p^k - \gamma \left( s^k - d^k \right) \right]^+, \tag{14}$$

where $\gamma > 0$ is the step size to adjust the convergence rate, and $[x]^+$ represents the larger one between $x$ and 0.
4. Repeat steps 1 to 3 until the electricity price remains unchanged.

The interaction among the power provider, power consumer, and DSM coordinator is shown in Fig. 1. Intuitively, from (14), if energy supply is larger than energy demand, i.e., $s^k > d^k$, the DSM coordinator will drop the electricity price, i.e., $p^{k+1} < p^k$. Otherwise, if energy supply is less than energy demand, i.e., $s^k < d^k$, the DSM coordinator will raise the electricity price, i.e., $p^{k+1} > p^k$. In this way, the iteration will converge to the globally optimal electricity price which balances the energy supply and demand. Note that the globally optimal electricity price which balances the energy supply and demand also achieves the maximum profit of both the power provider and consumer. Otherwise, if energy supply is larger than energy demand, the excess energy supplied by the power provider will be wasted, which reduces its profit. Similarly, if energy supply is less than energy demand, the power consumer will not be satisfied, which reduces its profit too.

Fig. 1 Interaction among power provider, power consumer, and DSM coordinator (the coordinator announces the price $p^k$ to both sides; the provider returns the supply $s^k$ and the consumer returns the demand $d^k$)

4 One-Provider and Multi-Consumer Case

Now, consider another case for a smart grid consisting of one power provider, multiple power consumers, and the DSM coordinator.

4.1 Without Interaction Among Consumers

Firstly, we focus on the interaction only between the DSM coordinator and each power consumer, i.e., each power consumer is expected to respond to the electricity price announced by the DSM coordinator. Under this paradigm, each power consumer only communicates with the DSM coordinator as depicted in Fig. 2, without the interaction among power consumers.

Fig. 2 Framework without interaction among power consumers (the DSM coordinator exchanges price and supply with the power provider, and price and demand with each power consumer 1, ..., i, ..., n)

The problem formulation of this case is similar to that in the one-provider and one-consumer case. The local optimization problem from the power provider perspective is the same as (3). For each power consumer $i$, at a certain time slot, under the electricity price $p$, the profit of each power consumer $i$ by demanding energy $d_i$ is calculated as

$$P_{c_i}(d_i) = U_i(d_i) - p d_i. \tag{15}$$

Each power consumer wants to adjust its amount of energy demand in order to pursue the maximum profit. Thus, the local optimization problem from each power consumer perspective is

$$\max_{d_i} \; U_i(d_i) - p d_i. \tag{16}$$

From the smart grid perspective, it is desirable that the expense of the power provider is minimized and the sum of the satisfaction of all power consumers is maximized. We take the sum of the utility functions minus the cost function as the objective with the constraint that the supply should be larger than or at least equal to the total demand. Thus, the global optimization problem from the smart grid perspective is

$$\max_{s,d} \; \sum_{i=1}^{n} U_i(d_i) - C(s) \quad \text{s.t.} \quad s \ge \sum_{i=1}^{n} d_i, \tag{17}$$

where $d \triangleq [d_1, \ldots, d_i, \ldots, d_n]$ are the energy demands of the power consumers. Note that the problem is a concave maximization problem, which can be solved by convex optimization techniques in a centralized way as shown in Boyd and Vandenberghe (2004). For example, the Lagrangian is defined as

$$L(s, d, \lambda) = \sum_{i=1}^{n} U_i(d_i) - C(s) + \lambda \left( s - \sum_{i=1}^{n} d_i \right) = [\lambda s - C(s)] + \sum_{i=1}^{n} [U_i(d_i) - \lambda d_i], \tag{18}$$

where $\lambda$ is the Lagrangian multiplier associated with the constraint in (17). Similarly, in order to solve the problem (17) in a distributed way, we define the dual function as the maximum value of (18) over $s, d$:

$$D(\lambda) = \sup_{s,d} L(s, d, \lambda) = \sup_{s} \, [\lambda s - C(s)] + \sum_{i=1}^{n} \sup_{d_i} \, [U_i(d_i) - \lambda d_i]. \tag{19}$$

Furthermore, the Lagrange dual problem is

$$\min_{p>0} \; D(p) = \left[ p s^* - C(s^*) \right] + \sum_{i=1}^{n} \left[ U_i(d_i^*) - p d_i^* \right]. \tag{20}$$

We can solve the dual problem (20) instead of the primal problem (17) as shown in Boyd and Vandenberghe (2004). Similarly, in order to preserve everyone’s privacy, it is possible to approach the optimal electricity price of the dual problem (20) in a distributed and iterative way as shown in Samadi et al. (2010):

1. The DSM coordinator begins with any initial electricity price $p^k \ge 0$ and announces it to the power provider and all power consumers.
2. On receiving the electricity price $p^k$, the power provider updates its amount of energy supply $s^k$ by solving the local optimization problem $s^k = \arg\max_s \, [p^k s - C(s)]$ and feeds it back to the DSM coordinator. Similarly, on receiving the electricity price $p^k$, each power consumer also updates its amount of energy demand $d_i^k$ by solving the local optimization problem $d_i^k = \arg\max_{d_i} \, [U_i(d_i) - p^k d_i]$ and feeds it back to the DSM coordinator too.
3. On receiving the locally optimal supply $s^k$ and demands $d_i^k$, the DSM coordinator updates the electricity price $p^{k+1}$ for the next iteration using the gradient projection method:

$$p^{k+1} = \left[ p^k - \gamma \frac{\partial D(p^k)}{\partial p^k} \right]^+ = \left[ p^k - \gamma \left( s^k - \sum_{i=1}^{n} d_i^k \right) \right]^+. \tag{21}$$

4. Repeat steps 1 to 3 until the electricity price remains unchanged.

Fig. 3 Interaction among power provider, each power consumer, and DSM coordinator (diagram labels: Power Provider, DSM Coordinator, Power Consumer i; Price $p^k$, Supply $s^k$, Demand $d_i^k$)

The interaction among the power provider, each power consumer, and DSM coordinator is shown in Fig. 3.
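The four-step price iteration above, as an added example that is not code from the chapter. It assumes the quadratic cost C(s) = a s² + b s and utility U(d) = ωd − (α/2)d² used in the chapter's simulation section; the names `make_provider`, `make_consumer`, `coordinate` and `Outcome` are hypothetical. The coordinator only ever sees supply and demand values, never the private functions behind them.

```python
"""Distributed real-time pricing: steps 1-4 with the price update of Eq. (21)."""
from typing import Callable, List, NamedTuple

Agent = Callable[[float], float]  # maps an announced price to a supply or a demand


def make_provider(a: float, b: float) -> Agent:
    """Provider whose private cost is C(s) = a*s^2 + b*s (assumed quadratic form)."""
    def respond(price: float) -> float:
        # s^k = argmax_s [p*s - C(s)]: solve C'(s) = p, then clip to s >= 0
        return max(0.0, (price - b) / (2.0 * a))
    return respond


def make_consumer(omega: float, alpha: float) -> Agent:
    """Consumer whose private utility is U(d) = omega*d - (alpha/2)*d^2 (assumed form)."""
    def respond(price: float) -> float:
        # d_i^k = argmax_d [U(d) - p*d]: solve U'(d) = p, then clip to d >= 0
        return max(0.0, (omega - price) / alpha)
    return respond


class Outcome(NamedTuple):
    price: float
    supply: float
    demands: List[float]
    iterations: int
    converged: bool


def coordinate(provider: Agent, consumers: List[Agent], p0: float, gamma: float,
               tol: float = 1e-9, max_iter: int = 2000) -> Outcome:
    """DSM coordinator: announce price, collect responses, apply Eq. (21), repeat."""
    price = p0                                        # step 1: any initial price >= 0
    for k in range(1, max_iter + 1):
        supply = provider(price)                      # step 2: provider feedback
        demands = [c(price) for c in consumers]       # step 2: consumer feedback
        # step 3: p^{k+1} = [p^k - gamma * (s^k - sum_i d_i^k)]^+
        new_price = max(0.0, price - gamma * (supply - sum(demands)))
        moved = abs(new_price - price)
        price = new_price
        if moved < tol:                               # step 4: price unchanged, stop
            return Outcome(price, provider(price),
                           [c(price) for c in consumers], k, True)
    return Outcome(price, provider(price),
                   [c(price) for c in consumers], max_iter, False)


if __name__ == "__main__":
    provider = make_provider(a=0.1, b=0.5)            # parameter values from Sect. 5.1
    single = [make_consumer(omega=3.0, alpha=0.5)]
    for p0 in (0.0, 3.0):
        r = coordinate(provider, single, p0, gamma=0.1)
        print(f"p1={p0}: price={r.price:.4f} supply={r.supply:.4f} "
              f"demand={r.demands[0]:.4f} iterations={r.iterations}")
    three = [make_consumer(w, 0.5) for w in (2.5, 3.0, 3.5)]   # Sect. 5.2 setting
    r = coordinate(provider, three, p0=3.0, gamma=0.05)
    print(f"three consumers: price={r.price:.4f} demands="
          f"{[round(d, 4) for d in r.demands]}")
```

With these parameters the one-consumer price map has slope 1 − 7γ between projections, so a step size such as γ = 0.3 leaves the price oscillating and `converged` stays `False`.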

4.2 With Interaction Among Consumers

Rather than focusing only on how each power consumer behaves individually, we propose a framework with interaction among power consumers via message exchanges, e.g., each power consumer can share its energy demand $d_i$ among others. As depicted in Fig. 4, the blue arrows represent the two-way communications between the power provider and each power consumer, while the red bidirectional arrows correspond to the interaction among power consumers. From (9) we know that $p = \partial C(s)/\partial s$ is the locally optimal electricity price for the power provider. From the above we also know that the global optimum exists at $s = \sum_{i=1}^{n} d_i$, by means of $\partial L/\partial \lambda = 0$ for (18). Therefore, at a certain time slot, if the energy demand of each power consumer i is $d_i$, then the locally optimal electricity price for the power provider is calculated as

$$p = \left.\frac{\partial C(s)}{\partial s}\right|_{s=\sum_{i=1}^{n} d_i} = C'\left(\sum_{i=1}^{n} d_i\right). \qquad (22)$$

Fig. 4 Framework with interaction among power consumers (diagram nodes: Power Provider; Power Consumer 1, ..., Power Consumer i, ..., Power Consumer n)

4.2.1 Game Theory

Game theory is a study of selfish and rational players and a formal model of interactive decision-making situations. A game $G = \{N, D, \{P_i(\cdot)\}\}$ consists of the following three components as shown in Fudenberg and Tirole (1991):

1. Players: $N = \{1, 2, \cdots, n\}$ is a finite set of players, where n is the total number of players in the game.
2. Strategies: $D = \times_{i}^{n} D_i$ is the strategy space of the game, and each player i chooses a strategy $d_i$ from its strategy set $D_i$. In general, we denote a strategy vector by $d = (d_i, d_{-i})$, where $d_{-i} \triangleq [d_1, \cdots, d_{i-1}, d_{i+1}, \cdots, d_n]$ are the strategies chosen by all the other players in the game.
3. Payoff functions: $\{P_i(\cdot)\}$ is a finite set of payoff functions. The payoff $P_i$ of the player i is determined by the strategy vector d.

Each selfish and rational player i wishes to choose the optimal strategy $d_i$ according to the other players' strategies $d_{-i}$ to maximize its own payoff $P_i(d_i, d_{-i})$.

Nash equilibrium (NE) is the most important equilibrium concept in game theory. NE is a stable strategy vector from which no player has any benefit in unilaterally deviating. A strategy vector $d^* = (d_i^*, d_{-i}^*)$ is called NE if and only if $P_i(d^*) \ge P_i(d_i, d_{-i}^*)$, $\forall i \in N$, $\forall d_i \in D_i$.

Theorem 1 A game can be shown to have NE if the following conditions are satisfied as shown in Neel et al. (2004):

1. The player set is finite.
2. The strategy sets are closed, bounded, and convex.
3. The payoff functions are continuous in strategy space and quasi-concave.

An S-modular game restricts the payoff functions $\{P_i(\cdot)\}$ such that for $\forall i \in N$ either (23a) or (23b) is satisfied:

$$\frac{\partial^2 P_i(d)}{\partial d_i \partial d_j} \ge 0 \quad \forall j \ne i \in N \qquad (23a)$$

$$\frac{\partial^2 P_i(d)}{\partial d_i \partial d_j} \le 0 \quad \forall j \ne i \in N. \qquad (23b)$$

When (23a) is satisfied, the game is said to be super-modular, whereas when (23b) is satisfied, the game is said to be sub-modular. For the S-modular game, we can use best response to converge to NE as shown in Neel et al. (2004).

4.2.2 Game Among Consumers

A basic modeling assumption in this chapter is that each power consumer behaves rationally in a self-interested manner. Each one wants to adjust its amount of demand to maximize its own payoff. We now model demand side management in smart grid as an interaction game among power consumers:

1. Players: All power consumers in smart grid are the players in the game.
2. Strategies: The strategy $d_i$ of the player i is its energy demand.
3. Payoff functions: Taking (22) into (15), we obtain the payoff function of each power consumer i as

$$P_i(d_i, d_{-i}) = U_i(d_i) - C'\left(\sum_{i=1}^{n} d_i\right) d_i. \qquad (24)$$

Taking (1) and (2) into (24), we have, for $\forall i \in N$,

$$\frac{\partial^2 P_i(d)}{\partial d_i \partial d_j} = -2a < 0 \quad \forall j \ne i \in N. \qquad (25)$$

Based on Theorem 1, NE is considered to be the solution of the game. Meanwhile, the game corresponds to the sub-modular game, where we can use best response to converge to NE. Best response allows that, at each iteration, each player adapts its strategy to the strategies of others to maximize its own payoff. We design the best response algorithm as follows:

1. Initial condition: Each player chooses a random strategy.
2. Adaptation condition: Each player chooses the optimal strategy according to the strategies of others to improve its own payoff:

$$d_i^* = \arg\max_{d_i \in D_i} P_i(d_i, d_{-i}). \qquad (26)$$

Note that at each iteration, each player updates its strategy while the others keep their strategies fixed.
3. Repeat step 2 until no player revises its strategy.

4.2.3 Distributed Solution

Note that (26) is a concave maximization problem, which can be solved by convex optimization techniques in a centralized way. However, the arising challenge is that each power consumer needs to know the exact cost function of the power provider. Since such information is private and the power provider does not want to reveal any, each power consumer may not have sufficient information to solve the problem (26). In order to preserve the power provider's privacy, it is possible to approach the optimal strategy of the optimization problem (26) in a distributed and iterative way:

1. Each power consumer shares the information of its current energy demand $d_i$ among others.
2. The power consumer i begins with any initial demand $d_i^k \ge 0$ and aggregates the total demand of all power consumers, i.e., $d^k \triangleq d_i^k + \sum_{j=1, j \ne i}^{n} d_j$, and sends it to the power provider.
3. On receiving the total demand, the power provider calculates the values of $C'(d^k)$ and $C''(d^k)$ and feeds them back to the power consumer i.
4. On receiving the feedback, the power consumer i updates its energy demand $d_i^{k+1}$ for the next iteration using the following gradient projection method:

$$d_i^{k+1} = \left[d_i^k + \eta \frac{\partial P_i(d_i^k, d_{-i})}{\partial d_i^k}\right]^+ = \left[d_i^k + \eta\left(U_i'(d_i^k) - C'(d^k) - d_i^k C''(d^k)\right)\right]^+, \qquad (27)$$

where η > 0 is the step size to adjust the convergence rate.
5. Repeat from step 2 to step 4 until the power consumer i does not revise its energy demand.

The interaction among the power provider and each power consumer is shown in Fig. 5.
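The best response algorithm of Sect. 4.2.2 and the distributed update (27) of Sect. 4.2.3, as an added example that is not code from the chapter. It assumes the quadratic cost C(s) = a s² + b s and utility U_i(d) = ω_i d − (α_i/2)d² with the parameter values of the simulation section; all function names are hypothetical and the initial demands are constructed. The closed-form response needs the provider's a and b, while the distributed one uses only the fed-back values C'(d^k) and C''(d^k).

```python
"""DSM game among consumers: best response dynamics, with problem (26) solved two ways."""

A, B = 0.1, 0.5                                    # provider cost C(s) = A*s^2 + B*s (private)
CONSUMERS = [(2.5, 0.5), (3.0, 0.5), (3.5, 0.5)]   # (omega_i, alpha_i) per consumer


def provider_feedback(total_demand):
    """Step 3 of Sect. 4.2.3: the provider reveals only C'(d^k) and C''(d^k)."""
    return 2.0 * A * total_demand + B, 2.0 * A


def payoff(i, demands):
    """Eq. (24): P_i = U_i(d_i) - C'(sum of demands) * d_i."""
    omega, alpha = CONSUMERS[i]
    price, _ = provider_feedback(sum(demands))
    d = demands[i]
    return omega * d - 0.5 * alpha * d * d - price * d


def best_response_closed_form(i, demands):
    """Centralized solution of (26); requires knowing A and B, the provider's secret."""
    omega, alpha = CONSUMERS[i]
    others = sum(demands) - demands[i]
    return max(0.0, (omega - B - 2.0 * A * others) / (alpha + 4.0 * A))


def best_response_distributed(i, demands, eta=0.5, tol=1e-12, max_iter=10_000):
    """Steps 2-5 of Sect. 4.2.3: iterate Eq. (27) with the other demands held fixed."""
    omega, alpha = CONSUMERS[i]
    others = sum(demands) - demands[i]
    d = demands[i]
    for _ in range(max_iter):
        c1, c2 = provider_feedback(d + others)      # consumer sends d^k, gets C', C''
        grad = (omega - alpha * d) - c1 - d * c2    # U_i'(d) - C'(d^k) - d * C''(d^k)
        new_d = max(0.0, d + eta * grad)            # projection onto d >= 0
        if abs(new_d - d) < tol:
            return new_d
        d = new_d
    raise RuntimeError("Eq. (27) did not settle; reduce eta")


def best_response_dynamics(initial, respond, tol=1e-9, max_sweeps=1000):
    """Each player in turn updates while the others keep their strategies fixed."""
    demands = list(initial)
    for sweep in range(1, max_sweeps + 1):
        change = 0.0
        for i in range(len(demands)):
            new_d = respond(i, demands)
            change = max(change, abs(new_d - demands[i]))
            demands[i] = new_d
        if change < tol:                            # no player revises its strategy
            return demands, sweep
    raise RuntimeError("best response did not converge")


def is_nash(demands, d_max=6.0, grid=200, slack=1e-9):
    """Check the NE definition on a grid: no unilateral deviation raises a payoff."""
    for i in range(len(demands)):
        base = payoff(i, demands)
        for k in range(grid + 1):
            trial = list(demands)
            trial[i] = d_max * k / grid
            if payoff(i, trial) > base + slack:
                return False
    return True


if __name__ == "__main__":
    start = [0.5, 3.0, 1.0]                         # constructed initial strategies
    for name, respond in (("closed form", best_response_closed_form),
                          ("distributed", best_response_distributed)):
        ne, sweeps = best_response_dynamics(start, respond)
        print(name, [round(d, 4) for d in ne], "sweeps:", sweeps,
              "NE:", is_nash(ne))
```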

5 Simulation

We provide numerical examples to evaluate the proposed distributed algorithms.

Fig. 5 Interaction among power provider and each power consumer

5.1 One-Provider and One-Consumer Case

Consider a smart grid consisting of one power provider, one power consumer, and the DSM coordinator. The simulation parameters are set as a = 0.1, b = 0.5, c = 0, ω = 3, and α = 0.5. That is, we assume that the power provider has the cost function $C(s) = 0.1s^2 + 0.5s$ while the power consumer has the utility function $U(d) = 3d - (0.5/2)d^2$. Firstly, in Fig. 6, we fix the step size at γ = 0.1 and set the initial electricity price at $p^1 = 0$ and $p^1 = 3$, respectively. It is shown that in both cases, the electricity price converges to the global optimum which balances between the energy supply and demand. The system welfare achieves the best with the convergence of the electricity price, where the locally optimal solution of both the power provider and consumer becomes globally optimal at the converged electricity price. The convergence rate is considerably fast, which is desirable for the real-time requirement of smart grid.

Next, in Fig. 7a, γ is fixed while $p^1$ varies from 0 to 3, to study how the initial electricity price impacts the convergence performance. The figure indicates that the electricity price will finally converge to the equilibrium regardless of any initial value, although the convergence rates may be different. Similarly, in Fig. 7b, $p^1$ is fixed while γ varies from 0.025 to 0.25, to study the impact of the step size on the electricity price convergence. We find that the smaller the step size, the slower the convergence, while the larger the step size, the faster the convergence, but the system may only approach within a certain neighborhood of the equilibrium. This is a general characteristic of any gradient-based method. In practice, we can first choose a large step size to ensure fast convergence and subsequently reduce the step size once the electricity price starts oscillating around a certain value.

Fig. 6 Demand side management in smart grid of one-provider and one-consumer case (panels: $p^1 = 0$ and $p^1 = 3$; curves: Energy Supply, Energy Demand, Electricity Price, Power Provider Profit, Power Consumer Profit, System Welfare; x-axis: Iteration)

Fig. 7 Impact of adjustable parameters on electricity price convergence: (a) γ = 0.1 with $p^1$ = 0, 0.5, 1, 2, 3; (b) $p^1$ = 0 with γ = 0.025, 0.05, 0.1, 0.2, 0.25 (axes: Electricity Price vs. Iteration)

Fig. 8 Demand side management in smart grid of one-provider and multi-consumer case (panels: α = 0.5 with ω1 = 2.5, ω2 = 3, ω3 = 3.5; ω = 3 with α1 = 0.4, α2 = 0.5, α3 = 0.6; curves: Energy Supply, Energy Demand 1 to 3, Electricity Price, Power Provider Profit, Power Consumer 1 to 3 Profit, System Welfare; x-axis: Iteration)

5.2 One-Provider and Multi-Consumer Case

Consider a smart grid consisting of one power provider, three power consumers, and the DSM coordinator. The simulation parameters for the power provider are the same as those in the one-provider and one-consumer case, while the utility functions of different power consumers are assumed to be different. The initial electricity price and step size are fixed at $p^1 = 3$ and γ = 0.05.

5.2.1 Without Interaction Among Consumers

In Fig. 8, we first set α = 0.5 while ω varies from 2.5 to 3.5 for different power consumers. It is shown that the larger the value of ω, the more energy the power consumer will demand. Then we set ω = 3 while α varies from 0.4 to 0.6 for different power consumers. The figure indicates that the larger the value of α, the less energy the power consumer will demand. The system welfare achieves the best with the convergence of the electricity price, where the locally optimal solution to the power provider and each power consumer becomes globally optimal under the converged electricity price. The convergence rate is considerably fast, which is desirable for the real-time requirement of smart grid.


5.2.2 With Interaction Among Consumers

In Fig. 9, we set α = 0.5 while ω varies from 2.5 to 3.5 for different power consumers. It is shown that the larger the value of ω, the more energy the power consumer will demand. Initially, the demands of the three power consumers are random, so their payoffs are very low. Then, at each iteration, each power consumer chooses the most selfish strategy according to the strategies of others to improve its own payoff. We can see from the figure that the best response algorithm guarantees that the power consumers' strategies and payoffs converge to NE. The convergence rate is considerably fast, which is desirable for the real-time requirement of smart grid. At NE, each power consumer achieves the best payoff. Through the DSM game, each power consumer can strategically adjust its demand to improve its individual profit. We also evaluate the distributed and iterative approach to the problem (26). The initial energy demands of the three power consumers are the same as those in the DSM game, and the step size is fixed at η = 0.5. It is shown that the energy demands of all power consumers converge to the optimal solution solved in a centralized way.

Fig. 9 DSM game in smart grid of one-provider and multi-consumer case (α = 0.5; ω1 = 2.5, ω2 = 3, ω3 = 3.5) (panels: Strategy vs. Iteration for d1, d2, d3; Payoff vs. Iteration for P1, P2, P3; Power Provider Profit, Power Consumer Profit and System Welfare vs. Iteration; Strategy vs. Iteration for d1, d2, d3 against d1*, d2*, d3*)

In Fig. 10, we set ω = 3 while α varies from 0.4 to 0.6 for different power consumers. The figure indicates that the larger the value of α, the less energy the power consumer will demand. We can see from the figure that the best response algorithm guarantees that the power consumers' strategies and payoffs converge to NE. The convergence rate is considerably fast, which is desirable for the real-time requirement of smart grid. At NE, each consumer achieves the best payoff. We also evaluate the distributed and iterative approach to the problem (26). The initial energy demands of the three power consumers are the same as those in the DSM game, and the step size is fixed at η = 0.5. It is shown that the energy demands of all power consumers converge to the optimal solution solved in a centralized way.

Fig. 10 DSM game in smart grid of one-provider and multi-consumer case (ω = 3; α1 = 0.4, α2 = 0.5, α3 = 0.6) (panels: Strategy vs. Iteration for d1, d2, d3; Payoff vs. Iteration for P1, P2, P3; Power Provider Profit, Power Consumer Profit and System Welfare vs. Iteration; Strategy vs. Iteration for d1, d2, d3 against d1*, d2*, d3*)

When we address demand side management in smart grid while assuming that there is no interaction among power consumers, we refer to the solution as "solution 1" (without interaction). When we assume the interaction among power consumers and formulate the DSM game to address demand side management in smart grid, we refer to the solution as "solution 2" (interaction game). In Fig. 11, we compare the performance of these two solutions. We first set α = 0.5 while ω varies from 2.5 to 3.5 for different power consumers. Then we set ω = 3 while α varies from 0.4 to 0.6 for different power consumers. It is shown that in both cases, each power consumer's profit in solution 1 outperforms that in solution 2, while the power provider's profit and system welfare are a little lower than those in solution 2. The reason is that the algorithm without interaction takes the system welfare into the first consideration, while in the interaction game each power consumer is selfish and rational and only wants to maximize its individual profit, regardless of the power provider's profit or the system welfare.

Fig. 11 Comparison between "solution 1" (without interaction) and "solution 2" (interaction game) to demand side management in smart grid

6 Conclusion

When energy meets information, smart grid, also known as the Internet of energy, has been proposed to informationize the electric power system towards the next generation. Demand side management emerges as a promising technology to promote the interaction and responsiveness of end users with the aim of not only reducing their bills or saving energy but also benefiting system operation, expansion, and market efficiency, by means of actively adapting demand to supply or reacting fast to system contingencies. Taking advantage of smart meters and the two-way communications they enable, the electricity price plays a major role in incentivizing users to reschedule their energy usage patterns and become involved in demand side management.


In this chapter, we propose an optimal real-time pricing strategy for demand side management in smart grid. It can be implemented in a distributed manner such that the real-time interaction among the power provider and consumers is coordinated through a limited number of message exchanges. We show that real-time pricing can align individual optimality with systematic optimality. We also take account of the interaction among power consumers and formulate demand side management in smart grid as an interaction game with Nash equilibrium achievable via best response. Simulation results demonstrate that, by using the proposed optimization-based real-time pricing strategy, not only the power provider but also consumers will benefit. The DSM coordinator in smart grid can thus use the optimal real-time pricing strategy to address demand side management towards the benefit of the overall system.

References

L.T. Berger, K. Iniewski, Smart Grid Applications, Communications, and Security (Wiley, Hoboken, 2012)
S. Boyd, L. Vandenberghe, Convex Optimization (Cambridge University Press, Cambridge, 2004)
R. Deng, H. Liang, Whether to charge an electric vehicle or not? A near-optimal online approach, in Proceedings of IEEE Power and Energy Society General Meeting (PES-GM), 2016, pp. 1–5
R. Deng, H. Liang, Whether to charge or discharge an electric vehicle? An optimal approach in polynomial time, in Proceedings of IEEE Vehicular Technology Conference (VTC-fall), 2017, pp. 1–5
R. Deng, Z. Yang, Cooperative transmission game for smart grid communication, in Proceedings of IEEE International Conference on Control & Automation (ICCA), 2014, pp. 314–319
R. Deng, S. Maharjan, X. Cao, J. Chen, Y. Zhang, S. Gjessing, Sensing-delay tradeoff for communication in cognitive radio enabled smart grid, in Proceedings of IEEE International Conference on Smart Grid Communications (SmartGridComm), 2011, pp. 155–160
R. Deng, J. Chen, X. Cao, Y. Zhang, S. Maharjan, S. Gjessing, Sensing-performance tradeoff in cognitive radio enabled smart grid. IEEE Trans. Smart Grid 4(1), 302–310 (2013a)
R. Deng, Z. Yang, J. Chen, Load scheduling with price uncertainty and coupling constraints, in Proceedings of IEEE Power & Energy Society General Meeting (PES-GM), 2013b, pp. 1–5
R. Deng, Z. Yang, J. Chen, N.R. Asr, M.Y. Chow, Residential energy consumption scheduling: A coupled-constraint game approach. IEEE Trans. Smart Grid 5(3), 1340–1350 (2014a)
R. Deng, Z. Yang, J. Chen, M.Y. Chow, Load scheduling with price uncertainty and temporally-coupled constraints in smart grids. IEEE Trans. Power Syst. 29(6), 2823–2834 (2014b)
R. Deng, G. Xiao, R. Lu, J. Chen, Fast distributed demand response with spatially and temporally coupled constraints in smart grid. IEEE Trans. Ind. Inf. 11(6), 1597–1606 (2015a)
R. Deng, Z. Yang, M.Y. Chow, J. Chen, A survey on demand response in smart grids: Mathematical models and approaches. IEEE Trans. Ind. Inf. 11(3), 570–582 (2015b)
R. Deng, Z. Yang, F. Hou, M.Y. Chow, J. Chen, Distributed real-time demand response in multiseller–multibuyer smart distribution grid. IEEE Trans. Power Syst. 30(5), 2364–2374 (2015c)
R. Deng, Z. Zhang, J. Ren, H. Liang, Indoor temperature control of cost-effective smart buildings via real-time smart grid communications, in Proceedings of IEEE Global Communications Conference (GLOBECOM), 2016, pp. 1–6
X. Fang, S. Misra, G. Xue, D. Yang, Smart grid — The new and improved power grid: A survey. IEEE Commun. Surv. Tutorials 14(4), 944–980 (2012)
D. Fudenberg, J. Tirole, Game Theory (MIT Press, Cambridge, 1991)
V.C. Gungor, D. Sahin, T. Kocak, S. Ergut, C. Buccella, C. Cecati, G.P. Hancke, Smart grid technologies: Communication technologies and standards. IEEE Trans. Ind. Inf. 7(4), 529–539 (2011)
V.C. Gungor, D. Sahin, T. Kocak, S. Ergut, C. Buccella, C. Cecati, G.P. Hancke, A survey on smart grid potential applications and communication requirements. IEEE Trans. Ind. Inf. 9(1), 28–42 (2013)
Y. Liu, R. Deng, H. Liang, Game-theoretic control of PHEV charging with power flow analysis. AIMS Energy 4(2), 379–396 (2016)
Y. Liu, R. Deng, H. Liang, A stochastic game approach for PEV charging station operation in smart grid. IEEE Trans. Ind. Inf. 14(3), 969–979 (2018)
J.A. Momoh, Smart Grid: Fundamentals of Design and Analysis (Wiley, Hoboken, 2012)
J.O. Neel, J.H. Reed, R.P. Gilles, Convergence of cognitive radio networks, in Proceedings of IEEE Wireless Communications and Networking Conference (WCNC), 2004, pp. 2250–2255
P. Palensky, D. Dietrich, Demand side management: Demand response, intelligent energy systems, and smart loads. IEEE Trans. Ind. Inf. 7(3), 381–388 (2011)
N. Rahbari-Asr, M.Y. Chow, J. Chen, R. Deng, Distributed real-time pricing control for large-scale unidirectional V2G with multiple energy suppliers. IEEE Trans. Ind. Inf. 12(5), 1953–1962 (2016)
J. Ren, J. Hu, R. Deng, D. Zhang, Y. Zhang, X.S. Shen, Joint load scheduling and voltage regulation in the distribution system with renewable generators. IEEE Trans. Ind. Inf. 14(4), 1564–1574 (2018)
A.I. Sabbah, A. El-Mougy, M. Ibnkahla, A survey of networking challenges and routing protocols in smart grids. IEEE Trans. Ind. Inf. 10(1), 210–221 (2014)
P. Samadi, A.H. Mohsenian-Rad, R. Schober, V.W. Wong, J. Jatskevich, Optimal real-time pricing algorithm based on utility maximization for smart grid, in Proceedings of IEEE International Conference on Smart Grid Communications (SmartGridComm), 2010, pp. 415–420
P. Siano, Demand response and smart grids-a survey. Renew. Sust. Energ. Rev. 30, 461–478 (2014)
M. Wang, H. Liang, R. Deng, R. Zhang, X.S. Shen, VANET based online charging strategy for electric vehicles, in Proceedings of IEEE Global Communications Conference (GLOBECOM), 2013, pp. 4804–4809
M. Wang, H. Liang, R. Zhang, R. Deng, X. Shen, Mobility-aware coordinated charging for electric vehicles in VANET-enhanced smart grid. IEEE J. Sel. Areas Commun. 32(7), 1344–1360 (2014)
P. You, S.H. Low, L. Zhang, R. Deng, G.B. Giannakis, Y. Sun, Z. Yang, Scheduling of EV battery swapping–part ii: Distributed solutions. IEEE Trans. Control Netw. Syst. 5(4), 1920–1930 (2018)
Z. Zhang, R. Deng, T. Yuan, S.J. Qin, Bi-level demand response game with information sharing among consumers. IFAC-PapersOnLine 49(7), 663–668 (2016)
Z. Zhang, R. Deng, T. Yuan, S.J. Qin, Distributed optimization of multi-building energy systems with spatially and temporally coupled constraints, in Proceedings of IEEE American Control Conference (ACC), 2017a, pp. 2913–2918
Z. Zhang, R. Deng, T. Yuan, S.J. Qin, Sliding window games for cooperative building temperature control using a distributed learning method. Front Eng. Manage. 4(3), 304–314 (2017b)

22 Vehicle Communications for Infotainment Applications

Bach Long Nguyen, Duy T. Ngo, and Hai L. Vu

Contents
1 Intelligent Transportation System and Its Applications
1.1 Safety Applications
1.2 Traffic Management
1.3 Infotainment Applications
2 V2X Communications to Support Infotainment Applications
2.1 V2V-Based Solutions for Infotainment Applications
2.2 V2I-Based Solutions for Infotainment Applications
3 Recent Advances in Combination of V2I and V2V for Infotainment Applications
3.1 Should V2I Communications Be Combined with V2V Communications?
3.2 Existing Solutions Combining V2I Communications with V2V Communications
3.3 Preliminary Results of Our Proposed Cooperation Scheme
4 Conclusion
References

Abstract

This chapter provides an overview of vehicle-to-infrastructure (V2I) and vehicle-to-vehicle (V2V) communications, collectively referred to as vehicle-to-everything (V2X), deployed for infotainment applications of intelligent transportation system (ITS). Drawing on the characteristics of ITS's application categories, the chapter emphasizes the importance as well as the stringent technical specifications of infotainment applications. Surveying the state of the art of current technical papers, the chapter introduces the benefits of V2I-based and V2V-based communications, as well as their limitations. Furthermore, the chapter provides insights into recent advances where the essential role of combining V2I and V2V communications for infotainment applications is discussed.

Keywords

Infotainment applications · Intelligent transportation systems (ITSs) · Vehicle-to-everything (V2X) · Vehicle-to-infrastructure (V2I) · Vehicle-to-vehicle (V2V)

B. L. Nguyen · D. T. Ngo
School of Electrical Engineering and Computing, The University of Newcastle, Callaghan, NSW, Australia

H. L. Vu
Department of Civil Engineering, Institute of Transport Studies, Monash University, Clayton, VIC, Australia

© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_44

1 Intelligent Transportation System and Its Applications

The intelligent transportation system (ITS) is a collection of advanced technologies such as information systems, communications, sensor controllers, and algorithms deployed on top of the existing transportation infrastructure. ITSs can improve safety, mitigate traffic congestion, and enhance productivity. Based on the information obtained by ITS, smart decisions are made to mitigate traffic congestion, pollution, and accident risks. Benefits from ITS are estimated at saving $3.5, $3.8, and $7.5 billion from improving system efficiency, road safety, and congestion reduction, respectively. ITS applications can be classified into three categories as shown in Fig. 1: safety applications, traffic management, and infotainment applications.

1.1 Safety Applications

The two main targets of safety applications are minimizing the risk of accidents or reducing their severity. For example, inter-vehicle distance and speed are adjusted dynamically depending on the actual traffic situation. On the other hand, infrastructures and in-vehicle units in an intersection collision avoidance application broadcast a warning to neighboring vehicles if a traffic collision is detected. In order to help the drivers react as fast as possible, all messages in safety applications must be broadcast with low latency. According to MacHardy et al. (2018), the European Telecommunications Standards Institute (ETSI) defines the minimum round-trip latency of 50 ms for broadcasting pre-sense crash warnings. Meanwhile, the US Department of Transportation requires an allowable minimum latency of 20 ms. In general, safety applications are differentiated by their stringent requirements, such as round-trip latency of 0.05–0.1 s and broadcast frequency of 10 Hz.

Fig. 1 A classification of ITS applications (Safety applications: emergency electronic brake lights, emergency vehicle warning...; Traffic management: regulatory speed limit, traffic light optimal speed advisory...; Infotainment applications: media downloading, map downloading and update...)

1.2 Traffic Management

Applications in traffic management aim to maximize road capacity and avoid traffic congestion. Exploiting real-time traffic flow information transmitted by nearby vehicles, an intelligent traffic flow control schedules a traffic light signal phasing dynamically to maximize the intersection throughput. Vehicle tracking and tracing can be used to remotely detect speed violations in reinforcement applications. Due to the demand of managing traffic flow on the roads in real time, traffic management requires a low latency of 0.1–0.5 s and robust network connections. Furthermore, the duration of processing messages frequently exchanged by a mass of vehicles must be sufficiently short.

1.3 Infotainment Applications

In infotainment applications, drivers and passengers are provided with entertaining facilities and improved up-to-date contextual information. By equipping the vehicles with onboard wireless devices, the road travellers can access the Internet to download their favorite songs or videos and play online games or perform other activities online such as seeking information, booking venue, shopping, etc. In contrast to the safety applications and traffic management, the allowable minimum latency in infotainment applications is around 0.5–1 s. Therefore, latency is not so critical in infotainment applications. As introduced in Dar et al. (2010), a high throughput is the main target when designing protocols for infotainment applications. Compared to conventional mobile broadband services, the required throughput in infotainment applications is up to 80 Mbps. Nevertheless, despite the relaxed latency requirement in infotainment applications, road travellers could still frequently face service disruptions due to short connection time. It is because the topology of the vehicular networks (or VANET) often changes rapidly due to the high mobility of vehicles (up to 100 km/h), while the coverage range of an infrastructure roadside unit is typically limited to between 0.5 and 0.6 km, and the inter-vehicle transmission distance is about 0.3 km. And thus, service continuity is a technical requirement in infotainment applications. All the requirements of three kinds of applications including safety applications, traffic management, and infotainment applications are listed in Table 1.

Table 1 Summary of ITS applications' requirements

| Categories | Applications | Requirements |
| --- | --- | --- |
| Safety applications | Traffic condition warning, roadwork warning, etc. | End-to-end latency (0.02–0.1 s), beacon periodicity (10 Hz) |
| Traffic management | Intersection management, limited-access warning, etc. | End-to-end latency (0.1–0.5 s), beacon periodicity (1 Hz) |
| Infotainment applications | Video streaming, media download, etc. | Throughput (80 Mbps) |

2 V2X Communications to Support Infotainment Applications

Surveying the state of the art in V2I-based solutions and V2V-based solutions, this chapter first reviews the advantages and shortcomings of relevant techniques supporting infotainment applications. Then, motivated by the drawbacks of the stand-alone V2I and V2V architectures, the chapter proposes a combined V2I and V2V communication scheme to satisfy the strict requirements of infotainment applications.

2.1 V2V-Based Solutions for Infotainment Applications

Figure 2 shows an example of the stand-alone V2V architecture. In order to deliver data messages, a distributed traffic information system (DTIS) is primarily based on inter-vehicle communication (IVC) among vehicles. All vehicles in DTIS are equipped with IVC devices, and they can communicate with each other through wireless technology. Therefore, the effect of traffic parameters, i.e., vehicle density and traffic speed, on the information propagation of DTIS is unavoidable.

22 Vehicle Communications for Infotainment Applications

Fig. 2 An illustration of V2V communications (legend: vehicle’s transmission range, V2V communications, direction)

Wang et al. (2014) modeled IVC message propagation and calculated the average IVC information propagation speed under instantaneous transmission and message carrier transmission. Developing the mathematical model for message transmission speed, the authors unveiled that the transmission speed of messages was positively proportional to the traffic conditions in terms of vehicle density and traffic speed. Besides the effects of vehicle density and traffic flow, the interaction between the information flow and driver composition was investigated in Du and Ukkusuri (2010). Through theoretical analysis and simulation results, Du and Ukkusuri (2010) showed that the relative speed between adjacent lanes could improve the information propagation in VANETs. Moreover, the probability of connection between two vehicles, measured as a reachability expression, was beneficial to designing information routing protocols for intermittently connected vehicular networks. However, Wang et al. (2014) and Du and Ukkusuri (2010) only focused on understanding the information flows from different aspects of traffic conditions without considering V2V communications. Motivated by this, Du and Dao (2015) investigated the successful condition of signal-to-interference-plus-noise ratio (SINR) in wireless communications between vehicles. Considering SINR conditions, Du and Dao (2015) proposed a closed-form analytical expression to either estimate information dissemination time in a free flow or determine two bounds of propagation delay in a congestion flow. Through instantaneous and delayed transmission, the expected transmission distance and the expected number of hops were also evaluated in each context. Also, that analytical approach was validated by Next-Generation Simulation (NGSIM)-based numerical experiments. To improve the connectivity of inter-vehicle communications in VANETs, Kesting et al. (2010) proposed the store-and-forward strategy where equipped vehicles in the opposite driving direction served as relays. Rather than only studying the characteristics of traffic flow under different conditions, some research focused on addressing specific issues in infotainment applications. File transfer integrity is one of the important requirements in infotainment applications because of its direct impact on the quality of user experience. Luan et al. (2013) provided a comprehensive analytical framework to investigate file transfer integrity in inter-vehicle content transmissions. Based on the proposed model, the data volume sent from a source to a destination vehicle via V2V communications could be calculated. However, the model only studied the integrity in the scenario of single-hop file transmissions among vehicles. A cluster-based file


transfer (CFT) scheme was proposed to achieve a high integrity in downloading a requested file. Due to high mobility on highways, the connection time between a provider and a requester vehicle is too short to download the whole requested file. To address that issue, neighbor vehicles were organized into a cluster whose members would forward file fragments to the requester vehicle. Moreover, the cluster could be extended linearly until all the file fragments were received by the requester. However, Luo et al. (2017) did not mention which cluster member was qualified as a forwarder. To address this gap, Luo et al. (2018) improved their previous scheme using a fuzzy logic-based relay selection scheme. The fuzzy system, which was fed the relative velocity, distance headway, and predicted connection time, computed an eligibility level to select the best relay. Differently, Wang et al. (2018) utilized a time division policy to achieve efficient data dissemination over V2V communications. Grouping vehicles moving on a lane in the same direction into clusters, vehicles in active clusters would share their cached data with vehicles in the opposite direction through service channels. Furthermore, RSUs were empowered to broadcast scheduling decisions to passing vehicles so that vehicles in different clusters shared data via V2V communications in separate time slots. Besides the 802.11p-based dedicated short-range communication (DSRC), device-to-device (D2D) communications using long-term evolution (LTE) cellular systems have been a key solution for V2V communications. Piro et al. (2015) modelled vehicular D2D communications as a function of PHY and MAC layer settings. Determining the upper-bound performance, the authors claimed that V2V communications could be absolutely supported by D2D in LTE systems under the stringent application requirements.

Although QoS requirements of V2V communications could be met using the D2D technique, the interference caused by resource reuse degraded the performance of V2V services. To tackle this issue, Sun et al. (2016) solved the radio resource management (RRM) problem which was constrained by the V2V communication requirements, such as latency and reliability. Meanwhile, to alleviate the impacts of interference between vehicles approaching intersections in a parallel direction, Yang et al. (2016) partitioned the resource pool reserved for V2V operation and assigned the subpools to those vehicles. Moreover, within the same subpool, the authors proposed a sensing-based resource allocation algorithm, based on in-band emission (IBE) awareness, for collision avoidance. To consider the advantages and drawbacks of both IEEE 802.11p and LTE-V2V, Bazzi et al. (2017) implemented two models for the two technologies in the same scenario. Compared to LTE-V2V, IEEE 802.11p provided robustness with the source-destination distance of 250–300 m. Due to hidden terminal impacts, the communication reliability of IEEE 802.11p at the longer distance up to 500 m was lower than that of LTE-V2V. Instead of depending on centralized resource allocation, Bazzi et al. (2018) focused on improvements to fully distributed resource allocation by vehicles, denoted as Mode 4. Varying the parameters of sensing period, power threshold, and minimum number of beacon periods, LTE-V2V Mode 4 outperformed IEEE 802.11p in terms of packet reception ratio and update delay in urban and highway scenarios. However, the gap between the two technologies was not as large as the authors expected.

2.2 V2I-Based Solutions for Infotainment Applications

Figure 3 describes the stand-alone V2I network consisting of roadside units (RSUs) or LTE base stations. It is widely known that deploying RSUs on highways could not improve the end-to-end delay in message propagation if the RSUs were disconnected from each other (Abdrabou and Zhuang 2011). To improve communication performance and better leverage the benefits of interconnected RSUs, Reis et al. (2014) derived mathematical models to calculate rehealing time and end-to-end delay of disseminating messages between a disconnected source-destination pair. With the models validated by simulations and network experiments, the authors provided a solution for the effective deployment of RSUs in V2I networks. On the other hand, after deriving the connectivity models under different distributions, Jin et al. (2016) investigated the impact of roadside station location on the multihop connectivity of the whole network. Nevertheless, when the vehicles leave the RSUs’ coverage range, communication with the RSU would be lost. Because the vehicles moving in uncovered areas still require V2I communications, establishing a multi-hop path to maintain the connectivity was necessary and possible. Atallah et al. (2015, 2017) proposed an analytical framework to derive the conditions for establishing a connectivity path between a source vehicle and a distant destination RSU. Under the traffic conditions, such as vehicle density, vehicle mobility, and source-destination distance, the paper analyzed how the traffic parameters impacted the probability of having an available multi-hop path, end-to-end delay, and network throughput. Nevertheless, the limited connection time caused by high mobility between infrastructure and vehicles has been a challenge in the V2I architecture. To that end, Cheung et al. (2012) proposed a dynamic optimal random access (DORA) algorithm for uploading files from vehicles to infrastructure in the coverage range.
Dividing time into equal time slots, DORA would assign time slots to vehicles when they requested to upload the files. Specifically, DORA relied on the applications’ QoS requirements to find the optimal access policy. That policy could minimize the total expected cost which vehicles had to pay for the use of the infrastructure.

Fig. 3 An illustration of V2I communications (legend: infrastructure (RSU, LTE base station...), infrastructure’s coverage range, direction, V2I communication)


Besides, the time slot assignment scheme was also employed to save energy by load balancing the energy costs for the RSUs. Due to energy sustainable designs, such as solar power, the energy usage of RSUs could not exceed their solar panel and battery provisioning limits. Khezrian et al. (2015) proposed online scheduling algorithms, namely, greedy online algorithm (GOA) and 2-approximation online algorithm (TOAA), to select time slots effectively when a new vehicle arrived. They showed that the two algorithms still achieved better performance in worst-case scenarios compared to that of the other methods. On the other hand, with the main purpose of building an end-to-end full-fledged ITS, the infrastructure operation needed to be controlled and managed effectively when the number of requested services increased. In Atallah et al. (2018), an Internet of Things gateway (IoT-GW) is considered as an infrastructure connected to an ITS central server. A vehicle residing within the IoT-GWs’ coverage range can download files and report hazardous traffic conditions via V2I communications. The central server took the responsibility of realizing an optimal scheduling policy in order to (1) minimize latency for propagating safety messages, (2) reduce the response time for download requests, (3) satisfy the download requirements of vehicles before they leave, and (4) balance the power consumption at IoT-GWs. Employing deep reinforcement learning, the vehicular traffic events were observed and analyzed by the central server in order to achieve the abovementioned objectives. It is shown that the improvement of the proposed scheme in completed request percentage, mean request delay, and network lifetime was over 10.9%, 10.2%, and 13%, respectively.

3 Recent Advances in Combination of V2I and V2V for Infotainment Applications

3.1 Should V2I Communications Be Combined with V2V Communications?

Although the stand-alone V2I and V2V architectures provide many benefits as described above, they cannot meet all the ITS requirements. For example, the high number of hops in the V2V communications causes long communication delay under a low vehicle density and thus cannot be applied to time-critical applications such as pre-sense crash handling and cooperative platooning. On the other hand, LTE systems, purely relying on V2I communications, have been suffering from dense population and high mobility which leads to frequent communication interruption and handover (Seo et al. 2016). Moreover, due to the centralized architecture, end-to-end latency, dependence on connectivity, and high cost have all been identified as challenges in LTE-based V2I communications. Compared to LTE, DSRC-based V2I communications provide more flexible organization without centralized control, but the coverage range of each RSU is limited to only around 0.5–0.6 km. Thus, the RSUs should be deployed densely to maximize their ability in urban or rural areas. However, the basic unit cost for installing grid-powered and solar-powered RSUs is from $1,000 to $1,500 (Nikookaran et al. 2017), while

Fig. 4 An illustration of combining V2I with V2V communications (legend: infrastructure (RSU, LTE base station...), vehicle’s transmission range, infrastructure’s coverage range, V2I communication, V2V communication, uncovered area, direction)

deploying cable-connected RSUs costs $5,000 (Li et al. 2014). Instead of the massive deployment of RSUs, relaying information via multi-hop communications can be adopted to either extend transmission range of the RSUs or seamlessly spread information. That is why V2I and V2V communications should be combined to complement each other in enhancing the network performance. Figure 4 depicts a combination of V2I and V2V communications.

3.2 Existing Solutions Combining V2I Communications with V2V Communications

The cooperative communication between V2I and V2V has been drawing wide research attention. The authors in Bento et al. (2012) used V2I and V2V communication technologies as a core mechanism to regulate traffic at road intersections in intelligent traffic management systems (ITMSs). Nevertheless, owing to the self-competition between adjacent nodes in the IEEE 802.11 protocol, the total throughput over a multi-hop flow is severely limited. In addition, the medium access control (MAC) protocol is unstable and ineffective in highly mobile vehicular environments. In order to overcome these challenges, Wang et al. (2012) proposed a network coding technique to achieve seamless information spreading in a joint V2I downlink system and V2V communication system. The considered scenario was that of a vehicle wishing to receive information broadcast from a base station (BS) when it was in a blind zone, i.e., an uncovered region between two adjacent BSs. Some neighboring vehicles which collected information from that BS would relay messages to the requester vehicle. The proposed network coding scheme in Wang et al. (2012) could mitigate the interference of the relaying signal to the vehicles receiving broadcast messages. Jia and Ngoduy (2016) designed a consensus-based control algorithm to build an improved cooperative driving system (CDS). Here, the packet loss caused by the unreliable inter-vehicle communications would impair the network performance. Also, the performance of the CDS was affected by the measurement errors in the downstream traffic information collected by roadside sensors in V2I


communications. With the help of V2X communication, the proposed strategy either guaranteed the local traffic stability or mitigated traffic shockwaves. On the other hand, by developing an analysis framework for a data dissemination process, Chen et al. (2017) demonstrated the efficiency of their strategy, a cooperation between V2I and V2V communications, in improving the achievable throughput of the vehicle of interest. After downloading the pieces of a requested file in the RSU’s range, the target vehicle would be forwarded the next parts by the vehicles moving in its opposite direction. Moreover, the relationship between the achievable throughput and parameters, such as inter-RSU distance, radio ranges, and transmission rates, was revealed in closed-form expressions. Extending their previous work (Chen et al. 2017), Chen et al. (2018) derived the vehicular network capacity under the cooperative communication strategy supporting multiple users. They showed that under the same traffic conditions, the improvement in the capacity would be higher if fewer vehicles request to download. Nevertheless, the outage time that elapsed once vehicles were out of the coverage range of RSUs was intolerable for delay-constrained services, such as online video streaming and file downloading. In order to minimize the outage time of a target vehicle, the cooperative store-carry-forward (CSCF) scheme (Wang et al. 2017) selected the first relay, which is one of the vehicles moving in the same direction as the target vehicle, to forward data from an RSU. Moreover, due to the inter-RSU cooperation, the second relay among vehicles in the reverse direction was employed to serve the target vehicle. In another approach, clusters were generated among vehicles in the same direction for large-size content dissemination in highway vehicle ad hoc networks (VANETs) (Zhou et al. 2014; Guo et al. 2017) where the file requested by the target vehicle was divided into two parts to be assigned to two consecutive RSUs. After forming linear clusters in two moving directions, cluster members would download and forward chunks sliced from the two parts to the target vehicle. Consequently, the data download volume at the target vehicle could be increased significantly.

Furthermore, because of the significant roles of RSUs in the V2X-based cooperation schemes, the RSU deployment has become a key issue. Abdrabou and Zhuang (2011) estimated the minimum number of RSUs required to limit the packet delivery delay in low-density VANETs. By developing an analytic framework, they demonstrated the influence of vehicle density, transmission range, and speed on the end-to-end packet delivery delay of multi-hop communications. Thus, the maximum distance between RSUs was obtained in order to limit the worst-case packet delivery delay to a certain bound. The RSU placement problem was formulated as an integer linear programming (ILP) problem in Wu et al. (2012). With the objective of maximizing the achievable aggregate throughput, Capacity Maximization Placement (CMP) not only calculated the optimal number of RSUs but also determined where to allocate them. Moreover, CMP could adapt to differences in vehicle population distribution and vehicle speed on the road. A budget-constrained and delay-bounded placement (BCDP) problem was formulated and addressed by Li et al. (2014). After modeling the delay-bounded coverage of RSU placement, the BCDP was solved by two greedy algorithms searching the optimal sites that provide the maximum delay-bound coverage gain and utility.


Extending the one-dimensional infrastructure placement, Lin and Deng (2015) and Lin et al. (2017) deployed RSUs and sensor nodes along the two sides and the median island of a two-lane road. Because the two-lane deployment problem was established as an NP-complete problem to minimize the total cost, center particle swarm optimization (CenterPSO) in Lin and Deng (2015) used the particles located at the central positions of other particles to find better solutions. Likewise, constrained by the maximal number of hops and capacity, the harmony search algorithm (HSA) was selected to find the candidates which could minimize total distance and the number of hops between RSUs and sensors (Lin et al. 2017). With the main target of minimizing the sum of capital expenditure (CAPEX) and operating expenditure (OPEX) costs, Nikookaran et al. (2017) proposed the Minimum Cost Route Clustering (MCRC) algorithm to solve a relaxed version of the ILP. After partitioning all opened RSUs from the solutions into clusters and installing them fully, MCRC fractionally installed open RSUs until the number of RSUs was enough to satisfy all service requirements for each cluster. MCRC outperformed the conventional Minimum Capital Cost Placement (MCCP) in terms of not only deployment cost but also lower request drop ratio. Combining three kinds of RSU allocation, namely, static locations, public mobile transportation, and controllable vehicles, Kim et al. (2017) transformed an NP-hard problem to a new optimization problem, namely, budgeted maximum coverage problem with cardinality constraint (BMCP-CC). Applying an α-approximation algorithm where $\alpha = \frac{1}{2}\left(1 - \frac{1}{e}\right)$, the quality of solutions that had maximal coverage of RSUs under a limited budget was at least the half of the best possible solution. Due to the strict latency in broadcasting an alert message from an accident site to the control center, the authors (Liu et al. 2017) found the optimal number of RSUs is $\frac{L}{2d}$, where L is the highway length and d is the maximal transmission distance. Through a delay analysis for alert message transmission along highways, the relationship between the number of RSUs and the highway length was given. On the other hand, da Silva and Meira (2015) designed the Delta Network metric which could measure connectivity duration and the percentage of vehicles presenting such connectivity duration. To meet the given $\mathrm{delta}_{\rho_1}^{\rho_2}$, the Delta-g heuristic was developed to deploy RSUs physically. Furthermore, in order to increase the number of distinct vehicles experiencing V2I contact, Silva et al. (2016) introduced the deployment strategy which relied on migration ratios of vehicles between urban areas instead of trajectories of all vehicles.

3.3 Preliminary Results of Our Proposed Cooperation Scheme

Despite the improvements in service quality using V2X-based cooperation schemes, the following issues still persist:

• The short contact time between vehicles moving in two opposite directions (Chen et al. 2017, 2018)
• The possible service disruption with only the two relays (Wang et al. 2017)

Fig. 5 An illustration of the proposed scheme (legend: RSU, target vehicle V, forwarder F, other vehicles, direct link)

• The downloaded volume depending on the number of cluster members, MAC contentions, and collisions in forwarding from the cluster members to the tagged vehicle (Zhou et al. 2014; Guo et al. 2017)

To address the above shortcomings, a new cooperation strategy between V2I and V2V communications has been developed in our recent work (Nguyen et al. 2018). As shown in Fig. 5a, b, the target vehicle V requests to download a large file through a V2I communication when it is in the coverage range of the RSU Un, which relays the request to the central server. The requested file is then divided into small packets before being transmitted from the server to Un. Here we assume that the transmission time between the central server and RSUs is negligible. Furthermore, vehicles are assumed to be moving in the same direction at the same constant velocity on a highway. Vehicle V starts receiving the packets directly from Un via V2I communication until it reaches the edge of the coverage area of Un. Relying on the available neighbor vehicles behind the target vehicle V, we propose a dynamic forwarder selection and data transmission scheme to assist the target vehicle V in the uncovered area. Differently from Chen et al. (2017) and Wang et al. (2017), we select only vehicles travelling in the same direction as V. Unlike Zhou et al. (2014) and Guo et al. (2017), we select only one neighboring vehicle as a data forwarder, avoiding cluster formation. To continue downloading data when out of range, vehicle V first selects one forwarder in its neighborhood, on the side back toward RSU Un, to relay data to it as follows. Vehicle V acts as a requester and broadcasts a “Request-to-Forward” message. If a vehicle within the transmission range of V is willing to forward messages, it will reply with an “Acknowledgment” message together with


its mobility information (e.g., speed and position). Vehicle V will then be able to shortlist the neighboring vehicles still within the coverage area of Un and moving in the same direction as V. Vehicle V then selects the vehicle located farthest away from V as its forwarder. We refer to this forwarder as F1 in Fig. 5c. Essentially, the selected forwarder satisfies all of the following criteria:

1. Located in the transmission range of the requester (to have a direct V2V link with the requester for data forwarding)
2. Located in the coverage area of Un (to have a direct V2I link with RSU Un for data downloading)
3. Moving in the same direction as the requester (to maximize contact time with the requester)
4. Located farthest away from the requester (to minimize the total number of forwarders, i.e., transmission hops from Un to V)

As depicted in Fig. 5c, F1 starts to download the next data packets from Un via the V2I link and forwards them to V via the V2V link. The downloading process continues until F1 reaches the boundary of RSU Un. At that point, F1 will act as a requester and select the next forwarder F2, similar to what V did before. This is shown in Fig. 5d. F2 then downloads the next data packets from RSU Un and forwards them to F1. Note that each forwarder continues to forward the received packets using the established V2V link even when it is out of range of RSU Un.

Collectively, the benefits of this proposed scheme are as follows:

1. The proposed scheme always guarantees an active multi-hop forwarding path between Un and V. That path consists of (i) a one-hop V2I link from RSU Un to the last forwarder and (ii) a multi-hop V2V link from the last forwarder to V, as shown in Fig. 5e.
2. Under the proposed combination scheme, an analytical model of data dissemination shows the interaction of three parameters, namely inter-RSU distance, vehicles’ assistance readiness, and buffer size of the target vehicle, with average throughput and service disruption. Based on the proposed model, we can evaluate the trade-offs between these three parameters.

The advantages of our proposed scheme in terms of average throughput and service continuity are validated by a close agreement between analytical and simulation results. Specifically, Fig. 6 reveals the improvements of the combination of V2I and V2V communication in the average throughput achieved by the target vehicle when increasing the inter-RSU distance. Moreover, the average achieved throughput at the target vehicle is analyzed under the impacts of vehicle density, vehicles’ assistance willingness, and the target vehicle’s buffer size. Compared to the stand-alone V2I architecture, the improvement in average achieved throughput using our proposed cooperative scheme is more than 18.8%, as observed in Fig. 7a. Furthermore, it can be seen that the service continuity requirement of infotainment applications is satisfied using the proposed cooperative scheme. An increase in the

Fig. 6 The average achieved throughput with multiple vehicle densities (a), multiple willingness (b), multiple buffer size (c) when increasing inter-RSU distance (x-axis: distance between two consecutive RSUs (m); y-axis: average achieved throughput at the target vehicle (Mbps); simulation and analytical curves in each panel)

Fig. 7 The comparison between two protocols in terms of average achieved throughput (a) and average number of service disruptions (b) when increasing inter-RSU distance (x-axis: distance between two consecutive RSUs (m); curves: stand-alone V2I and V2I combined with V2V, simulation and analytical; panel (a) is annotated with 18.8%, 43.02%, and 58.4%)

average number of service disruptions (i.e., shorter service disruption’s duration) in Fig. 7b indicates that the file downloading of the target vehicle is continued despite the increase in the inter-RSU distance. This is in contrast to the average number of service disruptions in the stand-alone V2I architecture, which remains steady because no data packet is forwarded to the target vehicle in the uncovered area.
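The forwarder selection and hand-over procedure of Sect. 3.3 (Request-to-Forward, Acknowledgment, criteria 1–4, then F1 selecting F2) can be sketched as follows. This is an added example, not code from the chapter or from Nguyen et al. (2018); the one-dimensional highway model, the constants, the sample vehicles, and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed constants (constructed; ranges chosen from the figures quoted in the chapter)
RSU_POS = 0.0      # position of RSU Un along the highway (m)
COVERAGE = 500.0   # RSU coverage radius (m); the chapter quotes 0.5-0.6 km
TX_RANGE = 300.0   # inter-vehicle transmission distance (m); chapter: about 0.3 km
SPEED = 25.0       # common constant speed of all vehicles (m/s)


@dataclass
class Vehicle:
    vid: str
    pos: float       # position along the highway (m)
    direction: int   # +1 or -1
    willing: bool    # whether it answers a Request-to-Forward


def collect_acks(requester, vehicles):
    """Request-to-Forward broadcast: willing vehicles inside the requester's
    transmission range reply with an Acknowledgment (criterion 1)."""
    return [v for v in vehicles
            if v is not requester and v.willing
            and abs(v.pos - requester.pos) <= TX_RANGE]


def select_forwarder(requester, vehicles):
    """Apply criteria 2-4 to the acknowledging vehicles; None if nobody qualifies."""
    shortlist = [
        v for v in collect_acks(requester, vehicles)
        if abs(v.pos - RSU_POS) <= COVERAGE                         # criterion 2
        and v.direction == requester.direction                      # criterion 3
        and (requester.pos - v.pos) * requester.direction > 0       # behind requester
    ]
    if not shortlist:
        return None
    # criterion 4: farthest from the requester, to minimise the hop count
    return max(shortlist, key=lambda v: abs(v.pos - requester.pos))


def advance(vehicles, dt):
    """Move every vehicle for dt seconds at the common constant speed."""
    for v in vehicles:
        v.pos += v.direction * SPEED * dt


def build_chain(target, vehicles):
    """Start when the target is at the coverage edge of Un. Returns the forwarder
    ids in selection order (F1, F2, ...) and the seconds the target keeps being
    served after leaving coverage, i.e. until a forwarder finds no successor."""
    edge = RSU_POS + target.direction * COVERAGE
    requester, chain, served = target, [], 0.0
    while True:
        fwd = select_forwarder(requester, vehicles)
        if fwd is None:
            return chain, served          # service disruption starts here
        chain.append(fwd.vid)
        dt = abs(edge - fwd.pos) / SPEED  # forwarder downloads until it hits the edge
        advance(vehicles, dt)
        served += dt
        requester = fwd                   # the forwarder becomes the next requester


def sample_scenario():
    """Constructed sample: target V at the coverage edge plus six other vehicles."""
    target = Vehicle("V", 500.0, +1, True)
    others = [
        Vehicle("A", 350.0, +1, True),
        Vehicle("B", 250.0, +1, True),
        Vehicle("C", 220.0, -1, True),    # opposite direction: fails criterion 3
        Vehicle("D", 150.0, +1, False),   # never acknowledges
        Vehicle("E", 0.0, +1, True),
        Vehicle("G", -400.0, +1, True),   # too far behind E when E reaches the edge
    ]
    return target, [target] + others


if __name__ == "__main__":
    tgt, fleet = sample_scenario()
    chain, served = build_chain(tgt, fleet)
    print("forwarders:", chain, "extra served time (s):", served)
    print("path: Un ->", " -> ".join(reversed(chain)), "->", tgt.vid)
```

In the constructed scenario, A acknowledges but is closer to V than B, so criterion 4 picks B; when B reaches the edge it picks E, and the chain ends at E because G is outside E's transmission range.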

4 Conclusion

This chapter has reviewed previous works where only the V2V or V2I communications have been employed to satisfy the technical requirements of infotainment applications. The chapter revealed several disadvantages of the stand-alone V2V and V2I architectures for such applications and suggested a combination of V2I and V2V communications to overcome these challenges. In particular, to improve the V2I connection in the uncovered areas, the chapter reviewed several approaches to select the best forwarders for a target vehicle among its available neighboring vehicles using V2V, including our recent work which showed significant improvement in the average throughput achieved by the target vehicle. Compared with the stand-alone V2I architecture, the proposed cooperation scheme has not only maximized the average achieved throughput but also restricted service disruptions at the target vehicle. Possible future directions to support infotainment applications include:

1. Controlling vehicle traffic to improve the probability of finding a forwarder in the uncovered area
2. Designing efficient forwarder selection in a scenario where multiple vehicles request the same service simultaneously
3. Coordinating data transmission over V2I and V2V links using multichannels

References

A. Abdrabou, W. Zhuang, Probabilistic delay control and road side unit placement for vehicular ad hoc networks with disrupted connectivity. IEEE J. Sel. Areas Commun. 29(1), 129–139 (2011). https://doi.org/10.1109/JSAC.2011.110113. ISSN 0733-8716

R. Atallah, M. Khabbaz, C. Assi, Modelling of multi-hop inter-vehicular path formation for connecting far vehicles to RSUs, in 2015 IEEE Wireless Communications and Networking Conference (WCNC) (March 2015), pp. 1954–1959. https://doi.org/10.1109/WCNC.2015.7127767

R. Atallah, M. Khabbaz, C. Assi, Multihop v2i communications: A feasibility study, modeling, and performance analysis. IEEE Trans. Veh. Technol. 66(3), 2801–2810 (2017). https://doi.org/10.1109/TVT.2016.2586758. ISSN 0018-9545

R.F. Atallah, C.M. Assi, M.J. Khabbaz, Scheduling the operation of a connected vehicular network using deep reinforcement learning. IEEE Trans. Intell. Transp. Syst. 20, 1–14 (2018). https://doi.org/10.1109/TITS.2018.2832219. ISSN 1524-9050

A. Bazzi, B.M. Masini, A. Zanella, I. Thibault, On the performance of IEEE 802.11p and LTE-v2v for the cooperative awareness of connected vehicles. IEEE Trans. Veh. Technol. 66(11), 10419–10432 (2017). https://doi.org/10.1109/TVT.2017.2750803. ISSN 0018-9545

A. Bazzi, G. Cecchini, A. Zanella, B.M. Masini, Study of the impact of phy and mac parameters in 3gpp c-v2v mode 4. IEEE Access 6, 71685–71698 (2018). https://doi.org/10.1109/ACCESS.2018.2883401. ISSN 2169-3536

L.C. Bento, R. Parafita, U. Nunes, Intelligent traffic management at intersections supported by v2v and v2i communications, in 2012 15th International IEEE Conference on Intelligent Transportation Systems (September 2012), pp. 1495–1502. https://doi.org/10.1109/ITSC.2012.6338766

J. Chen, G. Mao, C. Li, A. Zafar, A.Y. Zomaya, Throughput of infrastructure-based cooperative vehicular networks. IEEE Trans. Intell. Transp. Syst. 18(11), 2964–2979 (2017). https://doi.org/10.1109/TITS.2017.2663434. ISSN 1524-9050

22 Vehicle Communications for Infotainment Applications

721

J. Chen, G. Mao, C. Li, W. Liang, D. Zhang, Capacity of cooperative vehicular networks with infrastructure support: Multiuser case. IEEE Trans. Veh. Technol. 67(2), 1546–1560 (2018). https://doi.org/10.1109/TVT.2017.2753772. ISSN 0018-9545 M.H. Cheung, F. Hou, V.W.S. Wong, J. Huang, Dora: Dynamic optimal random access for vehicleto-roadside communications. IEEE J. Sel. Areas Commun. 30(4), 792–803 (2012). https:// doi.org/10.1109/JSAC.2012.120513. ISSN 0733-8716 C. M. da Silva, W. Meira, Evaluating the performance of heterogeneous vehicular networks. in 2015 IEEE 82nd Vehicular Technology Conference (VTC2015-Fall) (September 2015), pp. 1–5. https://doi.org/10.1109/VTCFall.2015.7390936 K. Dar, M. Bakhouya, J. Gaber, M. Wack, P. Lorenz, Wireless communication technologies for its applications [topics in automotive networking]. IEEE Commun. Mag. 48(5), 156–162 (2010). https://doi.org/10.1109/MCOM.2010.5458377. ISSN 0163-6804 L. Du, H. Dao, Information dissemination delay in vehicle-to-vehicle communication networks in a traffic stream. IEEE Trans. Intell. Transp. Syst. 16(1), 66–80 (2015). https://doi.org/10.1109/ TITS.2014.2326331. ISSN 1524-9050 L. Du, S. Ukkusuri, The relative mobility of vehicles improves the performance of information flow in vehicle ad hoc networks. Netw. Spat. Econ. 10(2), 209–240 (2010). https://doi.org/10.1007/ s11067-008-9063-x. ISSN 1572-9427 T. Guo, C. Li, W. Dong, Z. Miao, X. Su, Enabling efficient content dissemination for cooperative vehicular networks. in 2017 IEEE 28th Annual International Symposium on Personal, Indoor, and Mobile Radio Communications (PIMRC), pp 1–5, Oct. 2017. https://doi.org/10.1109/ PIMRC.2017.8292252. D. Jia, D. Ngoduy, Enhanced cooperative car-following traffic model with the combination of v2v and v2i communication. Transp. Res. B Methodol. 90, 172–191 (2016). https://doi.org/10.1016/ j.trb.2016.03.008. http://www.sciencedirect.com/science/article/pii/S0191261515302563 ISSN 0191-2615 W.-L. Jin, W.W. 
Recker, X.B. Wang, Instantaneous multihop connectivity of one-dimensional vehicular ad hoc networks with general distributions of communication nodes. Transp. Res. B Methodol. 91, 159–177 (2016). https://doi.org/10.1016/j.trb.2016.05.011. http:// www.sciencedirect.com/science/article/pii/S0191261516302909 ISSN 0191-2615 A. Kesting, M. Treiber, D. Helbing, Connectivity statistics of store-and-forward intervehicle communication. IEEE Trans. Intell. Transp. Syst. 11(1), 172–181 (2010). https://doi.org/ 10.1109/TITS.2009.2037924. ISSN 1524-9050 A. Khezrian, T.D. Todd, G. Karakostas, M. Azimifar, Energy-efficient scheduling in green vehicular infrastructure with multiple roadside units. IEEE Trans. Veh. Technol. 64(5), 1942– 1957 (2015). https://doi.org/10.1109/TVT.2014.2333665. ISSN 0018-9545 D. Kim, Y. Velasco, W. Wang, R.N. Uma, R. Hussain, S. Lee, A new comprehensive rsu installation strategy for cost-efficient VANET deployment. IEEE Trans. Veh. Technol. 66(5), 4200–4211 (2017). https://doi.org/10.1109/TVT.2016.2598253. ISSN 0018-9545 P. Li, C. Huang, Q. Liu, Bcdp: Budget constrained and delay-bounded placement for hybrid roadside units in vehicular ad hoc networks. Sensors 14(12), 22564–22594 (2014). https://doi.org/10.3390/s141222564. http://www.mdpi.com/1424-8220/14/12/22564. ISSN 1424-8220 C. Lin, D. Deng, Optimal two-lane placement for hybrid VANET-sensor networks. IEEE Trans. Ind. Electron. 62(12), 7883–7891 (2015). https://doi.org/10.1109/TIE.2015.2418314. ISSN 0278-0046 C.-C. Lin, P.-C. Chen, L.-W. Chang, On different-dimensional deployment problems of hybrid VANET-sensor networks with QoS considerations. Mob. Netw. Appl. 22(1), 125–138 (2017). https://doi.org/10.1007/s11036-015-0667-3. ISSN 1383-469X C. Liu, H. Huang, H. Du, Optimal RSUs deployment with delay bound along highways in VANET. J. Comb. Optim. 33(4), 1168–1182 (2017). https://doi.org/10.1007/s10878-016-0029-5. ISSN 1573-2886 T. H. Luan, X. Sherman Shen, F. 
Bai, Integrity-oriented content transmission in highway vehicular ad hoc networks. in 2013 Proceedings IEEE INFOCOM (April 2013), pp. 2562–2570. https:// doi.org/10.1109/INFCOM.2013.6567063.

722

B. L. Nguyen et al.

Q. Luo, C. Li, Q. Ye, T. H. Luan, L. Zhu, X. Han, Cft: A cluster-based file transfer scheme for highway VANETs. in 2017 IEEE International Conference on Communications (ICC) (May 2017), pp. 1–6. https://doi.org/10.1109/ICC.2017.7996452 Q. Luo, X. Cai, T.H. Luan, Q. Ye, Fuzzy logic-based integrity-oriented file transfer for highway vehicular communications. EURASIP J. Wirel. Commun. Netw. 2018(1), 3 (2018). https:// doi.org/10.1186/s13638-017-1009-x. ISSN 1687-1499 Z. MacHardy, A. Khan, K. Obana, S. Iwashina, V2x access technologies: Regulation, research, and remaining challenges. IEEE Commun. Surv. Tutorials 20, 1–1 (2018). https://doi.org/10.1109/ COMST.2018.2808444 B. L. Nguyen, D. T. Ngo, N. H. Tran, H. L. Vu, Combining v2i with v2v communications for service continuity in vehicular networks. in 2019 IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM) (submitted in December 2018) N. Nikookaran, G. Karakostas, T.D. Todd, Combining capital and operating expenditure costs in vehicular roadside unit placement. IEEE Trans. Veh. Technol. 66(8), 7317–7331 (2017). https:/ /doi.org/10.1109/TVT.2017.2665480. ISSN 0018-9545 G. Piro, A. Orsino, C. Campolo, G. Araniti, G. Boggia, A. Molinaro, D2d in LTE vehicular networking: System model and upper bound performance. in 2015 7th International Congress on Ultra Modern Telecommunications and Control Systems and Workshops (ICUMT) (October 2015), pp. 281–286. https://doi.org/10.1109/ICUMT.2015.7382443 A.B. Reis, S. Sargento, F. Neves, O.K. Tonguz, Deploying roadside units in sparse vehicular networks: What really works and what does not. IEEE Trans. Veh. Technol. 63(6), 2794–2806 (2014). https://doi.org/10.1109/TVT.2013.2292519. ISSN 0018-9545 H. Seo, K. Lee, S. Yasukawa, Y. Peng, P. Sartori, LTE evolution for vehicle-to-everything services. IEEE Commun. Mag. 54(6), 22–28 (2016). https://doi.org/10.1109/MCOM.2016.7497762. ISSN 0163-6804 C.M. Silva, W. Meira, J.F.M. 
Sarubbi, Non-intrusive planning the roadside infrastructure for vehicular networks. IEEE Trans. Intell. Transp. Syst. 17(4), 938–947 (2016). https://doi.org/ 10.1109/TITS.2015.2490143. ISSN 1524-9050 W. Sun, E.G. Strm, F. Brnnstrm, K.C. Sou, Y. Sui, Radio resource management for d2d-based v2v communication. IEEE Trans. Veh. Technol. 65(8), 6636–6650 (2016). https://doi.org/10.1109/ TVT.2015.2479248. ISSN 0018-9545 Q. Wang, P. Fan, K.B. Letaief, On the joint v2i and v2v scheduling for cooperative vanets with network coding. IEEE Trans. Veh. Technol. 61(1), 62–73 (2012). https://doi.org/10.1109/ TVT.2011.2167249. ISSN 0018-9545 W. Wang, S.S. Liao, X. Li, J.S. Ren, The process of information propagation along a traffic stream through intervehicle communication. IEEE Trans. Intell. Transp. Syst. 15(1), 345–354 (2014). https://doi.org/10.1109/TITS.2013.2280613. ISSN 1524-9050 Y. Wang, Y. Liu, J. Zhang, H. Ye, Z. Tan, Cooperative store-carry-forward scheme for intermittently connected vehicular networks. IEEE Trans. Veh. Technol. 66(1), 777–784 (2017). https:// doi.org/10.1109/TVT.2016.2536059. ISSN 0018-9545 J. Wang, K. Liu, K. Xiao, C. Chen, W. Wu, V.C.S. Lee, S.H. Son, Dynamic clustering and cooperative scheduling for vehicle-to-vehicle communication in bidirectional road scenarios. IEEE Trans. Intell. Transp. Syst. 19(6), 1913–1924 (2018). https://doi.org/10.1109/ TITS.2017.2743821. ISSN 1524-9050 T. Wu, W. Liao, C. Chang, A cost-effective strategy for road-side unit placement in vehicular networks. IEEE Trans. Commun. 60(8), 2295–2303 (2012). https://doi.org/10.1109/ TCOMM.2012.062512.100550. ISSN 0090-6778 J. Yang, B. Pelletier, B. Champagne, Enhanced autonomous resource selection for LTE-based v2v communication. in 2016 IEEE Vehicular Networking Conference (VNC) (December 2016), pp. 1–6. https://doi.org/10.1109/VNC.2016.7835937 H. Zhou, B. Liu, T.H. Luan, F. Hou, L. Gui, Y. Li, Q. Yu, X. 
Shen, Chaincluster: Engineering a cooperative content distribution framework for highway vehicular communications. IEEE Trans. Intell. Transp. Syst. 15(6), 2644–2657 (2014). https://doi.org/10.1109/ TITS.2014.2321293. ISSN 1524-9050

23 Cloud Empowered Real-Time Virtual Manufacturing Systems

Sourabh Dani, Akhlaqur Rahman, Jiong Jin, and Ambarish Kulkarni

Contents
1 Introduction
2 Literature Review (State of the Art)
3 An Integrated Framework for Cloud Empowered VMS
3.1 Prepositioning of Components
3.2 Specification of the Cloud-Empowered VMS Components
3.3 Software Technologies
4 Use Case of the Cloud Empowered VMS
4.1 The Physical Shopfloor Components
4.2 Proposed Hybrid Virtual Manufacturing Process
5 Conclusion
References

Abstract In the era of Industry 4.0, evolving trends in information technologies such as cloud computing (CC), digital twin (DT), and industrial internet of things (IIoT) have brought about robust and advanced manufacturing processes with access to a finer level of customization. These attempts are bolstered by the recent emergence of augmented virtual reality (AVR), which provides prospects for creating innovative solutions in the space of virtual manufacturing systems (VMS). While integrating such technologies is difficult, the objective of this work is to develop an integrated framework that brings IIoT, DT, CC, and AVR into a single manufacturing platform, so as to create seamless communication between the physical and digital worlds. Additionally, the framework is validated with a detailed concept of a practical use case, automated mattress protector manufacturing, wherein lies its novelty. Overall, the proposed application not only explains the procedural methods involved in carrying out a successful cloud-empowered real-time VMS but also provides a baseline for practical implementation and future modification.

S. Dani · A. Kulkarni: Swinburne University of Technology, Melbourne, VIC, Australia
A. Rahman: Engineering Institute of Technology, Melbourne, VIC, Australia
J. Jin: School of Science, Computing and Engineering Technologies, Swinburne University of Technology, Melbourne, VIC, Australia

© Springer Nature Singapore Pte Ltd. 2022. Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_46

Keywords Virtual manufacturing system · Industrial internet of things · Virtual reality · Real-time systems · Digital twin · Industry 4.0 · Cloud computing

1 Introduction

The advent of new technological innovations in the recent past, aided by the proliferation of cyber physical systems, has prompted the existence of Industry 4.0 by enabling vertical integration of several key components such as hybrid machines, storage systems, and production facilities, all of which are capable of autonomously exchanging information, triggering actions, and controlling each other independently. This innovation has facilitated fundamental improvements to the processes of manufacturing, engineering, material usage, and supply chain, as well as life-cycle management of industrial operations. In particular, the recent developments in cutting-edge ICT technologies have led to the introduction of real-time applications for industrial manufacturing that entail more precise design and rigid frameworks for successful implementation, thus making the process further automated. Given the context of Industry 4.0, these advancements have fulfilled the need for manufacturing processes to be more systematic, efficient, and economically competitive, therefore not only bringing about a new paradigm, that is, hybrid manufacturing, but also establishing it as the hallmark of the fourth industrial revolution (Kusiak 2018).

At present the manufacturing sector and its associated businesses are highly competitive. Manufacturers are confronted with the constant challenge of delivering pioneering methods for production with a reduced time to market. This emerging movement toward a globalized, advanced smart manufacturing environment demands real-time information exchange between the numerous stages of a product development life cycle (such as product development design, operational setup, manufacturing planning, task scheduling, operations, and packing). Along with this, flawless task collaboration among these stages is also expected. Furthermore, with increased environmental consciousness and legislation, more limitations are being placed on product disposal, hence supporting product recycling, repairing, and refurbishing activities. Unfortunately, such product development processes run the risk of becoming progressively more complex as products become more adaptable, intricate, and intrinsically complicated, in addition to product variants multiplying with the tendency toward huge customization. In order to tackle such limitations, hybrid manufacturing technologies support efficient and precise engineering decision-making capabilities in real time through the establishment of versatile technologies, along with the merging of the current manufacturing tools (Kang et al. 2016).

One such innovative and effective solution is the application of Virtual Reality (VR) and Augmented Reality (AR) technologies. These technologies help to simulate and enhance smart manufacturing procedures before they are carried out. These methods ensure that the stages of production, as stated earlier, are done accurately and efficiently in the first attempt without the necessity for further redrafts and alterations (Nee et al. 2012). While automated manufacturing processes are already an established practice, research on the manufacturing applications of VR and AR is a relatively new and growing area. In fact, the dynamic interaction of current AR applications, enabled by sharing of information with the real working environment, has the potential to provide efficient and complementary tools to assist the hybrid manufacturing process. However, there is a requirement for a higher order of accuracy, response, and interface design, all of which are critical elements. More precisely, the main challenge is to design and implement integrated VR and AR manufacturing systems that can enhance the manufacturing method, along with product and process development, leading to shorter lead time, reduced cost, and improved quality (Nee and Ong 2013).
As a result, the eventual goal will be the integration of VR and AR technologies with automated services in manufacturing (provided by service robots), thus making the newly formed VMS as good as a real-world application, if not better and more efficient. Additionally, VMS introduces the concept of a virtual factory (Choi et al. 2015) that is capable of generating information about the structure of states and the behavior of the system as can be observed in the real manufacturing operation. Overall, VMS presents an integrated computer-based model which represents the physical and logical schema of a real manufacturing process and exhibits the real-world behavior in its virtual performance. It plays a significant role in reducing the cost of the product life cycle and helps users test and validate the accuracy of the product and process design.

Despite that, there are still some concerns that require attention. While VMS benefits users in terms of quality, shorter cycle time, flexibility, responsiveness, and customer relations, there is still significant room for improvement in performance and efficiency, which needs to be identified. This is where IIoT brings so many possibilities. By taking advantage of the emergence of cloud infrastructure and wireless technology, IIoT has improved the possibility of integrating autonomous identification in evolving, vibrant, and complex industrial applications. Successive industrial revolutions such as “Mechanization,” “Mass production,” and “Digitization” were followed by the major change of Industry 4.0. These advancements have brought incipient autonomous technologies into the manufacturing industries, renovating traditional practices into smart technologies. Due to its special characteristics of virtualization, decentralization, and real-time capabilities, Industry 4.0 is anticipated to be a key area for the injection of IIoT, particularly in automating applications like detection, instrumentation, and observation for manufacturing through the emergence of CC and wireless technologies. In fact, as stated in J. Liu et al. (2016), IIoT summarizes the design code of industrial machine sensors unified with affordable computational costs and network resources, which has extended its operational abilities and changed the types of wireless applications from machines interacting with humans for repetitive tasks toward solving more complex multi-objective problems in uncertain environments for manufacturing in an autonomous manner.

Even though IIoT opens the possibilities to utilize wireless sensor networks to further automate industrial processes, it also adds many complications in terms of decision-making as well as coordination. As previously mentioned, cloud infrastructure services can be leveraged to enhance the performance and efficiency of the system. While VMS (Fig. 1) is already a well-established entity, there is still room for growth in terms of overall efficiency, which can potentially be increased through integration of CC, autonomous sensing, AR, and VR in newly developed or proposed virtual manufacturing operations in Industry 4.0. This will be further aided by DT, which paves the path toward a smooth integration of the physical and cyber worlds in the context of the manufacturing industry. While AR and VR can help provide virtualization for preparation of product manufacturing (Hochhalter et al. 2014), DT can emulate the real-time application and run it in real time while analyzing the detailed changes, which the physical equipment can react to for modification purposes.
Thus, the overall VMS has the potential to integrate all the abovementioned entities and prepare a rigid manufacturing process that can perform efficiently and accurately across preparation, production, and maintenance of the operation. While generic proposals for such integration are available in the literature, some specific use cases need to be studied in order to validate the scope of the operation as well as make room for analysis of the performance and efficiency of the system. Therefore, the objective is to develop a framework to bring them onto a single platform and back it up with a specific use case of an automated mattress protector. In order to achieve this objective, it is of utmost importance to understand the basic requirements of all the technologies involved. For example, IIoT technology needs to have various ranges of machines embedded with sensors that can communicate with each other as well as the cloud to provide data and make decisions. Dedicated software and sensory displays are empowered by AVR technologies. Altogether, the chapter concentrates on efficiently getting IIoT and AR/VR onto a single platform so as to fine-tune and further improve the VMS operation, where additional real-time analytical support is provided by DT. Given the challenges of combining all these technologies, the novelty of this work lies in laying the framework for a VMS with multiple integrated entities and validating it with a proposed use case of an automated mattress protector, where the components proposed are used in current industrial operations. Based on conceptual knowledge, it is estimated that the proposed integration can potentially attain an efficient VMS.

Fig. 1 Overview of VMS

The main contributions of the chapter are as follows:

(i) A novel framework is proposed to integrate machine sensors and AR/VR on a common platform of cloud empowered VMS with real-time support from DT. Furthermore, it presents the challenges associated with implementation, as well as the development of hardware and software solutions related to the implementation of cloud empowered real-time VMS in Industry 4.0.

(ii) A use case of Automated Mattress Protector Manufacturing is developed with specific details of the components of the integrated system so as to complement the proposed framework. This is followed by the proposed operation details of a hybrid assembly line for a modeled VMS to validate the approach in the context of a real-time industrial application.

The rest of the chapter is structured as follows. First, a detailed literature review describes the current state of the art as well as the challenges in integrating machine sensors with AR, VR, and DT for a VMS. To overcome these challenges, a framework is proposed for cloud empowered real-time VMS that explains all the components individually and provides hardware and software details to integrate all these entities. This is followed by the use case scenario, where the application of automated mattress protector manufacturing is considered. The objective here is to list all the components involved and present an in-depth analysis of how they relate to the proposed framework. In order to validate the system, the specification of the software and hardware components required is explained, and a hybrid assembly line operation is demonstrated to give an overview of VMS operation. Finally, the chapter is concluded with some final remarks as well as some possible directions for future work in this domain.

2 Literature Review (State of the Art)

VMS (Fig. 2) is essentially a model of implementing the manufacturing process through computer systems rather than in the real world, where the virtual environment allows for predictions and analysis of possible problems associated with productivity and the ability to manufacture digitally before actual manufacturing (Kimura 1993; GJ 1995). In fact, VMS is a plan of a practical process where simulation is conducted by applying virtualization techniques with the assistance of highly reliable computing devices and a super-speed network. In addition, its scope is to realize product planning, design decisions, configuration of manufacturing processes, performance investigation, and quality review of product manufacturing at all levels of manufacturing management, with control in the hands of decision makers, to enhance all possible decision-making capabilities and regulate the capabilities in manufacturing industries (Choi et al. 2015; Kang et al. 2016; Kimura 1993; Linthicum 2016, 2017; Liu et al. 2011; Monostori et al. 1996; Nee et al. 2012).

Fig. 2 Cluster presentation of VMS. Labeled elements: Internet of Things, Cloud Computing, Cloud Manufacturing, Virtual Manufacturing System, Cloud Network Robotics, Augmented Reality, Virtual Reality

Despite VMS recently gathering a lot of momentum, the concept itself has been available for some time. To be specific, the original concept of creating real-world models in an AVR environment stems from the idea of artificial reality by Myron Krueger in the 1970s, which was later suggested as VR by Jaron Lanier in 1989. Initially AVR was presented as computer-generated 3D models with highly rendered animation for immersion in an interactive simulated reality (Ellis 1993). As for the terminology, the term VMS gained traction in early 1990 in the domain of aerospace, earth moving equipment, and automobile industries, which gave a wide opening for researchers to dig into VMS. Over time, the recognition increased, as did the surrounding facilities to allow this concept to evolve. One such enabling technology was VR, which served as the basis of manufacturing industry, targeted at meeting the opportunities of the consumers or producers of products as well as maintaining cost efficiency and measured lead times. Together with that, VMS has the potential to be the prime skill for swiftly developing data sets with technology infrastructure, as it comprises the rapid expansion of manufacturing practices without attracting too much cost on the operational time (Banerjee and Zetu 2001).

However, as with the success of any technology, many challenges are still being faced and hence there is a need for further development. More specifically, the pressure on manufacturing industries has increased due to increased customer demand and satisfaction toward the product. In the current context, customized and diversified products get more attention in the market. As products’ manufacturing procedures and designs are becoming more complicated, the process of decision-making in many specialties such as product designing, manufacturing industries, and production analysis requires many more parameters to be considered (Hitomi 2017). These types of decisions often turn out to be failures for the company, which causes significant loss to organizations. Such issues, therefore, generate the need for a robust and well-defined methodology for appropriate decision-making and process control when it comes to industrial applications. Unfortunately, making accurate decisions in these types of scenarios requires a lot of experience, some analysis report, or at least an expert’s suggestion. Even though helpful in the short term, none of them gives a definite picture of the future. In order to keep up with the development in the field of manufacturing, one needs to develop a capability to shorten the production and delivery cycles as per the customers’ needs and to adapt quickly to instant market changes.
The approach in recent times to handle such difficulties has been to review the concept in advance before proceeding with the actuals, thus ensuring the approach that results in the least cost. However, the cost involved in a change to any particular design in the theoretical design stage is basically the designers’ time to review and modify the changes. Once the conceptual design has been finalized, it needs to be released to production. At this stage, production fabrications in the manuals, approvals from the authorities, and many more associated issues can be costly. The cost of a change in design increases as the development of the product advances. It is therefore important that the designers get the feedback they need as soon as possible to ensure that the results are acceptable and maintained during the production phase. The goal of this project is to provide engineers with a way to develop, evaluate, and simulate a complex computer system without having to build the hardware mock-ups themselves. This method can help them save a huge amount of time and effort in designing and developing mock-ups. Due to the increasing number of companies that are adopting simulation technology to improve their processes and reduce costs, the time to develop new products is also reduced. This is why the use of virtual models and simulations is becoming more prevalent (Iwata et al. 1995; Onosato and Iwata 1993).

Overall, VMS has become a well-established method for product manufacturing and maintenance in different types of Industry 4.0 applications. However, given its current state of the art, there is room for improvement when it comes to consideration of performance, stability, and maintenance. Based on this, the next potential approach here is to effectively integrate the beneficial features of networked machine sensors (IIoT) and augmented VR with DT, to improve the system applications while meeting the customer demand for timely delivery and greater customization in the manufacturing industry. Therefore, in this work, a framework has been proposed to overcome the challenges of a traditional VMS by integrating IIoT with AR, VR, and DT and to validate this method by providing a use case of a real-world Industry 4.0 application of “automated mattress protector manufacturing,” where cloud-empowered VMS can be implemented in real time.

3 An Integrated Framework for Cloud Empowered VMS

In order to meet the requirements of flexible and dynamic manufacturing process, this chapter proposes an integrated framework for cloud empowered VMS that merges with IIoT, AR, VR, and DT, presented as follows.

3.1 Prepositioning of Components

The preliminary components for the cloud empowered VMS (presented in Fig. 3) comprise various subunits such as the physical shopfloor (PS), virtual shopfloor (VS), and DT. PS consists of a set of different entities that includes primitive machinery, network machine sensors, raw materials, and a stack of half-produced products, with intervention from engineers. Here the systematized order of production needs to meet the requirements of delivery as well as the cost and quality of production. On the other hand, VS is a cluster of models designed and developed in multiple dimensions, that is, the geometrical dimensions, physical appearances, machine behaviors, characteristics of the machine, and fundamental rules. The connecting thread is the cloud infrastructure (CI), which merges PS and VS and provides the platform for receiving the data from each entity in an optimized way. Besides that, CI also receives real-time data and analytical support from DT, leading to suggestions for predictive maintenance and multilevel optimization in the maintenance of the operation. In addition, DT allows fused data convergence from both the physical and virtual shopfloor, providing more comprehensive and consistent information. Therefore, in the proposed cloud empowered VMS, the CI serves as the lynchpin for an integrated service platform, where physical manufacturing data, virtual manufacturing models, and real-time analytical support are all brought into a single platform for an efficient manufacturing process with real-time implications.

Fig. 3 Block diagram representation of real-time cloud-empowered VMS

As depicted in Fig. 3, CI acts as the driving force for the complete VMS. For PS, the CI updates the production order, stock in hand, stock to produce, raw materials required to manufacture the order quantity, etc. In the case of VS, the 3D models and their working mechanisms and characteristics are built and updated according to the working status of the machine. This is done depending on various properties such as constraints, relations between the different system operations, and the rules of the physical shopfloor. Once the data has been fed to the VS, the CI tries to keep the workflow updated in agreement with future requirements so that it can keep track of the machine health status and the working nature of future load. Meanwhile, CI updates DT with the data received from PS and VS in order to analyze the machine health, its working status, and operation optimization. Based on the report from DT, the CI then updates the workflow for PS, which helps achieve a more efficient working model in a real-world context.

Therefore, the integration of all these heterogeneous mediums (i.e., PS, VS, DT, and CI) lays the foundation for a hybrid plant, which facilitates the hybrid manufacturing process. Furthermore, the hybrid manufacturing process improves the management level of all the operations of a hybrid cloud-operated shopfloor. Here the terms “hybrid cloud-operated shopfloor” and “cloud-empowered VMS” mean the same thing and include operations in the shopfloors such as intelligent production systems and networked distributed facilities. Overall, the proposed integrated hybrid plant manages to not only utilize the benefits of the hybrid cloud-operated shopfloor (cloud-empowered VMS) components but also enable hybrid manufacturing that can overcome the limitations of the traditional manufacturing methods and approaches and reach new heights in terms of efficiency and customer satisfaction.

In order to meet the aforementioned goals of the proposed scenario, the system requires a list of software and hardware that needs to be integrated in the context of cloud-empowered VMS. The following is the detailed outline of the hybrid cloud-operated shopfloor as well as the catalogue of the required software and hardware.

3.2 Specification of the Cloud-Empowered VMS Components

This section builds on the information provided about the positioning of the components and gives detailed specifications for the architecture of an industrial cloud-empowered real-time VMS, which consists of four interconnected entities, that is, the virtual shopfloor, the physical shopfloor, the DT, and the cloud platform (Fig. 4).

Fig. 4 Structural representation of shopfloor

1. Physical shopfloor: The physical shopfloor (PS) refers to the integration of physical machinery, which accepts instructions and performs tasks. The components here could include machine tools, manual workers, parts of different machines, and a network of machine sensors for temperature, pressure, height, level sensing, etc. Along with the capabilities of traditional practices, this layer should be able to match diverse, multiple sources of data and real-time assessment, depending upon IIoT capabilities.
2. Cloud infrastructure: The cloud provides platform-as-a-service to offer storage support and to interface with the physical shopfloor, the virtual shopfloor, and the DT. These technologies include wireless communication links with IIoT inputs, a network of machine sensors, analytical support, mobile devices, etc. The network used in this layer targets trustworthiness, real-time feedback, and accessibility. This layer also contains a data management block that handles production data, tooling data, apparatus data, material status, quality inputs, human resources, etc., all of which are the basis of the DT-driven hybrid shopfloor.
3. Virtual shopfloor: This layer consists of various virtual models, namely, symmetrical geometrical models, physical attributes of machinery, a behavioral input model, a data merging model, CAD models, and augmented models that help provide a simulated environment for pre-built production in the planning phase.
4. Digital twin: The DT refers to the integration of shopfloor data systems from the production planning phase to run real-time simulation, thus providing analytical support for improving the system performance. Here the analytical support for decision-making could include task scheduling, real-time examination of manufacturing supplies, quality examination, material assignment optimization, predictive maintenance, etc.

3.3 Software Technologies

3.3.1 3D Modeling or Development Tools

3D modeling is the process of developing a mathematical representation of any surface of an object (either inanimate or living) in three dimensions via specialized software. 3D modeling software is a class of 3D computer graphics software used to produce 3D models. Individual programs of this class are called modeling applications or modelers (Bai et al. 2019). A three-dimensional (3D) model represents a physical body using a collection of points in 3D space, which are connected by various geometric entities such as triangles, lines, and curved surfaces. 3D models can be created by hand, algorithmically (procedural modeling), or by scanning. Their surfaces may be further defined with the help of mapping. Figure 5 shows examples of 3D models created using one such 3D modeling package, 3ds Max. More than 50 3D modeling software packages are available on the market, each with a different purpose. The most relevant and useful 3D modeling applications are listed below.

3D Studio Max: Modeling, Rendering, and Animation Software

3ds Max has powerful rendering and 3D modeling tools that are helpful for creating professional-quality 3D animations, models, and VR visualizations. It is an efficient and flexible toolset that helps to create better 3D content in less time. It offers different modeling techniques such as polygon modeling, NURBS (Non-Uniform Rational B-Splines), and the Surface tool or editable patch object. Its own set of predefined primitives helps the user to create standard shapes and modify them easily with a predefined mesh, as shown in Fig. 5. With its extensive rendering coverage, it helps the user render a 3D object as close to reality as possible. 3ds Max supports many third-party rendering plugins that help the user utilize the machine's CPU and GPU for rendering. Third-party software such as scanline, mental ray, RenderMan, V-Ray, and Brazil R/S are the major examples of 3D model rendering software. 3ds Max has a built-in scripting language called MAXScript, used to automate repetitive tasks, combine existing functionality in new ways, and develop new tools and user interfaces. Entire plugin modules can be created within MAXScript.

Fig. 5 Vertices presentation of 3D models in 3D modeling software

SolidWorks: Solid Modeling Computer-Aided Design (CAD) and Computer-Aided Engineering (CAE) Computer Program

To determine the shape or geometry of the model or assembly, the software uses constrained parameters. The parameters can be numeric or geometric, and include tangent, parallel, concentric, horizontal or vertical constraints, line lengths, circle diameters, and more. To capture the intent of the design, numeric parameters can be associated with each other through what are known as relations. The design intent refers to the creator's idea of how the part should respond to changes and updates. For example, the hole at the top of a beverage can should remain at the top no matter the size and shape of the can. Using SolidWorks, the creator of the part is able to specify that the hole is a feature and remains on the top surface. The software will then enforce this specification and honor the design intent. The term feature within SolidWorks refers to the building blocks of the part. The building blocks include the shape of the part and the operations that construct the part. Shape-based features begin, before the shape is extruded, with a 2D or 3D sketch of shapes such as bosses, holes, slots, and more. Operation-based features do not begin in sketches and usually include fillets, chamfers, shells, and more. Although 3D sketches are used, designs in SolidWorks usually begin with 2D sketches. These sketches are made up of geometry including points, lines, arcs, conics, and splines. To define the size and location of the geometry, dimensions are added. Once the dimensions have been added to the design, the creator incorporates relations. These are used to define the geometric parameters mentioned above. Because SolidWorks is parametric in nature, the relations and the dimensions drive the geometry.
The dimensions used within the sketch can be independent or can be controlled through relationships between the dimension and other parameters, both inside and outside the sketch. In sketches, relations define the geometric parameters. In assemblies, the counterpart of sketch relations is called “mates.” Similar to sketch relations, mates define equivalent relations between the individual parts or components, which in turn allows for easier construction of assemblies. SolidWorks allows drawings to be created from both parts and assemblies. The different views are generated automatically from the model and notes. The drawing can be modified with dimensions and tolerances when needed.

Blender: Free and Open-Source Complete 3D Creation

Blender is a free and open-source 3D creation suite that can be used for developing creative ideas (“Blender, Made by you,”). It offers a range of 3D development features such as modelling, rigging, animation, rendering, simulation, compositing, and game creation (even video editing and motion tracking). Users employ Blender's API for scripting in Python, so as to customize the application and write specialized tools. In most cases, these are included in Blender's future releases. The software is aimed more at individuals and small studios, which benefit from its unified features and responsive development process. Its showcase presents a library of reference models that can be used for developing many related things. Blender is cross-platform and runs equally well on Linux, Windows, and Macintosh computers. Its user interface uses OpenGL to provide a consistent experience. To confirm specific compatibility, the development team regularly tests a list of supported platforms.

3.3.2 Photogrammetry Software

Photographs can be used to make measurements. This art and science is known as photogrammetry. This type of measurement is used especially to find the exact position of surface points. From a photographic image plane, the distance between two points can be determined by measuring the distance between those two points in the image in accordance with the scale of the image. This type of analysis can be applied to a photograph and can use remote sensing and high-speed photography to detect, record, and measure complex 2D and 3D motion fields. These motion fields are recorded by feeding imagery analysis and measurements into a computational model to assist in estimating the 3D relative motions with increased accuracy. Internal mappings use photogrammetry (Fig. 6) based on the x and y directions, whereas the more accurate data is found in the z direction.

Fig. 6 A peculiar shot of a warehouse in photogrammetry software

Zephyr Pro Software

Zephyr Pro is 3D modeling software based on photogrammetry technology. It includes tools that can be used in post-processing, measurements, 3D modeling, and content creation. The software also allows 3D reconstruction from photos and videos by extracting frames and selecting the most suitable ones for the computation. The software can only be used on Windows (“3DF Zephyr”).

Reality Capture

Reality Capture is photogrammetry software that creates a 3D model from photographs or laser scans (“Explore the possibilities of RealityCapture”). The features of this software include: (a) image registration, (b) projections, (c) georeferencing, (d) automatic calibration, (e) coloring, (f) texturing, (g) parallel projections, (h) DSM, (i) coordinate system conversion, (j) simplification, (k) scaling, (l) filtration, (m) smoothing, (n) inspection, (o) exports and imports. To run this software, a machine is required to be 64-bit with 8 GB of RAM, run Windows 7/8/9/10, and utilize an NVidia graphics card; however, it will not be able to create a textured mesh. Meshing, coloring, and texturing are out-of-core in Reality Capture, which avoids performance loss within the RAM during these processes.

Context Capture by Bentley Systems

Context Capture allows the production of complex 3D models without the use of specialized and expensive equipment. The software uses highly detailed 3D meshes to depict a precise real-world context for design, construction, and operations throughout the lifecycle of a project. The hybrid processing within Context Capture brings together both worlds: versatile and convenient high-resolution photography, supplemented by the additional accuracy of point clouds from laser scanning. The affordability of the software helps reduce the time and resources spent on the training associated with specialist devices (“Reality Modeling Software”). The 3D models produced can use photos of up to 300 gigapixels taken with an ordinary camera. These models can be produced quite easily using Context Capture. The results are models with finer details, sharper edges, and geometric accuracy. A 3D CAD module can be used for editing and analyzing the real data to help extract value from the reality modeling data. The Context Capture Editor also allows easy manipulation of meshes of any scale. The meshes can be integrated with GIS and engineering data to allow an intuitive search that supports the design process.

3.3.3 Cloud Platform

The CC platform is an on-demand delivery of computer power, database management, storage, and other resources that can be accessed via the Internet. This form of access to applications and storage allows versatility and efficiency that were not available before. It allows those with access to visualize and manage the data. From research conducted, it was found that by 2025, almost 90% of the global market will move to CC. To successfully achieve this future, the architecture of the cloud needs to be understood. The cloud infrastructure, as the name suggests, is a virtual space. Within this virtual space, the user is provided with a virtual machine that consists of all the parts required to make a workable machine, all within the virtual space. This reduces the use of local servers, which in turn reduces the hardware and maintenance required to keep physical machines. To achieve all that CC is capable of, three main cloud-based platforms are described below:

A. Amazon Web Services: Amazon's success is proportionate to its dominance within the cloud market. Amazon has held a share of the cloud market for over 10 years. The reason for the popularity of Amazon Web Services (AWS) is the scope of its operations (“AWS”). To keep up its operations, AWS has a complex network of worldwide data centers. Although it is one of the biggest competitors in the cloud market, the biggest weakness of AWS is cost. When running a high workload on the service, AWS finds it quite hard to meet the costs required for maintaining such an impressive level of service.
B. Microsoft Azure: Although a late arrival in the cloud market, Microsoft Azure (“Microsoft Azure”) was able to enter the market by taking the software that Microsoft already had on-premises and repurposing it for the cloud. Another reason for Microsoft's success with Azure lies in its ability to attract several leading companies to use Microsoft's software, thus ensuring its reputation and reliability.
C. Google Cloud Platform: The Google Cloud Platform (“Google Cloud Platform”) specializes in slightly different things from Azure and AWS: it offers Big Data, analytics, and machine learning. Today it offers load balancing for larger-scale operations. The different Google data centers generally provide a fast response time. Although GCP has several advanced features, Microsoft Azure and AWS have a variety of software and features that make them more appealing than GCP. GCP is therefore generally used as a secondary provider due to the appeal of AWS and Azure.

3.3.4 Cloud Deployment Strategies

Cloud deployment has become quite complex with the growth of products. Nowadays, an application is required to handle traffic bursts to attain a real-scale architecture. Because of the emerging demand to add new features and deploy fixes several times a week, the process of deployment itself becomes complicated, especially since moving servers is difficult. The following are some challenges of deploying a cloud application using outdated strategies:

• Difficulty in scaling out: Without a manual process, it is not possible to scale out unless there is a deployment plan that helps to add new servers on demand. This becomes a common challenge, as dependence on the manual process lowers performance efficiency and does not allow extra servers to be added.
• Manual replacement for server outages: Cloud-based applications should be robust to server outages by replacing servers with the help of automated deployment. Manual deployment takes more time to replace or recover a failed server.
• Application release during maintenance window/timeframe: Scheduled downtime for an application release is required if the deployment takes more time than expected. Furthermore, immediate actions such as bug fixing and deploying new features should be avoided if the release is during the maintenance window.
• Runtime faults through deployment: To prevent some requests from behaving differently, servers must run the same version of the code base; otherwise some requests may produce different outcomes than others, which makes it difficult to troubleshoot errors that occur out of nowhere and are hard to debug. Runtime errors are common during long application deployment processes or rolling deployments involving several servers.
• Unstable deployments: Some deployments succeed in some environments while unpredictable errors arise in another environment, such as the production or UAT environment, resulting in unstable deployment.
• Deployment breakdown: If an error is detected after the deployment and the deployment cannot be rolled or changed back, then it is obligatory to run the erroneous version of the application until the error is fixed. During a deployment breakdown, the application will be down or unavailable until an error-free version is deployed.
• Rare production deployments: Deployments to the production environment should be kept frequent; otherwise, the probability of errors after application deployments increases significantly.

Deployment Strategy 1: Minimizing the Actual Downtime

There are proven strategies or approaches for reducing the actual downtime, such as removing servers and performing deployment steps in the background. Removing servers and then re-adding them is often called serialized deployment. This common strategy works for nearly all deployable programming scripts, frameworks, and server environments. Another important aspect of deployment strategies is that deployment can run in parallel on all the servers of the domain at a single instance, which is often called parallelized deployment. Considering the whole infrastructure as independent instances, the deployment strategy can be altered to run independent deployment steps in parallel. Further, the entire stack of the cloud infrastructure needs to be executable in all the latest instances. An important thing to note is that not all applicable approaches may work or best fit the team process. Automation support is the key aspect that plays an important role in finalizing the appropriate downtime.
Deployment Goal 2: Rollback on Failure

The automated process works without error in most instances, but there may be occasional deployment failures. These can occur for several reasons, such as a software bug, issues in the deployment steps, or sometimes even infrastructure failures. The ability to roll back at any point is the key to restoring the application to a suitable stable version. If this has not been taken care of while deploying an application, there will be prolonged downtime. The rollback process of the application should include steps such as:

1. Reverting to the previous stable version as soon as possible and restarting the processes associated with the application.
2. Updating DNS entries to the previous versions with which the infrastructure was working, and reworking the available services.
3. Reverting the recent database changes with migration steps.

If an application does not follow the above steps, it will be hard to return all instances of the application to working order, and the rollback will be delayed.
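As an added illustration (not code from the chapter), the following Python simulation runs a serialized deployment, as described under Deployment Strategy 1, and applies the three rollback steps listed under Deployment Goal 2 when a health check fails. The server, rotation and database objects, all names, and the sample fleet are constructed assumptions, and the schema migration is assumed to be backward compatible with the stable version.

```python
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    version: str
    healthy_versions: frozenset      # constructed test knob: versions that start cleanly here
    in_rotation: bool = True         # True = DNS / load balancer sends traffic to this server

    def install(self, version: str) -> bool:
        """Install a version, restart the app, and return the health check result."""
        self.version = version
        return version in self.healthy_versions


@dataclass
class Database:
    schema: int = 1

    def migrate(self, target: int) -> None:
        self.schema = target         # stands in for running up/down migration scripts


@dataclass
class Result:
    status: str                      # "deployed" or "rolled_back"
    log: list = field(default_factory=list)


def rollback(touched, db, stable_version, stable_schema, log):
    """Apply the three rollback steps to every server that was already changed."""
    for srv in reversed(touched):
        srv.in_rotation = False
        if not srv.install(stable_version):      # step 1: previous stable version + restart
            raise RuntimeError(f"{srv.name}: stable version failed its health check")
        srv.in_rotation = True                   # step 2: restore its DNS / rotation entry
        log.append(f"rollback {srv.name} -> {stable_version}")
    db.migrate(stable_schema)                    # step 3: revert the database migration
    log.append(f"db schema -> {stable_schema}")


def serialized_deploy(servers, db, new_version, new_schema):
    versions = {s.version for s in servers}
    if len(versions) != 1:
        # A fleet already running mixed code is the "runtime faults" case: refuse to add to it.
        raise ValueError(f"fleet is not on a single version: {sorted(versions)}")
    stable_version, stable_schema = versions.pop(), db.schema
    result = Result(status="deployed")
    touched = []

    db.migrate(new_schema)   # assumption: migration is backward compatible with stable_version
    result.log.append(f"db schema -> {new_schema}")

    for srv in servers:
        srv.in_rotation = False                  # remove the server before changing it
        touched.append(srv)
        if srv.install(new_version):
            srv.in_rotation = True               # re-add it only after a passing health check
            result.log.append(f"deploy {srv.name} -> {new_version}")
            continue
        result.log.append(f"health check failed on {srv.name}")
        rollback(touched, db, stable_version, stable_schema, result.log)
        result.status = "rolled_back"
        break
    return result


def make_fleet(bad_server=None):
    """Constructed sample fleet of three servers on v1; bad_server cannot run v2."""
    fleet = []
    for name in ("app-1", "app-2", "app-3"):
        ok = {"v1"} if name == bad_server else {"v1", "v2"}
        fleet.append(Server(name, "v1", frozenset(ok)))
    return fleet


if __name__ == "__main__":
    for bad in (None, "app-2"):
        fleet, db = make_fleet(bad), Database()
        outcome = serialized_deploy(fleet, db, "v2", 2)
        print(outcome.status, [s.version for s in fleet], "schema", db.schema)
        for line in outcome.log:
            print("  ", line)
```

Because only one server is out of rotation at a time, a failed health check leaves at most one server to recover before the fleet is back on a single version.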

Deployment Goal 3: Script Everything

Any step in the deployment process that is not scripted is a step that can introduce human error. As the deployment process is established, build scripts to perform repetitive tasks. Doing so will prevent skipped steps or typing errors that can sabotage a deployment. Deployment scripting may be handled using server configuration automation tools or build automation tools such as Jenkins, Codeship, Bamboo, GoCD, and others.

Deployment Goal 4: Version Control Everything

The code should be versioned and tagged upon release to ensure that a complete snapshot of the application is available at any time. Additionally, version and tag deployment scripts alongside application releases. This will provide insight into changes over time and allow for application rollback using the proper set of deployment scripts. Script versioning will also serve to capture the change history of the deployment process over time.

Deployment Goal 5: Continuous Integration and Deployment

As the application grows, it is important to know when changes to the code may break the application. Here, automated test coverage is a great way to ensure that the application is functioning as expected and that fixed bugs do not regress. By automating the build and integration testing of the application (when code changes are committed to a central branch), teams can know immediately if those changes broke any tests. This technique is known as continuous integration (“CI”). CI builds upon the practice of using automated tests, automated deployment scripts, and version control for application deployment. It has become commonplace for many software product companies. Continuous delivery is the practice of automating the complete process of building and deploying a release to a specific environment that may require additional review or acceptance before final deployment. The goal is to deploy early and often to minimize the number of changes between releases, thus avoiding the “big bang” deployment problems of major releases. Continuous deployment differs from continuous delivery in that the goal is to fully automate the flow from code changes to production deployment through a series of automated processes within each application environment. While a feature may be deployed into production, its exposure may be limited to internal teams, select customers, or all customers through the use of feature toggling.

Deployment Goal 6: Repeatable Deployment Across Environments

Applications commonly have more than one environment:

• Development/Integration – where developers deploy the most recent features for integration and developer testing.
• QA/UAT – where internal testing and customer acceptance testing (where applicable) verify quality and expected behavior.
• Staging/Pre-Production – mirrors a production environment, including copies of production data when possible, to surface any final issues or data migration failures.

As the latest changes to the application move forward to each environment, different teams qualify the changes to ensure a stable release into production. If the cloud infrastructure, resources, and/or settings vary greatly, bugs may be introduced that are difficult to troubleshoot (or missed completely until a production release). To avoid this possibility, versioning is applied to the infrastructure automation scripts as well as the deployment scripts. Table 1 summarizes the strategies and related deployment measures detailed earlier in the chapter.

Table 1 Cloud strategies and relative measures of deployment

The CC platform was an on-demand delivery of computer power, database management, storage, and other resources that can be accessed using the internet. This form of access to applications and storage allowed (Monostori et al. 1996) real-time synchronization, versatility, and efficiency that were not available before. It allowed seamless storage of large data sets and access to visualization and management of the data. From research carried out, it was found that by 2025, almost 90% of the global market used CC platforms (Wood, August 21, 2020). Hence, future-proofing required instigating a cloud architecture to reduce the use of local servers, minimizing the hardware and related maintenance requirements. CC was the greatest invention of the era, especially for the integration of various technologies such as IoT, DT, and ML. However, CC was limited by latency issues when used in the context of IoT. Manufacturing systems required large data set transfers between machinery and sensors through the cloud, resulting in computing inefficiencies. The real-time computing powers of the VMS framework for machinery required low latency in communication and high reliability in computational tactics. One of the solutions for the latency barrier was the use of fog computing. Fog computing covered a discrete area of manufacturing to reduce the latency in communication from sensors to the cloud (Li et al. 2018). But introducing another technology added complexity to the system, consequently resulting in unpredicted errors from the system management. Alternatively, connecting sensory data to the cloud by bypassing the data transmitters or propagators was another solution. Connecting the data to the edge of the cloud decreased the latency, which resulted in high reliability of the VMS (Lin and Lu 2011; Linthicum 2017). Once the sensory data was collected, the data needed to be processed. Validating these data in real time was much more complex and time consuming. The data processing used potential solutions such as fog or cloud edge solutions. After that, resource allocation was done through the management system for processing the required data. Another frequent concern was the lack of resource optimization, which resulted in data ambiguity with unforeseen errors. To overcome these issues of resource optimization, a fundamental procedure to pilot test the cloud-centric virtual shop floor became essential (Maenhaut et al. 2017). Resource management in the cloud results in unforeseen errors when data demand is high within a very short amount of time. To resolve these errors in CC, specific novel algorithms needed to be fine-tuned or rewritten based on the previous data sets. VMS has the unique characteristic of demanding service-oriented networked manufacturing. This approach involves the optimization and composition of several complex operations, which yielded dynamic operations of the shopfloor. Many authors around the world have proposed several frameworks.
Furthermore, these frameworks consisted of integrated CPS, along with major technological alliances such as a communication protocol between online (cloud) and offline services (physical machine). VMS constitutes a formulated and structured form of component manufacturing, with theoretical approaches taking an open-point approach to address the complex operations (Liu et al. 2011). Along with the VMS, major technological verticals such as 3D printing of cyber models have gained enormous interest in recent years in terms of industrial advances, designing, manufacturing, and research as well. Many researchers around the world have proposed how VMS can support national growth in terms of the economy, and future developments were highlighted with in-house manufacturing (Jawad et al. 2019). Innovation in manufacturing along the Industry 4.0 standards has gained prominent importance in the recent era with the integration of cloud manufacturing (CMfg) and IoT to overcome the conventional structure of the modern shopfloor. An assessment tool for VMS had been suggested by researchers in Korea, which was used along with current manufacturing practices to understand the behaviors of characters and the future aspects of the organization. Comprehensive and intuitive criteria had been identified to measure the readiness and the smartness of the shop floor. These kinds of assessment tools assist medium-sized and small-scale enterprises to place more emphasis on the approaches toward Industry 4.0. Interconnection between the strategies of implementation, addressing issues, and approaching smart solutions was intended to be the main goal. However, the solutions that were in current industrial practice did not address configuration and customization. To resolve these issues, an IIoT hub was proposed by researchers, which comprised customization and programmed connection between the heterogeneous operations and services, which were encapsulated and differentiated from individual behaviors. Addressing these heterogeneous properties has expanded their competition across characteristically differentiated manufacturing industries. Because of the global competition across the industries, competitors have shifted their concentration toward the automation of their industries along with the implementation of advanced manufacturing technologies in the production line. The main goal of implementing these technologies was only internal growth toward operation optimization and manufacturing efficiency (Lee et al. 2018). SMEs were in great need of the advanced manufacturing practices mentioned above. CMfg was one of the major tools that assisted major industries in gaining productivity, with more emphasis on high production volumes, better communications (cloud-enabled communications), and computational services. The concept detailed above was defined as CMfg, which has the greatest potential for raising the competitiveness of complex manufacturing industries. A complex industry such as textile manufacturing has an enormous number of products in its portfolio. To align development, design, implementation, management, and computation, registering the concepts and the operations onto the cloud needed to be structured systematically (Bai et al. 2019). The challenging task in CC was to manage services such as pluggable inputs and outputs and plug-and-play services. These were highly beneficial for assisting with the realization of a smart factory enabled by the cloud.
Researchers have proposed many frameworks for cloud-based intelligent services such as edge computing, CC, and REST-based web services. One proposed framework comprised dual RESTful services to enable a pluggable application module (PAM). Production management in manufacturing processes was handled remotely on an intelligent platform supported by PAMs to target individual services. This kind of framework has been tested for fast and reliable deployment of VMS using cloud services. Furthermore, these applications of PAM can also be extended to facilitate predictive maintenance (Fan and Chang 2018; Liu et al. 2018). In addition, the deployment of these technologies on a cloud platform often faces confusion in choosing among the types of cloud deployment strategies. To define a clear path for choosing the appropriate type of cloud, this chapter discusses the various “cloud deployment models.” It was found that there were many ways the cloud can be integrated and deployed to design the models, so as to enhance current practices. Cloud deployment could be defined by the location of the infrastructure to be built, the control authority of the infrastructure, and the designed model category. An important aspect of deployment was to select between the four major varieties of cloud models, which are the following:

Public Cloud

In recent years, the public cloud has been an influential model, generally created on demand for third-party users. Servers created on a public basis are only for on-demand public applications over the internet for third-party users. The resources stored in the cloud server are offered on a pay-per-usage basis, with the user paying the provider. Some of the resources are standard and supplied for a set amount, and others are offered on demand, with costing based on quotes. The major market shareholders for cloud sources are Amazon, Microsoft Azure, and Google Cloud Platform. These cloud providers have extended their branches extensively across the industry. These providers help in automating a complex manufacturing industry. Studies of cloud deployment suggested that security was the most prevalent challenge, apart from latency issues, when storing data in the public cloud domain (Hahn et al. 2018; Kaneko et al. 2017; Kim et al. 2015; Ko et al. 2014; Li and Yang 2018; Liao and Su 2011; Malatpure et al. 2017; Mangal et al. 2015; Min et al. 2011).

Private Cloud

This type of cloud deployment model offers a private space or network for computational services. The private cloud was found to provide extremely versatile and accessible service points that are locally managed by regional data centers. The literature has suggested that the assigned access points were designed to adapt the private cloud to the existing system (Naik et al. 2013). Private cloud deployment was found to be more secure than public cloud. The major drawback of these systems was discovered to be the high-cost investment, as the core of the system design was done by local administration.

Community Cloud

This type of deployment was similar to private cloud deployment but with one major difference. Task optimization in a single cloud with tasks of a similar nature happens in the background rather than on the consumer end. Several organizations share the cloud resources and infrastructure to address a similar set of issues and benefits.
If the shared organizations had uniform security, performance, and privacy optimization, then the community cloud addressed by the help of the data centric architecture (Bellini et al. 2015; Carson et al. 2019; Chen et al. 2018; Gordon 2016; Khan and Freitag 2017). This extension was often used in managing several multi-operations of manufacturing to share the limited and optimized resources. Hybrid Cloud Hybrid deployment was the mixture of public and private cloud services. This type of cloud deployment handles the tasks and computational services on priority basis. Real-time computational services are handled by onpremises private cloud provider whereas the latency carried services are often managed by public cloud (Gordon 2016; Grefen et al. 2016; Linthicum 2016; Loghin et al. 2019). Scalable information needs to be stored and used according to the task priority. This deployment needs to be more redundant and proactive compared to other type of deployment because of its dual nature of computational promises. There were many challenges due to the limitations during the implementation, services, computational ability, and efficiency in terms of data handling and virtual

23 Cloud Empowered Real-Time Virtual Manufacturing Systems

745

machine management. These major terms required several considerations when implementing a real-time environment. The following session provides details of the service models that are available in the market as well as the existing trends required to complete the functionality of the model.

4 Use Case of the Cloud Empowered VMS

For the VMS application mentioned in this chapter, a use case of Automated Mattress Protector Manufacturing was considered to validate the framework. Based on that, the proposed cloud-empowered VMS can be developed for an automated hybrid assembly line operation. In order to do that, the first section of the chapter explains the design of the components in accordance with the proposed framework.

4.1 The Physical Shopfloor Components

As highlighted in Sect. 3, the PS components are utilized in the production order and quality testing stage. Therefore, the hardware used in this section is required to not only have sensory features to enable actuation, but also capability to communicate with other devices through IIoT networks for a fully automated production preparation phase. In the context of the industrial use case, the PS components selected for the operation of Automated Mattress Protector Manufacturing are as follows.

4.1.1 ETON 5000 SYNCRO Production System

The Eton system for home textile industries is a fifth-generation hardware platform geared toward real-time operation for smoother production management and material handling. Chosen as the lynchpin for the physical shopfloor, the ETON 5000 consists of overhead conveyors that have individually addressable product carriers capable of finding the path to the precise operation, thus eliminating manual transportation and minimizing handling cost (“Manufacturing of plastics, cabling and medicals” 2019). The monitoring support provided as a result of the interconnected computer network also helps by supplying the necessary data for accurate measurement and optimal process management. Besides, it allows modifications to be done rapidly (during production line changes) and expansion to take place when needed. Overall, ETON 5000 is a flexible material handling system, which increases speed and productivity radically, ensures an optimized workflow, allocates time to add value to the products, and provides cost saving (“ETON To Display Extended Range ETON 5000 Production System At SPESA EXPO 2010” 2010) opportunity in its operation, making it a suitable choice as PS component. Figure 7 presents the ETON 5000 Syncro Production System, which explains the transportation of all the pieces of one unit of product (i.e., for mattresses – panels, borders, zippers etc.) through different stages of production (on a product carrier), as part of the whole manufacturing process from pieces to production, resulting in a cost-efficient product (between 30% and 100% efficiency in terms of time, space utilization, and productivity). ETON 5000 is chosen as a production system (as a PS component) for the proposed framework (cloud-empowered VMS), where the unique system tool provided by ETON offers a wide range of options for hardware and software integration as well as smooth manufacturing through RFID application.

Fig. 7 ETON 5000 Syncro Production System (“ETON To Display Extended Range ETON 5000 Production System At SPESA EXPO 2010” 2010)

4.1.2 AUTOMATEX CPT4700 Panel Cutter

The Automatex CPT4700 (Fig. 8) is a state-of-the-art automatic panel cutter, where one or two lanes of fabrics are designed to be fed tensionless to the length and into a cross cutting unit. The prime features of the CPT4700 that ensure high-quality output are: (a) electronic edge guiding system, (b) servo motor measuring system, (c) automated fabric in-feed tensioning system, and (d) programmable length counter with touch interaction capabilities. It is also able to provide remote-control access as well as an evacuation conveyor, which increases its market value. Figure 9 presents the detailed components of the Automatex CPT4700 Panel Cutter (“Home Automated Units”). For the purpose of the proposed operation, choosing the appropriate version of output needed to be considered. This output capacity of 8–12 cuts/min (which may depend on size), along with fabric width and cut length of 50–320 cm, was an ideal example. Furthermore, its power supply specifications are 208 V, 3 Phase, 50 Hz, and 1.8 kW rating. With an air consumption of 6 bar/100 min and net weight of 2600 kg, it is an upgraded choice over other manual operations (additional benefits) with more accuracy and less human interaction, making it a highly suitable choice for application.

Fig. 8 CPT4700 cutting machine panel cutter

Fig. 9 Operational flow of cutting machine

4.1.3 AUTOMATEX MULTITEX 3300-2000

The Automatex Multitex 3300-2000 (Fig. 10) is an automated folding machine that is designed to fold flat and book-fold the cardboard in flat products as well as in case of fitted sheets (“Home Automated Units”). The system is designed to have two sections: a loading and a pre-fold section that may include three cross folds and two laterals, all of it with a double roll-off stacker. Depending on the size of the operation, the number of operators may vary (one or two), which will enable loading of the product on a vacuum conveyer with a view to holding the product in the appropriate position. It is further facilitated by the XV laser system. The pre-fold section has the cardboard inserted, with two lateral sections being equipped with brushes so that it holds the material in the correct place. As for the cross-fold section, it operates on a “swing-arm” principle. The automatic press unit is connected on the last cross-fold station to ensure that the quality of stacking is maintained. This helps during the finishing stages when the folded and stacked products are transported to the exit conveyer once the process is completed. Figure 11 represents the operational flow of the folding machine. Similar to the panel cutter, the Automatex Multitex 3300-2000 also has some critical features that make it a strong choice (remote control access, interactive touch features, higher efficiency). Furthermore, some unique features are prominent as well. For example, a motor-activated folding blade controls the operation, while the double roll-off stacker suggests its higher capacity. More importantly, its design of the cardboards allows easy access while providing automatic adjustments for flexibility in its operation. The technical components for the operation of an Automatex Multitex 3300-2000 are presented in Fig. 11. For the purpose of the given operation, the selected technical specifications are presented as follows: the output capacity of 12 units per min, the product size of 800 × 1000 mm to 3200 × 3200 mm, the folded size of 200 × 230 mm to 400 × 400 mm, and the power supply of 208 V – 3 phase – 50/60 Hz – 3.1 kW. Finally, the net weight of the component is 9300 kg.

Fig. 10 Multitex 3300-2000 folding machine

Fig. 11 Operational flow of folding machine

4.1.4 Available Industry 4.0 Packaging Solutions

The next step of the operation would include the integration of Industry 4.0 packaging solutions. Due to the variety in package dimensions and the considerably large number of Stock Keeping Units (SKU), there are several types of solutions that can provide on-demand packing, as shown in Figs. 12 and 13, which show the two major brands that provide on-demand packing solutions, and on-demand printing, both of which are crucial for successful integration. For example, Packsize (Partnered w/VISY) (“X7 Packing Machine”), ABBE PYT LTD, and CMC CartonWrap (“CMC CartonWrap: The Unique 3D Box on Demand Machine”) are currently leading providers in Australia for on-demand packaging solutions. In terms of service, all of them offer similar features and functions. In fact, both utilize corrugated cardboard for packing purposes, which complements the global mission of bio-degradable packing throughout the product range. Furthermore, additional customization for their automatic carton packaging systems is capable of creating dynamic cardboard boxes from simple and inexpensive (yet continuous) fanfold corrugated material in real-time. This is managed automatically through real-time product recognition or direct extraction from a database, hence guaranteeing high flexibility of processing. Nevertheless, it brings about a potential challenge in branding the product post packaging with vital information and graphics, which is difficult to achieve in real-time as per product. In order to overcome that, there are some solutions presented for on-demand printing, even though they are either too expensive or difficult to integrate out of the box. Trojan® T3-OP (Fig. 14) and Limitronic V6 Titan (Fig. 15) are two such systems that enable high-quality, color printing for different sizes and resolutions. Additionally, it comes with ALTech ALline E – Front & Back Labeling (Fig. 16) that helps satisfy specific labeling requirements while applying tamper-proof seals to product caps. In particular, the labeller is equipped with the function to save any parameter for specific label-product combinations and regulate the different units for format/product changes in a simple manner with high precision. All of the above-mentioned features make the combination of printers an ideal choice for the operation, where a custom print and label on-demand solution has been devised in an efficient manner.

Fig. 12 X7 packing machine from Packsize

Fig. 13 CMC carton wrap 1000

Fig. 14 T3 OP

4.2 Proposed Hybrid Virtual Manufacturing Process

The proposed assembly line of the hybrid VMS integrates AR, VR, and cloud services with physical machineries as part of the same virtual manufacturing system. Based on the components presented in Sect. 4.1, the application is set up in the context of an automated mattress protector manufacturing. As the process includes the cooperation of various heterogeneous modules, the chapter presents the overall integrated system pictorially in Fig. 17.

Fig. 15 V6 Titan

Fig. 16 ALline E

4.2.1 The Details of the Components

As seen in Fig. 17, the modular presentation of the VMS consists of the following sections:

• The Physical Shop floor consists of hardware machineries for cutting (CPT4700), production and material handling (ETON Synchro 5000 System), and packing machine (Packsize X7). These machines constantly provide automated service and are monitored by local engineers for further maintenance and monitoring work. Alternatively, the machines also have sensors embedded that enable real-time data to be fed to the system. It is also integrated with the RFID along with ERP Systems for real-time stock management, order management, and emergency order or order dispatch management. Internet connectivity allows these components to provide the data to the cloud.
• Another key component is the AVR platform that is geared toward identifying approaches for research and development purpose of the manufacturing line.
• The analytical support regarding management/computation/decision-making related to stock management, machine operation, and approach modification (via DT) is provided through a cloud infrastructure that has the required capability.
• The critical component is industrial connectivity software that works as the lynchpin for this system. This software is the central communication platform that accepts the inputs from the physical shopfloor, RFID integrated ERP systems, and AVR development platform. From this point, all the information is transferred to the cloud through a two-way communication.

Fig. 17 Modular presentation of VMS

In the context of automated mattress protector operation, the manufacturing unit includes a number of units that work collaboratively with other verticals in a rhythmic pattern, interacting with each other to yield a mattress protector that meets the precision with great efficiency. As mentioned, the automated mattress protector manufacturing system needs a specific panel cutting machine (CPT4700), a real-time customizable packing machine Pack size-XP, sewing machine Rimac 396H, and ETON Synchro 5000 systems (as shown in Fig. 17), all of which are referred to as the physical equipment. As part of the methodology, the machine’s efficiency of work toward the protector manufacturing, the computational cost relative to the existing practice of manufacturing, the amount of resources required such as human and power resources, safety measures, and the lead time to carry out an operation are estimated to channelize the proficiency of each individual machine, thus helping understand if an improvement is needed. Furthermore, it helps engineers on the shopfloor to work with ease and in a precise manner, and at the same time inspires more industries to follow the same path. Complementary to the physical shopfloor, the proposed hybrid model suggests using a virtual machine to monitor the work characteristics of the machine with the help of the high-end technologies IIoT, DT, DA, AVR, and ML. Here each of the aforementioned technologies serves its own unique purpose. For example, ML analyses the collected data from machines to run learning algorithms and give out predictions and estimations about the machine’s characteristics. Furthermore, algorithms are programmed to attain a stable and consistent growth toward better work efficiency and are stored in a cloud platform (as cloud has the capacity to hold massive amounts of data, content, or information). As for VR, it creates a virtual scope of a physical apparatus which replicates its existence to near-reality so that the user does not have to be physically available or have a physical equipment to determine the work characteristics of any machine. Finally, DT refers to a platform that lets the user monitor work carried out by a machine in a virtual environment that internally is connected to the physical environment. Additionally, this virtual replica of the physical machine is in running mode or twin mode. All of these are intertwined and used for mattress protector manufacturing, where machines perform proficiently without the help of much human labor and instead humans concentrate on better work than these laborious ones. On the rightmost part of Fig. 17, a VR represents the virtual apparatus of the machines. In the context of operation, it refers to the virtual apparatus of cutting machine CPT4700, that is, CPT4700 will be visualized virtually as a machine altogether sitting in any part of the world with the help of VR equipment (e.g., Oculus Rift or Google daydream or any portable VR equipment). Wearing it lets the user see a virtual machine in front of them that imitates/virtualizes the real machine while not being physically present in the manufacturing factory, thus helping to note the performance of the cutting machine. The characteristics of the physical machine, that is, time-period, dimensions, temperature-variant, speed, load, are noted. In the same way, this virtual cutting machine gives out the same characteristics of the machine, but virtually. All the above three units are connected to a cloud platform (e.g., Azure, AWS, or Google cloud server) where learning algorithms (ML) play a prominent role; they are fed with inputs of CPT4700 characteristics to predict or estimate the work efficiency, performance rate, etc. of the virtual and physical machine, which will be integrated as a part of DT technology. In this way, the proposed work not only improves upon the current setup for mattress protector manufacturing but also widens the scope of study in this field to achieve further success in the domain of smart factory in the future.

4.2.2 The Operation Process

Based on the aforementioned components and the proposed framework, the assembly line operation of a single unit automated mattress protector manufacturing utilizes the components presented in Fig. 18. The cutting machine CPT4700 is used as the physical machinery whose work characteristics are to be predicted. The goal is to estimate the work characteristics of this machine virtually. As shown in Fig. 18, industrial connectivity software (ICS) is a unit that collects data from CPT4700 and stores the data for multiple scenarios from the sensors like electricity, heat, speed, and many more. Scenarios such as the electricity consumption by the machine for manufacturing a king-sized mattress protector, the amount of heat produced when the machine runs continuously for 8 h, the heat produced when it works only for an hour, the speed of work, etc. will be monitored. Furthermore, it collects data on how efficiently CPT4700 worked for various targets, which is preprocessed for computation (including battery efficiency of the machine while the machine is working and the battery output when the machine is at rest, etc.). On the left side of Fig. 18, an ERP system integrated with RFID stores information on every small detail of the machines in the factory such as live-stock, data management, orders placed, machines delivered, machines in-repair state, etc., which are stored securely in the ERP system with the help of RFID, as each machine is allocated a unique RFID. This unique RFID stores systematic information of each machine in the factory.

4.2.3 The Operation Flow

This section elaborates the production flow of the use case, that is, how a mattress protector manufacturing operation flow is conducted (as depicted in Fig. 18) for the proposed framework. The operation begins once the production order is generated, and it is passed on to verify production planning and resource management. Then the flow is divided into two verticals with a view to simplifying the process planning and resource allocation. Here, this allocation helps the production planning to accumulate the required planning, data acquisition, data simulation, task offloading, and the future prediction analysis. As for the resource management, it is further divided into two verticals, the process and inventory management, to help with utilizing the available resources for manufacturing purposes.

Production Planning

In production planning, once the order for a mattress protector comes into the factory, the order must be planned. In this case, planning can be done only if the user has the previous history of a similar order. Else the planning team needs to plan according to the resource availability. A user cannot create a new plan every time for each order, and therefore needs to be assisted with advanced technology to pace up his credibility toward the work and increase efficiency. Either way, based on the proposed framework, the operation is complemented toward this approach, as the preproduction planning block of the flow is initiated. In this block, historical data will be analyzed to plan the intended production. Once the order comes into the preproduction simulation, it is matched with the similar available historical data to give the user an estimated time of arrival (ETA) of that particular order. After the preproduction is done, the simulated data is stored for future reference. In this context, the data management will be done in a sequential manner so as to accomplish the futuristic simulation as well. Once the data acquisition is accomplished, the next task for the planner is to assign the task (offloading). The planner must manage the set of commands to achieve the best possible solution for the resources available. He matches these resources with the availability of resources in the virtual environment, which provides the estimated time of production (ETP). While simulating the ETP, there are several precautionary measures that need to be followed, for example, machine breakdown, machine maintenance, unexpected power shutdown, and inefficiency of the machine operator. In order to overcome all these issues and unexpected errors of the physical world, this range of issues has to be simulated in the virtual world. Such tasks would be well handled by the important block of the virtual or digital world, called predictive analysis. Here predictive analysis gives in-depth analysis of unexpected errors and scheduled maintenance depending on the previous history of a mattress protector manufacturing plant, which helps with the planning process.

Fig. 18 Operational flow of production in VMS (flowchart; block labels: Production Order, Production Planning, Resource Management, Stock Inventory, Pre-production Simulation, Production Simulation, Task Offloading Activity, Predefined Production Simulated Data, Product Testing, Production Preparation, Data Accumulation, Data Acquisition, Cutting, Task Management, Sewing/Knitting/Lamination, Predictive Analysis, Folding, Packing, Fails, Pass, Finished Goods)

Resource Management

The next loop of flow in the production line is the resource management, and it is furthermore divided into two major verticals, process flow and inventory management. Inventory management is required to manage and supply the required materials for the production of a particular order of mattress protector. Once the order is simulated in the virtual world and the test results of the virtual world satisfy the planner, the order is passed on to the inventory manager to supply the required materials needed to process the order. Once the stock inventory is done, the next set of action is to manage and match the process data with the simulated data, which will enable the data for the production order to be generated in accordance with the requirement. This data is different from the simulated data in the virtual world for many reasons such as material defects, machine defects, machine operating environment restrictions, and other practical issues. Hence these data need to be properly managed and logged to overcome future delays in production progress. Once all these tests are completed, the data is accumulated in the next block for use as future reference. The next block of production flow is the manufacturing process. After receiving the required materials and mattress protector orders from the planning team, the next stage is to offload the tasks in the practical or physical world. Tasks will be offloaded according to the job priorities and process flow. After that, the production preparation decisions need to be made. For example, a cutting machine needs to be assigned to a panel which is cut in a particular way for a given set of orders. The Eton lines or a conveyor line should also be aware of where the cut panel sheet needs to be assigned for sewing purposes. Then the sewing machine has to be selected based on what kind of interlocking stitches is being performed. Afterwards, the folding machine is notified of the type of folds required to be performed for that order. Similarly, the packing machine has to be informed about the kind of packing, the printing machine has to understand the label required, and the inserting machine needs to be clear on the type of inserts to be made into that order of mattress protector. All these are key aspects of decision-making when it comes to resource management in the proposed VMS. While all these aforementioned sets of operations are easy in theory, the synchronization of all these individual operations is far more complex during the actual execution. Therefore, the practical solution is to bring everything on to a single platform and integrate the mattress protector with RFID technology. All the machines stated above will be capable of RFID communication in a real-time scenario. In particular, the task of transferring the product (mattress protector) from one stage of production to the next has to be synchronized. This synchronization requires better understanding of the operations. Such operation includes the production time, down time, material handling time, operator handling time, and so on. In this regard, the above-mentioned tasks have to be managed with assistance from virtual simulation and in synchronization with the practical data to ensure the overall operation flow of the automated mattress protector manufacturing is fully functional as well as efficient.

5 Conclusion

This book chapter proposes a framework for operation of a cloud-empowered real-time virtual manufacturing system. Numerous advanced innovations in the field of virtual manufacturing have been reviewed in order to identify the key components required for work, with a view to integrating them as part of the proposed framework for VMS. In this way, the proposed concept merges the virtual and physical shopfloor with a DT via a cloud platform, which would maintain seamless data integration and communication, thus ensuring smooth decision-making and process flow from preproduction, through production, all the way to packaging and beyond. Contrary to similar work, the proposal is further validated via a detailed use case for an automated mattress protector manufacturing. In this case, the detailed specifications of the components required were presented, followed by the actual operational flow. Thus, the use case of an automated mattress protector manufacturing presents a comprehensive operation of a fully functional virtual manufacturing system, based on the proposed novel framework. This research strongly believes that the proposed approach would make the mattress production much more productive, time efficient, and economically stable. Besides the practical execution, the future attempts in this domain of research would focus on integrating DT in real-time with the physical and virtual shopfloor (as opposed to the current approach that revolves around theoretical data). Furthermore, the integration of Cloud Networked Robotics (CNR) would also make VMS fully automated as well as more efficient, which will be the focus of the future studies.

Overall, the major key findings are presented as follows:

• The main challenges found were: (i) control of machine characters resulted in inefficiencies related to increased costs apart from the high latency issues of cloud, (ii) demand of inclusive product personalization due to global market competitions, and (iii) ineffective communications within roles and machines resulted in unrequired wastes.
• VMS potentially posed to be a solution to address the aforementioned challenges within manufacturing industry. LR suggested that VMS is the key solution as discussed by researchers, which however lacked practical implementation strategies. Further to this, at this point literature suggests implementation as singular approaches addressing one problem at a time. Current investigation into all forms of LR revealed that integrated usage of multiple transformative technologies, such as VMS in holistic form, was missing.
• Transformative technologies (e.g., ML, CC, CNR, and AVR) required were used to capture manufacturing operations characteristics. Furthermore, AVR technologies were used for visualization of operational flow, time analysis, and simulations. These inputs advanced in attaining the vital data to analyze the behavior of the machines by incorporating ML algorithms for PA in future. All these tools integrated in a cloud platform indicated potential for addressing the aforementioned manufacturing challenges. Once the integration of technologies migrated to cloud, the operation was handled by its high-end computational programs. These computational programs were designed by understanding the virtual commissioning output from the AVR layout. Based on this literature, a conceptual framework was proposed for implementation.
• VMS-integrated approaches from previous work lacked decision-making analytics and as a consequence lacked better communication protocols. In fact, the communication process lacked effective transfer of technological precedence within various roles. Collaboration of different roles and machines using advanced tools was found to be lacking the integration required with the current practices. New trends of wireless communication have given a broad understanding of real-time integration of the digital and physical world. Seamless data transfer and integration of tools have emerged to make the manufacturing process more efficient and effective compared to traditional practices. Along with communication, these advanced technologies used for prioritized computing and offloading the tasks were missing. In all forms, the current gap was found to be lack of practical implementation, as opposed to the theoretical illustration, which is available at this point of time.

Acknowledgments

I would like to express my special thanks of gratitude to Sleep Corp PTY Ltd. and Department of Industry, Science, Energy and Resources (Innovative Manufacturing CRC Ltd) for funding this research.


24 Real-Time Internet of Things for Smart Environments

Gowri Sankar Ramachandran and Bhaskar Krishnamachari

Contents
1 What Is Real-Time IoT?
2 Example Applications
3 Characteristics of Real-Time IoT
4 Layered and Distributed Architecture
5 Layered Network Stack
5.1 Application Layer
5.2 MQTT and Its Support for Real-Time IoT
5.3 Transport Layer
5.4 Network Layer
5.5 MAC Layer
5.6 IEEE-802.15.4e: Time Slotted Channel Hopping
5.7 Physical Layer
6 Operating System Support for Real-Time IoT
7 Design Considerations for Real-Time IoT
7.1 Many Sources of Latency in IoT Systems
7.2 Protocol and Operating System Recommendations
8 Conclusion
References

Abstract
Internet of Things enables continuous monitoring and control of everyday objects and environments through a combination of software, hardware, and wireless communication technologies. Embedded devices, wireless radios, sensors, and actuators are at the core of IoT applications. Time-sensitive IoT applications have to combine these elements and provide deterministic responses to events occurring in the application environment. Since the applications rely on a collection of embedded IoT devices, software protocols, and an operating system, application developers and architects are required to understand the characteristics and the protocols at all layers of the network stack to develop time-critical IoT applications. This chapter begins with an introduction to real-time IoT. Characteristics and the layered architecture of IoT applications are presented to explain the responsibilities of different layers. The chapter concludes with protocol and operating system recommendations for real-time IoT.

G. S. Ramachandran · B. Krishnamachari, University of Southern California, Los Angeles, CA, USA
© Springer Nature Singapore Pte Ltd. 2022. Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_47

1 What Is Real-Time IoT?

Cities and industries around the world are starting to adopt the Internet of Things (IoT) to automate management processes through the data provided by sensors. The key functional elements of IoT include sensing, computation, communication, and control or actuation. These functionalities are realized through a combination of embedded devices, wireless communication technologies, sensors, and actuators. Applications in this space increasingly require support for real-time communication for timely delivery of sensor data, actuation control, and processing, including data analytics and machine learning. A careful configuration of hardware and software components is essential to achieve the desired application goals, especially for real-time IoT applications. Application goals for the IoT typically include low power, long battery life, latency, and bandwidth. In particular, industrial IoT applications are time-sensitive and typically require strong temporal guarantees to manage the industrial processes. In this chapter, we will introduce real-time IoT through application case studies and wireless networking, including the messaging aspects of real-time IoT along with an architectural overview of real-time IoT.

Real-time IoT refers to IoT deployments with stringent time constraints for the sense-process-communicate-control loop. Any IoT application that requires a response to stimuli within a predefined upper time-bound can be defined as real-time IoT.

2 Example Applications

A few example applications that require real-time processing and control are presented below.

Oil Refinery Monitoring and Control: Consider an industrial IoT deployment in an oil refinery for monitoring the oil pipes and boilers. The refining process involves controlling and monitoring the flow of oil, pressure, and the temperature of pipes and boiler machines. A central control system has to actuate the valves in real-time whenever the sensor readings deviate from the recommended threshold. Real-time control is highly necessary to prevent a catastrophe in such an environment. The sensing, computation, communication, and actuation processes have to respond to events in sub-seconds to provide real-time guarantees.

Vehicular IoT Application: Connected and autonomous vehicles (CAV) are expected to coordinate and collaborate with other vehicles and road-side units to safely navigate on the road. Vehicles use LIDAR and cameras to sense their environment and share this information with other vehicles. The traffic perceived by each vehicle is beneficial for other vehicles if and only if the information is shared in real-time. Therefore, the vehicular IoT infrastructure should be designed to provide real-time guarantees in a dynamic environment involving multiple mobile IoT nodes.

Smart Crosswalk (Ananthanarayanan et al. 2017): The signal duration is statically defined for crosswalks. But such an approach provides insufficient duration for elderly pedestrians, who may need a few extra seconds to cross the road safely. The smart crosswalk application uses cameras to monitor the crosswalk and dynamically adjusts the signal duration based on pedestrian presence. Note that this application requires real-time processing of camera feeds and actuation of the signal lights and the timer to make sure that pedestrians cross the road safely.

All these applications require sensing, processing, communication, and in some cases, actuation to meet the desired application goals. Architects are required to select the right technology to ensure reliability. The rest of the chapter introduces the characteristics and design elements of IoT applications.

3 Characteristics of Real-Time IoT

IoT applications comprise sensing, actuation, computation, and communication functionalities. Such functionalities are distributed among multiple IoT devices, one or more gateways, edge and fog infrastructures, and cloud platforms. The processing of data within the network of IoT devices is called “in-network processing.” The primary goal of in-network processing is to reduce bandwidth usage and energy consumption by replacing expensive computation operations with cheaper computation and communications (Yao and Gehrke 2002). Such an approach significantly reduces the latency and response time for applications since the data does not travel far from the source devices. Alternatively, the majority of IoT deployments involve gateways along with edge and cloud platforms due to the lack of processing and storage resources in the network. Typically, longer communication paths lead to high latency and slow response times. Real-time IoT application developers are therefore required to understand the characteristics of IoT deployments since they influence the real-time performance. Important characteristics of IoT deployments are discussed below.

End-to-End Latency or Response Time: Real-time IoT applications are expected to respond to an event generated by one or more sensors within a predefined time. The application developers determine the temporal requirements of the application in collaboration with the domain experts. For example, an industrial IoT application that monitors the critical parameters of machinery, such as the spinning rate of a motor and the temperature of the motor cabinet, may have to report abnormal readings to the machine operators and the facility manager before a catastrophic failure. In this case, the facility manager, manufacturers of the machinery, and the operators jointly define the ideal operating conditions, response time, and latency requirements to take swift actions.

Energy Consumption: IoT devices are typically powered by batteries. Each device expends battery resources for computation, communication, sensing, and actuation functionalities. Communication is identified as the primary source of energy consumption in the majority of IoT and sensor network applications (Dutta et al. 2007). Different networking and physical layer protocols have been developed to prolong the lifetime of battery-operated IoT devices in the past 15 years, some of which are discussed in the later sections. Besides, the energy consumption of computation depends on the processing requirement, which is a function of the network size, type of sensors, and the in-network processing requirements. Recall that in-network processing leads to low latency and fast response times; thus, the energy budget for processing may have to be higher for applications with real-time constraints. Peripherals such as sensors and actuators may impact the energy consumption of IoT deployments, but the applications that use energy-intensive peripherals favor mains power. Architects and application developers have to take into account the energy cost of their deployment since it determines the maintenance overhead and the lifetime of the deployment. Battery-powered devices require physical access to the devices in order to replace batteries. Mission-critical IoT applications have to frequently check the battery status and send a technician to the field to replace the battery on time to minimize downtime.

Device Classes: Hardware devices are central to IoT applications. Data processing, storage, interfacing, and in some cases, the communication capabilities of devices depend on the onboard resources. The Internet Engineering Task Force’s (IETF) draft on “Terminology for Constrained-Node Networks” classifies the IoT devices into three different classes based on the program (flash) and code (RAM) memory sizes (Bormann et al. 2014). Class 0 devices are severely constrained with extremely limited resources for processing and storage. The lack of resources makes these devices less suitable for computation-intensive applications such as wireless security protocols that require significant computation and storage resources for encryption and decryption operations. Note that the devices in this category do have support for secure communication and encryption, but it mostly depends on the onboard hardware support and the implementation of the protocols. TinySec (Karlof et al. 2004), TinyECC (Liu and Ning 2008), and AES (Daemen and Rijmen 2013) are examples of secure communication protocols for Class 0 devices. Besides, Class 0 devices do not connect directly to the Internet due to their limited radio capabilities, and in all cases, the devices in this category rely on a gateway or a proxy server for Internet connectivity. Class 1 devices have limited constraints, and they have enough computation and storage resources for running a lightweight network stack. Devices in this category are capable of supporting messaging protocols such as CoAP (Shelby et al. 2014) and MQTT (Standard 2014) besides enabling IP-based communication. Lastly, Class 2 devices are less resource-constrained and are capable of running a complete network stack similar to the one used in notebooks and laptops. Typically, Class 2 devices are used as a communication gateway for enabling Internet connectivity to other resource-constrained devices. Application developers have to select the right class for their real-time IoT application considering the processing, storage, and communication requirements. On the one hand, the low-class devices are capable of operating on batteries, but they lack resources for the application functionalities. On the other hand, the high-class devices have significant resources for the application functionalities, but this comes at the cost of high energy consumption.

Communication Demands: IoT devices communicate with each other and with gateways to report the sensor data and to receive control commands for the actuation. The data rate, network topology, medium access protocols, and modulation schemes are some of the critical building blocks of communication functionality. Data rate determines the amount of information that can be shared between devices every second. Data generated by the IoT devices are typically in the order of tens of bytes. For example, a typical temperature sensor produces three or four bytes of temperature reading depending on the resolution of the sensing element (Ramachandran et al. 2016). Thus, an application reporting a sensor reading to a remote device only transmits a few bytes of data at an interval set by the application developers. Note that cameras and advanced industrial sensors produce a few kilobytes worth of data every few seconds, which requires high data rate communication channels. The modulation scheme determines the data rate and the radio range of the wireless technology. More discussion on modulation schemes is presented in the section on physical layer technologies. Similarly, the network topology influences the end-to-end latency and the energy consumption of the devices. For example, devices following the star topology typically have a direct communication link with the gateway. Other topologies such as mesh and tree topologies tend to rely on multiple devices to transport the data from a source device to a destination device.

These characteristics clearly show how different design components influence the performance and the real-time capabilities of IoT applications. Architects and application developers are required to consider these characteristics when designing an IoT application. Typically, a layered network model is used to represent the functionalities among different layers, which is presented in Sect. 3.

4 Layered and Distributed Architecture

Internet of Things applications consist of embedded devices with support for sensing, communication, and actuation. Devices in the application network coordinate and cooperate to achieve the desired application functionality. Providing real-time support for IoT applications following such a distributed architecture requires real-time support at the communication layer, hardware platform, and the operating systems. Figure 1 shows the end-to-end architecture of the IoT. Connected things represent the IoT end-devices such as sensors, actuators, and embedded platforms. Throughout this chapter, the hardware platform in the “connected things” layer is referred to as “devices.” IoT applications typically report the sensor data to remote infrastructure through wireless communication technology. Applications with high processing and low latency requirements employ edge and fog computing techniques to minimize end-to-end latency. Besides, edge computing provides support for data aggregation and machine learning algorithms. The cloud computing layer is above the edge infrastructure. Applications use this layer for storage, visualization, and data analytics, among other things.

Fig. 1 Architecture of IoT applications

As shown in Fig. 1, the latency or the response time of the IoT application depends on the architecture. Processing the sensor data close to the source is essential to achieve real-time response for the IoT applications. However, the design and deployment of IoT have to consider the protocols at all stages of the IoT architecture, wherein the protocols used by IoT devices at all layers of the network stack significantly impact the response time and the latency of the IoT application. The next section presents the layered network stack for the IoT and explains the functionalities handled at different layers. Besides, the state-of-the-art IoT protocols and wireless technologies are presented to help the architects and the application developers.

5 Layered Network Stack

The communication support for the IoT application is provided by a collection of protocols which are distributed across different layers. The Open Systems Interconnection (OSI) model (Zimmermann 1980) is widely employed in networked systems to conceptually represent the standards and protocols by dividing the functionalities of the networked system into multiple tiers. Figure 2 presents the OSI layers of IoT applications.

5.1 Application Layer

The core functionalities of the IoT applications are realized in the application layer. Each device in the IoT application network runs a protocol and the application logic to either acquire sensor data, actuate a peripheral, or process the data received from other devices in the application network. Consider an IoT deployment with two IoT devices in a room. One of the IoT devices, denoted as A, is responsible for sensing the temperature of the room, while the other device, represented as B, triggers the alarm whenever the temperature data reported by device A exceeds a predefined threshold. Such a simple deployment with just two devices shows how the application functionalities are distributed among multiple devices. To realize this application functionality, a device-to-device messaging protocol is needed. Mosquitto (MQTT) (Standard 2014) and CoAP (Shelby et al. 2014) are widely used in IoT deployments because of their ability to run on resource-constrained embedded IoT platforms. Note that the real-time requirements at the application layer become a challenge when one or more devices are involved in the application.

Fig. 2 Layered network stack of IoT deployments

5.2 MQTT and Its Support for Real-Time IoT

Mosquitto (MQTT) uses the publish-subscribe communication pattern (Eugster et al. 2003), which means the devices with the sensor data publish the information to a centralized data broker, which is typically hosted on a gateway, edge, or cloud infrastructure. Devices subscribe to the data by informing the broker of their interest. The publish-subscribe communication model (Standard 2014; Mosquitto 2018) typically consists of three components: broker, publisher, and subscriber. Publishers in the system send data to a broker following the concept of the topic. The topic typically refers to the metadata, which describes information about the data in a string format. A topic can have multiple levels. For example, the data generated by a temperature sensor deployed at room 123 of building A can have its topic defined as 123. Consumers of the data can receive data from the temperature sensor by subscribing to the 123 topic. Figure 2 provides an overview of the publish-subscribe broker, where the publisher reports “temperature” data to a broker using the “temperature” topic.

MQTT relies on the lower-layer protocols for exchanging data with other devices and the broker. At the transport layer, MQTT provides support for both TCP and UDP. TCP-based MQTT supports reliability for the application layer by using a connection-oriented communication model, whereas the UDP-based MQTT ensures low latency data communication at the cost of reliability. The discussion on transport and other lower layers of the stack in the following sections explains how the protocols impact the communication latency. A performance study compared MQTT and CoAP to understand their limitations and real-time capabilities, and the results show that MQTT is more responsive and has lower device-to-device communication delay (Thangavel et al. 2014).
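The two-device scenario from Sect. 5.1 (device A publishes temperature, device B raises an alarm) can be traced through a toy in-process broker. This is an added example, not code from the chapter or from Mosquitto; the topic strings, the 30 °C threshold, and the 0.5 s deadline are constructed for illustration, while the `+` and `#` wildcards follow MQTT topic-filter semantics.

```python
import time


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT-style match: '+' matches exactly one level, '#' matches the rest."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            # '#' must be the last level; it matches the parent and all children
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if f != "+" and f != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


class Broker:
    """Toy broker: forwards each publication to every matching subscriber."""

    def __init__(self):
        self._subs = []  # list of (topic_filter, callback)

    def subscribe(self, topic_filter, callback):
        self._subs.append((topic_filter, callback))

    def publish(self, topic, payload):
        sent_at = time.monotonic()
        delivered = 0
        for topic_filter, callback in self._subs:
            if topic_matches(topic_filter, topic):
                callback(topic, payload, sent_at)
                delivered += 1
        return delivered


class AlarmDevice:
    """Device B: raises an alarm above a threshold and tracks missed deadlines."""

    def __init__(self, threshold_c, deadline_s):
        self.threshold_c = threshold_c
        self.deadline_s = deadline_s
        self.received = 0
        self.deadline_misses = 0
        self.alarms = []

    def on_message(self, topic, payload, sent_at):
        self.received += 1
        # Publish-to-delivery latency, checked against the application deadline
        if time.monotonic() - sent_at > self.deadline_s:
            self.deadline_misses += 1
        value = float(payload)
        if value > self.threshold_c:
            self.alarms.append((topic, value))


def run_scenario():
    broker = Broker()
    device_b = AlarmDevice(threshold_c=30.0, deadline_s=0.5)  # assumed values
    # Device B only wants temperature readings from building A
    broker.subscribe("buildingA/+/temperature", device_b.on_message)
    # Constructed publications from device A and two unrelated sensors
    readings = [
        ("buildingA/room123/temperature", "24.5"),
        ("buildingA/room123/temperature", "31.2"),
        ("buildingA/room123/humidity", "80"),
        ("buildingB/room7/temperature", "45.0"),
    ]
    for topic, payload in readings:
        broker.publish(topic, payload)
    return device_b


if __name__ == "__main__":
    dev = run_scenario()
    print("received:", dev.received, "alarms:", dev.alarms,
          "deadline misses:", dev.deadline_misses)
```

A subscription to `#` would also have received the humidity and building B readings, so a filter should be no broader than the application needs.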

5.3 Transport Layer

Application layer protocols rely on the transport layer protocols for the device-to-device communication. End-to-end communication between the devices is provided by the protocols operating at the transport layer. TCP (Wright and Stevens 1995) and UDP (Postel 1980) are examples of transport layer protocols. TCP is a session-oriented protocol, which means the protocol maintains a logical connection between the devices throughout the communication process. Applications requiring reliable data communication can benefit from TCP. However, TCP introduces significant control overhead to ensure reliability as the devices involved in communication have to synchronize with each other following a session management protocol. Besides, the limited memory, computation, and energy resources of embedded IoT devices make TCP unsuitable for IoT applications. Alternatively, the connection-less nature of UDP allows the devices in the network to communicate more efficiently. Unlike TCP, UDP cannot guarantee reliability since there are no built-in mechanisms at the protocol level to ensure reliability. Despite its lack of reliability, UDP is widely employed in IoT applications because of its resource efficiency and limited control overhead. Note that the application can still achieve reliability by selecting an application layer protocol that operates on top of UDP with built-in reliability mechanisms. For example, MQTT, which runs on top of UDP, incorporates quality of service (QoS) mechanisms into the protocol. Application developers can configure the protocol based on their reliability demands. A higher QoS setting ensures guaranteed delivery of messages to the remote device (Lee et al. 2013). Interestingly, the application layer adds control messages to the protocol to provide reliability.
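The trade-off described above, reliability added at the application layer on top of a lossy datagram service, is sketched below as an added example (not code from the chapter and not an MQTT implementation). The channel is a constructed in-process stand-in for UDP with a fixed drop pattern, and the message IDs, the 200 ms retransmission timeout, and the retry limit are assumptions.

```python
class LossyChannel:
    """Constructed stand-in for UDP: each datagram is delivered or silently dropped."""

    def __init__(self, drop_indices):
        self.drop_indices = set(drop_indices)  # which transmissions are lost
        self.count = 0                         # datagrams put on the air so far

    def deliver(self, datagram):
        idx = self.count
        self.count += 1
        return None if idx in self.drop_indices else datagram


class Receiver:
    """Acknowledges every datagram and suppresses duplicates by message ID."""

    def __init__(self):
        self.seen = set()
        self.delivered = []  # payloads handed to the application, in order

    def on_datagram(self, datagram):
        msg_id, payload = datagram
        if msg_id not in self.seen:
            self.seen.add(msg_id)
            self.delivered.append(payload)
        # Duplicates are acknowledged too: the earlier ACK may have been lost
        return ("ACK", msg_id)


def send_reliable(msg_id, payload, channel, receiver, max_retries=3, timeout_ms=200):
    """Send with ACK and retransmission. Returns (acked, attempts, added_wait_ms)."""
    for attempt in range(1, max_retries + 2):
        arrived = channel.deliver((msg_id, payload))
        if arrived is not None:
            ack = channel.deliver(receiver.on_datagram(arrived))
            if ack == ("ACK", msg_id):
                # Every failed attempt cost one full timeout before the retry
                return True, attempt, (attempt - 1) * timeout_ms
        # No ACK within the timeout: fall through and retransmit
    return False, max_retries + 1, (max_retries + 1) * timeout_ms


def send_best_effort(msg_id, payload, channel, receiver):
    """Fire-and-forget: one datagram, no ACK, no retransmission."""
    arrived = channel.deliver((msg_id, payload))
    if arrived is not None:
        receiver.on_datagram(arrived)


def run_demo():
    messages = [(1, "21.5"), (2, "22.0"), (3, "22.4")]  # constructed readings
    drops = {0, 4}  # transmission 0 (a data frame) and 4 (an ACK) are lost

    channel, receiver = LossyChannel(drops), Receiver()
    results = [send_reliable(i, p, channel, receiver) for i, p in messages]

    be_channel, be_receiver = LossyChannel(drops), Receiver()
    for i, p in messages:
        send_best_effort(i, p, be_channel, be_receiver)

    return {
        "reliable_delivered": receiver.delivered,
        "attempts": [r[1] for r in results],
        "added_wait_ms": [r[2] for r in results],
        "reliable_datagrams": channel.count,
        "best_effort_delivered": be_receiver.delivered,
        "best_effort_datagrams": be_channel.count,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The reliable sender delivers all three readings exactly once but uses nine datagrams and adds up to one timeout of delay per loss, which is the control overhead and latency cost a real-time budget has to absorb.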

5.4 Network Layer

Devices in the IoT deployment collaborate and coordinate with each other to jointly accomplish the application goals. The network layer is responsible for forwarding the data packets from a source to a destination. IoT device uses a low power radio to transmit messages to or receive messages from other devices wirelessly. Unfortunately, the effective communication range of the low power radios is in the order of tens of meters. Due to the limited reach of these radios, a packet from a source device cannot be delivered directly to a destination device. In such cases, IoT devices form a network comprising of source devices, destination devices, and routing devices. Data packets from a source device are delivered to a destination device through one or more routing devices. This form of communication is known as multi-hop communication since the packets hop through the network between source and destination. When an IoT deployment consists of tens of devices, the source nodes do not know the route to a destination node. Network layer protocol estimates the route for each device in the network using a routing protocol. RPL (Winter et al. 2012), AoDV (Perkins et al. 2003), and CTP (Gnawali et al. 2009) are examples of IoT routing protocols. Routing protocol actively maintains the network and provides routing services to the upper layer protocols. In IoT and wireless sensor network (WSN) applications, routing protocols are designed to form a network with certain types of topology. Topology at the network layer refers to the shape of the network formed by the devices in the network. IoT deployments typically employ the tree, mesh, and star topologies. Figure 3 shows the different topologies. When a device sends a message to another device, the time taken for the message to travel from the source device’s

G. S. Ramachandran and B. Krishnamachari

Fig. 3 Overview of publish-subscribe broker

application layer to the destination device’s application layer is termed the end-to-end latency. The topology of the IoT deployment is one of the key contributors to the end-to-end latency.

Tree Topology: Devices form a tree-like structure, wherein the device at the topmost layer is termed the “root.” Devices below the “root” layer are referred to as “leaves.” All the devices in the network connect to the root through one or more devices following multi-hop communication. The end-to-end latency of the tree topology depends on the number of routing nodes between source and destination.

Mesh Topology: Each device connects to as many devices in the network as possible. Similar to the tree topology, mesh topology extends the effective range of each device through multi-hop communication. The size of the network and the number of routing nodes between the devices determine the end-to-end latency.

Star Topology: All the devices in the network connect to a central coordinator. Destination devices are always two hops away from a source. Compared to mesh and tree topologies, the end-to-end latency is more predictable for star topology since the destination is at most two hops away from the source.

5.5 MAC Layer

IoT devices are required to share the communication medium. When multiple devices transmit at the same time, the transmissions collide with each other, which results in packet loss. The MAC layer protocol defines how the devices should access the communication medium. IoT MAC protocols are categorized as synchronous and asynchronous protocols.

Asynchronous MAC Protocols (Messaoud et al. 2012): A device uses the carrier sensing mechanism to detect an ongoing transmission and transmits only when

24 Real-Time Internet of Things for Smart Environments

other devices do not use the communication medium. Carrier sense multiple access (CSMA) (Colvin 1983) is one of the widely used MAC protocols in wireless networks. CSMA/CA is a technique that allows the device to delay the transmission for a random interval when the transmission medium is busy. Such a random or back-off interval allows the devices to share the communication medium without any form of negotiation. The device senses the medium only when it has a message to transmit.

Synchronous MAC Protocols (Doudou et al. 2014): Devices following a synchronous MAC protocol use scheduled time slots for communication. Each device in the network is assigned dedicated time slots for transmission to and reception from neighboring devices. All the devices in the network are synchronized to a global network clock. Compared to asynchronous MAC protocols, synchronous protocols have significant control overhead since the devices have to exchange messages regularly to maintain synchronization. Protocols in this category are also known as time-division multiple access (TDMA) (Sivrikaya and Yener 2004) protocols since the communication medium is divided into time slots. Devices typically reserve time slots for transmission and reception following TDMA, which means that applications with low latency requirements have to negotiate with other devices in the network at the setup phase and reserve more time slots.

Besides the medium access through CSMA or TDMA protocols, IoT MAC protocols include duty cycle mechanisms to reduce energy usage. Resource-constrained embedded IoT devices are expected to operate on a single battery charge for multiple years. Studies suggest that wireless communication and the radio hardware are the primary sources of energy consumption in IoT devices. Duty cycling algorithms, which define when the radios should be powered on and powered off, are widely used in IoT devices (Rout and Ghosh 2013). Maximum energy savings are achieved when the radios are powered off.

Duty Cycling on Asynchronous and Synchronous Protocols: Duty cycling approaches are classified into two categories: randomly duty-cycled networks and coordinated duty-cycled networks (Rout and Ghosh 2013). Devices in randomly duty-cycled networks switch the radio between active and inactive states randomly (Hsin and Liu 2006). Coordinated duty-cycled networks follow a schedule.

Asynchronous protocols do not require synchronization with neighboring devices for their transmission and reception. Thus, they fall under the randomly duty-cycled category. Random duty-cycled protocols have no control overhead, and the devices randomly switch between the active and inactive state to preserve their energy. However, this comes at the cost of high latency since the probability of a transmitter reaching a neighboring receiver largely depends on the duty cycle duration of the protocol. A shorter active duration minimizes the chances of wireless communication between the devices, whereas a longer active duration increases the energy consumption of the devices while providing low latency.

In the case of coordinated duty-cycled networks, devices joining the network negotiate with each other through several control messages to create a schedule for communication. The duty cycling configuration depends on the number of transmission and reception time slots allotted to the device. At a given time slot, each device

will either be in transmit, receive, or idle state. Typically, the device turns off the radio during the idle state to conserve energy.

Real-time applications require low latency MAC protocols. Asynchronous MAC protocols can be configured for low latency by keeping the radio always on, as this allows the devices to exchange messages with each other immediately, instead of waiting for the two radios to be in the active state. Although such a configuration is suitable for low latency communication, it comes at the cost of high energy consumption. Besides, the protocol has to ensure that the transmissions from multiple devices do not interfere with each other. Synchronous MAC protocols are capable of providing low latency communication while minimizing energy consumption. However, the devices have to exchange many control messages with each other to maintain time synchronization and negotiate the schedule.

IEEE-802.15.4 is a communication standard for low power wireless networks maintained by IEEE. Critical features of the IEEE-802.15.4 radio include low data rate support, short-range communication, and low energy consumption. The maximum data rate supported by an IEEE-802.15.4 radio is 250 Kbps. Embedded IoT platforms such as TelosB, OpenMote (Vilajosana et al. 2015), and MicaZ come with a built-in IEEE-802.15.4 radio. Moreover, radios are capable of communicating with neighboring devices within a 100-meter radius. To extend the communication range of the devices, mesh and tree topologies are recommended in the standard. The IEEE standard does not explicitly define protocol features for real-time applications with stringent latency constraints. However, IEEE-802.15.4e, which is one of the variants of IEEE-802.15.4, is developed following the principles of TDMA and offers support for low latency communication.

5.6 IEEE-802.15.4e: Time Slotted Channel Hopping

The Internet Engineering Task Force (IETF) maintains the protocol specification for IEEE-802.15.4e (Palattella and Grieco 2015) time slotted channel hopping (TSCH). Several industrial applications (Watteyne et al. 2015; Dujovne et al. 2014) employed TSCH because of its low power consumption and high reliability. TSCH combines the TDMA protocol with a frequency hopping mechanism to ensure reliable and low power wireless communication for resource-constrained IoT devices. Recall that the TDMA protocol allows the devices to share the communication medium by scheduling dedicated time slots for transmission and reception. Devices in the network are synchronized to a global network clock and strictly follow the communication schedule.

TSCH combines a channel hopping mechanism (Tzamaloukas and Garcia-Luna-Aceves 2000) with TDMA. The channel hopping mechanism enables the devices to communicate at different frequencies to avoid interference. When multiple devices communicate at the same frequency, the radio transmissions interfere with each other, resulting in packet loss. TDMA avoids interference by allowing only a pair of devices to communicate with each other at a particular frequency in a particular time slot. All the other devices in the network are not allowed to transmit at the same frequency, to prevent interference. Slotted Aloha

Fig. 4 Network topologies

(Arnbak and van Blitterswijk 1987), Energy-Aware TDMA-Based MAC (Arisha et al. 2002), and DMAC (Lu et al. 2004) protocols are examples of TDMA-based MAC protocols without frequency hopping.

TSCH defines a scheduling mechanism for devices, which consists of time slots for transmission and reception along with the channel. An IEEE-802.15.4 radio has 16 channels (Zacharias et al. 2012) at the 2.4 GHz frequency. This frequency band is also used by WiFi, Bluetooth, and microwave ovens; thus, the communication is prone to interference. TSCH schedules channels and time slots for each device by choosing channels that are not widely used in WiFi and Bluetooth networks.

Figure 4 explains the operation of TSCH through an 8-node network. Devices in the network form a partial mesh network. The network manager or the gateway device acts as a central coordinator that manages the devices in the network. Whenever a device wants to join the network, the network manager allocates time slots for communication through a set of control messages. Once a device is accepted into the network, it will have communication slots to interact with its neighbor and the central network manager. As shown in Fig. 4, the available communication channels are shared between the devices in the network. At each time slot, a pair of devices engages in wireless communication following the channel configuration provided by the network manager. Since the network manager assigns the transmission frequency by considering the communication requirements of all the devices in the network, the network can have multiple parallel transmissions on different frequencies. Such parallel transmissions are not prone to interference since the central network coordinator schedules those simultaneous transmissions on different channels. Besides, the overall throughput of the network improves due to the efficient use of communication channels (Fig. 5).

Note that the actual assignment of channels and time slots varies based on the wireless characteristics of the operational environment. SmartMesh IP (Watteyne et al. 2015), which is a commercial implementation of TSCH, continuously monitors the channels and the performance and always assigns the best channels for the devices. Such runtime optimizations further improve performance while reducing energy consumption.

[Figure: 8-node partial mesh with nodes A, B, C, D, E, F, H and the Network Manager/Gateway (G), drawn above a schedule grid. Vertical axis: Channel 11 to Channel 17. Horizontal axis: Timeslots, Slot 0 to Slot 5. Grid cells carry the links A -> C, B -> D, C -> F, D -> H, E -> H, F -> G and H -> G.]

Fig. 5 Overview of time synchronized channel hopping: channel and slot allocations are shown for 8-node network

Industrial IoT deployments favor TSCH protocols because of their high reliability and low power operation (Matthys et al. 2015). Deployments follow a client-server architecture model. Each network consists of a centralized network manager (i.e., a server), which manages the devices in the network by assigning a communication schedule based on their application requirements (Watteyne et al. 2009). Devices negotiate with the network manager as soon as they join the network and reserve the desired time slots for transmission and reception. Devices requiring low latency communication typically reserve a high number of time slots to ensure timely delivery of messages to the remote devices. Connectivity to the Internet is provided through the network manager.

Devices form a multi-hop mesh network with a manager acting as the central authority for the network. The end-to-end communication latency of the network depends on the depth of the network. In other words, the higher the number of hops between the source device and destination device, the larger the end-to-end latency. Note that the protocol is targeted at devices reporting sensor data to a remote application running on the cloud through a network manager. The interaction

between devices in the network is achieved through the network manager, which means TSCH is not beneficial for applications with in-network processing. The technology has been used in many real-world IoT deployments, including smart building and smart agriculture (Brun-Laguna et al. 2018).
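The slot-and-channel scheduling and the hop-dependent latency described in this section can be checked mechanically. The following Python code is an added example, not code from the chapter or from any TSCH implementation: the schedule, the hopping list and the 10 ms slot length are constructed assumptions, and the channel rule `(ASN + channel offset) mod sequence length` is taken from the TSCH standard rather than from this text.

```python
from collections import defaultdict

SLOT_MS = 10        # assumed timeslot duration (not stated in the chapter)
SLOTFRAME_LEN = 6   # slots 0..5, as in the 8-node figure
# Constructed hopping list of 2.4 GHz channel numbers (not a standard list).
HOP_SEQ = [11, 12, 13, 14, 15, 16, 17]

# Constructed schedule: (slot, channel_offset, sender, receiver).
SCHEDULE = [
    (0, 0, "A", "C"), (0, 1, "B", "D"), (0, 2, "E", "H"),
    (1, 0, "C", "F"), (1, 1, "D", "H"),
    (2, 0, "F", "G"), (2, 1, "A", "C"),
    (3, 0, "H", "G"), (3, 1, "B", "D"),
    (4, 0, "F", "G"), (4, 1, "E", "H"),
    (5, 0, "H", "G"), (5, 1, "C", "F"),
]


def channel_for(asn, channel_offset, hop_seq=HOP_SEQ):
    """Channel used by a cell at absolute slot number `asn`."""
    return hop_seq[(asn + channel_offset) % len(hop_seq)]


def find_conflicts(schedule):
    """Return cells assigned twice and nodes scheduled twice in one slot."""
    cells = defaultdict(list)   # (slot, offset) -> links sharing that cell
    busy = defaultdict(list)    # (slot, node)   -> links that involve the node
    for slot, offset, tx, rx in schedule:
        cells[(slot, offset)].append((tx, rx))
        busy[(slot, tx)].append((tx, rx))
        busy[(slot, rx)].append((tx, rx))
    problems = []
    for (slot, offset), links in sorted(cells.items()):
        if len(links) > 1:      # two links on one channel at the same time
            problems.append(("cell", slot, offset))
    for (slot, node), links in sorted(busy.items()):
        if len(links) > 1:      # a single radio cannot serve two links at once
            problems.append(("half-duplex", slot, node))
    return problems


def path_latency_slots(schedule, path, gen_asn, slotframe_len=SLOTFRAME_LEN):
    """Slots from packet generation at `gen_asn` to delivery at the last hop."""
    tx_slots = defaultdict(list)
    for slot, _offset, tx, rx in schedule:
        tx_slots[(tx, rx)].append(slot)
    asn = gen_asn
    for hop in zip(path, path[1:]):
        if hop not in tx_slots:
            raise ValueError(f"no cell scheduled for {hop[0]} -> {hop[1]}")
        # Wait for the next cell of this hop (0 if it is the current slot).
        wait = min((s - asn) % slotframe_len for s in tx_slots[hop])
        asn += wait + 1         # the transmission occupies one full slot
    return asn - gen_asn


def worst_case_latency_ms(schedule, path, slotframe_len=SLOTFRAME_LEN):
    """Upper bound over every possible generation slot in the slotframe."""
    return SLOT_MS * max(path_latency_slots(schedule, path, g, slotframe_len)
                         for g in range(slotframe_len))


if __name__ == "__main__":
    print("conflicts:", find_conflicts(SCHEDULE))
    route = ["A", "C", "F", "G"]
    for g in range(SLOTFRAME_LEN):
        print(f"generated in slot {g}: "
              f"{path_latency_slots(SCHEDULE, route, g) * SLOT_MS} ms")
    print("bound:", worst_case_latency_ms(SCHEDULE, route), "ms")
```

The same three-hop route takes 30 ms or 80 ms depending on the slot in which the packet is generated, which is the scheduling latency listed later in Table 1; reserving more cells for a hop shortens the wait.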

5.7 Physical Layer

For the devices to communicate with each other, the physical layer provides wireless communication support. This layer converts the data packets into analog bits, modulates the data, and transmits the analog signal to the neighboring devices. A wide array of physical layer technologies is available for resource-constrained IoT environments. Recall that IEEE-802.15.4-compatible radios are widely used in embedded IoT platforms such as OpenMote, SmartMesh IP, and TelosB. The communication capacity of the IoT deployment solely depends on the characteristics of the physical layer technology. The radio hardware strongly influences the performance, energy consumption, bandwidth, throughput, and latency of the IoT application. Modulation and the operational frequency are the critical parameters of the IoT physical layer technologies.

Modulation: A radio consists of a modulator and a demodulator to encode and decode radio signals during transmission and reception, respectively. Amplitude and frequency modulation are examples of modulation schemes.

Operational Frequencies: Communication standards organizations such as IEEE and IETF define the operational frequency for the physical layer. For example, IEEE-802.15.4 radios operate at 2.4 GHz.

5.7.1 IEEE-802.15.4

Almost two decades of research on communication technologies and protocols for the IoT were based on the IEEE-802.15.4 radios. Key characteristics of IEEE-802.15.4 protocols are low power operation, support for CSMA channel access, multiple frequency bands of operation, and support for peer-to-peer mesh topologies. The IEEE standard defines 27 channels in total, which are divided into three bands: sixteen channels at 2.4 GHz, ten channels at the 915 MHz ISM band, and one channel at 868 MHz. Note that 915 MHz is used in North America and 868 MHz is targeted for Europe. The data rate supported by an IEEE-802.15.4 radio ranges from 20 Kbps to 250 Kbps depending on the operational frequency. IEEE-802.15.4 radios use O-QPSK modulation at 2.4 GHz, which is a type of digital modulation scheme. The BPSK modulation scheme is used at 868 and 915 MHz.

The support for real-time communication at the physical layer is restricted by the limited radio range and wireless interference. Each IEEE-802.15.4 radio is capable of connecting to devices within a few tens of meters (Howitt and Gutierrez 2003), which means all the devices must be adequately spaced to enable device-to-device communication. Radios provide hardware support for carrier sensing, which ensures that the devices do not transmit while other devices occupy the channel. This feature prevents interference, but there is a need to coordinate with

other devices in the network to ensure timely delivery of messages to the desired destination. Using synchronous MAC protocols such as TSCH on top of IEEE-802.15.4 is a good option for real-time IoT applications.

5.7.2 LPWAN Technologies

A new wave of radio technologies has reached the market in the past decade with long-range communication and low power consumption (Bardyn et al. 2016). These technologies are classified under the umbrella of low power wide area networks (LPWAN). LoRa (Wixted et al. 2016), SigFox (Sigfox 2018), and NB-IoT (Ratasuk et al. 2016) are examples of LPWAN technologies.

LoRa: LoRa is an acronym for low power and long-range communication technology, developed and maintained by Semtech. The LoRaWAN Alliance specifies the operational frequency, data rate, and deployment models for LoRa deployments. The physical layer uses chirp spread spectrum (CSS) (Springer et al. 2000) modulation at 915 MHz in North America and 868 MHz in Europe. The LoRaWAN specification recommends a star topology, which means the LoRa devices directly communicate with a LoRa network coordinator, often called a “gateway.” LoRa radios are capable of communicating with a gateway that is hundreds of meters away. Range test results indicate a range of almost 3 km in a rural environment (Ramachandran et al. 2017). LoRa devices are capable of supporting low latency communication, but the communication medium is unregulated, which may lead to collisions when multiple devices transmit at the same time. Studies report that the end-to-end wireless transmission latency ranges from a few milliseconds to 1.5 s (Aras et al. 2017). Besides, the technology, in its current state, has limited support for downstream communication, as the devices in the market predominantly handle the transmission of messages to a remote gateway. Downstream communication is only possible immediately after an upstream transmission to a gateway. The LoRaWAN specification defines a receive window for the devices, which is opened only after the transmission of a message to the gateway. Despite these limitations, LoRa technology is widely used in IoT and smart city deployments.

SigFox: SigFox is similar to LoRa technology. SigFox is an organization that maintains and manages the technology. The operational frequency of SigFox is 915 MHz for North America and 868 MHz for Europe. SigFox uses ultra narrowband (UNB) modulation for achieving long-range communication in the order of kilometers. The LoRaWAN specification does not restrict private organizations from deploying their own LoRa network, but SigFox technology is deployed only by the telecommunication operators nominated by SigFox. Thus, SigFox devices can only be used in locations covered by SigFox deployments. The star network topology used by SigFox deployments makes SigFox transmissions susceptible to interference, similar to LoRa. Low latency communications are possible with a latency in the order of seconds (Vejlgaard et al. 2017), but the maximum size of a data packet is 12 bytes for SigFox.

Narrow-Band IoT (NB-IoT): 3GPP, which is an acronym for “3rd Generation Partnership Project,” is a consortium formed by telecommunication standards organizations. NB-IoT is a technology introduced by 3GPP for IoT applications.

The operational frequencies of NB-IoT are 700 MHz, 800 MHz, and 900 MHz, which enables the telecommunication operators to leverage their existing cellular network deployments for NB-IoT, thus minimizing the deployment cost. Upstream communication is carried out using the SC-FDMA modulation scheme, while OFDM is used for downstream communication (Mangalvedhe et al. 2016). This technology operates at the same frequencies as LTE; therefore, the transmissions are susceptible to interference.

IoT deployments in the past decade have been dominated by a single radio hardware platform with no hardware support for fine-tuning or switching the physical layer. Hobbyists and researchers have used software-defined radio (SDR) to experiment with different physical layer technologies by reprogramming the FPGA board. The flexibility of the SDR, along with its software support for various physical layer technologies, makes SDR an exciting alternative for the IoT (Machado and Wyglinski 2015). Cost, form factor, and power consumption are starting to come down for the SDR. Next-generation IoT deployments can benefit from the flexibility provided by SDR, as it allows the application developers to tune the physical layer to meet their wireless communication demands. Real-time IoT applications can modify the modulation scheme and other physical layer settings on the fly to achieve low latency, for example.

5G technology promises to offer low latency and high bandwidth links for bandwidth-intensive real-time applications. The building blocks of the technology are being developed and tested for next-generation applications. The growing adoption of connected and autonomous vehicles forces the telecommunication operators to introduce novel technologies to meet the demands of smart devices, including vehicles, traffic lights, and roads.

6 Operating System Support for Real-Time IoT

In the last section, the real-time aspects of the IoT deployments have been discussed through the OSI networking model. Selection of protocols and technologies at each layer of the network stack is essential to meet the real-time demands of the application. Besides, the operating system that executes the software also influences the performance of real-time IoT applications. Operating systems are broadly divided into two categories, based on how they schedule the functional tasks on the CPU: event-triggered operating systems and time-triggered operating systems (Kopetz 1991).

Event-triggered systems, as the name suggests, execute tasks in response to an event. Here, a task refers to a piece of software that executes a protocol or the application logic. All the protocols and the application logic are typically divided into a collection of tasks. Note that monolithic operating systems maintain the entire application logic within a single application image. Resource constraints of embedded IoT platforms make monolithic operating systems less suitable for IoT applications. In event-triggered systems, the expiration of a hardware timer or a sensor reading exceeding a certain predefined threshold may trigger an event. Whenever an event occurs, the operating system

executes one or more tasks as defined by the application developer. TinyOS (Levis et al. 2005) and Contiki (Dunkels et al. 2004) are examples of event-triggered operating systems. Application deployments such as the Great Duck Island deployment (Szewczyk et al. 2004), volcano monitoring (Werner-Allen et al. 2006), and an adaptive lighting system for road tunnels (Ceriotti et al. 2011) used event-triggered operating systems.

Time-triggered operating systems follow a predefined schedule for the execution of tasks. All the application functionalities are scheduled to execute periodically following a predefined periodicity, referred to as the “period.” Real-time applications favor time-triggered operating systems because of their predictability. Tasks are guaranteed to execute at the predefined time following the execution pattern defined by the application developer. Nano-RK (Eswaran et al. 2005), RIOT OS (Baccelli et al. 2013), and μC/OS-II (Labrosse 2002) are examples of time-triggered operating systems. Peach Orchard monitoring (Watteyne et al. 2016) and smart agriculture (Brun-Laguna et al. 2016) deployments used time-triggered operating systems.

Event-triggered operating systems are ideal for resource-constrained applications with a small number of random, unpredictable events, such as an interrupt signal from a passive infrared sensor. The operating system quickly responds to an event and executes the tasks attached to the event in a faster manner. However, the performance and the execution overhead drop significantly when the application contains a large number of unpredictable random events from sensors. Hence, real-time applications with predictable event behavior can benefit from event-triggered operating systems.

Time-triggered operating systems schedule all the application tasks before the execution. Interrupt-based configuration of sensors is not used in time-triggered systems, to guarantee determinism. The interrupt feature is used in embedded systems to notify the processor whenever an event requires immediate attention. Time-triggered systems use a polling mechanism to periodically poll the sensors and other hardware resources for events that require immediate attention. This approach allows the time-triggered systems to execute all the tasks in a deterministic manner, but it comes at the cost of high resource usage since the processor has to poll the sensors periodically for interrupts. Real-time IoT applications can benefit from time-triggered operating systems since they provide predictable upper bounds on the execution time.
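The trade-off between polling cost and a predictable upper bound can be made concrete with an offline dispatch table. The following Python code is an added example, not taken from the chapter or from any of the operating systems named above: the task names, periods and execution times are constructed, tasks run non-preemptively, and each job's deadline is assumed to be its next release.

```python
from functools import reduce
from math import gcd

# Constructed task set (not from the chapter): name -> (period_ms, wcet_ms).
TASKS = {"poll_pir": (10, 1), "tsch_mac": (20, 4), "report": (40, 6)}


def hyperperiod(tasks):
    """Least common multiple of all periods: the table repeats after this."""
    return reduce(lambda a, b: a * b // gcd(a, b),
                  (period for period, _ in tasks.values()))


def build_table(tasks):
    """Build the dispatch table [(start_ms, task), ...] for one hyperperiod.

    Jobs are placed in release order (shorter period first on ties) and run
    to completion. A job that cannot finish before its next release makes
    the task set unschedulable, which is reported before deployment.
    """
    hyper = hyperperiod(tasks)
    jobs = sorted((release, period, name, wcet)
                  for name, (period, wcet) in tasks.items()
                  for release in range(0, hyper, period))
    table, now = [], 0
    for release, period, name, wcet in jobs:
        start = max(now, release)
        if start + wcet > release + period:
            raise ValueError(
                f"{name} released at {release} ms misses its deadline")
        table.append((start, name))
        now = start + wcet
    return table


def worst_case_detection_ms(table, tasks, poller):
    """Longest time from a sensor event to the end of the poll that sees it.

    Assumes the poller samples the sensor when it starts: an event arriving
    just after one poll start waits for the next start plus the poll's WCET.
    """
    hyper = hyperperiod(tasks)
    starts = [start for start, name in table if name == poller]
    following = starts[1:] + [starts[0] + hyper]    # wrap into the next cycle
    longest_gap = max(b - a for a, b in zip(starts, following))
    return longest_gap + tasks[poller][1]


def polling_cost_ms(table, tasks, poller):
    """CPU time spent polling per hyperperiod, whether or not events occur."""
    runs = sum(1 for _, name in table if name == poller)
    return runs * tasks[poller][1], hyperperiod(tasks)


if __name__ == "__main__":
    table = build_table(TASKS)
    for start, name in table:
        print(f"{start:3d} ms  {name}")
    print("detection bound:",
          worst_case_detection_ms(table, TASKS, "poll_pir"), "ms")
    print("polling cost (ms per hyperperiod):",
          polling_cost_ms(table, TASKS, "poll_pir"))
```

The second poll starts at 11 ms rather than 10 ms because `report` is still running, so the detection bound is 12 ms instead of the nominal 11 ms; the table exposes this jitter before the code is ever deployed.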

7 Design Considerations for Real-Time IoT

The layered architecture and the integration of edge and cloud platforms into the real-time IoT application impact the real-time performance, especially the latency and response time. Recall that the section on the layered architecture presented different protocol options for each layer and explained how the design choices impact the end-to-end latency and response times. In this section, a reference architecture for real-time IoT is presented, which recommends the design choices and protocol options for architecting time-constrained applications.

7.1 Many Sources of Latency in IoT Systems

Table 1 lists many sources of latency in IoT systems. The application developers are required to take these sources into account when designing a real-time IoT application. It is important to note that the communication, computation, and sensing processes may add significant latency to an application unless the application developers choose the right protocols and operating systems. Section 7.2 recommends protocols and operating systems for real-time IoT applications.

7.2 Protocol and Operating System Recommendations

IoT applications require processing, communication, sensing, and actuation, for which the developers have to rely on a hardware platform and a collection of software frameworks including network and MAC protocols and an operating system. The protocol recommendations and design questions for each layer are discussed below:

Application Layer: Data collection, and in some cases preprocessing, happens at the source devices before the data is relayed to the remote devices, edge, and cloud platforms. Application layer protocols enable device-to-device communication, which means that the application data can be relayed from the application layer of one device to the application layer of one or more devices in the network. For faster device-to-device communication, a lightweight protocol with support for high-speed communication is desired. MQTT is capable of handling a higher number of transactions through a lightweight implementation tailored for resource-constrained Class-0 embedded platforms. We refer the reader to the section on MQTT to understand how it can benefit real-time IoT applications. Note that the protocols used at other layers and their configuration determine the real-time capabilities of the application layer protocols. Designers are recommended to consider our suggestions at all layers of the stack for better results.

Transport Layer: Protocol options are minimal at this layer. The majority of IoT applications use either TCP or UDP based on the design requirements. TCP can provide reliable communication, but it comes at the cost of high energy consumption, while UDP provides a simple “fire-and-forget” type of transportation model, which is ideally suited to resource-constrained IoT platforms. Architects and system designers have to ensure that the network is provisioned to deal with UDP traffic to handle real-time traffic with minimal overhead.

Network Layer: This layer is responsible for creating a path between devices in the network and beyond. Each device runs a routing protocol to explore the devices in its neighborhood and forms a path following a star, mesh, or tree topology. In most IoT deployments, the route formation process happens immediately after the field deployment. During the runtime, devices continue to interact with the devices in their network to maintain the path, and some protocols allow the devices to continuously optimize the path for better real-time performance. At this layer, the system

Table 1 Many Sources of Latency in IoT Systems

| Source | Definition and solution |
| --- | --- |
| Sensing latency | Definition: Sensing is fundamental to IoT applications, wherein not all the sensors behave in the same way. For phenomena that move through space slowly (such as acoustic vibrations or moving objects), it may not be easy to sense the data in real-time. Potential solution: One solution to improve this would be to place sensors more densely so they can detect the object or the phenomenon of interest quickly. |
| Propagation latency | Definition: How far does data have to travel to be processed? In some cases, the nearest cloud infrastructure could be in a different city or a country. Potential solution: Rely on a cloud infrastructure that is close to the application environment. Edge or fog computing can solve this problem. |
| Transmission latency | Definition: The time it takes for a packet to travel from one device to another device through a wired or wireless link. For a single packet, this depends on the link rate. Potential solution: Higher data rates can be helpful to reduce transmission latency. |
| Retransmission latency | Definition: The time it takes for a packet to reach the desired destination after retransmissions. Note that the retransmissions happen due to poor link performance. Potential solution: Having more reliable links means fewer retransmissions to send packets successfully, which would result in lower link delay; this may be enabled by increasing radio power or by utilizing forward error correction, which may incur higher hardware complexity in some cases. |
| Scheduling latency | Definition: In time-synchronized networks such as TSCH, nodes have to wait for their turn to transmit or receive data. Such waiting times introduce scheduling latency. Potential solution: Optimized designs may be needed, or alternative schemes that allow limited random access in case of time-critical data may be helpful in some cases. |
| Encounter latency | Definition: For intermittently connected mobile networks (ICMN), such as when mobile devices are used as data mules, carriers for data from static sensors, a source of latency could be how long you have to wait for a mobile carrier to show up. Potential solution: It is difficult to provide real-time guarantees in mobile scenarios. Application developers should account for the transient connectivity at the design phase. |
| Delivery latency | Definition: In ICMN networks, the delivery latency depends on the routing scheme. Potential solution: Flooding or multi-copy routing is the fastest delivery mechanism for low data rate applications, but single-copy routing is more energy efficient. |
| Queuing latency | Definition: Network congestion may lead to queuing latency. Potential solution: Congestion control mechanisms, as well as scheduling mechanisms that avoid congestion, can reduce queuing latency. |
| Processing hardware latency | Definition: The time it takes for a CPU or GPU to process the data. Potential solution: Faster device/edge processors and multiprocessor scheduling techniques can reduce processing latency. |
| Processing algorithmic latency | Definition: The time it takes for an algorithm to compute the result. Potential solution: Using lightweight algorithms or machine learning models that can compute quickly even with limited resources can reduce the algorithmic latency. |

architects and developers are recommended to choose the right topology for the deployment. Networks following the star topology tend to provide low latency since the devices typically connect to the gateway or the edge device that is one hop away from the source device. However, the time-synchronized mesh network created through TSCH guarantees low latency for a network with tens of devices. In summary, the topology influences the latency, but the routing protocol that creates the topology runs once at the initial stages of the deployment, which means the developers are required to pay attention to the topology.

MAC Layer: Devices use the medium access control protocol to share the wireless communication medium. Asynchronous MAC protocols sense the wireless medium before the transmission, while the synchronized MAC protocols have dedicated time slots for communication. For real-time IoT applications, synchronous MAC protocols such as TSCH would be ideal since the devices have predictable latency, whereas the asynchronous MAC protocols suffer from interference due to lack of coordination among devices.

PHY Layer: Wireless transmission and reception are handled by the radio on IoT devices. The data rate, radio range, and frequency bands depend on the physical layer technology. Radios with extended range communication support are suitable for real-time IoT applications, but the developers have to consider their limited scalability and packet delivery performance and select the long-range technology based on their application requirements. Short-range wireless radios such as IEEE 802.15.4 may also be useful for real-time IoT applications, but the developers have to choose the right protocols at the MAC and network layer for optimal real-time performance.

Operating System Support: Recall that an operating system executes the layered protocol stack. Both event-triggered and time-triggered operating systems are suitable for real-time IoT applications, but time-triggered operating systems such as μC/OS-II guarantee determinism for the application and the protocol software.

A Note on Hardware: Embedded IoT devices have a CPU, memory, and in some cases, a radio transceiver for processing, storage, and communication, respectively. For faster local processing of application data, a powerful CPU and a significant amount of RAM are required on the device. Besides, high-precision timing hardware may provide accurate timing for IoT applications. Low-power GPUs are also being introduced to accelerate the processing speed (Ananthanarayanan et al. 2017).

Influence of Edge and Cloud Infrastructure: Applications that use cloud and edge infrastructure for processing may have to rely on one or more devices to get the data to the remote cloud or edge devices. Application developers can use the above recommendations when developing real-time IoT applications.
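The scheduling-latency and link-latency (retransmission) entries of Table 1 and the MAC-layer recommendation above can be made concrete with a small calculation. The Python sketch below is an added example, not code from the chapter; it models one dedicated cell per hop in a TSCH slotframe and ignores channel hopping and queuing, and the 10 ms timeslot, the 20-slot slotframe, the slot offsets and the 250 ms deadline are constructed assumptions.

```python
"""Worst-case delivery latency over a multi-hop TSCH path.

Constructed example: slot length, slotframe size and cell offsets are
assumptions chosen for illustration, not values from the chapter.
"""
from dataclasses import dataclass

SLOT_MS = 10  # assumed timeslot duration in milliseconds


@dataclass(frozen=True)
class Hop:
    slot_offset: int          # dedicated transmit cell of this hop in the slotframe
    failed_attempts: int = 0  # frames lost on this link before one is acknowledged


def delivery_slots(hops, slotframe_len, gen_slot):
    """Slots from packet generation (start of gen_slot) until the last hop delivers."""
    if slotframe_len <= 0:
        raise ValueError("slotframe length must be positive")
    t = gen_slot  # absolute slot index at which the packet is ready to be sent
    for hop in hops:
        if not 0 <= hop.slot_offset < slotframe_len:
            raise ValueError(f"slot offset {hop.slot_offset} outside slotframe")
        if hop.failed_attempts < 0:
            raise ValueError("failed_attempts must be non-negative")
        # Scheduling latency: idle until this hop's cell comes round.
        t += (hop.slot_offset - t) % slotframe_len
        # Link latency: every lost frame is retried one slotframe later.
        t += hop.failed_attempts * slotframe_len
        # The successful transmission occupies the cell itself.
        t += 1
    return t - gen_slot


def worst_case_ms(hops, slotframe_len):
    """Maximum delivery time over every possible generation instant, in ms."""
    if slotframe_len <= 0:
        raise ValueError("slotframe length must be positive")
    return SLOT_MS * max(
        delivery_slots(hops, slotframe_len, g) for g in range(slotframe_len)
    )


def meets_deadline(hops, slotframe_len, deadline_ms):
    """True when the worst-case delivery time fits within the deadline."""
    return worst_case_ms(hops, slotframe_len) <= deadline_ms


# Constructed three-hop paths in a 20-slot slotframe (200 ms per cycle).
SLOTFRAME = 20
CASCADED = [Hop(2), Hop(3), Hop(4)]   # cells ordered along the route
REVERSED = [Hop(4), Hop(3), Hop(2)]   # same cells, opposite order
LOSSY = [Hop(2), Hop(3, failed_attempts=1), Hop(4)]  # one lost frame on the second hop

if __name__ == "__main__":
    for name, path in (("cascaded", CASCADED), ("reversed", REVERSED), ("lossy", LOSSY)):
        wc = worst_case_ms(path, SLOTFRAME)
        print(f"{name:9s} worst case {wc:4d} ms, meets 250 ms deadline: "
              f"{meets_deadline(path, SLOTFRAME, 250)}")
```

The same three cells give a worst case of 220 ms or 580 ms depending only on their order along the route, and a single lost frame on one hop adds a full slotframe (200 ms) to the cascaded schedule.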

8 Conclusion

Real-time IoT applications are starting to emerge in the space of IoT and smart cities. This chapter has explained the characteristics and layered network stack of IoT applications. OSI layers and the functionalities handled at different layers have been presented to illustrate how each layer influences the real-time performance of the IoT deployments. The discussion on the layers has shown that the protocol selection for real-time IoT has to consider the implications of the network topology, MAC protocol, and the physical layer technology. Applications involving cloud platforms introduce high latency due to the longer data path. Thus the developers are advised to process the data “in-network” as much as possible to achieve low latency and faster response time. A discussion on operating systems illustrated that the time-triggered operating systems provide a deterministic response as compared to event-triggered operating systems. A set of design recommendations for real-time IoT is presented to help the architects and developers working on time-sensitive IoT applications. Lightweight protocols with minimal processing and communication overhead are typically suitable for real-time IoT applications that require low-latency guarantees.

References

G. Ananthanarayanan, P. Bahl, P. Bodík, K. Chintalapudi, M. Philipose, L. Ravindranath, S. Sinha, Real-time video analytics: the killer app for edge computing. Computer 50(10), 58–67 (2017)
E. Aras, G.S. Ramachandran, P. Lawrence, D. Hughes, Exploring the security vulnerabilities of LoRa, in 2017 3rd IEEE International Conference on Cybernetics (CYBCONF), June 2017, pp. 1–6
K. Arisha, M. Youssef, M. Younis, Energy-aware TDMA-based MAC for sensor networks, in System-Level Power Optimization for Wireless Multimedia Communication: Power Aware Computing, ed. by R. Karri, D. Goodman, (Springer US, Boston, 2002), pp. 21–40
J. Arnbak, W. van Blitterswijk, Capacity of slotted ALOHA in Rayleigh-fading channels. IEEE J. Sel. Areas Commun. 5(2), 261–269 (1987)
E. Baccelli, O. Hahm, M. Gunes, M. Wahlisch, T.C. Schmidt, RIOT OS: towards an OS for the internet of things, in 2013 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), Apr 2013, pp. 79–80
J. Bardyn, T. Melly, O. Seller, N. Sornin, IoT: the era of LPWAN is starting now, in ESSCIRC Conference 2016: 42nd European Solid-State Circuits Conference, Sept 2016, pp. 25–30


C. Bormann, M. Ersue, A. Keranen, Terminology for constrained-node networks. Technical report (2014)
K. Brun-Laguna, A.L. Diedrichs, D. Dujovne, R. Léone, X. Vilajosana, T. Watteyne, (not so) intuitive results from a smart agriculture low-power wireless mesh deployment, in Proceedings of the Eleventh ACM Workshop on Challenged Networks – CHANTS ’16, (ACM Press, New York, 2016), pp. 25–30
K. Brun-Laguna, A.L. Diedrichs, D. Dujovne, C. Taffernaberry, R. Léone, X. Vilajosana, T. Watteyne, Using SmartMesh IP in smart agriculture and smart building applications. Comput. Commun. 121, 83–90 (2018)
M. Ceriotti, M. Corrà, L. D’Orazio, R. Doriguzzi, D. Facchin, S.T. Gună, G.P. Jesi, R.L. Cigno, L. Mottola, A.L. Murphy, M. Pescalli, G.P. Picco, D. Pregnolato, C. Torghele, Is there light at the ends of the tunnel? wireless sensor networks for adaptive lighting in road tunnels, in Proceedings of the 10th ACM/IEEE International Conference on Information Processing in Sensor Networks, Apr 2011, pp. 187–198
A. Colvin, CSMA with collision avoidance. Comput. Commun. 6(5), 227–235 (1983)
J. Daemen, V. Rijmen, The Design of Rijndael: AES – The Advanced Encryption Standard (Springer Science & Business Media, New York, 2013)
M. Doudou, D. Djenouri, N. Badache, A. Bouabdallah, Synchronous contention-based MAC protocols for delay-sensitive wireless sensor networks: a review and taxonomy. J. Netw. Comput. Appl. 38, 172–184 (2014)
D. Dujovne, T. Watteyne, X. Vilajosana, P. Thubert, 6TiSCH: deterministic IP-enabled industrial internet (of things). IEEE Commun. Mag. 52(12), 36–41 (2014)
A. Dunkels, B. Gronvall, T. Voigt, Contiki – a lightweight and flexible operating system for tiny networked sensors, in 29th Annual IEEE International Conference on Local Computer Networks, Nov 2004, pp. 455–462
P. Dutta, D.E. Culler, S. Shenker, Procrastination might lead to a longer and more useful life, in HotNets, (2007)
A. Eswaran, A. Rowe, R. Rajkumar, Nano-RK: an energy-aware resource-centric RTOS for sensor networks, in 26th IEEE International Real-Time Systems Symposium (RTSS’05), Dec 2005, pp. 10, 256–265
P.T. Eugster, P.A. Felber, R. Guerraoui, A.-M. Kermarrec, The many faces of publish/subscribe. ACM Comput. Surv. 35(2), 114–131 (2003)
O. Gnawali, R. Fonseca, K. Jamieson, D. Moss, P. Levis, Collection tree protocol, in Proceedings of the 7th ACM Conference on Embedded Networked Sensor Systems, SenSys ’09, (ACM, New York, 2009), pp. 1–14
I. Howitt, J.A. Gutierrez, IEEE 802.15.4 low rate – wireless personal area network coexistence issues, in 2003 IEEE Wireless Communications and Networking, 2003. WCNC 2003, vol. 3, Mar 2003, pp. 1481–1486
C. Hsin, M. Liu, Randomly duty-cycled wireless sensor networks: dynamics of coverage. IEEE Trans. Wirel. Commun. 5(11), 3182–3192 (2006)
C. Karlof, N. Sastry, D. Wagner, TinySec: a link layer security architecture for wireless sensor networks, in Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems, SenSys ’04, (ACM, New York, 2004), pp. 162–175
H. Kopetz, Event-triggered versus time-triggered real-time systems, in Operating Systems of the 90s and Beyond, volume 563 of Lecture Notes in Computer Science, ed. by A. Karshmer, J. Nehmer, (Springer, Berlin/Heidelberg, 1991), pp. 86–101
J.J. Labrosse, MicroC/OS-II: The Real Time Kernel (CRC Press, Lawrence, Kansas, 2002)
S. Lee, H. Kim, D. Hong, H. Ju, Correlation analysis of MQTT loss and delay according to QoS level, in The International Conference on Information Networking 2013 (ICOIN), Jan 2013, pp. 714–717
P. Levis, S. Madden, J. Polastre, R. Szewczyk, K. Whitehouse, A. Woo, D. Gay, J. Hill, M. Welsh, E. Brewer, D. Culler, TinyOS: an operating system for sensor networks, in Ambient Intelligence, ed. by W. Weber, J.M. Rabaey, E. Aarts, (Springer, Berlin/Heidelberg, 2005), pp. 115–148


A. Liu, P. Ning, TinyECC: a configurable library for elliptic curve cryptography in wireless sensor networks, in Proceedings of the 7th International Conference on Information Processing in Sensor Networks, IPSN ’08, (IEEE Computer Society, Washington, DC, 2008), pp. 245–256
G. Lu, B. Krishnamachari, C.S. Raghavendra, An adaptive energy-efficient and low-latency MAC for data gathering in wireless sensor networks, in 18th International Parallel and Distributed Processing Symposium, 2004. Proceedings, Apr 2004, pp. 224
R.G. Machado, A.M. Wyglinski, Software-defined radio: bridging the analog–digital divide. Proc. IEEE 103(3), 409–423 (2015)
N. Mangalvedhe, R. Ratasuk, A. Ghosh, NB-IoT deployment study for low power wide area cellular IoT, in 2016 IEEE 27th Annual International Symposium on Personal, Indoor, and Mobile Radio Communications (PIMRC), Sept 2016, pp. 1–6
N. Matthys, F. Yang, W. Daniels, S. Michiels, W. Joosen, D. Hughes, T. Watteyne, μPnP-Mesh: the plug-and-play mesh network for the internet of things, in 2015 IEEE 2nd World Forum on Internet of Things (WF-IoT), Dec 2015, pp. 311–315
D. Messaoud, D. Djamel, B. Nadjib, Survey on latency issues of asynchronous MAC protocols in delay-sensitive wireless sensor networks. IEEE Trans. Commun. Surv. Tutorials 99, 1–23 (2012)
E. Mosquitto, An Open Source MQTT Broker (2018) Eclipse Foundation, Canada
M. Palattella, L. Grieco, Using IEEE 802.15.4e Time-Slotted channel hopping (TSCH) in the internet of things (IoT): problem statement. Technical report (2015)
C. Perkins, E. Belding-Royer, S. Das, Ad hoc on-demand distance vector (AODV) routing. Technical report (2003)
J. Postel, User datagram protocol. Technical report (1980)
G.S. Ramachandran, N. Matthys, W. Daniels, W. Joosen, D. Hughes, Building dynamic and dependable Component-Based Internet-of-Things applications with dawn, in 2016 19th International ACM SIGSOFT Symposium on Component-Based Software Engineering (CBSE), Apr 2016, pp. 97–106
G.S. Ramachandran, F. Yang, P. Lawrence, others, μPnP-WAN: experiences with LoRa and its deployment in DR Congo. Communication. (2017)
R. Ratasuk, B. Vejlgaard, N. Mangalvedhe, A. Ghosh, NB-IoT system for M2M communication, in IEEE Wireless Communications and Networking Conference Workshops (WCNCW), Apr 2016, pp. 428–432
R.R. Rout, S.K. Ghosh, Enhancement of lifetime using duty cycle and network coding in wireless sensor networks. IEEE Trans. Wirel. Commun. 12(2), 656–667 (2013)
Z. Shelby, K. Hartke, C. Bormann, The Constrained Application Protocol (CoAP). Technical report (2014)
S.A. Sigfox, Sigfox Technology Overview (2018) SigFox Foundation, France
F. Sivrikaya, B. Yener, Time synchronization in sensor networks: a survey. IEEE Netw. 18(4), 45–50 (2004)
A. Springer, W. Gugler, M. Huemer, L. Reindl, C.C.W. Ruppel, R. Weigel, Spread spectrum communications using chirp signals, in IEEE/AFCEA EURO-COMM 2000. Information Systems for Enhanced Public Safety and Security (Cat. No.00EX405), May 2000, pp. 166–170
O. Standard, MQTT version 3.1. 1. URL http://docs.oasis-open.org/mqtt/mqtt/v3, 1 (2014)
R. Szewczyk, E. Osterweil, J. Polastre, M. Hamilton, A. Mainwaring, D. Estrin, Habitat monitoring with sensor networks. Commun. ACM 47(6), 34 (2004)
D. Thangavel, X. Ma, A. Valera, H. Tan, C.K. Tan, Performance evaluation of MQTT and CoAP via a common middleware, in 2014 IEEE Ninth International Conference on Intelligent Sensors, Sensor Networks and Information Processing (ISSNIP), Apr 2014, pp. 1–6
A. Tzamaloukas, J.J. Garcia-Luna-Aceves, Channel-hopping multiple access, in 2000 IEEE International Conference on Communications. ICC 2000. Global Convergence Through Communications. Conference Record, vol. 1, June 2000, pp. 415–419
B. Vejlgaard, M. Lauridsen, H. Nguyen, I.Z. Kovács, P. Mogensen, M. Sorensen, Coverage and capacity analysis of sigfox, lora, gprs, and nb-iot, in Proceedings of the 2017 IEEE 85th Vehicular Technology Conference (VTC Spring), Sydney, Australia, 2017, pp. 4–7


X. Vilajosana, P. Tuset, T. Watteyne, K. Pister, OpenMote: Open-Source prototyping platform for the industrial IoT, in Ad Hoc Networks, (Springer International Publishing, 2015), San Remo, Italy, pp. 211–222
T. Watteyne, A. Mehta, K. Pister, Reliability through frequency diversity, in Proceedings of the 6th ACM Symposium on Performance Evaluation Of Wireless Ad Hoc, Sensor, And Ubiquitous Networks – PE-WASUN ’09, 2009
T. Watteyne, J. Weiss, L. Doherty, J. Simon, Industrial IEEE802.15.4e networks: performance and trade-offs, in 2015 IEEE International Conference on Communications (ICC), June 2015, pp. 604–609
T. Watteyne, A.L. Diedrichs, K. Brun-Laguna, J.E. Chaar, D. Dujovne, J.C. Taffernaberry, G. Mercado, PEACH: predicting frost events in peach orchards using IoT technology. EAI Endorsed Trans. Internet Things 2(5) (2016)
G. Werner-Allen, K. Lorincz, M. Ruiz, O. Marcillo, J. Johnson, J. Lees, M. Welsh, Deploying a wireless sensor network on an active volcano. IEEE Internet Comput. 10(2), 18–25 (2006)
T. Winter, P. Thubert, A. Brandt, J. Hui, R. Kelsey, P. Levis, K. Pister, R. Struik, J.P. Vasseur, R. Alexander, RPL: IPv6 routing protocol for low-power and lossy networks. Technical report (2012)
A.J. Wixted, P. Kinnaird, H. Larijani, A. Tait, A. Ahmadinia, N. Strachan, Evaluation of LoRa and LoRaWAN for wireless sensor networks, in 2016 IEEE SENSORS, (2016), pp. 1–3
G.R. Wright, W.R. Stevens, TCP/IP Illustrated: The Implementation, vol 2 (Addison-Wesley, 1995) Boston, MA
Y. Yao, J. Gehrke, The cougar approach to in-network query processing in sensor networks. SIGMOD Rec. 31(3), 9–18 (2002)
S. Zacharias, T. Newe, S. O’Keeffe, E. Lewis, 2.4 GHz IEEE 802.15.4 channel interference classification algorithm running live on a sensor node, in SENSORS, 2012 IEEE, Oct 2012, pp. 1–4
H. Zimmermann, OSI reference model – the ISO model of architecture for open systems interconnection. IEEE Trans. Commun. 28(4), 425–432 (1980)

25 CyreumE: A Real-Time Situational Awareness and Decision-Making Blockchain-Based Architecture for the Energy Internet

Abubakar Sadiq Sani, Dong Yuan, Stephen Ogaji, and Zhao Yang Dong

Contents
1 Introduction
1.1 CyreumE Overview
1.2 Security Guarantees
1.3 Energy Internet Requirements for Real-Time Situational Awareness and Decision-Making
1.4 Contributions to Knowledge
1.5 Structure of the Chapter
2 Dataset
3 CyreumE-CP
3.1 Identity-Based Communication Paradigm
3.2 Description of CyreumE-CP
3.3 Formal Security Verification of CyreumE-CP Using AVISPA
4 CyreumE
4.1 Real-Time Situational Awareness Process CRSA
4.2 Distributed Value Chain Framework CDVC
4.3 The Real-Time Decision-Making Process CRDM
5 Security Analysis
6 Case Studies
6.1 Impact of Failures on SCADA System: Generation (Lack of Real-Time Availability of Operational Data/Reliability Issues) and Distribution (ATC&C) Losses
6.2 Disputes Across the Value Chain of the Power Grid
7 Discussion and Related Work
8 Conclusion and Future Work
References

A. S. Sani · D. Yuan: School of Electrical and Information Engineering, The University of Sydney, Sydney, NSW, Australia
S. Ogaji: Department of Fuel and Gas, Niger Delta Power Holding Company, Abuja, Nigeria
Z. Y. Dong: School of Electrical Engineering and Telecommunications, University of New South Wales, Sydney, NSW, Australia
© Springer Nature Singapore Pte Ltd. 2022. Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_48

Abstract

Providing reliable and adequate electricity supply has been a persistent concern in the power sector of the less developed countries. While there has been an increasing interest in the use of blockchain in the power grid for energy trading around the developed economies, technical challenges such as identifying and preventing operational inefficiency and nontechnical challenges such as inefficient and disintegrated decision-making across the power grid value chain have continuously hindered the overall efficiency of the sector. In this chapter, we present CyreumE, a blockchain-based real-time situational awareness and decision-making architecture with a distributed value chain framework (DVC) for the Energy Internet, which uses a combination of advanced lightweight cryptography, a knowledge representation model, and a decision-making process. Because the huge computational costs of blockchains involve high delays that are not suitable for the power grid, CyreumE proposes CyreumE-CP for efficient data communications, which eliminates the delays of blockchains. CyreumE-CP uses shared secret session keys to prevent security attacks from disrupting and weakening the communications. Furthermore, CyreumE prevents operational inefficiency in the power grid via a real-time situational awareness process (RSA) and efficiently utilizes a real-time decision-making process (RDM) for decision-making across the power grid value chain, which enhances funding and investment opportunities. We validate CyreumE-CP on an ultralow-power IEEE 802.15.4 wireless sensor module and CyreumE on a real-world dataset collected from power generation and distribution facilities. We apply our architecture to two challenges: the unavailability of real-time operational data/reliability issues and losses in the power grid, and disputes across the value chain. Our results show that CyreumE provides real-time operational efficiency and decision-making guarantees.

1 Introduction

The problems of providing reliable and adequate electricity supply have attracted growing interest in the power sector of the developing countries. Several approaches for the provision of such electricity supply exist, ranging from situational awareness to power system reliability assessment approaches, which abstract from system operating practices, security controls, and remedial actions, to approaches based on decision-making and those which perform resilient design of electricity value chain networks (see, e.g., Jabbarzadeh et al. 2017, Heo et al. 2011, Yang et al. 2007, Melodi et al. 2017, Khan et al. 2015). In this work, our focus lies on integrating situational awareness, decision-making, and value chain approaches in the Energy Internet (or smart grid 2.0) (Cao and Yang 2013), which integrates smart grid and other energy networks based on intelligent information and communication technologies (see, e.g., Huang et al. 2011). The terms “Energy Internet” and “power grid” can therefore often be used interchangeably. All such approaches strive to achieve operational efficiency to optimize the reliability and availability of electricity supply.

At present, operational inefficiencies have negatively affected the reliability and availability of electricity supply in many developing countries (see, e.g., Vaccaro et al. 2011 and Usman et al. 2015). Despite the presence of a defined power grid value chain which primarily includes gas supply companies, generation companies (Gencos), and distribution companies (Discos), challenges such as inefficient and disintegrated decision-making, insufficient funding and investment, and lack of real-time data sharing across the entire power grid value chain continue to hinder reliable and adequate electricity supply. The pervasive inefficient collection and dissemination of data give rise to serious operational concerns.

In this chapter, we argue that blockchain technology (see, e.g., Crosby et al. 2016, Zhang and Wen 2017) can provide a secure and reliable solution for preventing operational inefficiency in the power grid and inefficient decision-making across the power grid value chain via a real-time situational awareness process (RSA) and a real-time decision-making process (RDM), respectively, and increase efficiency across the existing value chain via a distributed value chain framework (DVC). Blockchain, like Ethereum (Wood 2014), is a technology that constantly grows a set of transactions or blocks and then uses cryptography to link and secure many blocks. It uses a consensus algorithm known as proof of work (PoW) to validate new blocks before adding the new blocks to the blockchain. As transactions are the most important part of a blockchain like Hyperledger Fabric (Hyperledger 2019) and Tendermint (Tendermint 2019), data communications are the most important part of CyreumE; thus, data communications between components in CyreumE can be referred to as Transactions, which are secured using shared secret session keys. The inherent criticality of the blockchain makes it a suitable solution for providing operational efficiency that can improve the reliability and availability of electricity supply in the developing countries.

Despite these facts, including the expressiveness of the blockchain, limited progress has been made so far to improve the reliability and availability of electricity supply via (integrated) RSA, RDM, and DVC. Moreover, applying blockchain to the power grid is not straightforward due to its high delays and overhead, which might not meet the latency requirements (approximately 4.5 msec to 5 s) of the power grid applications and technologies (see, e.g., Kansal and Bose 2012 and Kuzlu et al. 2014). One important goal of this work is therefore to provide a paradigm which gets rid of the high delays of blockchain in the power grid.

Recent studies have shown that challenges such as technology limitations and obsolete infrastructure affect reliable and adequate electricity supply in the developing countries (see, e.g., Trotter et al. 2017 and PwC 2016). These challenges have led to huge financial losses, and given the country’s urgent need for electricity, they are unacceptable. As a countermeasure, some efforts have been made to address these challenges (see, e.g., PwC 2016). We stress that the lack of real-time identification and prevention of operational inefficiency, and inefficient decision-making, which abstract from the power grid and its existing value chain, respectively, are major hindrances to providing reliable and adequate electricity supply.

1.1 CyreumE Overview

We propose CyreumE, a blockchain-based architecture for real-time situational awareness and decision-making with a DVC for the Energy Internet. With CyreumE, all segments of the DVC or power grid distributed value chain such as a regulator, gas suppliers, Gencos, Discos, service providers, and consumer representatives, to name a few, can easily make decisions and share information securely and efficiently. Figure 1 presents an overview of CyreumE.

Fig. 1 CyreumE overview (figure not reproduced; labels: Control, Model, Observe, Data, Energy Internet (Interconnected), Distributed Value Chain (CDVC), Real-time Security Awareness (CRSA), Real-time Decision-Making (CRDM))

This figure shows that situational awareness and decision-making in the power grid are supported by CyreumE, which consists of three main portions:

• An RSA portion denoted CRSA, which takes in input data from operational components (or infrastructure) of the Energy Internet. CRSA performs the computation to determine the situational awareness between the components. These components are supported by IEEE 802.15.4 (Xplore 2012) wireless sensor modules, which carry out situational awareness via CRSA’s layered Modeling, Observing, and Control (MOC) structure. CRSA is meant to model, observe, and control the Energy Internet’s components and then send a transaction to the DVC. Furthermore, it is meant to protect the operational components’ data of the Energy Internet as well as transactions with the DVC (see Sect. 4.1 for a detailed description of CRSA). Note that every component in CyreumE is registered and issued a 160-bit identity (ID) by an Energy Internet Registration and Identity Issuer (ERII) to improve the protection of the components and their information from security attacks. The ERII stores every ID in a distributed database within the Energy Internet. Furthermore, any component can use the database for identity verification.
• A DVC portion denoted CDVC, which takes in input data from CRSA to perform computations that support decision-making across the distributed value chain. It is referred to as the Energy Internet blockchain. Any segment of CDVC can use RDM as a decision-making process in the Energy Internet. Transactions in CDVC can only be executed by the consensus nodes, i.e., the segments of the DVC, via a CyreumE consensus process. Specifically, CDVC creates a trusted environment for secure and transparent data sharing which gives rise to efficient decision-making in real time (see Sect. 4.2 for a detailed description of CDVC and the consensus process). Similar to the components in the Energy Internet, every segment of the value chain is also registered and issued an ID by the ERII.
• An RDM portion denoted CRDM, which does not perform situational awareness. It takes in input data from CDVC and performs complex operational decision-making computation. Additionally, CDVC uses CRDM for nonoperational decision-making on behalf of the Energy Internet, and then CRDM sends all results of the decision-making (as a form of a transaction) back to the CDVC (see also Sect. 4.3 for details of CRDM).

1.2 Security Guarantees

CyreumE’s security guarantees consist of two features as follows:

• Value chain privacy. Value chain privacy requires that privacy of transactions be provided against any segment not involved in the blockchain unless the segments themselves willingly disclose information in line with business and regulatory requirements. Furthermore, CyreumE-CP uses lightweight cryptographic operations to send transactions to the blockchain.
• Contractual security. Contractual security protects segments in CDVC from each other. This comprises the cryptographic notions of identification, confidentiality, integrity, authenticity, and fairness in the presence of any dishonest segment.

1.3 Energy Internet Requirements for Real-Time Situational Awareness and Decision-Making

Unlike the power grids in many developed countries, the power grid in developing countries has its peculiarities, which pose significant challenges for real-time situational awareness and decision-making since it may require capturing operational data in real time. Firstly, deploying sensors in many operational technologies is practically infeasible due to the current obsolete state of the sector’s infrastructure and technologies. Secondly, asset owners in the power grid usually avoid sensor-based components due to the cost associated with their deployment. Lastly, decision-making in the value chain is neither performed in real time nor immediately provides results that influence the entire power grid. Therefore, many situational awareness and decision-making proposals for the power grid lack practical feasibility.

Deploying real-time situational awareness and decision-making applications in the power grid provides the benefit of identifying and preventing operational inefficiency, enhancing efficient decision-making, and further improving funding and investment opportunities. Moreover, activity from all components of the power grid is by default logged in the event log of each of the components (or data collectors available in the power grid). For data collection, we propose that (i) IEEE 802.15.4 sensors can be connected to all the components (including obsolete components, as a form of compensatory control) to collect the event logs; and (ii) event logs from upgraded/new components can be collected directly using their built-in sensors/data collectors (note that components in the power grid are usually from different vendors). These types of data collection techniques do not pose any extra burden to the applications.

1.4 Contributions to Knowledge

In this chapter, we present a novel and modular real-time situational awareness and decision-making blockchain-based architecture with a distributed value chain, novel component configuration technique, and secure broadcast communication paradigm for the Energy Internet. It is designed to fit the requirements and events of the power grid. To the best of our knowledge, CyreumE is the first to simultaneously offer real-time situational awareness and decision-making, distributed value chain, and secure broadcast communication paradigm in a blockchain environment for the Energy Internet. More specifically, our contributions are as follows:

• We propose CyreumE-CP, a new lightweight secure and efficient broadcast communication paradigm used for data communications (or transactions) in CyreumE. CyreumE-CP is an extension of our identity-based communication paradigm from Sani et al. (2017) to support broadcast communication in CyreumE designed for the Energy Internet. Transactions in CyreumE use CyreumE-CP as a secure communication protocol. We conduct real-world experiments using the IEEE 802.15.4 wireless sensor modules to construct CyreumE-CP and show that it is consistent with the latency requirement of the power grid. Security verification and performance evaluation of CyreumE-CP are carried out using widely accepted tools, namely, Automated Validation of Internet Security Protocols and Applications (AVISPA) and a Network Simulator-3 (NS-3), respectively.

• Inspired by lack of real-time situational awareness in the power grid, we model the behavior of the power grid infrastructure using event logs at remote terminal units (RTUs) (Zapolin 1992) of a supervisory control and data acquisition (SCADA) system (Daneels and Salter 1999) in the power grid. Fuzzy cognitive map (FCM) (Kosko 1986) is used, since it exhibits flexibility to interconnect components, complex system analysis and modeling, nonlinearities, uncertainty, and decision-making parameters, in order to represent and control the behavior of the power grid. Behavioral characteristics of the power grid are observed because of its configuration and nature of the power grid connections. The FCM is responsible for updating states of all components in a continuous manner. Specifications written in MATLAB are automatically generated from known configurations of the SCADA system such as RTUs and sensors which in turn are verified using the FCM generated from their event logs. This proposed technique can be referred to as CRSA, which is based on a layered MOC structure. It exhibits high accuracy and can be easily deployed in the power grid, thus providing effective control against operational inefficiency and support for decision-making across the CDVC.
• Inspired by a lack of real-time decision-making across the power grid value chain, we present CRDM, which models operational and nonoperational decisional behaviors using the data available in CDVC. Fuzzy analytical hierarchical process (F-AHP) (see, e.g., Chang 1996) is used since it exhibits complex decision-making parameters to represent the value chain decisional behaviors. Decisional behavior is observed as data provided by CDVC. Note that existing F-AHP is adapted for the formalization of CRDM due to the complex and critical nature of the power grid. The result from CRDM is made available to CDVC for approval or disapproval. Once approved by more than half of the segments of CDVC, the result is executed accordingly. CRDM exhibits high accuracy and can be deployed in the existing power grid value chain. Moreover, the approach provides real-time decision-making, secure and effective data sharing and/or data integration, and operational inefficiency mitigation and shows transparency across the power grid value chain which further provides a platform for funding and investment opportunities.

• We present CDVC and its core features such as CDVC transactions, local blockchains, and miners. CDVC is a crucial portion of CyreumE as the existing power grid value chain is not distributed and does not support the above core features. Designing such a portion requires care for the portion to meet all expected responsibilities of segments of the existing power grid value chain. Further comparison with features of the existing power grid value chain is provided in Sect. 4.

• We propose some types of transactions in CRSA, CRDM, and CDVC, and each transaction is designed for a specific purpose. These transactions help to improve operations and activities in the power grid. In CRSA, a Status transaction is used to send information regarding the status of a component to CDVC. For every Status transaction in CDVC, CRDM uses the Status transaction in CDVC for (automated) operational action or decision-making and then uses a Status Decision-Making (SDM) transaction to send the result back to CDVC for approval or disapproval. For nonoperational decision-making (i.e., semiautomated decision-making), CDVC sends a Status Control (SC) transaction to CRDM for decision-making, and then CRDM replies with a Status Control Decision-Making (SCDM) transaction. Thus, all decision-making transactions are used by CRDM to send results (or decisions) of transactions. Furthermore, other transactions in CDVC include share, store, access, request, investment, funding, add, remove, upgrade, replace, new, others, approve, disapprove, and publish transactions (see Sect. 4 for the definition of these transactions).

• We analyze the security of CyreumE to show its ability in resisting security attacks such as impersonation attack, replay attack, man-in-the-middle attack, and denial of service attack.

• For real-world experimentation and evaluation of CRSA and CRDM, we use a real-world dataset of more than 1000 sensors and information on the existing value chain, respectively, obtained as a result of our collaborations with leading power generation and distribution companies. Our experimental evaluations show a promising result for the proposed architecture.

We further illustrate the usefulness of CyreumE (i.e., our proposed architecture) by showing for real-world technical and nontechnical challenges in the Nigerian power sector that they can be solved and further prevented from reoccurrence. Due to the use of CyreumE, solving and preventing these challenges are straightforward and practical.

• We provide the first analyses of technical challenge related to Gencos and Discos because of lack of real-time availability of operational data/reliability issues of the power grid and ATC&C losses, respectively, and then provide an effective real-time solution using CyreumE.

• We analyze the nontechnical challenge of disputes across the existing value chain of the power grid. We show that using CyreumE, an effective real-time solution is provided to solve this challenge.

1.5

Structure of the Chapter

The description of the dataset and the IEEE 802.15.4 wireless sensor module is presented in Sect. 2. Section 3 discusses CyreumE-CP. CyreumE and performance evaluation of CyreumE-CP are presented in Sect. 4. The security analysis of our architecture is presented in Sect. 5. The case studies are carried out in Sect. 6. Along with related work, we present the advantages and limitation of our architecture in Sect. 7. We conclude and give insights on future work in Sect. 8. Details of security evaluation of CyreumE-CP are provided in the appendix.

2

Dataset

In a power grid, a real-world dataset reflects the true behavior of the system. Many modern works use simulations that may not necessarily reflect the true behavior of the power grid under consideration. Therefore, analyzing a real-world dataset will reveal the actual behavior of the power grid. In this work, we use a real-world dataset collected at power plants and distribution networks of leading power generation and distribution companies. Additionally, we establish a power grid test bed in our laboratory to conduct experiments and evaluations in a controlled experimentation environment with the support of our established cybersecurity framework from Sani et al. (2018). These include monitoring and managing of nodes or components which can configure nodes in a power plant facility. The test bed includes IEEE 802.15.4 wireless sensor nodes, sensor boards, interface modules, and network infrastructure (i.e., Ethernet data concentrator) which can perform bi-directional Energy Internet communication. A simple photograph of the Energy Internet test bed in our laboratory is shown in Fig. 2. Full descriptions of the components in the photograph are available at Advanticsys (2018). We use the event logs available at RTUs of a SCADA system, which consists of many integrated components and monitors and collects data from remote sites. Note that these event logs do not impose any extra burden on the RTUs. Event logs are stored for a limited amount of time and then get archived into storage for a period. This shows that the event logs get deleted in a recurring manner. We analyze the event logs in an offline manner to avoid any form of electricity supply disruption. More than 1000 sensors were communicating with the RTUs. A basic configuration of the SCADA system is presented in Table 1. This table shows information about some SCADA system components in the power plants.
In the SCADA system under consideration, scan mode for the RTUs was “1 min,” i.e., the RTUs will acquire data/readings at the interval specified in the “scan time.” Also, Table 2 presents the configuration of RTUs. It can be observed that the RTUs are aware of their neighboring sensors and the links that connect the sensors. In our case study, the IEEE 802.15.4 sensors were communicating with the RTUs, the RTUs were communicating with a master terminal unit (MTU), and then the MTU was communicating with a human-machine interface (HMI) via a wireless network. We provide a sample event log observed at RTU in Table 3. We simplified and anonymized the entries in this table to capture only the information required in this work. For each event, a timestamp is used to represent the communication between the source and destination components. The size in kilobytes (KB) represents the size of communication between two components. Lastly, the type of event between components is also recorded – “1” represents that the event was a reading report, while “2” represents a reset. Other types of events include, but are not limited to, connect and disconnect.

Fig. 2 Photograph of Energy Internet test bed in our laboratory. Notations: (a) XM1000 mote module, (b) CM3000 sensor node, (c) network infrastructure, (d) CM5000 sensor node, (e) CM3300 sensor node, (f) CM4000 sensor node, (g) EX1000 sensor board, (h) SE1000 sensor board, (i) USB1000 interface module, (j) DS1000 sensor board

Table 1 Sample SCADA configuration after anonymization

SCADA component   Vendor    Flash memory (KB)   Scan time (min)
Sensor1           Vendor1   1024                1
Sensor2           Vendor1   1024                1
Sensor3           Vendor2   512                 1
Sensor4           Vendor2   512                 1

Table 2 Sample RTU configuration after anonymization

RTU    Vendor    Neighboring sensors   Link type   Scan time (min)
RTU1   Vendor1   Sensor1, Sensor2      Link1       1
RTU2   Vendor2   Sensor3, Sensor4      Link2       1
RTU3   Vendor2   Sensor5               Link3       1
RTU4   Vendor2   Sensor6, Sensor7      Link4       1

3

CyreumE-CP

We present our secure broadcast communication paradigm, CyreumE-CP, for transactions in CyreumE. It is used to broadcast transactions on the blockchain network in a secure manner. As already mentioned in the introduction, portions of CyreumE use CyreumE-CP for secure broadcast communication among each other. We first recall our identity-based communication paradigm (Sani et al. 2017) and then describe CyreumE-CP. The notations used in this chapter are listed in Table 4.

3.1

Identity-Based Communication Paradigm

Our identity-based communication paradigm was designed to support unicast and multicast communications for Energy Internet (Rifkin 2008; Wang et al. 2017). It uses shared secret session keys computed from an identity-based key bootstrapping protocol. Along with the shared secret session keys, it utilizes cipher-based message authentication code (CMAC) to provide message authenticity and integrity. Note that as shared secret session keys from key exchange and key bootstrapping protocols are usually short-lived, the window for compromising those keys via hacking or theft is very small. Furthermore, communications in the identity-based communication paradigm are equipped with security functionalities such as (i) protecting identity tampering, (ii) ensuring message authenticity and integrity checks, and (iii) providing message confidentiality protection. These functionalities support transactions via CyreumE-CP.

3.2

Description of CyreumE-CP

We now describe our CyreumE-CP that provides secure communication in CyreumE. It represents communication between one component and all other components in a group. These include but are not limited to (i) communication between CRSA and CRDM/CDVC and (ii) communication between a segment and other segments of CDVC. Similar to Sani et al. (2017), we also employ the use of mainly CMAC, shared secret session keys ki (generated based on the identity-based communication paradigm), MAC signing algorithm MSk(.), MAC verification

Table 3 Sample event log observed at RTU after anonymization

Timestamp   Source component   Destination component   Size (KB)   Type
40.0        Sensor1            RTU1                    8           1
76.0        RTU1               Sensor1                 16          1
148.0       Sensor2            RTU2                    32          1
78.0        RTU2               Sensor2                 8           2

Table 4 Notations used in this chapter

Notation                 Description
$C_{RSA}$                Real-time situational awareness process
$C_{RDM}$                Real-time decision-making process
$C_{DVC}$                Distributed value chain process
$p$                      Ordered finite numbers
$k$                      A shared secret session key
$MS_k(.)$                Message authentication code (MAC) signing algorithm
$MV_k(.)$                MAC verification algorithm
$E_k(.)$                 Encryption algorithm
$D_k(.)$                 Decryption algorithm
$T$ / $T'$               Cipher-based MACs
$N_i$                    A node or component
$A_i^{(t)}$              Value of the node Ni at time t
$W_{ji}$                 Weight between two nodes Ni and Nj
$id_i$                   Identity of node Ni
$C_{RSA.M}$              Modeling function in CRSA
$C_{RSA.O}$              Observing function in CRSA
$C_{RSA.C}$              Controlling function in CRSA
$ID_i$                   An identity of a component or segment of the value chain
$\beta$                  State of a SCADA system
$\eta$                   Behavior of a SCADA system, CRSA.M, CRSA.O, and CRSA.C
$z_j$                    Input vector
$z_i$                    Output vector
$\Delta W_{ji}$          Strength of connection between zj and zi
$\gamma$                 Learning rate parameter
ST                       Size of a transaction or data communication
MPT                      Message payload in power grid
SPT                      A security parameter in the power grid
$X^{kc}$                 Pairwise contribution matrice
$\tilde{a}_{ij}^{kc}$    kcth decision-maker's preference of ith criterion over jth
$\tilde{g}_i$            Geometric mean
$\widetilde{gv}_i$       Reverse vector of $\tilde{g}_i$
$\tilde{w}_i$            Fuzzy weights
$M_i$                    Non-fuzzy weights
$N_i$                    Normalizing Mi
$S_i$                    Scores in F-AHP
$ptr$                    A pointer to a shared secret session key

algorithm MVk(.), encryption algorithm Ek(.), and decryption algorithm Dk(.). Furthermore, we introduce pointers to the shared secret session keys to provide security guarantees for the session keys and transactions in CyreumE. To send broadcast secret session keys to all other components in a group, the sender stores an 80-bit pointer pointing to every key for the components in the distributed database within the Energy Internet and returns the pointers to the components. Only the components in the group can use these pointers to access the corresponding session keys using their identities (see our work Sani et al. 2019 for a detailed description of pointers). Note that before a transaction or message is encrypted or decrypted, the pointers are replaced with the session keys that they refer to. To identify the pointers and their corresponding session keys, we assume that the pointers and session keys are tagged accordingly. We now present CyreumE-CP, which is based on authenticated encryption, by assuming that a segment of CDVC (say, $C^{1}_{DVC}$ with $ID_{C^{1}_{DVC}}$) wants to broadcast transactions to other segments of CDVC (say, $C^{others}_{DVC}$ with $ID_{C^{2}_{DVC}}, \ldots, ID_{C^{n-1}_{DVC}}$, where n represents the total number of the other segments) as follows:

• Step 1. $C^{1}_{DVC}$ encrypts a message $M_1$, its identity $ID_{C^{1}_{DVC}}$, pointer $ptr_1$ (pointing to $k_1$), and pointer $ptr_2$ (pointing to $k_2$) with a broadcast secret session key $k_1$ (as an encrypted message $E_{k_1}(M_1, ID_{C^{1}_{DVC}}, ptr_1, ptr_2)$) and then uses $MS_{k_2}(.)$ that takes the $E_{k_1}(M_1, ID_{C^{1}_{DVC}}, ptr_1, ptr_2)$ and another broadcast secret session key $k_2$ to produce a CMAC tag $T$ for $C^{others}_{DVC}$. Then, $C^{1}_{DVC}$ sends $T$ and $E_{k_1}(M_1, ID_{C^{1}_{DVC}}, ptr_1, ptr_2)$ to $C^{others}_{DVC}$.

$$C^{1}_{DVC} : E_{k_1}\left(M_1, ID_{C^{1}_{DVC}}, ptr_1, ptr_2\right) \tag{1}$$

$$C^{1}_{DVC} : T = MS_{k_2}\left(E_{k_1}\left(M_1, ID_{C^{1}_{DVC}}, ptr_1, ptr_2\right)\right) \tag{2}$$

$$C^{1}_{DVC} \rightarrow C^{others}_{DVC} : E_{k_1}\left(M_1, ID_{C^{1}_{DVC}}, ptr_1, ptr_2\right), T \tag{3}$$

• Step 2. Every segment in $C^{others}_{DVC}$ receives $E_{k_1}(M_1, ID_{C^{1}_{DVC}}, ptr_1, ptr_2)$ and $T$ and then runs a verification via $MV_{k_2}(.)$ to produce a CMAC tag $T'$. For every segment in $C^{others}_{DVC}$, if the verification is true, i.e., $T'$ = true/succeeds, then each of the segments in $C^{others}_{DVC}$ accepts the message and gets $k_1$ and $k_2$ that $ptr_1$ and $ptr_2$ refer to, respectively. This step applies to every segment in $C^{others}_{DVC}$.

$$C^{others}_{DVC} : MV_{k_2}\left(E_{k_1}\left(M_1, ID_{C^{1}_{DVC}}, ptr_1, ptr_2\right), T\right) = T' \; ? \tag{4}$$

$$C^{others}_{DVC} : M_1, ID_{C^{1}_{DVC}}, ptr_1, ptr_2 = D_{k_1}\left(E_{k_1}\left(M_1, ID_{C^{1}_{DVC}}, ptr_1, ptr_2\right)\right) \tag{5}$$

3.3

Formal Security Verification of CyreumE-CP Using AVISPA

Similar to Nicanfar et al. (2014), we use AVISPA (2003) to model CyreumE in the presence of an intruder. We assume that the adversary is monitoring CyreumE. Once any component is compromised, the adversary can intercept, replace, and modify transactions. In AVISPA, the Dolev-Yao intruder model (Dolev and Yao 1983) is followed, which allows an adversary to inject, drop, intercept, replace, modify, rearrange, and collect transactions. The simulation results from the On-the-Fly Model Checker (OFMC) and Constraint-Logic-based Attack Searcher (CL-AtSe) in AVISPA are presented in Table 5. The results show that communication between two components/segments constructed by CyreumE-CP is safe and resilient against security attacks such as replay and man-in-the-middle attacks in the power grid (see Sani et al. 2017 for detailed definitions of security attacks). The performance analysis of CyreumE-CP is provided along with CyreumE in Sect. 4.2 to show its efficiency in our architecture.

Table 5 AVISPA outputs showing CyreumE-CP between two components/segments

OFMC backend

% OFMC
% Version of 2006/02/13
SUMMARY
  SAFE
DETAILS
  BOUNDED_NUMBER_OF_SESSIONS
PROTOCOL
  /home/span/span/testsuite/results/CyreumECP.if
GOAL
  as_specified
BACKEND
  OFMC
COMMENTS
STATISTICS
  Parse time: 0.00s
  Search time: 0.01 s
  Visited nodes: 8 nodes
  Depth: 3 plies

CL-AtSe backend

%CL-AtSe
SUMMARY
  SAFE
DETAILS
  BOUNDED_NUMBER_OF_SESSIONS
  TYPED_MODEL
PROTOCOL
  /home/span/span/testsuite/results/CyreumECP.if
GOAL
  As Specified
BACKEND
  CL-AtSe
STATISTICS
  Analyzed: 2 states
  Reachable: 0 states
  Translation: 0.01 s
  Computation: 0.00 s
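The two steps of CyreumE-CP from Sect. 3.2 (encrypt under k1, tag the ciphertext under k2, verify before decrypting) can be traced in the following added example, which is not code from the chapter or from the CyreumE project. So that it runs with the Python standard library only, HMAC-SHA-256 stands in for CMAC and a SHA-256 counter keystream stands in for Ek/Dk; the `KeyDirectory` class, the per-message nonce, the length-prefixed payload encoding and the segment identities are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import struct

PTR_LEN = 10  # 80-bit pointer, as stated in Sect. 3.2


def _xor_stream(key, nonce, data):
    """Stand-in for E_k / D_k: XOR with a SHA-256 counter keystream (not AES)."""
    stream = bytearray()
    for ctr in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + struct.pack(">I", ctr)).digest()
    return bytes(d ^ s for d, s in zip(data, stream))


def _pack(fields):
    """Length-prefix every field so the plaintext parses unambiguously."""
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def _unpack(blob):
    fields, i = [], 0
    while i < len(blob):
        (n,) = struct.unpack_from(">H", blob, i)
        fields.append(blob[i + 2:i + 2 + n])
        i += 2 + n
    return fields


class KeyDirectory:
    """Hypothetical model of the distributed database: pointer -> session key."""

    def __init__(self):
        self._store = {}

    def register(self, key, members):
        ptr = secrets.token_bytes(PTR_LEN)
        self._store[ptr] = (key, frozenset(members))
        return ptr

    def resolve(self, ptr, identity):
        # Only identities in the group may turn a pointer into its key.
        key, members = self._store[ptr]
        if identity not in members:
            raise PermissionError("identity is not in the pointer's group")
        return key


def broadcast(directory, sender_id, ptr1, ptr2, message):
    """Step 1: E_k1(M1, ID, ptr1, ptr2), then T = MS_k2(ciphertext)."""
    k1 = directory.resolve(ptr1, sender_id)
    k2 = directory.resolve(ptr2, sender_id)
    nonce = secrets.token_bytes(12)  # assumption: fresh nonce per transaction
    plaintext = _pack([message, sender_id.encode(), ptr1, ptr2])
    ciphertext = nonce + _xor_stream(k1, nonce, plaintext)
    tag = hmac.new(k2, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def receive(directory, receiver_id, ptr1, ptr2, ciphertext, tag):
    """Step 2: run MV_k2 first; decrypt with k1 only if the tag verifies."""
    k2 = directory.resolve(ptr2, receiver_id)
    expected = hmac.new(k2, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None  # reject without decrypting
    k1 = directory.resolve(ptr1, receiver_id)
    nonce, body = ciphertext[:12], ciphertext[12:]
    message, sender, p1, p2 = _unpack(_xor_stream(k1, nonce, body))
    if (p1, p2) != (ptr1, ptr2):
        return None  # pointers in the payload must match the ones held
    return message, sender.decode()


def demo():
    directory = KeyDirectory()
    group = {"CDVC-1", "CDVC-2", "CDVC-3"}  # constructed segment identities
    ptr1 = directory.register(secrets.token_bytes(16), group)  # points to k1
    ptr2 = directory.register(secrets.token_bytes(16), group)  # points to k2
    ct, tag = broadcast(directory, "CDVC-1", ptr1, ptr2, b"Status: RTU1 reset")
    results = {"accepted": [receive(directory, r, ptr1, ptr2, ct, tag)
                            for r in ("CDVC-2", "CDVC-3")]}
    tampered = ct[:-1] + bytes([ct[-1] ^ 0x01])  # one flipped ciphertext bit
    results["tampered"] = receive(directory, "CDVC-2", ptr1, ptr2, tampered, tag)
    try:
        receive(directory, "outsider", ptr1, ptr2, ct, tag)
        results["outsider"] = "resolved"
    except PermissionError:
        results["outsider"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

Because the tag covers the ciphertext, a modified transaction is dropped before any decryption happens, and a party outside the group never obtains k1 or k2 from the pointers.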

4

CyreumE

In this section, we present CyreumE, which consists of three structured portions, CRSA , CRDM , and CDVC . CRSA receives data from the Energy Internet components, evaluates them based on the layered MOC structure, and forwards the data via a Status transaction to CDVC (note that definition of a Status transaction is already mentioned in the introduction). Then, CDVC evaluates the received transaction and forwards the transaction to CRDM in the case of nonoperational action or decision-making. Furthermore, CRDM takes every Status transaction available in CDVC for operational action. CDVC sends nonoperational and operational results from nonoperational and operational actions, respectively, back to the CDVC for approval or disapproval. This structural representation allows the improvement of real-time situational awareness and decision-making, thereby reducing operational inefficiency and enhancing efficient decision-making in the Energy Internet. We now present CRSA and later describe CRDM and CDVC .

4.1

Real-Time Situational Awareness Process CRSA

CRSA is a layered MOC structure based on new FCM representations. We describe the layered MOC structure and then present their FCM representations. The first layer of the MOC structure is Modeling. The Modeling oversees capturing raw data and constructing uniform formatted data (or FCM-based values) that will be needed by the following layers. Also, it filters out data that are not required for realtime situational awareness. Furthermore, Modeling offers access to valuable data required in CyreumE. Note that we studied and analyzed the event logs to construct suitable initial FCM-based values that are utilized by the Modeling (see Sect. 6 for details of event logs analysis and FCM-based values of components). The second layer is the Observing, which oversees noting the relationships between connected components and distinguishing the influence from one component to another. It transformed the data from the Modeling into chains of events to understand the behavior of the components. The main objective of the Observing is to report the behavior of components to the next layer based on a rule, which mainly focuses on if (FCM-based) value of a component exceeds the maximum value set in the Observing layer, then it notifies the next layer for appropriate component control measure/action. For example, if a read event of a component exceeds the maximum value that has been set in the Observing layer, action is required by the next layer to prevent any form of unplanned shutdown associated with that component (and any connected components) in the Energy Internet. Finally, the obtained value that is outside the maximum value of the Observing is forwarded to the next layer. Note that in analyzing the event logs, we studied the minimum and maximum values of the data to set suitable minimum and maximum values of the Observing. The final layer is the Control, which performs component control via real-time data. 
This layer oversees reading the data/event from the Observing, builds chains of events that represent how the component behaves (say, its downtime pattern), and influences its connected components. If the value/associated data of the component exceeds the maximum value set by the Control (or the value shows a downtime pattern), it resets the component to its minimum value in the Observing layer to prevent any downtime that can affect operational efficiency in the Energy Internet. Then, CRSA notifies CDVC by using the Status transaction. CyreumE’s CRSA focuses on the long-time behavior of components in the power grid and captures information in real time. Therefore, the Modeling, Observing, and Control must act as intelligent hardware (e.g., sensors and actuators) and/or software. We note that (i) the Modeling uses a set of data as a reference point (see Sect. 6 for more details on the data for initializing values of the components); (ii) the implementation of the Control is usually linked to the Modeling, while the Modeling is linked to the Observing; and (iii) CRSA is responsible for sending notifications of any component to CDVC . We briefly recall the general idea of FCM before showing FCM representations of CRSA . FCM was introduced as an extension of cognitive maps used for logical reasoning and knowledge representation of concepts (e.g., components) and their

relationship. It has been applied to model complex systems (Stylios and Groumpos 2004) and knowledge of many real-world domains and applications (Papageorgiou and Salmeron 2013) such as medicine (Stylios et al. 2008), energy consumption (Papageorgiou and Poczęta 2015), intrusion detection system (Siraj et al. 2001), utility automation system (Mohagheghi 2014), and energy management system (Kyriakarakos et al. 2012), to name a few. A simple illustration of FCM is presented in Fig. 3. This figure shows that two nodes (or components), Ni and Nj, are connected by a causal link weight Wji. A simple FCM rule is presented in Eq. (6).

$$A_i^{(t+1)} = f\left(A_i^{(t)} + \sum_{j=1,\, j \neq i}^{n} A_j^{(t)} W_{ji}\right) \tag{6}$$

where $A_i^{(t+1)}$ is value of node Ni at time t + 1, $A_i^{(t)}$ is value of node Ni at time t, $A_j^{(t)}$ is value of node Nj at time t, Wji is weight value of interconnection between node Nj and Ni, and f is a threshold function that maps results to [0, 1]. Furthermore, f can be represented as a unipolar sigmoid function as given below:

$$f(A) = \frac{1}{1 + e^{-\lambda A}} \tag{7}$$

where λ > 0 determines slope of the continuous f. Furthermore, we present FCM training, where the weights are usually developed in a semiautomated fashion via three steps: (i) using an expert system to determine the initial weights of the edges based on short-range impacts of connected nodes; (ii) using the centrality of vertices (Kosko 1986) to adjust the initial weights; and (iii) using an unsupervised Hebbian learning algorithm (Oja 1989) to enable further tuning of the weights (see below). An expert system is modeled as knowledge from a human expert (in this case, an expert of the power grid). The impact of each node on the connected/next nodes can be measured relatively correctly, but the accuracy declines as the impact of the nodes increases. Thus, expert knowledge can view only one-step-ahead impacts but cannot accurately depict the overall wide impacts of

Fig. 3 A simple illustration of FCM with vertices and nodes

nodes. Based on this, in our work we initialize the weight of the FCM with support of the MOC structure, where we select weights that accurately indicate the nodes and further enable the MOC structure to have influence over these nodes, adjust the initial weight using centrality of vertices supported by the MOC structure, and then use Hebbian learning algorithm to automatically perform further tuning of the weights (see below). We now present the FCM representations of CRSA . Due to the complex nature of operations and connections among components in the Energy Internet, we present a new general FCM formalization of CRSA in Eq. (8) and Eq. (9) to support the representation of CRSA . ⎧ n  ⎪

j (t+p−1) Wj i , ⎪ A ⎪ ⎪ ⎪ ⎨j =1,j =i n 

i (t+p) = (t+p−1) A

j (t+p−1) Wj i , Ai + A ⎪ ⎪ ⎪ j =1,j =i ⎪ ⎪ ⎩(t+p) A i

i (t+p) < 0.25 p = 0; 0 < A

i (t+p) < 0.75 p > 0; 0.25 ≤ A otherwise (8)

Given that (t+p) A i

⎧ n  ⎨A (t+p−1) + 2 (t+p−1) Wj i , A i i = j =1,j =i ⎩ p=1

 p > 0; 0.75 ≤ A i

(t+p)

≤1

otherwise (9)

i is value of node Ni at time t + p (where p belongs to a set of ordered where A

j (t+p−1) is value of node Nj at time t + p − 1, Wji is weight of finite numbers), A i (t+p) is value of node Ni at interconnection between node Nj and node Ni , and A time t + p. Let the Modeling, Observing, and Control layers of CRSA be CRSA. M , CRSA. O , i (t+p) with the conditions and CRSA. C , respectively. Firstly, CRSA. M is designed as A (t+p) i (t+p) with i < 0.25. Secondly, CRSA. O is designed as A that p = 0 and0 < A i (t+p) < 0.75. Lastly, CRSA. C is designed as the conditions that p > 0 and 0.25 ≤ A (t+p) i (t+p) ≤ 1. According to Eqs. i with the conditions that p > 0 and 0.75 ≤ A A (8) and (9), we can see that CRSA. O depends on CRSA. M and then CRSA. C utilizes the combination of CRSA. O and CRSA. M ; thus each layer receives information from a lower layer, and the last layer performs the node (or component) control action. Based on this, CRSA is a layered structure for real-time situational awareness (see Sect. 6 for the application of CRSA ). We now present how CRSA shares information about the node control and other details of the node with CDVC as already mentioned in the introduction. CRSA uses the Status transaction to forward information regarding the status of the node (t+p)

(i.e., active or semi-active), the current value of the node at $0.75 \le A_i^{(t+p)} \le 1$, other values of the node at $A_i^{(t+p)} > 1$ and $p = 1$ for $A_i^{(t+p)}$, and number of times CRSA performed control on the node. Other information may include some false alarm and false reporting. If the status of the node is active, it shows that the component is always healthy. If the status of the node is semi-active, it shows that the number of times the component was healthy during observation (i.e., say $0.25 \le A_i^{(t+p)} < 0.75$) is equal to the number of times the component was unhealthy (i.e., $A_i^{(t+p)} > 1$). CRSA is presented in a flowchart as shown in Fig. 4. This figure depicts steps involved in CRSA and disclosing information to CDVC via the Status transaction. We present how CDVC handles the Status transaction in Sect. 4.2. Furthermore, note that since some operations in the power grid cannot be stopped or interrupted to avoid production loss and disrupting electricity supply, we model CRSA to understand this condition of the power grid. We say that for operations that cannot be interrupted, CRSA.C only resets processes that support components associated with such operations and then CRSA notifies CDVC about the behavior of the components. For example, in a scenario where temperature value of a component is showing a downtime pattern up to a level set by CRSA, the CRSA will automatically shut down some supporting processes of that component by resetting the temperature value according to Eq. (9). We now show the FCM training, i.e., weight initialization, weight adjustment, and weight tuning in our work.

• Weight initialization: Since CPS is built of the event log of a SCADA system, which comprises components in the Energy Internet, we first consider the format of a log entry represented as:

$$id_i,\; A_i^{(t)},\; id_j,\; A_j^{(t)},\; W_{ji} \tag{10}$$

where $id_i$ represents name (or identity) of source component Ni, $A_i^{(t)}$ represents (temperature) value of component Ni at time t, $id_j$ represents name (or identity) of destination component Nj, $A_j^{(t)}$ represents (temperature) value of component Nj at time t, and Wji is the weight of interconnection between component Nj and Ni. Without loss of generality, the selection of temperature value of the SCADA components to represent the type of value used in CRSA is done because the temperature is universally recognized as a reliability feature of components in the Energy Internet where observing and controlling temperature can increase the reliability of components of the Energy Internet. The behavior/state of the components is determined using the MOC structure and the values of the components as represented below:

Fig. 4 CRSA solution algorithm

$$C_{RSA.M},\; C_{RSA.O},\; C_{RSA.C} \tag{11}$$

$$\beta : A_i^{(t)} \times A_j^{(t)} \times W_{ji} \rightarrow \{true, false\} \tag{12}$$

where the function β encodes the state of the SCADA system by evaluating to true anytime the parameters used as input correspond to the event logs of the SCADA system. If the same entry is observed by the SCADA system, β will result in true. Otherwise, the entry needs to be corrected.

• Weight adjustment: We consider the centrality of vertices by applying the MOC structure to the SCADA system components and entire FCM environment.

$$\eta : A_i^{(t)} \times A_j^{(t)} \times W_{ji} \times C_{RSA.M} \times C_{RSA.O} \times C_{RSA.C} \tag{13}$$

where the function η represents the behavior/state of the SCADA system and MOC structure, and then their initial weights are adjusted based on the centrality of the vertices. Every component of the SCADA system can be dependent or independent of other connected components.

• Weight tuning: In our work, considering the criticality of the power grid as an automated system, we utilize the Hebbian learning approach for automated adjustment/tuning of weights in the power grid since the values of nodes can change after each iteration step. A general rule of this approach is given as (Wood and Gennert 1992):

$$\Delta W_{ji} = \gamma * z_j * z_i \tag{14}$$

where zj is an input vector, zi is an output vector, γ is the learning rate parameter, and ΔWji is the strength of the connection between zj and zi. According to Eq. (14), the strength of zi unto zj increases when zi repeatedly supports zj. To select the right value of the learning rate parameter, two factors are taken into consideration: (i) the influence of the learning rate parameter on the FCM structure and (ii) limiting the changes in the weight values to ±25% of their original weight values (Mohagheghi 2014). The overall objective is to avoid any possible instability in the weight values due to unexpected large input. After a preliminary analysis of using different values of the learning rate, we choose 0.1 as the learning rate value of our dataset since the value showed the best result for the CRSA.
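The FCM rule of Eqs. (6) and (7) and the Hebbian tuning of Eq. (14) with the learning rate 0.1 and the ±25% limit can be exercised together in the following added example, which is not code from the chapter. The three-node map, its weights and initial values, the sigmoid slope λ = 1, and the choice of node values before and after an FCM step as zj and zi are assumptions made for the illustration; `moc_layer` applies only the value ranges the chapter gives for the three layers and ignores p.

```python
import math

GAMMA = 0.1       # learning rate chosen in the chapter
MAX_DRIFT = 0.25  # tuned weights stay within +/-25% of their original value
LAMBDA = 1.0      # sigmoid slope; assumed, the chapter only requires lambda > 0


def sigmoid(a, lam=LAMBDA):
    """Eq. (7): unipolar sigmoid threshold function f."""
    return 1.0 / (1.0 + math.exp(-lam * a))


def fcm_step(values, weights):
    """Eq. (6). weights[j][i] holds W_ji, the influence of node j on node i."""
    n = len(values)
    return [
        sigmoid(values[i] + sum(values[j] * weights[j][i]
                                for j in range(n) if j != i))
        for i in range(n)
    ]


def hebbian_tune(weights, original, z_in, z_out, gamma=GAMMA):
    """Eq. (14) plus the +/-25% limit: W_ji += gamma * z_j * z_i, then clamp."""
    n = len(z_in)
    tuned = [row[:] for row in weights]
    for j in range(n):
        for i in range(n):
            base = original[j][i]
            if i == j or base == 0.0:
                continue  # no causal link between these nodes
            lo, hi = sorted((base * (1 - MAX_DRIFT), base * (1 + MAX_DRIFT)))
            candidate = weights[j][i] + gamma * z_in[j] * z_out[i]
            tuned[j][i] = min(max(candidate, lo), hi)
    return tuned


def moc_layer(value):
    """Value ranges the chapter assigns to Modeling, Observing and Control."""
    if 0 < value < 0.25:
        return "Modeling"
    if 0.25 <= value < 0.75:
        return "Observing"
    if 0.75 <= value <= 1:
        return "Control"
    return "out of range"


def simulate(values, weights, steps):
    """Alternate an FCM step with one Hebbian tuning pass."""
    original = [row[:] for row in weights]
    for _ in range(steps):
        nxt = fcm_step(values, weights)
        weights = hebbian_tune(weights, original, values, nxt)
        values = nxt
    return values, weights


# Constructed three-node map: Sensor1 -> RTU1 -> MTU, with feedback RTU1 -> Sensor1.
NODES = ["Sensor1", "RTU1", "MTU"]
W0 = [[0.0, 0.6, 0.0],
      [-0.3, 0.0, 0.5],
      [0.0, 0.0, 0.0]]
A0 = [0.9, 0.3, 0.1]  # constructed, normalised temperature values

if __name__ == "__main__":
    final_values, final_weights = simulate(A0, W0, steps=20)
    for name, v in zip(NODES, final_values):
        print(f"{name}: {v:.3f} -> {moc_layer(v)}")
```

The clamp is what keeps a single unexpectedly large reading from destabilising the map: an input of 50 on a link of weight 0.4 would otherwise push the weight to 5.4, but it stops at 0.5.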

4.2 Distributed Value Chain Framework CDVC

In this section, we present CDVC, which contains some essential features such as CDVC transactions, miners, and local blockchains. Note that the miners are segments of the distributed value chain. These features are inspired by the criticality and transparency of blockchain technologies and the urgent need for reliable and adequate electricity supply in the developing countries. A simple description of all segments of CDVC is illustrated in Fig. 5. This figure shows that each segment of CDVC is a miner with a local blockchain, and it uses CDVC transactions via CyreumE-CP.

Fig. 5 A simple description of all segments of CDVC in CyreumE [diagram: the segments (gas suppliers, Gencos, Discos, service providers, transmission company, regulator, trading company, and others, including customers representative) are each a miner with a local private blockchain, adding new blocks/sets of transactions and using CDVC transactions via CyreumE-CP]

Furthermore, CDVC has several features that distinguish it from the existing power grid value chain typically considered in the literature. First, CDVC never directly sends transactions to a single segment of the distributed value chain. This is an important feature, as all segments are aware of the activities in the power grid, which enhances operational efficiency and simplifies transparency across the distributed value chain. Second, unlike most existing power grid value chains, CDVC makes it possible to send secure and efficient broadcast transactions across the distributed value chain using CyreumE-CP. Lastly, the privacy of transactions is provided in CDVC such that a segment’s transactions cannot be disclosed to other segments unless the segment sends the transactions, and also all the segments’ transactions cannot be disclosed to any participants outside the value chain.

We now present CDVC transactions and then describe how local blockchains and miners use CDVC transactions.

• CDVC Transactions: Recall from Sect. 1 that data communications between components are known as transactions, which are secured using shared secret session keys to provide integrity, confidentiality, and authenticity of data. There are different types of transactions in CDVC, and each is designed for a function related to increasing operational efficiency in the Energy Internet and providing an efficient decision-making solution across the distributed value chain.
These transactions are generated by the segments of CDVC, and they include:

(i) Status Control (SC) transactions – to initiate nonoperational actions (see below for definition of nonoperational actions)
(ii) Share transactions – to share data
(iii) Store transactions – to store data
(iv) Access transactions – to access specific data
(v) Request transactions – to request for specific data
(vi) Monitor transactions – to monitor a particular data
(vii) Investment transactions – to provide potential investment opportunities
(viii) Funding transactions – to request for funding
(ix) Add transactions – to add a new user (e.g., potential investor) under the requestor’s segment or the entire CDVC (i.e., a segment of CDVC that is introducing a potential investor will be responsible for adding the potential investor to the Energy Internet blockchain (or CDVC) after approval by more than half of the segments of CDVC)
(x) Remove transactions – to remove an existing user
(xi) Upgrade transactions – to upgrade an existing infrastructure/component
(xii) Replace transactions – to replace an obsolete component with a new one
(xiii) New transactions – to introduce a new component
(xiv) Penalized transaction – to penalize a segment of CDVC which attempts to avoid processing a certain transaction
(xv) Other transactions – to request for other unspecified transactions related to enhancing operational efficiency, providing efficient decision-making, and making available funding and investment opportunities, to name a few
(xvi) Approve transactions – to accept any of the aforementioned transactions as well as result (or decision) from CRDM
(xvii) Disapprove transactions – to reject any of the aforementioned transactions (excluding the “Approve transactions”) as well as result from CRDM
(xviii) Publish transactions – to publish validated transactions

Note that all the aforementioned transactions use CyreumE-CP for secure and efficient communication. Furthermore, we conduct an experiment using the IEEE 802.15.4 wireless sensor module to compute lightweight cryptographic operations such as SHA-256 cryptographic hash algorithm to detect any changes in transactions during transmission (see Table 6 for details and results of our experiments).

Note that (i) nonoperational action (or decision-making) represents an action that does not directly influence operations of components in the Energy Internet, i.e., a segment of CDVC is required to initiate a transaction, and thus this represents a semiautomated action; (ii) operational action represents an action that directly influences operations of components, i.e., a segment of CDVC is not required to initiate a transaction, and thus this presents an automated action that is automatically presented to CDVC by CRDM; and (iii) nonoperational action is initiated either when the status of components is semi-active (see Sect. 4.1 for details of semi-active status of components) or a segment of CDVC wants to perform nonoperational action.

• Local Blockchain: In each segment of the CDVC, a local blockchain is available to keep track of all transactions. Each segment’s approved transactions are connected in the blockchain. In the local blockchain, each block (i.e., several transactions) has one header called a block header as shown in Fig. 6.
The block header contains the hash of the previous block to maintain immutability of the blockchain, and as shown in the figure, the block header has six parameters: (i) previous transaction identifier (PID), which refers to the identifier (ID) of the preceding transaction performed by the owner of the new transaction; (ii) owner ID (OID), which refers to the ID of the owner of the new transaction; (iii) transaction ID (TID), which refers to the ID of the new transaction; (iv) validator ID (VID), which refers to the ID of the miner that validates the (approved) transaction (this is the same as the SID); (v) transaction type (TTY), which refers to the type of transaction (see above); and (vi) approval rate (APP), which refers to the percentage of miners that approved the transaction.

Table 6 Computation time of cryptographic operations

Operation | Computation time of CM5000 wireless sensor node
AES 128 bits symmetric encryption | 1.73 msec
AES 128 bits symmetric decryption | 1.70 msec
SHA-256 cryptographic hash algorithm | 9.26 msec

Fig. 6 Sample of transactions structure and local blockchain of CDVC of the Energy Internet
[Sample transactions structure, with the fields Previous Transaction ID (PID), Owner ID (OID), Transaction ID (TID), Validator ID (VID), Transaction Type (TT), and Approval Rate (APP): PID-38 (Access), OID-2 (Transmission Company), TID-14, VID-2 (Transmission Company), APP-92%; and PID-75 (Funding and Investment), OID-4 (Genco), TID-122, VID-4 (Genco), APP-98%. Transaction types: TT-1 (Share), TT-2 (Store), TT-3 (Access), TT-4 (Request), TT-5 (Monitor), TT-6 (Investment), TT-7 (Funding), TT-8 (Add).
Sample local blockchain held by a miner: Block 1 with a block header and the transactions 38: 2: 14: 2: 1: 92, 75: 4: 122: 4: 6: 98, 12: 9: 156: 9: 9: 55, 68: 8: 14: 8: 1: 76, and 56: 7: 101: 7: 6: 52; Block 2 with a block header and the transactions 38: 2: 14: 2: 1: 92, 75: 4: 122: 4: 6: 98, and 12: 9: 156: 9: 9: 55.]

• Miners: Unlike other blockchain technologies, each segment of the distributed value chain in CyreumE is a miner that either accepts or rejects transactions on the blockchain network. These transactions are open to all the segments of the distributed value chain (i.e., in this case, the miners) on the network. Each miner uses the Approve and Disapprove transactions to accept or reject other transactions, respectively, from other segments of the distributed value chain. If more than half of the miners approve a transaction, the (approved) transaction will be validated and published (via CyreumE-CP) as a validated transaction to the entire network by the miner that owns the asset related to the transaction, and then each miner will verify the transaction and add the validated transaction to its immutable distributed ledger. For example, if a transaction is related to a Genco’s SCADA system, the miner/owner of the SCADA system is the Genco; hence, the Genco (in this case, a miner) is responsible for validating and publishing the transaction. Using the owner for validating transactions related to the owner’s components helps to achieve control over CDVC transactions. Furthermore, if this transaction is not approved (i.e., more than half of the segments of CDVC disapprove the transaction), each miner will see that the transaction is not approved (i.e., it is not valid). This means that the transaction cannot be validated by the owner of the transaction, so it will not be added to the ledger and thus will not be a part of the chain. All approved transactions are linked together as an immutable distributed ledger, which is a chain of transactions that are open and public to all miners on the network, and all the miners can decide whether a transaction has been approved (i.e., it is valid) or not.

Every miner has a copy of the distributed ledger, which means that all the copies of the distributed ledger must be synchronized in the network to make sure that all the miners have the same version of the distributed ledger. Figure 7 presents the CyreumE consensus process that shows how the copies of the ledger are synchronized in the network. Note that since CyreumE-CP is a secure broadcast communication paradigm, all transactions are broadcast on the entire network, and thus every miner sees the transactions.

Suppose a segment of CDVC (say, a Disco) sends a transaction (say, TID: 814) to the network using the consensus process. Note that this transaction is not yet an approved or valid transaction, i.e., it is not yet in the ledger. Unlike the concept of blockchain where miners will compete to validate transactions and add them to the ledger for a financial reward, all miners in our work will need to approve or disapprove the transaction (without a need for any significant computational power and time investment). If more than half of the segments of the distributed value chain (or miners) approve the transaction, which is automatically broadcast on the network, the Disco will need to validate the (approved) transaction via “Publish transactions” by using a new broadcast secret session key to add/lock the (approved) transaction to the previous (approved) transaction in its own ledger and publish the (approved) transaction and a pointer to the new broadcast secret session key to the network. Then, all other segments will see that the (approved) transaction has been validated by the owner of the transaction and will immediately verify the (approved) transaction and add it to their ledger if the verification succeeds. We have a security guarantee if the verification succeeds with the support of the session key.
Thus, this process of synchronizing the ledger ensures that the ledger across the segments of CDVC is synchronized. Note that (i) for every disapproved transaction, its TID cannot be used again in CRDM; (ii) every segment has the same copy of “Block 1” presented in Fig. 7, where A is the previous hash of a block, B is the index that represents the position of the current block, C indicates the time when the block was generated, D is the number of transactions in a block, and E represents all the transactions in a block; (iii) since the shared secret session keys used for securing the transactions as well as the session key for adding the (approved) transaction to the ledger are usually short-lived, every segment of the value chain is required to respond to every (sent) transaction before the session keys expire to avoid being penalized, thus guaranteeing a real-time response by our architecture and mitigating the delay in reaching consensus or gossiping in the value chain; and (iv) unlike Bitcoin, where computational power and time are invested to find the fresh key, which is random, and the miners are repeatedly guessing until they find the right fresh key associated with the transaction for a financial reward, our solution only requires the owner (say, a Genco denoted as $C^{5}_{DVC}$ in CDVC) of the transaction to generate a new broadcast shared secret session key for the entire segments with the help of CyreumE-CP, which meets the latency requirement of the power grid (see below).

Fig. 7 CyreumE consensus process [diagram: (1) a segment sends a transaction (say, TID: 814); (2) the other segments approve the transaction (TID: 814); (3) the transaction (TID: 814) is validated after it has been approved by more than half of the segments, and the (approved) transaction and a pointer to a secret session key are then published. Block 1 fields: A: previous hash via SHA-256; B: index; C: timestamp; D: number of transactions; E: transactions (814 and PIDs)]
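The approval, publication and synchronization steps of Fig. 7, together with the rule that a decided TID cannot be used again, are shown below as an added example; it is not the authors' implementation. It assumes that votes are plain booleans and that a segment which does not approve counts as disapproving; the segment IDs, timestamps and block hash encoding are constructed, and the CyreumE-CP session-key protection of each message is left out.

```python
"""Majority-approval ledger modelled on the CDVC consensus process.

Added illustration. Assumptions: boolean votes, constructed segment IDs and
timestamps, no CyreumE-CP session keys; rows follow Fig. 6 (PID:OID:TID:VID:TT:APP).
"""
import hashlib
from dataclasses import dataclass

GENESIS = "0" * 64

@dataclass(frozen=True)
class Tx:
    pid: int   # ID of the owner's preceding transaction
    oid: int   # owner ID
    tid: int   # transaction ID
    vid: int   # validator ID (the owner validates its own transaction)
    tty: int   # transaction type, e.g. 1 = Share, 6 = Investment
    app: int   # approval rate in percent

    @classmethod
    def parse(cls, row):
        return cls(*(int(part) for part in row.split(":")))

    def encode(self):
        return ":".join(map(str, (self.pid, self.oid, self.tid,
                                  self.vid, self.tty, self.app)))

def block_hash(prev_hash, index, timestamp, txs):
    """SHA-256 over fields A-E of Fig. 7 (D is the transaction count)."""
    fields = [prev_hash, str(index), str(timestamp), str(len(txs))]
    fields += [tx.encode() for tx in txs]
    return hashlib.sha256("|".join(fields).encode()).hexdigest()

class Ledger:
    """One miner's local copy of the chain."""

    def __init__(self):
        self.blocks = []

    def append(self, timestamp, txs):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        index = len(self.blocks) + 1
        self.blocks.append({"prev": prev, "index": index, "time": timestamp,
                            "txs": list(txs),
                            "hash": block_hash(prev, index, timestamp, txs)})

    def verify(self):
        """Recompute every hash; any edited field breaks the chain."""
        prev = GENESIS
        for b in self.blocks:
            expected = block_hash(b["prev"], b["index"], b["time"], b["txs"])
            if b["prev"] != prev or b["hash"] != expected:
                return False
            prev = b["hash"]
        return True

class ValueChain:
    """All segments (miners) and the more-than-half approval rule."""

    def __init__(self, segment_ids):
        self.ledgers = {sid: Ledger() for sid in segment_ids}
        self.decided = set()   # TIDs already approved or disapproved

    def submit(self, pid, oid, tid, tty, votes, timestamp):
        """votes maps segment ID to True (Approve) or False (Disapprove)."""
        if tid in self.decided:
            return "rejected: TID already decided"
        if oid not in self.ledgers or set(votes) - set(self.ledgers):
            return "rejected: unknown segment"
        self.decided.add(tid)
        approvals = sum(1 for ok in votes.values() if ok)
        if 2 * approvals <= len(self.ledgers):   # needs more than half
            return "disapproved"
        rate = 100 * approvals // len(self.ledgers)
        tx = Tx(pid, oid, tid, oid, tty, rate)   # VID equals OID
        for ledger in self.ledgers.values():     # publish to every miner
            ledger.append(timestamp, [tx])
        return "published"

    def synchronized(self):
        copies = list(self.ledgers.values())
        heads = {c.blocks[-1]["hash"] if c.blocks else GENESIS for c in copies}
        return len(heads) == 1 and all(c.verify() for c in copies)

def demo():
    chain = ValueChain(range(1, 10))                   # nine segments
    most = {sid: sid != 3 for sid in range(1, 10)}     # 8 of 9 approve
    few = {sid: sid <= 4 for sid in range(1, 10)}      # 4 of 9 approve
    results = [chain.submit(38, 5, 814, 1, most, 1),   # published
               chain.submit(38, 5, 814, 1, most, 2),   # replayed TID
               chain.submit(814, 5, 815, 7, few, 3),   # disapproved
               chain.submit(814, 5, 815, 7, most, 4)]  # TID-815 is spent
    before = chain.synchronized()
    # One miner edits the approval rate in its own copy: verification fails.
    chain.ledgers[2].blocks[0]["txs"][0] = Tx.parse("38: 5: 814: 5: 1: 100")
    return results, before, chain.synchronized()

if __name__ == "__main__":
    print(demo())
```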

We now present the performance evaluation of CyreumE-CP in CyreumE. The size of a transaction, ST, (in bits) from CRSA to CDVC is expressed as:

ST = MPT + SPT    (15)

where MPT is the message payload in the power grid and SPT is a security parameter added to enhance the security of the data packet. The minimum MPT of many smart grid applications is 28 bytes (Al-Ali and Aburukba 2015), and the security parameter utilized in this work is an Advanced Encryption Standard (AES)-128 bits key. Without loss of generality, we use these parameters in our simulation to ensure that CyreumE-CP meets the latency requirement of the power grid. We perform some experiments using the IEEE 802.15.4 Tmote Sky (temperature, humidity, and light) sensor in the network embedded systems C (nesC) programming language (Gay et al. 2014) to determine the computation time of the cryptographic operations that we utilize in this work. These computation times will allow us to realistically determine the latency of CyreumE as well as the computation time of cryptographic operations in CDVC. According to our experiment, as shown in Table 6, the computation times of AES 128 bits symmetric encryption and decryption are 1.73 and 1.70 msec, respectively.

We now present the latency of CyreumE-CP in CyreumE of the power grid. As presented in Sect. 1, the latency requirements of many technologies and applications in the smart grid range from 4.5 msec to 5 sec. Using NS-3 (Consortium 2015), we model CyreumE-CP as a UDP/IP network with a data rate of 100 Mbps for broadcast communication, while the data rate of the Tmote Sky sensor is 250 Kbps. The minimum size of a message is 673 bits. The latency of CyreumE-CP is given by the sum of packetization delay at a sender, packetization delay at the receiver, and propagation delay (i.e., the time taken to deliver the message from the sender to receiver by the network). The approximate latency of CyreumE-CP is given as 18.251 msec. Note that the latency value is the same even as the number of segments increases in CDVC. This is because transactions are directly broadcast to all segments and no segment acts as a broadcast route to other segments; thus, the increment in the number of segments or miners does not affect the latency value. Based on these, our result is consistent with the power grid latency requirements as presented above. In general, this result also applies to all other transactions between CDVC and CRDM as well as all transactions in CDVC.

Furthermore, CDVC guarantees the following security requirements.

• Independent privacy. Each segment does not see other segments’ transaction computations before using CyreumE-CP on their own. This way, computations of transactions by segments of the distributed value chain are independent of others’ transaction computations.
• Advanced privacy. If the miner does not disclose information/transactions, the transaction computations are kept private from others.
• Security against a dishonest segment. A dishonest segment of CDVC cannot affect the outcome of the processes from CRSA and CRDM as well as transactions in CDVC since we ensure authenticity against a dishonest segment using transactions as well as CyreumE-CP.
• Fairness among segments. Segments may attempt to avoid processing a transaction and validating and publishing a transaction or prematurely abort a transaction.
If any of these happen, the segment involved will be financially penalized, while the remaining segments receive compensation. In Andrychowicz et al. (2014), fairness for honest parties is guaranteed irrespective of the loser behavior.

We now present handling of the Status transaction by CDVC. Based on the Status transaction, CDVC initiates the nonoperational decision-making process using an SC transaction. CDVC sends the SC transaction to CRDM for decision-making on the hierarchy of the nonoperational tasks to be performed. Now, CRDM sends the result to CDVC using the SCDM transaction for approval or disapproval by each segment of CDVC (see next section for more details of the SCDM transaction). Based on this, we say that for every nonoperational task across the power grid value chain, SC and SCDM transactions from CDVC and CRDM, respectively, are required by each segment of CDVC for review before approving or disapproving a Status transaction. Note that the Status transaction has a TID that links it to SC and SCDM transactions, thereby linking all these (sub) transactions to the (main) Status transaction. Thus, for every Status transaction (say, with a TID-815), an SC for TID-815 and an SCDM for TID-815 are required for easy identification and linkage of transactions across CyreumE. We show how the Status transaction is used for operational decision-making in Sect. 6.

4.3 The Real-Time Decision-Making Process CRDM

We present our CRDM for the distributed value chain. As already mentioned in the introduction, CRDM is based on the fuzzy analytical hierarchical process (F-AHP). It is inspired by the following: (i) enhancing the decision-making process across the existing value chain of the power grid, (ii) improving operational efficiency in the power grid, and (iii) providing a platform that can attract funding and investment opportunities for the power sector. For example, for nonoperational decision-making, replacing obsolete infrastructure with new ones will require making decisions on certain metrics such as reason of replacement (R), time of replacement (T), cost of replacement (C), knowledge required for replacement (K), and impact of replacement on the power grid (I). An approach for organizing and prioritizing these metrics is required to understand their importance and use across the distributed value chain. Unlike most decision-making solutions in the literature (see Sect. 7), CRDM ensures that these metrics are organized hierarchically, and it further helps to find the best real-time decision among several alternatives in the power grid.

We briefly recall the F-AHP before describing CRDM. Hierarchy levels in AHP include objective (first level), criteria (second level), sub-criteria (third level), and alternatives (fourth level). Pairwise comparisons of both criteria and alternatives by triangular numbers are represented as F-AHP (Chang 1996). We adopt Buckley’s method (Buckley 1985) to assist us in determining the relative weights for both the criteria and the alternatives, and to adequately represent, interpret, and report our F-AHP results. Thus, our overall steps are regarded as CRDM. We now describe CRDM by presenting the overall steps as shown below.

• Step 1: Based on the fuzzy logic approach, CRDM represents linguistic terms and their corresponding triangular numbers in Table 7. According to this table, if the decision-maker states “Criterion 2 (C2) is equally important than Criterion 3 (C3),” then it takes the fuzzy triangular scale as (1, 1, 1). In pairwise contribution matrices of the criteria as represented in AHP, comparison of C3 to C2 will take the fuzzy triangular scale as (1/4, 1/3, 1/2). Then, the pairwise contribution matrices are given by:

$$\tilde{X}^{kc} = \begin{bmatrix} \tilde{a}_{11}^{kc} & \cdots & \tilde{a}_{1n}^{kc} \\ \vdots & \ddots & \vdots \\ \tilde{a}_{n1}^{kc} & \cdots & \tilde{a}_{nn}^{kc} \end{bmatrix} \qquad (16)$$

where $\tilde{a}_{ij}^{kc}$ represents the kc-th decision-maker’s preference of the ith criterion over the jth via the triangular numbers.

Table 7 Linguistic terms and their triangular numbers

Scale | Description | Triangular numbers
1 | Equal importance between two elements (EI) | (1,1,1)
3 | One element is weakly important than the other (WI) | (2,3,4)
5 | One element is fairly important than the other (FI) | (4,5,6)
7 | One element is strongly more important than the other (SI) | (6,7,8)
9 | One element is absolutely more important than the other (AI) | (9,9,9)
2 | The intermediate value between two nearby scales | (1,2,3)
4 | The intermediate value between two nearby scales | (3,4,5)
6 | The intermediate value between two nearby scales | (5,6,7)
8 | The intermediate value between two nearby scales | (7,8,9)

• Step 2: Through Eq. (17), the preferences $\tilde{a}_{ij}^{kc}$ of each decision-maker are averaged and computed by CRDM if there is more than one decision-maker:

$$\tilde{a}_{ij} = \frac{\sum_{i=0}^{kc} \tilde{a}_{ij}^{k}}{Kc} \qquad (17)$$

Furthermore, based on the averaged preferences, CRDM updates the pairwise contribution matrix as follows:

$$\tilde{X} = \begin{bmatrix} \tilde{a}_{11} & \cdots & \tilde{a}_{1n} \\ \vdots & \ddots & \vdots \\ \tilde{a}_{n1} & \cdots & \tilde{a}_{nn} \end{bmatrix} \qquad (18)$$

• Step 3: CRDM calculates the geometric mean $\tilde{g}_i$ of the fuzzy comparison values of each criterion:

$$\tilde{g}_i = \left( \prod_{j=1}^{n} \tilde{a}_{ij} \right)^{1/n}, \quad i = 1, 2, \ldots, n \qquad (19)$$

• Step 4: In this step, CRDM calculates the fuzzy weights of each criterion and replaces the triangular numbers in increasing order. Then, it derives the weight of criterion i via multiplying each g˜ i with its reverse vector g  vi .


w i = g˜ 1 × g  v 1 ; g˜ 2 × g  v 2 ; g˜ 3 × g  v 3 ; . . . ; g˜ n × g  vn

(20)

• Step 5: Since $\tilde{w}_i$ is still a triangular number, CRDM uses the method proposed by Chou and Chang (2008) to calculate the non-fuzzy weight of each criterion from $\tilde{w}_i$ as follows (i.e., the fuzzy triangular numbers need to be de-fuzzified):

$$M_i = \frac{\sum_{i=1}^{n} \tilde{w}_i}{n} \qquad (21)$$

• Step 6: CRDM normalizes the calculated $M_i$ of each criterion:

$$N_i = \frac{M_i}{\sum_{i=1}^{n} M_i} \qquad (22)$$

• Step 7: CRDM uses this step for only the “alternatives.” Then, it calculates the scores of each alternative by multiplying each alternative’s normalized weight $AN_i$ with $N_i$:

$$S_i = \sum_{i=1}^{n} N_i \, AN_i \qquad (23)$$

Thus, CRDM considers the largest score as the best alternative. Other scores are ranked accordingly, i.e., as a second-best alternative, third-best alternative, etc. depending on the number of alternatives in the F-AHP.

• Step 8: As shown in Table 8, CRDM presents the F-AHP scores as CRDM results classification, which consists of CRDM level, CRDM degree, and range of CRDM values.

• Step 9: CRDM uses decision-making transactions to send the result to CDVC. The decision-making transactions are of two types: (i) the SCDM transaction for sending the result of nonoperational decision-making for a received SC transaction and (ii) the SDM transaction for sending the result of operational decision-making for every Status transaction in CDVC. Approving or disapproving of every result is done by each segment of CDVC after receiving the SCDM transaction and the SDM transaction for nonoperational decision-making and operational action, respectively.

Table 8 CRDM results classification

Level of CRDM | Degree of CRDM | Range of CRDM values
Level 4 | Excellent | 0.75 ≤ Si ≤ 0.99
Level 3 | High | 0.50 ≤ Si ≤ 0.74
Level 2 | Medium | 0.25 ≤ Si ≤ 0.49
Level 1 | Low | 0.00 ≤ Si ≤ 0.24

We now show how the Status transaction is utilized for operational tasks. These tasks are required to be fully automated using CRSA and CRDM, and then CDVC will approve or disapprove the result to be executed. To initiate operational tasks on behalf of the component, CRDM uses the Status transaction available in CDVC for decision-making. The operational tasks include, but are not limited to, component replacement, upgrade, service, inspection, and repair based on the status information sent from CRSA to CDVC. Then, CRDM sends the result of the operational decision-making to CDVC using an SDM transaction for approval or disapproval. Based on this, we also say that for every operational decision-making across the distributed value chain, Status and SCM transactions from CRSA and CDVC, respectively, are required by each segment of CDVC for review before approving or disapproving a Status transaction. For every Status transaction (say TID-815), we have an additional (sub) transaction SDM of TID-815 for linking of transactions across CyreumE. In general, we say that for every (main) Status transaction (again say TID-815), we have (sub) transactions SC of TID-815, SCDM of TID-815, and SDM of TID-815 for enhancing operational efficiency and efficient decision-making.

CyreumE is presented in Fig. 8. This figure shows that both operational and nonoperational decision-making can be performed efficiently via the Status transaction, thereby enhancing the operational efficiency and decision-making in the power grid. Note that other transactions in CDVC are also used to enhance operational efficiency and decision-making (see Sect. 4.2 for full details of other CDVC transactions).
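Steps 1 to 8 of CRDM can be followed end to end in the added example below, which ranks three of the operational tasks named above against three of the replacement metrics; it is not the authors' code. It assumes that the "reverse vector" of Step 4 is the inverse of the summed geometric means taken in increasing order (the usual form of Buckley's method), that Step 5 averages the three components of each fuzzy weight, and that all judgments are constructed sample input.

```python
"""Fuzzy AHP (Buckley's method) for ranking alternatives, Steps 1-8 above.

Added illustration. Assumptions: Step 4 multiplies each geometric mean by the
inverse of their sum (in increasing order), Step 5 averages the three
components of a fuzzy weight, and every judgment below is constructed.
"""
from math import prod

SCALE = {"EI": (1, 1, 1), "WI": (2, 3, 4), "FI": (4, 5, 6),
         "SI": (6, 7, 8), "AI": (9, 9, 9)}                    # Table 7
LEVELS = [(0.75, 4, "Excellent"), (0.50, 3, "High"),
          (0.25, 2, "Medium"), (0.00, 1, "Low")]               # Table 8


def reciprocal(t):
    low, mid, up = t
    return (1 / up, 1 / mid, 1 / low)


def build_matrix(names, judgments):
    """Step 1. judgments[(a, b)] = 'WI' means a is weakly more important than b."""
    matrix = []
    for a in names:
        row = []
        for b in names:
            if a == b:
                row.append((1.0, 1.0, 1.0))
            elif (a, b) in judgments:
                row.append(tuple(float(x) for x in SCALE[judgments[(a, b)]]))
            else:
                row.append(reciprocal(SCALE[judgments[(b, a)]]))
        matrix.append(row)
    return matrix


def average(matrices):
    """Step 2: element-wise mean over the decision-makers' matrices."""
    k, n = len(matrices), len(matrices[0])
    return [[tuple(sum(m[i][j][c] for m in matrices) / k for c in range(3))
             for j in range(n)] for i in range(n)]


def weights(matrix):
    """Steps 3-6: geometric means, fuzzy weights, crisp weights, normalisation."""
    n = len(matrix)
    g = [tuple(prod(cell[c] for cell in row) ** (1 / n) for c in range(3))
         for row in matrix]
    total = [sum(gi[c] for gi in g) for c in range(3)]
    inverse = (1 / total[2], 1 / total[1], 1 / total[0])   # increasing order
    crisp = [sum(gi[c] * inverse[c] for c in range(3)) / 3 for gi in g]
    return [m / sum(crisp) for m in crisp]


def scores(criteria_weights, alt_weights_per_criterion):
    """Step 7: S_a = sum over criteria i of N_i * AN_i(a)."""
    count = len(alt_weights_per_criterion[0])
    return [sum(n_i * an_i[a] for n_i, an_i
                in zip(criteria_weights, alt_weights_per_criterion))
            for a in range(count)]


def classify(score):
    """Step 8 / Table 8, applied to the score rounded to two decimals."""
    s = round(score, 2)
    for floor, level, degree in LEVELS:
        if s >= floor:
            return level, degree
    raise ValueError("score must be non-negative")


def rank_replacement_options():
    criteria = ["C", "T", "I"]            # cost, time, impact (from the text)
    options = ["replace", "upgrade", "repair"]
    # Two constructed decision-makers compare the criteria.
    dm1 = build_matrix(criteria, {("I", "T"): "WI", ("I", "C"): "SI",
                                  ("T", "C"): "WI"})
    dm2 = build_matrix(criteria, {("I", "T"): "WI", ("I", "C"): "FI",
                                  ("T", "C"): "EI"})
    n = weights(average([dm1, dm2]))
    # Constructed judgments of the options: repair wins on cost only.
    cheap_first = {("repair", "replace"): "SI", ("repair", "upgrade"): "WI",
                   ("upgrade", "replace"): "WI"}
    durable_first = {("replace", "repair"): "SI", ("replace", "upgrade"): "WI",
                     ("upgrade", "repair"): "WI"}
    per_criterion = [weights(build_matrix(options, j))
                     for j in (cheap_first, durable_first, durable_first)]
    ranked = sorted(zip(options, scores(n, per_criterion)), key=lambda p: -p[1])
    return [(name, round(s, 3), classify(s)) for name, s in ranked]


if __name__ == "__main__":
    for name, s, (level, degree) in rank_replacement_options():
        print(f"{name:8s} S = {s:.3f}  Level {level} ({degree})")
```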

5 Security Analysis

In this section, CyreumE is analyzed from theoretical security analysis and explanations to show that it is resilient against various security attacks. A proposition is presented to show the security analysis of CyreumE.

Proposition 1 CyreumE is resilient against impersonation attack, replay attack, man-in-the-middle attack, and denial of service attack.

Proof

(a) Impersonation attack: In this attack, an adversary can masquerade as a legitimate component or segment of the value chain. In CyreumE, all components and segments are registered with the ERII before deployment. If an adversary impersonates a segment $C^{1}_{DVC}$ for registration and identity issuing, the ERII uses the issued $ID_{C^{1}_{DVC}}$ to check whether $C^{1}_{DVC}$ has been registered before. Once the validity is checked, the adversary will be prevented from impersonating $C^{1}_{DVC}$. Furthermore, the use of MSK2 and Ek1 for every transaction supports the prevention of the adversary from impersonating $C^{1}_{DVC}$. Thus, the adversary cannot impersonate any legitimate segment (or component).

(b) Replay attack: In CyreumE, this attack can be prevented by using $ID_{C^{1}_{DVC}}$ and TID. Suppose an adversary has any of the transmitted transactions and repeatedly sends them to the other segments. In CyreumE, TID cannot be replayed since (i) it has been accepted/rejected, and (ii) it is supported by the presence of the $ID_{C^{1}_{DVC}}$. Thus, replayed transactions will not be accepted and will be ignored by the other segments.

(c) Man-in-the-middle attack: In CyreumE, MSK2 has been utilized to prevent this attack. Suppose the adversary can obtain $ID_{C^{1}_{DVC}}$. MSK2 cannot be changed because the adversary does not have k2. Thus, genuine transactions cannot be created by the adversary. Furthermore, the man-in-the-middle attack is also prevented by verifying received transactions.

(d) Denial of service attack: In this attack, the adversary enters $ID_{C^{1}_{DVC}}$ or $C^{1}_{DVC}$ enters an incorrect $ID_{C^{1}_{DVC}}$. If this happens, the $ID_{C^{1}_{DVC}}$ entered by the adversary or the incorrect $ID_{C^{1}_{DVC}}$ entered by $C^{1}_{DVC}$ cannot be verified by the other segments; thus the denial of service attack is prevented from the adversary or $C^{1}_{DVC}$.

Fig. 8 Status transaction solution algorithm in CyreumE [flowchart: information regarding the status of a component is prepared and sent using a Status transaction (say, TID-815), which is then received; the branch "Operational decision-making?" leads either to a Status Control (SC) transaction for nonoperational decision-making for TID-815, whose result is sent using a Status Control Decision-Making (SCDM) transaction, or to operational decision-making for TID-815, whose result is sent using a Status Decision-Making (SDM) transaction]

Note that although CyreumE is proved to be resilient against various security attacks, unknown attacks that cannot be anticipated may cause disruption in CyreumE, and, thus, we assume that CyreumE cannot continue if any unknown attack disrupts its execution.

6 Case Studies

In this section, we carry out two case studies to demonstrate the usefulness of our architecture in the Nigerian power sector. These case studies include (i) analyzing the technical challenges associated with Gencos and Discos as a result of unavailability of operational data/reliability issues of the power grid in real time and ATC&C losses, respectively, and then using our architecture to provide an effective real-time solution that makes available real-time operational data, prevents reliability issues, and mitigates ATC&C losses in real time and (ii) analyzing the nontechnical challenge of disputes across the existing power grid value chain, and then also using our architecture to provide an effective real-time solution that prevents and resolves disputes in real time. Both solutions are meant to increase the reliability and availability of electricity supply in Nigeria.

6.1 Impact of Failures on SCADA System: Generation (Lack of Real-Time Availability of Operational Data/Reliability Issues) and Distribution (ATC&C) Losses

In this case study, we use the real-world dataset of leading Genco and Disco in Nigeria to capture the actual behavior of the generation and distribution sections of the power grid. We use CRSA to track, understand, and anticipate activities and issues associated with these sections via a SCADA system. Without loss of generality, we expand the SCADA system by adding a master terminal unit (MTU) (or a master system), which is a device that controls many RTUs in the SCADA system (Choi et al. 2009). MTU is equipped with adequate computational resources in the SCADA system. Note that (i) RTUs are connected to sensors and they execute MTU’s instructions (Choi et al. 2009), (ii) MTU is connected to RTUs, and (iii) HMI is an interface of the system operator for the SCADA system. An overview of the SCADA system is presented in Fig. 9. This figure shows the connections between the SCADA system components that we utilize in this case study. We consider the configurations of these components and the event logs to initialize CRSA . We now present the FCM of the SCADA system supported by the MOC structure of CRSA as depicted in Fig. 10. This figure shows that the MOC structure is capable of influencing the behavior of the SCADA system to realize the expected properties of CRSA which enhances operational efficiency in the power grid. CRSA is built on a presumed flow of data between the SCADA system components. Recall that FCM training is used for realizing CRSA (see Sect. 4.1 for more details of FCM training). To show the FCM training, we first initialize weights of the FCM using expert knowledge of the power grid and MOC structure to determine the local dependencies between the SCADA system components and MOC structure based on the event logs. Secondly, with the support of the MOC structure, we

Fig. 9 A SCADA system. Abbreviations: RTU-1 remote terminal unit 1, RTU-2 remote terminal unit 2, MTU master terminal unit, HMI human-machine interface

25 CyreumE: A Real-Time Situational Awareness and Decision-Making. . .

Fig. 10 SCADA system with MOC structure [Figure labels: MOC structure (Modeling, Observing, Control); interconnections between MOC structure and SCADA system; SCADA system (HMI, MTU, RTUs, Sensors)]

adjust the weights based on the centrality of vertices. Lastly, we use the Hebbian learning approach for automated adjustment of the weights. Note that we also utilize historical data of past events that have led to system shutdown to support the design of the FCM training of the SCADA system.

To show the effectiveness of our architecture in this case study, we develop the weights of the SCADA system based on the temperature values of the components in the event logs and then use the MOC structure to support the SCADA system as shown in Fig. 11. Simulations have been performed in MATLAB environment based on the above-developed weights. We show the impact of failures on the SCADA system which arises from the behavior of the components and then use CRSA of our architecture to prevent such failures (in real time) from causing any availability/reliability issues or losses that can arise from the SCADA system in the power grid. We now show the usefulness of our architecture in this case study by using two test cases as follows:

• MTU performance using its first and fifth states: The first and fifth states of the MTU indicate behavior and temporal relations of the MTU and other connected components. Note that a sequence of states is represented as a dynamic behavior and temporal relations between the SCADA system components. Table 9 presents the impact of the case studies on some components within the SCADA system of our dataset and how CRSA models, observes, and controls the failure of the SCADA system. Without loss of generality, healthy states of the components lie between 0 and 1; otherwise, the components lie in unhealthy states.

Fig. 11 FCM developed for the SCADA system and MOC structure. Abbreviations: M modeling in MOC structure, O observing in MOC structure, C control in MOC structure, S-I sensors-I, S-II sensors-II, S-III sensors-III, S-IV sensors-IV, HMI human-machine interface, MTU master terminal unit, RTU-I remote terminal unit-I, RTU-II remote terminal unit-II

For the above test case, the first and fifth states of the MTU are shown in Figs. 12 and 13, respectively. These figures show that MTU and all other components are in healthy states.

• MTU in an unhealthy state: In this test case, we use the initial state of the MTU as “1.1.” As shown in Fig. 14, our simulation result shows that CRSA.C controls the state of the MTU from “1.1” to “0.6025” in the first state since (i) CRSA.C : p > 0; 0.75 ≤ A_i ≤ 1 at time t + p; otherwise CRSA.C : p = 1 (see Sect. 4.1 for more details on CRSA.C); and (ii) Fig. 11 shows the influence of CRSA.C on the MTU. Then, CRSA notifies CDVC by sending a Status transaction about the information regarding the status of MTU and its connected components including the control action performed for controlling the unhealthy behavior of the MTU (see also Sect. 4.1 for more details).

Table 9 Impact of case studies on SCADA system and MOC structure

| Case study | CRSA.M | CRSA.O | CRSA.C | HMI | MTU | RTU-II | RTU-I | Sensors-IV | Sensors-III | Sensors-II | Sensors-I |
|---|---|---|---|---|---|---|---|---|---|---|---|
| MTU performance (first state) | 0.2475 | 0.7500 | 1.0000 | 0.2025 | 0.6025 | 0.6000 | 0.6975 | 0.5020 | 0.3980 | 0.5017 | 0.3872 |
| MTU performance (fifth state) | 0.2475 | 0.7500 | 1.0000 | 0.3101 | 0.6097 | 0.9203 | 1.0000 | 1.0000 | 0.9252 | 1.0000 | 0.8790 |
| MTU in unhealthy state (i.e., initial state is “1.1”) | 0.2500 | 0.7500 | 1.0000 | 0.0500 | 1.1000 | 0.1500 | 0.1750 | 0.1250 | 0.1000 | 0.1250 | 0.1000 |
| MTU first state of the initial state “1.1” | 0.2475 | 0.7500 | 1.0000 | 0.4275 | 0.6025 | 1.0000 | 1.0000 | 0.5020 | 0.3980 | 0.5017 | 0.3972 |

Fig. 12 First state of the MTU in Table 9. Notations for MOC structure and SCADA system: (1) CRSA.M (Modeling in MOC structure), (2) CRSA.O (Observing in MOC structure), (3) CRSA.C (Control in MOC structure), (4) human-machine interface (HMI), (5) master terminal unit (MTU), (6) remote terminal units-II (RTU-II), (7) RTU-I, (8) Sensors-IV, (9) Sensors-III, (10) Sensors-II, (11) Sensors-I [Plot: y-axis “1st state of MTU” (0.2 to 1); x-axis “MOC structure and SCADA system” (1 to 11)]

Fig. 13 Fifth state of the MTU in Table 9 [Plot: y-axis “5th state of MTU” (0.2 to 1); x-axis “MOC structure and SCADA system” (1 to 11)]

Fig. 14 First state of MTU in unhealthy state “1.1” in Table 9 [Plot: y-axis “1st state of MTU with initial state “1.1”” (0.2 to 1); x-axis “MOC structure and SCADA system” (1 to 11)]

Thus, our solution in this case study ensures the real-time availability of operational data/reliability issues (and automated control) and mitigation of ATC&C losses associated with components’ failure at the Genco and Disco, respectively, in the power grid. Furthermore, other major benefits provided by our architecture include (i) real-time availability of the operational data to other segments of the distributed value chain to improve data sharing and integration in the power grid and (ii) handling of the Status transaction by CDVC and CRDM for nonoperational and operational decision-making, respectively.

6.2 Disputes Across the Value Chain of the Power Grid

In this case study, we consider disputes across the distributed value chain. The Discos, for example, were privatized to bidders with the best ATC&C losses reduction plans over 5 years; the successful bidders have been unable to come up with enough funds to match their proposed ATC&C losses reduction plans. They make an argument that the state of the privatized assets was worse than the status stated by the FGN during the privatization; however, they also claim that the due diligence period was short, not allowing adequate time to evaluate the assets properly. We now analyze their argument and provide a dispute prevention and resolution mechanism using our architecture.

Since the argument arises from the Discos, without loss of generality, we present a Disco X denoted as CDV²C in CDVC which uses operational data from CRSA and other nonoperational data for CRDM. In this work, we consider “disputes” as a nonoperational feature of the power grid; thus we say that nonoperational decision-making is required. Recall that, as mentioned in Sects. 4.2 and 4.3, CDVC utilizes a Status transaction to initiate nonoperational decision-making via an SC transaction. In this case study, the utilized Status transaction is the transaction related to the recorded state of distribution components at the time of the privatization. To initiate the required nonoperational decision-making, CDVC sends an SC transaction to CRDM.

We now present the role of CRDM in dispute prevention and resolution, i.e., how CRDM handles the SC transaction in this case. CRDM is responsible for decision-making related to the best hierarchy of deploying essential metrics related to the ATC&C losses reduction plan, while CDVC (using CRSA’s Status transaction) is responsible for validating the result from CRDM. According to the above dispute, without loss of generality, we present the essential metrics for describing an F-AHP formalization for modeling CRDM related to this dispute. The essential metrics include (i) S, state of the power grid and its distribution segment components; (ii) R, ATC&C losses reduction plans; (iii) C, the cost of the reduction; (iv) F, funding of the reduction; and (v) T, time/period of the reduction. We now model CRDM to solve the challenge of selecting the best hierarchy of deploying the above essential metrics. An F-AHP representation of the essential metrics is presented in Fig. 15. This figure shows the following:

(i) Objective – our objective is to choose the best hierarchy of the essential metrics S, R, C, F, and T (see above) to solve a challenge associated with ATC&C losses reduction plans in the distribution segment of the distributed value chain.
(ii) Criteria – the criteria are the essential metrics S, R, C, F, and T.
(iii) The alternatives – let the alternatives be decision I (DI), decision II (DII), and decision III (DIII) used for selecting the best alternative without loss of generality.

Fig. 15 F-AHP representation of the essential metrics showing the hierarchy of criteria and the alternatives. Abbreviations: DI decision I, DII decision II, DIII decision III [Figure labels: objective – choosing the best hierarchy of deploying essential metrics to solve a challenge associated with ATC&C losses reduction plans in distribution segment of the power grid value chain; criteria – S (state of distribution components), R (ATC&C losses reduction plans), C (cost of the reduction), F (funding of the reduction), T (time of the reduction); alternatives under each criterion – DI, DII, DIII]

We now present our F-AHP formalization using the nine steps of CRDM.

• Step 1: CRDM presents the average pairwise comparison of the criteria according to preferences shown in Table 10.
• Step 2: CRDM presents pairwise comparison matrices of the criteria in Table 11.
• Step 3: As shown in Table 12, CRDM calculates the geometric means of the fuzzy comparison values of each criterion.
• Step 4: CRDM calculates the fuzzy weight of each criterion in Table 13.
• Steps 5 and 6: CRDM combines steps 5 and 6 to calculate the non-fuzzy relative weight Mi and normalized relative weight Ni, respectively, of each criterion as presented in Table 14.

Using the same procedure in Table 13, CRDM now determines the weights of alternatives regarding the criteria. The alternatives should be compared pairwise with respect to each criterion, i.e., each criterion requires a separate analysis. Without loss of generality, we now present the pairwise comparisons of alternatives. CRDM presents the pairwise comparison of alternatives regarding “S” criterion in Table 15. Note that (i) scale of the criterion depends on the challenge (see Table 7 for more information about using “scale”); and (ii) in this case study, CRDM uses the same information in Table 15 for other criteria R, C, F, and T. Other calculations performed include (i) comparison matrices of the alternatives; (ii) geometric means of the alternatives; (iii) relative fuzzy weights of alternatives; (iv) average relative weight and normalized relative weight of the alternatives; and (v) normalized non-fuzzy relative weights of each alternative for each criterion.

Table 10 Pairwise comparisons of the criteria via triangular numbers

| Criterion | AI (9,9,9) | SI (6,7,8) | FI (4,5,6) | WI (2,3,4) | EI (1,1,1) | WI (2,3,4) | FI (4,5,6) | SI (6,7,8) | AI (9,9,9) | Criterion |

S Yes Yes S Yes S Yes S Yes R Yes R Yes R C Yes C F

R C F T C F T F Yes T T Yes

Table 11 Comparison matrices of the criteria

| Criteria | S | R | C | F | T |
|---|---|---|---|---|---|
| S | (1,1,1) | (1,1,1) | (6,7,8) | (6,7,8) | (4,5,6) |
| R | (1,1,1) | (1,1,1) | (4,5,6) | (6,7,8) | (6,7,8) |
| C | (1/8, 1/7, 1/6) | (1/6, 1/5, 1/4) | (1,1,1) | (1/4, 1/3, 1/2) | (4,5,6) |
| F | (1/8, 1/7, 1/6) | (1/8, 1/7, 1/6) | (2,3,4) | (1,1,1) | (1/6, 1/5, 1/4) |
| T | (1/6, 1/5, 1/4) | (1/6, 1/5, 1/4) | (1/4, 1/3, 1/2) | (4,5,6) | (1,1,1) |

Table 12 Geometric means of the fuzzy comparison values

| Criteria | g̃i | | |
|---|---|---|---|
| S | 2.70 | 3.00 | 3.29 |
| R | 2.49 | 2.81 | 3.10 |
| C | 0.40 | 0.49 | 0.61 |
| F | 0.35 | 0.41 | 0.49 |
| T | 0.43 | 0.49 | 0.57 |
| Total | 6.37 | 7.20 | 8.06 |
| Inverse of summation vector (reverse of total) | 0.16 | 0.14 | 0.12 |
| Increasing order (reverse vector) | 0.12 | 0.14 | 0.16 |

Table 13 Relative fuzzy weight of each criterion

| Criteria | w̃i | | |
|---|---|---|---|
| S | 0.324 | 0.420 | 0.5264 |
| R | 0.2988 | 0.3934 | 0.496 |
| C | 0.048 | 0.0686 | 0.0976 |
| F | 0.042 | 0.0574 | 0.0784 |
| T | 0.0516 | 0.0686 | 0.0912 |

Table 14 Average relative weight and normalized relative weight of each criterion

| Criteria | Mi | Ni |
|---|---|---|
| S | 0.423 | 0.415 |
| R | 0.396 | 0.389 |
| C | 0.071 | 0.0697 |
| F | 0.059 | 0.0579 |
| T | 0.070 | 0.0687 |

Table 15 Pairwise comparisons of alternatives regarding “S” criterion

| Criterion | AI (9,9,9) | SI (6,7,8) | FI (4,5,6) | WI (2,3,4) | EI (1,1,1) | WI (2,3,4) | FI (4,5,6) | SI (6,7,8) | AI (9,9,9) | Criterion |

DI DI DII

DII Yes DIII Yes DIII Yes

Table 16 Scores/results for each alternative according to each criterion

| Criteria | Weights | Score of DI (Si) | Score of DII (Si) | Score of DIII (Si) |
|---|---|---|---|---|
| S | 0.415 | 0.060 | 0.161 | 0.778 |
| R | 0.389 | 0.060 | 0.161 | 0.778 |
| C | 0.0697 | 0.060 | 0.161 | 0.778 |
| F | 0.0579 | 0.060 | 0.161 | 0.778 |
| T | 0.0687 | 0.060 | 0.161 | 0.778 |
| Total | | 0.060 | 0.161 | 0.778 |

• Step 7: CRDM calculates the score of each alternative according to each criterion as shown in Table 16. According to this table, DIII has the largest total score, and thus it is chosen as the best alternative for the stated objective. The decision on the hierarchy of the essential metrics will now be based on their respective score in DIII. Furthermore, the accuracy of our result is supported by the selection in Table 15 where DIII is absolutely more important than DII and strongly more important than DI. Thus, DIII is more important than DII and DI. Note that in a scenario where pairwise comparison of alternatives is complex in Table 15, a more interesting result should be expected which will present a different score/result at the end of this step.

• Step 8: CRDM now presents the CRDM results classification. The result shows that the classification of DIII is “Excellent” since “0.778” falls in “Level 4” of the CRDM results classification (see Table 8 for details of the CRDM results classification).
• Step 9: Then, CRDM sends the result to CDVC via an SCDM transaction.

We now model the SCDM transaction handling by CDVC. The SCDM transaction (say, with a TID-816) from CRDM is received by all segments of CDVC. Each segment of CDVC will now verify the SCDM transaction (with the support of CRSA’s Status transaction related to the SCDM transaction). If more than half of the segments approve the SCDM transaction, the (approved) SCDM transaction is now validated and published to the entire network by CDV²C, and then each segment of CDVC adds the (validated) SCDM transaction to its immutable distributed ledger. Otherwise, the transaction cannot be validated by CDV²C and will not be added to the ledger. Since the result shows that the criteria S, R, C, F, and T are to be treated equally and they have been accepted by all segments of CDVC, no segment of CDVC can argue flaws in the ATC&C losses reduction plans in the future. If any criterion is missing, then CDV²C can make an argument regarding the missing criterion. Assuming the result presents that one criterion is more important than other criteria, then that criterion must come first before the other criteria, i.e., according to their scores in DIII. Note that if CDV²C fails to validate or publish the transaction, a Penalized transaction will be sent to CDV²C by the blockchain (see Sect. 4.2 for details of a Penalized transaction). We want to explore a formulation of financial reward or compensation based on this transaction in future work.

Looking at the dispute between CDV²C and FGN (denoted as CDV³C), if the SCDM transaction is executed during or after the privatization, the transaction ID (i.e., TID-816) will be checked by all segments of CDVC, and thus all information associated with the TID-816 will be used as dispute resolution data as shown in Fig. 16 (since it was approved by segments of CDVC), such that the TID-816 is now utilized to resolve and prevent the dispute between CDV²C and CDV³C at any point during (or after) ATC&C losses reduction. Thus, our architecture has been applied to prevent and resolve disputes across the distributed value chain.

Fig. 16 CRDM result of the nonoperational decision-making process initiated by Disco X (CDV²C) for TID-816 (approved/accepted) with respect to five (5) criteria. Abbreviations: TID transaction identifier [Figure labels: TID-816 (Approved with same priority); S – State of the power grid and distribution segment components (accepted); R – ATC&C losses reduction plans based on “S” (accepted); C – cost associated with “R” (accepted); F – funding based on “C” (accepted); T – Time required for the plans according to “F” (accepted)]
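The calculation in Steps 3 to 7, as an added example that is not the chapter's own code: it takes Tables 11, 12 and 16 as printed on this page, reproduces Tables 13 and 14 with the page's rounding (two places for the inverse vector, three for Mi), and adds a reciprocity check on Table 11 before any weight is derived from it. The function names and the rounding parameters are assumptions of this example.

```python
from fractions import Fraction as Fr
from math import prod

CRITERIA = ["S", "R", "C", "F", "T"]


def tfn(text):
    """Parse 'l m u' into a triangular fuzzy number of exact fractions."""
    return tuple(Fr(part) for part in text.split())


ONE, WI, FI, SI = tfn("1 1 1"), tfn("2 3 4"), tfn("4 5 6"), tfn("6 7 8")
R_WI, R_FI, R_SI = tfn("1/4 1/3 1/2"), tfn("1/6 1/5 1/4"), tfn("1/8 1/7 1/6")

# Table 11 as printed: TABLE_11[row][k] compares the row criterion with CRITERIA[k].
TABLE_11 = {
    "S": [ONE, ONE, SI, SI, FI],
    "R": [ONE, ONE, FI, SI, SI],
    "C": [R_SI, R_FI, ONE, R_WI, FI],
    "F": [R_SI, R_SI, WI, ONE, R_FI],
    "T": [R_FI, R_FI, R_WI, FI, ONE],
}

# Table 12 as printed: geometric means (l, m, u), the input to Steps 4 to 6.
TABLE_12 = {
    "S": tfn("2.70 3.00 3.29"),
    "R": tfn("2.49 2.81 3.10"),
    "C": tfn("0.40 0.49 0.61"),
    "F": tfn("0.35 0.41 0.49"),
    "T": tfn("0.43 0.49 0.57"),
}

# Table 16 as printed: every criterion carries the same alternative scores.
TABLE_16 = {c: {"DI": Fr("0.060"), "DII": Fr("0.161"), "DIII": Fr("0.778")}
            for c in CRITERIA}


def non_reciprocal_pairs(matrix):
    """Pairs whose mirrored entry is not the reciprocal (1/u, 1/m, 1/l)."""
    bad = []
    for i, a in enumerate(CRITERIA):
        for j in range(i + 1, len(CRITERIA)):
            l, m, u = matrix[a][j]
            if matrix[CRITERIA[j]][i] != (1 / u, 1 / m, 1 / l):
                bad.append((a, CRITERIA[j]))
    return bad


def geometric_mean(row):
    """Step 3: component-wise geometric mean of one row of comparisons."""
    n = len(row)
    return tuple(float(prod(t[k] for t in row)) ** (1 / n) for k in range(3))


def fuzzy_weights(means, places=2):
    """Step 4: scale each mean by the reversed inverse of the column totals."""
    totals = [sum(g[k] for g in means.values()) for k in range(3)]
    inverse = [round(1 / t, places) for t in totals]  # rounded as in Table 12
    increasing = inverse[::-1]
    return {c: tuple(g[k] * increasing[k] for k in range(3))
            for c, g in means.items()}


def crisp_weights(weights, places=3):
    """Steps 5 and 6: average weight Mi, then normalised weight Ni."""
    m = {c: round(sum(w) / 3, places) for c, w in weights.items()}
    total = sum(m.values())
    return m, {c: v / total for c, v in m.items()}


def total_scores(n_weights, alt_scores):
    """Step 7: weighted sum of each alternative's score over all criteria."""
    alts = next(iter(alt_scores.values())).keys()
    return {a: sum(n_weights[c] * alt_scores[c][a] for c in n_weights)
            for a in alts}


def run():
    w = fuzzy_weights(TABLE_12)
    m, n = crisp_weights(w)
    totals = total_scores(n, TABLE_16)
    return w, m, n, totals, max(totals, key=totals.get)


if __name__ == "__main__":
    print("non-reciprocal pairs in Table 11:", non_reciprocal_pairs(TABLE_11))
    w, m, n, totals, best = run()
    for c in CRITERIA:
        print(c, [float(x) for x in w[c]], float(m[c]), round(float(n[c]), 4))
    print("best alternative:", best, float(totals[best]))
```

Running the reciprocity check first matters because the result is later written to a ledger that cannot be amended; any pair it returns should be reconciled with the judgments in Table 10 before the weights are relied on.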
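The SCDM handling described in Step 9, as an added example (not CyreumE's own code): segments vote, the transaction is appended to every ledger only on approval by more than half of them, and a later dispute is answered from the copies whose hash chain still verifies. The transaction fields, the SHA-256 hash chain, the segment names, the placeholder identifier TID-X and the rule inside approves() are assumptions; the page specifies only the more-than-half rule, the Status cross-check and the append to each segment's ledger.

```python
import copy
import hashlib
import json

REQUIRED_CRITERIA = {"S", "R", "C", "F", "T"}  # the five criteria named on the page
GENESIS = "0" * 64


def digest(obj):
    """SHA-256 of a canonical JSON encoding (encoding chosen for this example)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class Segment:
    """One segment of the value chain with its own Status copy and ledger."""

    def __init__(self, name, status_tx):
        self.name = name
        self.status_tx = status_tx
        self.ledger = []  # hash-chained blocks

    def approves(self, scdm):
        # Assumed check: the result must cite the Status transaction this
        # segment holds and must carry every criterion.
        return (scdm["status_digest"] == digest(self.status_tx)
                and set(scdm["criteria"]) == REQUIRED_CRITERIA)

    def append(self, scdm):
        prev = self.ledger[-1]["hash"] if self.ledger else GENESIS
        tx = copy.deepcopy(scdm)  # each segment stores its own copy
        self.ledger.append({"prev": prev, "tx": tx,
                            "hash": digest({"prev": prev, "tx": tx})})

    def chain_intact(self):
        prev = GENESIS
        for block in self.ledger:
            expected = digest({"prev": prev, "tx": block["tx"]})
            if block["prev"] != prev or block["hash"] != expected:
                return False
            prev = block["hash"]
        return True

    def lookup(self, tid):
        return next((b["tx"] for b in self.ledger if b["tx"]["tid"] == tid), None)


def handle_scdm(segments, scdm):
    """Append to every ledger only if more than half of the segments approve."""
    votes = {s.name: s.approves(scdm) for s in segments}
    validated = 2 * sum(votes.values()) > len(segments)
    if validated:
        for s in segments:
            s.append(scdm)
    return validated, votes


def dispute_record(segments, tid):
    """Record for tid held identically by more than half of the segments."""
    counts = {}
    for s in segments:
        tx = s.lookup(tid) if s.chain_intact() else None
        if tx is not None:
            key = digest(tx)
            counts[key] = (counts.get(key, (0, tx))[0] + 1, tx)
    for n, tx in counts.values():
        if 2 * n > len(segments):
            return tx
    return None


def demo():
    # Constructed sample data; only TID-816 and the criteria come from the page.
    status = {"tid": "TID-816", "asset_state": "constructed sample value"}
    segments = [Segment(f"segment-{i}", dict(status)) for i in range(1, 6)]
    segments[4].status_tx["asset_state"] = "different record"  # one dissenting copy
    scdm = {"tid": "TID-816", "status_digest": digest(status), "best": "DIII",
            "criteria": {c: "accepted" for c in sorted(REQUIRED_CRITERIA)}}
    ok, votes = handle_scdm(segments, scdm)
    incomplete = dict(scdm, tid="TID-X", criteria={"S": "accepted"})
    rejected, _ = handle_scdm(segments, incomplete)
    # One segment later edits its stored copy; its chain no longer verifies.
    segments[0].ledger[0]["tx"]["criteria"]["S"] = "rejected"
    return ok, votes, rejected, segments, scdm


if __name__ == "__main__":
    ok, votes, rejected, segments, scdm = demo()
    print("validated:", ok, votes)
    print("incomplete SCDM validated:", rejected)
    print("intact chains:", [s.chain_intact() for s in segments])
    print("dispute record matches:", dispute_record(segments, "TID-816") == scdm)
```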

7 Discussion and Related Work

There are several different approaches for providing reliable and adequate electricity supply, mainly using situational awareness, decision-making, efficient value chain networks, and reliability assessment approaches. All of these approaches have different benefits and limitations.

• Situational awareness approaches abstract from best practices, information sharing, and statistical indication system to offer a very high level of reliability and operational decision-making to the power grid operators (see, e.g., Usman et al. 2015 and He et al. 2016). But during situational awareness, these approaches do not support an automated and real-time control mechanism that is also connected to a distributed value chain and a real-time decision-making process for efficient decision-making in the power grid. Additionally, the lack of real-time information sharing about the operational position of the power grid poses a huge threat to efficient control of situations in the power grid.
• Decision-making approaches come with communication methods, information technology, strategic and comprehensive planning, heuristic methods, and economic activities to stimulate decision-making in the power grid (see, e.g., Gelston et al. 2012). However, these approaches do not enjoy integrated hierarchical and real-time decision-making in the power grid.
• Efficient value chain networks capture design and implementation of electricity value chains that are resilient to disruption and provide decision-making across the value chains, but the designs lack many benefits associated with blockchain technology, and the implementation is complex and undistributed (see, e.g., Jabbarzadeh et al. 2017).
• Reliability assessment approaches are very flexible in assessing the power grid (see, e.g., Yang et al. 2007 and Melodi et al. 2017). Some of the methods utilized are Monte Carlo methods (Robert 2004), energy planning methods, reliability assessment tools and techniques, and security evaluation.

Our architecture, CyreumE, provides the features of automated and real-time situational awareness, real-time (and automated/semiautomated) decision-making, and (semiautomated) distributed value chain while at the same time providing security and privacy guarantees in the power grid. All these features enhance funding and investment opportunities for the power sector of the developing countries because it assures investors of transparency and objectivity in the utilization of their funds.

Due to the importance of real-time situational awareness in the power grid, the effectiveness of the distributed value chain can be more limited during decision-making since data/information is required from the real-time situational awareness process to support decision-making (see also the descriptions in Sect. 4). Note that modelling, observing, and controlling any components which are not part of CyreumE will not be successful. However, we believe that the effect of such disintegration would be limited to a particular area, i.e., small scale.

In the remainder of this section, we discuss closely related work in detail. The work of He et al. (2016) is tedious, complex, and error-prone. For example, operators’ decision-making/inputs in He et al. (2016) are required during situational awareness, thus posing a huge threat to real-time situational awareness and operations in the power grid. Using power grid operators during situation awareness in the power grid may present a single point of failure via (little or heavy) reliance on humans for controlling certain situations, and susceptibility to errors cannot be avoided. Our architecture provides features that avoid tedious, complex, and error-prone solutions, which support real-time operational efficiency in the power grid.

Gelston et al. (2012) proposed a multi-organizational distributed decision-making method to address the root causes of complex and large-scale power grid contingencies. Human factors, organization behavior, and organization view of decision support, to name a few, are used in this research. Due to variable demand and unplanned outages in the power grid, Dalal et al. (2016) introduced a new hierarchical decision-making model for managing the grid. There are two key differences between our architecture and the solutions proposed by Gelston et al. (2012) and Dalal et al. (2016). First, our architecture supports automated and real-time decision-making based on the state of components in the power grid. Second, our architecture allows semiautomated and real-time decision-making (on the state of the power grid) in the power grid, which in turn provides an efficient and integrated decision-making solution across the distributed value chain.

Solutions of our case studies have not yet been provided in a blockchain setting with FCM and F-AHP. Making available operational data and reliability issues of the power grid and mitigating impact of extreme events have been provided in Wang and Gharavi (2017). As presented in our work, disputes across the distributed value chain can be resolved using our architecture. Moreover, secure communication solutions for the power grid have been proposed in Bou-Harb et al. (2013). Many of the solutions focus on achieving secure communication between components in the power grid; however, the performance analysis of their work did not specify that the latency requirement of the smart grid is met. In our work, our architecture uses a defined secure and efficient broadcast communication paradigm, CyreumE-CP, which allows secure broadcast communication across the power grid and its value chain. The performance evaluation of our work shows that CyreumE-CP meets the latency requirement of the power grid (see Sect. 4 for details).

8 Conclusion and Future Work

In this chapter, we have proposed CyreumE, a real-time situational awareness and decision-making blockchain-based architecture with distribution value chain framework for the power sector of the developing countries. Our architecture consists of three major portions, namely, real-time situational awareness process, real-time decision-making process, and distributed value chain framework denoted CRSA, CRDM, and CDVC, respectively. It uses a broadcast communication paradigm, CyreumE-CP, for secure and efficient communication in the Energy Internet, which can be referred to as the power grid in this chapter. CyreumE-CP is supported by shared secret session keys for preventing security attacks. Altogether, CyreumE uses blockchain-based technology, which in turn enhances real-time situational awareness and decision-making in the Energy Internet. Notably, CRSA and CRDM are designed to prevent operational inefficiency and inefficient decision-making, respectively. The desired properties of CRSA and CRDM are efficiently enhanced with the introduction of CDVC. We validate CyreumE-CP using IEEE 802.15.4 wireless sensor module and a security verification tool, and the result shows that CyreumE-CP is secure to be utilized in the power grid. The performance analysis of CyreumE-CP shows that all data communications or transactions in CyreumE meet the latency requirement of the power grid. Overall, our architecture uses integrated approaches that increase the reliability and availability of electricity supply, get rid of the complexity and error-proneness associated with operational efficiency in the power grid, and increase security and efficiency of existing solutions designed to support reliable and adequate electricity supply. At the same time, our integrated approaches offer funding and investment opportunities for the power sector of the developing countries.

We have demonstrated the usefulness of our architecture in two real-world case studies associated with the Nigerian power sector. In the case of technical challenges of unavailability of operational data/reliability issues and ATC&C losses associated with the Gencos and Discos, respectively, using a real-world dataset of leading power Genco and Disco simulated in MATLAB environment, we provide an efficient solution that guarantees adequate operational efficiency and mitigates power grid losses in real time. In the case of nontechnical challenges of disputes between a Disco and FGN, we provide an efficient solution that prevents and resolves disputes in real time. In future work, we will apply our architecture to other technical and nontechnical challenges across the power grid and extend our architecture to further enhance the reliability and availability of electricity supply in the world.

References

Advanticsys, IoT Hardware Platforms, 2018. https://www.advanticsys.com/shop/iot-hardwareplatforms-c-7.html?lang=en. Accessed 12 Dec 2018
A. Al-Ali, R. Aburukba, Role of internet of things in the smart grid technology. J Comput Commun 3(05), 229 (2015)
M. Andrychowicz, S. Dziembowski, D. Malinowski, L. Mazurek, Secure multiparty computations on bitcoin, in 2014 IEEE Symposium on Security and Privacy (SP) (IEEE, 2014), pp. 443–458
AVISPA, Automation Validation of Internet Security Protocols and Applications, 2003. http://www.avispa-project.org/. Accessed 14 Jan 2017
E. Bou-Harb, C. Fachkha, M. Pourzandi, M. Debbabi, C. Assi, Communication security for smart grid distribution networks. IEEE Commun. Mag. 51(1), 42–49 (2013)
J.J. Buckley, Fuzzy hierarchical analysis. Fuzzy Sets Syst. 17(3), 233–247 (1985)
J. Cao, M. Yang, Energy internet – towards smart grid 2.0, in 2013 Fourth International Conference on Networking and Distributed Computing, Hong Kong, 2013; 2014 (IEEE, 2013), pp. 105–110. https://doi.org/10.1109/ICNDC.2013.10
D.-Y. Chang, Applications of the extent analysis method on fuzzy AHP. Eur. J. Oper. Res. 95(3) (1996)
D. Choi, H. Kim, D. Won, S. Kim, Advanced key-management architecture for secure SCADA communications. IEEE Tran Power Deliv 24(3), 1154–1163 (2009). https://doi.org/10.1109/TPWRD.2008.2005683
S.W. Chou, Y.C. Chang, The implementation factors that influence the ERP (enterprise resource planning) benefits. Decis. Support. Syst. 46(1), 149–157 (2008). https://doi.org/10.1016/j.dss.2008.06.003
N. Consortium, The network simulator 3 (2015). https://www.nsnam.org/. Accessed 3 May 2018
M. Crosby, P. Pattanayak, S. Verma, V. Kalyanaraman, Blockchain technology: Beyond bitcoin. Appl Innov 2, 6–10 (2016)
G. Dalal, E. Gilboa, S. Mannor, Hierarchical decision making in electricity grid management, in International Conference on Machine Learning, 2016, pp. 2197–2206
A. Daneels, W. Salter, What is SCADA? (1999)
D. Dolev, A. Yao, On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983). https://doi.org/10.1109/TIT.1983.1056650
D. Gay, P. Levis, R. Von Behren, M. Welsh, E. Brewer, D. Culler, The nesC language: A holistic approach to networked embedded systems. ACM SIGPLAN Not. 49(4), 41–51 (2014)
G. Gelston, A. Dalton, L. Tate, Multi-organizational distributed decision making in the power grid industry, in 2012 IEEE International Multi-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA) (IEEE, 2012), pp. 158–161
X. He, R.C. Qiu, Q. Ai, L. Chu, X. Xu, Z. Ling, Designing for situation awareness of future power grids: An indicator system based on linear eigenvalue statistics of large random matrices. IEEE Access 4, 3557–3568 (2016)
J.-H. Heo, M.-K. Kim, G.-P. Park, Y.T. Yoon, J.K. Park, S.-S. Lee, D.-H. Kim, A reliability-centered approach to an optimal maintenance strategy in transmission systems using a genetic algorithm. IEEE Trans Power Deliv 26(4), 2171–2179 (2011)
A.Q. Huang, M.L. Crow, G.T. Heydt, J.P. Zheng, S.J. Dale, The future renewable electric energy delivery and management (FREEDM) system: The energy internet. Proc. IEEE 99(1), 133–148 (2011). https://doi.org/10.1109/JPROC.2010.2081330
Hyperledger, Hyperledger fabric, 2019. https://www.hyperledger.org/projects/fabric. Accessed 23 Aug 2019
A. Jabbarzadeh, B. Fahimnia, S. Rastegar, Green and resilient design of electricity supply chain networks: A multiobjective robust optimization approach. IEEE Trans. Eng. Manag (2017)
P. Kansal, A. Bose, Bandwidth and latency requirements for smart transmission grid applications. IEEE Trans Smart Grid 3(3), 1344–1352 (2012)
T. Khan, J. Reneke, R. Grotheer, T. Strauss, Decision making using a multi-criteria approach in a wholesale electrical power market, in Power Systems Conference (PSC), 2015 Clemson University (Piscataway, IEEE, 2015), pp. 1–5
B. Kosko, Fuzzy cognitive maps. Int. J. Man Mach. Stud. 24(1), 65–75 (1986). https://doi.org/10.1016/S0020-7373(86)80040-2
M. Kuzlu, M. Pipattanasomporn, S. Rahman, Communication network requirements for major smart grid applications in HAN, NAN and WAN. Comput. Netw. 67, 74–88 (2014)
G. Kyriakarakos, A.I. Dounis, K.G. Arvanitis, G. Papadakis, A fuzzy cognitive maps–petri nets energy management system for autonomous polygeneration microgrids. Appl. Soft Comput. 12(12), 3785–3797 (2012)
A. Melodi, J. Momoh, A. Oyinlola, Transmission system reliability modeling and assessment for Nigerian electric grid, in PowerAfrica, 2017 IEEE PES (IEEE, 2017), pp. 40–45
S. Mohagheghi, Integrity assessment scheme for situational awareness in utility automation systems. IEEE Trans. Smart Grid 5(2), 592–601 (2014). https://doi.org/10.1109/TSG.2013.2283260
H. Nicanfar, P. Jokar, K. Beznosov, V.C.M. Leung, Efficient authentication and key management mechanisms for smart grid communications. IEEE Syst. J. 8(2), 629–640 (2014). https://doi.org/10.1109/JSYST.2013.2260942
E. Oja, Neural networks, principal components, and subspaces. Int. J. Neural Syst. 1(1), 61–68 (1989)
E.I. Papageorgiou, K. Poczęta, Application of fuzzy cognitive maps to electricity consumption prediction, in Fuzzy Information Processing Society (NAFIPS) Held Jointly with 2015 5th World Conference on Soft Computing (WConSC), 2015 Annual Conference of the North American (IEEE, 2015), pp. 1–6
E.I. Papageorgiou, J.L. Salmeron, A review of fuzzy cognitive maps research during the last decade. IEEE Trans. Fuzzy Syst. 21(1), 66–79 (2013)
Powering Nigeria for the Future, 2016. https://www.pwc.com/gx/en/growth-markets-centre/assets/pdf/powering-nigeria-future.pdf. Accessed 1 May 2018
J. Rifkin, The third industrial revolution. Eng. Technol. 3(7), 26–27 (2008). https://doi.org/10.1049/et:20080718
C.P. Robert, Monte Carlo Methods. Wiley Online Library (2004)
A.S. Sani, D. Yuan, W. Bao, Z.Y. Dong, Towards secure energy internet communication scheme: An identity-based key bootstrapping protocol supporting unicast and multicast, in 2017 IEEE 16th International Symposium on Network Computing and Applications (NCA) (IEEE, 2017), pp. 1–5
A.S. Sani, D. Yuan, J. Jin, L. Gao, S. Yu, Z.Y. Dong, Cyber security framework for internet of things-based energy internet. Futur. Gener. Comput. Syst. 93, 849–859 (2018)
A.S. Sani, D. Yuan, W. Bao, Z.Y. Dong, B. Vucetic, E. Bertino, Universally Composable key bootstrapping and secure communication protocols for the energy internet. IEEE Trans Inf Forensics Sec 14(8), 2113–2127 (2019). https://doi.org/10.1109/TIFS.2019.2892005
A. Siraj, S.M. Bridges, R.B. Vaughn, Fuzzy cognitive maps for decision support in an intelligent intrusion detection system, in IFSA World Congress and 20th NAFIPS International Conference, 2001. Joint 9th, 2001 (IEEE, 2001), pp. 2165–2170
C.D. Stylios, P.P. Groumpos, Modeling complex systems using fuzzy cognitive maps. IEEE Trans. Syst. Man. Cybern. Part A Syst. Hum. 34(1), 155–162 (2004)
C.D. Stylios, V.C. Georgopoulos, G.A. Malandraki, S. Chouliara, Fuzzy cognitive map architectures for medical decision support systems. Appl. Soft Comput. 8(3), 1243–1251 (2008)
Tendermint, Tendermint: Blockchain Consensus, 2019. https://tendermint.com/. Accessed 23 Aug 2019
P.A. Trotter, M.C. McManus, R. Maconachie, Electricity planning and implementation in sub-Saharan Africa: A systematic review. Renew. Sust. Energ. Rev. 74, 1189–1209 (2017)
Z.G. Usman, S. Abbasoglu, N.T. Ersoy, M. Fahrioglu, Transforming the Nigerian power sector for sustainable development. Energy Policy 87, 429–437 (2015)
A. Vaccaro, R. Baseil, H. Hagras, M. Ho, P. Krein, R. Larsen, G. McKnight, V. Modi, A. Pascual, K. Passino, Reliable electric power for developing countries. Hum. Technol. Challenge. 1 (2011)
J. Wang, H. Gharavi, Power grid resilience [scanning the issue]. Proc. IEEE 105(7), 1199–1201 (2017). https://doi.org/10.1109/JPROC.2017.2702998
K. Wang, X. Hu, H. Li, P. Li, D. Zeng, S. Guo, A survey on energy internet communications for sustainability. IEEE Trans. Sustain. Comput. 2(3), 231–254 (2017)
G. Wood, Ethereum: A secure decentralised generalised transaction ledger. Ethereum Proj. Yellow Pap. 151, 1–32 (2014)
R.J. Wood, M.A. Gennert, A neural network that uses a Hebbian/backpropagation hybrid learning rule, in International Joint Conference on Neural Networks, 1992. IJCNN (IEEE, 1992), pp. 863–868
I. Xplore, IEEE Std 802.15.4f-2012 (Amendment to IEEE Std 802.15.4–2011): IEEE Standard for Local and metropolitan area networks – Part 15.4: Low-Rate Wireless Personal Area Networks (LR-WPANs) Amendment 2: Active Radio Frequency Identification (RFID) System Physical. vol Book, Whole (IEEE, 2012)
F. Yang, A.S. Meliopoulos, G.J. Cokkinides, G.K. Stefopoulos, A comprehensive approach for bulk power system reliability assessment (IEEE Lausanne Power Tech, 2007), pp. 1587–1592
R.E. Zapolin, Remote Terminal Industrial Control Communication System. Google Patents (1992)
Y. Zhang, J. Wen, The IoT electric business model: Using blockchain technology for the internet of things. Peer Peer Netw Appl 10(4), 983–994 (2017)

26 A Real-Time Robotic System for Sewing Personalized Stent Grafts

Bidan Huang, Ya-Yen Tsai, and Guang-Zhong Yang

Contents
1 Introduction
2 Related Work
3 Overview
3.1 Module I: Personalized Module
3.2 Module II: Bimanual Sewing Module
3.3 Module III: Vision Module
4 System Performance
4.1 Trajectory Following
4.2 Needle Driving and Piercing
4.3 Autonomous Sewing of Personalized Stent Grafts
5 Conclusion
References

Abstract

This chapter presents a multi-robot system to manufacture personalized products for medical purposes. This is a modularized system with three components: a personalized module, a bimanual module, and a vision module. The personalized module is designed to accommodate different patients’ anatomical structures, while the bimanual module performs an intricate sewing task. All the robots are coordinated via the vision module, which tracks and guides their motions in real time. Experiments show that this system can adapt to different personalized designs and achieve good accuracy and robustness. Therefore, this system can be extended to similar manipulation tasks, especially for flexible production, where multi-robot cooperation is required.

B. Huang
Tencent Robotics X, Shenzhen, China

Y.-Y. Tsai · G.-Z. Yang
Hamlyn Centre for Robotic Surgery, Imperial College London, London, UK

© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_50

Keywords Multi-robot system · Real-time vision · Personalized manufacturing

1 Introduction

In the trend of Industry 4.0, personalized manufacturing has become an increasingly popular topic. This requires factories to have “flexible production lines” that are able to produce quality products with customized designs (Rüßmann et al. 2015). Compared with the current practice of mass production, the flexible production line needs to be equipped with intelligent robots with the abilities of (1) online path planning for customized designs, (2) real-time sensing for process monitoring, and (3) adaptation to changing states. In order to achieve such a flexible production line, a multi-robot scheme is proposed for personalized manufacturing. In particular, personalized stent graft manufacturing is considered.

A stent graft is an artificial vessel made with a fabric tube (the graft) and supported by multiple zig-zag metal rings (the stents) (Fig. 1). It is a medical device that is commonly used in endovascular aneurysm repair (EVAR) to treat aneurysms such as abdominal aortic aneurysms (AAA) (CDC 2013). While off-the-shelf stent grafts are available from plenty of manufacturers, few of them provide personalized products (Resch 2016). Personalized stent grafts are customized to fit the patients’ anatomical geometry, such as the diameter and the length of their aneurysm. With the current state of the art, all personalized stent grafts are manually made, and their production is laborious and can take up to 6–12 weeks. This long production time puts acute patients at risk of deadly aneurysm rupture. Therefore, there is a clinical demand for an improved manufacturing process for personalized stent grafts.

The proposed robotic system adopts a modular design to account for stent grafts with different geometries. It incorporates custom-made hardware, learning, online path planning, and adaptation with real-time monitoring. The flexibility of making products with different designs is achieved by the personalized module, the repetitive tasks are handled by the bimanual module, and the entire system is monitored by a real-time vision module. Please note that in this work, the focus is on the process that is the most difficult to automate: sewing the stent on the fabric. This process involves complex bimanual motion and handling the deformation of the fabric and the thread.


Fig. 1 (a) Procedure of hand sewing a personalized graft. (b) A personalized stent graft with the maximum diameter of 34 mm. (Huang et al. 2017a)

2 Related Work

Autonomy in manufacturing, especially for customized products, has gradually gained popularity in research. Many works focus on the high-level architecture of the system. For example, Wang et al. (2016a) rely on existing technologies such as wireless networks and cloud computing in an attempt to achieve a smarter factory. With the assistance of big data, Wang et al. (2016b) proposed a multi-agent system capable of self-organization and negotiation to accomplish customization. Other works include the design of a personalized system in terms of demand and supply in comparison to that of conventional mass production (Montreuil and Poulin 2005). There is, however, little work that focuses on the lower level of implementation and development of an autonomous system to produce personalized cell (Liao et al. 2017).

To date, research on personalized stent graft manufacture is very limited. Its closely related field, the textile industry, on the other hand, has extensive research on different aspects of the manufacturing system. Various control policies have been proposed to adapt to environmental variations during sewing, from hybrid position/force control (Kudo et al. 2000), to fuzzy logic controllers (Koustoumpardis et al. 2006), and to more recent leader/follower control strategies (Schrimpf et al. 2014). To increase the versatility and improve the performance, multi-arm sewing robotic systems (Kudo et al. 2000) were also developed with features such as fabric tension control and edge tracking (Schrimpf and Wetterwald 2012). Others focus on modifying or redesigning existing components to facilitate the sewing process. For instance, KSL Keilmann (Lorsch, Germany) has developed a range of single-sided sewing heads to achieve 3D sewing on fabric-reinforced aerial structures.


Despite the extensive research in the textile industry, applying this research to delicate objects remains challenging. In this work, the focus is placed on customization, robot learning, and vision for tool tracking.

The concept of high customization and product personalization lies at the core of Industry 4.0. At the current stage, robots and computers are used to achieve only automation for mass production; however, to drive toward more flexible manufacture, a leap has to be taken to move from such a workflow to a smarter system with more autonomy and less human intervention. Manufacturing a stent graft is a typical example of the demand for such a system in the medical field. The existing robotics system is incapable of being fully utilized for automatic manufacturing at low cost simply because most stent grafts are patient specific. Hence, in this paper, the aim is to address this deficiency by proposing an enhanced robotics solution to produce a high-valued, personalized, and more affordable medical device.

The proposed robotics system was built to accommodate, but is not limited to, stent graft sewing, which is one of the most time-consuming and challenging tasks in manufacture. Currently, most customized stent grafts are hand-sewn. Although sewing a stent on a piece of fabric seems simple and is effortless for a human worker, the manipulation of the needle, fabric, and thread can be extremely complicated and sometimes requires high dexterity, which is very difficult for robots in particular. One of the most studied topics in robot learning is learning from demonstrations, or imitation learning, which was introduced to teach a robot to perform intricate actions like this. Many techniques have been proposed since then, from a simple “record-and-replay” approach to more sophisticated methods that rely on visual servoing to handle different aspects of variations (Pan et al. 2012).
However, many targeted only a single robot arm. Providing delicate bimanual task demonstrations can be demanding for a single user, and such demonstrations have been primarily provided through tele-operation (Van Den Berg et al. 2010). To enhance the accessibility of demonstration collection, a more efficient approach using the vision system is introduced to capture the hand sewing motions of an end user. The benefits of this method are twofold: (1) It removes the need to handle the control panel or manipulate the actual robot, i.e., kinaesthetic teaching. Through visual tracking, the demonstrations can be provided more intuitively and accurately. (2) Because the robots are not needed in the demonstrations, no changes or alterations to the existing robotic production process are required (detailed in Sect. 3.2).

The incorporation of a visual module into the system means that the tool tracking and detection accuracy and the performance of manipulation are interrelated (Ye et al. 2016). Tracking small objects, such as needle detection in suturing, is consequently difficult. Iyer et al. (2013) used a single-camera pose measurement approach (Lo et al. 2002) to achieve auto-suturing, while Staub and his team (Staub et al. 2010) relied on a stereo system to improve the alignment of the needle and the target stitching point. Other works, such as the “look-and-move” visual servoing method (Hutchinson et al. 1996), were proposed to minimize the kinematic errors of the robots and improve task accuracy. In this chapter, an algorithm is presented to robustly detect the needle using a 3D stereo system. Figure 2 summarizes the main constituents of the proposed framework. The major contributions are as follows:

1. A multi-arm robotic system designed to sew customized products such as stent grafts
2. A modularized system to carry out the personalized tasks and the repetitive tasks independently
3. A real-time vision-based design for multi-robot collaboration

Fig. 2 The proposed multi-module and multi-robot system for stent graft sewing. (Huang et al. 2017a)

3 Overview

In this chapter, the main focus is on the most challenging procedure in personalized stent graft manufacturing: sewing the stents on the graft. Depending on the design, the stents need to be sewn at different locations on the grafts. Our system automates the sewing process using a multi-robot system. This system contains three modules: the bimanual sewing module (KUKA Robots A, B, needle drivers A, B, as described in Sect. 3.2), the personalized module (KUKA Robot C, force sensor (Optoforce OMD-20-FE-200 N), mandrel, fabric, as described in Sect. 3.1), and the vision module (a stereo camera, detailed in Sect. 3.3).

The advantage of such a modularized system is that it separates the personalized planning from the sewing task. When a new design of stent needs to be sewn, the user only needs to make a change to the personalized module rather than the entire system. Therefore, the cost of personalizing the stent grafts is kept to a minimum. Specifically, the role of each module is listed below:

1. Mandrel module
   (a) Personalized trajectory planning
   (b) Stents and fabric handling
   (c) Thread tension monitoring
2. Bimanual sewing module
   (a) Learning and reproducing human hand sewing
   (b) Real-time adaptation
3. Vision module
   (a) Observing and recording user demonstrations of bimanual sewing
   (b) Robot coordination, tracking, and visual servoing
   (c) Needle pose detection

3.1 Module I: Personalized Module

This module starts from a customized stent graft design. This design is optimized according to the patient’s anatomy (Fig. 3). This customized stent graft fits the 3D geometry of the aorta and the aneurysm such that it can be tightly placed to the target location during surgery. Designing a personalized stent graft takes the following three steps. Firstly, the aneurysm is segmented from the patient’s CT/MR scan images (Fig. 3a). Secondly, the 3D geometry of the vessel and the aneurysm is reconstructed from the images (Fig. 3b), and thirdly, the stent graft is designed based on the reconstruction of the aneurysm (Fig. 3c).

Fig. 3 A personalized stent graft is designed through three stages. (a) CT scan of the patient’s abdomen. (b) A 3D reconstruction of the patient’s AAA. (c) A design of the stent graft based on the geometric structure of AAA. In this figure, the dotted line is where the stent is placed and the crosses are where the stitches will be sewed. The numerical values are represented in mm. (Huang et al. 2017a)


Fig. 4 (a) A 3D model of a mandrel to hold a fabric and stents. The stitching slots enable the needle to pierce through the fabric while the stent grooves allow the fixation of the stents. (b) The modified needle driver, motorized by a DC motor, attached to a KUKA robot. (Huang et al. 2017a)

After the customization of the stent graft, a corresponding mandrel is designed and 3D printed. A mandrel is a hollow cylinder-like object, whose primary function is to hold the stents and the graft in place during sewing (Fig. 4). It has grooves on its outer surface for stent fixation and sewing slots to allow for needle piercing. Prior to sewing, the mandrel is wrapped with a graft and stents. This device is then fixed to a 3D-printed octagonal prism adapter, each face of which carries a vision-based marker for positioning purposes (Fig. 2). With the markers, the pose of the mandrel can be tracked during the sewing process (Sect. 3.3). The other side of the adapter is affixed to a force sensor for thread tension monitoring (Sect. 4). This entire mandrel-adapter-sensor setup is mounted on Robot C’s end-effector. Each time a new stent graft is to be sewn, only this setup needs to be reinstalled, and the rest of the system remains the same.

The motion of Robot C is planned according to the design of the mandrel. The design specification can be retrieved, for example, via a radio-frequency identification (RFID) tag attached to the end of the mandrel (Fig. 2). With this information, i.e., the locations of the stents and the sewing slots, Robot C can automatically plan its motion. During the sewing process, it continuously delivers the sewing slots, in sequence, to locations that are easily accessible to the bimanual module, until all the sewing is done. In this fashion, the proposed system can adapt to different designs, and the personalization is realized by simply changing the mandrel.

3.2 Module II: Bimanual Sewing Module

This module takes charge of the primary task: sewing. Inspired by the fact that most personalized stent grafts are hand sewn, the bimanual module is designed to mimic human hand sewing. Hand sewing is painstaking and involves intricate manipulation skills. With the current state of the art, a lot of hand sewing tasks are difficult to robotize. To tackle this, a learning by human demonstration approach is applied to teach the bimanual module to sew. The learning comprises three steps. Firstly, a human demonstrates the sewing of the same stitch multiple times, and the sewing motion is recorded. The motion is then segmented into multiple motion primitives (Sect. 3.2.1). Finally, the primitives are encoded with statistical models (Sect. 3.2.2). With these models, the robots are able to reproduce the hand stitches that the human has demonstrated (Sect. 3.2.3). Throughout the learning stage, vision plays two roles: observing the human demonstrations and providing visual guidance and servoing for robot sewing.

This bimanual module consists of two robot arms (KUKA Robots A and B), on which two needle drivers (needle drivers A and B) are mounted (Fig. 4b). The needle drivers are motorized surgical needle drivers designed to grip the needle firmly. To achieve single-side sewing, a curved needle was used. Though the system has been developed for sewing, the setup is generic and can be applied to other bimanual manipulation tasks.

Here an “object-centric” approach has been adopted: the manipulation skill is represented as the relative motion between the manipulator and the manipulated object, i.e., the needle drivers and the curved needle, rather than the motion of the human hand. During task reproduction, the robots use the same needle drivers and the needle to sew. In this manner, the human sewing skill can be transferred to the robot directly without converting between human motion and robot motion.

3.2.1 Data Acquisition

The human demonstrates sewing by using two surgical needle drivers to manipulate the curved needle. At the joint of each needle driver, a pentagonal prism with a vision marker on each face is attached. The vision module hence records the 6 d.o.f sewing motion by tracking the markers’ pose during the demonstration. The human demonstrates a stitch multiple times on the same sewing slot of a pre-installed mandrel. A single stitch cycle is shown in Fig. 5 to illustrate the manipulation of the needle drivers and the needle. A semicircular needle was used and tracked based on the pose of the needle drivers as detailed in Sect. 3.3.2.

3.2.2 Task Learning

After recording multiple demonstrations of the sewing motion, each trajectory was filtered and manually sliced into a set of motion segments based on the rules described in Table 1. The segmentation was made according to the open and close status of the needle drivers. Segments from different demonstrations were then grouped accordingly. Dynamic time warping (Berndt and Clifford 1994) was applied to each group to align all the trials temporally. A Gaussian mixture model (GMM) Ω was used to encode each group of motion segments and form a motion primitive (Calinon et al. 2007; Huang et al. 2013). These models are 7D: the time stamp t and the 6 d.o.f pose h = {x, y, z, α, β, θ}.


Fig. 5 The six key steps (a–f) in a single stitch cycle, illustrating how each needle driver is manipulated during a human demonstration. Once a cycle is finished, the needle is brought to its initial location to carry out the next stitch cycle. (Huang et al. 2017a)

Table 1 Key motion primitives to perform a stitch. (Huang et al. 2017a)

| Motion primitives | Steps in Fig. 5 | Needle driver A status | Needle driver B status | Needle status |
|---|---|---|---|---|
| 1. | a, b | Closed | Open | With A |
| 2. | c | Closed | Closed | With A |
| 3. | d, e | Open | Closed | With B |
| 4. | f | Closed | Closed | With B |
| 5. | a | Closed | Open | With A |

For a given point $(t, h)$, its probability of belonging to a GMM $\Omega$ is estimated by the weighted sum of the probability of the point belonging to each Gaussian component $\Omega_k$:

$$p(t, h \mid \Omega) = \sum_{k=1}^{K} \pi_k \, p_k(t, h \mid \mu_k, \Sigma_k) \tag{1}$$

where $\pi_k$ and $p_k$ are the prior and the corresponding conditional probability density of the $k$-th Gaussian component ($\Omega_k$), with $\mu_k$ and $\Sigma_k$ being the mean and the covariance. More specifically, the mean $\mu_k$ and the covariance $\Sigma_k$ are defined as:

$$\mu_k = \begin{pmatrix} \mu_{t,k} \\ \mu_{h,k} \end{pmatrix}, \qquad \Sigma_k = \begin{pmatrix} \Sigma_{tt,k} & \Sigma_{th,k} \\ \Sigma_{ht,k} & \Sigma_{hh,k} \end{pmatrix} \tag{2}$$

A fivefold cross validation was used to determine the number of Gaussian components K.


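In order to obtain a reference trajectory of each motion primitive, Gaussian mixture regression (GMR) was used to query the mean $\hat{\mu}_h$ and the covariance $\hat{\Sigma}_{hh}$ of the pose at each time step $\hat{t}$:

$$\hat{\mu}_h = \sum_{k=1}^{K} \beta_k(\hat{t}) \, \hat{\mu}_{h,k}, \qquad \hat{\Sigma}_{hh} = \sum_{k=1}^{K} \beta_k(\hat{t})^2 \, \hat{\Sigma}_{hh,k} \tag{3}$$

where

$$\hat{\mu}_{h,k} = \mu_{h,k} + \Sigma_{ht,k} \, \Sigma_{tt,k}^{-1} \left(\hat{t} - \mu_{t,k}\right) \tag{4}$$

$$\hat{\Sigma}_{hh,k} = \Sigma_{hh,k} - \Sigma_{ht,k} \, \Sigma_{tt,k}^{-1} \, \Sigma_{th,k} \tag{5}$$

and

$$\beta_k(\hat{t}) = \frac{\pi_k \, p\left(\hat{t} \mid \mu_{t,k}, \Sigma_{tt,k}\right)}{\sum_{k=1}^{K} \pi_k \, p\left(\hat{t} \mid \mu_{t,k}, \Sigma_{tt,k}\right)} \tag{6}$$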
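As an added illustration (not code from the chapter or its authors), the following sketch evaluates Eqs. (3)–(6) to query a reference trajectory from a motion primitive. The two-component model, its two pose dimensions (instead of six), and all function names are constructed assumptions; because time is the only conditioning variable, $\Sigma_{tt,k}$ is a scalar and no matrix inversion is needed.

```python
import math


def gaussian_pdf(x, mean, var):
    """Density of a 1-D Gaussian; time is the only conditioning variable."""
    return math.exp(-0.5 * (x - mean) ** 2 / var) / math.sqrt(2.0 * math.pi * var)


def gmr(t_hat, components):
    """Return (mu_hat_h, sigma_hat_hh, betas) at query time t_hat.

    Each component is a dict (hypothetical layout) with keys:
      prior: pi_k          mu_t: mean of time         s_tt: variance of time
      mu_h:  mean of pose  s_ht: cov(pose, time)      s_hh: covariance of pose
    """
    # Eq. (6): weight of each component at the query time.
    weights = [c["prior"] * gaussian_pdf(t_hat, c["mu_t"], c["s_tt"])
               for c in components]
    total = sum(weights)
    if total == 0.0:
        # All densities underflowed: the query lies far outside the model.
        raise ValueError("query time is too far from every component")
    betas = [w / total for w in weights]

    dim = len(components[0]["mu_h"])
    mu_hat = [0.0] * dim
    sigma_hat = [[0.0] * dim for _ in range(dim)]
    for beta, c in zip(betas, components):
        # Sigma_ht * Sigma_tt^-1 reduces to a division because s_tt is scalar.
        gain = [s / c["s_tt"] for s in c["s_ht"]]
        for i in range(dim):
            # Eq. (4): conditional mean of component k.
            mu_k_i = c["mu_h"][i] + gain[i] * (t_hat - c["mu_t"])
            mu_hat[i] += beta * mu_k_i                      # Eq. (3), mean
            for j in range(dim):
                # Eq. (5): Sigma_th is the transpose of Sigma_ht.
                s_k_ij = c["s_hh"][i][j] - gain[i] * c["s_ht"][j]
                sigma_hat[i][j] += beta ** 2 * s_k_ij       # Eq. (3), covariance
    return mu_hat, sigma_hat, betas


def reference_trajectory(components, t_start, t_end, steps):
    """Sample the regression at evenly spaced times (steps >= 2)."""
    out = []
    for n in range(steps):
        t = t_start + (t_end - t_start) * n / (steps - 1)
        mean, cov, _ = gmr(t, components)
        out.append((t, mean, [cov[i][i] for i in range(len(mean))]))
    return out


# Constructed two-component primitive over normalised time [0, 1];
# pose dimensions are two coordinates in metres.
PRIMITIVE = [
    {"prior": 0.5, "mu_t": 0.0, "s_tt": 0.04,
     "mu_h": [0.0, 0.10], "s_ht": [0.02, 0.0],
     "s_hh": [[0.02, 0.0], [0.0, 0.001]]},
    {"prior": 0.5, "mu_t": 1.0, "s_tt": 0.04,
     "mu_h": [0.5, 0.10], "s_ht": [0.0, -0.004],
     "s_hh": [[0.01, 0.0], [0.0, 0.001]]},
]

if __name__ == "__main__":
    for t, mean, var in reference_trajectory(PRIMITIVE, 0.0, 1.0, 5):
        print(f"t={t:.2f} mean={[round(m, 4) for m in mean]} "
              f"var={[round(v, 6) for v in var]}")
```

The per-dimension variances returned by `reference_trajectory` are the quantities the next section uses to tell end-point-driven segments from contact-driven ones.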

3.2.3 Trajectory Optimization for Task Contexts

Generally, a robotic manipulation task has two task contexts: end point driven and contact driven. These two task contexts have different task constraints. For the former, the robot is required to reach an end point with few constraints (unless there are obstacles) on the path along which it travels, whereas for the latter, the robot contacts the environment and has to follow a particular trajectory constrained by the contact surface.

According to the different task contexts, the speed of the robot varies during sewing in order to achieve both high accuracy and speed. In the case of the bimanual sewing task, the approaching and departing motion of the needle to the fabric is end point driven, while the piercing in and out motion belongs to the contact-driven context. For the former, the robots moved at high speed as the requirements on position accuracy were low, while for the latter, the robots’ speed was lower to ensure they followed the reference trajectory accurately.

The task context was identified according to the variance of each motion primitive (Fig. 9). Significant variance suggests the task has a large tolerance of deviation when following the reference trajectory and the task context is end point driven. For example, the needle approaching the mandrel is end point driven. Small variance suggests that the task requires the reference trajectory to be followed with high accuracy and hence the task context is contact driven, e.g., when the needle is piercing the fabric, it needs to follow the reference trajectory carefully to produce high-quality stitches. According to the sewing task constraints, the variation of the speed of the robot is set as:

$$R = \begin{cases} 0.5, & var_t > 0.01 \ \text{or} \ var_r > 15 \\ 1.5, & var_t \in [0.005, 0.01] \ \text{or} \ var_r \in [5, 15] \\ 2, & var_t < 0.005 \ \text{or} \ var_r < 5 \end{cases} \tag{7}$$

where R is the ratio of robot speed to the human demonstration speed determined heuristically and vart and varr are the variance of the translation in meters and the rotation in degrees, respectively.

3.3 Module III: Vision Module

Prior to the task reproduction, the robots were registered to the vision module by hand-eye calibration. Specifically, Zhang’s camera calibration method is applied to acquire the camera intrinsic parameters (Zhang 2000). The transformation between a robot’s coordinate frame and the camera’s was determined via a visual marker attached to the end-effector of the robot. Collecting a series of marker poses in the camera frame and in the robot frame allowed us to formulate this mapping problem in the form of AX = XB, where X is the wanted transformation matrix. By performing the hand-eye calibration on all the robots, the poses of their bases in the camera frame can then be determined, and hence their motions can be tracked and guided via vision in real time.

3.3.1 Tool Pose Tracking

In this work, barcode markers (Garrido-Jurado et al. 2014) were used for tool tracking (Zhang et al. 2017). Five markers were adhered to the tip of the needle drivers via a hollow pentagonal prism, such that the vision module can continuously observe them during sewing (Fig. 6). To ensure continuous pose estimation, the detection was combined with a tracking algorithm (Kalal et al. 2010). For the tracking, the location of a marker in the previous frame was used to estimate its location in the next frame.

Fig. 6 (a) Curved needle for piercing. (b) The needle is searched within the yellow space during needle detection. This represents a 4D space and is bounded by ±5 mm along x, ±10 degrees about x, ±60 degrees about y, and ± 30 degrees about z. These cover the needle pose variation in experiments. (Huang et al. 2017a)


A set of corner points $\{c_i\}_{i=1}^{M}$ were firstly extracted from the previous frame and then tracked “forward” to estimate their locations $\{c_i^{+}\}_{i=1}^{M}$ in the current frame. These forwarded points were then tracked “backward” to the previous frame to obtain $\{c_i^{-}\}_{i=1}^{M}$. If the distance between a point in $\{c_i\}_{i=1}^{M}$ and $\{c_i^{-}\}_{i=1}^{M}$ was smaller than a threshold $\tau$, which is usually set to 1 px, it would be taken as an inlier. All inliers were then used to estimate the 6 d.o.f pose of the marker by perspective-n-points (Lepetit et al. 2009). In this manner, the markers’ pose can be estimated continuously, even when the detection failed.

3.3.2 Needle Detection

In each stitch cycle, the curved needle is passed from needle driver A to B and from B to A. After the two handovers, the needle usually deviates from its initial pose in A. This deviation can accumulate and cause task failure after multiple stitch cycles. In order to correct the deviation, the robots’ motion was altered adaptively according to the current needle pose. Hence after each handover, the needle is observed at a fixed via point, where the light condition is stable and the needle is not occluded, and the needle pose is estimated by performing a grid search in both stereo images (Huang et al. 2016).

The needle pose estimation was a constrained 2D/3D rigid registration problem. The curved needle was modeled as a series of points along its medial axis to determine the 6 d.o.f pose. A set of possible needle poses was first anticipated. To estimate the needle pose, points describing these possible needle poses were projected to and compared to needle features extracted from a pair of stereo images. The sum of the feature strength for the projected 3D model points was calculated (Fig. 6). The pose with the highest overall feature score was then taken as the pose of the needle. Features that had strong responses to lines and curvilinear objects (Baert et al. 2003) were used to extract the needle from the image. How the robot adapts its motion to the needle pose is explained in the next section.

3.3.3 Visual Servoing

The sewing task was performed with three robots. To coordinate all the robots’ motion, their bases were registered to the frame of the vision system, i.e., hand-eye calibrated (from Matlab: https://uk.mathworks.com/matlabcentral/fileexchange/22422-absolute-orientation). It is time-consuming to calibrate multiple robots, especially for tasks such as sewing or surgical tasks requiring high precision. Errors of hand-eye calibration could cause low sewing quality or collision between robots. To ensure the stitch quality, the visual servoing technique was deployed. With online visual feedback, the difference between the robot pose and the target pose can be eliminated regardless of the accuracy of the hand-eye calibration and the robot kinematics (Hutchinson et al. 1996).

Multiple reference frames were involved in our system and here is a list of the abbreviations:

1. c: camera
2. m: mandrel
3. s: stitching slots
4. n: needle
5. d: needle driver
6. r: robot base
7. ee: robot end-effector

Here, ${}^{b}\bullet_{a}$ denotes the homogeneous matrix of the pose of an object $a$ in the frame of an object $b$. A relative pose between objects $a$ and $b$ that is independent of robot motion is denoted as ${}^{b}H_{a}$. A pose that changes along the robot motion is denoted as ${}^{b}x_{a}$. Each personalized mandrel was registered to the vision module via the adapter such that all the stitching slots (${}^{m}H_{s}$), i.e., sewing locations, were registered to the robots. Further, the motorized needle drivers’ (A, B) poses were computed from a simple translation from their end-effectors’ poses.

In this work, a position-based “look-and-move” visual servoing approach was adopted. The accurate following of the reference trajectory was achieved by moving the robot to reduce the error between the current pose and the target pose of the needle drivers. The computation process is as follows. The location of the stitching slot used for demonstration ($s_0$) in the camera frame ($c$) was firstly registered to the camera by:

$${}^{c}x_{s_0} = {}^{c}x_{m} \cdot {}^{m}H_{s_0} \tag{8}$$

Hence, for the mandrel to deliver the $i$-th stitching slot to the same location, the error in pose was computed as:

$${}^{m}x_{m_i} = \left({}^{c}x_{m}\right)^{-1} \cdot {}^{c}x_{s_0} \cdot \left({}^{m}H_{s_i}\right)^{-1} \tag{9}$$

This can be transformed to find the error of the Robot C end-effector by ${}^{ee}H_{m}$. Hence the commands for Robot C to move the mandrel to the target pose are generated. Note that different mandrels will have different values of ${}^{m}H_{s_i}$.

During the robotic sewing, the same principle was applied. For instance, during motion primitive 1, the goal of the robot is to deliver the needle to the stitching location to carry out piercing thereafter. Therefore, the reference trajectory was represented as a series of needle poses in the frame of the stitching slot (${}^{s}x_{n}$). The needle pose was transformed to the needle driver pose by:

$${}^{s}x_{d} = {}^{s}x_{n} \cdot \left({}^{d}H_{n}\right)^{-1} \tag{10}$$

where ${}^{d}H_{n}$ is the relative pose between the needle ($n$) and needle driver ($d$), detected over the task as explained in Sect. 3.3.2. With different needle poses, the robot will adapt its trajectory to ensure that ${}^{s}x_{n}$ remains the same, i.e., to produce the same stitch. Similar to the mandrel module, the error between the current needle driver pose ($d$) and the desired needle driver pose ($d^*$) was computed as:

$${}^{d}x_{d^*} = \left({}^{c}x_{d}\right)^{-1} \cdot {}^{c}x_{s_i} \cdot {}^{s_0}x_{d^*} \tag{11}$$

The discrepancy between the robot current and desired end-effector poses could be computed from the above error. This discrepancy could be used to drive and servo the robot to the target pose. Since the robot control frequency was faster than the camera frame rate, to achieve a real-time performance, this servoing was conducted once every ten robot control cycles. To address the noise of the vision detected pose n and d, a double rate Kalman filter was applied as explained in our previous works (Huang et al. 2017b).
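As an added illustration (not code from the chapter or its authors), the sketch below carries Eqs. (8) and (9) through with 4×4 homogeneous matrices for two mandrel designs and checks that the computed error brings each stitching slot to the demonstrated slot pose. The cylindrical slot geometry, all numeric poses, the function names, and the choice to apply the error as a right-multiplied correction in the mandrel frame are assumptions made for this example.

```python
import math


def pose(axis, angle_deg, xyz):
    """Homogeneous 4x4 pose: rotation about one axis plus a translation."""
    a = math.radians(angle_deg)
    c, s = math.cos(a), math.sin(a)
    rot = {
        "x": [[1.0, 0.0, 0.0], [0.0, c, -s], [0.0, s, c]],
        "y": [[c, 0.0, s], [0.0, 1.0, 0.0], [-s, 0.0, c]],
        "z": [[c, -s, 0.0], [s, c, 0.0], [0.0, 0.0, 1.0]],
    }[axis]
    return [rot[i] + [float(xyz[i])] for i in range(3)] + [[0.0, 0.0, 0.0, 1.0]]


def compose(*transforms):
    """Chain homogeneous transforms left to right."""
    out = transforms[0]
    for t in transforms[1:]:
        out = [[sum(out[i][k] * t[k][j] for k in range(4)) for j in range(4)]
               for i in range(4)]
    return out


def invert(t):
    """Inverse of a rigid transform: [R p; 0 1]^-1 = [R^T  -R^T p; 0 1]."""
    r_t = [[t[j][i] for j in range(3)] for i in range(3)]
    p = [-sum(r_t[i][k] * t[k][3] for k in range(3)) for i in range(3)]
    return [r_t[i] + [p[i]] for i in range(3)] + [[0.0, 0.0, 0.0, 1.0]]


def slot_in_mandrel(angle_deg, height, radius):
    """m_H_s for a slot on a cylinder around the mandrel z axis (assumed)."""
    return compose(pose("z", angle_deg, (0.0, 0.0, height)),
                   pose("z", 0.0, (radius, 0.0, 0.0)))


def register_demo_slot(c_x_m, m_h_s0):
    """Eq. (8): demonstrated slot pose in the camera frame."""
    return compose(c_x_m, m_h_s0)


def mandrel_error(c_x_m, c_x_s0, m_h_si):
    """Eq. (9): mandrel pose error for delivering slot i to the demo pose."""
    return compose(invert(c_x_m), c_x_s0, invert(m_h_si))


def deliver_slot(c_x_m, c_x_s0, m_h_si):
    """Apply the Eq. (9) error; return it and the slot pose then reached."""
    err = mandrel_error(c_x_m, c_x_s0, m_h_si)
    c_x_m_new = compose(c_x_m, err)  # assumed: correction in mandrel frame
    return err, compose(c_x_m_new, m_h_si)


def max_abs_diff(a, b):
    return max(abs(a[i][j] - b[i][j]) for i in range(4) for j in range(4))


# Constructed poses (metres, degrees): mandrel in camera frame at
# demonstration time and at the current servoing step.
C_X_M_DEMO = compose(pose("x", 20.0, (0.10, -0.05, 0.60)),
                     pose("z", 35.0, (0.0, 0.0, 0.0)))
C_X_M_NOW = compose(pose("y", -12.0, (0.08, -0.02, 0.55)),
                    pose("z", 110.0, (0.0, 0.0, 0.0)))
M_H_S0 = slot_in_mandrel(0.0, 0.010, 0.017)

# Two constructed mandrel designs: only the m_H_si values differ.
DESIGN_A = [slot_in_mandrel(a, h, 0.017)
            for a, h in [(0.0, 0.010), (90.0, 0.030), (225.0, 0.055)]]
DESIGN_B = [slot_in_mandrel(a, h, 0.012)
            for a, h in [(30.0, 0.008), (150.0, 0.020), (270.0, 0.041)]]

if __name__ == "__main__":
    c_x_s0 = register_demo_slot(C_X_M_DEMO, M_H_S0)
    for name, design in (("A", DESIGN_A), ("B", DESIGN_B)):
        for i, slot in enumerate(design):
            err, reached = deliver_slot(C_X_M_NOW, c_x_s0, slot)
            print(name, i, [round(err[r][3], 4) for r in range(3)],
                  max_abs_diff(reached, c_x_s0))
```

Swapping `DESIGN_A` for `DESIGN_B` changes only the slot table, which mirrors the chapter's point that personalization is confined to the mandrel.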

4 System Performance

The performance of the proposed framework was examined in terms of its accuracy and robustness from a set of three experiments. Firstly, the accuracy of the visual servoing approach was estimated by a trajectory following task. Secondly, the robots were taught to perform needle driving and piercing at a fixed location. Finally, the performance of autonomous sewing on custom-made stent grafts was evaluated.

4.1 Trajectory Following

The purpose of this experiment was to evaluate the accuracy of the proposed visual servoing approach and compare it to a nonvisual servoing approach. A reference trajectory was demonstrated and visually recorded as explained in Sect. 3.2. This trajectory was first repeated at the demonstrated speed using a nonvisual servoing approach, i.e., repeated in an open loop without checking the error between the current pose and the target pose. After that, the reference trajectory was repeated five times using the visual servoing approach at the same speed. All the trajectories, including the reference trajectory and the repeated trajectories, were recorded via an optical tracker fixed on the robot end-effector. The distances between the reference trajectory and the repeated trajectories were computed and are shown in Table 2. For the nonvisual servoing approach, the reference trajectory was repeated with an average error of 5.23 mm, while with the visual servoing approach, the average error was less than 1 mm.

Table 2 Trajectory reproduction accuracy (Huang et al. 2017b)

| Error | No visual servoing | Trial 1 | Trial 2 | Trial 3 | Trial 4 | Trial 5 |
|---|---|---|---|---|---|---|
| Translation (mm) | 5.23 | 0.82 | 0.81 | 1.11 | 0.92 | 0.80 |
| Rotation (degree) | 0.07 | 0.01 | 0.01 | 0.02 | 0.01 | 0.01 |

4.2 Needle Driving and Piercing

The intention of this task was to validate the use of the vision module. Through visual servoing and needle detection, the robot replicated the task demonstrated by the end user, which was to drive a needle and pierce a fabric at a specified point. During the human demonstration, the demonstrator used a needle driver to manipulate a φ 8 mm semicircular needle (Fig. 6). The tool's trajectory was captured using a marker and a stereo system (resolution: 640 × 480). The pose of the needle was estimated using a model consisting of ten evenly distributed points along its arc, with the method described in Sect. 3.3.2. In the initial state, the needle driver grasped the needle and was positioned at a distance from the fabric. In the demonstration, the needle was first moved toward the target location before performing the piercing action on the fabric. This recorded trajectory allowed the robot to learn and thus replicate the demonstrated task. Note that the demonstrations were collected from only one human demonstrator, which has been shown to be sufficient for the purpose of learning. Studying the effect of multiple demonstrators on the final performance was not within the scope of this work. Through estimation of the needle pose, the robot adapted its motion trajectory to deliver the needle puncture at the desired location. In total, this task was reproduced six times at a speed equal to a third of that of the human demonstration. Across the six trials, different needle poses were obtained, as illustrated in Fig. 7, and in half of the trials the piercing locations were identical to the demonstrated one (Table 3). The error/accuracy was defined as the distance between the target and actual piercing locations, which is affected by the vision module (needle detection, tool tracking, and visual servoing algorithms). As shown in Fig. 7, the needle pierced the fabric at locations with very small deviation among different trials.
On average, an error of 0.48 mm was obtained, with trial 2 having a much larger error of 1.63 mm resulting from the robot arm reaching its joint limits. This validated the feasibility of the proposed framework in achieving high-precision sewing in stent graft manufacturing. To further improve the outcome, a stereo vision system with a higher resolution could be adopted as suggested by Pérez et al. (2016).

Table 3 Quantitative measurements of needle piercing task. Absence of observable errors is denoted as -. (Huang et al. 2017a)

| Needle pose | θx (degrees) | θy (degrees) | θz (degrees) | X (mm) | Error (mm) |
|---|---|---|---|---|---|
| 1 | −1.00 | 0 | 8.51 | −1 | - |
| 2 | 0.41 | −9.39 | −0.12 | 0 | 1.63 |
| 3 | 0.12 | −0.99 | 1.50 | −2 | - |
| 4 | 1.17 | 6.49 | 10.0 | 1 | - |
| 5 | −2.88 | 21.00 | 7.43 | −2 | 0.5 |
| 6 | −2.00 | 6.00 | 13.53 | −3 | 0.8 |

[Figure: panels (a)–(f) show Trials 1–6]

Fig. 7 The first experiment used six unique starting needle poses. From top row to the bottom, it shows the results of needle and the tool pose detection and reprojection, the robot adaptation to the needle poses, and needle piercing on the fabric. (Huang et al. 2017a)

Fig. 8 Stent grafts with four different outer diameters; from left to right, 4.4 cm, 4 cm, 3 cm, 3 cm. (Huang et al. 2017a)

4.3 Autonomous Sewing of Personalized Stent Grafts

An evaluation of the proposed multi-robot sewing system was performed by conducting sewing on four stent grafts shown in Fig. 8 with different physical parameters. (The diameter of a stent graft could be made even smaller. Limited by the available fabrication method and materials, the smallest that could be achieved was 3 cm in diameter, which was much smaller than most of the stent grafts in use to treat AAA.) The parameters were selected such that the customized one was available from the existing manufacturers. The materials used for the fabric and the stents were Dacron and medical stainless steel, respectively. The fabrication of the mandrels was done based on the geometric structures of the designed stent grafts. Each mandrel consists of ten stitching slots with a size of 2 mm in width placed at the crests, the center, and the troughs of the stent groove. Before commencing sewing, the mandrel and its marker were mounted on Robot C, and the sewing slots were manually covered with the fabric and the stent.


Fig. 9 The top row shows the five trajectories recorded from tracking the needle drivers during demonstration. The bottom row shows the reference motion primitives learned. A green line is the reference trajectory and the shaded area represents the variance. (Huang et al. 2017a)

A setup of the proposed multi-arm robotic sewing system is illustrated in Fig. 2. It consisted of three 7-d.o.f. KUKA robots, each of which was registered to the vision module through hand-eye calibration. The camera was located above the workspace for tool/mandrel tracking and demonstration recording. In this task, five demonstrations of bimanual sewing were performed on the same stitching slot of stent graft A using the same needle drivers and needle as in the previous task. At the beginning of each stitch, the needle pose was estimated in order to compute the needle pathway. On average, a stitch size of 4.10 mm was acquired from the human demonstrator. Figure 9 shows the five motion primitives of the demonstrations. Some trajectories, i.e., primitives 2 and 3 of needle driver A and primitives 1, 4, and 5 of needle driver B, were omitted from the figure because they were stationary at a point in space. The variance of each motion primitive changed over phases and is presented at the bottom of the same figure. Significant variance indicates the presence of multiple paths to reach the goal, while small variance implies a more restricted path needed to carry out precise actions. These were evidenced by the trajectories of the tool approaching/leaving the fabric and piercing the needle, respectively. To ensure precise insertion, extraction, and driving of the needle, the robot was slowed down for better controllability; otherwise, the movement of the robots was sped up to shorten the sewing duration. Overall, the robots were sped up for more than half of the entire process, and hence the stitching cycle was completed efficiently in time (Fig. 10). Through the use of the vision-based system and the markers placed on the tools and mandrels, the learned trajectories could be registered to a new stitching slot of a different mandrel given the known geometric configurations between the stitching slots and the mandrel frame.
At the beginning of each stitch, the reference trajectory was adapted according to the pose of the needle. Upon the completion of a stitch, Robot A would pull the stitch to a pre-programmed destination to tighten the thread. This was achieved by monitoring the reading of the force sensor placed on the mandrel: when the reading exceeded a predefined threshold, the pulling action was terminated. After that, Robot C would translate and rotate the mandrel to deliver the next stitching slot to the desired location for a new stitch. In the case of failure, the system would revert to its initial pose to restart the sewing process. In this task, a success rate of 79% was achieved based on a total of 124 stitches made across the four designed mandrels. On average the stitch was about 3.60 mm, and the variance was approximately 0.89 mm. The lengths of stitches are detailed in Figs. 11 and 12. Four sources of failure were identified: (1) needle mishandled (stent and trial A4, A7, A8, B36, B43, B45, D7, D14, D35, D49); (2) misplaced stitch (A15, A16, B31, C49, C51, D11, D31, D32); (3) needle-stent collision (B24, B25, D26, D53); and (4) thread entanglement (B22, C51, D1, D18). Of the four causes of failure, the first three were attributed to the needle estimation and visual servoing errors, while the last one resulted from the absence of adequate thread shape control. The outcomes of this task indicate the potential of the proposed robotic system for manufacturing personalized stent grafts. To address the failures mentioned above, the system could be further enhanced by improving its components. For example, adopting high-resolution stereo vision systems could improve the needle detection and visual servoing performance, and modifying the motorized needle drivers could allow for a wider opening and thus increase the tolerance to a poorly placed needle.

Fig. 10 A key frame for each motion primitive in bimanual sewing is presented. (a–e) are the top views and (f–j) are the side views of each motion primitive

[Figure: stitch size versus trial number (1–64) for Stent A, Stent B, and Stent C]

Fig. 11 Experimental results for each stent graft; A (blue: 1–18), B (red: 19–46), and C (green: 47–64). From a total of 64 trials, an obtained success rate is 77% with mean stitch size of 3.93 mm and the variance of 0.77 mm. Failed stitches are presented as zero stitch size. (Huang et al. 2017a)

[Figure: stitch size (mm) versus trial number (1–60) for Stent D]

Fig. 12 Experimental results obtained from stent graft D. From a total of 60 trials, a success rate of 82% was obtained with the mean size of 3.46 mm and the variance 0.44 mm. Again, failed stitches are represented as zero stitch size. (Huang et al. 2017a)


The slack of the fabric covering the mandrel was considered the leading cause of the variance in stitch size. A small amount of deformation resulting from the slack could have a significant influence on the stitch size. A potential solution is to design a collapsible mandrel that could fit into a fabric tube and expand to fit tightly to the fabric. Lastly, implementing explicit thread control, which has not yet been considered, could further increase the reliability of the proposed system.

5 Conclusion

In this chapter, a multi-robot system for personalized AAA stent graft manufacturing is described. This system is motivated by the increasing demand for customization of medical devices. A practical solution for flexible production of custom-made medical devices has been proposed. In this work, personalization has been achieved by a modularly designed system, which can cope with flexibility while minimizing the complexity of the task. When handling an individual design, only the personalized module needs to be reconfigured, and the rest of the system remains the same. Such a system can be extended to other similar manufacturing tasks. The proposed system consists of three robot arms, which are coordinated via a real-time vision system. It has been evaluated by sewing different stent grafts. The accuracy and robustness of the system have been detailed. The results show that the proposed system achieves sub-millimeter accuracy for positioning. For multiple-throw sewing, it achieved an overall success rate of 79% with an average stitch size of 3.6 mm and a target stitch size of 4.10 mm. In summary, the multi-robot system described in this chapter demonstrates good potential for practical use. The performance of this system can be improved by various means. For industrial manufacturing, the primary requirements of a system are accuracy and robustness, and they will be the focus of future work. The flexibility of this system will also be further explored to accommodate more complex designs such as stent grafts with branches and fenestrations.

References

S.A. Baert, M.A. Viergever, W.J. Niessen, Guide-wire tracking during endovascular interventions. IEEE Trans. Med. Imaging 22(8), 965–972 (2003)

D.J. Berndt, J. Clifford, Using dynamic time warping to find patterns in time series, in KDD Workshop, vol. 10, (Seattle, 1994), pp. 359–370

S. Calinon, F. Guenter, A. Billard, On learning, representing, and generalizing a task in a humanoid robot. IEEE Trans. Syst. Man Cybern. B Cybern. 37(2), 286–298 (2007)

CDC, Deaths, percent of total deaths, and death rates for the 15 leading causes of death in 5-year age groups, by race, and sex: United states. Ctr. Dis. Control Prev. (2013). www.cdc.gov/nchs/data/dvs/lcwk1_2013.pdf

S. Garrido-Jurado, R. Muñoz-Salinas, F. Madrid-Cuevas, M. Marín-Jiménez, Automatic generation and detection of highly reliable fiducial markers under occlusion. Pattern Recogn. 47(6), 2280–2292 (2014). https://doi.org/10.1016/j.patcog.2014.01.005. http://www.sciencedirect.com/science/article/pii/S0031320314000235

B. Huang, S. El-Khoury, M. Li, J.J. Bryson, A. Billard, Learning a real time grasping strategy, in 2013 IEEE International Conference on Robotics and Automation (ICRA), (2013), pp. 593–600. https://doi.org/10.1109/ICRA.2013.6630634

B. Huang, A. Vandini, Y. Hu, S.L. Lee, G.Z. Yang, A vision-guided dual arm sewing system for stent graft manufacturing, in 2016 IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS), (IEEE, 2016), pp. 751–758

B. Huang, M. Ye, Y. Hu, A. Vandini, S.L. Lee, G.Z. Yang, A multirobot cooperation framework for sewing personalized stent grafts. IEEE Transactions on Industrial Informatics 14(4), 1776–1785 (2017a)

B. Huang, M. Ye, S.L. Lee, G.Z. Yang, A vision-guided multi-robot cooperation framework for learning-by-demonstration and task reproduction, in 2017 IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS), (IEEE, 2017b)

S. Hutchinson, G.D. Hager, P.I. Corke, A tutorial on visual servo control. IEEE Trans. Robot. Autom. 12(5), 651–670 (1996)

S. Iyer, T. Looi, J. Drake, A single arm, single camera system for automated suturing, in 2013 IEEE International Conference on Robotics and Automation (ICRA), (IEEE, 2013), pp. 239–244

Z. Kalal, K. Mikolajczyk, J. Matas, Forward-backward error: Automatic detection of tracking failures, in 2010 20th International Conference on Pattern Recognition (ICPR), (IEEE, 2010), pp. 2756–2759

P. Koustoumpardis, N. Aspragathos, P. Zacharia, Intelligent Robotic Handling of Fabrics Towards Sewing (INTECH Open Access Publisher, 2006)

M. Kudo, Y. Nasu, K. Mitobe, B. Borovac, Multi-arm robot control system for manipulation of flexible materials in sewing operation. Mechatronics 10(3), 371–402 (2000)

V. Lepetit, F. Moreno-Noguer, P. Fua, Epnp: An accurate o (n) solution to the pnp problem. Int. J. Comput. Vis. 81(2), 155 (2009)

Y. Liao, F. Deschamps, E.F.R. Loures, L.F.P. Ramos, Past, present and future of industry 4.0-a systematic literature review and research agenda proposal. Int. J. Prod. Res. 55(12), 3609–3629 (2017)

D. Lo, P.R. Mendonça, A. Hopper, et al., Trip: A low-cost vision-based location system for ubiquitous computing. Pers. Ubiquit. Comput. 6(3), 206–219 (2002)

B. Montreuil, M. Poulin, Demand and supply network design scope for personalized manufacturing. Prod. Plann. Control 16(5), 454–469 (2005)

Z. Pan, J. Polden, N. Larkin, S. Van Duin, J. Norrish, Recent progress on programming methods for industrial robots. Robot. Comput.-Integr. Manuf. 28(2), 87–94 (2012)

L. Pérez, Í. Rodríguez, N. Rodríguez, R. Usamentiaga, D.F. García, Robot guidance using machine vision techniques in industrial environments: A comparative review. Sensors 16(3), 335 (2016)

T. Resch, Custom-made devices: Current state of the art. Endovascular Today. (2016). http://evtoday.com/2016/03/custom-made-devices-current-state-of-the-art/

M. Rüßmann, M. Lorenz, P. Gerbert, M. Waldner, J. Justus, P. Engel, M. Harnisch, Industry 4.0: The Future of Productivity and Growth in Manufacturing Industries (Boston Consulting Group, Boston, 2015), p. 14

J. Schrimpf, L.E. Wetterwald, Experiments towards automated sewing with a multi-robot system, in 2012 IEEE International Conference on Robotics and Automation (ICRA), (IEEE, 2012), pp. 5258–5263

J. Schrimpf, M. Bjerkeng, G. Mathisen, Velocity coordination and corner matching in a multi-robot sewing cell, in 2014 IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS 2014), (IEEE, 2014), pp. 4476–4481

C. Staub, T. Osa, A. Knoll, R. Bauernschmitt, Automation of tissue piercing using circular needles and vision guidance for computer aided laparoscopic surgery, in 2010 IEEE International Conference on Robotics and Automation (ICRA), (IEEE, 2010), pp. 4585–4590

J. Van Den Berg, S. Miller, D. Duckworth, H. Hu, A. Wan, X.Y. Fu, K. Goldberg, P. Abbeel, Superhuman performance of surgical tasks by robots using iterative learning from human-guided demonstrations, in 2010 IEEE International Conference on Robotics and Automation (ICRA), (IEEE, 2010), pp. 2074–2081

S. Wang, J. Wan, D. Li, C. Zhang, Implementing smart factory of Industrie 4.0: An outlook. Int. J. Distrib. Sens. Netw. (2016a)

S. Wang, J. Wan, D. Zhang, D. Li, C. Zhang, Towards smart factory for industry 4.0: A self-organized multi-agent system with big data based feedback and coordination. Comput. Netw. 101, 158–168 (2016b)

M. Ye, L. Zhang, S. Giannarou, G.Z. Yang, Realtime 3d tracking of articulated tools for robotic surgery, in International Conference on Medical Image Computing and Computer-Assisted Intervention, (Springer, 2016), pp. 386–394

Z. Zhang, A flexible new technique for camera calibration. IEEE Trans. Pattern Anal. Mach. Intell. 22(11), 1330–1334 (2000)

L. Zhang, M. Ye, P.L. Chan, G.Z. Yang, Real-time surgical tool tracking and pose estimation using a hybrid cylindrical marker. Int. J. Comput. Assist. Radiol. Surg. 12(6), 921–930 (2017). https://doi.org/10.1007/s11548-017-1558-9

Part IV Real-Time Networks and Communications Naveen Chilamkurti

27 Low-Latency Multicast and Broadcast Technologies for Real-Time Applications in Smart Grid

Yuemin Ding and Xiaohui Li

Contents
1 Introduction
2 Low-Latency Multicast to Minimize End-to-End Delay for WAC
2.1 Problem Formulation
2.2 Problem-Solving with Lagrangian Relaxation
2.3 Algorithm Design
3 Low-Latency Multicast for Multiple Multicast Trees with Shared Links in WANs
3.1 Problem Formulation and Analysis
3.2 Problem-Solving with Constrained Optimization
4 Low-Latency Constrained Broadcast in NANs
4.1 Problem Formulation
4.2 Constrained Optimization and Solving
4.3 An Illustrative Example
5 Conclusions
References

Abstract

Smart grid integrates modern information and communication technologies with the electrical grid for improved efficiency and reliability. In smart grid, the communication infrastructure is composed of wide area networks (WANs), neighborhood area networks (NANs), and home area networks (HANs). There are many real-time applications demanding low-latency communication technologies, such as wide area protection, urgent demand response, and real-time operations. However, the coexistence of various smart grid applications leads to a competition of limited network resources, leading to negative impacts on communication latency, system reliability, etc. To improve the performance of communication latency, multicast and broadcast technologies are efficient approaches, especially for networks with limited bandwidth and large scalability. This chapter offers a systematic introduction to the multicast and broadcast technologies for real-time applications in smart grid, including low-latency multicast to minimize end-to-end delay for wide area control, low-latency multicast for multiple multicast trees with shared links in WANs, and low-latency constrained broadcast in NANs. Aspects of problem formulation, problem-solving, and illustrative examples have been addressed.

Y. Ding
Tecnun School of Engineering, University of Navarra, San Sebastian, Spain

X. Li
School of Information Science and Engineering, Wuhan University of Science and Technology, Wuhan, China

© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_66

1 Introduction

Smart grid is deployed to improve the efficiency and reliability of power systems by using modern information and communication technologies. The smart grid communication infrastructure comprises wide area networks (WANs), neighborhood area networks (NANs), and home area networks (HANs). They help in fully automated monitoring, control, and protection of large-scale energy systems. In smart grid, there are many real-time applications, e.g., wide area control, wide area protection, and urgent demand response, demanding low-latency communication technologies.

In the wide areas, the essential information components include phasor measurement units (PMUs) and phasor data concentrators (PDCs) to support real-time state estimation, protection, and operation. For instance, a delay of data packets in WAN communications implies insufficient information for the WAC to make a decision for real-time operations. An increased WAN delay may even have the same impact on the WAC functionality as a packet loss (Kansal and Bose 2012; Konstantinos et al. 2014). In addition, the coexistence of multiple applications in WAN leads to competition for limited network resources. The resource competition may cause congestion on shared communication links. With the consideration of the features of WAN applications, multicast-based communications offer feasible solutions for low-latency communications.

In the neighborhood areas, wireless technologies have been widely adopted, serving as the bridge between WAN and HAN. Low-latency communication over a wireless NAN is a fundamental requirement for wireless NANs in some smart grid applications as in many other wireless network systems, e.g., those discussed in Pradittasnee et al. (2017) and Tian et al. (2016). A typical time-critical application in smart grid is emergency demand response (EDR), which aims to avoid cascading failures during emergency events, such as voltage collapse and power blackout (Wang et al. 2011; Kim and Kim 2012; Tran et al. 2018). A viable way to fulfill this requirement is to broadcast the control command to the whole NAN. This demands one-to-many communications with a very low latency (Rajalingham et al. 2013; Kansal and Bose 2012). However, the low-latency broadcast is challenging in wireless NANs due to the limited bandwidth, unreliable wireless links, and network scalability.

To address these issues, this chapter offers a systematic introduction to low-latency multicast and broadcast technologies for real-time applications in smart grid. This chapter is composed of three technical parts: (i) low-latency multicast routing to minimize end-to-end delay for wide area control (WAC) through constructing an optimized multicast tree with Lagrangian relaxation and a bandwidth-constrained minimum Steiner tree (BCMST) algorithm (Li et al. 2019a); (ii) low-latency multicast routing for multiple multicast trees with shared links in WANs through betweenness centrality to bandwidth ratio tree (BCBT) approach (Li et al. 2019b); and (iii) low-latency constrained broadcast in wireless NANs with unreliable wireless links by using constrained optimization (Ding et al. 2020).

2 Low-Latency Multicast to Minimize End-to-End Delay for WAC

This section presents a low-latency multicast scheme to minimize end-to-end delay in WAN, including the problem formulation, the problem-solving with Lagrangian relaxation, and the algorithm design. The notations used in the section are listed in Table 1.

2.1 Problem Formulation

Figure 1 shows a multicast routing framework for WAC in a publish-subscribe network (PSN) in smart grid. The data management plane receives publishers' announcements of the availability of their data, as well as subscribers' requests for data services. For example, a PMU as a publisher sends its data to multiple PDCs as subscribers through a network of middleware-level status routers. The data management plane maintains the whole PSN topology. It also determines multicast routing and sets up actual data delivery paths. Directed by the data management plane, a specialized middleware-layer forwarding engine on the data delivery plane accomplishes the multicast between a publisher and multiple subscribers. Therefore, constructing a multicast tree between a publisher and multiple subscribers becomes essential for multicast routing for WAC in smart grid.

A PSN of WAC systems can be described as an undirected network G(V, E) composed of a set of nodes V and a set of links E among these nodes. The nodes in V can be one of the following three types: (1) source connecting to a publisher that sends out the data packets; (2) destination connecting to a subscriber that receives the data packets; or (3) route node acting as an intermediate node in the path from the source to a destination. Each link e ∈ E is characterized by delay d(e) > 0 and bandwidth b(e) > 0. d(e) is related to the propagation delay and other delays of the link.

Table 1 Notations and symbols used in this section

| Symbol | Description |
|---|---|
| $b(e)$ | Bandwidth of the link e in G |
| $b_T$ | Bandwidth of the edge in tree T |
| $B_c$ | Bandwidth constraint |
| $B(T)$ | The total bandwidth of a multicast tree T |
| $d(e)$ | Delay of the link e in G |
| $d_T$ | Delay of the edge in tree T |
| $D$ | A set of destination nodes |
| $D_{\max}(T)$ | The maximum end-to-end delay of multicast tree |
| $D(P(T, v))$ | End-to-end delay along path P(T, v) |
| $E$, $e$ | The set of links in G, and a link in E, respectively |
| $LR(\alpha)$ | Lagrangian relaxation with Lagrangian multiplier α |
| $LR^*$ | The maximum of LR(α) |
| $G(V, E)$ | Communication network of WAC |
| $P(T, v)$ | Path from the root of T to v ∈ D, P(T, v) ⊆ T |
| $s$ | The source node |
| $T$ | A multicast tree from a source node to all nodes in D |
| $T_{\min}(w)$ | The min multicast tree with respect to weight w |
| $T_{\min}(b)$ | The min bandwidth tree with respect to the weight b |
| $T_{\min}(d)$ | The shortest delay tree with respect to the weight d |
| $T^*$ | The optimal tree |
| $V$, $v$ | The set of nodes, and a node in V, respectively |
| $w$ | Aggregate weight |
| $\alpha$, $\beta$, $\gamma$ | Lagrangian multipliers |

Fig. 1 Multicast routing framework for WAC in smart grid

The following assumptions are made, which are reasonable for WAC systems in smart grid: (1) The WAC PSN is relatively static as part of the smart grid infrastructure, and (2) the bandwidth resources are allocated in advance to each link in the WAC communication infrastructure. The bandwidth allocation does not change frequently for the communication infrastructure. If it changes significantly, the data management plane will be triggered to reconstruct the multicast tree.

On a network G(V, E), a source node s and a set of destination nodes D ⊆ V − {s} together are called a multicast group. A multicast tree T is rooted at s and spans all nodes in D. A path P(T, v) ⊆ T is the set of tree links connecting s to v ∈ D. The end-to-end delay along that path is

$$D(P(T, v)) = \sum_{e \in P(T, v)} d(e). \tag{1}$$

Thus, the maximum end-to-end delay of multicast tree is

$$D_{\max}(T) = \max_{v \in D} D(P(T, v)). \tag{2}$$

To achieve a short delay of the multicast tree in WAC, a multicast tree construction requires $\min D_{\max}(T)$. This is a classical Steiner tree problem. It is NP-complete (Oliveira and Pardalos 2005). Limited bandwidth leads to a bandwidth constraint to each multicast tree. The total bandwidth of a multicast tree T is

$$B(T) = \sum_{e \in T} b(e). \tag{3}$$

It should be capped by an upper limit $B_c$. Therefore, a multicast tree construction in a WAC PSN is described as

$$\min D_{\max}(T) \quad \text{s.t.} \quad B(T) \le B_c. \tag{4}$$

This is a bandwidth-constrained minimum Steiner tree problem. Its solution is a tree spanning a source and a set of destination nodes such that the maximum end-to-end delay is minimized under the bandwidth constraint.
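To make Eqs. (1) to (4) concrete, the following added example (not the chapter's BCMST algorithm) solves Eq. (4) exactly by enumerating every tree on a small constructed network and shows how tightening $B_c$ forces a longer maximum end-to-end delay. The six-node topology, its delay and bandwidth values, and the function names are assumptions made for illustration; exhaustive search is only workable at this toy size because the problem is NP-complete.

```python
from itertools import combinations

# Constructed network (assumed values): link -> (delay d(e), bandwidth b(e)).
EDGES = {
    ("s", "r1"): (2, 4), ("s", "r2"): (5, 1),
    ("r1", "d1"): (2, 4), ("r1", "d2"): (3, 4),
    ("r2", "d1"): (4, 1), ("r2", "d2"): (4, 1),
    ("r1", "r2"): (1, 2), ("d1", "d2"): (1, 3),
}
SOURCE = "s"
DESTS = {"d1", "d2"}

def path_delays(tree, source):
    """Return {node: delay from source} if `tree` is a tree containing source, else None."""
    adj = {}
    for u, v in tree:
        d = EDGES[(u, v)][0]
        adj.setdefault(u, []).append((v, d))
        adj.setdefault(v, []).append((u, d))
    if source not in adj:
        return None
    delay, stack = {source: 0}, [source]
    while stack:
        u = stack.pop()
        for v, d in adj[u]:
            if v not in delay:
                delay[v] = delay[u] + d      # Eq. (1): sum of d(e) along the tree path
                stack.append(v)
    # Connected (every endpoint reached) and acyclic (|E| = |V| - 1).
    if len(delay) != len(adj) or len(tree) != len(adj) - 1:
        return None
    return delay

def multicast_trees(source, dests):
    """Yield (D_max, B, tree) for every tree rooted at source that spans dests."""
    links = sorted(EDGES)
    for k in range(1, len(links) + 1):
        for tree in combinations(links, k):
            delay = path_delays(tree, source)
            if delay is None or not dests.issubset(delay):
                continue
            d_max = max(delay[v] for v in dests)      # Eq. (2)
            bw = sum(EDGES[e][1] for e in tree)       # Eq. (3)
            yield d_max, bw, tree

def bcmst(source, dests, b_c):
    """Exact solution of Eq. (4); ties on D_max are broken by lower B(T)."""
    feasible = [t for t in multicast_trees(source, dests) if t[1] <= b_c]
    return min(feasible) if feasible else None

def tradeoff(caps):
    """(B_c, D_max, B) for each cap; D_max and B are None when no tree fits."""
    rows = []
    for b_c in caps:
        best = bcmst(SOURCE, DESTS, b_c)
        rows.append((b_c, None, None) if best is None else (b_c, best[0], best[1]))
    return rows

if __name__ == "__main__":
    for b_c, d_max, bw in tradeoff([12, 10, 7, 2]):
        print(f"B_c={b_c:>2}  D_max={d_max}  B(T)={bw}")
```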

2.2 Problem-Solving with Lagrangian Relaxation

The construction of BCMST in a WAC network is NP-complete. Therefore, it is not realistic to find a theoretical optimum for the problem in a reasonable period of time. A viable way to solve the problem is to use heuristics. Lagrangian relaxation is such a heuristic method, which approximates a difficult optimization problem by a simpler one (Stachowiak and Zwierzykowski 2012). To relax the bandwidth constraint in Eq. (4), it is added into the objective function through a Lagrangian multiplier α. Thus, the optimization in Eq. (4) is converted to


Y. Ding and X. Li

$$\min D_{\max}(T) + \alpha \left( B(T) - B_c \right). \tag{5}$$

The basic idea of Lagrangian relaxation is to combine the bandwidth constraint and end-to-end delay via a parameter α to form an aggregate weight $w = d_T + \alpha \cdot b_T$ for each link, where $d_T$ is the delay of the edge in tree T and $b_T$ denotes the bandwidth of the edge in tree T. We have the following proposition for a lower bound of the optimization.

Proposition 1 Denote $LR(\alpha) = \min (d_T + \alpha (b_T - B_c))$. Then, $LR(\alpha)$ is a lower bound to Eq. (4) for any α ≥ 0.

Proof Let $T^*$ denote an optimal solution to Eq. (4). Then

$$LR(\alpha) = \min (d_T + \alpha b_T) - \alpha \cdot B_c \le d_{T^*} + \alpha (b_{T^*} - B_c) \le d_{T^*}.$$

To obtain the best lower bound, $LR(\alpha)$ is maximized with respect to α, i.e.,

$$LR^* = \max_{\alpha \ge 0} LR(\alpha).$$

Any solution feasible to the original problem will certainly suit the relaxation condition as well. Thus, a lower bound of the original problem is obtained. If the current tree is not feasible for the constraining condition, the dominance of the condition in the aggregate weight function is increased. This will force the solution to approach the optimal solution and also reduce the difference between the obtained lower bound and the optimal solution to the original problem.

Let $T_{\min}(w)$ denote the minimum multicast tree with respect to the aggregate weight w between s and D found by a Steiner tree construction algorithm. We have the following proposition for a comparison of two multicast trees:

Proposition 2 If $T_1 = T_{\min}(d_{T_1} + \alpha \cdot b_{T_1})$, $T_2 = T_{\min}(d_{T_2} + \beta \cdot b_{T_2})$, α ≥ 0, β ≥ 0, and α ≤ β, then $b_{T_1} \ge b_{T_2}$ and $d_{T_1} \le d_{T_2}$ hold.

Proof As T1 is the minimum multicast tree when the link is weighted by d + α · b, we have

$$d_{T_1} + \alpha \cdot b_{T_1} \le d_{T_2} + \alpha \cdot b_{T_2}. \tag{6}$$

Similarly, the following inequality holds:

$$d_{T_2} + \beta \cdot b_{T_2} \le d_{T_1} + \beta \cdot b_{T_1}. \tag{7}$$

Combining these two inequalities gives

$$\beta b_{T_2} \le d_{T_1} + \beta b_{T_1} - d_{T_2} \le d_{T_2} + \alpha b_{T_2} - \alpha b_{T_1} + \beta b_{T_1} - d_{T_2} = \alpha b_{T_2} + (\beta - \alpha) b_{T_1}.$$

Thus, $b_{T_1} \ge b_{T_2}$ holds. Moreover, it follows from Eq. (6) that

$$d_{T_1} \le d_{T_2} + \alpha (b_{T_2} - b_{T_1}) \le d_{T_2}.$$

Remark 1 Proposition 2 gives an insight into the impact of Lagrangian multiplier α on the end-to-end delay and bandwidth performance. The larger the α value is, the smaller the bandwidth consumption is while the longer the end-to-end delay is. This implies that a trade-off between the end-to-end delay and bandwidth requirement can be achieved by appropriately choosing α for computing the mixed weight. The following proposition quantifies the range of α.

Proposition 3 Let $T_1 = T_{\min}(d_{T_1} + \alpha \cdot b_{T_1})$, $T_2 = T_{\min}(d_{T_2} + \beta \cdot b_{T_2})$, $T_3 = T_{\min}(d_{T_3} + \gamma \cdot b_{T_3})$, where β ≤ γ, $b_{T_2} \ne b_{T_3}$, and $\alpha = \frac{d_{T_3} - d_{T_2}}{b_{T_2} - b_{T_3}}$. Then, $d_{T_2} \le d_{T_1} \le d_{T_3}$ and $b_{T_2} \ge b_{T_1} \ge b_{T_3}$ hold.

Proof From Proposition 2, it is only necessary to prove that β ≤ α ≤ γ. As T2 is the minimum multicast tree when the link is weighted by d + β · b, we have

$$d_{T_2} + \beta b_{T_2} \le d_{T_3} + \beta b_{T_3}.$$

Moreover, β ≤ γ implies that $b_{T_2} \ge b_{T_3}$ and $d_{T_2} \le d_{T_3}$. As $d_{T_2} \ne d_{T_3}$, the above inequality can be rewritten as

$$\beta \le \frac{d_{T_3} - d_{T_2}}{b_{T_2} - b_{T_3}} = \alpha.$$

Similarly, it can be proved that α ≤ γ.

Remark 2 Proposition 3 means that with $\alpha = \frac{d_{T_3} - d_{T_2}}{b_{T_2} - b_{T_3}}$, the resulting minimum multicast tree T1 has a delay between the delays of trees T2 and T3 and a bandwidth between the bandwidth consumptions of the two trees.

2.3 Algorithm Design

With the theoretical results derived above, an iterative BCMST algorithm is designed in this section to solve the constrained optimization problem in Eq. (5). The whole process is given in Algorithm 1, which is described below.

1. Initialization in Lines 1 to 3. BCMST begins with the shortest delay multicast tree Tmin (d), i.e., T2, and the minimum bandwidth multicast tree Tmin (b), i.e., T3. Tmin (d) is a tree such that the end-to-end delay between the root s and any node v ∈ D is exactly the same as the shortest path between s and v with respect to Gdelay. Tmin (b) is a tree whose total bandwidth is minimum with respect to Gbandwidth. Tmin (d) is obtained first. If it meets the bandwidth constraint Bc, then it is an optimal solution. If the maximum end-to-end delay of Tmin (b) is the same as that of Tmin (d), then Tmin (b) is an optimal solution. Otherwise, a balance between bandwidth and delay is found to make a multicast tree meet the requirement of Eq. (5). Solving the problem in Eq. (5) involves the conflicting goals of minimum bandwidth and minimum end-to-end delay. Although Tmin (d) minimizes the end-to-end delay between the source and any destination, its bandwidth usage may be unbounded and larger than optimal. On the other hand, Tmin (b) minimizes the bandwidth usage but may have end-to-end delay unbounded and longer than that of Tmin (d). This motivates a trade-off between Tmin (d) and Tmin (b) using Lagrangian relaxation.

2. Iteration in Lines 4 to 10. The trade-off process is realized by adjusting Lagrangian multiplier α. A different α value gives a different aggregate weight. α is obtained firstly by T2 and T3. According to Proposition 3, the resulting tree T1 with this α value meets the properties: dT1 ∈ [dT2, dT3] and bT1 ∈ [bT3, bT2]. If T1 has the same delay and bandwidth as T2 or T3, T3 is returned as the solution. Otherwise, the bandwidth of T1 is checked to see if it is less than Bc. If the bandwidth of T1 is bigger than Bc, T2 is updated with a better solution T1 since T1 has a lower bandwidth. Otherwise T3 is updated with a better solution T1 since T1 has a lower delay. Then, the algorithm enters the next iteration to calculate a new α value and find a better solution. In each iteration, either T3 is updated with a better solution T1 in the sense that T1 has a lower delay, or T2 is updated with a better solution T1 in the sense that T1 has a lower bandwidth.

To illustrate the algorithm, Fig. 2a shows an example graph G with source E and destination set {H, C, B, G}. The bandwidth constraint Bc = 30. Figure 2b shows the shortest delay tree T2 and the minimum bandwidth tree T3 both marked by thick blue lines. If the bandwidth of the shortest delay tree meets the bandwidth constraint, this tree is the solution. Otherwise, Algorithm 1 enters a loop to find a tree that balances the bandwidth and delay by adjusting α. This example starts with α = 0.7826 (Proposition 3) in the left graph of Fig. 2c. The resulting w is also shown in the same graph. The minimum weight tree T1 of the left graph of Fig. 2c is marked by the thick red lines with B(T1) = 23 and Dmax (T1) = 24. The bandwidth of T1 meets the bandwidth constraint, thus T3 is replaced by the current better tree T1. The loop continues. α is calculated again: α = (24 − 18)/(42 − 23) = 0.3158 (Proposition 3). The resulting w is also shown in the right graph of Fig. 2c. The minimum weight tree T1 of the right graph of Fig. 2c is marked by the thick red lines with B(T1) = 26 and Dmax (T1) = 18. The loop continues. α = 0 is obtained. T1 is constructed with respect to the weight delay. However, Dmax (T1) = 18 is the same as Dmax (T3) = 18, and B(T1) = 26 is the same as B(T3) = 26. Thus, the loop terminates. The resulting multicast tree is T3 in the last loop as shown in Fig. 2c. The bandwidth of the multicast tree falls between 42 and 19, and the delay falls between 36 and 18.
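The iteration described above can be traced in code. The following Python example is added here and is not the chapter's Algorithm 1 listing: it assumes a constructed six-link network (not the graph of Fig. 2) and stands in for the Steiner tree construction algorithm Tmin(w) with brute-force enumeration of every tree, which is only practical on toy graphs. The function names and the handling of a cap that no tree can meet are assumptions.

```python
from fractions import Fraction
from itertools import combinations

# Constructed toy network (not the graph of Fig. 2): link -> (delay, bandwidth).
LINKS = {
    ("s", "x"): (2, 10), ("s", "y"): (2, 10), ("x", "y"): (3, 2),
    ("s", "m"): (4, 2), ("m", "x"): (4, 2), ("m", "y"): (4, 2),
}


def candidate_trees(links, source, dests):
    """Every tree containing `source` and all `dests`, as (D_max, B, edges).

    Brute force replaces the Steiner tree construction step; trees with
    surplus leaf links are kept but never win because they only add bandwidth.
    """
    trees = []
    edges = list(links)
    for size in range(1, len(edges) + 1):
        for subset in combinations(edges, size):
            adj = {}
            for u, v in subset:
                adj.setdefault(u, []).append((v, links[(u, v)][0]))
                adj.setdefault(v, []).append((u, links[(u, v)][0]))
            if source not in adj:
                continue
            delay = {source: 0}
            stack = [source]
            while stack:
                u = stack.pop()
                for v, d in adj[u]:
                    if v not in delay:
                        delay[v] = delay[u] + d
                        stack.append(v)
            # Connected and |edges| = |nodes| - 1, so the subset is a tree.
            if len(delay) != len(adj) or len(subset) != len(adj) - 1:
                continue
            if not all(v in delay for v in dests):
                continue
            d_max = max(delay[v] for v in dests)        # Eq. (2)
            b_tot = sum(links[e][1] for e in subset)    # Eq. (3)
            trees.append((d_max, b_tot, subset))
    return trees


def bcmst(links, source, dests, b_cap, max_iter=50):
    """Lagrangian iteration for Eq. (4); returns (D_max, B, edges) or None."""
    trees = candidate_trees(links, source, dests)
    t2 = min(trees, key=lambda t: (t[0], t[1]))   # T_min(d): shortest delay
    if t2[1] <= b_cap:
        return t2
    t3 = min(trees, key=lambda t: (t[1], t[0]))   # T_min(b): least bandwidth
    if t3[1] > b_cap:
        return None   # assumption: report infeasibility when no tree fits
    if t3[0] == t2[0]:
        return t3
    for _ in range(max_iter):
        # Proposition 3: alpha = (d_T3 - d_T2) / (b_T2 - b_T3), kept exact.
        alpha = Fraction(t3[0] - t2[0], t2[1] - t3[1])
        t1 = min(trees, key=lambda t: (t[0] + alpha * t[1], t[1], t[0]))
        if t1[:2] in (t2[:2], t3[:2]):
            return t3                 # no tree strictly between T2 and T3
        if t1[1] > b_cap:
            t2 = t1                   # still over the cap, lower bandwidth
        else:
            t3 = t1                   # feasible, lower delay
    return t3


if __name__ == "__main__":
    for cap in (25, 15, 10, 5):
        print(cap, bcmst(LINKS, "s", ["x", "y"], cap))
```

With the cap at 15 the first multiplier is 3/7 and selects the tree with delay 5 and bandwidth 12; the second multiplier, 3/8, finds nothing strictly between the two bracketing trees, so that tree is returned.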

3 Low-Latency Multicast for Multiple Multicast Trees with Shared Links in WANs

This section presents a low-latency multicast scheme for multiple multicast trees with shared links in WANs. It is composed of problem formulation and analysis, problem-solving with constrained optimization, and algorithm design. The notations used in the section are listed in Table 2.

3.1 Problem Formulation and Analysis

Fig. 2 (a) Example graph G with (bandwidth, delay) along edges. (b) T2 constructed by Tmin (d) and T3 constructed by Tmin (b). (c) The minimum weight tree with α = 0.7826 and the minimum weight tree with α = 0.3158

As shown in Fig. 3, a phasor data concentrator (PDC) uses multicast (red thick arrows) to send control commands to some phasor measurement units (PMUs). The commands may direct the PMUs to start or pause streaming data or to change their sampling rates. Meanwhile, the power grid control center uses multicast (green thin arrows) to send control commands to a few substations to control circuit breakers for some control actions. These two multicast trees share a link. This shared link has a high possibility of traffic congestion.

Fig. 3 Multiple multicast trees with shared links for routing in smart grid

With considerations of reliability and security in smart grid, it is generally suggested that the computations for multicast routing be conducted offline (Gjermundrod et al. 2009; Kumar et al. 2012; Goodney et al. 2013). Thus, constructing an offline multicast tree between a publisher and multiple subscribers becomes essential for multicast routing in smart grid. An algorithm for multicast tree construction is referred to as a multicast tree (construction) algorithm in this paper.

Table 2 Notations and symbols used in this section
bij: Bandwidth of the link between node i and j
BCij: Edge betweenness centrality of edge e(i, j)
dij, dv w: Delay of the indicated links in G and G , respectively
D: A set of destination nodes
Dmax(T): The maximum end-to-end delay of multicast tree
D(P(T, v)): End-to-end delay along the path P(T, v)
D(P(G, v, w)): End-to-end delay along the path from node v to w in G
E, E: The sets of links in G and G , respectively
e(i, j), e (i, j): Links between nodes i and j in G and G , respectively
G(V, E): Communication network of WAC
G (V , E ): The complete graph of G(V, E)
kij: BC-to-bandwidth ratio on edge e(i, j) in G
kv w: BC-to-bandwidth ratio on edge e (v , w ) in G
K(P(G, v, w)): BC-to-bandwidth ratio along the path from v to w in G
Ng: The number of multicast group members
Nn: The number of nodes in G
Nl: The number of leaves on a SPT
P(T, v): Path from the root of T to v ∈ D, P(T, v) ⊆ T
P(G, v, w): The set of the links connecting node v to w in G
r: Packet rate measured by packets per unit time
rc: Critical data packet injection rate
rcSPT: Critical data packet injection rate for SPT
rij: The number of packets that arrive at e(i, j)
r ij: The average number of packets that arrive at e(i, j)
s: Source node
T: A multicast tree rooted at s and spanning the nodes in D
V, V: The sets of nodes in G and G , respectively
σst: The number of shortest paths going from s to t
σst(i, j): The number of shortest paths from s to t via edge e(i, j)
Delay tolerance

A formal description of the multicast tree construction problem is given below. Define the communication network of smart grid as an undirected network G(V, E), where V represents the set of nodes and E stands for the set of the links among the nodes. Publishers and subscribers connect to the network via a node belonging to set V by their physical networking proximity. The nodes in V can be one of the following three types: (1) source node connecting to a publisher that sends out the data packets; (2) destination node connecting a subscriber that receives the data packets; and (3) route node acting as an intermediate node in the path from the source to a destination. Each link e(i, j) ∈ E is characterized by delay dij and bandwidth bij. dij > 0 is a constant real value related to the propagation delay and other possible delay of the link. bij > 0 is a real value of the bandwidth of the link.

Before formulating the problem of multicast routing, the following assumptions are made for PSN communications in smart grid: (1) The communication network is relatively static as part of the smart grid infrastructure, and (2) the bandwidth resources are allocated in advance to each link in the communication infrastructure. The bandwidth allocation does not change frequently for the communication infrastructure. If it changes significantly, the routing control will reconstruct the multicast tree.

A network G(V, E) involves a source node s and a set of destination nodes D ⊆ V − {s}, which form a multicast group. A multicast tree T is rooted at s and spans the nodes in D. A path P(T, v) ⊆ T is a set of tree links from s to v ∈ D. The end-to-end delay along that path is

$$D(P(T, v)) = \sum_{e(i,j) \in P(T, v)} d_{ij}. \tag{8}$$

Thus, the maximum end-to-end delay of a multicast tree is

$$D_{\max}(T) = \max_{v \in D} D(P(T, v)). \tag{9}$$

To achieve a short delay of the multicast tree in WAC, constructing a multicast tree in WAC networks requires $\min D_{\max}(T)$.


This is a classical Steiner tree problem. It is NP-complete (Oliveira and Pardalos 2005). A key requirement in smart grid communications is to achieve low-latency performance. The shortest latency is obtained when the multicast tree consists of only the shortest delay paths from the source s to the destination nodes in D. Such a tree is known as a shortest path tree (SPT), e.g.,

$$T^{SPT} = \{\min D(P(T, v)),\ \forall v \in D\}. \tag{10}$$

Since all the latencies from s to destination nodes in D cannot be shortened anymore in SPT, the latency becomes the minimum for each source-destination pair. SPT seems a natural choice of multicast tree construction for smart grid. However, if each multicast tree is constructed on the basis of SPT, the actual delay on the multicast tree is longer than the delay obtained by the single tree due to the link sharing from multiple multicast trees. The shared links have a high possibility of traffic congestion. The congested links cause a longer queuing delay. Consequently, only if there is no packet waiting for transmission in the queue of each link on a network can SPT routing give the shortest delay. If there is a packet waiting for transmission in the queue of any link, SPT cannot guarantee the shortest delay. In this case, it is necessary to construct another optimal multicast tree T* as a replacement for SPT to satisfy the delay requirements of smart grid. It is formally described as follows:

$$\min D_{\max}(T) = \begin{cases} D_{\max}(T^{SPT}), & \text{if } \forall e(i,j) \in T^{SPT} \text{ and } r_{ij} \le b_{ij} \\ D_{\max}(T^{*}), & \text{if } \exists e(i,j) \in T^{SPT} \text{ and } r_{ij} > b_{ij} \end{cases} \tag{11}$$

where rij is the number of packets arriving at e(i, j). rij ≤ bij indicates that the bandwidth of link e(i, j) is enough to transmit all the packets arriving at e(i, j) without any packet waiting for transmission. For all e(i, j), no packet waiting for transmission implies that the network stays in a free flow state. rij > bij indicates the bandwidth of link e(i, j) is not enough to transmit all the packets arriving at e(i, j), and there is one or more packets waiting for transmission on e(i, j). Any packet waiting for transmission in the queue of some links means that the network enters a congested state. $T^{SPT}$ guarantees the shortest delay with the free flow state of a network. However, if a network enters a congested state when $T^{SPT}$ is used, the optimal multicast tree T* in Eq. (11) needs to be solved so that the congested state could be avoided. To solve Eq. (11), two sub-problems need to be solved, which are addressed throughout this chapter:

1. With SPT in multicast routing, when does the network switch from the free flow state to the congested state?
2. If the network enters the congested state caused by SPT, how to construct the optimal multicast tree T* to avoid the congested state of a network?


In order to solve Eq. (11), a theoretical analysis is offered for the conditions under which the network switches from the free flow state to the congested state when using SPT. From the theoretical results, the solving of the optimal multicast tree T* in Eq. (11) is transformed to a constrained optimization problem. After that, a heuristic solution is proposed for the constrained optimization problem. To quantify the conditions under which the network switches from the free state to the congested state when using SPT, the simplest data traffic transmission model is used to analyze the free flow state and the congested state when the shortest delay path is used as routing. Then, the analysis results are extended to SPT routing. Traffic congestion on a network is generally related to three factors: data rate r, route selection, and network topology. To observe how these three factors affect traffic congestion, the simplest data traffic transmission model is considered. (1) Traffic generation: at each time unit, there are r packets injected into the Nn node network with randomly chosen sources and destinations. (2) Traffic transmission: at each time unit, link e(i, j) can deliver at most bij packets one step toward their destination according to the shortest delay path. The link capacity bij is related to the bandwidth of e(i, j). Each node has a separate “first-in first-out (FIFO)” queue; and (3) traffic removal: once reaching its destination, a packet is removed from the network. It is found that there is a phase transition from free flow to congestion when r grows gradually (Barabasi and Albert 1999; Yan et al. 2006). Given the shortest delay routing and network topology, it is essential to estimate the overall transportation capability of the network, which can be characterized by the critical data rate rc around which a phase transition takes place from free flow to congestion. 
This means that the network is in free flow state when r < rc but will be congested when r > rc. The network topology is correlated with traffic dynamics on the network. The most important graph metric bridging these two aspects is the betweenness centrality (BC). It is useful in the theoretical estimate of rc. BC quantifies the number of the shortest paths going through an edge e(i, j) in a network (Newman 2001):

$$BC_{ij} = \sum_{s \ne t} \frac{\sigma_{st}(i, j)}{\sigma_{st}}, \tag{12}$$

where σst is the number of shortest paths going from s to t and σst(i, j) is the number of shortest paths going from s to t and passing through link e(i, j). This particular metric specifies the possible amount of traffic an edge needs to handle when the shortest delay routing strategy is used. According to the simplest data traffic transmission model, the average number of packets arriving at e(i, j) is (Guimera et al. 2002; Zhao et al. 2005)

$$r_{ij} = \frac{2r \cdot BC_{ij}}{N_n (N_n - 1)}. \tag{13}$$

Equation (13) indicates that the traffic carried by an edge is proportional to BCij. The link e(i, j) can deliver at most bij packets per unit time toward their destination according to the shortest delay path. Thus, a link becomes jammed when $r_{ij} > b_{ij}$. The BC-to-bandwidth ratio kij on e(i, j) is defined as

$$k_{ij} = BC_{ij} / b_{ij}. \tag{14}$$

Congestion firstly occurs at the edge with the largest kij. rc can be estimated as

$$r_c = \frac{1}{2} \cdot \frac{N_n (N_n - 1)}{\max(k_{ij})}. \tag{15}$$

This relationship is intuitive in that the edge with large edge BC and small transferring capacity is more susceptible to packet congestion and congestion on this edge will quickly spread over the network. SPT is composed of only the shortest delay paths from source s to the destination nodes in D. In SPT, the routing for each source-destination pair takes place along the shortest delay path. If SPT is used in the simplest data traffic transmission model, then the actual data packets the source generates are proportional to the number of leaves Nl on SPT when injecting r packets into the source of SPT. Consequently, the critical data packet injection rate for SPT $r_c^{SPT}$ is estimated as

$$r_c^{SPT} = r_c / N_l, \quad N_l \in [1, N_g - 1]. \tag{16}$$

$r_c^{SPT}$ reflects the maximum capability of a network for handling its traffic. For r < $r_c^{SPT}$, the number of created and delivered packets are balanced, leading to steady free flow traffic. For r ≥ $r_c^{SPT}$, traffic congestion occurs as the number of accumulated packets increases with time due to the limited network capacity. $r_c^{SPT}$ is a critical value for which a phase transition takes place from free flow to congestion in the process of SPT routing.
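Equations (12) to (16) can be evaluated directly on a small topology. The following Python code is an added example, not code from the chapter: it computes edge betweenness over delay-weighted shortest paths with Brandes-style accumulation, then derives kij, rc, the SPT rate and the links that Eq. (13) predicts to be overloaded at a given r. The five-node network and all function names are constructed for illustration, and counting each unordered node pair once in Eq. (12) is an assumption about the convention behind the factor 2 in Eq. (13).

```python
import heapq
from collections import defaultdict

# Constructed sample network (not from the chapter): link -> (delay, bandwidth).
NODES = ["A", "B", "C", "D", "E"]
LINKS = {
    ("A", "B"): (1, 8), ("B", "C"): (1, 2), ("B", "D"): (1, 4),
    ("C", "E"): (1, 4), ("D", "E"): (1, 4),
}


def _key(u, v):
    """Canonical name of an undirected link."""
    return (u, v) if u <= v else (v, u)


def edge_betweenness(nodes, links):
    """BC_ij of Eq. (12) on delay-weighted shortest paths.

    Assumption: every unordered pair {s, t} contributes once.
    Delays must be positive, as the chapter requires (d_ij > 0).
    """
    adj = defaultdict(list)
    for (u, v), (delay, _bw) in links.items():
        adj[u].append((v, delay))
        adj[v].append((u, delay))
    bc = {_key(u, v): 0.0 for (u, v) in links}
    for s in nodes:
        # Dijkstra from s, counting shortest paths (sigma) and predecessors.
        dist, sigma, preds = {s: 0}, defaultdict(float), defaultdict(list)
        sigma[s] = 1.0
        order, done, heap = [], set(), [(0, s)]
        while heap:
            du, u = heapq.heappop(heap)
            if u in done:
                continue
            done.add(u)
            order.append(u)
            for v, delay in adj[u]:
                nd = du + delay
                if v not in dist or nd < dist[v]:
                    dist[v], sigma[v], preds[v] = nd, sigma[u], [u]
                    heapq.heappush(heap, (nd, v))
                elif nd == dist[v] and v not in done:
                    sigma[v] += sigma[u]
                    preds[v].append(u)
        # Back-propagate path shares from the farthest node towards s.
        delta = defaultdict(float)
        for v in reversed(order):
            for u in preds[v]:
                share = sigma[u] / sigma[v] * (1.0 + delta[v])
                bc[_key(u, v)] += share
                delta[u] += share
    # Each unordered pair was visited from both of its endpoints.
    return {e: x / 2.0 for e, x in bc.items()}


def bc_to_bandwidth(nodes, links):
    """k_ij = BC_ij / b_ij, Eq. (14)."""
    bc = edge_betweenness(nodes, links)
    return {_key(u, v): bc[_key(u, v)] / bw
            for (u, v), (_d, bw) in links.items()}


def critical_rate(nodes, links):
    """r_c of Eq. (15): injection rate at which the worst link saturates."""
    n = len(nodes)
    return n * (n - 1) / (2.0 * max(bc_to_bandwidth(nodes, links).values()))


def critical_rate_spt(nodes, links, n_leaves):
    """r_c^SPT of Eq. (16) for an SPT with n_leaves leaves."""
    return critical_rate(nodes, links) / n_leaves


def overloaded_links(nodes, links, r):
    """Links whose average arrivals from Eq. (13) exceed b_ij at rate r."""
    n = len(nodes)
    bc = edge_betweenness(nodes, links)
    hot = [_key(u, v) for (u, v), (_d, bw) in links.items()
           if 2.0 * r * bc[_key(u, v)] / (n * (n - 1)) > bw]
    return sorted(hot)


if __name__ == "__main__":
    print(bc_to_bandwidth(NODES, LINKS))
    print(critical_rate(NODES, LINKS), overloaded_links(NODES, LINKS, 6))
```

In this sample the link A–B carries the most shortest paths, yet B–C saturates first because its bandwidth is lowest relative to its betweenness, which is the effect kij is defined to capture.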

3.2 Problem-Solving with Constrained Optimization

A free and uncongested traffic flow enables SPT to achieve the shortest latency. Once the network is congested, it is necessary to reconstruct multicast trees to alleviate the congestion. The reconstruction of the optimal multicast tree T* is formalized as a constrained optimization problem in this section. Then, a heuristic method is designed to solve the constrained optimization problem.

3.2.1 Constrained Optimization

In a PSN supporting multicast routing for WAC, the management plane is responsible for monitoring the data packet injection rate r of the whole network. When r < $r_c^{SPT}$, it leads SPT to get the best latency performance. When r ≥ $r_c^{SPT}$, the multicast tree needs to be reconstructed in order to alleviate any possible congestion. Congestion is more likely to occur on the edge with a large BC-to-bandwidth ratio. Thus, traffic congestion can be alleviated by redistributing data traffic from the edges with large BC-to-bandwidth ratio values to the edges with smaller BC-to-bandwidth ratio values in the reconstruction of the multicast tree. This requires minimizing the sum of all BC-to-bandwidth ratio values of the multicast tree, i.e.,

$$\min \sum_{e(i,j) \in T} k_{ij}. \tag{17}$$

This is a classical minimum Steiner tree problem. It is known to be NP-complete (Oliveira and Pardalos 2005). As all end-to-end delays in SPT cannot be compressed anymore, the reconstructed multicast tree inevitably leads to end-to-end latencies bigger than those from SPT in the free flow state. Nevertheless, the resulting delays must be capped by the delay tolerance  of smart grid applications, i.e. max (D (P (T , v)))  . v∈D

(18)

Therefore, reconstructing a multicast tree is formally described as a constrained optimization problem ⎧ ⎨ min

e(i,j )∈T

kij

⎩ s.t. max (D (P (T , v)))  

(19)

v∈D

where D(P(T, v)) and kij are calculated from Eqs. (8) and (14), respectively. Equation (19) is a delay-constrained Steiner tree (DCST) problem. It is still NP-complete. This problem requires finding a tree spanning a source and a set of destinations such that the sum of all BC-to-bandwidth ratio values of a multicast tree is minimized subject to the delay constraint. The problem is defined as a minimum BC-to-bandwidth ratio tree (BCBT) problem. BCBT is used as the optimal multicast tree T* to avoid the congested state of a network with SPT routing.

3.2.2 Heuristics for BCBT

The construction of BCBT is NP-complete. Therefore, it is not realistic to find a theoretical optimum of the problem in a reasonable period of time. A viable way to solve the problem is to use heuristics. A heuristic method is proposed to solve the problem, named BCBT. It includes three steps.

1. Construct a complete graph. The original network is abstracted to a complete graph, in which the nodes represent the source and the destinations in the multicast group and the edges represent the shortest BC-to-bandwidth ratio paths between these nodes within the delay bound. A path P(G, v, w) consists of a set of links from v to w in the network G(V, E). The end-to-end delay along the path is

$$D(P(G, v, w)) = \sum_{e(i,j) \in P(G, v, w)} d_{ij}. \tag{20}$$

The sum of the BC-to-bandwidth ratios along the path is

$$K(P(G, v, w)) = \sum_{e(i,j) \in P(G, v, w)} k_{ij}. \tag{21}$$





The complete graph of the original network is G (V , E ), where V  = s ∪ D              and E = {{v , w }  v ∈ V , w ∈ V , and v = w }. Each link e (v , w ) ∈ E is characterized by delay dv  w , and BC-to-bandwidth ratio kv  w kv  w , =

min  

D(P (G,v ,w ))

   K P G, v  , w  .

(22)

Then, dv  w is determined by the path corresponding to kv  w . 2. Construct a constrained spanning tree. A greedy algorithm is used to add edges to a sub-tree of the constrained spanning tree until all nodes are covered in the  graph G . 

Assume that v is in the tree constructed so far. It is necessary to decide whether   or not to include node w adjacent to v in terms of   f⎧ v  , w  = ⎪ kv  w ⎨

 − D(P (G ,s,v  ))+dv  w

⎪ ⎩∞ 



   D P G , s, v  + dv  w <  otherwise 

(23)

where D(P(G , s, v )) is the delay on the path from s to v in the spanning tree    constructed so far. dv  w is the delay between v and w in G . kv  w is the BC-to   bandwidth ratio between v and w in G . They are already calculated in the first step. The select function in Eq. (23) uses both BC-to-bandwidth ratios and delay explicitly. It chooses the edges with low BC-to-bandwidth ratios but modulates the


choice by picking up the edges that maximize the residual delay. This leads to a tendency to compress the end-to-end delay.

3. Construct the final multicast tree. The final delay-constrained multicast tree is obtained by expanding the edges of the minimum spanning tree into the shortest paths. Any loops resulting from the expansion are removed.

3.2.3 Algorithm Design

When r < $r_c^{SPT}$, multicast routing is executed as the SPT algorithm shows. When r ≥ $r_c^{SPT}$, multicast routing is executed by the heuristics derived above. A heuristic algorithm, namely, BCBT, is designed in this section to solve the constrained optimization problem in Eq. (19). The whole process is given in Algorithm 2. It is described below.

1. Computation of BC-to-bandwidth ratio kij in Lines 1 to 3. Computed from Eq. (12), BCij is the edge betweenness centrality of edge e(i, j) on G(V, E) with weight delay d. For each link, kij is calculated from Eq. (14).
2. Construction of a complete graph in Lines 4 to 7. In order to compute the complete graph G , all-pairs paths among the nodes in V are computed based on Eq. (22).
3. Construction of a constrained spanning tree in Lines 8 to 19. The greedy algorithm is used to construct the constrained spanning tree T on the complete graph G . The select function is defined as Eq. (23).
4. Construction of the final multicast tree in Lines 20 to 22. The final tree T is obtained by expanding each edge e (v , w ) of tree T into the paths P(G, v , w ) recorded in Lines 4 to 7. Any possible loop in T is required to be removed.

To illustrate the algorithm, Fig. 4a shows an example graph G with source E and destination set {H, C, B, G}. The delay constraint  = 20. Figure 4b shows graph G with computed weight (k, delay) on each edge. Figure 4c shows the complete graph G with (k, delay) along edges. Figure 4d shows the constrained spanning tree on G after the greedy algorithm with select function Eq. (23). Figure 4e gives the final multicast tree (thick lines) after expanding.

The complexity of BCBT is analyzed from the three steps in the heuristics for BCBT. The first step, computing the complete graph, consumes the most time in BCBT. Equation (22) in the first step has the time complexity O Nn3  . 
This is because (1) the computation loops over all pairs of nodes and over all intermediate nodes such as the shortest path algorithm and (2) it also loops over all possible values of delay from 1 to ( − 1). The second step, constructing the constrained spanning

 tree on the complete graph with Ng nodes, has the time complexity of O Ng3 . The third step, expanding the tree into the final multicast tree, has the complexity of O(Ng Nn ) for Ng edges each to be expanded into at most N n edges    and remove loops. Therefore, the complexity of BCBT is O Nn3  + O Ng3 +   O Ng Nn .

Fig. 4 (a) Example graph G with (bandwidth, delay) along edges. (b) G with (k, delay) along edges after the computation of BC-to-bandwidth ratio. (c) The complete graph G with (k, delay) along edges. (d) The constrained spanning tree on G . (e) The final multicast tree

Both BCBT and SPT are implemented centrally on the data management plane of PSN. If they are partially implemented on the control plane of SDN, this approach becomes an SDN-based PSN solution for multicast routing in smart grid.

4 Low-Latency Constrained Broadcast in NANs

This section presents a low-latency constrained broadcast in NAN. It is composed of problem formulation, constrained optimization and solving, and an illustrative example. The notations used in the section are listed in Table 3.

4.1 Problem Formulation

As shown in Fig. 5, the control center of the smart grid monitors the running status and maintains the reliability of the grid. Real-time commands need to be sent to the demand side (e.g., homes and buildings) in case of emergency events to prevent cascade failures of the grid. The commands traverse through the WAN, utility access points (UAPs), and NANs to HANs. In the NAN, the commands need

27 Low-Latency Multicast and Broadcast Technologies for Real-Time. . .

881

Table 3 Notations and symbols used in this section α c , α nc

Layer-to-layer reliability control factors in (0,1) for core nodes and non-core nodes, respectively ds, i End-to-end broadcast latency from node s to i ∈ V E The set of edges in V G(V + s, E): NAN with access point s, node set V and edge set E hij The number of hops between nodes i and j in V Li The set of lower-layer neighbors of node i N The number of nodes in V pi,j , p˜ i,j Packet delivery ratio and packet loss ratio, respectively, of the link between nodes i and j Pc,i , P˜c,i The probabilities that node i as a core node receives and does not receive the command, respectively Pnc,i , P˜nc,i : The probabilities that node i as a non-core node receives and does not receive the command, respectively P˜U,c,i , P˜S,c,i : The probabilities that node i as a core node does not receive the command from its upper-layer and same neighbors, respectively P˜U,nc,i , P˜S,nc,i , P˜L,nc,i : The probabilities that node i does not receive the command from its upper-layer, same-layer and lower-layer core nodes when node i is a non-core node Ri Layer-to-layer reception reliability of node i s Utility access point Si , The set of same-layer neighbors of node i Ui The set of upper-layer neighbors of node i V The set of all NAN nodes except s Vc , Vnc The sets of core and non-core nodes, respectively zi Binary for node i, zi = 1 (core node) or 0 (non-core) zk, j zk, j = 1 if both k and j are core nodes, or 0 otherwise

to be broadcast simultaneously to a large number of nodes on the demand side. The end-to-end broadcast delay, ds, i , should be minimized for best control performance (Rajalingham et al. 2013; Kansal and Bose 2012). Here, a smart grid NAN can be formalized as a mesh graph G(V + s, E), where V represents the set of nodes (e.g., smart meters) in the neighborhood area, s denotes the UAP, and E stands for the set of wireless connections between NAN nodes. The UAP s serves as the source of traffic and the nodes in V are destinations. Each link in E has a specified reliability pi, j , ∀ i, j ∈ V + s, due to intrinsic properties of wireless technologies as shown in Fig. 5. In smart grid, a NAN is mainly composed of smart meters and other devices, which continuously operate for years after their deployment. The smart meters have relatively fixed positions. Their neighbors also remain unchanged for a certain period of time. Thus, NANs have a relatively static network topology. From these NAN characteristics, the following assumptions can be made for smart grid NANs: (1) All NAN nodes in V form a relatively static network topology; (2) all NAN nodes in V are continuously powered from the power grid, suggesting that energy

882

Y. Ding and X. Li

0.6

0.6 0.9 0.6

0.5 0.7

0.6 0.7

0.6

0.9

0.9 0.6

0.5

0.5

0.8

0.6

0.9

0.8

0.6

0.6 0.9 0.7

Fig. 5 NANs as part of the smart grid communication infrastructure

consumption is not an issue; and (3) due to the static NAN topology, the reliability of each link in $E$ can be determined a priori based on historical communications.

As real-time messages are broadcast from the UAP $s$ to all NAN nodes, the mesh network $G(V + s, E)$ can be converted into a multi-layer network by using breadth-first search as shown in Fig. 6. As a result, the broadcast of real-time messages in a NAN can be described as a constrained optimization problem. More specifically, for a mesh network $G(V + s, E)$, there is an end-to-end broadcast latency $d_{s,i}$ from the UAP $s$ to NAN node $i \in V$, giving $N$ such delays in the NAN. The aim is to minimize all these $N$ broadcast delays. This is subject to the constraints that the layer-to-layer reception reliability $R_i$ for each node $i \in V$ is greater than a specified threshold $\alpha_c$ or $\alpha_{nc}$. Therefore, the constrained optimization for low-latency broadcast over a NAN is conceptually formulated as

$$\begin{cases} \min\ d_{s,1},\ d_{s,2},\ d_{s,i},\ \cdots,\ d_{s,N} \\ \text{s.t.}\ \ R_i \ge \alpha_c,\ \forall i \in V_c \\ \phantom{\text{s.t.}\ \ } R_i \ge \alpha_{nc},\ \forall i \in V_{nc} \end{cases} \tag{24}$$

The constrained optimization problem in (Eq. 24) will be addressed throughout this study to minimize the broadcast latency. However, this is a multi-objective optimization problem, which cannot be solved directly. In the next section, an approach is presented to address this problem indirectly. In the approach, the multi-objective optimization problem is transformed into a single-objective optimization problem with a number of constraints. The key idea of the problem transformation is summarized as follows: It is understood that broadcast communications imply high network traffic. With broadcast traffic, the bandwidth of the NAN can be easily exhausted, leading to a rapidly increased number of transmission backoffs and consequently deteriorated broadcast latency performance. This situation is even more severe for wireless NANs, where the frequency spectrum resources for communications are very limited. From this understanding, the multi-objective optimization problem (Eq. 24) can be approximately transformed into minimizing the overall broadcast traffic in wireless NANs. The next section will present the constrained broadcast scheme with minimized latency (CBS-ML) for such a transformation.

Fig. 6 Hierarchical constrained broadcast process in a NAN (link labels shown in the figure: $P_{s,a}$, $P_{s,b}$, $P_{s,c}$, $P_{a,b}$, $P_{a,d}$, $P_{a,e}$, $P_{b,c}$, $P_{b,e}$, $P_{b,f}$, $P_{c,f}$, $P_{c,g}$, $P_{d,e}$, $P_{d,h}$, $P_{e,f}$, $P_{e,h}$, $P_{e,i}$, $P_{f,g}$, $P_{f,i}$, $P_{f,j}$, $P_{g,j}$, $P_{h,i}$, $P_{i,j}$)

4.2 Constrained Optimization and Solving

The CBS-ML is graphically depicted in Fig. 6. As shown in Fig. 6, a small number of NAN nodes are chosen as core nodes to form a non-empty core node set $V_c \subset V$. All other nodes are non-core nodes, which form a non-empty set $V_{nc} \subset V$. We have

$$V_c \neq \emptyset,\quad V_{nc} \neq \emptyset,\quad V_c \cup V_{nc} = V,\quad V_c \cap V_{nc} = \emptyset \tag{25}$$

The core nodes are selected based on network topology and link reliability, $p_{i,j}$. They form a connected sub-network with one hop to all non-core nodes in $V_{nc} \subset V$, i.e.

$$h_{ij} = 1,\quad \forall j \in V_{nc},\ \exists i \in V_c \tag{26}$$

For the CBS-ML, a layered graph will be derived below. A mathematical expression will be developed to quantify the objective function for the original problem (Eq. 24). Then, constraints will be established theoretically for the determination of core nodes and non-core nodes in the CBS-ML. After that, CBS-ML is formally formulated, which is followed by an algorithm design for the implementation of the CBS-ML.

4.2.1 Layered Graph $G(V + s, E)$

To formalize the constrained optimization problem for the CBS-ML, a smart grid NAN is modeled into a mesh graph as shown in Fig. 6. With the UAP $s$ as the root, the breadth-first search (BFS) algorithm is employed to classify all NAN nodes into different network layers (Fig. 6). After that, the layer of a NAN node is determined and remains unchanged throughout the following optimization process. In this way, the NAN is converted into a multi-layered graph, with which the real-time commands are broadcast from the UAP $s$ to all NAN nodes.

For the multi-layered graph as shown in Fig. 6, only a small number of NAN nodes are selected as core nodes. The selection process is based on network topology and link reliability. Together with the UAP $s$, the core nodes form a connected sub-network, which the broadcast process is limited to, e.g., s, B, E, and F in Fig. 6. All other NAN nodes are non-core nodes, which are one hop away from core nodes. The broadcast process is limited to the core nodes only. All non-core nodes receive broadcast commands from the core nodes. In other words, the core nodes receive the commands from their neighboring UAP $s$ or core nodes in $V_c$ and broadcast them, while the non-core nodes only receive the commands without further broadcast.

During the broadcast process, it is possible for a core node to receive multiple copies of the broadcast messages, for instance, B → E → F and B → F. In the CBS-ML, if a core node receives several copies of the same message, it only forwards the first received one in its broadcast process.

4.2.2 Objective Function

With the presented CBS-ML topology in Fig. 6, the main objective becomes to minimize the end-to-end broadcast latency by limiting the broadcasting process to a small number of core nodes. In this way, the broadcast traffic is significantly compressed, reducing the packet collisions and transmission backoffs and consequently improving the end-to-end broadcast latency performance. Thus, to quantify the minimization problem (Eq. 24), the number of core nodes broadcasting commands in the CBS-ML topology is minimized. For this purpose, a binary decision variable $z_i$ is defined to indicate whether or not node $i \in V$ is selected as a core node:

$$z_i = \begin{cases} 1, & \text{node } i \text{ is a core node} \\ 0, & \text{node } i \text{ is a non-core node} \end{cases} \tag{27}$$

Then, the objective function in the original constrained optimization problem (Eq. 24) is converted into the following one

$$\min \sum_{\forall i \in V} z_i \tag{28}$$

4.2.3 Constraints to the Selection of Core Nodes

The constraints to core nodes are built such that the layer-to-layer reception probability of node $i \in V_c$ is not less than the layer-to-layer control factor for core nodes, i.e.

$$P_{c,i} \ge \alpha_c,\quad \forall i \in V_c \tag{29}$$

The reception probability of a core node can be determined based on the network topology and the reliability of each link. When we consider broadcasting a command from the root node $s$ to all nodes in $V$, a core node only receives the command from its adjacent root, upper-layer core nodes, or same-layer core nodes, for instance, the core node F in Fig. 6. Thus, the reception probability $P_{c,i}$ of a core node $i \in V_c$ is equal to the complementary probability that the node does not receive the command from its adjacent root, upper-layer core nodes, or same-layer core nodes. Therefore, for practical evaluation, the constraints in Eq. (29) are expressed as

$$P_{c,i} = 1 - \tilde{P}_{c,i} = 1 - \tilde{P}_{U,c,i} \times \tilde{P}_{S,c,i} \ge \alpha_c \cdot z_i \tag{30}$$

The probability $\tilde{P}_{U,c,i}$ that node $i \in V_c$ does not receive the command from its adjacent root or upper-layer core nodes can be estimated from the joint probability that the node does not receive the command from any of the adjacent root and upper-layer core nodes in $U_i$, i.e.

$$\tilde{P}_{U,c,i} = \prod_{\forall j \in U_i} \tilde{p}_{i,j}^{\,z_j} \tag{31}$$

The probability $\tilde{P}_{S,c,i}$ that node $i \in V_c$ does not receive the command from its adjacent same-layer core nodes is equal to the joint probability that its same-layer core nodes $j \in S_i$ fail to receive the command from the root and upper-layer core nodes $k \in U_j$ or its same-layer core nodes $j \in S_i$ receive the command from a node $k \in U_j$ but the command is not received by the node $i$. Therefore, we have

$$\tilde{P}_{S,c,i} = \prod_{\forall j \in S_i,\ \forall k \in U_j} \left( \tilde{p}_{j,k} + p_{j,k}\,\tilde{p}_{i,j} \right)^{z_j \cdot z_k} \tag{32}$$

Let $z_{j,k}$ represent the product of $z_j$ and $z_k$. $z_{j,k}$ is equal to 1 when both $z_j$ and $z_k$ are equal to 1, and 0 otherwise. Thus,

$$z_{k,j} = z_k \cdot z_j,\quad 2 z_{k,j} \le z_k + z_j,\quad z_{k,j} \ge z_k + z_j - 1 \tag{33}$$

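Substituting Eqs. (31–33) into Eq. (30) and considering $1 - \alpha_c \cdot z_i = (1 - \alpha_c)^{z_i}$ for binary variable $z_i$ yield

$$\prod_{\forall j \in U_i} \tilde{p}_{i,j}^{\,z_j} \prod_{\forall j \in S_i,\ \forall k \in U_j} \left( \tilde{p}_{j,k} + p_{j,k}\,\tilde{p}_{i,j} \right)^{z_{j,k}} \le 1 - \alpha_c \cdot z_i = (1 - \alpha_c)^{z_i} \tag{34}$$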

The constraints in Eq. (34) are nonlinear. This makes the whole optimization problem under consideration difficult to solve. To simplify the problem-solving, these constraints are converted into equivalent linear ones in a logarithmic form

$$\sum_{\forall j \in U_i} z_j \log \tilde{p}_{i,j} + \sum_{\forall j \in S_i,\ \forall k \in U_j} z_{j,k} \log \left( \tilde{p}_{j,k} + p_{j,k}\,\tilde{p}_{i,j} \right) \le z_i \log (1 - \alpha_c) \tag{35}$$

In addition, it has to be guaranteed that the UAP $s$ is an element of the core node set $V_c$ since $s$ is the origination of the broadcast command. Thus, it is necessary to explicitly set Eq. (36) as one of the constraints.

$$z_s = 1 \tag{36}$$

4.2.4 Constraints to Non-core Nodes

Constraints to non-core nodes in $V_{nc}$ are built such that the layer-to-layer reception probability $P_{nc,i}$ of non-core node $i \in V_{nc}$ is no less than the layer-to-layer reliability control factor $\alpha_{nc}$ for non-core nodes. As with core nodes, the reception probability of each non-core node in $V_{nc}$ can also be determined based on the network topology and the reliability of each link. As the commands are broadcast among the root and core nodes in the NAN, a non-core node can receive the command from its adjacent root and core nodes, for instance, non-core nodes A and C in Fig. 6. Thus, the reception probability $P_{nc,i}$ of node $i \in V_{nc}$ equals the complementary probability that the node does not receive the command from its adjacent root, upper-layer core nodes, same-layer core nodes, or lower-layer core nodes. It should not be less than the layer-to-layer reliability control factor $\alpha_{nc}$. This constraint forces each non-core node in $V_{nc}$ to reach at least one core node in $V_c$ through a single hop. Therefore, we have

$$P_{nc,i} = 1 - \tilde{P}_{nc,i} = 1 - \tilde{P}_{U,nc,i}\,\tilde{P}_{S,nc,i}\,\tilde{P}_{L,nc,i} \ge \alpha_{nc} \cdot (1 - z_i) \tag{37}$$

The probability $\tilde{P}_{U,nc,i}$ that non-core node $i \in V_{nc}$ does not receive the command from its adjacent root or upper-layer core nodes can be estimated from the joint probability that the node $i \in V_{nc}$ does not receive the command from any of the adjacent root and upper-layer core nodes in $U_i$, i.e.

$$\tilde{P}_{U,nc,i} = \prod_{\forall j \in U_i} \tilde{p}_{i,j}^{\,z_j} \tag{38}$$

The probability $\tilde{P}_{S,nc,i}$ that non-core node $i \in V_{nc}$ does not receive the command from its adjacent same-layer core nodes is equal to the joint probability that any of its same-layer core nodes in $S_i$ fails to receive the command from its root and upper-layer core nodes or its same-layer core nodes receive the command from its root and upper-layer core nodes but the command is not received by the node $i \in V_{nc}$. Because Eq. (30) guarantees that the layer-to-layer reception probability $P_{c,i}$ is not less than the reliability control factor $\alpha_c$, the $\alpha_c$ is used to represent the probability that node $j \in S_i$ receives the command from its root and upper-layer core nodes as a relaxation. This gives

$$\tilde{P}_{S,nc,i} = \prod_{\forall j \in S_i} \left( 1 - \alpha_c + \alpha_c\,\tilde{p}_{i,j} \right)^{z_j} \tag{39}$$

Similarly, the probability $\tilde{P}_{L,nc,i}$ that a non-core node $i \in V_{nc}$ does not receive the command from its adjacent lower-layer core nodes is equal to the joint probability that node $j \in L_i$ fails to receive the command or the node $j$ receives the command but the command is not received by the node $i \in V_{nc}$. Using $\alpha_c$ as a relaxation of the layer-to-layer reception probability, we have

$$\tilde{P}_{L,nc,i} = \prod_{\forall j \in L_i} \left( 1 - \alpha_c^2 + \alpha_c^2\,\tilde{p}_{i,j} \right)^{z_j} \tag{40}$$

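Substituting Eqs. (38–40) into (37) and again considering $1 - \alpha_{nc} \cdot (1 - z_i) = (1 - \alpha_{nc})^{1 - z_i}$ for binary $z_i$ give

$$\prod_{\forall j \in U_i} \tilde{p}_{i,j}^{\,z_j} \prod_{\forall j \in S_i} \left( 1 - \alpha_c + \alpha_c\,\tilde{p}_{i,j} \right)^{z_j} \prod_{\forall j \in L_i} \left( 1 - \alpha_c^2 + \alpha_c^2\,\tilde{p}_{i,j} \right)^{z_j} \le 1 - \alpha_{nc} \cdot (1 - z_i) = (1 - \alpha_{nc})^{1 - z_i} \tag{41}$$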

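Again, the nonlinear constraints in Eq. (41) are simplified into linear ones in a logarithmic form as

$$\sum_{\forall j \in U_i} z_j \log \tilde{p}_{i,j} + \sum_{\forall j \in S_i} z_j \log \left( 1 - \alpha_c + \alpha_c\,\tilde{p}_{i,j} \right) + \sum_{\forall j \in L_i} z_j \log \left( 1 - \alpha_c^2 + \alpha_c^2\,\tilde{p}_{i,j} \right) \le (1 - z_i) \log (1 - \alpha_{nc}) \tag{42}$$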

4.2.5 Constrained Optimization for CBS-ML

With the above theoretical developments, the original constrained optimization problem (Eq. 24) is approximately transformed into a constrained mixed integer linear programming (MILP) problem with $z_i$, $i \in V$ as the decision variables:

$$\min \sum_{\forall i \in V} z_i \quad \text{s.t. (33), (35), (36), and (42)} \tag{43}$$

This MILP problem can be solved with mathematical solvers, such as CPLEX and Gurobi. Solving this constrained optimization gives a feasible solution to the CBS-ML.

Algorithm 3 is designed to implement the CBS-ML. It starts with the classification of G(V + s, E) into a layered graph. Then, it formulates the objective function and various constraints. After that, the constrained optimization is solved for core nodes in Vc and non-core nodes in Vnc .

4.3 An Illustrative Example

Consider a simple wireless NAN graph shown in Fig. 5 with specified link reliability settings. The values of $\alpha_c$ and $\alpha_{nc}$ are set as 0.9 and 0.7, respectively. The breadth-first search is employed to classify the graph shown in Fig. 5 into a layered graph. The process is depicted in Fig. 7. First of all, as Fig. 7a shows, construct a graph connection matrix from Fig. 5. Then, start from the UAP $s$, and find all nodes that $s$ can reach in one hop. The results are nodes A, B, and C, which are Layer-1 nodes, as shown in Fig. 7b. After that, start from Layer-1 nodes A, B, and C, and identify all nodes that the Layer-1 nodes can reach in one hop except those nodes which are already classified into Layer-1 nodes. The identified nodes are Layer-2 nodes D, E, F, and G (Fig. 7c). In a similar way, start from Layer-2 nodes D, E, F, and G, and find all Layer-4 nodes that are one hop away from Layer 3 nodes (Fig. 7d). The final results are illustrated in Fig. 6.

Fig. 7 Breadth-first search to classify a graph into a layered one (panels a, b, c, d)

After building the layered graph in Fig. 6, the objective function in (Eq. 28) is formulated as:

$$\min \left( z_a + z_b + z_c + z_d + z_e + z_f + z_g + z_h + z_i + z_j \right) \tag{44}$$

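To formulate the optimization constraints, let us take node B as an example. For node B, the upper-layer neighbor is the UAP $s$, the same-layer neighbors are nodes A and C, and the lower-layer neighbors are nodes E and F. Thus, the constraints for node B are formulated as follows:

$$\begin{aligned} & z_s \log \tilde{p}_{s,b} + z_{s,a} \log \left( \tilde{p}_{s,a} + p_{s,a}\,\tilde{p}_{a,b} \right) + z_{s,c} \log \left( \tilde{p}_{s,c} + p_{s,c}\,\tilde{p}_{b,c} \right) \\ &= z_s \log (1 - 0.9) + z_{s,a} \log \left[ (1 - 0.6) + 0.6 \times (1 - 0.5) \right] + z_{s,c} \log \left[ (1 - 0.6) + 0.6 \times (1 - 0.6) \right] \\ &\le z_b \log (1 - \alpha_c) = z_b \log (1 - 0.9) \end{aligned} \tag{45}$$

$$2 z_{s,a} \le z_s + z_a,\quad z_{s,a} \ge z_s + z_a - 1 \tag{46}$$

$$2 z_{s,c} \le z_s + z_c,\quad z_{s,c} \ge z_s + z_c - 1 \tag{47}$$

$$\begin{aligned} & z_s \log \tilde{p}_{s,b} + z_a \log \left( 1 - \alpha_c + \alpha_c\,\tilde{p}_{a,b} \right) + z_c \log \left( 1 - \alpha_c + \alpha_c\,\tilde{p}_{b,c} \right) \\ &\quad + z_e \log \left( 1 - \alpha_c^2 + \alpha_c^2\,\tilde{p}_{b,e} \right) + z_f \log \left( 1 - \alpha_c^2 + \alpha_c^2\,\tilde{p}_{b,f} \right) \\ &= z_s \log (1 - 0.9) + z_a \log \left[ (1 - 0.9) + 0.9 \times (1 - 0.5) \right] + z_c \log \left[ (1 - 0.9) + 0.9 \times (1 - 0.6) \right] \\ &\quad + z_e \log \left[ 1 - 0.9^2 + 0.9^2 \times (1 - 0.9) \right] + z_f \log \left[ 1 - 0.9^2 + 0.9^2 \times (1 - 0.9) \right] \\ &\le (1 - z_b) \log (1 - \alpha_{nc}) = (1 - z_b) \log (1 - 0.7) \end{aligned} \tag{48}$$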

Constraints for all other nodes in Fig. 6 can be established in a similar way. After the objective function is established together with the constraints for all nodes A to J as well as $s$ in Fig. 6, solve the constrained optimization problem by using a mathematical solver, e.g., Gurobi, for core nodes and non-core nodes. For this example, the resulting core nodes are B, E, and F. All other nodes are non-core nodes, which are one hop away from core nodes. Thus, the objective function equals 3 and all constraints are satisfied. For this example, it is easy to validate that the solution of three core nodes is the best solution. Any choice of only two nodes as core nodes does not meet the requirement that all other nodes are one hop away from the sub-network formed by the core nodes and $s$. Any choice of four nodes as core nodes will lead to an increased objective function from 3 to 4.
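The following Python sketch is an added example, not code from the chapter or from the CBS-ML authors. It rebuilds the layered graph from the link labels of Fig. 6, derives $U_i$, $S_i$ and $L_i$, evaluates Eqs. (35) and (42) with the link reliabilities that appear in Eqs. (45) and (48), and exhaustively checks the statement that no two-node core set meets the one-hop requirement. All function names are assumptions of this example, and the exhaustive search covers only the topology requirement (connectivity with $s$ and Eq. 26), not the full MILP, because the remaining link reliabilities of Fig. 5 are not given in the text.

```python
from collections import deque
from itertools import combinations
from math import exp, log

# Links of the example NAN, read from the link labels of Fig. 6 (P_{s,a}, P_{s,b}, ...).
EDGES = [("s", "a"), ("s", "b"), ("s", "c"), ("a", "b"), ("a", "d"), ("a", "e"),
         ("b", "c"), ("b", "e"), ("b", "f"), ("c", "f"), ("c", "g"), ("d", "e"),
         ("d", "h"), ("e", "f"), ("e", "h"), ("e", "i"), ("f", "g"), ("f", "i"),
         ("f", "j"), ("g", "j"), ("h", "i"), ("i", "j")]
# Link reliabilities p_{i,j}: only the values that appear in Eqs. (45) and (48).
KNOWN_P = {("s", "b"): 0.9, ("s", "a"): 0.6, ("a", "b"): 0.5, ("s", "c"): 0.6,
           ("b", "c"): 0.6, ("b", "e"): 0.9, ("b", "f"): 0.9}
P = {frozenset(link): value for link, value in KNOWN_P.items()}
ALPHA_C, ALPHA_NC = 0.9, 0.7   # reliability control factors used in Sect. 4.3
ROOT = "s"                     # the UAP

def bfs_layers(edges, root=ROOT):
    """Return (adjacency, layer), where layer[n] is the hop count from the UAP."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    layer, queue = {root: 0}, deque([root])
    while queue:
        u = queue.popleft()
        for v in sorted(adj[u]):
            if v not in layer:
                layer[v] = layer[u] + 1
                queue.append(v)
    return adj, layer

def neighbor_sets(adj, layer, i):
    """Upper-, same- and lower-layer neighbours (U_i, S_i, L_i) of node i."""
    by_offset = {-1: set(), 0: set(), 1: set()}   # BFS layers differ by at most 1
    for j in adj[i]:
        by_offset[layer[j] - layer[i]].add(j)
    return by_offset[-1], by_offset[0], by_offset[1]

def loss(i, j):
    """Packet loss ratio of link (i, j), i.e. 1 - p_{i,j}."""
    return 1.0 - P[frozenset((i, j))]

def core_lhs(i, z, adj, layer):
    """Left-hand side of Eq. (35) for node i under the 0/1 assignment z."""
    upper, same, _ = neighbor_sets(adj, layer, i)
    total = sum(z[j] * log(loss(i, j)) for j in upper)
    for j in same:
        for k in neighbor_sets(adj, layer, j)[0]:
            total += z[j] * z[k] * log(loss(j, k) + (1 - loss(j, k)) * loss(i, j))
    return total

def noncore_lhs(i, z, adj, layer):
    """Left-hand side of Eq. (42) for node i under the 0/1 assignment z."""
    upper, same, lower = neighbor_sets(adj, layer, i)
    a1, a2 = ALPHA_C, ALPHA_C ** 2
    return (sum(z[j] * log(loss(i, j)) for j in upper)
            + sum(z[j] * log(1 - a1 + a1 * loss(i, j)) for j in same)
            + sum(z[j] * log(1 - a2 + a2 * loss(i, j)) for j in lower))

def assignment(adj, core):
    """z_i = 1 for the UAP and the chosen core nodes, 0 otherwise (Eqs. 27, 36)."""
    return {n: int(n == ROOT or n in core) for n in adj}

def core_reception(i, core, adj, layer):
    """P_{c,i} of Eq. (30) if node i is added to the given core set."""
    z = assignment(adj, set(core) | {i})
    return 1.0 - exp(core_lhs(i, z, adj, layer))

def backbone_ok(adj, core):
    """Topology requirement only: s plus the core nodes are connected and every
    remaining node is one hop away from that sub-network (Eq. 26)."""
    backbone = set(core) | {ROOT}
    seen, stack = {ROOT}, [ROOT]
    while stack:
        for v in adj[stack.pop()] & backbone:
            if v not in seen:
                seen.add(v)
                stack.append(v)
    return seen == backbone and all(adj[n] & backbone for n in adj if n not in backbone)

def smallest_backbones(adj):
    """Exhaustively find the minimum number of core nodes that passes backbone_ok."""
    nodes = sorted(n for n in adj if n != ROOT)
    for size in range(1, len(nodes) + 1):
        found = [c for c in combinations(nodes, size) if backbone_ok(adj, c)]
        if found:
            return size, found
    return None, []

if __name__ == "__main__":
    adj, layer = bfs_layers(EDGES)
    print("layers:", layer)
    print("U, S, L of b:", neighbor_sets(adj, layer, "b"))
    for n in "abc":   # layer-1 nodes: every reliability they need is quoted on the page
        print(n, "as core: P_c =", round(core_reception(n, {"b", "e", "f"}, adj, layer), 3))
    z = assignment(adj, {"b", "e", "f"})
    print("Eq. (42) for b:", noncore_lhs("b", z, adj, layer), "<=", (1 - z["b"]) * log(1 - ALPHA_NC))
    print("minimum number of core nodes (topology only):", smallest_backbones(adj)[0])
```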

5 Conclusions

This chapter has introduced low-latency multicast and broadcast technologies to provide real-time communications in smart grid. Firstly, a multicast routing scheme has been presented with a focus on multicast tree construction for WAC over PSNs. The multicast tree construction problem has been formulated into a constrained optimization with the objective of minimizing the end-to-end delay subject to bandwidth constraints. The optimization has been solved by using Lagrangian relaxation and iterative algorithm design. Secondly, a multicast routing has been introduced with the focus on minimizing the multicast routing delay in multiple multicast trees with shared links in WANs. The problem of multicast in multiple multicast trees with shared links has been formulated into a constrained optimization, being NP-complete. The problem has been solved by using a greedy algorithm with heuristics to construct multicast trees with satisfactory end-to-end delay performance under various network states in WANs. In the end, a constrained broadcast scheme with minimized latency has been introduced to support time-critical applications requiring one-to-all message delivery in NANs of smart grid. The constrained broadcast has been designed with a layered structure consisting of two types of nodes: core nodes and non-core nodes. The core nodes form a connected sub-network, which the broadcast process is limited to. The selection of core nodes has been formulated into a mixed-integer linear programming problem subject to reliability requirements.

References

A.L. Barabasi, R. Albert, Emergence of scaling in random networks. Science 286, 509 (1999)
Y. Ding, Y.-C. Tian, X. Li, Y. Mishra, G. Ledwich, C. Zhou, Constrained broadcast with minimized latency in neighborhood area networks of smart grid. IEEE Trans. Ind. Informat. 16(1), 309–318 (2020)
H. Gjermundrod, D.E. Bakken, C.H. Hauser, A. Bose, GridStat: A flexible QoS-managed data dissemination framework for the power grid. IEEE Trans. Smart Grid 24(1), 136–143 (2009)
A. Goodney, S. Kumar, A. Ravi, Y.H. Cho, Efficient PMU networking with software defined networks, in IEEE International Conference on Smart Grid Communication (Vancouver Oct 21–24 2013), pp. 378–383
R. Guimera, A. Diaz-Guilera, F. Vega-Redondo, A. Cabrales, A. Arenas, Optimal network topologies for local search with congestion. Phys. Rev. Lett. 89, 328170 (2002)
P. Kansal, A. Bose, Bandwidth and latency requirements for smart transmission grid applications. IEEE Trans. Smart Grid 3(3), 1344–1352 (2012)
D. Kim, J. Kim, Design of emergency demand response program using analytic hierarchy process. IEEE Trans. Smart Grid 3(2), 635–644 (2012)
V. Konstantinos, B.Y. Katsaros, W.K. Chai, G. Pavlou, Low latency communication infrastructure for synchrophasor applications in distribution networks, in IEEE International Conference on Smart Grid Communication (Venice, 3–6 Nov 2014)
K. Kumar, M. Radhakrishnan, K.M. Sivalingam, D.P. Seetharam, M. Karthick, Comparison of publish-subscribe network architectures for smart grid wide area monitoring, in IEEE 3rd International Conference Smart Grid Communication (SmartGridComm) (Tainan, 5–8 Nov 2012), pp. 611–616
X. Li, Y.-C. Tian, G. Ledwich, Y. Mishra, X. Han, C. Zhou, Constrained optimization of multicast routing for wide area control of smart grid. IEEE Trans. Smart Grid 10(4), 3801–3808 (2019a). https://doi.org/10.1109/TSG.2018.2835487
X. Li, Y.-C. Tian, G. Ledwich, Y. Mishra, C. Zhou, Minimizing multicast routing delay in multiple multicast trees with shared links for smart grid. IEEE Trans. Smart Grid 10(5), 5427–5435 (2019b)
M.E.J. Newman, Scientific collaboration networks. II. Shortest paths, weighted networks, and centrality. Phys. Rev. E 64(1), 016132 (2001)
C.A.S. Oliveira, P.M. Pardalos, A survey of combinatorial optimization problems in multicast routing. Comput. Oper. Res. 32(8), 1953–1981 (2005)
L. Pradittasnee, S. Camtepe, Y.-C. Tian, Efficient route update and maintenance for reliable routing in large-scale sensor networks. IEEE Trans. Ind. Inform. 13(1), 144–156 (2017)
G. Rajalingham, Q.-D. Ho, T. Le-Ngoc, Attainable throughput, delay and scalability for geographic routing on smart grid neighbor area networks, in 2013 IEEE Wireless Communication and Networking Conference (WCNC) (2013), pp. 1121–1126
K. Stachowiak, P. Zwierzykowski, Lagrangian relaxation and linear intersection based QOS routing algorithm. Int. J. Electron. Telecommun. 58(4), 307–314 (2012)
G. Tian, S. Camtepe, Y.-C. Tian, A deadline-constrained 802.11 MAC protocol with QoS differentiation for real-time control. IEEE Trans. Ind. Inform. 12(2), 544–554 (2016)
N.H. Tran, C. Pham, M.N.H. Nguyen, S. Ren, C.S. Hong, Incentivizing energy reduction for emergency demand response in multi-tenant mixed-use buildings. IEEE Trans. Smart Grid 9(4), 3701–3715 (2018)
Y. Wang, I.R. Pordanjani, W. Xu, An event-driven demand response scheme for power system security enhancement. IEEE Trans. Smart Grid 2(1), 23–29 (2011)
G. Yan, T. Zhou, B. Hu, Z.Q. Fu, B.H. Wang, Efficient routing on complex networks. Phys. Rev. E 73(2), 046108 (2006)
L. Zhao, Y.-C. Lai, K. Park, N. Ye, Onset of traffic congestion in complex networks. Phys. Rev. E 71, 026125 (2005)

28 The Efficacy and Real-Time Performance of Refraction Networking

Andrew Stephens and Mohammad Hammoudeh

Contents
1 Introduction
2 Previous Research
3 Upstream Protocols
3.1 Rebound
3.2 Multiflow
3.3 Conjure
3.4 Siegebreaker
4 Downstream Protocols
5 Bidirectional Protocols
5.1 Slitheen
5.2 Gossip Protocol
5.3 Slitheen++
6 Discussion
6.1 Attacks
6.2 Barriers to Adoption
6.3 ISP Deployments
6.4 Future Research
7 Conclusion
References

Abstract

As the global number of internet users grows, the internet becomes an increasingly important medium for communication and the dissemination of information. This has led to a corresponding rise in internet censorship. Most current censorship circumvention methods relay traffic via a host which is susceptible to address-based blocking. Refraction networking seeks to overcome this problem through stations that intercept traffic at the network level. This chapter evaluates current approaches to refraction networking, classifies them according to their architecture, and presents a comparison of their security properties. It finds there are still barriers to wider scale adoption, including performance issues that may impact real-time communication. The analysis shows that more research is needed to determine the viability of refraction networking in a production environment.

A. Stephens · M. Hammoudeh, Manchester Metropolitan University, Manchester, UK. © Springer Nature Singapore Pte Ltd. 2022. Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_67

1 Introduction

Many governments seek to limit the information accessible to their citizens on the internet. The 2020 Freedom on the Net report (House 2020) identified a ten-year decline in global internet freedom for reasons ranging from political to social and economic. Internet censorship has been used by repressive regimes to suppress dissenting opinions, prevent communication between dissidents, and conceal information from the world at large. Freedom of communication is an essential vehicle for many people from journalists to political opposition groups. User content platforms, social media, blogs, etc. have created a new space for information warfare (Walker-Roberts et al. 2020). An ever-increasing number of people rely on the cyber world to practice their right to freedom of expression and access content from a variety of sources (Saleem and Hammoudeh 2018). This has led to the weaponization of the Internet through, for example, coordinated disinformation campaigns, political manipulation, radicalization, recruitment, and digital hate speech (Ghafir et al. 2017).

Traditionally, cryptographic solutions such as VPNs have been used to preserve user privacy (Belguith et al. 2020; Walshe et al. 2019). However, powerful modern network monitoring techniques pose a threat to online anonymity (Ghafir et al. 2018). Conventional censorship circumvention systems make use of proxy servers outside of the censor’s sphere of influence to relay traffic to blocked destinations. However, proxy servers are also susceptible to address-based blocking. This leads to a cycle of new proxy servers being created and then discovered and blocked by the censor.

To overcome this problem, refraction networking, also known as decoy routing, proposes a state-level response to state censorship efforts by partnering with Internet Service Providers (ISP) to provide circumvention at the network level. It is designed to be effective against Internet Protocol (IP) address, Domain Name System (DNS)-based and content-based censorship strategies. Refraction networking makes use of stations placed along the network path to intercept requests and return data from servers a client is prevented from connecting to directly. It uses tools more commonly associated with censorship systems, such as deep packet inspection and man-in-the-middle attacks, in order to identify requests from the client and relay blocked content.

Figure 1 (Bocovich and Goldberg 2018) provides an overview of a generic refraction networking system. Most systems use client software to send a cryptographically tagged request designed to be indistinguishable from normal traffic to an uncensored overt site. If the request passes through a router that is monitored by a refraction networking relay station, it is able to detect the tag and relay traffic between the client and the blocked covert site. Since traffic between the client and overt site is encrypted with Transport Layer Security (TLS), the censor is unable to determine whether the content is being returned from the overt site or the relay station.

Fig. 1 Generic refraction networking system, reprinted from “Secure asymmetry and deployability for decoy routing systems” by Bocovich et al., 2018 (Bocovich and Goldberg 2018)

Refraction networking protocols assume that the censor has a limited sphere of influence within which it operates a blacklist policy. Within this sphere the censor has the capability to inspect, block, inject, and alter network traffic but allows TLS traffic to unblocked hosts. It is also assumed that client devices are not under the censor’s control.

Refraction networking systems in the literature strive to balance stealth and performance (VanderSloot et al. 2020a). To permit real-time data flows across a refraction network at an ISP scale, effective mechanisms to extract the traffic of participating clients from high-speed backbone links are needed. Commodity network hardware processes a peak of 10–40 Gbps. To further increase the reliability of refraction networking, mechanisms for multiplexing traffic across various Internet uplinks are deployed.

This chapter categorizes research according to system architecture. Upstream protocols use stations placed on the client’s upstream network route and are only able to monitor traffic sent by the client. Downstream protocols can only monitor responses from the destination. Bidirectional protocols are able to examine both the upstream connection from the client and the downstream connection from the destination. The choice of architecture has implications for both the security of the protocol and how easily the system can be deployed. Table 1 lists the protocols surveyed and classified by architecture.

Table 1 Protocol classification
Upstream: Rebound, Multiflow, Conjure, Siegebreaker
Downstream: Waterfall
Bidirectional: Slitheen, Gossip protocol, Slitheen++

2 Previous Research

In 2011 three separate groups of researchers, working independently, published the first generation of refraction networking protocols. Telex (Wustrow et al. 2011) is a bidirectional protocol made up of three components: a router, a deep packet inspection (DPI) device, and a proxy server. It introduces a novel tagging technique to allow requests to be identified and provide a mechanism for the client to effectively leak the TLS session keys to the station. To initiate a connection the client software makes an HTTPS request to an overt site that passes through a Telex station. It replaces the TLS handshake ClientHello.random value with a tag encrypted with the Telex station’s public key from which the station derives a shared secret key using a Diffie-Hellman key exchange. The client uses a pseudorandom generator (PRG) seeded with the shared secret key to derive random values for the TLS key exchange. This allows the station to calculate the TLS session keys and decrypt traffic between the client and the overt site. If the station is able to decrypt both TLS Finished messages, it sends a spoofed TCP Reset (RST) to the site and blocks any further messages between the two. The proxy server can then relay traffic between the client and the covert site over the same TLS connection. The authors created a proof of concept implementation with Linux machines running a software router. Bidirectional protocols, such as Telex, require symmetric network routes in which upstream and downstream traffic from the overt destination both take the same route to the client. This allows them to listen to network traffic from both the client and the overt site. However, research has shown that asymmetric routes are common, especially in tier 1 networks where the deployment of refraction networking stations would be most effective (John et al. 2010). Curveball (Karlin et al. 2011) is a prototype upstream protocol that was designed to tolerate asymmetric routes. 
Curveball also places a tag in the ClientHello.random field and spoofs a TCP RST to the overt site once the TLS handshake has been completed. Rather than calculating the TLS session keys, the proxy server takes over the connection by sending the client a message encrypted with a pre-agreed shared secret key. When the client receives the message it uses a modified TLS library to change the TLS session keys to match and the station relays requests to covert sites. Finally, Houmansadr et al. published another upstream protocol named Cirripede (Houmansadr et al. 2011). Like Curveball, Cirripede relies on the client swapping
TLS session keys. Instead of using a pre-agreed key, Cirripede uses public key steganography to embed a Diffie-Hellman key exchange in the Initial Sequence Numbers (ISN) of TCP SYN packets. Once a shared key has been established the station closes the connection to the overt site on behalf of the client. It instructs the router to divert all of the client’s traffic to its proxy server for a fixed period of time. The authors developed a software-based prototype.

Upstream protocols support asymmetric routes by design because they do not need to see downstream traffic returned from the overt site. As long as the client’s upstream takes a route that is visible to the refraction networking station it does not matter which route the downstream takes.

The first-generation refraction networking protocols all include an inline blocking element. Telex blocks traffic from both the client and the server for tagged traffic, Curveball blocks requests from the client to the overt site if it is tagged, and Cirripede diverts all traffic from the client. Inline blocking devices must inspect all traffic before it is forwarded. Telex researchers approached internet service providers (ISP) but found them unwilling to deploy experimental inline blocking devices in a production environment due to concerns over the potential impact on customer traffic. To address these concerns they developed Tapdance (Wustrow et al. 2014).

Tapdance was the first second-generation protocol, published in 2014. It focused on addressing Telex’s barriers to deployment by using an upstream tap architecture rather than an inline device. This allows the protocol to tolerate asymmetric routes. Like Telex, Tapdance uses a Diffie-Hellman key exchange to establish a shared secret key between the client and the station. Tapdance, however, introduces chosen-ciphertext steganography instead of embedding a tag in the ClientHello.random field.
Chosen-ciphertext steganography allows the client to manipulate the encrypted TLS ciphertext to convey a message to a third party that is unaware of the TLS session keys. The Tapdance client achieves this by sending a TLS encrypted HTTP GET request with incomplete headers to the overt site. The request includes a custom header that is manipulated by the client to influence the TLS ciphertext. Because the headers are incomplete the request causes the overt site to silently wait for the client to provide more information. This technique is also leveraged by slow HTTP attacks which cause a denial of service by exhausting the web server connection pool. By extracting the tag the station is able to derive the TLS session keys and it spoofs a reply to the client. When the client responds its packets will reach the overt site but, since they are now out of sequence because of the added station reply, they are discarded. The station can continue to communicate with the client and relay traffic from covert sites. However, since the connection to the overt site remains open, if an old packet is replayed by the censor, it can reveal that the site is no longer synchronized with the client. Tapdance is limited by the TCP window and timeout settings of the host. This means not all overt sites are suitable for the protocol so they must be selected with care. The distribution of Tapdance clients between overt sites is also important.

A. Stephens and M. Hammoudeh

Fig. 2 Timeline of refraction networking research papers

Web servers have a limited pool of connections available. If all of the available connections are used by Tapdance, other clients will be unable to connect, causing a denial of service attack against the overt site. The authors created a working prototype for evaluation using high specification servers and an HP 6600-24G-4XG switch. Curveball, Cirripede, and Tapdance all suffer from a problem commonly found in upstream protocols. Since upstream stations cannot use the downstream route they proxy covert site content directly to the client. This makes it impossible to maintain the same traffic profile as the overt site. Thus traffic analysis, or website fingerprinting, will reveal that the client is using refraction networking. Similarly, since the client’s requests are being served by a station that may be in a different location from the overt site, these protocols are also vulnerable to latency analysis. Most implementations of refraction networking also share a common vulnerability. If the censor is capable of altering border gateway protocol (BGP) policies in autonomous systems (AS) under its control, it can choose to route traffic to an upstream AS that contains no refraction networking stations. This attack is known as routing around decoys (RAD) (Schuchard et al. 2012). Figure 2 illustrates the progress of refraction networking research since 2011, shaded to denote successive projects involving the same teams. The research reviewed responds to criticisms of previous research and proposes improvements. Research efforts have focused on making refraction networking systems both easier to deploy and more resilient to detection and attack by censors.

3 Upstream Protocols

The following upstream protocols can be divided into two groups. Both Siegebreaker (Sharma et al. 2020) and Conjure (Frolov et al. 2019) leverage a direct connection between the station and the client which benefits performance. Rebound (Ellard et al. 2015) and Multiflow (Manfredi and Songkuntham 2018), on the other hand, elect to communicate with the client via a third party to ensure that communication is harder to detect.

3.1 Rebound

Rebound (Ellard et al. 2015) is an upstream protocol based on Curveball that relies on a pre-agreed shared secret key and includes an inline blocking component. Curveball is vulnerable to traffic analysis because the overt site connection is severed and replaced with proxied traffic. This means downstream traffic to the client does not resemble that of the overt site. Rebound attempts to solve this problem by taking advantage of the fact that HTTP 404 errors frequently reflect the requested URL back to the client. By adding an encrypted payload to the URL the upstream station triggers a “Page Not Found” error that returns a payload to the client. For Rebound to alter upstream requests on the client’s behalf it must obtain the TLS session keys. To do this it uses chosen-ciphertext steganography in the same way as Tapdance. The client sends an HTTP GET request to the overt site which includes an encrypted payload for the Rebound station. This request is intercepted by the station before it reaches the overt site, shown as decoy host in the diagram. The station decrypts the payload and then downloads content from the covert, or disallowed, site adding responses to a queue. The station replaces the client payload with encrypted data from the queue and forwards the request to the overt site. The overt site receives a request for an invalid URL and returns an error message to the client that includes the payload. Although this protocol successfully maintains a connection to the overt site, throughput is dependent on continuous large GET requests from the client to provide payloads that the station can replace. This means it is still vulnerable to upstream traffic analysis. It also wastes the overt site’s resources by triggering 404 errors as an undesirable side effect. The authors created a proof of concept implementation of a Rebound station on a Linux machine using a software router.

3.2 Multiflow

Multiflow (Manfredi and Songkuntham 2018) is an upstream protocol that avoids replacing downstream traffic to the client by implementing a novel system for asynchronous out of band communication. Since there is no direct connection between the Multiflow station and the client, traffic analysis is mitigated by design. The authors propose sharing data via a third-party website by resuming the client’s TLS session and replaying POST requests captured from the upstream. This limits the number of useful overt sites because many sites require additional authentication mechanisms. The protocol uses an out of band registration server to allow the client and server to agree on a shared secret key using a Diffie-Hellman key exchange. This presents a problem because the server is susceptible to address-based blocking. In a similar way to other protocols, the client inserts a tag in the TLS ClientHello.random field when initiating a connection to the overt site. This allows the
Multiflow station to identify the request and monitor TLS handshake traffic. The client exfiltrates the TLS session keys using chosen-ciphertext steganography. The client uses malformed GET requests or cookies to request covert sites from the station. Once the station has retrieved the data it connects to the overt site directly using the TLS session keys to resume the client’s session. It can then submit encrypted data to the overt site for the client to retrieve later. Although Multiflow’s asynchronous architecture eliminates the threat of downstream traffic analysis, it also makes communication between station and client a slow and complicated process which is detrimental to user experience. The authors performed feasibility tests with OpenSSL but did not create a full implementation of the protocol.

3.3 Conjure

Conjure (Frolov et al. 2019) is a third-generation upstream protocol proposed in 2019 based on Tapdance. It is designed to thwart traffic analysis by simulating connections to unused addresses within the IP ranges owned by an ISP. The Conjure station intercepts requests for unused IP addresses and spoofs replies to create a phantom proxy. In order to connect to a Conjure station the client registers by sending a TLS encrypted HTTP GET request to an overt site on a route visible to the station. The request includes a custom header that uses chosen-ciphertext steganography to convey a tag to the station in the same way as Tapdance. The tag allows the client and server to agree on a shared secret key using a Diffie-Hellman key exchange and also derive the IP address of the phantom proxy. The overt site replies as normal and the Conjure station registers the client and waits for requests. The client then initiates a TCP connection to the phantom host and demonstrates knowledge of the shared secret key. The Conjure station verifies the client’s IP address and opens a connection to the covert site. It returns traffic spoofed from the phantom host using obfuscated SSH (OSSH) (Leidl 2010) tunneling rather than TLS to improve performance. Since subnets served by Conjure stations are known to the client the system relies on them containing other services of value to the censor. This also means that to some extent the strength of the system depends on how widely deployed it is. The authors have implemented this system at a mid-sized ISP with an application server tapping traffic from a 20 Gbps router.

3.4 Siegebreaker

Siegebreaker (Sharma et al. 2020) is a system that uses software-defined networking (SDN) to address ISP privacy concerns. Other refraction networking protocols require the station to process all incoming traffic in order to detect tagged TLS handshakes. Since stations are likely to be maintained by a third party rather than the internet service provider (ISP), this could violate the privacy of untagged traffic
and provide an obstacle to deployment. Instead, Siegebreaker proposes using SDN switches and controllers managed by the ISP. The switches are capable of inline blocking and configured to detect and divert only tagged traffic to the station. Siegebreaker’s implementation requires out of band client registration via email. The email is encrypted with the station’s public key and allows both parties to derive a shared secret key using a Diffie-Hellman key exchange. The client also specifies the IP address and TCP initial sequence number (ISN) it will use to connect to Siegebreaker. This information is recorded by the SDN controller to allow it to identify requests that must be forwarded to the Siegebreaker station. The station closes the connection to the overt site by sending a spoofed TCP RST packet. It then derives TLS session keys from the shared secret key and returns an encrypted message to the client spoofed from the overt site. The client updates its keys and the station proxies connections to covert sites. Siegebreaker’s protocol is vulnerable to traffic analysis because the connection to the overt site is closed and replaced. It includes a registration process susceptible to blocking. Using a pre-agreed ISN to identify requests also potentially makes it vulnerable to replay or preplay attacks by a censor capable of spoofing the client’s IP address. However, it addresses concerns about the privacy of untagged traffic which could make it more attractive to ISPs. The authors developed a proof of concept system with Linux machines on a university network accessing the internet through an HP3500YL SDN switch.

4 Downstream Protocols

Waterfall (Nasr et al. 2017) proposes a new architecture designed to address the vulnerability of refraction networking protocols to routing attacks. By placing a station on the downstream path it takes advantage of the fact that routes are determined by the sender. The authors found that attacks against downstream protocols are less targeted. A censor can choose a suboptimal upstream route to avoid traffic passing through a specific autonomous system (AS), but it is not possible to selectively block downstream traffic by source AS. Blocking incoming traffic from an AS on the edge of the censor’s network comes at a much higher cost because it leads to loss of connectivity from many other destinations. Waterfall introduces a registration protocol for the client to signal its intention to use the service. This is achieved by sending an email message encrypted with the station’s public key. The registration server distributes the IP address of the client to Waterfall stations so that subsequent traffic can be recognized and intercepted. This is problematic because the registration server is vulnerable to address-based blocking. Waterfall is based on the Slitheen protocol but since the station is placed on the downstream, any messages from the client must first pass through the overt destination. The authors leverage the fact that HTTP redirect replies commonly
reflect requested URLs to achieve communication with the station. Upstream throughput is reduced because of URL length restrictions. The process is as follows:

1. The user’s browser makes a request to the Waterfall client.
2. The Waterfall client sends an HTTP GET request for overt.com to the overt destination. Sites with multiple hostnames often issue redirects which include the path.
3. The client requests a fictional path that includes an encrypted covert message.
4. The overt destination replies with an HTTP 301 redirect to the same path on www.overt.com which is seen by the decoy router, or Waterfall station, on the downstream.
5. The router decrypts the covert message and forwards it to the covert destination.

The Waterfall client uses a modified implementation of Slitheen’s overt user simulator (OUS) which is designed to improve downstream throughput. It achieves this by caching every reply from the overt site. Only previously cached requests are used to communicate with the station. Since the size of the response is known the station can use all of the available downstream bandwidth while maintaining the traffic pattern of the overt site. Although the protocol is resistant to traffic analysis, the OUS makes continuous HTTP GET requests to the overt site to maintain throughput. This creates a detectable signature. Waterfall also includes inline blocking. The authors implemented a prototype system using a software router.
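The reflected-redirect exchange in steps 2 to 5, and the throughput cost of the URL length restriction, written out as an added example that is not code from the Waterfall authors. The shared key, the 96-character path budget, the chunk header layout and the HMAC-based stand-in cipher are assumptions made for illustration; only the overt.com to www.overt.com redirect comes from the text.

```python
import base64
import hashlib
import hmac
import os
import struct
from urllib.parse import urlsplit

MAX_PATH_LEN = 96                    # assumed URL budget per request (constructed)
TAG_LEN = 16                         # truncated HMAC-SHA256 tag
HEADER = struct.Struct("!8sHH")      # message id, chunk index, chunk count
RAW_BUDGET = (MAX_PATH_LEN - 1) * 3 // 4          # bytes that fit once base64url-encoded
CHUNK_LEN = RAW_BUDGET - HEADER.size - TAG_LEN    # covert bytes carried per request


def _keys(shared_key):
    """Derive separate encryption and MAC keys from the registration secret."""
    return (hashlib.sha256(b"enc" + shared_key).digest(),
            hashlib.sha256(b"mac" + shared_key).digest())


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real stream cipher."""
    blocks = (hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def client_paths(shared_key, message):
    """Steps 2-3: split the covert message into fictional paths within the budget."""
    enc_key, mac_key = _keys(shared_key)
    msg_id = os.urandom(8)           # fresh per message so a keystream never repeats
    pieces = [message[i:i + CHUNK_LEN] for i in range(0, len(message), CHUNK_LEN)] or [b""]
    paths = []
    for index, piece in enumerate(pieces):
        header = HEADER.pack(msg_id, index, len(pieces))
        body = _xor(piece, _keystream(enc_key, header, len(piece)))
        tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        token = base64.urlsafe_b64encode(header + body + tag).rstrip(b"=").decode()
        paths.append("/" + token)
    return paths


def overt_site_redirect(path):
    """Step 4: the overt site canonicalises the hostname and reflects the path."""
    return ("HTTP/1.1 301 Moved Permanently\r\n"
            "Location: https://www.overt.com" + path + "\r\n"
            "Content-Length: 0\r\n\r\n")


def station_extract(shared_key, response):
    """Step 5: authenticate and decrypt a reflected path; None for ordinary redirects."""
    enc_key, mac_key = _keys(shared_key)
    location = None
    for line in response.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
            break
    if location is None:
        return None
    token = urlsplit(location).path.lstrip("/")
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:               # binascii.Error is a ValueError subclass
        return None
    if len(raw) < HEADER.size + TAG_LEN:
        return None
    header, body, tag = raw[:HEADER.size], raw[HEADER.size:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None                  # untagged or foreign traffic is left alone
    msg_id, index, count = HEADER.unpack(header)
    return msg_id, index, count, _xor(body, _keystream(enc_key, header, len(body)))


def roundtrip(shared_key, message):
    """Run the exchange end to end and reassemble what the station recovered."""
    chunks = {}
    for path in client_paths(shared_key, message):
        result = station_extract(shared_key, overt_site_redirect(path))
        if result is not None:
            _, index, _, plain = result
            chunks[index] = plain
    return b"".join(chunks[i] for i in sorted(chunks))


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed shared secret").digest()
    request = b"GET https://covert.example/news/today HTTP/1.1"   # constructed
    print(len(client_paths(key, request)), "requests of at most", CHUNK_LEN, "covert bytes")
    print(roundtrip(key, request))
```

With this budget each request carries at most 43 covert bytes after the header and tag, which is the upstream throughput penalty the section describes.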

5 Bidirectional Protocols

Bidirectional protocols, such as Slitheen (Bocovich and Goldberg 2016) and Slitheen++ (Birtel and Rossow 2020), are designed to maintain the connection between client and overt server to avoid detection. However, since they must monitor traffic both to and from the client, their usefulness is limited by routing asymmetry. Bocovich et al. (Bocovich and Goldberg 2018) address this problem by adding lightweight upstream stations that communicate through a gossip protocol and remove the need for inline blocking.

5.1 Slitheen

Slitheen (Bocovich and Goldberg 2016) is a second-generation bidirectional protocol based on Telex. It addresses the traffic and latency analysis vulnerabilities present in upstream protocols. Like Telex it includes inline blocking. Slitheen uses the same mechanism as Telex to tag requests and leak the TLS session keys to the station. However, once the TCP handshake is completed Slitheen does not close the connection to the overt site. Instead, it uses a headless browser, known as the overt user simulator (OUS) to make automated HTTP GET requests intended to emulate
web browsing activity. The client communicates with the Slitheen relay station by appending a custom header to requests. The header includes an encrypted payload. This payload instructs the station to retrieve content from a covert site, which it requests and stores in a queue. In order for the station to communicate with the client, it examines traffic returned by the overt site to determine the content type. Leaf resources, which include multimedia such as images, video, and audio files, are replaced with covert site content from the queue so that the traffic remains indistinguishable from that of the overt site. The station is unable to process TLS records larger than a single TCP segment or received in the wrong order which creates some inefficiency. By maintaining the connection to the overt server Slitheen significantly improves resistance to downstream traffic and latency analysis. This comes at the cost of decreased throughput compared to previous systems which connect directly to the client. For optimal throughput, the OUS needs to make continuous GET requests to the overt site. This is too simplistic to model real browsing activity. It creates an unusual pattern of requests which leaves the protocol vulnerable to detection. The authors created a proof of concept implementation on Linux machines.
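The leaf-resource replacement described above, as an added sketch that is not the Slitheen authors' code. The 4-byte length frame, the zero padding and the constructed page sizes are assumptions; the point it shows is that every response keeps its original size and that downstream capacity is bounded by the leaf bytes the overt page happens to contain.

```python
import struct

LEAF_PREFIXES = ("image/", "video/", "audio/")   # leaf resource types named in the text
FRAME = struct.Struct("!I")                      # assumed framing: count of covert bytes


class Station:
    """Relay station state: covert-site content waiting for a leaf-sized slot."""

    def __init__(self):
        self.queue = bytearray()

    def enqueue(self, covert_bytes):
        self.queue += covert_bytes

    def rewrite(self, content_type, body):
        """Return a body of identical length; leaf bodies carry queued data."""
        is_leaf = content_type.lower().startswith(LEAF_PREFIXES)
        if not is_leaf or len(body) < FRAME.size:
            return body                       # pages, CSS and scripts pass unchanged
        room = len(body) - FRAME.size
        take = bytes(self.queue[:room])
        del self.queue[:room]
        # Zero padding is an assumption; on the wire it sits inside the TLS record.
        return FRAME.pack(len(take)) + take + bytes(room - len(take))


def client_unwrap(content_type, body):
    """Client side: recover the covert bytes from a replaced leaf resource."""
    if not content_type.lower().startswith(LEAF_PREFIXES) or len(body) < FRAME.size:
        return b""
    (count,) = FRAME.unpack_from(body)
    if count > len(body) - FRAME.size:
        return b""                            # not a frame written by the station
    return body[FRAME.size:FRAME.size + count]


def relay_page(station, overt_responses):
    """Pass one overt page load through the station; return (rewritten, recovered)."""
    rewritten, recovered = [], bytearray()
    for content_type, body in overt_responses:
        new_body = station.rewrite(content_type, body)
        if len(new_body) != len(body):
            raise ValueError("replacement changed the response size")
        rewritten.append((content_type, new_body))
        recovered += client_unwrap(content_type, new_body)
    return rewritten, bytes(recovered)


# Constructed overt page: (Content-Type, body) pairs as the station would see them.
OVERT_PAGE = [
    ("text/html; charset=utf-8", b"<html>" + b"x" * 794),
    ("text/css", b"c" * 300),
    ("image/png", b"\x89PNG" + b"p" * 1196),
    ("application/javascript", b"j" * 500),
    ("image/gif", b"GI"),                     # too small to hold a frame
    ("video/mp4", b"v" * 3000),
]

if __name__ == "__main__":
    station = Station()
    station.enqueue(bytes(range(256)) * 20)   # 5120 bytes of constructed covert content
    _, got = relay_page(station, OVERT_PAGE)
    print(len(got), "bytes delivered,", len(station.queue), "still queued")
```

One load of this page delivers 4192 of the 5120 queued bytes; the rest waits until the OUS requests more leaf resources.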

5.2 Gossip Protocol

In 2018 Bocovich et al. (Bocovich and Goldberg 2018) published a novel solution to the problem of routing asymmetry for bidirectional protocols. They proposed complementing Slitheen with lightweight, easy to deploy upstream listening stations to create a more downstream focused system inspired by Waterfall. The protocol leverages the fact that TLS sessions persist across several requests which often follow the same route. This allows upstream relay stations to provide a registration mechanism for any downstream relay stations they can communicate with. The upstream relay first broadcasts a TLS handshake with an unregistered tag to downstream relays. The downstream relay uses a challenge-response protocol to verify the authenticity of the data and then registers the IP address of the client, overt site, and the shared secret key it calculates from the tag. The next step is for the client to initiate another TLS connection to the overt site. Finally the downstream relay captures TLS handshake responses between the same IP addresses which allow it to calculate the TLS session keys. It decrypts the TLS Finished message and replaces it with an encrypted message to signal the client is connected. The upstream relay broadcasts any registered TLS traffic to allow the client to instruct the downstream relay to retrieve blocked content which it queues. As with the original protocol the downstream relay replaces Leaf resources in responses from the overt site with data from the queue. These modifications to the Slitheen architecture remove the requirement for inline blocking and allow the protocol to tolerate asymmetric routes. Unlike upstream protocols which relay traffic directly to the client, the protocol maintains its resistance to traffic analysis. It can be deployed with many cheap and lightweight upstream relays serving a smaller number of downstream Slitheen stations. This
shift of focus allows it to partially mitigate RAD attacks that seek to route around upstream stations. The authors built a proof of concept with a Linux machine linked to a DPI capable Sandvine PTS 22600 switch by two 10 Gbps connections.

5.3 Slitheen++

Slitheen++ (Birtel and Rossow 2020) is a third-generation protocol published in 2020. It proposes a series of OUS refinements to improve the original protocol’s resistance to upstream traffic analysis at the cost of reduced throughput. The authors implement a delay in between requests to simulate the thinking time of a human user and apply compression to the HTTP headers before appending content so the size remains consistent with requests to the overt site. They also add a crawler to more closely mimic realistic user activity. The crawler parses pages returned by the overt site to extract and follow links rather than loading one page continuously. This makes requests appear less unusual but leads to variable throughput depending on the number of Leaf resources available to replace. Slitheen++ also introduces a client-side queue for each covert site to multiplex connections more efficiently. In order to overcome the original protocol’s problems with out of order packets in their implementation, the authors add a cache to the relay station which imposes a limit on the maximum TLS record size and reorders all TCP traffic. This improves throughput but reduces resistance to traffic analysis by altering the order of packets received. The authors created a virtual machine-based prototype implementation.

6 Discussion

Although much progress has been made in the field of refraction networking since its inception in 2011, as yet no refraction networking solution has achieved the level of adoption required to provide an alternative to current censorship circumvention technologies.

6.1 Attacks

Table 2 Comparison of attacks mitigated by surveyed approaches. Attacks compared: replay attacks, latency analysis, traffic analysis, RAD. Approaches compared: Rebound, Slitheen, Waterfall, Gossip, Multiflow, Conjure, Siegebreaker, Slitheen++.

Censorship circumvention systems must avoid detection and disclosure of user information to censors in order to be effective. Several attacks against existing protocols have been proposed by researchers. Table 2 shows a comparison of the current state-of-the-art refraction networking approaches’ resistance to known attacks. Replay attacks involve a censor capturing traffic deemed suspicious and resending it to the destination in order to detect or disrupt censorship circumvention systems. This category also includes a variation known as a preplay attack in which the censor captures and delays the traffic sent by the client in order to test requests
before they have been made. These attacks are within the capability of modern censors. Researchers have recorded active probes from the Chinese government’s Golden Shield project which allow it to selectively block hosts providing censorship circumvention (Ensafi et al. 2015). All of the approaches surveyed resist replay attacks except for Siegebreaker, which is vulnerable due to the mechanism employed to identify new requests. However, this problem could be resolved with more work on the registration protocol. The Gossip protocol registration mechanism could potentially be adapted for this purpose as has been suggested for Waterfall. Traffic and latency analysis are related attacks that seek to examine, or fingerprint, the traffic profile of the overt site. Traffic analysis examines the pattern and size of packets of a typical user. Latency analysis observes the amount of time the overt site takes to respond to requests. Both attacks seek to create a profile of normal overt site activity which can then be compared with client traffic. If a client’s traffic does not match the profile, it could reveal the use of refraction networking. These kinds of analysis are a concern for protocols that sever the client’s connection to the overt site. Because the refraction networking station communicates directly with the client it is unable to mimic the traffic of the overt site. Similarly, since the overt site and the station are not in the same location there will be detectable differences in the latency of responses. Of the research surveyed only the Rebound and Siegebreaker protocols fail to mitigate traffic and latency analysis attacks. However, it should be noted that these kinds of attacks are beyond the currently observed capabilities of censors. Finally, routing attacks (RAD) could allow a censor to divert upstream network traffic in order to avoid AS known to contain refraction networking stations. 
Despite its potential effectiveness researchers have cast doubt over how realistic a threat RAD poses. Houmansadr et al. (2014) found RAD attacks to be costly in terms of loss of connectivity and quality of service. The Waterfall and Gossip protocols offer some mitigation against RAD attacks. Waterfall’s downstream architecture takes advantage of the fact that censors have little control over the route taken by incoming traffic which makes it considerably more expensive to block or reroute. A similar effect can be achieved by combining Slitheen with a network of lightweight upstream taps communicating via a Gossip
protocol. However, its effectiveness depends on the number of upstream stations deployed.
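The latency comparison described in this section can be used by a protocol designer to check whether a deployment is distinguishable from the overt site. The following added example (not from the chapter or the surveyed papers) applies a two-sample Kolmogorov-Smirnov test to response times; the choice of test, the significance level and all timing values are assumptions, and the samples are constructed rather than measured.

```python
import math


def ks_statistic(sample_a, sample_b):
    """Largest gap between the empirical CDFs of two samples."""
    a, b = sorted(sample_a), sorted(sample_b)
    i = j = 0
    gap = 0.0
    while i < len(a) and j < len(b):
        x = min(a[i], b[j])
        while i < len(a) and a[i] <= x:      # step both CDFs past every value <= x
            i += 1
        while j < len(b) and b[j] <= x:
            j += 1
        gap = max(gap, abs(i / len(a) - j / len(b)))
    return gap


def ks_threshold(n, m, alpha=0.01):
    """Asymptotic two-sample critical value at significance level alpha."""
    return math.sqrt(-math.log(alpha / 2) / 2) * math.sqrt((n + m) / (n * m))


def distinguishable(baseline, observed, alpha=0.01):
    """Return (statistic, flagged) for an observed flow against the site profile."""
    d = ks_statistic(baseline, observed)
    return d, d > ks_threshold(len(baseline), len(observed), alpha)


# Constructed response times in milliseconds (not measurements).
OVERT_BASELINE = [42 + (7 * i) % 13 for i in range(80)]         # profile of the overt site
RELAYED_BY_OVERT = [42 + (5 * i + 3) % 13 for i in range(60)]   # overt site still answers
ANSWERED_BY_STATION = [48 + (5 * i) % 13 for i in range(60)]    # station 6 ms further away

if __name__ == "__main__":
    for name, flow in (("connection maintained", RELAYED_BY_OVERT),
                       ("connection severed", ANSWERED_BY_STATION)):
        d, flagged = distinguishable(OVERT_BASELINE, flow)
        print(f"{name}: D={d:.3f} flagged={flagged}")
```

A flow whose responses still come from the overt site stays well under the threshold, while a 6 ms shift caused by a station in a different location is flagged even though the two ranges overlap.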

6.2 Barriers to Adoption

Researchers have identified several concerns raised by potential ISP partners which may present barriers to their adoption of refraction networking technologies. Telex researchers found inline blocking an obstacle to deployment on service provider networks. Inline network devices receive and forward all traffic that passes through an ISP. They are essential to the function of the network and failures normally lead to dropped packets. Refraction networking approaches that terminate or redirect traffic are more expensive to implement as a result. Rebound, Slitheen, Waterfall, and Siegebreaker all require the use of an inline device but the potential impact of these systems on ISP customer traffic has yet to be properly assessed. If combined with upstream stations, Slitheen can eliminate this requirement. Similarly, routing asymmetry may prevent the deployment of bidirectional systems which rely on the upstream and downstream following the same network route. Upstream and downstream architectures mitigate this issue by design. Of the solutions surveyed only Slitheen and Slitheen++ require symmetric routes. As with inline blocking, the addition of upstream taps that relay data to nearby Slitheen stations can allow the protocol to tolerate asymmetric routes. The privacy of ISP customer data is also an important concern. Refraction networking stations are likely to be maintained by third-party researchers or engineers. ISPs may be reluctant to trial implementations that analyze all traffic passing through the network. Siegebreaker addresses this issue by including an SDN switch which can be maintained by the provider to selectively divert traffic to the station. Finally, the cost of implementing refraction networking solutions may also prove a deterrent. For this reason, most approaches adopt more lightweight listening stations over inline devices. However, Tapdance trials found the costs of running and maintaining an upstream system to be a significant investment. 
The true cost of running refraction networking at scale has yet to be properly assessed but more incentives are needed for ISPs to implement censorship circumvention technologies.

6.3 ISP Deployments

A pilot deployment of Tapdance was conducted at a mid-sized ISP in 2017 (Frolov et al. 2017). The project was funded by the US government and brought together researchers from each of the first generation of protocols. To make the system available to users the project team partnered with Psiphon (2020), a popular censorship circumvention client that supports multiple censorship circumvention technologies for resilience. Researchers estimate the system was made available to about 70,000 users. Two Tapdance stations were deployed on production servers connected to 40 Gbps taps. Daily users peaked at about 55,000 with up to 4000 concurrent Tapdance sessions. At peak, the system was able to process about 20,000 tags per second. Following the pilot, in 2019 a more permanent deployment was put in place and made available to Psiphon users (VanderSloot et al. 2020b). The system received approximately 33,000 users per month, with daily usage varying from 5000 to 15,000 users. Figure 3 illustrates the useful data transmission rates measured over the course of their study. Researchers estimated that equipment costs for deployment were $30,000 USD with running costs of $13,000 USD per year for co-location and $24,000 USD per year for bandwidth. Conjure was developed to simplify Tapdance by addressing issues with overt site selection and TLS problems and has also recently been deployed at the same ISP.

Fig. 3 Useful data transmission rates, reprinted from “Running refraction networking for real” by Vandersloot et al., 2020 (VanderSloot et al. 2020a)

6.4 Future Research

The current state-of-the-art refraction networking solutions leave open questions that present several opportunities for further research.

Although ISP deployments of Tapdance and Conjure are encouraging, the viability of other solutions in production environments is not well understood. More testing in larger, more connected networks is needed. Refraction networking stations have yet to be tested in tier 1 or tier 2 AS which research suggests would be the most effective placement to maximize availability (Cesareo et al. 2012). Similarly, many approaches have been developed and tested with consumer hardware but would benefit from the evaluation of commercial equipment which could be deployed to production environments. Many protocols lack an effective mechanism for clients to easily find refraction networking stations beyond distributing lists of destinations. Since the route taken by traffic also depends on the location of the client, this may present more of a problem as usage increases. Similarly, widespread use of refraction networking systems may introduce new threats. For example, a malicious station could expose users of the system. Refraction networking protocols could benefit from research into minimizing the identifying data available and stored in order to provide anonymity to clients. Finally, refraction networking may benefit from applying research from other areas. Siegebreaker notwithstanding, advances in SDN technology are likely to find wider applications since they abstract the control plane. Commercial SDN solutions could make the prospect of deploying inline devices more attractive to internet service providers.

7 Conclusion

In this chapter, current state-of-the-art approaches to refraction networking are classified by architecture and research is divided into three categories of upstream, downstream, and bidirectional protocols. A comparison of known attacks that are mitigated by each approach is presented, current barriers to adoption are evaluated and possible avenues for future research are proposed. The chapter concludes that in order to provide an alternative to current censorship circumvention solutions refraction networking systems must be more widely deployed and tested. Although the ISP trials described are encouraging, more research is needed to assess the viability of recent approaches in a production environment.

References
S. Belguith, N. Kaaniche, M. Hammoudeh, T. Dargahi, Proud: verifiable privacy-preserving outsourced attribute based signcryption supporting access policy update for cloud assisted IoT applications. Futur. Gener. Comput. Syst. 111, 899–918 (2020)
B. Birtel, C. Rossow, Slitheen++: stealth TLS-based decoy routing, in Free and Open Communications on the Internet, (USENIX, 2020). https://www.usenix.org/system/files/foci20-paper-birtel_0.pdf
C. Bocovich, I. Goldberg, Slitheen: perfectly imitated decoy routing through traffic replacement, in Computer and Communications Security, (ACM, 2016). https://www.cypherpunks.ca/~iang/pubs/slitheen-ccs16.pdf

28 The Efficacy and Real-Time Performance of Refraction Networking


C. Bocovich, I. Goldberg, Secure asymmetry and deployability for decoy routing systems. Priv. Enhancing Technol. 3, 43–62 (2018). https://www.petsymposium.org/2018/files/papers/issue3/popets-2018-0020.pdf
J. Cesareo, J. Karlin, J. Rexford, M. Schapira, Optimizing the placement of implicit proxies. Technical report, Department of Computer Science, Princeton University (2012). http://www.cs.princeton.edu/~jrex/papers/decoy-routing.pdf
D. Ellard, A. Jackson, C. Jones, V.U. Manfredi, T. Strayer, B. Thapa, M.V. Welie, Rebound: decoy routing on asymmetric routes via error messages, in Local Computer Networks, (IEEE, 2015). https://www.victoriamanfredi.com/publications/lcn15.pdf
R. Ensafi, D. Fifield, P. Winter, N. Feamster, N. Weaver, V. Paxson, Examining how the great firewall discovers hidden circumvention servers, in Proceedings of the 2015 Internet Measurement Conference, Association for Computing Machinery, New York, NY, USA, IMC ’15, (2015), pp. 445–458. https://doi.org/10.1145/2815675.2815690
S. Frolov, F. Douglas, W. Scott, A. McDonald, B. VanderSloot, R. Hynes, A. Kruger, M. Kallitsis, D.G. Robinson, S. Schultze, N. Borisov, J.A. Halderman, E. Wustrow, An ISP-scale deployment of TapDance, in Free and Open Communications on the Internet, (USENIX, 2017). https://www.usenix.org/system/files/conference/foci17/foci17-paper-frolov_0.pdf
S. Frolov, J. Wampler, S.C. Tan, J.A. Halderman, N. Borisov, E. Wustrow, Conjure: summoning proxies from unused address space, in Computer and Communications Security, (ACM, 2019). https://jhalderm.com/pub/papers/conjure-ccs19.pdf
I. Ghafir, V. Prenosil, M. Hammoudeh, L. Han, U. Raza, Malicious SSL certificate detection: a step towards advanced persistent threat defence, in Proceedings of the International Conference on Future Networks and Distributed Systems, (2017)
I. Ghafir, V. Prenosil, M. Hammoudeh, T. Baker, S. Jabbar, S. Khalid, S. Jaf, Botdet: a system for real time botnet command and control traffic detection. IEEE Access 6, 38947–38958 (2018)
A. Houmansadr, G.T.K. Nguyen, M. Caesar, N. Borisov, Cirripede: circumvention infrastructure using router redirection with plausible deniability, in Computer and Communications Security, (ACM, 2011), pp. 187–200. https://hatswitch.org/~nikita/papers/cirripede-ccs11.pdf
A. Houmansadr, E.L. Wong, V. Shmatikov, No direction home: the true cost of routing around decoys, in Proceedings of the Network and Distributed Security Symposium – NDSS ’14, Internet Society, (2014)
F. House, Freedom on the net 2020: the pandemic’s digital shadow (2020). https://freedomhouse.org/sites/default/files/2020-10/10122020_FOTN2020_Complete_Report_FINAL.pdf
W. John, M. Dusi, K. Claffy, Estimating routing symmetry on single links by passive flow measurements, in Proceedings of the 6th International Wireless Communications and Mobile Computing Conference, Association for Computing Machinery, New York, NY, USA, IWCMC ’10, (2010), pp. 473–478. https://doi.org/10.1145/1815396.1815506
J. Karlin, D. Ellard, A.W. Jackson, C.E. Jones, G. Lauer, D.P. Mankins, W.T. Strayer, Decoy routing: toward unblockable Internet communication, in Free and Open Communications on the Internet, (USENIX, 2011). https://www.usenix.org/legacy/events/foci11/tech/final_files/Karlin.pdf
B. Leidl, Obfuscated openssh (2010). https://github.com/brl/obfuscated-openssh
V. Manfredi, P. Songkuntham, MultiFlow: cross-connection decoy routing using TLS 1.3 session resumption, in Free and Open Communications on the Internet, (USENIX, 2018). https://www.usenix.org/system/files/conference/foci18/foci18-paper-manfredi.pdf
M. Nasr, H. Zolfaghari, A. Houmansadr, The waterfall of liberty: decoy routing circumvention that resists routing attacks, in Computer and Communications Security, (ACM, 2017). https://acmccs.github.io/papers/p2037-nasrA.pdf
Psiphon, Psiphon: uncensored internet access for windows and mobile (2020). https://psiphon3.com
J. Saleem, M. Hammoudeh, Defense methods against social engineering attacks, in Computer and Network Security Essentials, (Springer, 2018), pp. 603–618
M. Schuchard, J. Geddes, C. Thompson, N. Hopper, Routing around decoys, in Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS 2012), (2012)


P.K. Sharma, D. Gosain, H. Sagar, C. Kumar, A. Dogra, V. Naik, H.B. Acharya, S. Chakravarty, SiegeBreaker: an SDN based practical decoy routing system. Priv. Enhancing Technol. (3), 243–263 (2020). https://petsymposium.org/2020/files/papers/issue3/popets-2020-0051.pdf
B. VanderSloot, S. Frolov, J. Wampler, S.C. Tan, I. Simpson, M. Kallitsis, J.A. Halderman, N. Borisov, E. Wustrow, Running refraction networking for real. Proc. Priv. Enhancing Technol. (4), 321–335 (2020a)
B. VanderSloot, S. Frolov, J. Wampler, S.C. Tan, I. Simpson, M. Kallitsis, J.A. Halderman, N. Borisov, E. Wustrow, Running refraction networking for real. Priv. Enhancing Technol. (3), 321–335 (2020b). https://petsymposium.org/2020/files/papers/issue4/popets-2020-0073.pdf
S. Walker-Roberts, M. Hammoudeh, O. Aldabbas, M. Aydin, A. Dehghantanha, Threats on the horizon: understanding security threats in the era of cyber-physical systems. J. Supercomput. 76(4), 2643–2664 (2020)
M. Walshe, G. Epiphaniou, H. Al-Khateeb, M. Hammoudeh, V. Katos, A. Dehghantanha, Noninteractive zero knowledge proofs for the authentication of IoT devices in reduced connectivity environments. Ad Hoc Netw. 95, 101988 (2019)
E. Wustrow, S. Wolchok, I. Goldberg, J.A. Halderman, Telex: anticensorship in the network infrastructure, in USENIX Security Symposium, (USENIX, 2011). https://www.usenix.org/event/sec11/tech/full_papers/Wustrow.pdf
E. Wustrow, C.M. Swanson, J.A. Halderman, Tapdance: end-to-middle anticensorship without flow blocking, in Proceedings of 23rd USENIX Security Symposium (USENIX Security 14), (USENIX Association, San Diego, 2014)

29 Providing Real-Time and Reliable Transmission in Routing Protocols for Large-Scale Sensor Networks

Lapas Pradittasnee

Contents
1 Introduction
2 Routing Metrics for Reliable and Real-Time Data Transmission
2.1 Single Routing Metric
2.2 Composite Routing Metric
3 Route Discovery Process for Large-Scale Networks
4 Route Maintenance Process for Supporting Real-Time and Reliable Transmissions
5 Conclusion
References

Abstract

Providing real-time and reliable data transmission in large-scale sensor networks is a difficult task. Many factors must be carefully considered. The most critical issue that can affect the performance of real-time delivery and reliable transmission is the unpredictable behavior of wireless channels. In a short period of time, the condition of a wireless channel can change from good to bad. Furthermore, large-scale network implementation has unique requirements that differ from small- or medium-sized network implementation. This chapter is divided into three sections. The first section will go over routing metrics for providing reliable transmissions. It focuses on how to create a routing metric that can determine the best routing paths based on the requirement for reliable transmission. In the second section, we will go over the route discovery process, which can support large-scale networks. In large-scale implementation, the route discovery process must find a new routing path quickly because a long delay in this process can cause data packets to miss their deadline at the sink nodes. The route maintenance process for real-time delivery will be discussed in Sect. 4. Real-time delivery relies heavily on an efficient route maintenance process. This is primarily due to the fact that each node in the network requires as much information about the current state of the network as possible in order to react quickly to changes.

L. Pradittasnee, King Mongkut’s Institute of Technology Ladkrabang, Bangkok, Thailand
© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_68

1 Introduction

Providing real-time and reliable data transmissions in large-scale sensor networks is a challenging task (Kim et al. 2017; El-Fouly and Ramadan 2020; Hasan et al. 2017a). This is mainly because of the unpredictable behavior of wireless channels. Wireless channel conditions in the routing path between source and destination may change from good to poor in a short period of time, which can result in a high number of packet drops. To address this issue in the network layer of the TCP/IP model, routing protocols that aim to provide high reliability must be capable of accurately identifying the optimal routing path from source to destination in order to reduce the total number of packet drops caused by poor wireless channel conditions. However, if the routing protocols must support not only reliable transmissions but also real-time delivery, they must not only identify the best routing path for transmitting data packets to their destinations but also be able to deliver data to their destinations within a time limit. This is primarily due to the fact that when data transmissions fail, the common solution is to re-transmit the same data packets from the source nodes again. As a result, the re-transmission process can significantly increase the transmission delay of the data packets, and they can miss their deadline period at the sink nodes.

Previously, many routing protocols for sensor networks were not specifically designed to support reliable transmissions and real-time delivery requirements. The common main objective of these routing protocols is to conserve the overall remaining energy in all sensor nodes in the network. This is because the sensor devices are small and have a limited amount of battery power. To achieve a high level of energy efficiency, previous energy-efficient routing protocols chose to implement the routing metric based on energy information to find routing paths that consume less energy and also to use a simple route management process that consumes a minimum amount of resources in each sensor device. However, an energy-based routing metric and a simple route management process are unlikely to support reliable transmission and real-time delivery requirements.

Discovering and maintaining high-reliability routing paths is critical for ensuring reliable data transmissions in sensor networks. Using energy-related routing metrics, such as the remaining battery level and average power consumption, may not be able to accurately estimate the condition of the routing paths. As a result, existing routing protocols that aim to provide reliable data transmissions choose routing metrics based on wireless channel condition, such as packet reception ratio (PRR), expected transmission count (ETX), received signal strength indicator (RSSI), and many more (Gomes et al. 2017; De Couto et al. 2003; Zuniga and Krishnamachari 2004). Based on their specific requirements, some existing protocols may choose to use a single routing metric that can accurately evaluate the condition of the routing paths. Another well-known approach for selecting routing metrics that can accurately evaluate reliability performance is to combine multiple routing metrics, which is called a composite routing metric. However, analyzing the value of routing metrics that are based on reliability often takes more time to achieve the optimum result. When using an energy-based metric, the value of the routing metric changes slowly over time and may require a shorter evaluation time.

The main goal of meeting real-time delivery requirements is to use the best routing path that can transport data packets to their destination within a certain time requirement. In wireless communication scenarios, the wireless channel condition can rapidly deteriorate in a short amount of time and is uncontrollable. If a data packet is forwarded across a poor-quality wireless channel, the data packet is likely to be dropped and will not reach its destination. In this situation, re-transmitting the identical data packet from the source node is a frequent recovery solution. The re-transmitted data packet may be successfully received at the destination node, but it may also miss its deadline, in which case it will be dropped and cannot be processed further at the destination node. As a result, real-time routing systems must be able to respond quickly to changes in the state of available routing paths.
There are two basic components that many real-time routing protocols in sensor networks integrate to quickly react to changes in network condition. The multipath routing strategy is the first component. Selecting and storing numerous pathways for each given destination is known as multipath routing (Hasan et al. 2017b; Zhang et al. 2018). As a result, data transmissions can continue as usual even if some routing paths fail, as long as other routes to the same destination are available. However, in order to retain all potential routing paths, multipath routing schemes require extra resources in each node. The second component for providing real-time delivery is an effective route maintenance process. This is due to the fact that all associated sensor nodes must be informed of the problem with the wireless channel in order to immediately switch to an alternative routing path to avoid transmission errors.

This chapter will look at three key components that can help with reliable real-time routing in large-scale sensor networks. We will first look at routing metrics that can support both real-time delivery and reliable transmissions. Then, we will look at the route discovery process, which is critical for providing real-time delivery in large-scale network implementations. Next, we will look at how to manage routing information in large-scale sensor networks in order to ensure real-time delivery and reliable transmission. Lastly, we will conclude this chapter.

2 Routing Metrics for Reliable and Real-Time Data Transmission

Sensor nodes are typically small and low-power devices. Many routing metrics in existing routing protocols designed for wireless sensor networks are based on energy information. The remaining battery power in each sensor node and the energy consumption level for performing data transmissions are well-known routing metrics that are used by many routing protocols. Using the remaining battery power as a routing metric can identify routing paths that are very likely to have sufficient energy power to forward data packets to their destination nodes. The main disadvantage of using the remaining battery power as the routing metric is that if one of the sensor nodes in the routing path has a remaining battery level that is less than the specific threshold, this routing path cannot be used for packet transmission even if other sensor nodes have sufficient battery power. Sensor nodes located very close to the sink node are more likely to have lower remaining energy. As a result, when all of the sensor nodes near the sink node run out of battery power, no data packets can be forwarded to the sink node. Using energy consumption as a routing metric can assist in identifying routing paths that will consume less energy than other available routing paths in the network. As a result, the overall network operation period may be extended. However, the evaluation process for the routing metric based on energy consumption level is more complicated than the routing metric based on the remaining battery power. Figure 1 shows an example of determining the best routing path between nodes x and y. The total cost of the routing path can be calculated using Eq. 1, where c is the sequence number of the routing path, n represents the total number of sensor nodes between nodes x and y, and li represents the energy consumption level of node i. According to Fig. 1, P2 has the lowest overall energy consumption level and will be used as the routing path to deliver data packets from node x to node y. 
The complexity of calculating the total cost of the routing path increases as the number of nodes in the routing path increases. If the remaining battery power is used as the routing metric, the total cost of the routing path based on the remaining battery power is the minimum remaining battery power of the sensor node in the routing path. It is notably less complicated than the path calculation using the routing metric based on energy consumption.

$$P_c = \sum_{i=1}^{n} l_i \qquad (1)$$

Fig. 1 Example of path metric calculation based on energy consumption

Before designing routing metrics for any routing protocol, there are several important factors to consider. Different routing metrics may necessitate different operators for evaluating the total cost of the routing paths, such as maximizing or minimizing the value of all routing metrics in each node or communication link in the routing path. Some routing metrics may need to be tweaked in order to work properly with the Shortest Path First (SPF) algorithm. Another critical issue is how the value of the specific routing metric evolves over time. If the routing metric’s value changes frequently, it can cause a serious problem because the best routing path can change frequently over time. Therefore, a complex route maintenance mechanism is required to ensure that the best routing path is selected and maintained in all network nodes. For energy-related metrics, the battery power level and energy consumption level are very likely to change gradually over time, and the sensor nodes can maintain the best routing path for an extended period of time. However, using an energy-related routing metric may not provide efficient routing paths capable of meeting real-time delivery and reliable transmission requirements. Next, we will discuss two major approaches for selecting the best routing metrics to support real-time delivery and reliable transmission requirements. There are two main types of routing metrics: single routing metrics and composite routing metrics.

2.1 Single Routing Metric

There are numerous routing metrics that can be used to identify reliable routing paths. Request for Comments (RFC) 6551 discussed routing metrics for path calculation in Low-Power and Lossy Networks (LLN) (Barthel et al. 2012). There are two types of routing metrics: node metrics and link metrics. Node metrics are used to provide information about node characteristics. Node energy, such as the remaining battery power and energy cost from transmitting and receiving packets, is one of the well-known node characteristics. Another well-known node characteristic is hop count, which can represent the number of nodes along the routing path. However, the routing path based on hop count is likely to be the shortest path between any source and destination nodes. A shortest routing path may contain some nodes with a high error rate, resulting in a large number of packet drops.

Many existing works employ link metrics in their routing protocols to address reliable transmission. There are numerous types of link metrics. In this chapter, we will look at two key link characteristics: throughput and link reliability. De Couto, Aguayo, Bicket, and Morris (2003) propose expected transmission count (ETX) as a link reliability metric (De Couto et al. 2003). ETX is determined by the likelihood that packets will be successfully transmitted across a communication link. ETX considers the probability of successfully transmitted packets in a bidirectional manner, as shown in Eq. 2, where $d_f$ is the probability of packets successfully transmitted from a sender node to a receiver node over the communication link and $d_r$ is the probability of packets successfully transmitted in the reverse direction.

$$ETX = \frac{1}{d_f \times d_r} \qquad (2)$$

Packet reception ratio (PRR) is another well-known throughput characteristic that can be used as the link metric for supporting reliable transmission requirements. It is intended to determine the quality of low power wireless communication links (Zuniga and Krishnamachari 2004). The value of PRR can be calculated either using mathematical analysis or using actual throughput performance with statistical analysis. Zuniga and Krishnamachari (2004) proposed a mathematical model to estimate the link condition based on Layer 2 information as shown in Eq. 3, where $d$ is the distance between source and destination node, $\gamma$ is the signal-to-noise ratio (SNR), and $f$ is the frame size. Pradittasnee, Campete, and Tian (2017) estimate the value of PRR using actual throughput, which will be discussed in detail later (Pradittasnee et al. 2017). These approaches each have their own advantages. Estimating the value of PRR based on a mathematical analysis of the current input parameters is likely to require a shorter evaluation period and can quickly determine the current status of the communication link, but it may not accurately represent the exact condition if the environment in the network differs from what is assumed in the mathematical model. Using L3 information to estimate the value of PRR can correctly estimate the performance of data transmissions between a pair of selected source and destination nodes. However, in order to achieve accurate estimation results, a significantly long evaluation period may be required.

$$PRR(d) = \left(1 - \frac{1}{2}\exp\left(-\frac{\gamma(d)}{2}\cdot\frac{1}{0.64}\right)\right)^{8f} \qquad (3)$$

Selecting the best routing metric that can support the specific requirements of the applications is a critical step, but it is just the first step toward a routing protocol that can satisfy both real-time delivery and reliable transmission. The chosen routing metric must be integrated with the route discovery process in order to determine the optimal paths in the network. Another critical step is selecting a metric operator, which determines how each node calculates the best routing path. There are numerous metric operators for various types of routing metrics: additive, multiplicative, and concave (maximum or minimum) (Zahariadis and Trakadas 2012). For the routing metric based on ETX, a multiplicative operator is likely to be used. The total ETX cost of the routing path can be determined based on Eq. 4, where $ETX_t$ is the total ETX cost of the routing path, $ETX_i$ is the value of ETX of link $i$, and $l$ is the total number of communication links in the routing path. A possible routing path between node A and node G is depicted in Fig. 2. The two possible routes from node A to node G are Path1 (A-B-C-G) and Path2 (A-D-E-G). Based on the value of ETX in Fig. 2, Path2, which has a lower overall routing metric cost, will be used as the optimal routing path between node A and node G.

$$ETX_t = \prod_{i=1}^{l} \frac{1}{ETX_i} \qquad (4)$$

Fig. 2 Example of path metric calculation based on ETX

Fig. 3 Example of path metric calculation based on PRR

For the routing metric based on PRR, there are multiple approaches to estimate the total PRR cost of the routing path. This is mainly because the value of PRR can be calculated from either data link layer information or network layer information. For example, Fig. 3 shows that the total PRR cost of each routing path will be calculated using a multiplicative operator over the PRR value of each communication link along the routing path. Another approach to estimate the value of PRR of the routing path is to use the total number of received packets at the destination node divided by the total number of transmitted packets at the source node.

In this approach, the evaluation process only occurs at the sink node. However, the evaluation process of ETX in Fig. 2 and the evaluation process of PRR in Fig. 3 are required at each node in the same routing path. The examples of the evaluation process of ETX and PRR show that different routing metrics may require different metric operators. If we select a single routing metric to represent the optimal routing paths, it is not a complicated task. However, a single routing metric can only represent one characteristic of the routing path. It is unlikely to represent complex requirements, such as reliable transmission and real-time delivery. In order to satisfy both of these requirements, a composite routing metric that consists of multiple routing metrics is required. Nevertheless, the process of selecting multiple routing metrics to work together is also more complicated, especially when two selected routing metrics require different metric operators. This problem can be solved by using routing algebra, which will be discussed next.

The work of Sobrinho (2003) proposed using routing algebras to analyze and ensure that the given routing metric can provide optimal and loop-free paths between all possible communication pairs of nodes in the network (Sobrinho 2003). The work of Yang and Wang (2008) extends the work of Sobrinho (2003) by focusing on routing processes in wireless networks (Yang and Wang 2008). When the chosen routing metric is used in conjunction with routing protocols, three major properties must be met: optimality, consistency, and loop-freeness. The work of Yang and Wang (2008) also conducted a mathematical analysis to provide a guideline for selecting routing metrics to implement in the given routing protocols used in wireless devices, as shown in Table 1.

Table 1 Guidelines for selecting routing metric from Yang and Wang (2008)

| Routing protocols | Optimality | Consistency | Loop-free |
| Flooding with source routing | Right-isotonic | – | – |
| Flooding with hop-by-hop routing | Right-isotonic, strictly left-isotonic | Right-isotonic, strictly left-isotonic | Loop detect mechanism |

There are two properties of routing algebras that need to be explained further: monotonic and isotonic. The monotonic property means that the total cost of the routing path does not decrease when it is prefixed or suffixed by another routing path or a communication link. For the isotonic property, the order of the total cost between two routing paths is preserved even when these two routing paths are prefixed or suffixed by another routing path or the communication link. According to Table 1, if the routing protocol is based on flooding route discovery with a source routing algorithm, the routing metric for this routing protocol must satisfy the right-isotonic property to ensure that the routing paths selected by this routing protocol are always the optimal routing paths. If the routing protocol is based on a flooding mechanism with a hop-by-hop routing algorithm, to ensure that the selected routing path is optimal, consistent, and loop-free, the routing metric must be right-isotonic and strictly left-isotonic. More detail of routing algebra will be discussed in the next section.
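The metric definitions of this section, as an added Python example that is not part of the original chapter: it evaluates Eq. 2 and Eq. 3 and aggregates per-link values along the two routes A-B-C-G and A-D-E-G with additive, multiplicative, and concave operators. The link delivery ratios are constructed (they are not the values of Fig. 2), γ(d) is assumed to be a linear ratio, and Eq. 4 is read as the product of 1/ETX_i, following the text's statement that ETX uses a multiplicative operator.

```python
import math


def link_etx(d_f, d_r):
    """Eq. 2: ETX of one link from forward and reverse delivery ratios."""
    if not (0.0 < d_f <= 1.0 and 0.0 < d_r <= 1.0):
        raise ValueError("delivery ratios must lie in (0, 1]")
    return 1.0 / (d_f * d_r)


def prr_model(snr, frame_bytes):
    """Eq. 3: modelled PRR for SNR gamma(d) and frame size f in bytes.

    Assumption of this example: snr is a linear ratio, not a dB value.
    """
    bit_success = 1.0 - 0.5 * math.exp(-(snr / 2.0) * (1.0 / 0.64))
    return bit_success ** (8 * frame_bytes)


# Metric operators named in the text: additive, multiplicative, concave.
OPERATORS = {
    "additive": sum,
    "multiplicative": math.prod,
    "concave_min": min,
    "concave_max": max,
}


def path_cost(link_values, operator):
    """Aggregate per-link values into one path value with the given operator."""
    values = list(link_values)
    if not values:
        raise ValueError("a path needs at least one link")
    return OPERATORS[operator](values)


# Constructed (d_f, d_r) pairs per link; not the values shown in Fig. 2.
PATHS = {
    "Path1": {"A-B": (0.95, 0.95), "B-C": (0.60, 0.70), "C-G": (0.95, 0.90)},
    "Path2": {"A-D": (0.85, 0.90), "D-E": (0.90, 0.85), "E-G": (0.85, 0.85)},
}


def evaluate(paths):
    """Return the metrics of every path under each operator."""
    report = {}
    for name, links in paths.items():
        etx = [link_etx(d_f, d_r) for d_f, d_r in links.values()]
        report[name] = {
            "hops": len(etx),
            "etx_sum": path_cost(etx, "additive"),
            "worst_link_etx": path_cost(etx, "concave_max"),
            # Eq. 4 read as a product of 1/ETX_i: the chance that a single
            # attempt succeeds in both directions on every link of the path.
            "delivery": path_cost((1.0 / e for e in etx), "multiplicative"),
        }
    return report


def best_path(paths):
    """Select the path with the highest product of 1/ETX_i."""
    report = evaluate(paths)
    return max(report, key=lambda name: report[name]["delivery"])


if __name__ == "__main__":
    for name, metrics in evaluate(PATHS).items():
        print(name, {k: round(v, 3) for k, v in metrics.items()})
    print("selected:", best_path(PATHS))
    print("PRR model, snr=10, f=50 bytes:", round(prr_model(10.0, 50), 3))
```

Both routes have three hops, so hop count cannot separate them; the single weak link B-C is what pushes Path1 behind Path2 under every reliability-based operator.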

2.2 Composite Routing Metric

Using a composite routing metric increases the likelihood of accurately identifying the routing path that can meet the complex requirements of applications. Using multiple routing metrics, on the other hand, makes it more difficult to maintain isotonic and monotonic properties, which are required for routing protocols to select the best routing paths. Furthermore, the selected routing metrics may work with different types of metric operators, for example, metric 1 requires an additive metric operator, whereas metric 2 requires a multiplicative metric operator. To be able to combine these two routing metrics, this scenario necessitates some modification to the routing metric or the implementation of an additional process. Zahariadis and Trakadas (2012) suggest the following guidelines for creating a composite routing metric (Zahariadis and Trakadas 2012).

• Routing metric must represent the required characteristics of the wireless networks.
• Routing metric must exhibit continuity: Small changes in one routing metric value must result in small changes in the composite routing metric value.
• The composite routing metric must hold isotonic and monotonic properties as discussed previously.

The work of Zahariadis and Trakadas (2012) also proposes a general guideline for creating the composite routing metric. The first approach is to use an additive metric operator to combine two routing metrics. However, this approach requires two routing metrics to support the same metric operator and metric order relation.


Another method to create the composite routing metric is to combine two routing metric in the lexicographic approach, which will be discussed next. The lexicographic and additive composite routing metrics were proposed by Gouda and Schneider (2003). The lexical composite metric is made up of two routing metrics (r1 and r2 ). One routing metric will be designated as the primary metric, while the other will be designated as the secondary metric. The primary routing metric takes precedence, which means that if the considered routing path has the best cost value based on the primary metric, it will be chosen as the optimal path. Only when two or more possible routing paths have the same total cost based on the primary routing metric will the secondary metric be used as part of the routing path evaluation. Because we can separately evaluate the isotonic and monotonic properties, it is easier to choose the routing metrics for creating the composite routing metric based on this concept. Pradittasnee et al. (2017) also proposed another approach for developing composite routing metrics for real-time delivery and reliable transmission in industrial wireless sensor networks. The combination of ETX and PRR is used. However, these two routing metrics are evaluated separately. PRR is used to estimate the overall performance of the entire routing path, and it is only evaluated at the sink node of each path. ETX is used to estimate the performance of each link along the routing path. Figure 4 depicts how the composite routing metric, which consists of ETX and PRR, works in a network based on the work of Pradittasnee et al. (2017). To represent the entire routing path, the PRR metric will be used. The sink node of this routing path (node Z) will be in charge of calculating the value of PRR based on Eq. 5, where kr is the number of received packets at the sink node and ks is the total number of packets transmitted at the routing path’s source node. 
In order to achieve high accuracy, the value of PRR will be evaluated at the sink node over a significantly long period of time. The ETX metric will be used to evaluate the link condition between each pair of adjacent nodes on the path (the link between node A and node B, between node B and node C, and between node C and node Z). Each pair of nodes will calculate the value of ETX using Eq. 2, and it will be calculated over a much shorter time period than the PRR metric. Because the ETX metric can detect a potential problem in one link member of this routing path, if the estimated value of ETX is less than the threshold value, a notification message will be sent to the sink node to evaluate the value of PRR faster. If a change in ETX value degrades the PRR performance of the entire routing path, the current routing path can be terminated and the routing protocol can begin a new route discovery process to find another best routing path to transmit packets from node A to node Z.

$$PRR = \frac{k_r}{k_s} \tag{5}$$

Fig. 4 Example of the implementation of the composite routing metric
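The lexicographic rule described above, as an added example (not code from the chapter or from Gouda and Schneider): a shortest-path search over pairs $(r_1, r_2)$ in which the secondary metric only breaks ties on the primary. The topology, the choice of a hop-style primary metric with a delay secondary metric, and all function names are assumptions made for illustration.

```python
import heapq

# Constructed topology (not from the chapter). Every link carries a pair
# (r1, r2): r1 is the primary metric (an integer hop-style cost) and r2 the
# secondary metric (link delay in ms). Both are additive and non-negative.
LINKS = {
    "A": {"B": (1, 4), "C": (1, 9), "F": (1, 1)},
    "B": {"D": (1, 7), "E": (1, 2)},
    "C": {"E": (1, 1)},
    "D": {"Z": (1, 3)},
    "E": {"Z": (1, 6)},
    "F": {"G": (1, 1)},
    "G": {"H": (1, 1)},
    "H": {"Z": (1, 1)},
    "Z": {},
}


def combine(path_cost, link_cost):
    """Extend a path by one link; each component uses its own additive operator."""
    return (path_cost[0] + link_cost[0], path_cost[1] + link_cost[1])


def best_path(links, src, dst):
    """Dijkstra over (r1, r2) costs.

    Python orders tuples lexicographically, so r2 is consulted only when two
    candidate paths tie on r1, which is exactly the lexicographic rule.
    """
    heap = [((0, 0), src, [src])]
    settled = set()
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node in settled:
            continue
        settled.add(node)
        if node == dst:
            return cost, path
        for nxt, link_cost in links[node].items():
            if nxt not in settled:
                heapq.heappush(heap, (combine(cost, link_cost), nxt, path + [nxt]))
    return None, []


def holds_isotonic_and_monotonic(path_costs, link_costs):
    """Check both properties over the given sample costs (a spot check, not a proof)."""
    for p in path_costs:
        for link in link_costs:
            if combine(p, link) < p:      # monotonic: extending a path never improves it
                return False
            for q in path_costs:          # isotonic: extension preserves the ordering
                if p <= q and not combine(p, link) <= combine(q, link):
                    return False
    return True


if __name__ == "__main__":
    print(best_path(LINKS, "A", "Z"))
```

The four-hop path through F has the lowest delay but loses on the primary metric; the three three-hop paths tie on $r_1$, so $r_2$ decides among them.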

Selecting multiple routing metrics to create a composite routing metric can aid in identifying the optimal routing paths that can meet the requirements of complex applications such as reliable transmission. However, in a large-scale network implementation, the wireless channel condition can change from good to bad in a very short period of time. The current optimal routing path may no longer be the optimal path in an hour, and a new routing path must be established to replace the current path. The route discovery process in a large-scale network can take a long time to complete. As a result, in order to support the large-scale implementation requirement, we must minimize the processing time of the route discovery process.

3 Route Discovery Process for Large-Scale Networks

To discuss the route discovery process, we must first discuss packet forwarding algorithms, because the type of packet forwarding algorithm that a routing protocol uses shapes its route discovery process. In wireless networks, there are two types of packet forwarding algorithms: hop-by-hop routing and source routing (Yang and Wang 2008). In hop-by-hop routing, a node with a packet to transmit will add the sink node's destination address to the packet header. The packet will then be forwarded to the node next to it. The adjacent node will use its routing table to relay the packet to another adjacent node, which will forward it to its destination. In hop-by-hop routing, each node in the network is required to create a complete network topology and use this topology information to establish optimal routing paths for all traffic flows in the network. When using hop-by-hop routing, each node in the network only needs to know the routing information from its neighboring nodes in order to determine the best routing paths and keep all of the best paths in the routing table, while each node that uses a routing protocol based on source routing must acquire routing information from all other nodes in the network in order to create accurate network topology information. These are the primary distinctions that will influence how the route discovery process works.

Many routing protocols for wireless sensor networks, such as AODV and AOMDV (Royer and Perkins 2000; Yuan et al. 2005), use the hop-by-hop routing algorithm. The majority of these routing protocols use a reactive routing approach. Because a source node only establishes a routing path to a destination node when it has data packets to transmit, the reactive routing approach is appropriate for hop-by-hop routing. The routing path will be terminated once all data packets have successfully arrived at the destination node. This type of forwarding process only requires routing information about adjacent nodes, which is similar to the requirement of hop-by-hop routing. The main advantage of using hop-by-hop routing with reactive routing protocols is that it does not necessitate a large amount of computing resources in a sensor node. Each sensor node's routing table does not need to establish and maintain a large number of routing paths. Furthermore, once the data transmissions are completed, the routing path will be terminated. When the sensor node has new data to transmit, the routing path is re-established. This benefit is especially valuable to sensor nodes in a wireless sensor network. Because sensor nodes are small and have limited resources, using hop-by-hop routing with reactive routing protocols can help to save resources and extend sensor node battery life.

A source routing algorithm can also be found in a variety of routing protocols for wireless sensor networks. However, the total number of routing protocols that use the source routing algorithm is much lower than the number that use the hop-by-hop routing algorithm. This is due to the fact that the source routing algorithm necessitates a significant amount of computing resources in each sensor node. A sensor node in the network must create and maintain at least two tables: a routing table and a topology table. Furthermore, in order to create a topology table with a complete view of the network, each node must receive routing information from all other nodes in the network. The majority of routing protocols that use source routing are proactive routing protocols. In proactive routing protocols, each node in the network will establish all of the best routing paths to all network destinations.
After the routing paths are built, the route update and maintenance operations must maintain them to ensure that they remain the best option for reaching the destination address.

There are many different types of route discovery processes, but the most well-known is the flood-based route discovery process, which can be used for both hop-by-hop routing and source routing algorithms. The main difference is the path calculation process used to determine the best routing paths. The most common path calculation process in many reactive routing protocols that use hop-by-hop routing is based on the Bellman-Ford algorithm. The most common path calculation process for many proactive routing protocols that use source routing is based on Dijkstra's algorithm.

Figure 5 shows an example of a flood-based route discovery process that is implemented with hop-by-hop routing in reactive routing protocols. If node A wants to transmit a data packet to node G, node A will create a route request packet with its routing information and flood this route request packet to all of its adjacent nodes (nodes B and C). After nodes B and C receive the route request packet, they will process the route information in the route request packet, add their routing metric to it, and then flood the route request packet to their adjacent nodes (nodes D and E). This flooding process will be repeated until the route request packet reaches its destination node (node G). After node G has processed the route request packet, it will reply with a route reply packet. Node G will use the route information in the route request packet to determine the best next-hop node for the route reply packet based on the Bellman-Ford algorithm. Assuming that it is node D, node G will forward the route reply packet to node D in unicast mode rather than by flooding. This forwarding process will be repeated until the route reply packet is successfully received and processed at node A.

Fig. 5 Example of flood-based route discovery process with hop-by-hop routing

For flood-based route discovery that is used in proactive routing protocols based on the source routing algorithm, all nodes in the network must create and flood a route update packet to all other nodes in the network. When each node in the network starts the routing protocol, it will create a route update packet that contains its routing information and then flood this route update packet to its adjacent nodes. When the adjacent nodes receive the route update packet, they will process the route information in it to create their topology tables and flood the route update packet to their adjacent nodes. The flooding process will continue until each node has received all route update packets from the other nodes in the network, which means each node can accurately create the topology table. The information in the topology table will be used with Dijkstra's algorithm in each node to determine the optimal routing paths to all destinations in the network.

The main advantage of the route discovery process of hop-by-hop routing with a reactive routing protocol is that it creates less routing overhead, because only a source node will flood the route request packet, while all nodes in the network will flood the route update packet in the route discovery of proactive routing protocols based on source routing. In a large-scale network, the route discovery of the source routing algorithm is likely to create a large amount of routing overhead when compared with the route discovery process of the hop-by-hop routing algorithm.
Moreover, the route discovery process of the hop-by-hop routing algorithm is very likely to consume fewer resources in each sensor node, because only a routing table is created and this table will be terminated after the data transmission completes. On the other hand, the route discovery process of the source routing algorithm requires more resources in order to maintain both the routing table and the topology table.

However, the major drawback of the route discovery process of hop-by-hop routing is that it must initiate the route discovery process every time the source node has a data packet to transmit. The route discovery process requires a notable amount of time to complete, and the time will be longer as the size of the network becomes larger. This disadvantage can significantly degrade the performance in terms of real-time delivery, mainly because the data packets can miss their strict deadlines due to the delay in the route discovery process.

In order to support real-time delivery, the route discovery process of the source routing algorithm can be a promising solution, because all nodes in the network that use the source routing algorithm must maintain all the best routing paths to all destinations in their routing tables. If the routing tables in all nodes are complete, there is no delay from the route discovery process as there is in the route discovery process based on the hop-by-hop routing algorithm. As a result, the data packets are transmitted from the source node in a shorter amount of time, because a sensor node that employs the source routing algorithm is likely to have a routing path to the destination node in its routing table. On the other hand, sensor nodes that implement the hop-by-hop routing algorithm must finish the route discovery process before they can begin the data transmission procedures, and in large-scale networks, the route discovery process is extremely likely to take a long period of time.

Moreover, if real-time delivery is an important requirement of the application of interest, multipath routing can be added to the route discovery process based on source routing. Generally, many routing protocols will only store and maintain one optimal routing path per destination. The multipath routing approach allows each node to store multiple routing paths to the same destination address. This can be very helpful when one of the routing paths is down.
If multipath routing is implemented, the node that detects the problem in this routing path can change to another routing path, which is available in its routing table, to resume the data transmission process without any delay. Many real-time routing protocols for wireless networks use multipath routing to ensure real-time delivery (Hasan et al. 2017a). However, implementing multipath routing also requires more resources in the sensor node, because each node must maintain more routing information in its routing table.

The route discovery process based on the source routing algorithm can help to provide real-time delivery in large-scale networks, but there are some critical issues that must be addressed. The main issue is the large amount of routing overhead generated during the flooding process. In the source routing algorithm, all nodes in the network are required to flood their route update packets to all other nodes in the network. In large-scale networks, the flooded packets can consume all available bandwidth in the network, resulting in no packets being transmitted for an extended period of time. Another significant issue is that route discovery based on source routing requires a complex route maintenance process. To ensure that the optimal paths are still available during the route discovery process based on source routing, all nodes in the network must keep the routing information in their routing tables. The route discovery process based on hop-by-hop routing, on the other hand, only requires maintaining the routing information until the data transmission is complete, which is a simpler process that can be easily implemented in small devices such as sensor nodes.


In conclusion, while the route discovery process based on hop-by-hop routing may not be suitable for supporting real-time delivery in large-scale network implementation, it may be the best option when sensor nodes are mobile because routing paths are frequently changed and should not be maintained for an extended period of time. On the other hand, the route discovery process based on source routing can provide a significant reduction in response time and can transmit data packets as soon as the data becomes available. However, routing protocols that use the source routing algorithm will require an efficient routing maintenance process to ensure real-time delivery performance. This issue will be addressed in the following section.
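To make the overhead comparison in this section concrete, the following added example (not from the chapter) floods a route request from A to G with Bellman-Ford relaxation and a unicast reply, then floods one route update per node and runs Dijkstra's algorithm on the resulting topology table, counting transmissions in both cases. The topology and link costs are constructed, since Fig. 5 is not reproduced here, and the function names are assumptions.

```python
from collections import deque
import heapq

# Constructed topology in the spirit of Fig. 5; weights are additive link
# costs chosen for illustration only.
TOPOLOGY = {
    "A": {"B": 2, "C": 1},
    "B": {"A": 2, "D": 1, "E": 3},
    "C": {"A": 1, "E": 4},
    "D": {"B": 1, "G": 2},
    "E": {"B": 3, "C": 4, "G": 1},
    "G": {"D": 2, "E": 1},
}


def reactive_discovery(topo, src, dst):
    """Flood a route request from src; return (path, cost, transmissions)."""
    best = {src: 0}        # best accumulated cost back to src known at each node
    prev = {}              # reverse pointer followed later by the route reply
    queue = deque([src])   # nodes with a (re)broadcast of the request pending
    tx = 0
    while queue:
        node = queue.popleft()
        tx += 1                                   # one broadcast of the request
        for nbr, cost in topo[node].items():
            cand = best[node] + cost              # Bellman-Ford relaxation
            if cand < best.get(nbr, float("inf")):
                best[nbr], prev[nbr] = cand, node
                if nbr != dst and nbr not in queue:
                    queue.append(nbr)             # forward the improved request
    if dst not in best:
        return [], None, tx
    path = [dst]
    while path[-1] != src:                        # route reply: unicast, hop by hop
        path.append(prev[path[-1]])
        tx += 1
    return path[::-1], best[dst], tx


def proactive_discovery(topo):
    """Every node floods one route update; return (topology tables, transmissions)."""
    tables = {n: {n: dict(topo[n])} for n in topo}   # each node knows its own links
    tx = 0
    for origin in topo:
        seen = {origin}
        queue = deque([origin])
        while queue:
            node = queue.popleft()
            tx += 1                                  # node (re)broadcasts the update
            for nbr in topo[node]:
                if nbr not in seen:                  # duplicate updates are dropped
                    seen.add(nbr)
                    tables[nbr][origin] = dict(topo[origin])
                    queue.append(nbr)
    return tables, tx


def dijkstra(table, src, dst):
    """Shortest path computed locally from one node's topology table."""
    heap, done = [(0, src, [src])], set()
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == dst:
            return path, cost
        if node in done:
            continue
        done.add(node)
        for nbr, weight in table.get(node, {}).items():
            if nbr not in done:
                heapq.heappush(heap, (cost + weight, nbr, path + [nbr]))
    return [], None


if __name__ == "__main__":
    print(reactive_discovery(TOPOLOGY, "A", "G"))
    tables, total = proactive_discovery(TOPOLOGY)
    print(total, dijkstra(tables["A"], "A", "G"))
```

Both approaches find the same path on this six-node graph, but the proactive flood grows with the square of the node count, while the reactive flood is paid again before every new transmission.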

4 Route Maintenance Process for Supporting Real-Time and Reliable Transmissions

In large-scale network implementations, a route discovery mechanism that is based on the source routing algorithm is likely to create a large number of route update packets, because it requires every node in the network to create a route update packet and flood it to all other nodes in the same network. Each of these route update packets will be received and then flooded to other nodes. Therefore, when the number of nodes increases, the total number of route update packets in the network during the route discovery process increases significantly. This is one of the main reasons why there are few routing protocols for wireless sensor networks that use the route discovery process based on the source routing algorithm.

Fisheye state routing is one of the most well-known link-state routing algorithms for ad hoc networks (Pei et al. 2000). It improved the route discovery process by limiting the amount of routing information that needs to be maintained in each node, so the total amount of routing overhead can be decreased. Another approach to reducing the routing overhead from flooding route update packets is to use a hierarchical architecture. There are many existing routing mechanisms based on hierarchical architecture. The main concept of a hierarchical architecture is to separate sensor nodes into multiple groups or clusters (Heinzelman et al. 2000; Manjeshwar and Agrawal 2001; Smaragdakis et al. 2004). Only a group leader or cluster head can communicate directly with the leaders of other groups. A member of a group can only communicate directly with other nodes in the same group or with its leader node. Therefore, flood transmissions are bounded within the same group of nodes. If the total number of member nodes per group can be kept small, this can significantly reduce the flooding problem of the route discovery process.
Many hierarchical architectures proposed in existing work in the area of sensor networks did not aim to support reliable transmission and real-time delivery. Energy-related issues are one of the main objectives that many works focus on. For example, Hammoudeh and Newman (2015) proposed the ROL/NDC protocol, which adds a load balancing algorithm to distribute traffic between multiple paths in order to conserve the energy of the sensor nodes and prolong the overall network lifetime. However, the number of existing works that take into account both reliable transmissions and real-time delivery is growing (Pradittasnee et al. 2017; Long et al. 2018; Al-Mayouf et al. 2018; Kim et al. 2019). For example, Pradittasnee et al. (2017) proposed a hierarchical structure that has a two-tier structure, as shown in Fig. 6. The core routing nodes in the upper tier use a multipath routing approach to create and maintain multiple routing paths to each destination. Some of these core routing nodes will be a cluster head for the local routing nodes in the lower tier. This hierarchical structure is required to limit the number of core sensor nodes in order to maintain an acceptable level of routing overhead. Local routing nodes in the lower tier are only required to create and maintain a single routing path to their cluster heads in the upper tier.

Aside from the routing overhead issue, another factor to consider if we need to use the source routing algorithm with the route discovery process is the route maintenance process. This is primarily due to the fact that all routing paths are established and maintained in the routing table of all network nodes. This remains true, however, only while the routing path condition continues to perform at an acceptable level. If the existing routing paths have a high error rate, new routing paths must be established to replace them in time in order to provide reliable transmission and real-time data delivery. The route maintenance process is divided into two categories: periodic update and partial update. The periodic update method is a simple algorithm. In general, the periodic update approach is better suited for use in small, low-power devices like sensor nodes.
Partial update approaches, on the other hand, are more complex than periodic update approaches and are likely to consume more resources in each sensor node. However, the partial update approach can provide faster update times to all network nodes. Next, we will examine both approaches in detail.

Fig. 6 Example of hierarchical structure: two-tier structure

Figure 7 shows a network topology that consists of three sensor nodes (A, B, and C) to explain how the periodic update approach works. When the routing protocol in node A starts for the first time, node A will use the periodic update process to perform the route update process. Node A will add routing information (its network address and the value of the routing metric) into a route update packet. Then, node A will transmit the route update packet to its next-hop node, node B. After node B receives the route update packet from node A, it will update its routing table based on the information inside the route update packet. But node B cannot immediately create and transmit a route update packet based on this new routing information. It must wait until the next periodic update time to transmit the route update packet to all of its adjacent nodes.

Fig. 7 Example of periodic update approach

The periodic update mechanism will run continuously in all nodes in the network, even when the routing tables of all nodes have all of the best routing paths to all destination addresses. This is to keep the update information current. However, this has to be traded off against the total amount of routing overhead, because if the routing information remains the same, the route update packets that are created in each periodic update are useless and can be considered routing overhead. Another major drawback of the periodic update mechanism is a notably long update time to all nodes in the network, because when a sensor node receives new routing information from a route update packet, it has to wait until the next periodic update time to advertise this change to its adjacent nodes.
In large-scale network implementations, the required update time can increase significantly, which may cause missed deadline events at the destination node and can significantly decrease the overall network performance.

The partial update approach only provides a route maintenance process. A routing protocol that implements the partial update mechanism needs to implement a separate route discovery process, which can establish all of the best routing paths to every destination address for each sensor node. The partial update mechanism is responsible for maintaining the freshness of the routing information in the network. Figure 8 shows a network topology that consists of four sensor nodes (A, B, C, and D). All nodes must already have a routing table that has routing paths to all other nodes in the network. When node A detects an error in the link between itself and node B, node A will create a route update packet that carries update information about the link between node A and node B. Then, node A will use the flood transmission mechanism to transmit the route update packet to other nodes in the network. When the adjacent nodes receive the route update packet, they will update the current information in their routing tables and immediately transmit the route update packet to all of their next-hop nodes. As a result, the update time to all nodes in the network of the partial update approach is very likely to be less than the update time of the periodic update approach. This is because route update packets can be relayed without having to wait until the next periodic update period.

Fig. 8 Example of partial update approach

When compared to one another, both the periodic update and partial update approaches have advantages and disadvantages. The primary advantage of the periodic update process over the partial update process is that it is a simple algorithm with low computation complexity that is suitable for small devices such as sensor nodes. Furthermore, the periodic update process consists of two major routing protocol functions: route discovery and route maintenance. However, the main disadvantage of the periodic update process is the long route update process, which may make the periodic update process unsuitable for the requirement of real-time data transmission. When compared to the periodic update process, the partial update process can provide significantly faster updates. However, it can only perform route maintenance and requires an additional route discovery process. The partial update mechanism necessitates that each node have a complete network topology view. Consequently, the route update packet must only include the routing information that has changed since the current network state. For this reason, the partial update mechanism in many wireless sensor networks is implemented using a well-known route discovery process similar to that used in link-state routing protocols for wired networks such as OSPF and IS-IS. The route discovery process of link-state routing protocols requires all nodes to create a route update packet with their routing information and then flood this route update packet to all other nodes in the network.
As a result, this route discovery mechanism is likely to create a large number of route update packets in large-scale networks and can disrupt data transmissions for a period of time. Moreover, the route discovery process based on flood transmission may not work effectively in wireless environments, because a lot of flood transmissions may notably interfere with the wireless channels of neighbor nodes. Next, we will look at a number of significant works that attempt to improve both the periodic update and partial update processes in order to support reliable and real-time delivery requirements in large-scale sensor networks.

The IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL) is proposed in Request for Comments (RFC) 6550 (Alexander et al. 2012). It is a proactive routing protocol that is designed specifically for wireless communications in low-power devices such as sensor nodes. RPL uses the periodic update approach as its route maintenance process, but it adds the trickle algorithm to address the routing overhead problem. As mentioned in the previous paragraph, the original periodic update mechanism will continue to advertise route update packets even when there is no change in the routing information, which can notably increase the amount of routing overhead in the network. As a result, the total amount of available bandwidth can be significantly reduced, lowering the overall performance of data transmission processes. In RPL, each node in the network has to transmit a route update packet at the end of the periodic update period ($U_p$). The initial $U_p$ value is equal to $I_{min}$. After each node starts its routing process, the value of $U_p$ will be modified based on the following conditions:

• Condition 1: If the sensor node receives a route update packet from its adjacent node that contains redundant routing information when compared with the information inside its own routing table, this node will suppress the route update packet for the current $U_p$ period and will double the length of $U_p$ for the next periodic update period (from $U_p$ to $2U_p$). If the sensor node still receives redundant routing information in the next periodic update process, it will double the value of $U_p$ for the next periodic update period until the value of $U_p$ reaches the maximum threshold value of 2 h (which is the recommended value in RFC 6550) (Alexander et al. 2012).
• Condition 2: Any time the sensor node receives a route update packet whose routing information is different from the current information in its routing table, the value of $U_p$ for the current periodic update period will be reset to $I_{min}$. Thus, the route update packet will be transmitted when the value of the updated $U_p$ reaches zero.

The trickle algorithm that RPL uses can help to notably decrease the amount of routing overhead when compared with the original periodic update approach (Levis et al. 2011). This is because, even though the sensor nodes that implement RPL are still required to transmit a route update packet every $U_p$ seconds, if the route update packet from the next-hop node contains the same routing information that is already in the node's routing table, the route update packet for the current update period will be suppressed and the value of $U_p$ for the next update period will be doubled. If there is no change in the network for a long period of time, no route update packet will be generated until the value of $U_p$ reaches its maximum threshold of 2 h. However, if the information in the route update packet is different from the information in the routing table, this sensor node still needs to wait until the current value of $U_p$ expires in order to advertise this new change to the adjacent nodes. As a result, the trickle algorithm still cannot solve the long delay problem, especially in large-scale implementations, and may not be suitable to support the real-time delivery requirement.

Pradittasnee et al. (2017) also proposed an efficient route maintenance process in order to support reliable transmission and real-time delivery in large-scale industrial wireless sensor networks. The proposed route maintenance process is the combination of a global update process and a local update process. The global update process is designed to work with a routing metric that requires a long evaluation period ($T_g$) to get accurate results, such as packet reception ratio. The sensor nodes in the routing path will evaluate the condition of the routing path every $T_g$ period (periodic update). The global update process is used for maintaining the optimal routing path because it can accurately determine the condition of the routing path, if the appropriate routing metric is selected. The local update process is designed to work with a routing metric that requires a short evaluation period ($T_l$) when compared with the value of $T_g$. The outcome of the local update process will be used to identify a potential problem in the routing path. It may not be used as the main criterion to terminate the current routing path and create a new path to replace it. It will be used to notify all related nodes in the routing path to reduce the value of $T_g$ in order to start the evaluation process of the global route update process sooner than the current evaluation period. The combined global and local update processes can enhance both reliable transmission and real-time delivery, because the global route update can provide an accurate estimation of the routing path condition and the local update process can quickly detect any potential problem in the routing path. This can help the routing protocol to react quickly to changes even in large-scale network implementations.
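Conditions 1 and 2 above, replayed as a timer simulation; this is an added example that follows the chapter's simplified description rather than the full algorithm of RFC 6206, and it is not RPL's own code. The value $I_{min}$ = 8 s, the 4 s neighbour interval and the function names are assumptions. A period in which nothing redundant is heard is assumed to end with a transmission and an unchanged $U_p$, a case the text does not spell out.

```python
from collections import deque

I_MIN = 8          # seconds; assumed value, the chapter does not give one
I_MAX = 2 * 3600   # the 2 h ceiling quoted in the text


def run_trickle(events, horizon, i_min=I_MIN, i_max=I_MAX):
    """Replay heard route updates against one node's update timer.

    events: time-ordered (time_s, kind) with kind "redundant" or "changed".
    Returns a log of (time_s, action, Up_after) entries.
    """
    pending = deque(events)
    log = []
    up = i_min
    deadline = up                    # end of the current update period
    heard_redundant = False
    while True:
        while pending and pending[0][0] < deadline:
            t, kind = pending.popleft()
            if kind == "changed":    # Condition 2: restart the period at Imin
                up = i_min
                deadline = t + up
                heard_redundant = False
                log.append((t, "reset", up))
            else:
                heard_redundant = True
        if deadline > horizon:
            break
        if heard_redundant:          # Condition 1: suppress and double Up
            up = min(2 * up, i_max)
            log.append((deadline, "suppress", up))
        else:                        # assumed: advertise and keep Up unchanged
            log.append((deadline, "transmit", up))
        heard_redundant = False
        deadline += up
    return log


def count(log, action):
    return sum(1 for entry in log if entry[1] == action)


def advertise_delay(log):
    """Seconds between the first 'reset' and the transmission that follows it."""
    reset_at = next(t for t, action, _ in log if action == "reset")
    sent_at = next(t for t, action, _ in log if action == "transmit" and t > reset_at)
    return sent_at - reset_at


def quiet(until, every=4):
    """Constructed input: a neighbour repeats already-known routes every `every` s."""
    return [(t, "redundant") for t in range(every, until, every)]


if __name__ == "__main__":
    for entry in run_trickle(quiet(1000) + [(1000, "changed")], horizon=1010):
        print(entry)
```

In the constructed run, six consecutive suppressions replace the 126 packets a fixed 8 s period would have sent by t = 1008 s, yet the change heard at t = 1000 s is still advertised only after a further $I_{min}$, and every additional hop adds a similar wait.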
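The ETX/PRR composite metric of Fig. 4 and the combined global and local update processes described above can be sketched as one path monitor; this is an added example, not code from Pradittasnee et al. (2017). The periods, thresholds and packet counters are constructed. ETX is assumed here to be transmission attempts per acknowledged packet, so a degraded link shows a larger value; the comparison should be matched to the ETX definition of Eq. 2.

```python
from dataclasses import dataclass, field


@dataclass
class PathMonitor:
    t_local: int          # Tl: ETX evaluation period per link (s)
    t_global: int         # Tg: normal PRR evaluation period at the sink (s)
    t_global_fast: int    # shortened Tg after a local notification (assumed)
    etx_alarm: float      # ETX beyond this marks a link as suspect (assumed)
    prr_min: float        # PRR below this terminates the path (assumed)
    log: list = field(default_factory=list)

    def run(self, windows):
        """Feed one counter set per Tl window.

        Returns the time at which the path is terminated and route discovery
        restarts, or None if the path stays acceptable.
        """
        next_global = self.t_global
        sent = received = 0
        for i, w in enumerate(windows, start=1):
            now = i * self.t_local
            sent += w["sent"]            # ks: packets sent by the source node
            received += w["received"]    # kr: packets received at the sink node
            # Local update: per-link ETX over the short window.
            for link, (attempts, acked) in w["links"].items():
                etx = attempts / acked if acked else float("inf")
                if etx > self.etx_alarm and next_global - now > self.t_global_fast:
                    next_global = now + self.t_global_fast   # notify sink: reduce Tg
                    self.log.append((now, "notify", link, etx))
            # Global update: PRR = kr / ks (Eq. 5) for the whole routing path.
            if now >= next_global:
                prr = received / sent if sent else 0.0
                self.log.append((now, "prr", prr))
                if prr < self.prr_min:
                    return now
                sent = received = 0
                next_global = now + self.t_global
        return None


def constructed_windows(total, degrade_from):
    """Constructed counters: link B-C turns lossy from window `degrade_from`."""
    good = {"links": {"A-B": (20, 19), "B-C": (20, 19), "C-Z": (20, 19)},
            "sent": 20, "received": 19}
    bad = {"links": {"A-B": (20, 19), "B-C": (40, 10), "C-Z": (20, 19)},
           "sent": 20, "received": 10}
    return [good if i < degrade_from else bad for i in range(1, total + 1)]


def detection_times():
    """Path termination time with and without the local update process."""
    windows = constructed_windows(total=60, degrade_from=13)
    combined = PathMonitor(10, 600, 30, etx_alarm=2.0, prr_min=0.9)
    global_only = PathMonitor(10, 600, 30, etx_alarm=float("inf"), prr_min=0.9)
    return combined.run(windows), global_only.run(windows), combined.log


if __name__ == "__main__":
    print(detection_times())
```

With the local update enabled, the degraded link is flagged at t = 130 s and the path is replaced at t = 160 s; with the global update alone, the same fault is acted on only at the regular $T_g$ boundary of 600 s.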

5 Conclusion

Providing real-time delivery and reliable data transmissions in a large-scale wireless network is a difficult task. In order to achieve this goal, we must consider a variety of factors. The first thing to consider is whether the chosen routing paths can successfully deliver packets from the source node to the destination node while also meeting both reliable data transmission and real-time delivery requirements. As a result, the selected routing metrics must be able to verify whether or not the selected routing path can meet these stringent requirements. Normally, one routing metric can only identify one specific performance criterion of a routing path. It may be able to meet the requirements of some applications, but in order to support both real-time and reliable transmissions, composite routing metrics may be required. However, using composite routing metrics, which are made up of multiple routing metrics, necessitates some additional steps to ensure that the chosen routing metrics can find the optimal and loop-free routing paths. Estimating the routing metrics separately is a well-known solution for designing composite routing metrics. Pradittasnee et al. (2017), for example, use composite routing metrics based on expected transmission count (ETX) and packet reception ratio (PRR). PRR will be used to estimate overall routing path reliability, and ETX will be used to estimate the quality of each communication link in the routing path. This is used to quickly identify potential problems and can be used to trigger the creation of an alternate routing path to meet real-time requirements.

Nonetheless, designing the best routing metrics to ensure that every node in the network has the best routing paths may be insufficient to meet both real-time and reliable transmission requirements in large-scale deployment. Another critical issue to consider is an effective route maintenance process. Its purpose is to ensure that if a problem is detected in the network, the error information is quickly propagated to all related nodes. There are several recommended protocols that can be used to achieve this goal. The multipath routing scheme is extremely useful for meeting real-time requirements. This is primarily due to the fact that each sensor node will discover and maintain multiple possible routes to each destination. As a result, if the current main routing path underperforms, the alternate path can be activated to replace it and maintain the same level of performance. Another recommended method for meeting real-time requirements is to employ a proactive routing scheme. When the source node needs to find an alternative routing path to replace the current one, this will help to reduce route discovery time. This is a critical issue in large-scale implementations because the route discovery process in large-scale networks is likely to take a long time to complete.

In conclusion, providing real-time and reliable data transmissions for routing protocols in large-scale wireless sensor networks requires considering and fine-tuning multiple processes within the routing protocol so that they work efficiently with one another.
However, the examples in this chapter only discuss the critical issues that must be addressed, as well as provide some good examples from previous research works in this area. However, they are all designed to work effectively with a specific set of requirements. Some changes must be made to ensure that the solution can support both reliable transmission and real-time requirements when addressing new types of applications.
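The division of labour described above (PRR for the whole path, ETX per link, multipath failover) can be sketched as follows. This is an added example, not code from the chapter or from Pradittasnee et al.; the ETX formula is the one from De Couto et al. (2003), while the thresholds, the independence of per-hop losses, the selection rule and all sample delivery ratios are assumptions constructed for illustration.

```python
from math import prod


def link_etx(d_f, d_r):
    """Expected transmission count of one link: 1 / (d_f * d_r) (De Couto et al. 2003).

    d_f / d_r are the forward / reverse delivery ratios measured with probes.
    """
    if not (0.0 <= d_f <= 1.0 and 0.0 <= d_r <= 1.0):
        raise ValueError("delivery ratios must lie in [0, 1]")
    return float("inf") if d_f * d_r == 0 else 1.0 / (d_f * d_r)


def path_prr(links):
    """End-to-end packet reception ratio, assuming independent losses per hop."""
    return prod(d_f for d_f, _ in links)


def assess(links, min_prr, etx_limit):
    """Path-level check (PRR) plus link-level check (ETX) for one candidate route."""
    weak = [i for i, link in enumerate(links) if link_etx(*link) > etx_limit]
    prr = path_prr(links)
    return {
        "prr": prr,
        "etx_sum": sum(link_etx(*link) for link in links),
        "weak_links": weak,               # hop indices that should trigger maintenance
        "ok": prr >= min_prr and not weak,
    }


def choose_route(routes, min_prr, etx_limit):
    """routes: dict name -> [(d_f, d_r), ...]; the first key is the current main path.

    Keeps the main path while it is healthy, otherwise activates the healthy
    alternate with the lowest total ETX. Returns (None, reports) when no stored
    route qualifies, i.e. a new route discovery is needed.
    """
    if not routes:
        raise ValueError("no candidate routes")
    reports = {name: assess(links, min_prr, etx_limit) for name, links in routes.items()}
    main = next(iter(routes))
    if reports[main]["ok"]:
        return main, reports
    usable = [name for name in routes if reports[name]["ok"]]
    best = min(usable, key=lambda name: reports[name]["etx_sum"], default=None)
    return best, reports


# Constructed sample: the main path has one degraded hop (index 1).
ROUTES = {
    "main":  [(0.95, 0.95), (0.60, 0.70), (0.95, 0.90)],
    "alt-1": [(0.90, 0.90), (0.90, 0.95), (0.92, 0.90), (0.90, 0.90)],
    "alt-2": [(0.99, 0.99), (0.50, 0.99)],
}

if __name__ == "__main__":
    selected, reports = choose_route(ROUTES, min_prr=0.6, etx_limit=2.0)
    for name, rep in reports.items():
        print(name, round(rep["prr"], 3), round(rep["etx_sum"], 2), rep["weak_links"])
    print("selected:", selected)
```

The per-link ETX check pinpoints which hop degraded, which the path-level PRR alone cannot do.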

References

R. Alexander, A. Brandt, J.P. Vasseur, J. Huii, P. Thubert, P. Levis, R. Struik, R. Kelsey, T. Winter, RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks. RFC 6550, RFC Editor (2012)
Y.R.B. Al-Mayouf, N.F. Abdullah, O.A. Mahdi, S. Khan, M. Ismail, M. Guizani, S.H. Ahmed, Real-time intersection-based segment aware routing algorithm for urban vehicular networks. IEEE Trans. Intell. Transp. Syst. 19(7), 2125–2141 (2018)
D. Barthel, J.P. Vasseur, K. Pister, M. Kim, N. Dejean, Routing metric used for path calculation in low-power and Lossy networks. RFC 6551, RFC Editor (2012)
D.S.J. De Couto, D. Aguayo, J. Bicket, R. Morris, in A high-throughput path metric for multi-hop wireless routing. Proceedings of the 9th Annual International Conference on Mobile Computing and Networking (MobiCom ’03) (Association for Computing Machinery, New York, 2003), pp. 134–146
F.H. El-Fouly, R.A. Ramadan, Real-time energy-efficient reliable traffic aware routing for industrial wireless sensor networks. IEEE Access 8, 58130–58145 (2020)
R.D. Gomes, D.V. Queiroz, A.C. Lima Filho, I.E. Fonseca, M.S. Alencar, Real-time link quality estimation for industrial wireless sensor networks using dedicated nodes. Ad Hoc Netw. 59, 116–133 (2017). ISSN 1570-8705
M.G. Gouda, M. Schneider, Maximizable routing metrics. IEEE/ACM Trans. Networking 11(4), 663–675 (2003)
M. Hammoudeh, R. Newman, Adaptive routing in wireless sensor networks: QoS optimisation for enhanced application performance. Inf. Fusion 22, 3–15 (2015)
M.Z. Hasan, H. Al-Rizzo, F. Al-Turjman, A survey on multipath routing protocols for QoS assurances in real-time wireless multimedia sensor networks. IEEE Commun. Surv. Tutorials 19(3), 1424–1456 (2017a)
M.Z. Hasan, F. Al-Turjman, H. Al-Rizzo, Optimized multi-constrained quality-of-service multipath routing approach for multimedia sensor networks. IEEE Sensors J. 17(7), 2298–2309 (2017b)
W.R. Heinzelman, A. Chandrakasan, H. Balakrishnan, in Energy-efficient communication protocol for wireless microsensor networks. Proceedings of the 33rd Annual Hawaii International Conference on System Sciences, vol. 2 (2000), p. 10
B.-S. Kim, H.S. Park, K.H. Kim, D. Godfrey, K.-I. Kim, A survey on real-time communications in wireless sensor networks. Wirel. Commun. Mob. Comput., 2017, 1864847 (2017)
B.S. Kim, M. Aldwairi, K.I. Kim, An efficient real-time data dissemination multicast protocol for big data in wireless sensor networks. J. Grid Comput. 17, 341–355 (2019)
P. Levis, T.H. Clausen, O. Gnawali, J. Huii, J. Ko, RPL: the trickle algorithm. RFC 6206, RFC Editor (2011)
N.B. Long, H. Tran-Dang, D. Kim, Energy-aware real-time routing for large-scale industrial Internet of Things. IEEE Internet Things J. 5(3), 2190–2199 (2018)
A. Manjeshwar, D.P. Agrawal, in TEEN: a routing protocol for enhanced efficiency in wireless sensor networks. Proceedings 15th International Parallel and Distributed Processing Symposium (IPDPS 2001) (2001), pp. 2009–2015
G. Pei, M. Gerla, T.W. Chen, in Fisheye state routing: a routing scheme for ad hoc wireless networks. IEEE International Conference on Communications. ICC 2000. Global Convergence Through Communications. Conference Record, vol. 1 (2000), pp. 70–74
L. Pradittasnee, S. Camtepe, Y. Tian, Efficient route update and maintenance for reliable routing in large-scale sensor networks. IEEE Trans. Ind. Inf. 13(1), 144–156 (2017)
E.M. Royer, C.E. Perkins, in An implementation study of the AODV routing protocol. IEEE Wireless Communications and Networking Conference. Conference Record (Cat. No. 00TH8540), vol. 3 (2000), pp. 1003–1008
G. Smaragdakis, I. Matta, A. Bestavros, in SEP: a stable election protocol for clustered heterogeneous wireless sensor networks. Second International Workshop on Sensor and Actor Network Protocols and Applications (SANPA 2004) (2004)
J.L. Sobrinho, in Network routing with path vector protocols: theory and applications. Proceedings of the 2003 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM ’03) (Association for Computing Machinery, New York, 2003), pp. 49–60
Y. Yang, J. Wang, in Design guidelines for routing metrics in multihop wireless networks. IEEE INFOCOM 2008 – The 27th Conference on Computer Communications (2008), pp. 1615–1623
Y. Yuan, H. Chen, M. Jia, in An optimized ad-hoc on-demand multipath distance vector (AOMDV) routing protocol. Asia-Pacific Conference on Communications (2005), pp. 569–573
T. Zahariadis, P. Trakadas, in Design guidelines for routing metrics composition in LLN. Internet-Draft, Internet Engineering Task Force (2012)
W. Zhang, Y. Liu, G. Han, Y. Feng, Y. Zhao, An energy efficient and QoS aware routing algorithm based on data classification for industrial wireless sensor networks. IEEE Access 6, 46495–46504 (2018)
M. Zuniga, B. Krishnamachari, in Analyzing the transitional region in low power wireless links. 2004 First Annual IEEE Communications Society Conference on Sensor and Ad Hoc Communications and Networks, IEEE SECON (2004), pp. 517–526

30 Software-Defined Networking for Real-Time Network Systems

Bhargavi Goswami, Shuwen Hu, and Yanming Feng

Contents
1 Introduction
2 Real-Time Networks (RTN)
3 Software-Defined Networks (SDN)
4 Benefits of SDN-RTN Integration
5 Standards for RTN
6 RTN Protocols
6.1 Real-Time Ethernet (RTE)
6.2 Wireless MAC Protocols for RTN
6.3 CAN Bus Protocol and Advancements
7 Variants of CAN Bus
7.1 Field Bus Protocol
7.2 Cross-Layer WNCS Network
7.3 Time-Sensitive Software-Defined Networks: TSSDN
8 SDN-Based RTN Architecture
9 Problem Formulation of SDRTN
10 Simulators for SDRTN
10.1 Virtual Time–Enabled Mininet
10.2 Mininet
10.3 WiFi-Mininet
11 Experimental Demonstrations
12 Conclusion
References

Abstract

Policy implementation in real-time systems of industrial applications is challenging due to the dynamic nature of the requirements of industrial systems. Compelling complexity lies in the integration of the dynamic policy implementation on the existing real-time infrastructure. If software-defined networks (SDN) join hands with real-time networks (RTN), the global view of the network obtained by the controller will allow efficient decision making and policy implementation to improve the performance of real-time networks. In this chapter, we have presented software-defined real-time networks (SDRTN) to address two primary requirements of real-time networks in industrial systems: (a) improved congestion control leading to controlled timely delivery and (b) improved resource utilization to the provision of quality of service (QoS) policies. The three leading takeaways from this chapter are: (a) a theoretical model is developed integrating SDN with RTN; (b) SDRTN scheme is designed for the policy implementation in RTN; and (c) performance evaluation is demonstrated based on throughput, packet loss, latency, and jitter metrics, providing the step-by-step procedure to implement SDRTN. The numerical analysis is illustrated, showing the impact of the SDRTN architecture on the RTN-based networks’ performance. A significant performance gain is observed in SDRTN in comparison to RTN.

B. Goswami · S. Hu · Y. Feng
School of Computer Science, Queensland University of Technology, Brisbane, QLD, Australia

© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_69

1 Introduction

With the evolution of industrialization, real-time networks (RTNs) have come a long way in improving device-to-device communication to meet the wide range of industrial applications. However, they have reached a threshold where further progress is feasible only if the communication strategies become intelligent. According to Kumar et al. (2017b), the guarantee of quality of service (QoS) is challenging in RTN, which is holding RTNs back from wide-scale industry applications. Cross-layer design architecture is one of the prospective solutions, and a proven complementary communication strategy that can support most RTN requirements (Kumar et al. 2017a). Therefore, control policies get implemented on the multilayered RTN architecture of the industrial systems. Again, these RTN systems are subject to frequent changes depending upon dynamic industry requirements. The significant complexity begins when cross-layered solutions integrate into the applications of real-time industrial systems.

Software-defined networks (SDN) have the potential to integrate with RTN of industrial systems to impose time-constrained policies (Moutinho et al. 2019). The critical feature of SDN is to provide a global view of the network without shadowing the portion of the network through which the time-bound RTN packets pass. The rules can be enforced through SDN’s control plane from the application layer to the data plane at the medium access control (MAC) layer for stringent time-driven RTN. This complete control trait of SDN can bring in the fine-tuning of timing with precision in RTN, along with the control on resource management. Therefore, SDN is an essential technology that can assist RTN to assure guaranteed flow completion within the time-bound communication requirement. However, to our knowledge, no communication strategy has been implemented to improve the RTN using SDN networking concepts, especially for policy implementation of QoS. Keeping in focus the mentioned constraints, we are motivated to develop a controlled intelligent communication design for RTN, improving its performance, using OpenFlow action tables to implement policies for RTN device communication.

In this chapter, we briefly describe RTN and SDN. Further, we discuss RTN standards followed by proficient RTN protocols. The primary contribution of this chapter is listed as follows: (a) software-defined real-time networking (SDRTN) architecture design for policy implementation in RTN; (b) mathematical model to address the integration of SDN concepts in a RTN environment; and (c) implementation of SDRTN. The simulation-based prototype of the SDRTN is demonstrated. Further, the impact of the SDRTN architecture on the performance of the RTN-based networks is analyzed using statistical methods. A comparison is drawn between the stand-alone RTN and SDRTN. Specifically, tightly controlled SDRTN has up to 217.3% multifold performance gain in throughput. There is a remarkable increase in packet loss of 71.7%, latency 69.7%, and jitter gain of 73.6%, respectively. The critical result analysis proves that the SDRTN scheme is better in comparison to the existing industrial practices.

The organization of the chapter is as follows: Section 2 describes the RTN, SDN, and benefits of SDN-RTN integration. Section 3 introduces the standards of RTN. Section 4 compares widely used protocols in RTN while checking the potential of the protocols to integrate with SDN. The subsections of Sect. 4 elaborate on the critical industrial RTN protocols such as real-time Ethernet (RTE), CAN bus, Field Bus, cross-layer wireless networks for control systems (WNCS), and time-sensitive software-defined networks (TSSDN). Section 5 describes the design of SDRTN architecture. Section 6 is the problem formulation of SDN and RTN integration. Section 7 lists the simulation and emulators for SDN-RTN integration. Section 8 demonstrates a step-by-step implementation of SDRTN followed by results, discussion, and comparative analysis. Finally, Section 9 concludes the chapter.

2 Real-Time Networks (RTN)

There are two types of operating systems: (1) GPOS – general-purpose operating systems and (2) RTOS – real-time operating systems. A general-purpose operating system (GPOS) is a set of functions running on a computer or a microcontroller (e.g., Windows, Linux, Android, and iOS). A GPOS runs multiple background processes and applications and is responsible for scheduling time for each of these tasks so that they appear to execute concurrently. A GPOS is also responsible for resource management and for supporting utility software such as device drivers. This type of OS is designed to provide human interaction as an essential feature and prioritizes such tasks. The priority mechanisms of the scheduler are nondeterministic, leading to a lag in completing specific time-bound procedures, which then miss their deadlines. This delay is acceptable for human-oriented OSs, but these OSs do not work well for medical, industrial, or engine control mechanisms. This is where the RTOS comes into the picture. An RTOS offers similar functions with a scheduling mechanism that guarantees meeting the timing deadlines. RTOS is widely accepted in industrial and vehicular systems to ensure no catastrophic accidents or substantial production losses. For example, if the driver wants to stop the moving car and the message delivery gets delayed for 3 seconds, it may lead to an accident. Similarly, if the plastic industry has 3 seconds of delay in the mass production scenario, it may lose tons of expensive raw material. Therefore, in real-time systems, failure to respond is as bad as the wrong response.

Definition: A real-time network is the collection of connected devices working on real-time operating systems (RTOS).

There are two main types of real-time networks with time constraints.

1. Hard real-time networks: There is no possibility that this category of systems can miss the deadline, because the consequences are disastrous if they miss the deadline. An example is a flight control system.
2. Soft real-time networks: The deadline can be missed occasionally with a low probability. The consequence of missing the deadline is not fatal, and an example of such a system is telephone switching.

The three fundamental elements of RTN are: (1) workload – the application specifications supported by the system; (2) resources – the availability of the resources for the application; and (3) algorithms – the process flow of the application system and its usage of resources. As shown in Fig. 1, the field devices of RTN are on the left, and control devices are on the right side of RTN. The real-time server hosts the control and management of the control devices through the bus. For a system to be an RTN, it should be fast, small, predictable, multitasking, interfacing with other devices using programming, and efficiently utilizing computing memory resources. Also, the RTN has event-driven (reactive) and cyclic (fixed cycles) characteristics. Thus, real-time networks are time-critical resource-constrained systems largely influencing industrialization.

Fig. 1 Real-time networks architecture (Paszke et al. 2016)


Fig. 2 Traditional versus SDN architecture (Atefeh Maleki et al. 2017)

3 Software-Defined Networks (SDN)

SDN is an emerging concept of virtualization of network functionalities, making the networking programmable rather than configurable. SDN makes corporate networks agile while keeping them open and free from vendor lock-in. This concept proposes a new network architecture with a three-layered approach: application layer, control layer, and infrastructure (data) layer. SDN architecture discourages vendor lock-in (e.g., CISCO, Juniper, NTT, and Telstra) by logically centralizing the complete configuration of the network. The QoS can be vastly improved using SDN. Traditional networking uses routers and switches integrated with fixed hardware and software to direct traffic across the network. Figure 2 shows the difference between the working of traditional networks and SDN. The red boxes indicate the control plane that manages the data plane, and the blue boxes indicate the data plane, which handles the traffic flows. The data plane and control plane, coupled in traditional networks, become decoupled in SDN.

The intelligent “Controller” is software that works as the heart of the control plane to manage a series of routers and switches working in the data plane. A server can host this controller software to drive all the network traffic. Collectively, this controller is responsible for network function virtualization. The advantages of virtualization are: (1) spanning of the network dynamically becomes easy to manage; (2) network functions can be fine-tuned to address requirements of specific use cases (e.g., real-time applications); and (3) security policies are enforced centrally on each subnet. The control plane interfaces with the data plane using southbound APIs. As shown in Fig. 3, to support network administrators with the information related to network monitoring and performance, SDN provides an abstract network view using northbound APIs.

The OpenFlow protocol plays a vital role in the data plane. OpenFlow aims to provide services for reengineering traffic flows. The primary elements of OpenFlow are the flow tables installed on OpenFlow-aware switches, making them work according to the controller’s instructions. OpenFlow-supported software switches allow the data plane to become programmable rather than configurable. SDN’s intelligent orchestration enables on-demand resource allocation, self-service provisioning, network virtualization, and support for cloud services. Thus, SDN dramatically simplifies the network design and operations. Today, SDN technology has evolved to control connectivity for enterprises with branch offices in wide area networks (WAN). This use case, also known in the technical world as software-defined wide area networks (SD-WAN), is an aggregation of a wide range of network connections for cost-effective networking solutions with the combination of broadband, wireless, or multi-protocol label switching (MPLS).

Fig. 3 SDN architecture (Hakiri et al. 2014)

4 Benefits of SDN-RTN Integration

Real-time applications must be able to integrate with SDN to enable computation of flow paths and guaranteed time requirements (Du and Herlich 2016). By implementing SDN on RTN, expansion is possible on these aspects: (1) tighter delay computation, (2) higher-priority allocation, and (3) guarantee of the RTN application requirements of QoS. Further, the usage of SDN on top of the existing real-time framework is advantageous in the following aspects:

1. Centralized configurations through controllers.
2. Using OpenFlow controllers, standardized system functionalities are implemented.
3. Global network information of SDN controllers can be utilized for path statistics and to diagnose errors in RTN.
4. Centralized SDN controls topological append and exclusion of nodes.
5. Isolation of faulty nodes using OpenFlow tables leads to zero failover.
6. Redundancy of network layer devices controlled by a single SDN controller reduces congestion.
7. Logically subnetting a huge RTN into multiple tiny RTNs that are managed efficiently using the SDN approach.
8. The load balancing feature of SDN allows the communication path to be changed dynamically after the frame has started traveling to meet time data rate–critical requirements of RTE.
9. Efficient multicasting in SDN avoids sending RTN frames to the links with no subscriber as end host, leading to security and resource benefits.

The only trade-off is the need for the controller to enforce a centralized policy and controlled configuration.
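Items 2, 3 and 5 of the list above rest on how an OpenFlow-style flow table resolves a frame: the highest-priority matching entry decides the action, an entry without an output action drops the frame, and each entry keeps a counter the controller can read. The following is an added, simplified model of that behaviour, not the chapter's SDRTN implementation and not a real controller API; the MAC addresses, port numbers, priorities and the use of 802.1Q priority 7 for real-time traffic are assumptions constructed for the example.

```python
from dataclasses import dataclass

DROP = ()                                    # no output action: the frame is dropped
TO_CONTROLLER = (("output", "CONTROLLER"),)  # table-miss behaviour chosen for this sketch
RT_PCP = 7          # assumption: real-time control frames carry 802.1Q priority 7
UPLINK_PORT = 2     # assumption: port leading to the real-time server


@dataclass(frozen=True)
class Frame:
    in_port: int
    eth_src: str
    eth_dst: str
    vlan_pcp: int = 0


@dataclass
class FlowEntry:
    priority: int
    match: dict          # field -> required value; an absent field is a wildcard
    actions: tuple
    hits: int = 0        # per-entry counter the controller can poll for statistics

    def matches(self, frame):
        return all(getattr(frame, k) == v for k, v in self.match.items())


class FlowTable:
    def __init__(self):
        # Priority-0 wildcard entry: anything unmatched is sent to the controller.
        self.entries = [FlowEntry(0, {}, TO_CONTROLLER)]

    def install(self, priority, match, actions):
        entry = FlowEntry(priority, dict(match), tuple(actions))
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.priority, reverse=True)
        return entry

    def process(self, frame):
        for entry in self.entries:            # highest priority first
            if entry.matches(frame):
                entry.hits += 1
                return entry.actions
        return DROP


def install_qos_policy(table):
    """Real-time class goes to the high-priority queue, best effort to queue 0."""
    table.install(100, {"vlan_pcp": RT_PCP}, [("set_queue", 7), ("output", UPLINK_PORT)])
    table.install(10, {"vlan_pcp": 0}, [("set_queue", 0), ("output", UPLINK_PORT)])


def isolate_node(table, mac):
    """Quarantine a faulty node: a drop entry that outranks every QoS entry."""
    return table.install(1000, {"eth_src": mac}, DROP)


def demo():
    table = FlowTable()
    install_qos_policy(table)
    server = "02:00:00:00:00:01"
    sensor = Frame(1, "02:00:00:00:00:0a", server, RT_PCP)
    faulty = Frame(3, "02:00:00:00:00:0b", server, RT_PCP)
    logger = Frame(4, "02:00:00:00:00:0c", server, 0)
    unknown = Frame(5, "02:00:00:00:00:0d", server, 3)
    before = table.process(faulty)
    quarantine = isolate_node(table, faulty.eth_src)
    after = [table.process(faulty) for _ in range(3)]
    return {
        "sensor": table.process(sensor),
        "logger": table.process(logger),
        "unknown": table.process(unknown),
        "faulty_before": before,
        "faulty_after": after,
        "quarantine_hits": quarantine.hits,   # frames the isolated node still tried to send
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The counter on the quarantine entry gives the operator a direct measure of how much traffic the isolated node keeps generating.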

5 Standards for RTN

The RTN of industrial systems trusts the standardization of every process used on the industrial site. Numerous standards are interrelated, widely referred to, and adhered to by operational engineers. There exist time-sensitive networks (TSN) standards to support time-critical data flow through Ethernet networks, supporting a wide range of RTN applications at the data link layer (Bush 2021). These standards take care of variation in delay and packet loss and assure guaranteed data transmission of the communication flows. The system ensures minimum chances of packet loss due to congestion in the communication line by queuing mechanisms at the receiver’s end. Therefore, prediction of worst-case scenario latency is possible by TSN. These parameters can be further improved using reliability assurance through control over bandwidth, line failures, and fault tolerance (Nayak et al. 2016). Standardization begins with IEEE 802.1 audio video bridging (AVB), widely applied in support of entertainment studios worldwide. The AVB standard further evolved to offer IEEE 802.1 TSN, time-sensitive networks (Farkas et al. 2018). Table 1 lists the standards and their application to related areas. These standards aim to provide reliable communication through bandwidth reservation, multipath connectivity, a limit on latency, and complex routing support to control congestion. The master clock and redundancy are introduced in IEEE 802.1AS, making the electronic control unit (ECU) reliable. In IEEE 802.1bv, queue draining is introduced with time-aware queuing mechanisms to provide traffic scheduling, controlling traffic using priority. Guard bands in IEEE 802.1Qv are used to manage transmission according to predefined time slots. The time-aware shaper takes care of traffic scheduled to reduce delay to a great extent. IEEE 802.1Qbu supports fragmentation, where high-priority frames can halt low-priority frame transmission. IEEE 802.1br supports checksum and encapsulation on the egress (outgoing) port. IEEE 802.1ci enables ingress (incoming) traffic to identify faulty nodes through policing and filtering operations. IEEE 802.1CB performs early detection of link failure followed by redirecting traffic to alternative paths. TSN meets the robustness and safety requirements of RTN. However, to meet the demands of current RTN, application of these standards is necessary on RTN applications such as cars, airplanes, medical equipment, and elevators.

Table 1 Standards for RTN

| Standard | Focus | Industrial advantage |
|---|---|---|
| IEEE 802.1ASres | Network time synchronisation | All nodes share same time |
| IEEE 802.1Qbv | Scheduled low latency traffic | Scheduled Ethernet frames never collide |
| IEEE 802.1Qci | Filtering and policing | Removes troublemakers from the network |
| IEEE 802.1CB | Seamless redundancy | Facilitates zero loss switchover |
| IEEE 802.1ca | Path control and reservation | Avoids congestion |
| IEEE 802.1Qcc | Stream reservation | Responsible for path provisioning |
| IEEE 802.1Qbu | Frame preemption | Maximum bandwidth reservation |
| IEEE 802.1br | Frame preemption | Responsible for forwarding and queuing |
| IEEE 802.1Qcr | Asynchronous traffic shaping | Deterministic latency without topology info (Draft 5.0, June 2017) |

6 RTN Protocols

The fundamental step for understanding the functionalities of RTN is to understand the widely accepted industrial RTN protocols. In the following subsections, we provide a set of stellar RTN protocols and their comparison. While doing this, we identify the protocols with the potential to be extended by adding SDN concepts on top of the RTN protocol.

6.1 Real-Time Ethernet (RTE)

To apply SDN concepts in real-time Ethernet (RTE) networks, identifying proficient candidates for protocols is necessary. RTE is a widespread Ethernet technology with the advantage of high bandwidth, but latency guarantee is challenging (Ternon et al. 2016). RTE expanded further, leading to Ethernet Powerlink, VARAN, TT Ethernet, Profinet, and TSN. RTE’s two major performance parameters are round trip time (RTT) and data rate, used to observe delay and data rate, respectively. Table 2 describes the ideal situation of the protocol features from the perspective of SDN orientation. The two approaches of RTE are polling and time scheduling. In polling, the master serves all the slaves, and there is hardly any chance of collision. In time scheduling, the predefined schedule is followed strictly with guard bands in place to avoid further collisions. As given in Table 2, link failure in RTEs is managed by imposing redundancy. Broadcast and multicast are required, specific to one-to-all or one-to-many applications. Concurrency is the ability to both send and receive, which switches can provide but hubs cannot. Network topology indirectly impacts delay. Hot plugging support determines if the network connectivity is feasible while operating. By observing specific characteristics of RTN protocols, we realized that SDN could provide efficient solutions for RTN, such as (i) imposing network policies centrally and (ii) usage of global network information.

6.2 Wireless MAC Protocols for RTN

MAC protocols of RTN have two categories, contention-free and contention-based protocols. The contention-free scheme is suitable for centralized SDN control as the bandwidth is reserved for every transmission; so it is easy to comply with controller rules. On the other hand, contention-based schemes have collisions, and thus the behavior is dynamic to network traffic. This section further lists the factory automation–oriented protocols in combination with 2.4 GHz wireless technologies.

Table 2 Real-time Ethernet protocol’s SDN-oriented traits

| Category | Trait | Powerlink | VARAN | TT Ethernet | Profinet | TSN |
|---|---|---|---|---|---|---|
| Performance | Max data rate | 100 Mbps | 100 Mbps | 1 Gbps | 100 Mbps | >1 Gbps |
| Compatibility | Ethernet frames | Yes | No | Yes | Yes | Yes |
| Compatibility | Web traffic | Yes | Yes | Yes | Yes | Yes |
| Compatibility | Network device | Hub | Hub | Switch | Switch | Switch |
| SDN orientation | Principal | Polling | Polling | TimeSch | TimeSch | TimeSch |
| SDN orientation | Redundancy | Ring, dual | No | Dual, more | Multi, Ring | Yes |
| SDN orientation | Multicast | No | No | Unknown | No | Yes |
| SDN orientation | Broadcast | Yes | Oneway | Yes | Unsure | Yes |
| SDN orientation | Hot pluggable | Yes | Yes | Unknown | Yes | Yes |
| SDN orientation | Concurrent Snd/Rcv | No | No | Yes | Yes | Yes |
| SDN orientation | Multipath routing | No | No | Yes | Yes | Yes |
| SDN orientation | Topologies | R,T,S,L | T,S,L | R,T,S,L | R,T,S,L | Arbitrary |

S Star, T Tree, R Ring, L Linear, Snd Send, Rcv Receive

6.3 CAN Bus Protocol and Advancements

The electronic control units (ECUs) used in industrial systems have a message-based protocol called controller area network (CAN bus), which was introduced by Bosch (Smith 2021). Its purpose is to let ECUs communicate with each other in a reliable, priority-driven manner. It is a two-layer protocol where the messages or “frames” do not require a host computer to operate. The rich set of international standards of ISO 11898 supports CAN bus. Figure 4 describes the CAN bus node, where the CAN controller communicates with other nodes in an RTN system over the bus through a transceiver. The term “flexible” means that ECUs can modify transmission rates and message sizes dynamically as per the requirements of the real-time circumstances. The recently introduced “Flexible Data (Rate)” version of the CAN bus is also known as CAN FD. In this version, the standard length of the message has risen to 800%, making it 64 bytes. In addition to that, the maximum data rate has surged from 1 Mbps to 8 Mbps.

Fig. 4 CAN bus node

All the three frame formats (standard, extended, and flexible data rate) of the CAN bus are given in Fig. 5. Here, SOF is the start of the frame. RTR is a remote transmission request. IDE is an identifier extension bit to identify CAN that is transmitted. RO is reserved for future use. DLC is the data length code indicating the number of bytes in transmission. CRC stands for cyclic redundancy check, carrying the checksum value to perform error detection and correction. ACK stands for acknowledgment; 1-bit usage provides reliability without adding overhead. EoF is the end of the frame, and IFS is inter-frame spacing, allowing 3 bits to pass before the start of the frame SOF bit to safeguard from collisions.

Fig. 5 CAN bus frame format with standard, extended, and FD version

CAN supports transmission of four types of communication: (1) data frames from one-to-many receivers; (2) demand frames represent that more data is expected from sending nodes; (3) using error frames, errors get reported; and (4) report overload conditions using overload frames.
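To make the field list and the priority-driven behaviour concrete, the following added example (not the authors' code) builds and parses a classical standard-format CAN data frame and resolves bus arbitration bit by bit. Because Fig. 5 is not reproduced in this text, the field widths are those of the CAN 2.0A / ISO 11898-1 standard frame rather than values taken from the chapter; bit stuffing is omitted for clarity, the reserved bit is named r0, and the identifiers and payload are constructed.

```python
CRC15_POLY = 0x4599  # x^15+x^14+x^10+x^8+x^7+x^4+x^3+1, the CAN CRC polynomial
TAIL_BITS = 15 + 1 + 1 + 1 + 7 + 3   # CRC, CRC delim, ACK, ACK delim, EOF, IFS


def _bits(value, width):
    return [(value >> i) & 1 for i in range(width - 1, -1, -1)]


def _value(bits):
    out = 0
    for b in bits:
        out = (out << 1) | b
    return out


def crc15(bits):
    """CRC over SOF..data field, computed on the unstuffed bit sequence."""
    crc = 0
    for b in bits:
        top = (crc >> 14) & 1
        crc = (crc << 1) & 0x7FFF
        if b ^ top:
            crc ^= CRC15_POLY
    return crc


def build_frame(can_id, data, acked=True):
    """Return the frame as a list of bits (0 = dominant, 1 = recessive)."""
    if not 0 <= can_id < 2 ** 11:
        raise ValueError("standard identifiers are 11 bits")
    if len(data) > 8:
        raise ValueError("classical CAN carries at most 8 data bytes")
    head = [0] + _bits(can_id, 11) + [0, 0, 0] + _bits(len(data), 4)  # SOF, ID, RTR, IDE, r0, DLC
    for byte in data:
        head += _bits(byte, 8)
    ack = 0 if acked else 1            # a receiver overwrites the ACK slot with dominant
    return head + _bits(crc15(head), 15) + [1, ack, 1] + [1] * 7 + [1] * 3


def parse_frame(bits):
    if len(bits) < 19 + TAIL_BITS or bits[0] != 0:
        raise ValueError("truncated frame or missing SOF")
    can_id = _value(bits[1:12])
    rtr, ide, _r0 = bits[12:15]
    if ide:
        raise ValueError("extended format is not handled in this sketch")
    dlc = _value(bits[15:19])
    n = 0 if rtr else min(dlc, 8)      # DLC values above 8 still mean 8 bytes
    end = 19 + 8 * n
    if len(bits) != end + TAIL_BITS:
        raise ValueError("frame length does not match DLC")
    data = bytes(_value(bits[19 + 8 * i:27 + 8 * i]) for i in range(n))
    if _value(bits[end:end + 15]) != crc15(bits[:end]):
        raise ValueError("CRC mismatch")
    if bits[end + 15] != 1 or bits[end + 17] != 1 or 0 in bits[end + 18:]:
        raise ValueError("form error in delimiter, EOF or IFS")
    return {"id": can_id, "rtr": bool(rtr), "dlc": dlc, "data": data,
            "acked": bits[end + 16] == 0}


def is_valid(bits):
    try:
        parse_frame(bits)
        return True
    except ValueError:
        return False


def arbitrate(ids):
    """Wired-AND arbitration: at each ID bit a dominant 0 overrides recessive 1,
    and nodes that sent 1 but read 0 back off. The lowest identifier wins."""
    contenders = set(ids)
    for bit in range(10, -1, -1):
        bus = min((i >> bit) & 1 for i in contenders)
        contenders = {i for i in contenders if (i >> bit) & 1 == bus}
    return contenders.pop()


if __name__ == "__main__":
    frame = build_frame(0x123, b"\x01\xff")      # constructed sample frame
    print(len(frame), parse_frame(frame))
    print(hex(arbitrate([0x65A, 0x123, 0x124])))
```

None of the parsed fields identifies the sender, and any node can recompute the CRC, so the checksum shows that a frame arrived uncorrupted, not who transmitted it.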

7 Variants of CAN Bus

CAN is indeed an elegant and reliable protocol (Varsamis and Kornaros 2021), but its data transmission is complex to analyze and understand, which forced the industry to come up with additional standards and protocols with additional functionalities. A few of the stellar protocols are discussed in this section.

1. SAE J1939: The Society of Automotive Engineers developed protocol functionalities on CAN to support heavy trailers and trucks within limited 29-bit message IDs and up to 500 kbps of data rate.
2. OBD 2: A dedicated onboard diagnostics port is provided for RTN system engineers to diagnose and troubleshoot issues using 16 pin connectors. It further helps them to observe temperature, velocity, and connectivity.
3. XCP: The Universal Measurement and Calibration Protocol is based on the CAN calibration protocol, which supports Ethernet data transmission in the absence of any software.
4. CAN Open: Widely used in embedded systems, CAN open is developed to provide logging, recording, and accessing the motion control systems. It provides interoperability, being a high-level protocol.

7.1 Field Bus Protocol

History and key features: Flammini first introduced the Field Bus protocol for the machinery of the plastic industry. This protocol is designed to support up to 16 wireless devices at 128 ms cycles. This protocol aims to minimize overheads, data exchange, energy consumption, and computation work, leading to the protocol’s increased efficiency. With the support of IEEE 802.15.4 on the transceiver, in combination with TDMA/CA – time division multiple access collision avoidance, the protocol can guarantee transmission within the cycle time deadline. The protocol works on a star topology with closely located nodes, further avoiding complex requirements of routing. The end nodes of Field Bus get paired with 9-bit microcontrollers for data acquisition. Figure 6 represents the simplest Field Bus scenario. Figure 7 discusses the operations in detail.

Fig. 6 Field Bus protocol

Operation: The network coordinator is the center of the communication network, responsible for the periodic transmission of a beacon to trigger new flow cycles, as shown in Fig. 7. Next is the joint period that supports transmission of joined messages. The communication slots then get allocated in a real-time period (RT period). Piggybacking of joint messages with acknowledgement is supported through JoinAck. A 32 ms frame forming and queuing period is followed by six slots of TDMA, each of 6 ms. The protocol has a delay acknowledgment strategy to avoid frame retransmission. The coordinator can reserve the slots to support guaranteed time slots (GTS) for the high-priority messages such as thermocouple nodes.

Fig. 7 Field Bus protocol, CSMA/CA – TDMA hybrid medium access

Limitations: After analyzing the performance of the Field Bus protocol, the two significant aspects are timing correctness and reliability. It came out that there was no rebinding procedure or switching of communication channel needed. However, in the event of burst traffic, consecutive beacon loss, data frame loss, and the risk of disconnection from the coordinator are frequent. If the central coordinator is unavailable, then it may lead to burst errors and colossal data loss. A 2.4 GHz channel is susceptible to interference exposure, affecting the performance of timely delivery and reliable communication guarantees.

SDN compatibility: Considering the working of the Field Bus protocol, it aligns perfectly with a centralized control system with a capability to embed with an SDN communication module using OpenFlow. A controller is added to a thin middle layer to reduce complexity and support time-critical reliable SDN communication functionalities.

7.2 Cross-Layer WNCS Network

A cross-layer wireless network for control systems (WNCS) is presented by Tian and Tian (2012) that addresses the requirements of RTN applications with guaranteed performance using admission control and flow rate adaptation. It uses the skeleton of the MILD (multiplicative increase and linear decrease) algorithm with some variations in parameters. As a solution to support periodic traffic generation in RTN, the Markov model of the distributed control function (DCF) is used for real-time WNCS traffic. This research becomes the base for RTN traffic performance evaluation for our model. The same authors have made additional contributions to address the unpredictable deadline performance of RTN control systems. In Tian et al. (2016), a deadline-constrained MAC protocol with QoS differentiation is presented for IEEE 802.11 soft RTN control systems. It mainly manages periodic traffic through two communication mechanisms: a contention-sensitive back-off mechanism and a deadline-sensitive QoS differentiation mechanism. Both these models are highly prominent in industry applications with wireless RTN implementations.

7.3 Time-Sensitive Software-Defined Networks: TSSDN

Background: With the proliferation of IEEE 802.3 and IP networks, a technological push is desired for growing industrial systems. There is a requirement for alternative field buses for time-sensitive systems, especially for transmitting time-sensitive packets. As a solution, time-sensitive software-defined networks (TSSDN) are proposed to provide guaranteed real-time delivery of time-triggered traffic flows despite nondeterministic queuing delays (Nayak et al. 2016). The solution includes the formulation of an integer linear program (ILP) to address the routing and scheduling of traffic. This solution assures that delay stays ≤14 μs and jitter ≤7 μs. The protocol uses the YANG data model, a language used to describe data models of network devices. The required functionality of time-sensitive networks is imposed using CUC (centralized user configuration) and CNC (centralized network configuration).

System model: TSSDN is an SDN-based architecture with the elements of end hosts, OpenFlow-based switches, and a controller, as shown in Fig. 8. The controller is logically centralized, providing the global view of network topologies, traffic flow, and link failures. Only time-triggered traffic is passed to the channel using UDP, thus prioritizing packets using differential and best-effort services. Additionally, PTP (precision time protocol) is used for clock synchronization across the network nodes. However, all the traffic with a time-triggered flag is set to the same priority, which leads to the requirement of an additional scheduling strategy to handle conflicting traffic with the same priority.

Scheduling: Networking delay consists of four types: propagation delay, processing delay, queuing delay, and transmission delay. To determine propagation delay, the band capacity is used. Processing delay in guided media is in microseconds, hence deterministic. UDP transmission has a constant bit rate (CBR), and therefore transmission delay is deterministic. The only nondeterministic delay for time-sensitive flows is queuing delay. The main reason for queuing is the multi-input single-output structure. If reservation is applied to the queuing mechanism, a multi-network path can solve the issue. TSSDN imposes time-triggered TDMA (time division multiple access) to support high-priority traffic over the reserved path. Using the information provided by the controller's global view of the network, we can impose a scheduling mechanism that assures completion of time-triggered packets within deadlines. Observe the TSN section reaching the bottom of the southbound interface.

Routing: Using the SDN OpenFlow protocol, the OpenFlow tables buffer the shortest path information to avoid searching once the request gets generated. The set of shortest paths can be provided as the actual path to reduce runtime, thus saving the shortest path computation time and execution time for each flow.

Fig. 8 Architecture of TSSDN (Böhm et al. 2019)

Bandwidth reservation: According to Kumar et al. (2017a), to meet the requirement of guaranteed bandwidth for all the flows, flow rules are imposed on each flow using the OpenFlow protocol of SDN. The meters assure guaranteed bandwidth for (1) each flow (queue/meter) and (2) each multiplexed virtual switch for multiple flows. The only drawback of this system is that the protocol can support only a limited number of flows, making admission control inevitable. Observe the SDN switch section of the southbound interface in Fig. 8.

Quality of service: The three major parameters controlled to provide assured QoS are bandwidth reservation, queue isolation, and metering of the traffic rate (Kumar et al. 2017b). We discussed bandwidth reservation in the previous subsection and metering during scheduling. In OpenFlow, every switch is equipped with flow tables and the capability to isolate flows from each other. QoS is configured on each queue for the parameters of rate and threshold. These queues are matched using flow IDs in OpenFlow-enabled switches. Observe the SDN section in Fig. 8.


Fig. 9 SDRTN architecture overview

8 SDN-Based RTN Architecture

This section describes the proposed SDRTN framework shown in Fig. 9, which integrates RTN working on a CAN bus with SDN on top of it. The responsibilities of SDN include (a) a data plane for tracking node status, (b) a global view of the topology, and (c) message passing on an optimum path using the southbound API. While focusing on time-critical RTN systems, the northbound interface remains thin and subject to expansion in the future. Admission control policies are enforced on SDN-based RTN through the OpenFlow protocol using the SDN controller to address congestion. To meet the RTN transmission requirements, the controller (a) determines the best route, (b) performs consistent configuration of the entire set of network devices, (c) makes table entries in OpenFlow with an action plan, and (d) forwards the frames. If the admission of the flow fails, the packet gets dropped. The control plane interacts with the southbound interface using the OpenFlow protocol and REST APIs. Further, data plane equipment aligns with the flow table rules of OpenFlow, which govern the entire communication.

Considering the primary requirements of Industry 4.0, the data plane (a) supports two-way communication of RTN traffic, receiving and sending concurrently; (b) reacts to RTN events, which trigger all the time, using ingress procedural calls at each intermediate host; (c) provides a priority-based queuing mechanism to segregate high-priority and low-priority flows; (d) reserves resources for high-priority RTN frame flows; (e) assures QoS alongside; and (f) guarantees timely delivery.

At the ingress (input) port, the OpenFlow-enabled virtual switches receive CAN bus frames, as shown in Fig. 10. The flow table is a set of flow entries where (i) priority gets checked, (ii) packets are filtered based on flow entry specifications, (iii) action is taken based on a set of rules, (iv) the exit process at egress begins, (v) predefined computation is performed, and (vi) packets start moving toward the destination. This filtering is based on the IP, matching content, size, time to live (TTL), and priority. The associated matching instructions in table entries are subject to change based on congestion, high-priority events, and queuing status updates. If the flow entry is not found in the flow tables, OpenFlow switches keep the packets under observation and wait for flow entry updates from the controller while keeping track of the deadline.

Fig. 10 SDN data plane implementation using OpenFlow

The meter table option plays a vital role for CAN bus frames and performs traffic segregation before packets flow out of the egress (output) port. These meter tables assist in managing multicast, web traffic, data rate assurance, priority setting, and minimizing latency for the flowing traffic. For QoS, OpenFlow relies entirely upon these meter tables. For powerful dynamic management of forwarding traffic, OpenFlow functionality requires communication with RTN to create and access flow table entries, filter traffic, distribute packets in groups, maintain meters, configure the network, etc.

Moreover, to our knowledge, there is no system architecture available that is suitable for OpenFlow-based CAN bus service provision. Our research addresses these gaps by proposing an OpenFlow-CAN bus communication model for data plane and control plane services in RTN. This dual-service mechanism integrates time-critical industry systems with software-defined communication. Figure 11 represents the SDN-RTN communication model with full-stack OpenFlow SDN features and time-critical event aspects of RTN. The SDN controller accesses information such as user ID, time-outs, priorities, and flow information using OpenFlow APIs to configure, balance load, and select the best possible path. The RTN data plane is responsible for prioritizing scheduling, resource reservation, and imposing actions from higher layers through the dispatcher. The global time-triggered framework (TTF) is implemented centrally using the OpenFlow CAN bus (OFCB) embedded in the master node. Transmission of frames from/to RTN and SDN happens through ingress and egress ports using gateways or Ether channel. Policies such as admission control and redundant mesh topology are used to support multipath forwarding, network load balancing, and congestion control.

Fig. 11 OpenFlow CAN bus traffic model

The significant challenges this architecture faces are as follows: (1) the network functionality has to be recoded as per the proposed new SDRTN architecture; (2) the forwarding table of OpenFlow has to be learned by all the nodes working on Layer 2 and Layer 3 of the OSI model; and (3) efficient interfacing of OpenFlow CAN bus (OFCB) messages has to be addressed through APIs.
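The flow-table lookup, metering and table-miss handling described in this section, modelled as an added example (it is not the chapter's implementation and does not use the OpenFlow API). The class and field names, the token-bucket meter, the sample frames and the caller-supplied millisecond clock are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Meter:
    rate: int            # bytes credited per millisecond (assumed unit)
    burst: int           # bucket depth in bytes
    tokens: int = 0
    last_ms: int = 0

    def __post_init__(self):
        self.tokens = self.burst                 # bucket starts full

    def allow(self, size, now_ms):
        refill = (now_ms - self.last_ms) * self.rate
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if size > self.tokens:
            return False                         # rate exceeded: frame is not forwarded
        self.tokens -= size
        return True


@dataclass
class FlowEntry:
    priority: int
    match: dict                                  # field -> required value
    out_port: int
    meter_id: Optional[int] = None


class Switch:
    def __init__(self):
        self.flows, self.meters, self.held = [], {}, []

    def _lookup(self, frame):
        # Highest-priority entry whose match fields all agree with the frame.
        hits = [f for f in self.flows
                if all(frame.get(k) == v for k, v in f.match.items())]
        return max(hits, key=lambda f: f.priority) if hits else None

    def _apply(self, entry, frame, now_ms):
        if now_ms > frame["deadline_ms"]:
            return ("drop", "deadline")
        meter = self.meters.get(entry.meter_id)
        if meter and not meter.allow(frame["size"], now_ms):
            return ("drop", "meter")
        return ("forward", entry.out_port)

    def receive(self, frame, now_ms):
        entry = self._lookup(frame)
        if entry is None:                        # table miss: hold and wait for the controller
            self.held.append(frame)
            return ("held", None)
        return self._apply(entry, frame, now_ms)

    def install(self, entry, now_ms):
        """Controller pushes a flow entry; held frames are re-evaluated against deadlines."""
        self.flows.append(entry)
        released, waiting = [], []
        for frame in self.held:
            hit = self._lookup(frame)
            if now_ms > frame["deadline_ms"]:
                released.append((frame["can_id"], ("drop", "deadline")))
            elif hit is None:
                waiting.append(frame)
            else:
                released.append((frame["can_id"], self._apply(hit, frame, now_ms)))
        self.held = waiting
        return released


def run_switch_demo():
    # Constructed sample: 8-byte CAN payloads arriving on two ingress ports.
    def frame(port, can_id, deadline_ms):
        return {"in_port": port, "can_id": can_id, "size": 8, "deadline_ms": deadline_ms}

    sw = Switch()
    sw.meters[1] = Meter(rate=1, burst=16)
    sw.flows += [FlowEntry(10, {"in_port": 1}, out_port=2, meter_id=1),
                 FlowEntry(100, {"in_port": 1, "can_id": 0x100}, out_port=3)]
    log = [sw.receive(frame(1, 0x100, 5), 0),    # high-priority entry, unmetered
           sw.receive(frame(1, 0x200, 50), 0),   # metered, within burst
           sw.receive(frame(1, 0x200, 50), 0),   # metered, empties the bucket
           sw.receive(frame(1, 0x200, 50), 1),   # metered, only 1 byte refilled
           sw.receive(frame(2, 0x300, 10), 2),   # no entry for port 2 yet
           sw.receive(frame(2, 0x301, 30), 3)]
    released = sw.install(FlowEntry(50, {"in_port": 2}, out_port=1), 20)
    return log, released


if __name__ == "__main__":
    print(run_switch_demo())
```

The frame held with a 10 ms deadline is dropped when the controller's entry arrives at 20 ms, while the one with a 30 ms deadline is still forwarded.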

9 Problem Formulation of SDRTN

Let $N$ denote the topology of an SDN, and let $F$ represent a set of RTN flows. We model the network as an undirected graph $N(V, E)$, where $V$ is the set of nodes (or ports) and $E$ is the set of edges (a possible path for packets to go from one switch port to another). A flow $f_k \in F$ is given by a four-tuple $(s_k, t_k, D_k, B_k)$, where $s_k, t_k \in V$ are ports, $D_k$ is the maximum delay that the flow can tolerate, and $B_k$ is the maximum bandwidth required by the flow. A flow path $P_k$ is defined as the sequence of edges traversed by a flow $f_k$ to go from the source port $s_k$ to a destination port $t_k$. Therefore, the problem is to synthesize flow rules that use queues at each edge $(u, v) \in P_k$ and can handle all flows $F$ in the given system while satisfying each flow's requirement. If $d_{f_k}(u, v)$ is the delay faced by the flow $f_k$ and $b_{f_k}(u, v)$ is the bandwidth assigned to $f_k$ at edge $(u, v)$, we have, $\forall f_k \in F$, $\forall (u, v) \in P_k$,

$$\sum_{(u,v) \in P_k} d_{f_k}(u, v) \le D_k, \qquad b_{f_k}(u, v) \ge B_k.$$

Let $D(u, v)$ be the delay on the edge $(u, v)$; then the total delay for flow $f_k$ over the path $P_k$ is

$$D_{f_k}(P_k) = \sum_{(u,v) \in P_k} D(u, v). \tag{1}$$

Then the constraint on end-to-end delay for the flow $f_k$ is

$$D_{f_k}(P_k) \le D_k. \tag{2}$$

We define the bandwidth utilization for an edge $(u, v)$ in a flow $f_k$ as

$$B_k(u, v) = \frac{B_k}{B_e(u, v)}, \tag{3}$$

where $B_e(u, v)$ is the available bandwidth of an edge $(u, v)$. Then the bandwidth utilization over a path $P_k$ is

$$B_{f_k}(P_k) = \sum_{(u,v) \in P_k} B_k(u, v). \tag{4}$$

Now the bandwidth constraint is

$$B_{f_k}(P_k) \le \max_{(u,v) \in E} B_k(u, v)\,|V|, \tag{5}$$

where $|V|$ is the cardinality of the set of ports in the topology. In order to ensure that the bandwidth requirement $B_k$ of the flow $f_k$ is guaranteed, let $\hat{B}_k = \max_{(u,v) \in E} B_k(u, v)\,|V|$, and the constraint on bandwidth utilization becomes

$$B_{f_k}(P_k) \le \hat{B}_k. \tag{6}$$

Therefore, the selection of an optimal path for each flow $f_k$ can be formalized as a multi-constrained path (MCP) problem with the delay constraint in Eq. (2) and the bandwidth constraint in Eq. (6). More details about the solution of this MCP problem can be found in Kumar et al. (2017a, b).
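The path selection formalised above, combined with the admission control of Sect. 8, as an added example (not code from the chapter or from Kumar et al.). It uses a generic exact label-setting search in place of the cited MCP solution and accepts any utilisation bound, with $\hat{B}_k$ from Eq. (5) as the default; the topology, the function names and the pruning of edges with less than $B_k$ spare bandwidth are assumptions.

```python
import heapq


def build_network(links):
    """links: (u, v, delay_us, avail_mbps) for each undirected edge of N(V, E)."""
    return {frozenset((u, v)): {"delay": d, "avail": bw} for u, v, d, bw in links}


def mcp_path(net, s, t, d_max, b_req, util_bound=None):
    """Least-delay path from s to t that meets Eq. (2) and Eq. (6), or None."""
    # Assumption: an edge can assign b_fk(u, v) >= B_k only if it has that much spare.
    usable = {e: a for e, a in net.items() if a["avail"] > 0 and a["avail"] >= b_req}
    if not usable:
        return None
    util = {e: b_req / a["avail"] for e, a in usable.items()}     # Eq. (3)
    if util_bound is None:
        n_ports = len({n for e in net for n in e})                # |V|
        util_bound = max(util.values()) * n_ports                 # B-hat_k, Eq. (5)
    adj = {}
    for e in usable:
        u, v = tuple(e)
        adj.setdefault(u, []).append((v, e))
        adj.setdefault(v, []).append((u, e))
    settled = {}                    # node -> non-dominated (delay, utilisation) labels
    heap = [(0, 0.0, s, (s,))]
    while heap:
        d, b, u, path = heapq.heappop(heap)
        if u == t:
            return list(path), d, b
        if any(ld <= d and lb <= b for ld, lb in settled.get(u, ())):
            continue                # an earlier label is at least as good on both sums
        settled.setdefault(u, []).append((d, b))
        for v, e in adj.get(u, ()):
            nd = d + usable[e]["delay"]                           # running sum of Eq. (1)
            nb = b + util[e]                                      # running sum of Eq. (4)
            if nd <= d_max and nb <= util_bound:
                heapq.heappush(heap, (nd, nb, v, path + (v,)))
    return None


def admit_flow(net, flow):
    """Admission control: reserve B_k along the chosen path, or reject the flow."""
    s, t, d_max, b_req = flow                    # four-tuple (s_k, t_k, D_k, B_k)
    found = mcp_path(net, s, t, d_max, b_req)
    if found is None:
        return None
    path, delay, _ = found
    for u, v in zip(path, path[1:]):
        net[frozenset((u, v))]["avail"] -= b_req
    return path, delay


# Constructed topology: two disjoint s1 -> s4 routes (delay in microseconds, bandwidth in Mbps).
LINKS = [("s1", "s2", 10, 100), ("s2", "s4", 10, 100),
         ("s1", "s3", 25, 100), ("s3", "s4", 25, 100)]
# Constructed flows (s_k, t_k, D_k, B_k), admitted in this order.
FLOWS = [("s1", "s4", 60, 80), ("s1", "s4", 60, 50),
         ("s1", "s4", 30, 10), ("s1", "s4", 30, 20)]


def run_admission_demo():
    net = build_network(LINKS)
    return [admit_flow(net, f) for f in FLOWS]


if __name__ == "__main__":
    for flow, result in zip(FLOWS, run_admission_demo()):
        print(flow, "->", result if result else "rejected")
```

With $\hat{B}_k$ taken from Eq. (5), every simple path satisfies Eq. (6) because it has at most $|V| - 1$ edges, so the delay bound and per-edge capacity decide admission here; the last flow is rejected because the only route with enough spare bandwidth exceeds its 30 μs bound.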

10 Simulators for SDRTN

A wide range of simulators can implement RTN, but only a limited number support RTN with SDN functionality. This section explores the simulators that can build and implement SDN concepts and integrate them with RTN.

10.1 Virtual Time–Enabled Mininet

VT Mininet, introduced by Yan and Dong (2015), is a virtual time–embedded SDN network emulator that enhances the Mininet functionality to address RTN requirements. It uses a time-dilation fidelity (TDF) strategy to develop a virtual RTN, claimed by the authors to be lightweight and transparent to RTN applications. The design architecture of VT Mininet is shown in Fig. 12. The two main components of VT Mininet are the virtual time manager and the adaptive virtual time scheduler.

(a) Virtual time manager: The VT Manager is in charge of keeping track of virtual time for the set of active containers across the network to support emulation and synchronization within the simulator environment.
(b) Adaptive virtual time scheduler: It monitors runtime resources and collects information such as CPU utilization, threads available, based on TDF, and time elapsed.

Implementation: The runtime resource monitor keeps track of the processes demanding resources and of resource allocation. Each container/host has a process tree with applications and processes running under a private network namespace. A virtual interface helps access network resources and is used for data communication.

Fig. 12 VT Mininet architecture (Yan and Dong 2015)


The modified kernel of VT Mininet forces the devices to adapt to the global virtual clock across the system through the TDF adaptor. VT Mininet also permits the global time to be set dynamically across the RTN systems using virtual time management. Thus, VT Mininet is an adaptive virtual time scheduling subsystem on the Mininet simulator that controls the balance between experiment speed and fidelity.

10.2 Mininet

Mininet is a widely used emulator for implementing SDN scenarios across the SDN fraternity. It is the only emulator that serves a wide range of APIs supported by all the controllers. Mininet (Lantz and Heller 2021) is used by Oginni et al. (2018) to develop an SDN architecture for low-latency RTN. It supports adaptive path provisioning using layer two and layer three communication strategies. The three major strategies simulated are related to bandwidth, delay, and path selection. The Ryu controller and OpenFlow APIs perform monitoring, logging, and statistical computations for best path selection. In Lunagariya and Goswami (2021), Mininet is used to compare the performance of various controllers. Mininet is the only platform commonly used by all the controllers for RTN scenario generation, to name a few, Pyretic (Kulkarni et al. 2021), ONOS (Sameer and Goswami 2018), Floodlight (Khan et al. 2020), Ryu (Asadollahi et al. 2018), and Beacon (Manuel and Goswami 2019). For traffic generation, OFNet and iPerf are used in (Asadollahi and Goswami 2017; Asadollahi et al. 2017).

10.3 WiFi-Mininet

RTN can be simulated on VT Mininet and Mininet environments, allowing network administrators to configure the wired network centrally using the controllers as a platform. The biggest challenge is the dissemination of OpenFlow's flow table rules down the southbound APIs on wireless channels. Software-defined wireless networks (SDWN) provide programmable centralized network control for wireless channels to connect wireless nodes in RTN. WiFi-Mininet uses WiFi interfaces on stations (STAs) connected to an access point (AP) through its "wlanX" interface. Further, this wlanX is bridged to an OpenFlow switch with access point capabilities, as stated by Fontes et al. (2015). Additionally, Kumar et al. (2019) argue that WiFi-Mininet is a scalable option to implement SDN on wireless networks.

11 Experimental Demonstrations

In this section, an experiment is set up to demonstrate the feasibility of the SDRTN framework by implementing RTN traffic over SDN. The proposed scheme is evaluated in this experiment using the Mininet simulator with the OpenFlow protocol.


We set the benchmark for industrial systems applications using the RTN model to evaluate the advanced SDRTN. To address the industry requirements as per the standards stated in Table 1, SDRTN is established, experimented with, and tested on RTN switches enhanced with the OpenFlow protocol. SDRTN is implemented based on the communication architecture presented in Figs. 9, 10, and 11. The topology consists of $N(V, E)$ with $V$ nodes and $E$ edges. The flow path $P_k$ is imposed, as per the OpenFlow protocol, between the source $s_k$ and the destination $t_k$. Considering a heavily loaded RTN scenario $N(V, E)$, the POX controller is connected to end hosts through a redundant network of multiple switches constrained with $(s_k, t_k, D_k, B_k)$. Even though RTN nodes are configured with the UDP protocol, the OpenFlow protocol handles both types (UDP and TCP) of traffic flows $f_k$ for SDRTN networks. The scheduling is constrained by the delay $D_k$, and the communication is constrained by the bandwidth utilization $\hat{B}_k$. The following parameters are selected for the evaluation of the novel SDRTN scheme.

• Throughput: It is the actual amount of traffic passing between the source $s_k$ and the destination $t_k$ in a given time. This parameter will prove the consistency of the SDRTN communication scheme.
• Packet loss: It is defined as the number of packets that are lost during the flow transmission and cannot complete the transmission journey within the deadline. This parameter is selected to identify the percentage of packets lost in the SDRTN scheme.
• Latency: It is defined as the amount of time the communication packets take during transmission and processing before reaching the final destination. This parameter proves whether SDRTN fits the application requirements of RTN.
• Jitter: It is the parameter identifying the variance in latency observed consistently for a specific duration of time to determine the delay $D_k$ faced by every packet due to congestion. This parameter will identify the variance that is tolerable within the deadline specifications of RTN.

The results are presented in Fig. 13 and described further in this section. The network performance of RTN versus SDRTN for four parameters, (a) throughput, (b) packet loss, (c) latency, and (d) jitter, can be seen in Fig. 13. The first two parameters are related to our bandwidth constraint $B_{f_k}(P_k)$, and the last two parameters are related to our delay constraint $D_{f_k}(P_k)$, as stated during problem formulation. Figure 13 has a total of eight graphs, two for each parameter. Left-side graphs present RTN results, and right-side graphs show SDRTN results. The X axis represents the duration of the experimental run (150 seconds), which is the same for all the graphs to set the base for parameter comparison. Throughput is in Mbps; packet loss is a number of packets; latency and jitter are in milliseconds. Each graph has four straight lines: (a) mean and standard deviation (SD), (b) median, (c) maximum value, and (d) minimum value. These lines assist us in comparing a single parameter in both models (left RTN and right SDRTN).

Fig. 13 Result analysis of RTN versus SDRTN

In our observation, while running bulky RTN flows on lightweight SDN environments, a significant gain of 529.04 is obtained in throughput, with just 490 packets successfully transmitted in the given time in RTN but 995 in SDRTN. As SDN frees the network from the burden of other unnecessary protocols and supports a lightweight path selection policy, packet loss is reduced from 155 to 50 (maximum values). The latency is reduced to half in an SDRTN environment, proving that our model fits well in addressing the critical deadline requirements of RTN. Significant gain is observed in the jitter of the SDRTN model, which reduced from 2.85 seconds in RTN to 0.75 seconds in SDRTN. Overall, 217.3% throughput, 71.7% packet loss, 69.7% latency, and 73.6% jitter gain were detected during the simulation-based experimental run of SDRTN. These results confirm that SDRTN will serve the real-time requirements and make the system lightweight. Thus, the SDRTN model integrating SDN concepts on RTN is promising for futuristic dynamic RTN systems.

12 Conclusion

This chapter has studied RTN, SDN, the benefits of SDN-RTN integration, widely practiced standards, and RTN protocols. The design architecture of software-defined real-time networks (SDRTN) is presented in this chapter to enhance QoS policy implementation for RTN systems. This model enhances centralized control functionality and policy implementation in an RTN environment by interfacing SDN concepts with RTN. The model is designed using (a) the standards of RTN, (b) the key features of RTN protocols, and (c) the critical features of SDN controllers and the OpenFlow protocol. Compared to the existing RTN, SDRTN proves beneficial in the following aspects: (a) provisioning a global view of the network; (b) guaranteeing flow completion within the time-bound communication requirement; (c) optimizing network monitoring and control to fine-tune traffic management; and (d) fulfilling the QoS requirements of real-time applications. This study also introduces the potential simulators with the traffic generation and analysis capabilities to implement the SDRTN communication scenarios. The experimental demonstration and results support our argument with a gain of 217.3% in throughput, a gain in packet loss of 71.7%, a latency gain of 69.7%, and a jitter gain of 73.6%, respectively, in SDRTN in comparison with traditional RTN. The discussion concludes that SDRTN efficiently and effectively meets the Industry 4.0 requirements of RTN. The discussed communication scheme of SDRTN can be applied to multiple domains of RTN to obtain the maximum benefits of high-quality services in industrial systems.

References

S. Asadollahi, B. Goswami, Experimenting with scalability of floodlight controller in software defined networks, in 2017 International Conference on Electrical, Electronics, Communication, Computer, and Optimization Techniques (ICEECCOT), (IEEE, 2017), pp. 288–292
S. Asadollahi, B. Goswami, A.S. Raoufy, H.G.J. Domingos, Scalability of software defined network on floodlight controller using ofnet, in 2017 International Conference on Electrical, Electronics, Communication, Computer, and Optimization Techniques (ICEECCOT), (IEEE, 2017), pp. 1–5
S. Asadollahi, B. Goswami, M. Sameer, Ryu controller's scalability experiment on software defined networks, in 2018 IEEE International Conference on Current Trends in Advanced Computing (ICCTAC), (IEEE, 2018), pp. 1–5
M. Atefeh Maleki, J.-P.G. Hossain, E. Rondeau, T. Divoux, An sdn perspective to mitigate the energy consumption of core networks–géant2, in International SEEDS Conference, (2017), pp. 233–244
M. Böhm, J. Ohms, M. Kumar, O. Gebauer, D. Wermser, Time-sensitive software-defined networking: a unified control-plane for tsn and sdn, in Mobile Communication-Technologies and Applications; 24. ITG-Symposium, (VDE, 2019), pp. 1–6
J. Bush, Open standards to improve automotive ethernet (2021)
J.L. Du, M. Herlich, Software-defined networking for real-time ethernet, in ICINCO, vol. 2, (2016), pp. 584–589
J. Farkas, L.L. Bello, C. Gunther, Time-sensitive networking standards. IEEE Commun. Stand. Mag. 2(2), 20–21 (2018)
R.R. Fontes, S. Afzal, S.H.B. Brito, M.A.S. Santos, C.E. Rothenberg, Mininet-wifi: Emulating software-defined wireless networks, in 2015 11th International Conference on Network and Service Management (CNSM), (IEEE, 2015), pp. 384–389
A. Hakiri, A. Gokhale, P. Berthou, D.C. Schmidt, T. Gayraud, Software-defined networking: Challenges and research opportunities for future internet. Comput. Netw. 75, 453–471 (2014)
M.A. Khan, B. Goswami, S. Asadollahi, Data visualization of software-defined networks during load balancing experiment using floodlight controller, in Data Visualization, (Springer, Singapore, 2020), pp. 161–179
M. Kulkarni, B. Goswami, J. Paulose, Experimenting with scalability of software defined networks using pyretic and frenetic, in International Conference on Computing Science, Communication and Security, (Springer, 2021), pp. 168–192
R. Kumar, M. Hasan, S. Padhy, K. Evchenko, L. Piramanayagam, S. Mohan, R.B. Bobba, Dependable end-to-end delay constraints for real-time systems using sdns. arXiv preprint arXiv:1703.01641 (2017a)
R. Kumar, M. Hasan, S. Padhy, K. Evchenko, L. Piramanayagam, S. Mohan, R.B. Bobba, End-to-end network delay guarantees for real-time systems using sdn, in 2017 IEEE Real-Time Systems Symposium (RTSS), (IEEE, 2017b), pp. 231–242
A. Kumar, B. Goswami, P. Augustine, Experimenting with resilience and scalability of wifi mininet on small to large sdn networks. International Journal of Recent Technology and Engineering 7(6S5), 201–207 (2019)
B. Lantz, B. Heller, Mininet: An instant virtual network on your computer (2021)
D. Lunagariya, B. Goswami, A comparative performance analysis of stellar sdn controllers using emulators, in 2021 International Conference on Advances in Electrical, Computing, Communication and Sustainable Technologies (ICAECT), (IEEE, 2021), pp. 1–9
T. Manuel, B.H. Goswami, Experimenting with scalability of beacon controller in software defined network. Int. J. Recent Technol. Eng. 7(5S2), 550–555 (2019)
L. Moutinho, P. Pedreiras, L. Almeida, A real-time software defined networking framework for next-generation industrial networks. IEEE Access 7, 164468–164479 (2019)
N.G. Nayak, F. Dürr, K. Rothermel, Time-sensitive software-defined network (tssdn) for real-time applications, in Proceedings of the 24th International Conference on Real-Time Networks and Systems, (2016), pp. 193–202
O. Oginni, P. Bull, Yonghao Wang, Constraint-aware software-defined network for routing real-time multimedia. ACM SIGBED Rev. 15(3), 37–42 (2018)
A. Paszke, A. Chaurasia, S. Kim, E. Culurciello, Enet: A deep neural network architecture for real-time semantic segmentation. arXiv preprint arXiv:1606.02147 (2016)
M. Sameer, B. Goswami, Experimenting with onos scalability on software defined network. Journal of Advanced Research in Dynamical and Control Systems 10(14-Special Issue), 1820–1830 (2018)
G. Smith, Communication of can bus to other vehicle (2021)
C. Ternon, J. Goossens, J.-M. Dricot, Ftt-openflow, on the way towards real-time sdn. ACM SIGBED Rev. 13(4), 49–54 (2016)
G. Tian, Y.-C. Tian, Modelling and performance evaluation of the IEEE 802.11 dcf for real-time control. Comput. Netw. 56(1), 435–447 (2012)
G. Tian, S. Camtepe, Y.-C. Tian, A deadline-constrained 802.11 mac protocol with qos differentiation for soft real-time control. IEEE Trans. Indus. Inform. 12(2), 544–554 (2016)
V. Varsamis, G. Kornaros, Control of CAN-bus time-trigger messages for adaptive networking. PhD thesis, Department of Electrical and Computer Engineering, Hellenic Mediterranean University (2021)
J. Yan, J. Dong, Vt-mininet: Virtual-time-enabled mininet for scalable and accurate software-define network emulation, in Proceedings of the 1st ACM SIGCOMM Symposium on Software Defined Networking Research, (2015), pp. 1–7

Satellite Communication Networks

31

Muhammad Furqan and Bhargavi Goswami

Contents 1 2 3 4

5

6 7 8 9 10 11 12 13 14 15 16 17 18

Introduction
Background
ITU
Orbits
4.1 LEO
4.2 MEO
4.3 GEO
Services
5.1 FSS
5.2 BSS
5.3 MSS
Segments
Scenarios and Use Cases
Radio Link
8.1 Link Budget Analysis
Antenna Gain
EIRP
Noise
G/T
Losses
Bandwidth
Spectral Efficiency
Software-Defined Radio
Software-Defined Networking
SDR-SDN Integration

M. Furqan
Queensland University of Technology, Brisbane, QLD, Australia

B. Goswami
School of Computer Science, Queensland University of Technology, Brisbane, QLD, Australia

© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_70


M. Furqan and B. Goswami

19 Interfacing
20 Security
21 Summary
References

Abstract

Providing communication in remote areas is a challenge because of the limitations of terrestrial communication infrastructure. This challenge is overcome by connectivity provided via satellite communication. Satellites are located at high altitudes in different predetermined orbits, and they can provide communication services globally. Latency (propagation delay) and coverage footprint depend upon the orbit of the satellite. To provide real-time network services through satellites, the unavoidable latency has to be taken into account in the expected delays. Satellites are used for remote connectivity by different industries including, but not limited to, telecommunications, broadcast, oil and gas, mining, government, health, and education. Real-time communication needs for search and rescue, emergency response, defense, maritime, logistics, and aviation are served by satellite communication networks. However, satellites so far have been relaying analogue signals from one point on earth to another, with functionality limited to the physical layer of any network architecture. Recent research and development in the industry and in regulation allow the involvement of higher network layers and software-defined technologies in satellite communication networks to improve efficiency in terms of resources, radio spectrum, and latency.

1 Introduction

Real-time networks (RTN) rely on satellites one way or another. The primary reason for this reliance is the global navigation satellite system (GNSS), which provides positioning, navigation, and timing (PNT) services on regional or global scales. These services are provided by different groups of satellites referred to as constellations, normally orbiting the earth in medium earth orbit (MEO). Some commonly used constellations for PNT services are the US-based global positioning system (GPS), the Russian global navigation satellite system (GLONASS), the European Galileo, and the China-based BeiDou. Satellites not only provide PNT services for terrestrial real-time networks but also provide connectivity for real-time networks in remote regions and for services requiring a global footprint. Surprisingly, satellites also rely on RTN for their seamless operation, as shown in Fig. 1. Harbor Research (Harbor Research 2021) has mapped the ecosystem of wireless real-time networks, plotting coverage area against the data rate requirements of the networks. Satellite communication can provide real-time network services to larger areas at higher data rates. The telemetry, tracking, and control (TT&C) of the space segment is based on RTN to keep the satellite's orbital, spatial, motion, and sensor networks operational and to perform satellite maneuvers as required in real-time scenarios without any possibility of delays or errors. During the course of this chapter, we will review the importance of satellites for real-time networks that cannot be connected through terrestrial networks. Before we proceed further to satellite-based RTN, we need a basic understanding of satellite communication.

31 Satellite Communication Networks

Fig. 1 Wireless RTN landscape (Harbor Research 2021)

2 Background

Satellite communication, an idea of Sir Arthur C. Clarke, was introduced to answer the need for reliable communication with global coverage and limitless mobility. According to the Clarke model shown in Fig. 2, three satellites placed at a suitable distance can be sufficient to provide global coverage for communication needs. Satellite-based communication technology addresses these needs, but like any other matrix, it also has some limitations, the biggest of which is latency. With geostationary satellites located in geosynchronous orbit at 35,786 km above the equator, the time delay is 270 milliseconds for a one-way trip of a message and 540 milliseconds for a round trip, which is humongous for today's communication requirements. The problem seems to be addressed by the upcoming LEO-HTS (lower earth orbit high-throughput satellite) mega constellations of around 100,000 satellites, which will provide global connectivity services from lower earth orbit, below 2000 km altitude, with latency matching that of fiber optic communications.


Fig. 2 Sir Arthur C. Clarke model (Clarke 1945)

3 ITU

Satellite communications, the frequencies they use, and their orbital parameters are standardized by the ITU (International Telecommunication Union), which is a constituent body of the UN (United Nations). Orbital locations and the radio-frequency electromagnetic spectrum are limited natural resources, which should be accessed in harmony by the member states of the ITU. Until recent developments in satellite technology, satellite communication-related standards were limited to radio-frequency usage and orbital parameters. With the recent developments, satellite communication has been considered a network-based element of the ITU future network requirements Network 2030 (ITU 2020), as “Space Networking.” Network 2030 is the successor of IMT 2020 (International Mobile Telephony 2020), the technical requirements established by the ITU; in response to those requirements, 3GPP (Third Generation Partnership Project) formulated the 5G (fifth generation of mobile communication) standards.

4 Orbits

Satellites can be grouped into different categories based on their applications, such as meteorology, earth observation, communication, and broadcast; however, they are commonly distinguished by the orbits they are deployed in. The most common orbits used by communication satellites are LEO (lower earth orbit), MEO (medium earth orbit), and GEO (geosynchronous earth orbit). The key attributes of these orbits are compared in Table 1.

Table 1 Orbit comparison

Attributes | LEO | MEO | GEO
Altitude (km) | 160–2000 | 5000–12,000 | 35,786
Round trip latency (ms) | 10∼30 | 70∼200 | 540
Lifespan (years) | 3∼7 | 10∼15 | 15+
No. of satellites required for global coverage | 40∼800 | 8∼20 | 3 (no polar coverage)
Examples | ISS, StarLink | GPS, O3B | Intelsat, Inmarsat

Table 2 LEO-HTS mega constellations

Company | SpaceX | OneWeb | Telesat | Amazon
Project | StarLink | OneWeb | LightSpeed | Kuiper
No. of satellites Gen-1 | 4408 | 648 | 298 | 1600
System throughput Gen-1 | 10 Tbps | 1.5 Tbps | 7.5 Tbps | 9 Tbps
Data rate per satellite | 6 Gbps | 2–4 Gbps | 15–25 Gbps | 15 Gbps
Planned no of satellites | 42,000 | 7000 | 1671 | 3236
System throughput full deployment | 27 Tbps | 25 Tbps | 16–24 Tbps | 53 Tbps
Frequency bands | Ku, Ka | Ku, Ka | Ka | Ka
Operational orbit | 540–570 km | 1200 km | 1015–1325 km | 590–630 km

4.1 LEO

Lower earth orbit (LEO) satellites orbit the earth periodically at altitudes of less than 2000 km. To provide complete global coverage, the number of satellites required varies between hundreds and thousands depending upon their altitude. Recently, there has been a lot of development in LEO satellites, following billions of dollars of investment from technology firms to provide global broadband services with lower latencies. These developments also incorporate innovation by introducing on-board processing for the deployment of software-defined technologies like network function virtualization (NFV), software-defined radio (SDR), and software-defined networks (SDN), as well as inter-satellite links, which weren't a common technology in previous generations of communication satellites. Due to the exponential increase in demand for data connectivity services on global scales, multiple technology firms have announced ambitious plans to deploy mega constellations in LEO consisting of thousands of satellites; details are provided in Table 2. StarLink's existing constellation can be seen in Fig. 3. These constellations will complement terrestrial networks in the provision of data connectivity for different applications. Although these constellations will cover the connectivity gap for remote communities, there are concerns about the environment and space debris associated with the launch of thousands of satellites in lower orbits.


Fig. 3 StarLink’s existing constellation (Stuff In Space 2021)

Fig. 4 Galileo GNSS constellation (Stuff In Space 2021)

4.2 MEO

Medium earth orbit requires fewer satellites than LEO for complete global coverage, but at a higher latency, as shown in Fig. 4. The orbit has been primarily used for GNSS services for the provision of PNT applications. All RTN rely on PNT applications. With the passage of time, new technologies have helped improve the accuracy of PNT parameters for enhanced precision. These services are frequently used by the maritime, aviation, defense, and mining industries. Moreover, the services provided by GNSS satellites are now embedded in personal devices, and people can use them for navigation while travelling.


Fig. 5 Intelsat Geo constellation (Stuff In Space 2021)

4.3 GEO

Geosynchronous earth orbit is aligned with the equator at an altitude of 35,786 km, where the satellites, referred to as GEO or geostationary satellites, appear to be stationary because their orbiting velocity matches the rotation of the earth around its axis, as visible in Fig. 5. GEO has been the preferred orbit for communication satellites for more than half a century. However, GEO communication satellites thus far have been limited to bouncing signals from one place to another in their coverage footprint, working only as a bridge in the physical layer of any network model. Recent developments in technology have introduced software-defined satellites with on-board processing for the provision of networking services through SDN, SDR, and NFV. Larger coverage footprints, longer lifespans, and new technologies with on-board processing for remotely configurable radios and network services have renewed the importance of GEO satellites.

5 Services

Communication satellites provide a bouquet of services for connectivity in remote regions, as well as in urban regions to complement the terrestrial networks. These services are categorized as:

• FSS (fixed satellite services)
• BSS (broadcast satellite services)
• MSS (mobile satellite services)

Satellites aren't limited to these services and applications; they also provide plenty of other services including earth observation, deep space telescopes, space exploration, global navigation, positioning, and meteorological services.


Fig. 6 FSS network architecture for cellular backhaul (Furqan and Butt 2020)

5.1 FSS

Fixed satellite services connect the core network with a remote terminal that does not require mobility. This service is commonly used for cellular backhaul, IP transit for broadband networks, or connecting private networks such as defense applications, mining, and oil and gas exploration. It is primarily used for connecting networks interfaced via a gateway terminal, mostly through a VSAT (very small aperture terminal), as shown in Fig. 6.

5.2 BSS

Broadcast satellite services, as evident from the name, are mainly used by media networks for broadcasting livestreams over the satellite to receive-only terminals. With the development of higher video resolutions, the bandwidth requirement for such services has also increased. The content can be broadcast live in the form of news and sports matches, and it can be streamed for data centers that host a variety of content available to be viewed through subscription.

5.3 MSS

MSS is used where the user equipment or device is directly connected to the satellite and may require mobility at different velocities. As shown in Fig. 7, the satellite provides fronthaul link connectivity directly to the subscriber at one end and backhaul connectivity to the core network through a ground station at the other end. Aviation, maritime, search and rescue, emergency services, and adventure expeditions are the primary users of MSS.


Fig. 7 MSS network architecture (Furqan and Butt 2020)

6 Segments

A satellite communication system is divided into two segments:

• Ground segment: consists of satellite terminals at the hub and remote end as well as the satellite radio-frequency transponders that connect the remote and hub end terminals.
• Space segment: with an emphasis on TT&C (telemetry, tracking, and control), consists of earth stations responsible for performing maneuvering controls of the satellite and the aerospace elements of the satellite in space, including on-board sensors, power subsystems, propulsion, etc.

Figure 8 represents satellite subsystems.

7 Scenarios and Use Cases

Depending upon the nature of the satellite and the application at the user end, satellite communication can be categorized into different scenarios and use cases.

GEO Bent-Pipe: Traditional GEO satellite communication, shown in Fig. 9, where the satellite only relays the signal at the physical layer of the communication architecture.

Software-Defined GEO: A GEO satellite with on-board processing capabilities to perform software-defined networking and radio functionalities, involving higher layers of the communication architecture. For example, Fig. 10 shows the IP internetworking functions in a satellite.

Coupled LEO: LEO satellites with on-board processing to perform software-defined network and radio functionalities that do not have inter-satellite links and rely on intermittent ground stations to communicate with each other or the end user. This can be seen in Fig. 11.

Decoupled LEO: LEO satellites with on-board processing to perform software-defined network and radio functionalities that have inter-satellite links and do not rely on intermittent ground stations to communicate with each other or the end user. This can be seen in Fig. 12.

Use Case 1: Gateway with multiple AP (connecting two networks). This use case is the application of FSS with considerations of SDN and SDR implementation. It expands the core network to the last-mile connectivity, and the network becomes cloud-based, as shown in the hexagon shape in Fig. 13.

Use Case 2: AP. The application of a single AP connected to the core or cloud through satellites using software-defined technologies to provide fog-computing services for the RTN. This can be seen in the triangle-shaped panel in Fig. 13.

Use Case 3: UE. An application of MSS, in which user equipment that may be static or mobile is connected to the cloud or core through satellite scenarios with software-defined technologies to provide edge-computing services for the RTN. The rectangle shape in Fig. 13 depicts this use case.

Fig. 8 Satellite subsystems

Fig. 9 Traditional satellite physical relay link (ETSI 2002)

Fig. 10 IP interworking functions in satellite-based IP networks (ETSI 2002)

Fig. 11 Coupled scenario (ITU 2020)

8 Radio Link

Satellite communications use a wide range of the radio-frequency electromagnetic spectrum in accordance with ITU standards and national requirements. All communication taking place between the satellite and ground stations, user equipment, or devices needs to be carried over radio-frequency signals as per the requirements. The most commonly used frequency bands are shown in Fig. 14.

Fig. 12 Decoupled scenario (ITU 2020)

Fig. 13 Satellite use cases

The satellite radio link is the wireless OTA (over-the-air) interface link between the satellite and a ground station, gateway, or user device. It is in analogue signal form, and its waveform is generated before being transmitted through the antenna. The signal parameters are defined by the frequency being used and the transmit power required to transmit the required amount of data, in the form of bandwidth calculated for the modulation, coding, compression, and error correction algorithms used.

Fig. 14 Radio-frequency and satellite communication frequency bands (European Space Agency 2019)

8.1 Link Budget Analysis

The mathematical calculations used to identify the transmit power, required bandwidth, etc. are known as link budget analysis. The basic link budget equation, Eq. (1), is the equality of the transmitted power to the received power in any radio link chain of the communication:

$$P_T = P_R, \tag{1}$$

where
$P_T$ = power transmitted
$P_R$ = power received

The equation can be expanded on both sides, where all the gains are added and all the losses are subtracted. To achieve the equality, we must optimize the KPIs (key performance indicators) of the RF link, which add multiple parameters to the link budget calculation; these are categorized as transmit parameters, receive parameters, satellite parameters, carrier parameters, and link parameters. The ultimate objective of the analysis is to calculate the carrier-to-noise ratio at the receiving terminal using all the parameters involved.

9 Antenna Gain

An antenna’s gain is a key input parameter of the link budget. This covers the gain of all antennas involved in the transmission and reception of the radio signal, including ground stations, satellite, gateways, etc. The gain of an antenna is given by Eq. (2):

$$G = \eta \left( \frac{\pi D}{\lambda} \right)^2 \tag{2}$$

where
$D$ = antenna’s diameter
$\eta$ = antenna efficiency
$\lambda$ = wavelength = $c / f$ ($c$ is the velocity of light, $f$ is the frequency used for the signal)

10 EIRP

EIRP (equivalent isotropic radiated power) is the transmit power radiated through an isotropic antenna to deliver the same level of power at the receiver’s antenna as that of the transmitter. A transmitter’s efficiency relies on the antenna’s gain and the transmitter’s power, as given in Eq. (3) (Khan 2015):

$$\mathrm{EIRP} = P_{Tx} + G_{Tx} \tag{3}$$

where
$P_{Tx}$ = transmitted power
$G_{Tx}$ = antenna gain

11 Noise

Thermal energy is a natural source of noise, which interferes with signals and cannot be avoided. Noise is present in space and in the earth’s atmosphere, and it is taken into account in link budget calculations.

12 G/T

G/T is the ratio of the receiving antenna’s gain to the receiving antenna’s noise temperature, as per Eq. (4):

$$G/T = G_{Rx} - T_s \tag{4}$$

where
$G_{Rx}$ = receiving antenna gain
$T_s$ = noise temperature of system

A satellite receiver’s G/T normally ranges from −25 dB/K to 5 dB/K.

13 Losses

Overall losses in the analysis consist of many conditions that may include free space propagation loss, atmospheric absorption loss, transmitter and receiver feeder losses, antenna alignment loss, polarization mismatch loss, and the modem’s implementation loss. Equation (5), used in the analysis to determine the Eb/No (ratio of energy per bit to noise) at the receive end, is given by:

$$E_b/N_o = \mathrm{EIRP}\ (\mathrm{dBW}) + G/T\ (\mathrm{dB/degK}) - L\ (\mathrm{dB}) - 10 \log BW - 10 \log k \tag{5}$$

where L denotes all the losses in the link, BW is the bandwidth, and 10 log k is a constant with the value of 228.6.

14 Bandwidth

To integrate the physical layer with the upper layers in a network, there needs to be a corresponding calculation to compute the bandwidth requirement from the data rate requirements of the link. Bandwidth in MHz can be calculated from the data rate in Mbps using Eq. (6):

BW (MHz) = DR (Mbps) · 1 + a 2 / (FEC · M)    (6)

where
FEC = forward error correction, Viterbi and Reed-Solomon (if both are used, multiply together)
M = modulation coding level (2 = QPSK, 3 = 8PSK, 4 = 16QAM, 4 = 8VSB)
a = spectral shaping; 0.2 typical

15 Spectral Efficiency

Although the Eb/No or the C/No are the primary KPIs used to determine the health of a satellite RF link, there are other parameters which can be used to determine the performance of the RF link as well as that of the network. Spectral efficiency is one such KPI; it captures the performance of both the physical and network layer link. Spectral efficiency is the ratio of bit rate to the bandwidth used. According to Eq. (7), the unit of spectral efficiency is bits/sec/hertz.

$$\eta = \frac{R}{B} \tag{7}$$

where R = rate in bits/sec and B = bandwidth in hertz.
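The chain of Eqs. (2) to (5) and (7), carried through numerically for one downlink over a GEO path (35,786 km) and a 550 km LEO path; this is an added example, not code from the chapter. The dish sizes, transmit power, noise temperature, 3 dB of other losses, bandwidth and bit rate are constructed values, the satellite is assumed directly overhead, and the free-space loss formula and the bit-rate form of Eb/No are standard relations that the chapter names but does not write out.

```python
import math

C = 299_792_458.0                                # speed of light, m/s
TEN_LOG_K = 10 * math.log10(1.380649e-23)        # 10 log k, about -228.6 dBW/K/Hz


def db(x):
    """Power ratio -> decibels."""
    return 10 * math.log10(x)


def antenna_gain_dbi(diameter_m, freq_hz, efficiency):
    """Eq. (2): G = eta * (pi * D / lambda)^2 with lambda = c / f, in dBi."""
    wavelength = C / freq_hz
    return db(efficiency * (math.pi * diameter_m / wavelength) ** 2)


def eirp_dbw(tx_power_w, tx_gain_dbi):
    """Eq. (3) in decibel form: EIRP = P_Tx (dBW) + G_Tx (dBi)."""
    return db(tx_power_w) + tx_gain_dbi


def g_over_t_db(rx_gain_dbi, system_temp_k):
    """Eq. (4) in decibel form: G/T = G_Rx (dBi) - T_s (dBK)."""
    return rx_gain_dbi - db(system_temp_k)


def free_space_loss_db(distance_m, freq_hz):
    """Free-space propagation loss, 20 log10(4 pi d / lambda) (standard formula)."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / C)


def link_budget(distance_m, freq_hz, tx_power_w, tx_dish_m, rx_dish_m,
                efficiency, system_temp_k, other_losses_db,
                bandwidth_hz, bit_rate_bps):
    """Return the main link-budget figures for one hop."""
    eirp = eirp_dbw(tx_power_w, antenna_gain_dbi(tx_dish_m, freq_hz, efficiency))
    g_t = g_over_t_db(antenna_gain_dbi(rx_dish_m, freq_hz, efficiency), system_temp_k)
    losses = free_space_loss_db(distance_m, freq_hz) + other_losses_db
    # Carrier-to-noise density: the Eq. (5) terms without the bandwidth term.
    # Subtracting 10 log k (a negative number) adds about 228.6 dB.
    c_n0 = eirp + g_t - losses - TEN_LOG_K
    return {
        "eirp_dbw": eirp,
        "g_over_t_db_k": g_t,
        "losses_db": losses,
        "c_n0_dbhz": c_n0,
        # Eq. (5) as printed, with the 10 log BW term: carrier-to-noise in BW.
        "eq5_db": c_n0 - db(bandwidth_hz),
        # Energy per bit over noise density: subtract 10 log of the bit rate.
        "eb_n0_db": c_n0 - db(bit_rate_bps),
        # Eq. (7): spectral efficiency eta = R / B in bits/sec/hertz.
        "spectral_eff": bit_rate_bps / bandwidth_hz,
    }


# Constructed downlink: 12 GHz, 20 W into a 0.5 m satellite dish,
# 1.2 m ground dish, 60 % efficiency, 150 K system noise temperature.
SAMPLE = dict(freq_hz=12e9, tx_power_w=20.0, tx_dish_m=0.5, rx_dish_m=1.2,
              efficiency=0.6, system_temp_k=150.0, other_losses_db=3.0,
              bandwidth_hz=36e6, bit_rate_bps=50e6)


def compare_orbits():
    """Same terminal pair over a GEO path and over a 550 km LEO path."""
    geo = link_budget(distance_m=35_786e3, **SAMPLE)
    leo = link_budget(distance_m=550e3, **SAMPLE)
    return geo, leo


if __name__ == "__main__":
    for name, result in zip(("GEO", "LEO"), compare_orbits()):
        print(name, {k: round(v, 2) for k, v in result.items()})
```

With everything else held equal, the shorter LEO path recovers about 36 dB of free-space loss, which is the margin that lets LEO terminals use smaller antennas or lower transmit power.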

16 Software-Defined Radio

Software-defined radio (SDR) is one of many new technologies being adopted by satellite communication to lower both operational and capital costs by reducing the amount of radio equipment involved in the communication chain and by giving the advantage of remote configuration and regular firmware updates. SDR basically replaces most of the radio equipment with a single computing device running software capable of performing the functions of the replaced hardware. SDRs are being introduced not only in terrestrial gateways and ground stations; the next generations of LEO and GEO satellites are already adopting the technology. Previously, satellite radio links were limited to the configuration of the radio equipment installed during the manufacturing of the satellite, which couldn’t be modified throughout the lifespan of the satellite.

Figure 15 displays a generic digital communication transmit and receive RF chain at the physical layer for binary, sampled, and analogue data streams. At the transmit end, binary data collected from the data source comes from the higher layers; it is coded in binary, modulated to sampled form, and converted to an analogue waveform through a digital-to-analogue converter before being sent to the antenna for transmission over the air interface at the required transmit power. At the receive end, the wireless signal is received as analogue, converted to sampled form for demodulation, decoded to binary, and sent to the data sink for integration with the upper layers. The coding/decoding and modulation/demodulation, commonly referred to as MOD/COD, are programmable functions and can be replaced by SDR using a processing device. This can be done at the ground stations, at the gateway, at user terminals, and at the satellite using on-board processing.

Fig. 15 Digital communication components where programmable can be implemented in SDR (Collins and Getz 2018)
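The coding, modulation, demodulation and decoding stages of the chain described above, written as plain software functions in the way an SDR hosts them; this is an added example, not code from the chapter. The repetition code, the QPSK bit-to-quadrant mapping, the payload and the channel disturbance are all constructed for illustration (QPSK carries two bits per symbol, the M = 2 case listed in the Bandwidth section).

```python
import math

REPEAT = 3  # copies of the frame sent by the toy forward-error-correction code


def bytes_to_bits(data):
    """Data source: unpack bytes into a list of bits, most significant first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def fec_encode(bits):
    """Coding: send the whole frame REPEAT times, so the copies of any one
    bit land in different QPSK symbols (a crude form of interleaving)."""
    return list(bits) * REPEAT


def fec_decode(coded, n_bits):
    """Decoding: majority vote across the REPEAT copies of each bit."""
    return [1 if 2 * sum(coded[i + k * n_bits] for k in range(REPEAT)) > REPEAT else 0
            for i in range(n_bits)]


def qpsk_modulate(bits):
    """Modulation: two bits per symbol; first bit sets the sign of I, second of Q."""
    if len(bits) % 2:
        bits = bits + [0]                    # pad to a whole symbol
    scale = 1 / math.sqrt(2)                 # unit-energy symbols
    return [complex(1 - 2 * bits[i], 1 - 2 * bits[i + 1]) * scale
            for i in range(0, len(bits), 2)]


def qpsk_demodulate(samples):
    """Demodulation: hard decision on the quadrant of each received sample."""
    bits = []
    for s in samples:
        bits += [1 if s.real < 0 else 0, 1 if s.imag < 0 else 0]
    return bits


def transmit(bits):
    """Transmit chain: code, then modulate."""
    return qpsk_modulate(fec_encode(bits))


def receive(samples, n_bits):
    """Receive chain: demodulate, then decode a frame of known length."""
    return fec_decode(qpsk_demodulate(samples), n_bits)


def channel(symbols, hit):
    """Constructed channel: a small fixed offset on every sample, and the
    samples whose index is in `hit` pushed into the opposite quadrant."""
    return [(-s if i in hit else s) + complex(0.05, -0.05)
            for i, s in enumerate(symbols)]


def demo():
    frame = bytes_to_bits(b"RTN")                        # constructed payload, 24 bits
    tx = transmit(frame)                                 # 72 coded bits -> 36 symbols
    spread = receive(channel(tx, {0, 20}), len(frame))   # hits on different data bits
    stacked = receive(channel(tx, {0, 12}), len(frame))  # hits two copies of bits 0, 1
    uncoded = qpsk_demodulate(channel(qpsk_modulate(frame), {0}))
    return frame, spread, stacked, uncoded


if __name__ == "__main__":
    frame, spread, stacked, uncoded = demo()
    print("coded, errors on different bits recovered:", spread == frame)
    print("coded, two copies of one bit hit recovered:", stacked == frame)
    print("uncoded bit errors from one bad symbol:",
          sum(a != b for a, b in zip(uncoded, frame)))
```

Swapping `fec_encode`/`fec_decode` or the modulation pair changes the MOD/COD without touching the rest of the chain, which is the property that makes remote reconfiguration possible.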

17 Software-Defined Networking

Upcoming LEO-HTS mega constellations have promised on-board processing as well as inter-satellite communication links, reducing reliance on earth stations for every decision. The algorithms under consideration must be self-sustained so that they can be easily executed and updated remotely through on-board processing based on DSPs or FPGAs. These algorithms will form the basis of SDN and SDR operations, and they must be capable of calculating the entire link budget of the RF link at run time. On-board processing will not only operate the radio links originating from or terminating at the given satellite, but it can also be used to provide data security. Processing encryption/decryption and compression/decompression for up to at least the third layer of the OSI model can be helpful for the provision of cybersecurity to the physical links. On-board processing gives an extra edge in prolonging the life of a given satellite by reducing the payload required for hardware components and providing software-based technologies instead, which can be regularly updated remotely without the need for physical replacement. Given the ability to perform complex processing and multitasking on-board, the smart satellites developed through these projects will be able to perform several other duties, like data analytics on the go.

18 SDR-SDN Integration

ITU future network requirements Network 2030 (ITU 2020) describe four key components of the future integrated space-terrestrial network:

1. Satellite
2. Ground station and terminals
3. Controller
4. Mobile edge computing

All these components need to have processing capabilities to meet the Network 2030 requirements, a pathway for 6G and beyond. The processing capabilities will be used to provide SDR, SDN, NFV, and their integration to achieve the overall objectives of the satellite network deployed. The SDR-SDN layered architecture, along with the core functionalities of each layer, is provided in Fig. 16, which will become the base for further developments in satellite-based real-time networks. A satellite in any given orbit is itself a component in the deployment of any such network. The emphasis of the ITU framework, however, is on LEO satellites. GEO or MEO satellites can provide connectivity through LEO satellites by provision of backhaul and TT&C connectivity for RTN on-board LEO satellites. Consideration of on-board processing is essential for the satellites to meet the future network framework requirements to provide software-defined technology-based network services. The network has to be terminated at a user terminal at one end and connected to a core network at the other end. For both ends of the network, satellite terminals and ground stations play an important role in the operations of the network. The future network requirements explicitly mention that the network controller is to be SDN architecture-based for the satellite networks. Figure 17 depicts the hybrid network scenario of the LEO-GEO structure. The controller can be on-board GEO satellites or on the ground station to control the LEO network operations. Other than the network controller, LEO constellations will require a satellite controller to maintain TT&C of the satellites, which can also be provided through a controller on-board GEO satellites. GEO satellites are the preferred option as compared to ground stations for controlling the network and the LEO satellites, as GEO satellites have a larger coverage footprint and only three satellites can provide such services for LEO global constellations. In comparison, a large number of ground stations will be required to communicate regularly with high-velocity LEO satellites to meet the requirements of the RTN.

Fig. 16 SDR-SDN layered architecture

19 Interfacing

The SDR-SDN integration needs to be interfaced with the core network at one end and the user interface at the other end to complete the network architecture, as provided in Fig. 18. Although satellite communication has evolved rapidly, it lacks a standardized approach to communication protocols and algorithms for interoperability and interconnectivity. Satellite operators and equipment manufacturers have relied on proprietary technologies for specific communication needs. After the introduction of software-defined technologies in the industry, there has been a dire need for standardization of communication protocols, algorithms, and spectrum usage. Considerable effort in the research and development of key enablers for interoperability, scalability, and flexibility is urgently required. Higher layer integration of satellite IP networks is provided in Fig. 19.

Fig. 17 LEO-GEO hybrid network (Furqan 2020)

Fig. 18 SDR-SDN integration and interfacing


Fig. 19 Higher layer integration of satellite IP networks (ETSI 2002)

The involvement of huge technology firms in the LEO-HTS mega constellations has brought unprecedented development in the satellite communication industry. Growth has been observed not only in the constellations but also in the ground segment of the sector, with firms like AWS (Amazon Web Services), which is also launching its own constellation, Project Kuiper, and Microsoft, which has expanded its cloud platform Azure to accommodate the satellite communication infrastructure through Ground Station as a Service and Ground Station as a Platform. Figure ?? shows the services provided at the Ground Station of AWS. These services enable service providers to deploy their networks without investing in infrastructure, just as cloud services eliminated the need for dedicated data centers.

Microsoft Azure Orbital incorporates the whole satellite communication ecosystem into Microsoft's cloud infrastructure. Microsoft has partnered with satellite industry players for the provision of cutting-edge software-defined technologies for private and public networks, as well as TT&C of the satellites in different orbits. Figure 20 provides the structure of Microsoft Azure Orbital. The proposed architecture includes NFV for SDN and SDR as Digitized RF and supports integration of satellite networks with terrestrial networks for the IoT (Internet of Things), artificial intelligence, and machine learning. Similarly, AWS has introduced its cloud-based Ground Station as a Service platform for satellite communication managed services. AWS has the advantage over Microsoft of having its own constellation, Project Kuiper, for global broadband services (Fig. 21).

With such exponential growth in the number of satellites and the involvement of technology firms at such a scale, the satellite communication industry is experiencing a situation similar to the one faced by terrestrial information and communication technology a couple of decades ago. Subsequently, satellite networks can learn from the case studies of their terrestrial counterparts, avoiding the mistakes and adopting the success factors.


Fig. 20 Microsoft Azure Orbital (Microsoft 2021)

Fig. 21 AWS Ground Station as a Service (AWS 2021)

20 Security

Satellite communication, radio links in particular, has so far relied on hardware equipment. The equipment isn’t easily available for anyone to purchase. Moreover, installing and commissioning a satellite link, or just receiving a signal, required technical skills and was a difficult job. However, with LEO satellites, user equipment connecting directly to the satellites, and software-defined technologies, connecting to a satellite has become easier. This ease of connectivity can be a security risk as well; any person or syndicate with a newer generation of cell phone that has the capability to connect to satellites, a computing device with SDN, and SDR software can access the satellites.

21 Summary

To cover larger geographical areas, up to global coverage, for the deployment of real-time networks, satellite communication is the only solution. Satellites have been providing communication services to remote regions for more than half a century. So far, they have only been relaying radio signals from servers to the remote hosts, working discretely in the physical layer of the network architecture. Moreover, latency has been an issue for real-time networks, which cannot be avoided due to the very high altitude of the GEO satellites. Due to the exponential increase in the demand for data traffic, the satellite communication industry is innovating the way it communicates by introducing software-defined technologies like SDR and SDN, involving higher layers of the network architecture. This innovation is needed to meet the Network 2030 requirements, which pave the way for the development and deployment of future networks including 6G mobile networks. The rollout of the LEO-HTS mega constellations, with inter-satellite links and on-board processing capabilities to perform software-defined technology-based tasks, can be seen as a revolutionary development to meet the requirements of real-time networks at global scale.

References

AWS. Ground Station (AWS, 2021). Retrieved from https://aws.amazon.com/ground-station/
A.C. Clarke, Extra-terrestrial relays. Wireless World (1945) 305–308
T.F. Collins, R. Getz, Software-Defined Radio for Engineers (Artech House, 2018)
ETSI, Satellite Earth Stations and Systems (SES); Broadband Satellite Multimedia; IP Over Satellite (ETSI, Sophia, 2002)
European Space Agency, Space in Images (European Space Agency, 2019). Retrieved from https://www.esa.int/spaceinimages/Images/2013/11/Satellitefrequencybands
M. Furqan, Efficient Utilization of Radio Frequency Electromagnetic Spectrum for Satellites in Lower Earth Orbits. 19th Australian Space Research Conference (National Space Society of Australia, Adelaide, 2020), pp. 107–114
M. Furqan, W. Butt, Challenges for LEO HTS Mega-constellations: Terrestrial Networks Integration (Satellite Markets and Research, 2020). Retrieved from http://satellitemarkets.com/challenges-leo-hts-megaconstelllations-terrestrial-networks-integration
Harbor Research, The Spread of Real-Time Networking (Harbor Research, 2021). Retrieved from https://harborresearch.com/spread-of-real-time-networking/
ITU, FG-NET2030 – Focus Group on Technologies for Network 2030 (International Telecommunication Union, Geneva, 2020)
H. Khan, Utilizing Software Defined Technologies to Develop Ring Computing in Geostationary Satellite Communications (QUT, Brisbane, 2015)
Microsoft, Azure Orbital (Microsoft, 2021). Retrieved from https://docs.microsoft.com/en-au/azure/networking/azure-orbital-overview
Stuff In Space, Stuff in Space (Stuff in Space, 2021). Retrieved from https://stuffin.space/

Part V Real-Time Multi-Agent Systems Yang Tang

32 Event-Triggering Impulsive Differential Evolution

Wei Du and Yang Tang

Contents

1 Introduction
2 Background Information
2.1 DE
2.2 Event-Triggered Mechanism (ETM)
2.3 Impulsive Control
3 An Event-Triggered Impulsive Control Scheme
3.1 The Proposed Approach
3.2 DE with an Event-Triggered Impulsive Control Scheme
4 Experimental Results and Analysis
4.1 Parameter Settings
4.2 Comparison with Six DE Algorithms
4.3 Effectiveness of Two Types of Impulses
4.4 Effectiveness of Random Selection of the Reference State in Stabilizing Impulses
4.5 Parameter Sensitivity Study
4.6 Scalability Study
4.7 Working Mechanism of ETI
5 Conclusion
References

Abstract Differential evolution (DE) is a simple but powerful evolutionary algorithm, which has been widely and successfully used in various areas for solving complex optimization problems. In this chapter, an event-triggered impulsive control scheme (ETI) is introduced to improve the performance of DE. Impulsive control, the concept of which derives from control theory, aims at regulating the states of a network by instantly adjusting the states of a fraction of nodes at certain instants, and these instants are determined by the event-triggered mechanism (ETM). After impulsive control and ETM are incorporated into DE, the search performance of the population is altered in a positive way after revising the positions of some individuals at certain moments. At the end of each generation, the impulsive control operation is triggered when the update rate of the population declines or equals zero. In detail, inspired by the concepts of impulsive control, two types of impulses are presented within the framework of DE in this chapter: stabilizing impulses and destabilizing impulses. Stabilizing impulses help the individuals with lower rankings instantly move to a desired state determined by the individuals with better fitness values. Destabilizing impulses randomly alter the positions of inferior individuals within the range of the current population. By means of intelligently modifying the positions of a part of individuals with these two kinds of impulses, both exploitation and exploration abilities of the whole population can be meliorated.

W. Du · Y. Tang, Key Laboratory of Advanced Control and Optimization for Chemical Processes, Ministry of Education, East China University of Science and Technology, Shanghai, China

© Springer Nature Singapore Pte Ltd. 2022. Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_15

Keywords Evolutionary algorithm · Differential evolution · Single-objective optimization · Impulsive control · Event-triggered mechanism

1 Introduction

Differential evolution (DE), first proposed by Storn and Price (1995, 1997), has proven to be a reliable and powerful population-based evolutionary algorithm for global numerical optimization. Over the past decade, different variants of DE have been proposed to handle complicated optimization problems in various application fields (Plagianakos et al. 2008), such as engineering design (Kim et al. 2007), image processing (Sarkar and Das 2013), data mining (Das et al. 2008), robot control (Neri and Mininno 2010), and so on. Generally, DE employs three main operators, mutation, crossover, and selection, at each generation for the population production (Neri and Tirronen 2010; Das and Suganthan 2011). The mutation operator provides the individuals with a sudden change or perturbation, which helps explore the search space. In order to increase the diversity of the population, the crossover operator is implemented after the mutation operation. The selection operator chooses the better one between a parent and its offspring, which guarantees that the population never deteriorates. In addition to these three basic operators, there are three control parameters which greatly influence the performance of DE: the mutation scale factor F, the crossover rate CR, and the population size NP. Most of the current research on DE has focused on four aspects to enhance the performance of DE:

1. Developing new mutation operators (Tang et al. 2015; Islam et al. 2012; Zhang and Sanderson 2009; Gong and Cai 2013; Guo et al. 2015; Cai and Wang 2013; Epitropakis et al. 2011; Wang et al. 2014a; Das et al. 2009)
2. Designing novel parameter control strategies (Tang et al. 2015; Islam et al. 2012; Zhang and Sanderson 2009; Brest et al. 2006; Zhu et al. 2013; Gong et al. 2011)
3. Improving the crossover operator (Islam et al. 2012; Wang et al. 2012, 2014b; Guo and Yang 2015)
4. Pooling multiple mutation strategies (Mallipeddi et al. 2011; Wang et al. 2011; Qin et al. 2009; Dorronsoro and Bouvry 2011; Wu et al. 2016)

These four categories of research on DE are described in detail as follows:

1. In recent years, some efficient mutation operators have been presented and integrated into the DE framework. For instance, Zhang and Sanderson (2009) proposed a new mutation strategy “DE/current-to-pbest” to improve the performance of the basic DE. Gong and Cai (2013) developed a ranking-based mutation operator to assign better individuals to lead the population. Guo et al. (2015) presented a successful-parent-selecting method, which adapts the selection of parents when stagnation occurs.
2. Various parameter control schemes have been introduced to the DE algorithm. In Zhang and Sanderson (2009) and Brest et al. (2006), F and CR can be evolved during the evolution of the population. In Zhu et al. (2013), an adaptive population tuning scheme was proposed to reassign computing resources in a more reasonable way.
3. Some researchers have made efforts to optimize the conventional crossover strategy. For example, Islam et al. (2012) incorporated a greedy parent selection strategy with the traditional binomial crossover scheme to develop a pbest crossover operation. Guo and Yang (2015) utilized eigenvectors of the covariance matrix to make the crossover rotationally invariant, which generates a better search behavior.
4. Several DE variants have been put forward, which employ more than one mutation operator to breed new solutions, such as EPSDE (Mallipeddi et al. 2011), CoDE (Wang et al. 2011), SaDE (Qin et al. 2009), and so on.

Despite numerous efforts on improving DE from the above four aspects, there are some DE variants which take advantage of ideas from other disciplines. For instance, Rahnamayan et al. (2008) presented opposition-based DE (ODE), which adopts opposition-based learning, a new scheme in machine intelligence, to speed up the convergence rate of DE. Kaelo and Ali (2007) made use of the attraction-repulsion concept in electromagnetism to boost the performance of the original DE. Vasile et al. (2011) proposed a novel DE, which is inspired by discrete dynamical systems. These improvements on DE enlighten researchers to look through techniques in other areas, which might contribute to the appearance of more powerful DE variants.

On another research frontier, as an important component in control theory, impulsive control has attracted much attention in recent years due to its high efficiency. As exemplified in Zhang et al. (2014) and Tang et al. (2015), impulsive effects can be detected in various dynamical systems, like communication networks, electronic systems, biological networks, and so on. Besides, impulsive control is able to manipulate the states of a network to a desired value by adding impulsive signals to some specific nodes at certain instants. In addition, another effective technique, event-triggered mechanism (ETM), has also been widely utilized (Tabuada 2007; Wang and Lemmon 2011; Heemels et al. 2013; Tang et al. 2016) in control theory. In ETM, the state of the controller is updated when the system’s state exceeds a given threshold. By integrating ETM into impulsive control, the operation of impulsive control can only be activated when some predefined events are triggered. This way, ETM avoids the periodical execution of impulsive control, which efficiently saves computational resources.

Taking a look at how DE works in an optimization problem, the movement of the population in the evolution process can be treated as a complicated multi-agent system in control theory, where individuals in the population can be regarded as nodes in a network. On one hand, in original DE algorithms and some popular DE variants, it may take a long time for certain individuals to reach the desired positions. For instance, the “pbest” individual is utilized to guide the search of other individuals in JADE (Zhang and Sanderson 2009). However, this operation is carried out at each generation and forces the individuals to approach the desired state slowly, which deteriorates the search performance of the population in limited computational resources. On the other hand, in many DE variants, like jDE (Brest et al. 2006), JADE (Zhang and Sanderson 2009), and CoDE (Wang et al. 2011), the diversity of the population is maintained only by mutation and crossover, which are indirect. Inspired by how impulsive control manipulates a dynamical system, this chapter introduces the concept of impulsive control into the design of DE, aiming at increasing the search efficiency and the diversity of the population by instantly letting selected individuals move close to the desired positions. Besides, when DE is used for an optimization problem, the computational resources are often limited, measured by the maximum number of function evaluations (MAX FES). Therefore, it is reasonable to trigger the instantaneous movement of certain individuals by some predefined events, which follows the idea of ETM.

Motivated by the above discussion, by integrating ETM into impulsive control, an event-triggered impulsive control scheme (ETI) is introduced to DE in this chapter. Similar to adjusting the states of some nodes in dynamical systems in control theory, impulsive control revises the positions of a fraction of the population at certain moments, the purpose of which is to positively change the evolution state of the whole population. In detail, two varieties of impulses, stabilizing impulses and destabilizing impulses, are presented to fit into the framework of DE. In addition, based on both the fitness value and the number of consecutive stagnation generations, a novel measure $R_i$ is developed to pick the individuals to be injected with impulsive controllers. When the update rate (UR) of the population begins to diminish or reduces to zero, the individuals with large values of $R_i$ will be injected with impulsive controllers. Stabilizing impulses are adopted to force a number of individuals with lower rankings in the current population to get close to the individuals with better fitness values, which increases the exploitation ability of DE. Besides, destabilizing impulses are considered to randomly adjust the positions of inferior individuals within the range of the current population, which improves the exploration capability of DE.

This chapter is organized as follows. In Sect. 2, the original DE and the concepts of ETM and impulsive control are introduced. The proposed scheme ETI is presented in Sect. 3. Experimental results are reported in Sect. 4. Finally, concluding remarks are made in Sect. 5.

2 Background Information

A single-objective optimization problem can be formulated as follows (without any loss of generality, in this chapter, a minimization problem is considered with a decision space ):

minimize $f(x)$, x ∈ , (1)

where  is a decision space, $x = [x_1, x_2, \ldots, x_D]^T$ is a decision vector, and D is the dimension size, representing the number of the decision variables involved in the problem. For each variable $x_j$, it should obey a boundary constraint:

$$L_j \le x_j \le U_j, \quad j = 1, 2, \ldots, D, \tag{2}$$

where $L_j$ and $U_j$ are the lower and upper bounds for the jth dimension, respectively.

2.1 DE

DE is a population-based evolutionary algorithm for a numerical optimization problem. It initializes a population of NP individuals in a D-dimensional search space. Each individual represents a potential solution to the optimization problem. After initialization, at each generation, three operators, mutation, crossover, and selection, are employed to generate the offspring for the current population. The flowchart of DE is provided in Fig. 1.

Fig. 1 Flowchart of DE (Initialization, Mutation, Crossover, Selection, “Meet stop criteria?” with No and Yes branches, Termination)

1. Mutation: Mutation is the most consequential operator in DE. Each vector $x_{i,G}$ in the population at the Gth generation is called target vector. A mutant vector called donor vector is obtained through the differential mutation operation. For simplicity, the notation “DE/a/b” is used to represent different mutation operators, where “DE” denotes the differential evolution, “a” stands for the base vector, and “b” indicates the number of difference vectors utilized. In DE, there are six mutation operators that are most widely used:

(i) “DE/rand/1”

$$v_{i,G} = x_{r_1,G} + F \cdot (x_{r_2,G} - x_{r_3,G}), \tag{3}$$

(ii) “DE/rand/2”

$$v_{i,G} = x_{r_1,G} + F \cdot (x_{r_2,G} - x_{r_3,G}) + F \cdot (x_{r_4,G} - x_{r_5,G}), \tag{4}$$

(iii) “DE/best/1”

$$v_{i,G} = x_{best,G} + F \cdot (x_{r_1,G} - x_{r_2,G}), \tag{5}$$

(iv) “DE/best/2”

$$v_{i,G} = x_{best,G} + F \cdot (x_{r_1,G} - x_{r_2,G}) + F \cdot (x_{r_3,G} - x_{r_4,G}), \tag{6}$$

(v) “DE/current-to-best/1”

$$v_{i,G} = x_{i,G} + F \cdot (x_{best,G} - x_{i,G}) + F \cdot (x_{r_1,G} - x_{r_2,G}), \tag{7}$$

(vi) “DE/current-to-rand/1”

$$u_{i,G} = x_{i,G} + K \cdot (x_{r_1,G} - x_{i,G}) + \hat F \cdot (x_{r_2,G} - x_{r_3,G}), \tag{8}$$

where $x_{best,G}$ specifies the best individual in the current population; $r_1, r_2, r_3, r_4$, and $r_5 \in \{1, 2, \ldots, NP\}$ and $r_1 \ne r_2 \ne r_3 \ne r_4 \ne r_5 \ne i$. The parameter $F > 0$ is called scaling factor, which scales the difference vector. It is worth mentioning that (8) shows the rotation-invariant mutation (Price 1999). K is the combination coefficient, which should be selected with a uniform random distribution from [0, 1] and $\hat F = K \cdot F$. Since “DE/current-to-rand/1” contains both mutation and crossover, it is not necessary for the offspring to go through the crossover operation.

2. Crossover: After mutation, a binomial crossover operation is implemented to generate the trial vector $u_i = [u_{i1}, u_{i2}, \ldots, u_{iD}]^T$:

$$u_{ij,G} = \begin{cases} v_{ij,G} & \text{if } rand(0, 1) \le CR \text{ or } j = j_{rand}, \\ x_{ij,G} & \text{otherwise,} \end{cases} \tag{9}$$

where rand(0, 1) is a uniform random number in the range [0, 1]. $CR \in [0, 1]$ is called crossover probability, which determines how much the trial vector is inherited from the mutant vector. $j_{rand}$ is an integer randomly selected from 1 to D and newly generated for each i, which ensures at least one dimension of the trial vector will be different from the corresponding target vector. If $u_{ij,G}$ is out of the boundary, it will be reinitialized in the range $[L_j, U_j]$.

3. Selection: The selection operator employs a one-to-one swapping strategy, which picks the better one from each pair of $x_{i,G}$ and $u_{i,G}$ for the next generation:

$$x_{i,G+1} = \begin{cases} u_{i,G}, & \text{if } f(u_{i,G}) \le f(x_{i,G}), \\ x_{i,G}, & \text{otherwise.} \end{cases} \tag{10}$$
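The three operators above, put together as one complete DE/rand/1 loop with binomial crossover (Eqs. (3), (9), and (10)). This is an added example, not code from the chapter; the function names, the sphere test function, the seed, and the per-generation update rate (taken here as the fraction of individuals replaced, since the chapter's own definition of UR is not given in this section) are assumptions.

```python
import random


def sphere(x):
    """Constructed test objective: f(x) = sum of squares, minimum 0 at the origin."""
    return sum(v * v for v in x)


def de_rand_1_bin(f, lower, upper, NP=20, F=0.5, CR=0.9, generations=100, seed=1):
    """Minimize f over the box [lower_j, upper_j] with DE/rand/1 and binomial crossover.

    Returns a dict with the best vector, its fitness, the best fitness after
    every generation ("history") and the fraction of individuals replaced in
    every generation ("update_rate", an assumed reading of UR).
    """
    rng = random.Random(seed)  # seeded so that a run is reproducible
    D = len(lower)
    pop = [[rng.uniform(lower[j], upper[j]) for j in range(D)] for _ in range(NP)]
    fit = [f(x) for x in pop]
    history = [min(fit)]
    update_rate = []

    for _ in range(generations):
        new_pop, new_fit, replaced = [], [], 0
        for i in range(NP):
            # r1, r2, r3 are mutually distinct and all different from i
            r1, r2, r3 = rng.sample([r for r in range(NP) if r != i], 3)
            # Eq. (3): donor vector
            v = [pop[r1][j] + F * (pop[r2][j] - pop[r3][j]) for j in range(D)]
            # Eq. (9): binomial crossover; j_rand forces at least one donor component
            j_rand = rng.randrange(D)
            u = []
            for j in range(D):
                uj = v[j] if (rng.random() <= CR or j == j_rand) else pop[i][j]
                if not (lower[j] <= uj <= upper[j]):
                    # out-of-bound components are reinitialized inside [L_j, U_j]
                    uj = rng.uniform(lower[j], upper[j])
                u.append(uj)
            # Eq. (10): one-to-one selection, the trial wins ties
            fu = f(u)
            if fu <= fit[i]:
                new_pop.append(u)
                new_fit.append(fu)
                replaced += 1
            else:
                new_pop.append(pop[i])
                new_fit.append(fit[i])
        pop, fit = new_pop, new_fit
        history.append(min(fit))
        update_rate.append(replaced / NP)

    best_index = min(range(NP), key=lambda i: fit[i])
    return {
        "best": pop[best_index],
        "best_fitness": fit[best_index],
        "history": history,
        "update_rate": update_rate,
    }


if __name__ == "__main__":
    result = de_rand_1_bin(sphere, [-5.0] * 5, [5.0] * 5, generations=200)
    print("best fitness:", result["best_fitness"])
    print("update rate, first and last generation:",
          result["update_rate"][0], result["update_rate"][-1])
```

Because selection never accepts a worse trial, the best-fitness history is non-increasing, and the update rate is the quantity whose decline the event-triggered scheme of this chapter reacts to.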

2.2 Event-Triggered Mechanism (ETM)

Event-triggered mechanism (ETM) is an effective strategy in control theory that determines when the state of a controller is updated. Typically, a controller’s state is independent of a system’s state except at periodic instants. When the communication resource is insufficient, the traditional time-triggered paradigm may not be efficient. In ETM, by contrast, the state of the controller is revised only when a system’s state exceeds a predefined threshold or a specified event occurs. This way, ETM is able to reduce the amount of unnecessary communications. It is of paramount importance to make use of ETM by devising suitable event-triggering conditions, which saves system resources and ensures stable performance at the same time. One can refer to Tabuada (2007), Wang and Lemmon (2011), Heemels et al. (2013), and Tang et al. (2016) and references therein.

2.3 Impulsive Control

In various dynamical networks (Zou et al. 2015), like biological networks, communication networks, and electronic networks, the states of networks often undergo abrupt changes at some instants, which may be due to switching phenomena or control requirements; and these changes can be modeled by impulsive effects. Usually, impulses can be divided into two categories, stabilizing and destabilizing impulses (Zhang et al. 2014; Tang et al. 2015), which, respectively, make networks stable and unstable. For dynamical networks, impulsive control is capable of adjusting the states of a network by instantaneously regulating the states of a fraction of nodes at certain instants. Due to the high efficiency of impulsive control, it has attracted increasing attention in recent years. Besides, as shown in Zhang et al. (2014), if the impulsive strength of each node is distinct in networks, such kind of impulses is called heterogeneous impulses in space domain.

In order to clearly explain the mechanism of impulsive control, the following complex nonlinear dynamical network model is considered:

$$\dot x_i(t) = \tilde f(x_i(t)) + \upsilon \sum_{j=1}^{N} a_{ij} x_j(t), \tag{11}$$

where $i = 1, 2, \ldots, N$, $x_i(t) = [x_{i1}(t), x_{i2}(t), \ldots, x_{in}(t)]^T \in R^n$ is the state vector of the ith node at time t; $\tilde f_1(x_i(t)) = [\tilde f_{11}(x_{i1}(t)), \ldots, \tilde f_{1n}(x_{in}(t))]^T \in R^n$; $\upsilon > 0$ denotes the coupling strength; and $A = [a_{ij}]_{N \times N}$ is the coupling matrix, where $a_{ij}$ is defined as follows: if there is a connection from node j to node i ($i \ne j$), then $a_{ij} = a_{ji} > 0$; otherwise $a_{ij} = 0$; for $i = j$, $a_{ij}$ is defined as follows:

$$a_{ii} = -\sum_{j=1, j \ne i}^{N} a_{ij}. \tag{12}$$

Assume that the nonlinear dynamical network in Eq. (11) can be forced to the following reference state s(t):

$$\dot s(t) = \tilde f(s(t)). \tag{13}$$

Let $e_i(t) = x_i(t) - s(t)$, then the error dynamical system can be obtained:

$$\dot e_i(t) = f(e_i(t)) + \upsilon \sum_{j=1}^{N} a_{ij} e_j(t), \tag{14}$$

where $f(e_i(t)) = \tilde f(x_i(t)) - \tilde f(s(t))$. Considering heterogeneous impulsive effects in system (11) or (14), the following model can be obtained:

$$\begin{cases} \dot e_i(t) = f(e_i(t)) + \upsilon \sum_{j=1}^{N} a_{ij} e_j(t), & t \ne t_k,\ k \in N^+, \\ e_i(t_k^+) = e_i(t_k^-) + \mu_{ik} e_i(t_k^-), \end{cases} \tag{15}$$

where $\mu_{ik}$ denotes impulsive strengths; the impulsive instant sequence $\{t_k\}_{k=1}^{\infty}$ satisfies $0 < t_1 < t_2$

0) means that A is positive semi-definite (respectively, positive definite); for a given matrix B, $\sigma_{\max}(B)$ is the maximum singular value;  ·  denotes either the Euclidean vector norm or its induced matrix 2-norm, and “⊗” denotes the Kronecker product, and I is the identity matrix with an appropriate dimension.

2 Leader-Following Consensus of Homogenous Nonlinear Multi-agent Systems via Distributed Impulsive Control

2.1 Problem Formulation

Consider a group of nonlinear multi-agent systems with N agents. The dynamics of each agent is described by

$$\dot x_i(t) = A x_i(t) + B f(x_i(t)) + u_i(t), \quad i = 1, 2, \ldots, N \tag{1}$$

where $x_i(t) \in R^n$ denotes the state of the ith node, $f(x_i(t)) = (f_1(x_i(t)), f_2(x_i(t)), \ldots, f_n(x_i(t)))^T$ is a nonlinear function, $u_i(t)$ is the control input, and A and B are constant matrices. The leader’s dynamics is expressed as

$$\dot s(t) = A s(t) + B f(s(t)) \tag{2}$$

The proposed distributed impulsive protocol based on pinning control is designed as

$$u_i(t) = \sum_{k=1}^{\infty} \left[ -c \sum_{j=1}^{N} l_{ij} x_j(t) - c d_i (x_i(t) - s(t)) \right] \delta(t - t_k) \tag{3}$$

33 Distributed Impulsive Control of Leader-Following Multi-agent Systems

where c is the coupling strength and $d_i \ge 0$, $i = 1, 2, \ldots, N$, are pinning gains. Here, $d_i > 0$ if and only if there exists a directed path from the leader to the ith node. The node i is referred to as the pinned node or controlled node, δ(·) is the Dirac impulse, and the impulse sequence $\{t_k\}_{k=1}^{\infty}$ satisfies $0 = t_0 < t_1 < t_2 < \cdots < t_k < \cdots$, $\lim_{k \to \infty} t_k = \infty$, with $h_1 = \inf\{t_k - t_{k-1}\}$ and $h_2 = \sup\{t_k - t_{k-1}\}$, $k = 1, 2, \ldots$. It is assumed that $0 < h_1 \le h_2 < \infty$.

Assumption 1. For the nonlinear function f(·), there exist nonnegative constants $q_{ij}$ ($i, j = 1, 2, \ldots, n$) such that, for any $z_1, z_2 \in R^n$,

$$|f_i(z_1) - f_i(z_2)| \le \sum_{j=1}^{n} q_{ij} |z_{1j} - z_{2j}|$$

Assumption 1 is the so-called Lipschitz condition. All linear and piecewise-linear time-invariant continuous functions satisfy this condition. Besides, Assumption 1 holds if the Jacobian matrix $(\partial f / \partial x)_{n \times n}$ is uniformly bounded. It includes a number of well-known systems such as Chua’s circuit, neural networks, and Ikeda’s oscillator (Huang et al. 2007). Therefore, this assumption is mild, and the model (1) is general, representing a large class of interconnected systems with the same structure but different parameters induced by external disturbances. Homogeneous dynamic networks are clearly included as special cases.

Assumption 2. For the nonlinear function f(·), there exist nonnegative constants $q_{ij}$ ($i, j = 1, 2, \ldots, n$) such that, for any $z_1, z_2 \in R^n$,

$$|f_i(z_1) - f_i(z_2)| \le q_i |z_{1j} - z_{2j}|$$

Assumption 3. The leader has a path to every follower node.

With the above-proposed control protocol in (3), the impulsive network is described by

x˙i (t) = Ai xi (t) + Bi f (xi (t)), t = tk  − − − xi (tk ) = −c N j =1 lij xj (tk ) − cdi (xi (tk ) − s(tk ))

(4)

where xi (tk ) = xi (tk+ ) − xi (tk− ), xi (tk ) = xi (tk+ ) = limh→0+ xi (tk + h), xi (tk− ) = limh→0− xi (tk + h), and x(t) is right-hand continuous at t = tk . The objective is to design a distributed impulsive controller ui (t) with only sampled data of the agent and its neighbors at discrete instants such that all agents (1) reach globally exponentially consensus under the guidance of the leader (2). From (2) and (4), the error dynamics is described by

W. He et al.

$$\begin{cases} \dot e_i(t) = A_i e_i(t) + B_i g(e_i(t), s(t)), & t \ne t_k \\ e_i(t_k) - e_i(t_k^-) = -c \sum_{j=1}^{N} l_{ij} e_j(t_k^-) - c d_i e_i(t_k^-) \end{cases} \tag{5}$$

where $g(e_i(t), s(t)) = f(e_i(t) + s(t)) - f(s(t))$. To facilitate the theoretical analysis in later sections, rewrite the error dynamics at the impulse instant $t = t_k$ in a matrix form as

$$e(t_k) = (I_N - c(L + D) \otimes I_n)\, e(t_k^-) \tag{6}$$

for $k = 1, 2, \ldots$, where $e(t) = (e_1^T(t), e_2^T(t), \ldots, e_N^T(t))^T$ and $D = \mathrm{diag}\{d_1, d_2, \ldots, d_N\}$ is the pinning control matrix representing the pinning control strategy. The following definitions and lemma are given for deriving the main results later.

Definition 1. The multi-agent system (1) is said to achieve global exponential consensus with the leader s(t) if there exist two positive constant θ, ε such that for any xi (t0 ), s(t0 ) ∈ Rn xi (t) − s(t) ≤ θ xi (t0 ) − s(t0 )e−ε(t−t0 ) , i = 1, 2, · · · , N Definition 2. Let Z(t) ∈ Rn×n be a time-varying symmetric matrix. Then, Z(t) is said to be 1. a positive definite matrix if Z(t) > 0 for all t ≥ 0 2. a uniformly bounded positive definite matrix if there exist positive constants m, ˇ m ˆ such that 0 0 such that Assume that there exist constants ϑ, ϑ,

˜ − τ (t)), t = tk D + u(t) ≤ ϑu(t) + ϑu(t − u(tk ) ≤ ωu(t ¯ k ), k ∈ N

and

˜ − τ (t)), t = tk D + υ(t) > ϑυ(t) + ϑυ(t − υ(tk ) = ωυ(t ¯ k ), k ∈ N

Then, u(t) ≤ υ(t) for −τ¯ ≤ t ≤ 0 implies that u(t) ≤ υ(t) for t > 0, where D + u(t) = limh→0+ u(t+h)−u(t) . h

2.2 Leader-Following Consensus Criteria with Distributed Impulsive Control

In this subsection, some impulsive consensus criteria are established for (5). First, a general result is derived based on a piecewise continuous Lyapunov function. Then, some interesting results related to the balance of the impulse sequence, pinned nodes, and coupling strength are derived by using some special Lyapunov functions.

Theorem 1. Under Assumptions 1 and 3, the error system (5) is said to be exponentially stable if there exist piecewise continuous matrix functions P(t), which are uniformly bounded and positive definite, i.e., $0 < \check m \le P(t) \le \hat m$, and positive scalars α, κ, c, $h_2$, 0 < μ < 1, such that

1 =

P A + AT P + P˙ + λmax (QT Q)κ − αP P B −κI BT P

μP (tk− ) T P (tk+ ) P (tk+ ) P (tk+ )

0

ln μ + α ≤ −r h2

(8)

(9)

where $Q = (q_{ij})_{n \times n}$ and  = $(I_N - c(L + D)) \otimes I_n$.

Proof. Choose a Lyapunov function as

$$V(e(t)) = \sum_{i=1}^{N} e_i^T(t) P(t) e_i(t) \tag{10}$$

For $t \in [t_{k-1}, t_k)$, $k = 1, 2, \ldots$, taking the derivative of V(e(t)) with respect to t along the trajectory of (5) yields

$$\dot V(e(t)) = \sum_{i=1}^{N} e_i^T(t) [\dot P e_i(t) + 2 P A e_i(t) + 2 P B g(e_i(t))] \tag{11}$$

According to Assumption 1, for a positive constant κ, one has

$$\lambda_{\max}(Q^T Q) \kappa e_i^T(t) e_i(t) - \kappa g^T(e_i(t)) g(e_i(t)) \ge 0 \tag{12}$$

Let $\xi_i(t) = [e_i^T(t), g^T(e_i(t))]^T$. From (7), one has

V (e(t)) ≤

N  [ξiT (t)1 ξi (t) + αeiT (t)P ei (t)] ≤ αV (e(t))

(13)

i=1

On the other hand, when t = tk , based on (6), one has e(tk ) = ((IN − c(L + D)) ⊗ In )e(tk− ) = e(tk− ) According to (8) and the Schur complement, one obtains μP (tk− ) − T P (tk+ ) > 0 Then V (tk+ ) = eT (tk )P (tk+ )e(tk ) = eT (tk− )T P (tk+ )e(tk− ) ≤ μeT (tk− )P (tk− )eT (tk− ) ≤ μV (tk− )

(14)

For any ε > 0, let υ(t) be the unique solution of the following impulsive comparison system: ⎧ ˙ = αυ(t) + ε, t = tk ⎨ υ(t) υ(tk+ ) = μυ(tk ), k ∈ N ⎩ ˆ i }e(0)2 υ(0) = max1≤i≤N {m

(15)

From Lemma 1 and the fact that V (0) ≤ υ(0), it follows V (t) ≤ υ(t) for all t > 0. By the formula for variation of parameters, υ(t) can be expressed as N   t  2 υ(t) = W (t, 0)υ(0) + W (t, s) γi ωi + ε (16) 0

i=1

where W (t, s), 0 ≤ s ≤ t, is the Cauchy matrix of the linear impulsive system, satisfying  W (t, s) = eα(t−s) μ s≤tk 0, P2 > 0. Then, the following theorem can be established.

(21)


Theorem 2. Under Assumptions 1 and 3, the error system (5) is said to be exponentially stable if there exist matrices P1 > 0, P2 > 0 and positive scalars α, κ, c, h1 , h2 , μ1 , μ2 , 0 < μ < 1, such that 

P1 A + AT P1 +

1 hj

(P1 − P2 ) + λmax (QT Q)κ − αP1 P1 B −κI

B T P1 

P2 A + AT P2 +

1 hj



(P1 − P2 ) + λmax (QT Q)κ − αP2 P2 B −κI

B T P2

0 and positive scalars α, κ, c, $h_2$, such that (28) and the following inequalities hold:

$$c \lambda_{\max}(L + D) < 2 \tag{33}$$

ln μ +α −1

It is obvious that $1 - c\lambda_{\min}(L + D) < 1$. So,

$$-1 < 1 - c\lambda_i(L + D) < 1$$

Note that $\lambda_i(I_N - c(L + D)) = 1 - c\lambda_i(L + D)$. Thus,

$$\rho(I_N - c(L + D)) < 1$$

As L is symmetric and D is diagonal, one has

$$\sigma_{\max}^2(I_N - c(L + D)) = \rho((I_N - c(L + D))^T (I_N - c(L + D))) = \rho^2(I_N - c(L + D)) < 1$$

By Theorem 3, the conclusion follows. This completes the proof.



The condition (33) is very simple. It indicates that quasi-synchronization can be achieved by pinning any l ≥ 1 nodes if the coupling strength c and the impulse interval h2 are appropriately chosen according to (33) and (34) under Assumption 3. In some cases, the impulse interval h2 may be very small, which means that impulse control will be frequently used. If there are some requirements on the impulse frequency for avoiding frequent use of impulse control, the pinned nodes and coupling strength c should be carefully selected. In the following, the coupling strengths and the selective pinning scheme are further examined in two cases: (i) h2 > 0 and (ii) h2 ≥ h¯ > 0.

2.2.1 Coupling Strength and Selective Pinning Scheme in the Case of h2 > 0

In this subsection, a criterion for choosing an appropriate coupling strength is established first, and then the pinning scheme is discussed when the network structure and coupling strength are fixed.

Corollary 3. Under Assumptions 1 and 3, the error system (5) with a symmetric network topology is said to be exponentially stable if there exist a matrix P > 0 and positive scalars α, κ, c, h2 , such that (28) and the following inequalities hold: 0 0

In this subsection, conditions for choosing an appropriate coupling strength are obtained first, and then the concept of impulse pinning controllability is introduced. Finally, the feedback gain is designed.

Corollary 4. Under Assumptions 1 and 3, the error system (5) with a symmetric network topology is said to be exponentially stable if there exist a matrix P > 0, a diagonal matrix D, and positive scalars α, κ, c, h2 , such that (28) and the following inequalities hold: αh2

λmin (L + D) 1 − e− 2 > αh2 λmax (L + D) 1 + e− 2 αh2

(39) αh2

1 + e− 2 1 − e− 2

λmax (L + D) λmin (L + D)

(40)

Therefore, there exists c satisfying (40). Based on (40), the following inequalities hold:

$$1 - c\lambda_{\max}(L+D) > -e^{-\alpha h_2/2} \tag{41}$$

$$1 - c\lambda_{\min}(L+D) < e^{-\alpha h_2/2} \tag{42}$$

It follows from Corollary 2 that

$$\rho(I_n - c(L+D)) < e^{-\alpha h_2/2} \tag{43}$$

Consequently,

$$\sigma_{\max}^2(I_n - c(L+D)) = \rho^2(I_n - c(L+D)) < e^{-\alpha h_2}$$

By Theorem 3, the conclusion holds. This completes the proof.



Remark 3. Corollaries 3 and 4 correspond to two different circumstances. Corollary 3 shows how to design the coupling strength c and the impulse interval h2 for a given pinning strategy. In other words, the pinning matrix D can be chosen freely subject to Assumption 2. As the design of c and h2 depends on D, no precondition on h2 is suitable, which corresponds to the case h2 > 0. On the other hand, Corollary 4 provides a way to design the coupling strength c and the pinning matrix D if the impulse interval h2 is determined first. In applications, a large h2 is preferred. The precondition h2 ≥ h̄ gives the basic guideline for the design of h2 . Compared with Corollary 3, some additional requirements on c and D, as presented in (39) and (40), are needed. Specifically, both the maximum and minimum eigenvalues of L + D are required for achieving synchronization. The eigenratio in (39) reflects the pinning controllability of a given network topology with a fixed h2 . The stability of (5) is sensitive to the pinning matrix and to a coupling strength that is either too large or too small. One has to carefully design the coupling strength c and the pinning matrix D. Pinning only one node may fail, which is different from Corollary 3.

2.3 Impulse Pinning Controllability

We now define the impulse pinning controllability for a symmetric network. In particular, given a network described by (5), we define the impulse pinning controllability in terms of the values of the coupling strength c, control matrix D, and impulse interval h2 required for achieving quasi-synchronization. The eigenratio

$$R = \frac{\lambda_{\min}(L+D)}{\lambda_{\max}(L+D)} \tag{44}$$

and the scalar function

$$\beta(h_2) = \frac{1 - e^{-\alpha h_2/2}}{1 + e^{-\alpha h_2/2}} \tag{45}$$

are two key indices which we use to define and also to evaluate the impulse pinning controllability. As β(h2 ) is an increasing function and

$$\lim_{h_2 \to 0} \frac{1 - e^{-\alpha h_2/2}}{1 + e^{-\alpha h_2/2}} = 0, \qquad \lim_{h_2 \to \infty} \frac{1 - e^{-\alpha h_2/2}}{1 + e^{-\alpha h_2/2}} = 1,$$

the lower the 1/R and h2 , the more easily the network is impulse pinning controllable. Recalling the fact that h2 ≥ h̄, to stabilize the network (5), R should at least be larger than

$$\frac{1 - e^{-\alpha \bar{h}/2}}{1 + e^{-\alpha \bar{h}/2}}$$

when h2 = h̄.

Remark 4. Sorrentino et al. (2007) proposed the concept of pinning controllability and gave numerical evidence of the usefulness of R as an index for evaluating the pinning controllability of networks without impulsive effects. It is interesting to note that the conclusion about the eigenratio R in this chapter is in accordance with Sorrentino et al. (2007). To the best of the authors’ knowledge, this is the first time that a definition of impulse pinning controllability and its evaluation indices has been given. Moreover, the proposed concept and corresponding results are also valid for homogeneous dynamic networks.

2.4 Pinning Feedback Gain

The conditions on the pinning feedback gain are now discussed. If l (1 ≤ l < N ) nodes are pinned and all the gains are identical, then based on Theorem III.2.1 (see Bhatia 1997, p. 62), one has

$$\frac{\lambda_{\min}(L+D)}{\lambda_{\max}(L+D)} \le \frac{\lambda_{\min}(L) + \lambda_{\max}(D)}{\lambda_{\max}(L) + \lambda_{\min}(D)} = \frac{d}{\lambda_{\max}(L)}$$

Therefore, by (39) and (45), the feedback gain should satisfy

$$\frac{d}{\lambda_{\max}(L)} > \beta(h_2)$$

namely,

$$d > \beta(h_2)\lambda_{\max}(L)$$

In the case that all the nodes are pinned with the same gain, that is, D = dIN , one has

$$\frac{\lambda_{\min}(L+D)}{\lambda_{\max}(L+D)} = \frac{\lambda_{\min}(L) + d}{\lambda_{\max}(L) + d} > \beta(h_2)$$

Thus, a necessary condition for the feedback gain is

$$d > \frac{\beta(h_2)}{1 - \beta(h_2)}\lambda_{\max}(L)$$

3 Network-Based Leader-Following Consensus of Homogenous Nonlinear Multi-agent Systems via Distributed Impulsive Control

In this section, a network-based control configuration is established, as shown in Fig. 1, where the sensor/actuator and an impulsive controller of each agent are remotely distributed and connected via a communication network. It is assumed that the sensor is clock-driven and both the controller and the buffers are event-driven. h is the sampling period. At t = t0 + kh, each agent’s information is sampled and transferred to its controller and other agents via a communication network. Buffer i is used to store received information until all the data for the controller ui is collected. Let $\tau^{sc}_{ijk}$, i = 1, . . . , N, j = 1, . . . , N + 1 be the communication delay between the sensor j and buffer i, where j = N + 1 denotes the sensor of the leader. Thus, the time from the instant t0 + kh when sensor i samples data from agent i to the instant when the controller i is ready is $\tau^{sc}_{ik} = \max\{\tau^{sc}_{ijk} \mid i = 1, \ldots, N,\ j = 1, \ldots, N+1\}$. As the controller information of each agent may arrive at the actuator at a different time, a common buffer n + 1 is employed to store all the controllers’ information to make all actuators operate at the same time. Let $\tau^{ca}_{ik}$, i = 1, . . . , N denote the delay from the controller i to buffer n + 1. Thus, the total delay from the sensor to the actuator for each agent can be defined as $\tau_k = \max\{\tau^{sc}_{ik} + \tau^{ca}_{ik},\ i = 1, \ldots, N\}$. Then, a network-based impulsive controller is given as

$$u_i(t) = \sum_{k=1}^{\infty} \Big[ -c \sum_{j=1}^{N} l_{ij} x_j(kh) - c d_i \big(x_i(kh) - s(kh)\big) \Big] \delta(t - t_k) \tag{46}$$

where tk = t0 + kh + τk , τmin = mink {τk |k ∈ N}, and τmax = maxk {τk |k ∈ N}.

Fig. 1 Network-based control configuration for multi-agent system (1)

Define the error state ei (t) = xi (t) − s(t). From (1), (2), and (46), we have the following error system:

$$\begin{cases} \dot{e}_i(t) = A e_i(t) + B g(e_i(t), s(t)), & t \in [t_{k-1}, t_k) \\ e_i(t_k) - e_i(t_k^-) = -c \sum_{j=1}^{N} l_{ij} e_j((t_k - \tau_k)^-) - c d_i e_i((t_k - \tau_k)^-) \end{cases} \tag{47}$$

where $e_i(t_k) = e_i(t_k^+) = \lim_{h \to 0^+} e_i(t_k + h)$, $e_i(t_k^-) = \lim_{h \to 0^-} e_i(t_k + h)$, e(t) is right-hand continuous at t = tk , and g(ei (t), s(t)) = f (ei (t) + s(t)) − f (s(t)).

Let $e(t) = (e_1^T(t), e_2^T(t), \ldots, e_N^T(t))^T$. We rewrite the error dynamics at the impulse instant t = tk in a matrix form as

$$e(t_k) = e(t_k^-) - c(L+D)\, e((t_k - \tau_k)^-) \tag{48}$$

where D = diag{d1 , d2 , . . . , dN }.

Assumption 4. h + τk+1 − τk > 0, ∀ k ∈ N

3.1 Leader-Following Consensus Criteria with Delayed Impulsive Control

In this subsection, a general sufficient consensus condition is derived first, and then several special cases are discussed. In the end, sufficient conditions on the design of the sampling period, coupling strength, and pinning matrix with allowable delays are given.

Theorem 4. Under Assumptions 1, 3, and 4, the error system (47) is exponentially stable if there exist a matrix P > 0 and positive scalars κ, α, ε, 0 < μ < 1 such that (28) and the following inequalities hold:




⎞ −(μ − εβ 2 )IN IN − c(L + D)T 0 2 = ⎝ c(L + D) ⎠ < 0 ∗ −IN ∗ ∗ −εIN

(49)

ln μ +α θ1 /μ. By Step 1, for t ∈ [t0 , t0 + τmax ), one has W (e(t)) = e0 (t−t0 −τmax ) V (t) < e0 (t−t0 −τmax ) θ1 V (t0 ) < μθ2 V (t0 ) Therefore, it only needs to be proven that W (e(t)) < θ2 V (t0 ) for t ∈ [t0 + τmax , tl0 +1 ). Suppose there exists t ∈ [t0 + τmax , tl0 +1 ) such that W (e(t)) ≥ θ2 V (t0 )

(60)

Let t ∗ = inf {t ∈ [t0 + τmax , tl0 +1 )|W (e(t)) ≥ θ2 V (t0 )} and tˆ = sup{t ∈ [t0 + τmax , t ∗ )|W (e(t)) ≤ μθ2 V (t0 )}. Then one has W (t ∗ ) = θ2 V (t0 ) and W (tˆ) = μθ2 V (t0 ). According to (28), there exists a sufficient small 0 > 0 such that 1 + diag{0 P , 0} < 0. Thus, W˙ (e(t)) = e0 (t−t0 −τmax ) [0 V (e(t)) + V˙ (e(t))] < αe0 (t−t0 −τmax ) V (e(t)) = αW (e(t))

(61)

It follows that

$$W(e(t^*)) < W(\hat{t})\, e^{\alpha(t^* - \hat{t})} \le \mu\theta_2 V(t_0)\, e^{\alpha h_2}$$

Based on (50), one has

$$W(e(t^*)) < \theta_2 V(t_0)$$

This is a contradiction with (60). Therefore, the inequality (59) holds. Second, assume that for some m ∈ N

$$W(e(t)) < \theta_2 V(t_0), \quad t \in [t_0, t_{l_0+m}) \tag{62}$$

We will prove that

$$W(e(t)) < \theta_2 V(t_0), \quad t \in [t_{l_0+m}, t_{l_0+m+1}) \tag{63}$$

Assume that

$$W(e(t_{l_0+m})) < \mu\theta_2 V(t_0) \tag{64}$$

holds. Then according to (61), for t ∈ [tl0 +m , tl0 +m+1 ),

$$W(e(t)) < W(e(t_{l_0+m}))\, e^{\alpha(t - t_{l_0+m})} < \mu\theta_2 V(t_0)\, e^{\alpha h_2} \le \theta_2 V(t_0)$$

Thus, in order to prove (63), one only needs to prove (64). Equivalently, V (e(tl0 +m )) < μθ2 V (t0 )e0 (tl0 +m −t0 −τmax )

(65)

Define $\tilde{e}(t^-_{l_0+m}) = e(t^-_{l_0+m}) - e((t_{l_0+m} - \tau_{l_0+m})^-)$; one has

$$e(t^+_{l_0+m}) = e(t^-_{l_0+m}) - c((L+D) \otimes I_n)\, e(t_{l_0+m} - \tau_{l_0+m}) = ((I_N - c(L+D)) \otimes I_n)\, e(t^-_{l_0+m}) + (c(L+D) \otimes I_n)\, \tilde{e}(t^-_{l_0+m}) \tag{66}$$

Let lˆ = inf {l|(l0 + m)h ≤ lh + τl < (l0 + m)h + τl0 +m , l ∈ N}. Therefore, there are l¯ = l0 + m − lˆ impulse in [tl0 +m − τl0 +m , tl0 +m ). They are tl0 +m−l¯, tl0 +m+1−l¯, . . . , tl0 +m−1 . Therefore, ˜ − ) e(t l0 +m =e(tl−0 +m ) − e(tl+0 +m−1 ) + e(tl−0 +m−1 ) − e(tl+0 +m−2 ) + · · · + e(tl−+m−l¯) − e((tl0 +m 0



− τl0 +m ) ) +

l¯  j =1

e(tl0 +m−j )

(67)


According to (62), one has (IN ⊗



P )e(t)2 < θ2 V (t0 )e−0 (t−t0 −τmax ) , t ∈ [t0 , tl0 +m )

Consequently, e(t)2
0, κ > 0, h2 > 0, 0 < μ < 1, i = 1, 2, . . . , N , such that 1i ≤ 2i

(99)

1i − 2i ≤ γi I

(100)




μP (tk− ) T P (tk+ ) P (tk+ ) P (tk+ )


>0

ln μ + α ≤ −r h2

(101)

(102)

where ⎛

⎞ Pi Ai + ATi Pi + P˙i + λmax (QT Q)κ Pi Bi Pi 1i = ⎝ ∗ −κI 0 ⎠ , ∗ ∗ −1i 2i = diag{αi Pi , 0, −2i }, P (t) = diag{P1 (t), P2 (t), . . . , PN (t)}, Q = (qij )n×n ,  = (IN − c(L + D)) ⊗ In , and α = max1≤i≤N {αi }. Proof. Choose a Lyapunov function as

$$V(e(t)) = \sum_{i=1}^{N} e_i^T(t) P_i(t) e_i(t) \tag{103}$$

For t ∈ [tk−1 , tk ), k = 1, 2, . . . , taking the derivative of V (e(t)) with respect to t along the trajectory of (96) yields

$$\dot{V}(e(t)) = \sum_{i=1}^{N} e_i^T(t)\big[\dot{P}_i e_i(t) + 2P_i A_i e_i(t) + 2P_i B_i g(e_i(t)) + 2P_i W_i(s(t))\big] \tag{104}$$

According to Assumption 1, for a positive constant κ > 0,

$$\lambda_{\max}(Q^T Q)\,\kappa\, e_i^T(t) e_i(t) - \kappa\, g^T(e_i(t)) g(e_i(t)) \ge 0 \tag{105}$$

Let $\xi_i(t) = [e_i^T(t), g^T(e_i(t)), W_i^T(s(t))]^T$. Then,

V (e(t)) ≤

N  [ξiT (t)1i ξi (t) + WiT (s(t))1i Wi (s(t))] i=1

(106)


From (99) and (100), one has V (e(t)) ≤

N  [αi eiT (t)Pi ei (t) + WiT (s(t))(1i − 2i )Wi (s(t))] i=1



N  [αeiT (t)Pi ei (t) + γi WiT (s(t))Wi (s(t))] i=1

≤ αV (e(t)) +

N 

γi ωi2

(107)

i=1

On the other hand, when t = tk , based on (96) and similar to Theorem 1, one has V (tk+ ) = eT (tk )P (tk+ )e(tk ) ≤ μeT (tk− )P (tk− )eT (tk− ) ≤ μV (tk− )

(108)

For any ε > 0, let υ(t) be the unique solution of the following impulsive comparison system: ⎧  2 ˙ = αυ(t) + N ⎨ υ(t) i=1 γi ωi + ε, t = tk + υ(t ) = μυ(tk ), k ∈ N ⎩ k ˆ i }e(0)2 υ(0) = max1≤i≤N {m

(109)

From Lemma 1 and the fact that V (0) ≤ υ(0) , it follows V (t) ≤ υ(t) for all t > 0. By the formula for variation of parameters, υ(t) can be expressed as  υ(t) = W (t, 0)υ(0) +



t

W (t, s) 0

N 

 γi ωi2



(110)

i=1

where W (t, s), 0 ≤ s ≤ t, is the Cauchy matrix of the linear impulsive system, satisfying 

W (t, s) = eα(t−s)

μ

s≤tk 0, P2 > 0, 1i > 0, 2i > 0, diagonal matrices D, and scalars αi , γi > 0, η > 0, κ > 0, r > 0, c > 0, h1 > 0, h2 > 0, μ1 , μ2 , 0 < μ < 1, i = 1, 2, . . . , N , such that ⎛

⎞ (1, 1, 1, j ) P1 Bi P1 ⎝ ⎠≤0 ∗ −κI 0 ∗ ∗ −(1i − 2i )

(113)

⎞ (2, 1, 1, j ) P2 Bi P2 ⎠≤0 ⎝ ∗ −κI 0 ∗ ∗ −(1i − 2i )

(114)

and ⎛

1i − 2i ≤ γi I P1 ≥ ηI ηI ≤ P2 ≤ μ1 P1 2 σmax (IN − c(L + D)) ≤ μ2

(115)

μ1 μ2 ≤ μ ln μ + α ≤ −r h2

(116)


where (1, 1, 1, j ) =P1 Ai + ATi P1 − αi P1 +

1 (P1 − P2 ) + κλmax (QT Q) hj

(2, 1, 1, j ) =P2 Ai + ATi P2 − αi P2 +

1 (P1 − P2 ) + κλmax (QT Q) hj

with j = 1, 2 and α = max1≤i≤N {αi }.

Proof. The proof is similar to that of Theorem 2 and is omitted here.

To further explore the roles of c, D and L and get feasible conditions, a constant matrix P̂ instead of P̄(t) is used. The corresponding result is summarized below.

Corollary 10. Under Assumptions 1 and 3, the trajectory of the error system (96) converges exponentially into a ball M, where

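$$M = \left\{ e \in \mathbb{R}^{n \times N} \;\middle|\; \|e\| \le \sqrt{\frac{\sum_{i=1}^{N} \gamma_i \omega_i^2}{-\eta\mu\left(\frac{\ln\mu}{h_2} + \alpha\right)}} \right\} \tag{117}$$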

if there exist matrices Pˆ > 0, 1i > 0, 2i > 0, diagonal matrices D, and scalars αi , γi > 0, η > 0, c > 0, κ > 0, h2 > 0, 0 < μ < 1, i = 1, 2, . . . , N, such that ⎛

⎞ Pˆ (1, 1) Pˆ Bi ⎝ ∗ −κI ⎠ 0, 2i > 0, a diagonal matrix  > 0, and scalars αi , γi > 0, η > 0, c > 0, h2 > 0, 0 < μ < 1, i = 1, 2, . . . , N , such that (119), (120), (121) and




⎞ (1, 1) Pˆ Bi Pˆ ⎝ ∗ − ⎠ 0, 1i > 0, 2i > 0, diagonal matrices  > 0, D, and scalars αi , γi > 0, κ > 0, η > 0, c > 0, h2 > 0, 0 < μ < 1, i = 1, 2, . . . , N , such that (118)–(119) and the following inequalities hold: cλmax (L + D) < 2

(123)

ln μ +α 0 Corollary 13. Under Assumptions 1 and 3, the trajectory of the error system (96) with a symmetric network topology converges exponentially into a ball M, defined by ⎫ ⎧ & ' N ⎨ 2 ⎬ ' γ ω i=1 i i M = e ∈ Rn×N e ≤ ( ⎩ −ημ( lnh2μ + α) ⎭ if there exist matrices Pˆ > 0, 1i > 0, 2i > 0, a diagonal matrix  > 0, and scalars αi , γi > 0, η > 0, κ > 0, c > 0, h2 > 0, 0 < μ < 1, i = 1, 2, . . . , N , such that (118)–(119) and the following inequalities hold: 0 0 Corollary 14. Under Assumptions 1 and 3, the trajectory of the error system (96) with a symmetric network topology converges exponentially into a ball M, defined by

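$$M = \left\{ e \in \mathbb{R}^{n \times N} \;\middle|\; \|e\| \le \sqrt{\frac{\sum_{i=1}^{N} \gamma_i \omega_i^2}{-\eta\mu\left(\frac{\ln\mu}{h_2} + \alpha\right)}} \right\}$$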

if there exist matrices Pˆ > 0, 1i > 0, 2i > 0, diagonal matrices  > 0, D, and scalars αi , γi > 0, η > 0, κ > 0, c > 0, 0 < μ < 1, i = 1, 2, . . . , N, such that (118)–(119) and the following inequalities hold: αh2

1 − e− 2 λmin (L + D) > αh2 λmax (L + D) 1 + e− 2 αh2

(127) αh2

1 + e− 2 1 − e− 2 0 in (129) and (130) is replaced by h2 ≥ h. The following modified optimization problem

ln μ max − μ +α (132) μ,h2 h2 subject to

ln μ +α 0, 2i > 0, diagonal matrices D, and scalars αi , c > 0, κ > 0, h2 > 0, i = 1, 2, . . . , N, such that ⎛

(1, 1) ⎝ ∗ ∗

⎞ Pˆ Bi Pˆ ⎠ 0, 1i > 0, 2i > 0, a diagonal matrix D, and scalars αi , c > 0, κ > 0, h2 > 0, i = 1, 2, . . . , N, such that (134)–(135) hold and 1 0 < h2 ≤ W α



αe−1 σ

(138)

(1+αh2 )

λmin (L + D) 1 − e− 2 ≥ (1+αh2 ) λmax (L + D) 1 + e− 2 (1+αh2 )

(139)

(1+αh2 )

1 + e− 2 1 − e− 2 c= or λmax (L + D) λmin (L + D)

(140)

where α = max1≤i≤N {αi }, and W (z) is the Lambert W function satisfying z = W (z)eW (z) . Now, the design procedure is summarized as follows.

Algorithm 2: Design algorithm
Step 1: Initialize the system parameters Ai , Bi , A, B, h, ¯ and ωi , i = 1, 2, . . . , N . Set error bound parameters γi , η, σ ;
Step 2: Find feasible solutions αi by solving the generalized eigenvalue problem subject to (118)–(119). Set α = max1≤i≤N {αi };
Step 3: Calculate h̄ = σ1 W ( σαe ); Choose h2 ≤ h̄ and $\mu = e^{-(1+\alpha h_2)}$;
Step 4: Choose an appropriate D and c satisfying $\sigma_{\max}^2(I_N - c(L+D)) = \mu$.

For a symmetric network, based on Corollary 15, Step 4 can be replaced by Step 3 in Algorithm 1.

4.4 Numerical Simulations

Consider a network consisting of three Chua’s circuits described by

$$\dot{x}_i(t) = A_i x_i(t) + B_i f(x_i(t)), \quad i = 1, 2, 3 \tag{141}$$

where $x_i(t) = (x_{i1}(t), x_{i2}(t), x_{i3}(t))^T$, $f(x_i(t)) = (0.5(|x_{i1}+1| - |x_{i1}-1|), 0, 0)^T$, and

$$A_1 = \begin{bmatrix} -2.5 & 10 & 0 \\ 1 & -1 & 1 \\ 0 & -18 & -0.5 \end{bmatrix}, \quad B_1 = \begin{bmatrix} \frac{35}{6} & 0 & 0 \\ 0 & 0 & 0 \\ 0 & 0 & 0 \end{bmatrix},$$

$$A_2 = \begin{bmatrix} -2.5 & 10 & 0 \\ 1 & 1 & 1 \\ 0 & -18 & 0.3 \end{bmatrix}, \quad B_2 = \begin{bmatrix} \frac{29}{6} & 0 & 0 \\ 0 & 0 & 0 \\ 0.1 & 0 & 0 \end{bmatrix},$$

$$A_3 = \begin{bmatrix} -2.6 & 10 & 0 \\ 1 & -0.9 & 1 \\ 0 & -23 & 0 \end{bmatrix}, \quad B_3 = \begin{bmatrix} \frac{35}{6} & 0 & 0 \\ 0 & 0 & 0 \\ 0 & 0 & 0 \end{bmatrix}$$

The dynamics of the leader s(t) satisfies

$$\dot{s}(t) = A s(t) + B f(s(t)) \tag{142}$$

with

$$A = \begin{bmatrix} -2.5 & 10 & 0 \\ 1 & -1 & 1 \\ 0 & -18 & 0 \end{bmatrix}, \quad B = \begin{bmatrix} \frac{35}{6} & 0 & 0 \\ 0 & 0 & 0 \\ 0 & 0 & 0 \end{bmatrix}$$

Assume that the network is connected and the Laplacian matrix L is

$$L = \begin{bmatrix} 1 & -1 & 0 \\ -1 & 2 & -1 \\ 0 & -1 & 1 \end{bmatrix}$$

In addition, by simulation, one gets ω1 = 3.1301, ω2 = 2.0597, ω3 = 4.0934 defined by (98). Figure 7 shows the trajectories of s(t) and the three Chua’s circuits, which are chaotic, stable, unstable, and periodic, respectively. Figure 8 depicts the evolution of e(t). One can see that the consensus error goes to infinity at an approximately exponential rate without impulsive control.

Example 3 (bounded consensus without constraint on h2 ). Let D = diag{0, 0, 2}. Agent 3 is pinned. Then, λmax (L + D) = 3.7321. Hence, according to Corollary 13, c < 0.5359. Let c = 0.5. It is found that ρ(I3 − c(L + D)) = 0.8660. As Assumption 2 is satisfied, (118) is replaced by (122) in Corollary 10. Choosing γ1 = 0.46, γ2 = 0.46, γ3 = 0.46, η = 30 and solving the generalized eigenvalue problem (119) and (122) yield α = 89.2542. From (126), one obtains h2 < 0.0032. Set h2 = 0.002. Consequently, the error bound is 0.1074. Figure 9 compares the derived error bound with the true error evolution, whose maximum error is 0.0919. The results show that the bounded consensus criterion is very effective. On the other hand, Fig. 10 depicts the evolution of the error system with c = 0.54, from which one can see that a small increase in the coupling strength (compared with the threshold value 0.5359) results in an exponential divergence of the error, which confirms that a large coupling strength will destroy consensus.

Fig. 7 Trajectories of s(t) and x1 (t), x2 (t), and x3 (t). Panels: (1) s(t), s2(t) versus s1(t); (2) Node 1, x12(t) versus x11(t); (3) Node 2, x22(t) versus x21(t); (4) Node 3, x32(t) versus x31(t)

Example 4 (bounded consensus with constraint on h2 ). To reduce the control cost, assume that the maximal impulse interval h2 ≥ 0.02. According to Corollary 14 and following the first two steps in Algorithm 1, one obtains γ1 = 0.64, γ2 = 0.67, γ3 = 0.69, η = 32 and α = 69.7507 with (122) used. Take h2 = 0.02. By (127), the impulse pinning controllability should satisfy R > 0.3353. The pinning matrix in Example 3 fails to work. Now choose D = diag{3, 0.5, 3}. One obtains R = 0.3400. The condition (127) holds. Based on (128), it follows that 0.3045 < c < 0.3088. To verify the effectiveness of the error bound, the error bound is compared with the simulated one as c changes over the interval (0.3045, 0.3088). Figure 11 depicts the theoretical error bounds and the corresponding simulated ones obtained by taking the maximal 2-norm value of the errors from t = 5 to t = 30 with c ∈ (0.3045, 0.3088). It shows that the theoretical error bound has a relatively larger value than the maximum error.

To minimize the gap, the proposed optimized method is used. According to Algorithm 1, the impulse pinning controllability should satisfy R ≥ 0.5362. The above new pinning matrix does not work either. Thus, one has to reset the pinning matrix. Let D = diag{3.5, 3.1, 3.5}. By simple calculation, R = 0.5371. According to (128), 0.1497 < c < 0.2398. The optimized coupling strength is c = 0.2081 or c = 0.2085. Figure 12 depicts theoretical error bounds and the corresponding simulated ones. Compared with Fig. 11, the bounding performance is significantly improved. Figure 13 gives the simulation result of the error signal with c = 0.2081, from which one can see that the followers and the leader s(t) achieve bounded consensus with the error bound 0.3675.

Fig. 8 e(t) on logarithmic scale without impulsive control (axes: ||e(t)|| versus t)

Fig. 9 e(t) on logarithmic scale with c = 0.5 in Example 3 (axes: ||e(t)|| versus t; plot annotations: error bound 0.1074, 0.0919)

Fig. 10 e(t) on logarithmic scale with c = 0.54 in Example 3 (axes: ||e(t)|| versus t)

Fig. 11 Comparison between theoretical error bounds and simulated ones with c ∈ (0.3045, 0.3088) in Example 4 (horizontal axis: c; legend: estimated error bound, simulated error bound)

Fig. 12 Comparison between theoretical error bounds and simulated ones with c ∈ [0.1497, 0.2398] in Example 4 (horizontal axis: c; legend: estimated error bound, simulated error bound)

Fig. 13 e(t) on logarithmic scale with c = 0.2081 in Example 4 (axes: ||e(t)|| versus t; plot annotations: error bound 0.3675, 0.1312)

Example 5 (Controller design with a prescribed error bound). Let γ1 = 1, γ2 = 1, γ3 = 1, σ = 20, η = 38.4615. It is easy to find the error bound to be 0.2. Solving (122), (135) yields α = 61.4336. According to (138), h2 = 0.01. By simple calculation, μ = e−(1+αh2 ) = 0.1994. By (139), the impulse pinning controllability index R ≥ 0.3826. Note that D = diag{3, 0.5, 3} in Example 4 does not work. By increasing the feedback gain of the second agent to be D = diag{3, 0.9, 3}, one obtains R = 0.3891. Based on (140), one has c = 0.2864 or c = 0.2912. The simulation result of the error signal with c = 0.2864 is illustrated in Fig. 14. One can see that the followers and the leader s(t) achieve consensus within the prescribed error bound 0.2, which shows that the design method is effective.

Fig. 14 e(t) on logarithmic scale with c = 0.2864 in Example 5 (axes: ||e(t)|| versus t; plot annotations: error bound 0.2, 0.0525)
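The eigenvalue checks behind Examples 3 and 4 (the eigenratio R, the index β(h2), the admissible coupling interval, and the radius of the ball M) can be reproduced numerically. The Python below is an added example, not code from the chapter: the function names are assumptions, the inputs are the values quoted in the examples, μ is taken as ρ²(I − c(L + D)) for the symmetric case, and the h2 limit is the rearrangement of ρ(I − c(L + D)) < e^{−αh2/2}.

```python
import math

# Values quoted in Section 4.4 of the chapter (Laplacian L and omega_i).
L_CHUA = [[1.0, -1.0, 0.0], [-1.0, 2.0, -1.0], [0.0, -1.0, 1.0]]
OMEGAS = [3.1301, 2.0597, 4.0934]


def sym_eigenvalues(M, tol=1e-13, max_sweeps=50):
    """Eigenvalues (ascending) of a real symmetric matrix via cyclic Jacobi rotations."""
    n = len(M)
    A = [[float(v) for v in row] for row in M]
    for _ in range(max_sweeps):
        off = math.sqrt(sum(A[i][j] ** 2 for i in range(n) for j in range(n) if i != j))
        if off < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if A[p][q] == 0.0:
                    continue
                # Small-angle rotation that zeroes A[p][q].
                tau = (A[q][q] - A[p][p]) / (2.0 * A[p][q])
                t = math.copysign(1.0, tau) / (abs(tau) + math.sqrt(1.0 + tau * tau))
                c = 1.0 / math.sqrt(1.0 + t * t)
                s = t * c
                for k in range(n):  # columns p, q of A*J
                    akp, akq = A[k][p], A[k][q]
                    A[k][p], A[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):  # rows p, q of J^T*(A*J)
                    apk, aqk = A[p][k], A[q][k]
                    A[p][k], A[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return sorted(A[i][i] for i in range(n))


def eig_l_plus_d(L, d):
    """Eigenvalues of L + D for a symmetric Laplacian L and D = diag(d)."""
    n = len(L)
    return sym_eigenvalues(
        [[L[i][j] + (d[i] if i == j else 0.0) for j in range(n)] for i in range(n)]
    )


def beta(alpha, h2):
    """Scalar index (45): (1 - e^{-alpha*h2/2}) / (1 + e^{-alpha*h2/2})."""
    x = math.exp(-0.5 * alpha * h2)
    return (1.0 - x) / (1.0 + x)


def fixed_interval_design(L, d, alpha, h2):
    """Case h2 >= h_bar: eigenratio test R > beta(h2) and the interval for c."""
    lam = eig_l_plus_d(L, d)
    x = math.exp(-0.5 * alpha * h2)
    R = lam[0] / lam[-1]
    b = beta(alpha, h2)
    return {"R": R, "beta": b, "controllable": R > b,
            "c_low": (1.0 - x) / lam[0], "c_high": (1.0 + x) / lam[-1]}


def free_interval_design(L, d, c, alpha):
    """Case h2 > 0: for given D and c, spectral radius and the limit on h2."""
    lam = eig_l_plus_d(L, d)
    rho = max(abs(1.0 - c * v) for v in lam)
    if rho >= 1.0:
        h2_max = 0.0          # c * lambda_max >= 2: the impulses do not contract
    elif rho == 0.0:
        h2_max = math.inf
    else:
        h2_max = -2.0 * math.log(rho) / alpha
    return {"c_max": 2.0 / lam[-1], "rho": rho, "h2_max": h2_max}


def error_bound(gammas, omegas, eta, mu, h2, alpha):
    """Radius of the ball M: sqrt(sum(gamma_i*omega_i^2) / (-eta*mu*(ln(mu)/h2 + alpha)))."""
    rate = math.log(mu) / h2 + alpha
    if rate >= 0.0:
        raise ValueError("ln(mu)/h2 + alpha must be negative")
    return math.sqrt(sum(g * w * w for g, w in zip(gammas, omegas)) / (-eta * mu * rate))


if __name__ == "__main__":
    ex3 = free_interval_design(L_CHUA, [0, 0, 2], c=0.5, alpha=89.2542)
    print("Example 3:", ex3)
    print("  bound:", error_bound([0.46] * 3, OMEGAS, 30, ex3["rho"] ** 2, 0.002, 89.2542))
    print("  c = 0.54:", free_interval_design(L_CHUA, [0, 0, 2], 0.54, 89.2542))
    for d in ([0, 0, 2], [3, 0.5, 3], [3.5, 3.1, 3.5]):
        print("Example 4, D =", d, fixed_interval_design(L_CHUA, d, 69.7507, 0.02))
```

With c = 0.54 the spectral radius exceeds 1, which is the numerical counterpart of the divergence shown in Fig. 10.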

5 Conclusion

Leader-follower consensus of nonlinear multi-agent systems in homogenous networks and in heterogenous networks is studied by applying distributed impulsive control. Firstly, the leader-follower consensus problem in homogenous networks is considered, and the relationship among the impulse interval, coupling strength, and pinning control matrix is well explored. Secondly, the problem is extended to the network-based consensus case with delayed impulsive control. On the one hand, the negative effect of network-induced delays is discussed. On the other hand, the problem of how to design the impulse interval, pinning matrix, and coupling strength in the case of distributed delayed impulsive control is addressed. Thirdly, bounded consensus is studied in a leader-follower heterogenous network. How to obtain a tight error bound, design the coupling strength, select the pinned nodes, and determine the impulse intervals so as to optimize the error bound or to achieve bounded consensus within a prescribed error bound is well investigated.

6 Notes

The results in this chapter are based mainly on He et al. (2015, 2017). There was a minor error in dealing with the nonlinear function in He et al. (2015, 2017). By replacing  with κI in the LMIs in He et al. (2015, 2017), the problem can be easily fixed, as shown in this chapter, where the same correct simulations are shown again. Acknowledgment is given to ©2015 Elsevier. Reprinted with permission from James Lam and Jürgen Kurths, “Quasi-synchronization of heterogenous dynamic networks via distributed impulsive control: error estimation, optimization and design,” Automatica, vol. 62, pp. 249–262, 2015.

References

R. Bhatia, Matrix Analysis (Springer, New York, 1997)
Y. Cao, W. Yu, W. Ren, G. Chen, An overview of recent progress in the study of distributed multi-agent coordination. IEEE Trans. Ind. Inf. 9(1), 427–438 (2013)
W. Chen, W. Zheng, Exponential stability of nonlinear time-delay system with delayed impulse effects. Automatica 47(5), 1075–1083 (2011)
T. Chen, X. Liu, W. Lu, Pinning complex networks by a single controller. IEEE Trans. Circuits Syst. I: Reg. Pap. 54(6), 1317–1326 (2007)
Y. Chen, W. Yu, F. Li, S. Feng, Synchronization of complex networks with impulsive control and disconnected topology. IEEE Trans. Circuits Syst. II: Express Briefs 60(5), 292–296 (2013a)
W. Chen, D. Wei, W. Zheng, Delayed impulsive control of Takagi–Sugeno fuzzy delay systems. IEEE Trans. Fuzzy Syst. 21(3), 516–526 (2013b)
L. Ding, P. Yu, Z. Liu, Z. Guan, G. Feng, Consensus of second-order multi-agent systems via impulsive control using sampled hetero-information. Automatica 49(9), 2881–2886 (2013)
Z. Guan, Z. Liu, G. Feng, Y. Wang, Synchronization of complex dynamical networks with time-varying delays via impulsive distributed control. IEEE Trans. Circuits Syst. I: Reg. Pap. 57(8), 2182–2195 (2010)
Z. Guan, Z.W. Liu, G. Feng, M. Jian, Impulsive consensus algorithms for second-order multi-agent networks with sampled information. Automatica 48(7), 1397–1404 (2012)
G. Guo, Linear systems with medium-access constraint and Markov actuator assignment. IEEE Trans. Circuits Syst. I: Reg. Pap. 57(11), 2999–3010 (2010)
G. Guo, Z. Lu, Q.-L. Han, Control with Markov sensors/actuators assignment. IEEE Trans. Autom. Control 57(7), 1799–1804 (2012)
W. He, F. Qian, J. Lam, G. Chen, Q.-L. Han, J. Kurths, Quasi-synchronization of heterogenous dynamic networks via distributed impulsive control: error estimation, optimization and design. Automatica 62, 249–262 (2015)
W. He, G. Chen, Q.-L. Han, F. Qian, Impulsive consensus for complex dynamical networks with nonidentical nodes and coupling time-delays. Inf. Sci. 380, 145–158 (2017)
T. Huang, C. Li, X. Liao, Synchronization of a class of coupled chaotic delayed systems with parameter mismatch. Chaos 17(3), 033121 (2007)
H. Hu, A. Liu, Q. Xuan, L. Yu, G. Xie, Second-order consensus of multi-agent systems in the cooperation–competition network with switching topologies: a time-delayed impulsive control approach. Syst. Control Lett. 62(12), 1125–1135 (2013)
A. Jadbabaie, J. Lin, A.S. Morse, Coordination of groups of mobile autonomous agents using nearest neighbor rules. IEEE Trans. Autom. Control 48(6), 988–1001 (2003)
X. Jiang, Q.-L. Han, S. Liu, A. Xue, A new stabilization criterion for networked control systems. IEEE Trans. Autom. Control 53(4), 1025–1032 (2008)
A. Khadra, X. Liu, X. Shen, Analyzing the robustness of impulsive synchronization coupled by linear delayed impulses. IEEE Trans. Autom. Control 54(4), 923–928 (2009)
F. Lian, W. Moyne, D. Tilbury, Network design consideration for distributed control systems. IEEE Trans. Control Syst. Technol. 10(2), 297–307 (2002)
H. Li, X. Liao, T. Huang, Y. Wang, Q.-L. Han, T. Dong, Algebraic criteria for second-order global consensus in multi-agent networks with intrinsic nonlinear dynamics and directed topologies. Inf. Sci. 259, 25–35 (2014)
B. Liu, D. Hill, Impulsive consensus for complex dynamical networks with nonidentical nodes and coupling time-delays. SIAM J. Control Optim. 49(2), 315–338 (2011)
B. Liu, X. Liu, G. Chen, H. Wang, Robust impulsive synchronization of uncertain dynamical networks. IEEE Trans. Circuits Syst. I: Reg. Pap. 52(7), 1431–1441 (2005)
W. Lu, X. Li, Z. Rong, Global stabilization of complex networks with digraph topologies via a local pinning algorithm. Automatica 46(1), 116–121 (2010a)
J. Lu, D.W.C. Ho, J. Cao, A unified synchronization criterion for impulsive dynamical networks. Automatica 46(7), 1215–1221 (2010b)
J. Lu, J. Kurths, J. Cao, N. Mahdavi, C. Huang, Synchronization control for nonlinear stochastic dynamical networks: pinning impulsive strategy. IEEE Trans. Neural Netw. Learn. Syst. 23(2), 285–292 (2012)
C. Peng, Q.-L. Han, A novel event-triggered transmission scheme and l2 control co-design for sampled-data control systems. IEEE Trans. Autom. Control 58(10), 2620–2626 (2013)
C. Peng, Q.-L. Han, D. Yue, To transmit or not to transmit: a discrete event-triggered communication scheme for networked takagi-sugeno fuzzy systems. IEEE Trans. Fuzzy Syst. 21(1), 164–170 (2013)
Q. Song, F. Liu, J. Cao, W. Yu, M-matrix strategies for pinning-controlled leader-following consensus in multiagent systems with nonlinear dynamics. IEEE Trans. Cybern. 43(6), 1688–1697 (2013)
F. Sorrentino, M. Di Bernardo, F. Garofalo, G. Chen, Controllability of complex networks via pinning. Phys. Rev. E 75(4), 046103 (2007)
H. Su, M.Z.Q. Chen, J. Lam, Z. Lin, Semi-global leader-following consensus of linear multi-agent systems with input saturation via low gain feedback. IEEE Trans. Circuits Syst. I: Reg. Pap. 60(7), 1881–1889 (2013)
Y. Tang, Z. Wang, J. Fang, Controller design for synchronization of an array of delayed neural networks using a controllable probabilistic pso. Inf. Sci. 181, 4715–4732 (2011)
T. Yang, Impulsive Control Theory (Springer, Berlin, 2001)
Z. Yang, D. Xu, Stability analysis and design of impulsive control systems with time delay. IEEE Trans. Autom. Control 52(8), 1448–1454 (2007)
W. Yu, G. Chen, J. Lü, On pinning synchronization of complex dynamical networks. Automatica 45(2), 429–435 (2009)
H. Zhang, J. Zhou, Distributed impulsive consensus for second-order multi-agent systems with input delays. IET Control Theory Appl. 7(16), 1978–1983 (2013)
W. Zhang, Y. Tang, Q. Miao, J. Fang, Synchronization of stochastic dynamical networks under impulsive control with time delays. IEEE Trans. Neural Netw. Learn. Syst. 25(10), 1758–1768 (2014a)
W. Zhang, Y. Tang, X. Wu, J. Fang, Synchronization of nonlinear dynamical networks with heterogeneous impulses. IEEE Trans. Circuits Syst. I: Reg. Pap. 61(4), 1220–1228 (2014b)

Impulsive Control of Multi-agent Systems with Partial Information

34

Ming-Feng Ge, Zhi-Wei Liu, and Li Ding

Contents 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1 Mathematical Notations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2 Algebraic Graph Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.3 Preliminaries on Matrix Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Problems Formulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Impulsive Controller Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Consensus Under Identical Impulsive Period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.1 Consensus Analysis of System (7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.2 Consensus Analysis of System (8) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.3 Performance Optimization of Convergence Speed . . . . . . . . . . . . . . . . . . . . . . . . . . 5.4 Performance Optimization of Decay Rate of Error Energy . . . . . . . . . . . . . . . . . . . 6 Consensus Under Time-Varying Impulsive Period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1 Examples for Consensus Under Identical Impulsive Period . . . . . . . . . . . . . . . . . . 7.2 Examples for Consensus Under Time-Varying Impulsive Period . . . . . . . . . . . . . . 8 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1074 1077 1077 1077 1079 1081 1083 1084 1084 1087 1089 1090 1093 1098 1098 1103 1105 1106

M.-F. Ge
School of Mechanical Engineering and Electronic Information, China University of Geosciences, Wuhan, China

Z.-W. Liu
School of Artificial Intelligence and Automation, Huazhong University of Science and Technology, Wuhan, China
Key Laboratory of Image Processing and Intelligent Control, Ministry of Education, Huazhong University of Science and Technology, Wuhan, China

L. Ding
School of Electrical Engineering and Automation, Wuhan University, Wuhan, China

© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_18


M.-F. Ge et al.

Abstract Impulsive control of multi-agent systems has recently been widely studied by researchers from different areas because of its inherent characteristics, including sampled-data communications, fast convergence rate, and low maintenance costs. On the other hand, in many real-world applications, only partial information is available for controller design because of limitations in the measurement or communication of practical multi-agent systems. This chapter provides the fundamental representations that are most generally invoked in impulsive control of multi-agent systems with partial information. Based on these representations and using only partial information of the system states, it then provides several recently designed impulsive control algorithms that solve multi-agent consensus problems in the following cases: position-only measurement, sampled-data communications, and switching directed communication graphs. The general analysis and comparison studies of the presented impulsive control algorithms are introduced correspondingly. To summarize, the objective of this chapter is to present the common tools, basic concepts, and a wider overview of impulsive control algorithms that aim to regulate real-time multi-agent systems when only partial information is accessible.

1 Introduction

A team of interconnected agents that aims to achieve one or several global tasks, which cannot be accomplished by any single agent but can be addressed by regulating the cooperative collective behaviors of the whole team, is called a multi-agent system. In recent years, research on multi-agent systems has mainly concentrated on the generation mechanism and the practical implementation of such cooperative collective behaviors, for instance, flocking, swarming, and formation. Furthermore, in numerous practical applications of cooperative collective behaviors, agents exchange information with their neighbors and update their states based on that information so that the states of all agents finally reach an agreement on a specific quantity of interest, which is referred to as consensus. Consensus problems, which aim to design local protocols for achieving consensus of multi-agent systems, have been widely investigated because of their broad applications, including cooperative control of mobile robots, coordination of multi-fingered hands, scheduling of automated highway systems, formation control of multiple vehicles, distributed Kalman filtering in wireless sensor networks, attitude alignment of satellite clusters, and load balancing in parallel computers (Bullo et al. 2009; Ge et al. 2016a, b, c, 2017; Liu et al. 2012; Ding et al. 2013; Guan et al. 2010; Carli et al. 2008; Kashyap et al. 2007), etc. Moreover, multi-agent systems have been investigated with different special features, including communication delays (Olfati-Saber and Murray 2004; Fang et al. 2012; Liu et al. 2011a), switching topologies (Moreau 2005), asynchronous algorithms (Xiao and Wang 2008), nonlinear algorithms (Lin et al. 2007; Hui and Haddad 2009), quantized data (Kashyap et al. 2007), noisy communication channel (Huang and Manton 2009), second-order model (Ren 2008; Lin and Jia 2009), optimal consensus (Semsar-Kazerooni and Khorasani 2010), noises in transmission channels (Liu et al. 2011b), limited communication data rate (Li et al. 2011b), nonlinear dynamics (Li et al. 2012; Qing et al. 2010; Yu et al. 2011b), etc. This has motivated research on different types of consensus problems, including leader-following consensus (Song et al. 2010), finite-time (Li et al. 2011a; Wang and Xiao 2010) and asynchronous consensus (Xiao and Wang 2008), average consensus (Zhu and Martínez 2010), second-order or high-order consensus (Yu et al. 2010a, b; Hu and Lin 2010; He and Cao 2011; Yu et al. 2011a), etc.

Most of the aforementioned work focused on continuous-time multi-agent systems with continuous communications. However, in many real-world multi-agent systems, communications among agents may occur discretely and periodically rather than continuously. Therefore, it is, in some sense, more practical to consider continuous-time multi-agent systems with sampled-data communications (i.e., only sampled information is exchanged). In Tao and Feng (2009), Cao and Ren (2010a), Ren and Beard (2005), Zhang and Tian (2010), Liu et al. (2010), and Gao and Wang (2010), consensus problems were addressed for continuous-time multi-agent systems with sampled-data settings. However, all of that work assumes an equidistant sampling interval, and thus those results cannot be directly applied to systems whose sampling interval length is time-varying or nonidentical. Consequently, more effort should be devoted to the consensus problem of multi-agent systems with aperiodic sampling intervals.

In addition, the existing work also assumes that each agent can obtain the complete information of its neighbors' states. However, in some cases, only partial information of the system states is available because of specific measurement limitations or communication constraints. It is, to some degree, more practical to realize consensus by utilizing partial information of the system states. Hong et al. (2006) investigated the leader-following consensus of multi-agent systems without using the leader's velocity. In Ren (2008), the consensus problem of second-order multi-agent systems in undirected networks with fixed topology was investigated, where each agent can only obtain its positions relative to its neighbors. Gao et al. (2009a) considered the consensus problem of multi-agent systems with time-delay, where each agent can only obtain the measurements of its position relative to its neighbors. Yu et al. (2011c) proposed a consensus protocol using both continuous and sampled position data without using any velocity information of agents. However, all of the work mentioned above (Ren 2008; Hong et al. 2006; Gao et al. 2009a; Yu et al. 2011c) requires continuous communications among agents, which cannot be realized in some applications.

Nowadays, owing to the development of digital sensors and the constraints on the transmission bandwidth of networks, sampling and impulsive control methods have been developed and widely applied to solve the consensus problem. In most of the work dealing with sampling or impulsive control consensus, it is assumed that each agent can obtain the information of the full states (Gao and Wang 2011; Gao et al. 2009b). However, in some situations, part of the information may be unobtainable because of technology limitations or communication constraints. In particular, in real-world applications, the velocity states of agents are sometimes unavailable because of sensor faults and communication constraints, so that only position information can be invoked in designing consensus algorithms. Therefore, consensus algorithms using only position information have been developed and analyzed recently (Liu et al. 2012; Yu et al. 2011c; Hong et al. 2008; Ren 2008). However, it is obviously more practical and challenging to solve the consensus problem utilizing partial information. Thus, the focus of this chapter is on introducing the development and analysis of impulsive control algorithms that aim to achieve consensus for multi-agent systems with partial information.

On the other hand, another challenging point is analyzing the effect of the sampling period and the impulsive period on the stability and performance enhancement of consensus for multi-agent systems. In Liu et al. (2012), an impulsive consensus algorithm was proposed in which the current position data of an agent's neighbors and the past position data of its own state were utilized. In Yu et al. (2011c), a hybrid control algorithm was considered in which both current and sampled position data of an agent's neighbors were utilized. In the aforementioned literature, some sufficient or necessary and sufficient conditions for consensus were obtained. However, an explicit expression (e.g., an upper bound) of the impulsive period or sampling period for consensus was not provided, which is the focus of the results introduced here.

In this chapter, some recent results on the consensus of continuous-time second-order multi-agent systems with fixed and switching topology are introduced and summarized. These results were developed based on the impulsive control strategies proposed in Guan et al. (2000, 2005) and provide some useful impulsive consensus algorithms that can deal with the consensus problem of multi-agent systems in two kinds of cases: the cases in which communications among agents only occur at sampling instants and each agent can only obtain the relative positions to its neighbors and the relative position to its own state at the previous sampling instant, and the cases in which the sampling period is time-varying, the communication graph has a directed spanning tree jointly, and only position information can be accessed (i.e., partial information). Correspondingly, for the introduced impulsive consensus algorithms, several sufficient and necessary (or sufficient) conditions for consensus of the multi-agent system are derived via strict mathematical analysis. Furthermore, the results provided in this chapter make the following contributions to the multi-agent control field. First, they provide the explicit impulsive period for achieving second-order consensus and illustrate that, for general directed networks with the proposed algorithms, the impulsive period is restricted not only by an upper bound but also by a lower bound. Second, they solve the convergence performance optimization problem and reveal the relationship between topology structure, impulsive period, and convergence performance based on the analysis of convergence speed and the decay factor of error energy.

This work was supported by the National Natural Science Foundation of China under Grants 61673303, 61703374, and 61873194.

34 Impulsive Control of Multi-agent Systems with Partial Information

2 Preliminaries

In this part, some basic concepts, mathematical notations, and related results, which will be used throughout this chapter, are introduced. We begin with the mathematical notations.

2.1 Mathematical Notations

Here we introduce the notations that will be used throughout this chapter. Let $\mathbb{R}$ be the set of real numbers, $\mathbb{N} = \{1, 2, 3, \dots\}$, and let $\mathbb{R}^n$ denote the set of real vectors of dimension $n$. Given a complex number $\lambda \in \mathbb{C}$, $\mathrm{Re}(\lambda)$, $\mathrm{Im}(\lambda)$, and $|\lambda|$ denote the real part, the imaginary part, and the modulus of $\lambda$, respectively; $\mathrm{i}$ denotes the imaginary unit. $I_n$ is the identity matrix of order $n$ (or simply $I$ if no confusion arises), $1_n = [1, 1, \dots, 1]^T \in \mathbb{R}^n$, and $0_{n\times m}$ denotes the $n \times m$ matrix whose elements are all equal to zero. $\rho(\cdot)$ and $\det(\cdot)$ denote the spectral radius and determinant of a matrix, respectively.

2.2 Algebraic Graph Theory

A directed graph will be used to describe the communication topology of the multi-agent system. This part introduces the useful concepts in algebraic graph theory. A directed graph (i.e., digraph) of order $N$ is denoted by $\mathcal{G} = \{\mathcal{V}, \mathcal{E}, \mathcal{A}\}$, in which $\mathcal{V} = \{1, 2, \dots, N\}$ denotes the set of nodes, $\mathcal{E} \subseteq \mathcal{V} \times \mathcal{V}$ stands for the set of edges, and $\mathcal{A} = [a_{ij}]_{N\times N}$ represents the weighted adjacency matrix having the following form

$$\mathcal{A} = \begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1N} \\ a_{21} & a_{22} & \cdots & a_{2N} \\ \vdots & \vdots & \ddots & \vdots \\ a_{N1} & a_{N2} & \cdots & a_{NN} \end{pmatrix}.$$

Node $i$ represents agent $i$, and an edge in $\mathcal{G}$ is denoted by an ordered pair $(j, i)$. $(j, i) \in \mathcal{E}$ if and only if agent $i$ can directly receive information from agent $j$. Then, the set of the neighbors of agent $i$ is denoted by $\mathcal{N}_i$, which is defined as $\mathcal{N}_i = \{j \in \mathcal{V} \mid (j, i) \in \mathcal{E}\}$. The elements associated with the edges are positive, and the other elements are zero, i.e., $a_{ij} > 0$ if $j \in \mathcal{N}_i$ and $a_{ij} = 0$ otherwise, $\forall i \in \mathcal{V}$. Without loss of generality, it is assumed that self-loops are not allowed, i.e., $a_{ii} = 0$, $\forall i \in \mathcal{V}$. A graph is said to be undirected and symmetric if $(j, i) \in \mathcal{E} \Leftrightarrow (i, j) \in \mathcal{E}$. It is worth pointing out that the set of undirected graphs is a subset of the set of directed graphs.

A directed path in a digraph $\mathcal{G}$ is an ordered sequence $v_1, v_2, \dots, v_l$ of agents such that any ordered pair of vertices appearing consecutively in the sequence is an edge of the digraph, i.e., $(v_i, v_{i+1}) \in \mathcal{E}$ for any $i = 1, 2, \dots, l - 1$. A directed tree is a digraph in which there exists an agent, called the root, such that any other agent of the digraph can be reached by one and only one path starting at the root. $\mathcal{T}_{\mathcal{G}} = \{\mathcal{V}_T, \mathcal{E}_T\}$ is a directed spanning tree of $\mathcal{G}$ if $\mathcal{T}_{\mathcal{G}}$ is a directed tree and $\mathcal{V}_T = \mathcal{V}$. If a digraph $\mathcal{G}$ contains a directed spanning tree, then it is also called connected.

The degree of node $i$ is defined as

$$\deg(i) = \sum_{j=1}^{N} a_{ij}.$$

The degree matrix is defined as $\mathcal{D} = \mathrm{diag}\{\deg(1), \deg(2), \dots, \deg(N)\}$. The Laplacian matrix of digraph $\mathcal{G}$ is defined as $\mathcal{L} = \mathcal{D} - \mathcal{A}$, having the following form

$$\mathcal{L} = \begin{pmatrix} l_{11} & l_{12} & \cdots & l_{1N} \\ l_{21} & l_{22} & \cdots & l_{2N} \\ \vdots & \vdots & \ddots & \vdots \\ l_{N1} & l_{N2} & \cdots & l_{NN} \end{pmatrix},$$

where

$$l_{ij} = \begin{cases} -a_{ij}, & j \neq i, \\ \sum\limits_{k=1,\,k\neq i}^{N} a_{ik}, & j = i. \end{cases}$$

Besides, the Laplacian matrix has the following properties:

1. Zero is an eigenvalue of $\mathcal{L}$, and $1_N$ is the associated right eigenvector.
2. If $\mathcal{G}$ is an undirected graph ($a_{ij} = a_{ji}$), then the Laplacian matrix $\mathcal{L}$ is a symmetric matrix, and all its eigenvalues are real.
3. If $\mathcal{G}$ contains a directed spanning tree, then zero is an algebraically simple eigenvalue of $\mathcal{L}$, and all the other eigenvalues have positive real parts.

In what follows, some lemmas about the Laplacian $\mathcal{L}$ are given.

Lemma 1. Let $\mathcal{L}$ be the Laplacian matrix of digraph $\mathcal{G}$. Then, all the eigenvalues $\gamma$ of $\mathcal{L}$ are located in the following disk:

$$\left|\gamma - \max_{i\in\mathcal{V}} \sum_{k=1,\,k\neq i}^{N} a_{ik}\right| \le \max_{i\in\mathcal{V}} \sum_{k=1,\,k\neq i}^{N} a_{ik}.$$

By the above properties and lemma, we can easily conclude that $\mathcal{G}$ does not contain a spanning tree if and only if more than one eigenvalue of $\mathcal{L}$ is equal to zero.

Lemma 2 (Guan et al. 2012). Let

$$\tilde{\mathcal{L}} = (\tilde{l}_{ij})_{(N-1)\times(N-1)} = \begin{pmatrix} l_{22} - l_{12} & \cdots & l_{2N} - l_{1N} \\ \vdots & \ddots & \vdots \\ l_{N2} - l_{12} & \cdots & l_{NN} - l_{1N} \end{pmatrix}. \tag{1}$$

Denote the eigenvalues of the Laplacian matrix $\mathcal{L}$ and the matrix $\tilde{\mathcal{L}}$, respectively, by $\gamma_1, \gamma_2, \dots, \gamma_N$ and $\mu_1, \mu_2, \dots, \mu_{N-1}$, where $0 = |\gamma_1| \le |\gamma_2| \le \cdots \le |\gamma_N|$ and $|\mu_1| \le |\mu_2| \le \cdots \le |\mu_{N-1}|$. Then $\gamma_2 = \mu_1, \gamma_3 = \mu_2, \dots, \gamma_N = \mu_{N-1}$.

Proof. Note that

$$E^{-1}\mathcal{L}E = \begin{pmatrix} 0 & l_{12} & \cdots & l_{1N} \\ 0 & l_{22} - l_{12} & \cdots & l_{2N} - l_{1N} \\ \vdots & \vdots & \ddots & \vdots \\ 0 & l_{N2} - l_{12} & \cdots & l_{NN} - l_{1N} \end{pmatrix},$$

where

$$E = \begin{pmatrix} 1 & 0_{N-1}^T \\ 1_{N-1} & I_{N-1} \end{pmatrix}$$

is an invertible matrix. Hence $\mathcal{L}$ and $E^{-1}\mathcal{L}E$ have the same eigenvalues, which immediately leads to the conclusion.

The union of the digraphs $\mathcal{G}_1, \mathcal{G}_2, \mathcal{G}_3, \dots, \mathcal{G}_k$ with the same node set $\mathcal{V}$ is a directed graph with the node set $\mathcal{V}$ and the edge set given by the union of the edge sets of the digraphs in the collection.

2.3 Preliminaries on Matrix Theory

Given matrices $A = (a_{ij}) \in \mathbb{R}^{m\times n}$ and $B = (b_{ij}) \in \mathbb{R}^{p\times q}$, the Kronecker product $\otimes$ is defined as

$$A \otimes B = \begin{pmatrix} a_{11}B & \cdots & a_{1n}B \\ \vdots & \ddots & \vdots \\ a_{m1}B & \cdots & a_{mn}B \end{pmatrix}.$$

Lemma 3. Given any matrices $A$, $B$, $C$, and $D$, the Kronecker product has the following properties:
(1) $(\mu A) \otimes B = A \otimes (\mu B)$, where $\mu$ is a constant;
(2) $(A + B) \otimes C = A \otimes C + B \otimes C$;
(3) $(A \otimes B)(C \otimes D) = (AC) \otimes (BD)$.

The matrix $A$ is nonnegative, i.e., $A \ge 0$, if all elements of $A$ are nonnegative. For matrices $A, B \in \mathbb{R}^{n\times n}$, $A \ge B$ denotes $A - B \ge 0$.

Lemma 4 (Jadbabaie et al. 2003). Let $m \ge 2$ be a positive integer and $A_1, A_2, \dots, A_m$ be nonnegative $N \times N$ matrices with positive diagonal entries. Then $A_1 A_2 \cdots A_m \ge \varepsilon (A_1 + A_2 + \cdots + A_m)$, where $\varepsilon > 0$ can be specified from the matrices $A_i$, $i = 1, 2, \dots, m$.

The nonnegative matrix $A$ is row stochastic if the elements of each of its rows sum to 1. The row stochastic matrix $A \in \mathbb{R}^{N\times N}$ is called indecomposable and aperiodic (SIA) if $\lim_{k\to\infty} A^k = 1_N y^T$, where $y$ is some $N \times 1$ column vector.

Lemma 5 (Wolfowitz 1963). Let $P_1, P_2, \dots, P_k \in \mathbb{R}^{N\times N}$ be a finite set of SIA matrices with the property that for each sequence $P_{i_1}, P_{i_2}, \dots, P_{i_j}$ of positive length, the matrix product $P_{i_1} P_{i_2} \cdots P_{i_j}$ is SIA. Then, for each infinite sequence $P_{i_1}, P_{i_2}, \dots, P_{i_j}, \dots$, there exists a column vector $y$ such that

$$\lim_{j\to\infty} P_{i_1} P_{i_2} \cdots P_{i_j} = 1_N y^T.$$

Given a matrix $P = [p_{ij}] \in \mathbb{R}^{N\times N}$, the digraph of $P$, denoted by $\mathcal{G}(P)$, is the digraph with the node set $\mathcal{V} = \{1, 2, \dots, N\}$ such that there is an edge in $\mathcal{G}(P)$ from $j$ to $i$ if and only if $p_{ij} \neq 0$.

Lemma 6 (Ren and Beard 2005). The stochastic matrix $A$ has algebraic multiplicity equal to one for its eigenvalue $\lambda = 1$ if and only if the digraph $\mathcal{G}(A)$ has a directed spanning tree.

Lemma 7 (Ren and Beard 2005). Suppose that $P \in \mathbb{R}^{N\times N}$ is a row stochastic matrix with positive diagonal elements. If the digraph $\mathcal{G}(P)$ has a directed spanning tree, then $P$ is SIA.

Lemma 8 (Cao and Ren 2010b). The polynomial $z^2 + az + b = 0$, where $a, b \in \mathbb{C}$, has all roots within the unit circle if and only if all roots of $(1 + a + b)t^2 + 2(1 - b)t + b - a + 1 = 0$ are in the open left half plane (LHP).

Lemma 9 (Yu et al. 2011c; Parks and Hahn 1993). Given a complex coefficient polynomial of order two as follows:

$$g(s) = s^2 + (\xi_1 + \zeta_1 \mathrm{i})s + \xi_0 + \zeta_0 \mathrm{i},$$

where $\xi_1, \zeta_1, \xi_0, \zeta_0$ are real constants. Then, $g(s)$ is stable if and only if $\xi_1 > 0$ and $\xi_1 \zeta_1 \zeta_0 + \xi_1^2 \xi_0 - \zeta_0^2 > 0$.

3 Problems Formulation

Consider a multi-agent system consisting of $N$ identical agents with second-order dynamics,

$$\dot{x}_i(t) = v_i(t), \qquad \dot{v}_i(t) = u_i(t), \tag{2}$$

where $t \in Q = [t_0, \infty)$, $i \in \mathcal{V} = \{1, 2, \dots, N\}$, $t_0 \ge 0$ denotes the initial time, $x_i \in \mathbb{R}^n$ and $v_i \in \mathbb{R}^n$ are, respectively, the position and velocity states of agent $i$, and $u_i \in \mathbb{R}^n$ is the control input referred to as the consensus algorithm. The definition of the consensus problem is given as follows.

Definition 1. Consensus in the multi-agent system (2) is said to be achieved if, for any initial states $x_i(t_0)$ and $v_i(t_0)$,

$$\lim_{t\to\infty} x_i(t) = \zeta, \qquad \lim_{t\to\infty} v_i(t) = 0,$$

where $i \in \mathcal{V}$ and $\zeta \in \mathbb{R}^n$ is a constant vector.

Throughout this chapter, it is assumed that the communications among the agents only occur at sampling instants, which is referred to as sampled-data communications. The sampling time sequence $\{t_k\}_{k=1}^{\infty}$ satisfies

$$t_1 < t_2 < \cdots < t_k < \cdots, \qquad \lim_{k\to\infty} t_k = \infty,$$

where $t_1 > t_0$. Let the time-varying digraph $\mathcal{G}(t) = \{\mathcal{V}, \mathcal{E}(t), \mathcal{A}(t)\}$ denote the sampled-data communications of multi-agent system (2). We assume that the communications among the agents occur only at sampling instants, which implies that the communication graph $\mathcal{G}(t)$ does not contain any edge (i.e., $\mathcal{G}(t) = 0$) when $t \neq t_k$, $\forall k \in \mathbb{N}$.

The control objective is to design the control input $u_i$ for agent $i$ under sampled-data communications to achieve consensus using only partial information of itself and its neighbors, namely, $u_i$ has the following form

$$u_i(t) = \varphi_i\big(x_i(t_1), \dots, x_i(t_k), x_{j\in\mathcal{N}_i}(t_1), \dots, x_{j\in\mathcal{N}_i}(t_k)\big), \tag{3}$$

where $t \ge t_k$, $t < t_{k+1}$, $t \in Q$, $k \in \mathbb{N}$, and $x_{j\in\mathcal{N}_i}(t_k)$ denote the position states of the neighbor agents of agent $i$ at time $t_k$, $\forall i \in \mathcal{V}$.

In the control input of form (3), agent $i$, for any $i \in \mathcal{V}$, is required to obtain the sampled relative positions to its neighbors (i.e., $x_j(t_k) - x_i(t_k)$, $j \in \mathcal{N}_i(t)$). This is quite different from the existing consensus algorithms without velocity information (Ren 2008; Hong et al. 2006; Gao et al. 2009a; Yu et al. 2011c), which require continuous information of the position states. Furthermore, compared with the traditional estimator-based coordination algorithms that consider continuous communications, the control input of form (3) only transmits and updates the interaction information at the sampling time, which leads to the following benefits: less requirement of target information (only sampling data of the target is used), lower cost for maintaining communication (only sampled-data communications are required), and lower consumption of calculation resources (the estimate value is only updated at sampling time).

Throughout the proposed control problem, the multi-agent system has the following properties:

1. The impulsive control is only active at the impulsive instant $t_k$, at which it changes the velocity of each agent instantaneously.
2. The velocity of each agent is constant between two impulsive instants.

Since agents cannot obtain any information of velocity, we need to estimate the relative velocities according to the relative positions at impulsive instants.

4 Impulsive Controller Development

This part presents several impulsive controllers for the multi-agent system. The impulsive controllers with partial information can be designed as

$$u_i(t) = \sum_{k=1}^{\infty} \Big\{ p_1 \sum_{j\in\mathcal{N}_i(t)} a_{ij}\,[x_j(t) - x_i(t)] + p_2\,[x_i(t) - x_i(t_{k-1})] \Big\}\, \delta(t - t_k), \tag{4}$$

and

$$u_i(t) = \sum_{k=1}^{\infty} \sum_{j\in\mathcal{N}_i(t)} a_{ij} \Big\{ p_1\,[x_j(t) - x_i(t)] - p_2\,[x_j(t_{k-1}) - x_i(t_{k-1})] \Big\}\, \delta(t - t_k), \tag{5}$$

where $i \in \mathcal{V}$ and $\delta(\cdot)$ is the Dirac function. Let the impulsive period be defined as $h_k = t_k - t_{k-1}$ when $t \in (t_{k-1}, t_k]$, $\forall k \in \mathbb{N}$. Assume that the control gains satisfy $p_1 > 0$, $p_2 > 0$.

We then move on to analyze the effect of the impulsive controllers (4) and (5). First we introduce the Heaviside function $H_k(t) : Q \to \{0, 1\}$ for any $k \in \mathbb{N}$, which has the following form:

$$H_k(t) = \begin{cases} 0, & t_0 \le t < t_k, \\ 1, & t \ge t_k. \end{cases}$$

It thus follows that $DH_k = \delta(t - t_k)$, where $DH_k$ is the distributional derivative of the function $H_k(t)$. Furthermore, $u_i(t) = 0$ when $t \neq t_k$. Let $v_i(t_k) = v_i(t_k^-) = \lim_{\varsigma\to 0^-} v_i(t_k + \varsigma)$ and $v_i(t_k^+) = \lim_{\varsigma\to 0^+} v_i(t_k + \varsigma)$, $\forall i \in \mathcal{V}$, $k \in \mathbb{N}$. Consider

$$v_i(t_k + \varsigma) - v_i(t_k) = \int_{t_k}^{t_k+\varsigma} u_i(s)\,ds, \tag{6}$$

where $\varsigma > 0$ is sufficiently small. As $\varsigma \to 0^+$, the relationship (6) reduces to $\Delta v_i(t)|_{t=t_k} = v_i(t_k^+) - v_i(t_k)$. Then, based on the above analysis and the property of the Heaviside function, the impulsive controllers (4) and (5) have the effect of instantaneously changing the state $v_i$ at the impulsive time $t_k$. Additionally, note that the velocity of each agent is constant between two impulsive instants. Thus, the controllers (4) and (5) can be equivalently rewritten as

$$\begin{cases} \dot{x}_i(t) = v_i(t), \\ \dot{v}_i(t) = 0, \quad t \in (t_k, t_{k+1}], \\ \Delta v_i(t_k) = -p_1 \sum\limits_{j\in\mathcal{V}} l_{ij}\,x_j(t_k) - p_2\,\big(x_i(t_k) - x_i(t_{k-1})\big) \end{cases} \tag{7}$$

and

$$\begin{cases} \dot{x}_i(t) = v_i(t), \\ \dot{v}_i(t) = 0, \quad t \in (t_k, t_{k+1}], \\ \Delta v_i(t_k) = -p_1 \sum\limits_{j\in\mathcal{V}} l_{ij}\,x_j(t_k) + p_2 \sum\limits_{j\in\mathcal{V}} l_{ij}\,x_j(t_{k-1}). \end{cases} \tag{8}$$

It can be observed that the neighbors' position information must be stored for the next impulsive control in the controller (5), whereas it does not need to be stored in the controller (4). Next we will analyze the convergence property of the closed-loop systems (7) and (8) under different cases.

5 Consensus Under Identical Impulsive Period

In this part, we focus on the consensus analysis of the multi-agent system under the impulsive controller with identical impulsive period and fixed directed communication topology $\mathcal{G}$, i.e., $h_k = h$ for all $k \in \mathbb{N}$, $\mathcal{G}(t_k) \equiv \mathcal{G}$ for all $k \in \mathbb{N}$, and $h > 0$ is a positive constant.

5.1 Consensus Analysis of System (7)

This part provides the convergence analysis of the closed-loop system (7). From the closed-loop system (7), one has

$$x_i(t_{k+1}) = x_i(t_k) + h\,v_i(t_k^+), \qquad v_i(t_{k+1}) = v_i(t_k^+), \qquad k \in \mathbb{N},$$

where

$$v_i(t_{k+1}^+) = v_i(t_{k+1}) - p_1 \sum_{j\in\mathcal{V}} l_{ij}\,x_j(t_{k+1}) - p_2 h\,v_i(t_k^+).$$

Let

$$\tilde{x}_i(k+1) = x_i(t_{k+1}) - x_1(t_{k+1}), \qquad \tilde{v}_i(k+1) = v_i(t_{k+1}^+) - v_1(t_{k+1}^+).$$

Then,

$$\begin{cases} \tilde{x}_i(k+1) = \tilde{x}_i(k) + h\,\tilde{v}_i(k), \\ \tilde{v}_i(k+1) = \tilde{v}_i(k) - p_1 \sum\limits_{j\in\mathcal{V}} \tilde{l}_{ij}\,x_j(k+1) - p_2 h\,\tilde{v}_i(k) \\ \phantom{\tilde{v}_i(k+1)} = \Big(1 - p_2 h - p_1 h \sum\limits_{j\in\mathcal{V}} \tilde{l}_{ij}\Big)\tilde{v}_i(k) - p_1 \sum\limits_{j\in\mathcal{V}} \tilde{l}_{ij}\,x_j(k), \end{cases}$$

where $x_j(t_k)$ and $x_j(t_{k+1})$ have been simplified as $x_j(k)$ and $x_j(k+1)$, respectively. Then, denote

$$\tilde{x}(k) = [\tilde{x}_1^T(k), \dots, \tilde{x}_{N-1}^T(k)]^T, \qquad \tilde{v}(k) = [\tilde{v}_1^T(k), \dots, \tilde{v}_{N-1}^T(k)]^T.$$

The multi-agent system (2) with algorithm (4) can be rewritten into the matrix form as follows

$$\begin{pmatrix} \tilde{x}(k+1) \\ \tilde{v}(k+1) \end{pmatrix} = (P \otimes I_n) \begin{pmatrix} \tilde{x}(k) \\ \tilde{v}(k) \end{pmatrix}, \tag{9}$$

where

$$P = \begin{pmatrix} I_{N-1} & h I_{N-1} \\ -p_1 \tilde{\mathcal{L}} & (1 - p_2 h) I_{N-1} - p_1 h \tilde{\mathcal{L}} \end{pmatrix}$$

and $\tilde{\mathcal{L}}$ is defined in (1). Thus, the consensus problem proposed in Definition 1 can be achieved asymptotically if and only if, for any initial conditions,

$$\lim_{k\to\infty} \tilde{x}(k) = 0, \qquad \lim_{k\to\infty} \tilde{v}(k) = 0.$$

It can be seen that consensus can be achieved for the multi-agent system (2) under the controller (4) if and only if the discrete-time system (9) is globally asymptotically stable. Then, according to the stability results of discrete-time systems, it is easy to obtain the following result.


Theorem 1. The multi-agent system (2) under the impulsive controller (4) achieves consensus asymptotically using position-only information if and only if the communication graph G contains a directed spanning tree and the impulsive period √  p2 Re(γi )+p1 Im(γi )2 −Re(γi ) θ |Im(γi )| p1

(11)

for $i = 2, 3, \dots, N$.

Proof. Obviously, the discrete-time system (9) is globally asymptotically stable if and only if $\rho(P) < 1$. Let $\lambda$ be an eigenvalue of matrix $P$, then $\det(\lambda I_{2N-2} - P) = 0$. Note that

$$\begin{aligned} \det(\lambda I_{2N-2} - P) &= \det \begin{pmatrix} (\lambda - 1) I_{N-1} & -h I_{N-1} \\ p_1 \tilde{\mathcal{L}} & (\lambda - 1 + p_2 h) I_{N-1} + p_1 h \tilde{\mathcal{L}} \end{pmatrix} \\ &= \det\big(\lambda^2 I_{N-1} + \lambda[(p_2 h - 2) I_{N-1} + p_1 h \tilde{\mathcal{L}}] + (1 - p_2 h) I_{N-1}\big) \\ &= \prod_{i=2}^{N} \big[\lambda^2 + \lambda(p_2 h + p_1 h \gamma_i - 2) + 1 - p_2 h\big]. \end{aligned}$$

Let

$$\phi_i(\lambda) = \lambda^2 + \lambda(p_2 h + p_1 h \gamma_i - 2) + 1 - p_2 h = 0, \tag{12}$$

where $i = 2, 3, \dots, N$. According to Lemma 8, $\phi_i(\lambda)$ has all roots within the unit circle if and only if all roots of

$$p_1 h \gamma_i s^2 + 2 p_2 h s + 4 - 2 p_2 h - p_1 h \gamma_i = 0 \tag{13}$$

are in the open LHP. As long as graph $\mathcal{G}$ contains a directed spanning tree, $\gamma_i \neq 0$ for all $i = 2, 3, \dots, N$, and then (13) can be simplified to

$$s^2 + \frac{2 p_2}{p_1 \gamma_i} s + \frac{4}{p_1 h \gamma_i} - \frac{2 p_2}{p_1 \gamma_i} - 1 = 0. \tag{14}$$

By Lemma 9, (14) is stable if and only if

$$\frac{2 p_2 \mathrm{Re}(\gamma_i)}{p_1 |\gamma_i|^2} > 0$$

and

$$p_2^2 \big(2 p_2 \mathrm{Re}(\gamma_i) + p_1 |\gamma_i|^2\big) h^2 - 4 p_2 \big[p_2 \mathrm{Re}(\gamma_i) + p_1 \mathrm{Im}^2(\gamma_i)\big] h + 4 p_1 \mathrm{Im}^2(\gamma_i) < 0 \tag{15}$$

for $i = 2, 3, \dots, N$. Therefore, consensus for the multi-agent system (2) is achieved if and only if (10) and (11) are satisfied by solving (15). The proof is thus completed.

It can be observed from Theorem 1 that, in order to achieve consensus, there is a tight restriction on the impulsive period $h$: for a general directed network with complex Laplacian eigenvalues, second-order consensus cannot be achieved for a sufficiently small or large impulsive period $h$. That is quite different from the conclusion obtained by second-order consensus algorithms using both position and velocity information, namely that the impulsive period is restricted by an upper bound. Theorem 1 can be reduced to the following corollary when undirected topology is considered.

Corollary 1. If the communication graph $\mathcal{G}$ for the multi-agent system (2) is undirected, the multi-agent system (2) under the impulsive controller (4) achieves consensus asymptotically if and only if $\mathcal{G}$ is connected and h
0, and when assumption (A1) holds, $\bar{l} > 0$, which implies that $p_2 \bar{h} < 2$ when assumptions (A1) and (A2) hold. Then, it is easy to show that when $p_2 \bar{h} < 2$, $P_1(k)$ is a nonnegative matrix with positive diagonal elements. Obviously, $P_2(k)$ is a nonnegative matrix with positive diagonal elements. It can be verified that when $p_2 \bar{h} < 2$ and

$$p_1 < \frac{(p_2 h)^2}{2h\,(2 - p_2 h)\,\bar{l}},$$

$P_3(k) \ge 0$ is a nonnegative matrix with positive diagonal elements, for $k \in \mathbb{N}$. It also can be verified that when

p1

0, $\mu_2 > 0$, $\alpha I - \mu_1 \tilde{\mathcal{L}}$, and $(1 - \alpha) I - \mu_2 \tilde{\mathcal{L}}$ are nonnegative matrices with positive diagonal elements. Then, $\tilde{P}$ is also a stochastic matrix, and this is easy to check since the edges in the digraph $\mathcal{G}(\tilde{P})$ are the same as those in the digraph $\mathcal{G}\big(\sum_{k=k_0}^{l+k_0} P(k)\big)$.

Let $\lambda$ be an eigenvalue of matrix $\tilde{P}$, then $\det(\lambda I - \tilde{P}) = 0$. Note that

$$\det(\lambda I - \tilde{P}) = \prod_{i=1}^{N} \big(\lambda^2 - 2\lambda(1 - \alpha) + \lambda \mu_2 \gamma_i + (1 - 2\alpha) + (\alpha\mu_2 + \alpha\mu_1 - \mu_2)\gamma_i\big),$$

where $\gamma_i$, $i = 1, 2, \dots, N$, are the eigenvalues of $\tilde{\mathcal{L}}$. Let

$$Q(\lambda) = \lambda^2 - 2\lambda(1 - \alpha) + \lambda\mu_2\gamma_i + (1 - 2\alpha) - \mu_2\gamma_i + \alpha\mu_2\gamma_i + \alpha\mu_1\gamma_i.$$

Then, $Q(1) = \alpha\mu_2\gamma_i + \alpha\mu_1\gamma_i$. Hence, $\lambda = 1$ implies $\gamma_i = 0$ for some $i$. When $\gamma_i = 0$, one has

$$Q(\lambda) = (\lambda - (1 - 2\alpha))(\lambda - 1). \tag{36}$$

The union of $\mathcal{G}(t_k)$ across $k \in [k_0, k_0 + l]$ contains a directed spanning tree, so $\tilde{\mathcal{L}}$ has one simple eigenvalue $\gamma_i = 0$. From $0 < \alpha < 1$, $1 - 2\alpha \neq 1$. Hence, from (36), $\tilde{P}$ has one simple eigenvalue $\lambda = 1$. It follows from Lemma 6 that $\mathcal{G}(\tilde{P})$ contains a spanning tree, which implies that $\mathcal{G}\big(\sum_{k=k_0}^{l+k_0} P(k)\big)$ contains a spanning tree. It follows from Lemma 4 that

$$\prod_{k=k_0}^{l+k_0} P(k) \ge \varepsilon \sum_{k=k_0}^{l+k_0} P(k), \tag{37}$$

for some $\varepsilon > 0$. By Lemma 11, $P(k)$ is a stochastic matrix with positive diagonal elements. Then, it is easy to show that $\prod_{k=k_0}^{l+k_0} P(k)$ is also a stochastic matrix. From (37), $\mathcal{G}\big(\prod_{k=k_0}^{l+k_0} P(k)\big)$ also contains a spanning tree. Then, it follows from Lemma 7 that the matrix $\prod_{k=k_0}^{l+k_0} P(k)$ is SIA. This completes the proof.

Now we are ready to present our main result as follows.

Theorem 4. If assumptions (A1) and (A2) hold, then the multi-agent system (2) with the impulsive algorithm (4) achieves consensus.

Proof. From Lemma 12, if assumptions (A1) and (A2) hold, $\prod_{k=k_0}^{l+k_0} P(k)$ is SIA for any $k_0$. It follows from Lemma 5 that $\lim_{k\to\infty} P(k) \cdots P(1) = 1_{2N} y^T$ for some $y \in \mathbb{R}^{2N}$. From (34),

$$\lim_{k\to\infty} \big[\tilde{x}^T(k), \tilde{v}^T(k)\big]^T = 1_{2N} y^T \big[\tilde{x}^T(0), \tilde{v}^T(0)\big]^T,$$

which implies the multi-agent system (2) achieves consensus. That ends the proof.

Remark 4. Note that $p_2 \bar{h} < 2$ when assumptions (A1) and (A2) hold. Then, the control gain $p_2 < 2/\bar{h}$, and it is easy to find a suitable $p_1$ according to (29).

Corollary 4. Consider the case of equidistant sampling interval, that is, $h_k = h$ with $h$ being a constant. If assumption (A1) holds and

$$p_1 < \min\left\{ \frac{(p_2 h)^2}{2h\,(2 - p_2 h)\,\bar{l}},\ \frac{2 - p_2 h}{2h\,\bar{l}} \right\},$$

where $\bar{l}$ is given right after (29), then the multi-agent system (2) with the impulsive algorithm (4) achieves consensus.

Corollary 5. Consider the case of fixed communication digraph, that is, $\mathcal{G}(t_k) = \mathcal{G}$, $k \in \mathbb{N}$. Let $\mathcal{L} = (l_{ij})_{N\times N}$ be the Laplace matrix of $\mathcal{G}$. If $p_2 h_k < 2$,

$$p_1 < \min\left\{ \frac{(p_2 h)^2}{2h\,(2 - p_2 h)\,\max_{i\in\mathcal{V}}\{l_{ii}\}},\ \frac{2 - p_2 \bar{h}}{2\bar{h}\,\max_{i\in\mathcal{V}}\{l_{ii}\}} \right\},$$

then the multi-agent system (2) with the impulsive algorithm (4) achieves consensus.

Corollary 6. Consider the case of both fixed communication digraph and constant sampling period, that is, $\mathcal{G}(t_k) = \mathcal{G}$, $h_k = h$. Let $\mathcal{L} = (l_{ij})_{N\times N}$ be the Laplace matrix of $\mathcal{G}$. If $\mathcal{G}$ contains a spanning tree and

$$p_1 < \min\left\{ \frac{(p_2 h)^2}{2h\,(2 - p_2 h)\,\max_{i\in\mathcal{V}}\{l_{ii}\}},\ \frac{2 - p_2 h}{2h\,\max_{i\in\mathcal{V}}\{l_{ii}\}} \right\},$$

then the multi-agent system (2) with the impulsive algorithm (4) achieves consensus.

7 Examples

In this section, some illustrative examples are given to validate the theoretical analysis.

7.1 Examples for Consensus Under Identical Impulsive Period

Example 1. Consider a multi-agent system (2) with the directed communication graph as shown in Fig. 1. The Laplacian matrix is given by

$$L = \begin{pmatrix}
3 & 0 & 0 & 0 & -1 & -1 & 0 & -1 \\
-1 & 3 & 0 & 0 & 0 & 0 & -1 & 0 \\
0 & 0 & 1 & -1 & 0 & 0 & 0 & 0 \\
0 & -1 & 0 & 1 & 0 & 0 & 0 & 0 \\
0 & -1 & 0 & 0 & 1 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 1 & 0 & -1 \\
0 & 0 & -1 & 0 & -1 & -1 & 3 & 0 \\
0 & 0 & 0 & -1 & 0 & 0 & 0 & 1
\end{pmatrix}.$$

Fig. 1 Communication graph

The eigenvalues of L are γ1 = 0, γ2 = γ3 = 1, γ4 = 3, γ5 = γ6 = 1.2929 ± 0.7071i, γ7 = γ8 = 2.7071 ± 0.7071i. For the controller (4), choosing p1 = 1 and p2 = 0.8 such that p2 > p1 |Im(γi )| . Since #

√ $ p2 Re(γi ) + p1 Im(γi )2 + Re(γi ) θ min 2 = 0.7563, 2≤i≤N p2 (2p2 Re(γi ) + p1 |γi |2 ) #

√ $ p2 Re(γi ) + p1 Im(γi )2 − Re(γi ) θ max 2 = 0.6194, 2≤i≤N p2 (2p2 Re(γi ) + p1 |γi |2 )

from Theorem 1, it can be found that consensus can be achieved asymptotically if and only if 0.6194 < h < 0.7563. Figure 2 shows that the multi-agent system can achieve consensus when h = 0.64 and h = 0.72 but cannot achieve consensus when h = 0.60 and h = 0.78.

Then for the controller (5), let $p_1 = 1$ and $p_2 = 0.8$ such that $p_1 > p_2$, $p_2 > \frac{p_1 |\mathrm{Im}(\gamma_i)|}{|\gamma_i|}$.

Fig. 2 Position and velocity trajectory of the multi-agent system (2) under the controller (4), where h = 0.60 in (a), h = 0.64 in (b), h = 0.72 in (c), and h = 0.78 in (d)

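From Theorem 2, we can calculate

$$\max_{2\le i\le N} \frac{2\left(p_2 \mathrm{Re}(\gamma_i) - \beta\right)}{p_2 (p_1 + p_2)|\gamma_i|^2} = 0.0582, \qquad \min_{2\le i\le N} \frac{2\left(p_2 \mathrm{Re}(\gamma_i) + \beta\right)}{p_2 (p_1 + p_2)|\gamma_i|^2} = 0.7407.$$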

Therefore, consensus can be achieved when h = 0.08 and h = 0.70 as shown in Fig. 3b, c but cannot be achieved when h = 0.05 and h = 0.78 as shown in Fig. 3a, d.

Example 2. This example verifies the relationship between impulsive period h and per-step decay factor under different topologies. We consider three kinds of networks which contain eight agents with star-shaped coupling network, general digraph network, and global coupling network. Figure 4 plots the per-step decay factor $r_{\mathrm{step}}$ as a function of impulsive period h with the same control gains $p_1 = 1$, $p_2 = 0.8$ but different topologies for algorithm (9). Firstly, we calculate the allowable impulsive period for consensus, respectively. According to Theorem 1, we can get h
$t_{ij}^{k},\ f_{ij}(\cdot) \le 0$ or $f_{jq}(\cdot) \le 0$ (11)

with the initial event instant $t_{ij}^{0} = 0$, agent $j \in N_i$ is the tail of directed edge (i, j) and agent $q \in N_j$ is the tail of directed edge (j, q). In the proposed edge-based strategy, when the positiveness of $f_{ij}(\cdot)$ or $f_{jq}(\cdot)$ is contravened, an event is triggered for the directed edge (i, j) and the point-to-point link is established between reference generator i and reference generator j. The actual value of the edge state is accessible to the head reference generator i.

Remark 1. Reference generator i may connect with multiple tail neighbors $j \in N_i$. Each directed edge (i, j) is related to different event conditions. The instants at which the edge (i, j) is triggered form an event sequence $\{t_{ij}^{k}\}$, which is described as $\{t_{ij}^{0}, t_{ij}^{1}, t_{ij}^{2}, \ldots\}$. Define $|N_i|$ as the cardinality of $N_i$. The reference generator i is updated at the union of these $|N_i|$ event sequences corresponding to different edges that share the common reference generator i.

Remark 2. There exist two event-triggering functions $f_{ij}(\cdot)$ and $f_{jq}(\cdot)$ for directed edge (i, j). A detector is embedded in agent i to determine whether the positiveness of $f_{ij}(\cdot)$ is contravened, and a detector is embedded in agent j to determine whether the positiveness of $f_{jq}(\cdot)$ is contravened. If either $f_{ij}(\cdot) \le 0$ or $f_{jq}(\cdot) \le 0$ is satisfied, the point-to-point link is established from agent j to agent i.

Remark 3. The next triggering instant $t_{ij}^{k+1}$ for directed edge (i, j) is cooperatively determined by agent i and agent j. Once the positiveness of $f_{ij}(\cdot)$ is contravened, agent i measures the edge state of (i, j). In addition, if any event occurs at agent j, agent j will notify agent i to measure the edge state of (i, j) as well as all its other children p to measure the edge state of (p, j).

Remark 4. Similar to the directed edge (i, j), the event instants $t_{pi}^{k}$ for directed edge (p, i) are given iteratively according to

$$t_{pi}^{k+1} = \inf\left\{ t \mid t > t_{pi}^{k},\ f_{pi}(\cdot) \le 0 \ \text{or}\ f_{ij}(\cdot) \le 0 \right\}, \tag{12}$$

where k = 0, 1, 2, . . ., the initial value $t_{pi}^{0} = 0$, and agent p is the head of the directed edge (p, i). From the designed communication protocols (11) and (12), it is observed that if $f_{ij}(\cdot) \le 0$ is satisfied, the point-to-point links are established from agent j to agent i and from agent i to agent p. More specifically, when $h_{ij}(t)$ grows beyond b(t), agent i accesses the actual value of edge state $z_{ij}(t)$ and notifies all its neighbors (agent p) to obtain the actual value of edge state $z_{pi}(t)$.

35 Analysis and Design of Synchronization for a Heterogeneous Network

3.1 Predicted Value for Edge State

The edge-based approach is adopted to construct the controller. Directed edge (i, j) denotes the information from adjacent reference generator j to reference generator i. Define the state of edge (i, j) as

$$e_{ij}(t) = r_i(t) - r_j(t), \tag{13}$$

whose evolution is described by

$$\dot{e}_{ij}(t) = S e_{ij}(t) + (v_i(t) - v_j(t)). \tag{14}$$

Remark 5. From Eq. (14), it can be observed that the calculation of edge state $e_{ij}(t)$ is based on the control inputs $v_i(t)$ and $v_j(t)$. However, reference generator i cannot access the control input of reference generator j. Thus, some works in the literature assume that control inputs are broadcast among agents at event instants, which might be inappropriate from a privacy point of view. Thus, we embed a predictor in each reference generator to predict the value of $e_{ij}(t)$ between any two consecutive event instants.

At the event instant $t_{ij}^{k}$, the point-to-point communication link is established from reference generator j to reference generator i. The actual value of the edge state $e_{ij}(t_{ij}^{k})$ is accessible to reference generator i. However, during the time interval $(t_{ij}^{k}, t_{ij}^{k+1})$, the point-to-point communication link is disconnected, and reference generator i cannot access the actual value of the edge state $e_{ij}(t)$. Since all reference generators in the communication area have identical dynamics, we utilize a predictor

$$\dot{\hat{e}}_{ij}(t) = S \hat{e}_{ij}(t) \tag{15}$$

in reference generator i to predict the state of edge (i, j) during $(t_{ij}^{k}, t_{ij}^{k+1})$. The solution of $\hat{e}_{ij}(t)$ is obtained as

$$\hat{e}_{ij}(t) = e^{S(t - t_{ij}^{k})} \hat{e}_{ij}(t_{ij}^{k}), \quad t \in (t_{ij}^{k}, t_{ij}^{k+1}), \tag{16}$$

where $\hat{e}_{ij}(t_{ij}^{k}) = e_{ij}(t_{ij}^{k})$. Define the difference of the predicted value and the actual value for the edge state as

$$\tilde{e}_{ij}(t) = \hat{e}_{ij}(t) - e_{ij}(t), \tag{17}$$

which satisfies

$$\tilde{e}_{ij}(t) \begin{cases} = 0, & t = t_{ij}^{k}; \\ \neq 0, & t \in (t_{ij}^{k}, t_{ij}^{k+1}). \end{cases} \tag{18}$$


Y. Wu et al.

The predictor of reference generator i is updated at the union of $|N_i|$ event sequences. From (14), (15), and (17), we obtain that the evolution of $\tilde{e}_{ij}$ satisfies

$$\dot{\tilde{e}}_{ij}(t) = S \tilde{e}_{ij}(t) - (v_i(t) - v_j(t)). \tag{19}$$

It can be acquired that

$$\tilde{e}_{ij}(t) = e^{St} \tilde{e}_{ij}(t_{ij}^{k}) + \int_{t_{ij}^{k}}^{t} e^{S(t-\tau)} (v_i(\tau) - v_j(\tau))\, d\tau = \int_{t_{ij}^{k}}^{t} e^{S(t-\tau)} (v_i(\tau) - v_j(\tau))\, d\tau \tag{20}$$

for $t \in [t_{ij}^{k}, t_{ij}^{k+1})$. Then the norm of $\tilde{e}_{ij}(t)$ is upper bounded by

$$\begin{aligned}
\|\tilde{e}_{ij}(t)\| &= \left\| \int_{t_{ij}^{k}}^{t} e^{S(t-\tau)} (v_i(\tau) - v_j(\tau))\, d\tau \right\| \\
&\le \left\| \int_{t_{ij}^{k}}^{t} e^{S(t-\tau)} v_i(\tau)\, d\tau \right\| + \left\| \int_{t_{ij}^{k}}^{t} e^{S(t-\tau)} v_j(\tau)\, d\tau \right\| \\
&\le h_{ij}(t) + h_{ji}(t) \le 2b(t).
\end{aligned} \tag{21}$$

In the adopted edge-based approach, we adopt the edge state to construct the controller. Based on the definition of incidence matrix in algebraic graph theory, we can find a matrix such that D = L. Assuming that there exist m edges in the communication graph G, the following transformation

$$e(t) = (D^T \otimes I_n)\, r(t) \tag{22}$$

holds, where the stack vector of agent states

$$r(t) = [r_1^T(t)\ r_2^T(t)\ \cdots\ r_N^T(t)]^T \tag{23}$$

and

$$e(t) = [e_1^T(t)\ e_2^T(t)\ \cdots\ e_m^T(t)]^T \tag{24}$$

with $e_l(t) \in \mathbb{R}^n$, l = 1, . . . , m denotes the state of l-th edge when rearranging the m edges according to D. Corresponding to the order of $e_{ij}(t)$ in e(t), we arrange the order of $\tilde{e}_{ij}(t)$ and obtain the stack vector

$$\tilde{e}(t) = [\tilde{e}_1^T(t)\ \tilde{e}_2^T(t)\ \cdots\ \tilde{e}_m^T(t)]^T. \tag{25}$$


Furthermore, corresponding to $e_l(t)$ in (24), the $\tilde{e}_l(t)$ in (25) denotes the difference of predicted value and actual value for the l-th edge when rearranging the m edges according to D. Then the following inequality

$$\|\tilde{e}(t)\| \le 2\sqrt{m}\, b(t) \tag{26}$$

holds.

3.2 Synchronization of Reference Generators

In this part, a distributed control law with event-triggering function (9) is provided to guarantee that the networked reference generators can achieve synchronization. The outputs of all reference generators will be controlled to converge with the output of the following virtual leader, that is,

$$\dot{\bar{r}}(t) = S \bar{r}(t), \qquad \bar{\theta}(t) = Q \bar{r}(t) \tag{27}$$

and $\bar{r}(t) = e^{St} \bar{r}(0)$.

Remark 6. In the case that the network doesn't contain the leader, some works in the literature construct a virtual leader (Wen et al. 2015b; Su et al. 2009) to denote the tracked trajectory. From (27), it is observed that the target trajectory depends on the initial value of (27) and the matrices S and Q. For the virtual leader, we adopt the following two assumptions.

Assumption 7. It is assumed that all eigenvalues of S have zero real parts and multiplicity one in the minimal polynomial, and (S, Q) is observable.

Assumption 8. It is assumed that the root of the spanning tree can access the initial state $\bar{r}(0)$ of the virtual leader (27).

Owing to the communication constraints of the network, only a small number of the reference generators can access the information of the virtual leader (27). We adopt a diagonal matrix $G = \mathrm{diag}\{g_1, \ldots, g_N\}$ to describe the information from the virtual leader to the network, in which the scalar $g_i$ denotes whether the virtual leader is accessible to reference generator i. In the case that reference generator i can obtain the information of virtual leader (27) directly, $g_i = 1$; otherwise, $g_i = 0$. Since the dynamics of the virtual leader and reference generators share the same matrix S, the reference generator i (for the case that $g_i = 1$) can predict $\bar{r}(t)$ and $\bar{\theta}(t)$ based on the initial value $\bar{r}(0)$ at the initial event instant $t_{ij}^{0} = 0$.


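The controller for each reference generator is calculated based on the predicted values of edge states, which is given as

$$v_i(t) = -K \left[ \sum_{j \in N_i} d_{ij} \hat{e}_{ij}(t) + g_i (r_i(t) - \bar{r}(t)) \right], \tag{28}$$

where the scalar $d_{ij}$ is the (i, j) entry of the incidence matrix D and matrix K is chosen for synchronization purpose. Under the action of this distributed control law (28), the dynamics of reference generator (4) is rewritten as

$$\begin{aligned}
\dot{r}_i(t) &= S r_i(t) - K \left( \sum_{j \in N_i} d_{ij} e_{ij}(t) + \sum_{j \in N_i} d_{ij} \tilde{e}_{ij}(t) \right) - K g_i (r_i(t) - \bar{r}(t)), \\
\theta_i(t) &= Q r_i(t).
\end{aligned} \tag{29}$$

Define the disagreement vector

$$\delta(t) = r(t) - \mathbf{1} \otimes \bar{r}(t), \tag{30}$$

which satisfies $\mathbf{1}^T \delta(t) = 0$, where $\delta(t) = [\delta_1^T(t)\ \ldots\ \delta_N^T(t)]^T$ and r(t) is given in (23). It is calculated that

$$r_i(t) = E_i \delta(t) + \bar{r}(t), \tag{31}$$

in which $E_i$ is a matrix of the form $E_i = [0, \cdots, I, \cdots, 0]$, where the identity matrix is in the ith place. With the aid of $D\mathbf{1} = 0$, (22), (27), (29), and (30), it can be observed that

$$\begin{aligned}
\dot{\delta}(t) &= \dot{r}(t) - \mathbf{1} \otimes \dot{\bar{r}}(t) \\
&= (I \otimes S) r(t) - (D \otimes \xi P) e(t) - (D \otimes \xi P) \tilde{e}(t) - (G \otimes \xi P) \delta(t) - \mathbf{1} \otimes S \bar{r}(t) \\
&= (I \otimes S) r(t) - (D \otimes \xi P) r(t) - (D \otimes \xi P) \tilde{e}(t) - (G \otimes \xi P) \delta(t) - \mathbf{1} \otimes S \bar{r}(t) \\
&= (I \otimes S - D \otimes \xi P)(\delta(t) + \mathbf{1} \otimes \bar{r}(t)) - (D \otimes \xi P) \tilde{e}(t) - (G \otimes \xi P) \delta(t) - \mathbf{1} \otimes S \bar{r}(t) \\
&= (I \otimes S - D \otimes \xi P - G \otimes \xi P) \delta(t) + (I \otimes S - D \otimes \xi P)(\mathbf{1} \otimes \bar{r}(t)) - \mathbf{1} \otimes S \bar{r}(t) - (D \otimes \xi P) \tilde{e}(t) \\
&= \tilde{D} \delta(t) - (D \otimes \xi P) \tilde{e}(t),
\end{aligned} \tag{32}$$

where $\tilde{D} = (I \otimes S) - (\hat{D} \otimes \xi P)$ with $\hat{D} = D + G$.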


Then the analytical solution of the disagreement dynamics is calculated as

$$\delta(t) = e^{\tilde{D} t} \delta(0) - \int_{0}^{t} e^{\tilde{D}(t-\tau)} (D \otimes \xi P) \tilde{e}(\tau)\, d\tau. \tag{33}$$

The norm of the disagreement vector is bounded by

$$\|\delta(t)\| \le \|e^{\tilde{D} t}\| \|\delta(0)\| + \|(D \otimes \xi P)\| \int_{0}^{t} \|e^{\tilde{D}(t-\tau)}\| \|\tilde{e}(\tau)\|\, d\tau. \tag{34}$$

The communication graph is a directed graph containing a spanning tree, which implies that D is a nonsymmetric matrix with the real parts of corresponding eigenvalues that can be arranged as $0 = \Re\{\lambda_1^{\{D\}}\} < \Re\{\lambda_2^{\{D\}}\} \le \cdots \le \Re\{\lambda_N^{\{D\}}\}$. According to Assumption 8, there at least exists one reference generator that can access the information of the virtual leader, according to the properties of M-matrix (Wen et al. 2015b; Song et al. 2013), and the real parts of eigenvalues of $\hat{D}$ satisfy $\Re\{\lambda_i^{\{\hat{D}\}}\} > 0$ for i = 1, . . . , N. Since the pair (S, I) in reference generator (4) is always stabilizable, there exists a positive matrix P > 0 satisfying the following algebraic Riccati equation (ARE)

$$S^T P + P S - P P + W = 0, \tag{35}$$

where $W = W^T$ is a positive definite matrix. It can be observed that all eigenvalues of S − P have negative real parts. There exists a positive scalar ξ such that

$$\xi\, \Re\{\lambda_i^{\{\hat{D}\}}\} \ge 1. \tag{36}$$

Thus, all eigenvalues of $S - \xi \lambda_i^{\{\hat{D}\}} P$ are in the open left half plane. The control matrix K is parameterized as K = ξP. Constructing matrix  as a diagonal matrix with its diagonal elements is the eigenvalues of $\hat{D}$. There exists a matrix M such that

$M^{-1} \hat{D} M$ =  = diag{1 , . . . , m },

(37)

where l , l = 1, . . . , m are upper triangular Jordan blocks. Moreover, it is calculated that D˜ = (M ⊗ I )[I ⊗ S −  ⊗ ξ P ](M −1 ⊗ I ).

(38)

From the properties of Kronecker product, the eigenvalues of D˜ are the same as {Dˆ } S − ξ λi P , i = 1, . . . , N. Hence, all the real parts of the eigenvalues of D˜ are negative.


The corresponding matrix exponential is obtained as ˜

eDt = (M ⊗ I )e[I ⊗S−⊗ξ P ]t (M −1 ⊗ I ).

(39)

By using the fact that (Van Loan 1977)   [I ⊗ S −  ⊗ ξ P ]t −m , I− m→∞ m

e[I ⊗S−⊗ξ P ]t = lim

(40)

we trivially obtain ¯ e[I ⊗S−⊗ξ P ]t  ≤ ceηt ,

(41)

max{ (λ)|λ ∈ λ{I ⊗S−⊗ξ P } } ≤ η¯ < 0

(42)

where

and c≥

[γ I − (I ⊗ S −  ⊗ ξ P )]−m  γ − ηi −m

(43)

with $\Re(\gamma) > \bar{\eta}$. From (39) and (41), we obtain that the norm of the matrix exponential is bounded by

$$\|e^{\tilde{D} t}\| \le \|M\| \|M^{-1}\| c\, e^{-\eta t}, \tag{44}$$

where $\eta = -\bar{\eta}$. The time-dependent threshold b(t) is given as

$$b(t) = \alpha e^{-\beta t}, \tag{45}$$

where

$$\alpha > 0, \quad 0 < \beta < \eta. \tag{46}$$

Remark 7. Since η is calculated based on the eigenvalues of the symmetric matrix $\hat{D}$, the parameter η is related to the convergence rate of the network. Meanwhile, the time-dependent threshold b(t) is chosen as (45), whose convergence rate is slower than the convergence rate of the network. This choice can guarantee that the network of reference generators achieves synchronization, while the Zeno behavior is excluded.


Based on the above analyses, the following theorem ensures that all reference generators achieve synchronization.

Theorem 1. Under Assumptions 5–8, consider the networked identical reference generators defined by the dynamics (4). Pick a solution P > 0 for ARE (35), and set K = ξP with ξ satisfying (36). For any initial condition $\bar{r}(0) \in \mathbb{R}^n$, based on the event-triggering function (9) with the time-dependent threshold (45), the distributed control law (28) can guarantee that the networked reference generators achieve synchronization.

Proof. The inequality (44) implies the following inequality

$$\|e^{\tilde{D}(t-\tau)}\| \le \|M\| \|M^{-1}\| c\, e^{-\eta(t-\tau)}. \tag{47}$$

Based on (34), the norm of the disagreement vector δ(t) is calculated as

$$\|\delta(t)\| \le \kappa(M) c\, e^{-\eta t} \|\delta(0)\| + \kappa(M) c \|(D \otimes \xi P)\| \int_{0}^{t} e^{-\eta(t-\tau)} \|\tilde{e}(\tau)\|\, d\tau. \tag{48}$$

From (26) and the time-dependent threshold (45), we obtain that

$$\|\tilde{e}(t)\| \le 2\sqrt{m}\, b(t) \le 2\sqrt{m}\, \alpha e^{-\beta t}. \tag{49}$$

Then (48) implies that

$$\begin{aligned}
\|\delta(t)\| &\le \kappa(M) c\, e^{-\eta t} \|\delta(0)\| + \kappa(M) c \|(D \otimes \xi P)\|\, 2\sqrt{m}\, \alpha e^{-\eta t} \int_{0}^{t} e^{\eta\tau} e^{-\beta\tau}\, d\tau \\
&\le \kappa(M) c\, e^{-\eta t} \|\delta(0)\| + \kappa(M) c \|(D \otimes \xi P)\|\, 2\sqrt{m}\, \alpha\, \frac{e^{-\beta t} - e^{-\eta t}}{\eta - \beta} \\
&\le \kappa(M) c \left( e^{-\eta t} \|\delta(0)\| + \|(D \otimes \xi P)\|\, 2\sqrt{m}\, \alpha\, \frac{e^{-\beta t}}{\eta - \beta} \right).
\end{aligned} \tag{50}$$

Since 0 < β < η, it is obtained that δ(t) exponentially converges to 0 as t → ∞, which implies that all reference generators achieve synchronization with the virtual leader. This completes the proof.

Remark 8. In the proposed edge-based approach, when an event is triggered at $t_{ij}^{k}$ for edge (i, j), node i needs to communicate with only node j. This kind of approach is different from the node-based approach, in which the event-triggering function is defined for each node and the node needs to communicate with all its $|N_i|$ neighboring nodes at event instants. Our event-triggering strategy can significantly reduce the communication at event instants.

3.3 Lower Bound for Inter-event Intervals

That the disagreement vector δ(t) converges to zero implies that all reference generators achieve synchronization with the virtual leader. In this part, we will show that there exists a lower bound for inter-event intervals. The following lemma is imposed to ensure that the Zeno behavior can be excluded by the proposed distributed control law and event-triggering strategy.

Lemma 1. Given three continuous functions $\rho(t): [t_1, \infty] \to \mathbb{R}$, $a(t): [t_1, \infty] \to \mathbb{R}$ and $d(t): [t_1, \infty] \to \mathbb{R}$, if $a(t_1) = d(t_1) < \rho(t_1)$, $t_2 = \inf\{t > t_1, d(t) = \rho(t)\}$, $t_3 = \inf\{t > t_1, a(t) = \rho(t)\}$, $a(t) \le d(t)$ for $t \in [t_1, t_2]$, $d(t_2) = \rho(t_2)$ and $a(t_3) = \rho(t_3)$, then $t_2 \le t_3$.

The proof of Lemma 1 can be worked out from the comparison principle, which is omitted here for the sake of brevity. Based on Lemma 1, we obtain the following theorem to obtain the lower bound of the inter-event intervals.

Theorem 2. Under Assumptions 5–8, consider the networked identical reference generators defined by the dynamics (4). Then the distributed control law (28) can guarantee that the networked reference generators achieve synchronization. Furthermore, the event instant defined in (11) ensures that the minimum inter-event interval is lower bounded by

$$t_{ij}^{k+1} - t_{ij}^{k} \ge \frac{1}{\|S\| + \beta} \ln\left( 1 + \frac{\alpha(\|S\| + \beta)}{\phi} \right) > 0, \tag{51}$$

where

$$\phi = (1 + 2m)\xi \|P\| \kappa(M) c \|\delta(0)\| + 2m \xi \|P\| \alpha + (1 + 2m)\xi \|P\| \kappa(M) c\, 2\sqrt{m}\, \alpha \|(D \otimes \xi P)\| \frac{1}{\eta - \beta}. \tag{52}$$

Thus, the Zeno behavior is excluded.

Proof. From (13), (17), (30), and (31), the distributed control law (28) can be rewritten as

$$\begin{aligned}
v_i(t) &= -K \left( \sum_{j \in N_i} d_{ij} e_{ij}(t) + \sum_{j \in N_i} d_{ij} \tilde{e}_{ij}(t) + g_i E_i \delta(t) \right) \\
&= -K \left( \sum_{j \in N_i} d_{ij} (r_i(t) - r_j(t)) + \sum_{j \in N_i} d_{ij} \tilde{e}_{ij}(t) + g_i E_i \delta(t) \right) \\
&= -K \left( \sum_{j \in N_i} d_{ij} (\delta_i(t) - \delta_j(t)) + \sum_{j \in N_i} d_{ij} \tilde{e}_{ij}(t) + g_i E_i \delta(t) \right).
\end{aligned}$$

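Based on (21), the norm of this control input is upper bounded by

$$\|v_i(t)\| \le (1 + 2m)\xi \|P\| \|\delta(t)\| + \sum_{j \in N_i} \xi \|P\| \|\tilde{e}_{ij}(t)\| \le \xi \|P\| \left[ (1 + 2m)\|\delta(t)\| + 2m\, b(t) \right]. \tag{53}$$

By taking norms in (Van Loan 1977)

$$e^{St} = \sum_{\ell=0}^{\infty} \frac{(St)^{\ell}}{\ell!}, \tag{54}$$

we trivially get

$$\|e^{St}\| \le e^{\|S\| t}. \tag{55}$$

Based on (53) and (55), the piecewise continuous function $h_{ij}(t)$ in (10) satisfies

$$\begin{aligned}
h_{ij}(t) &\le \int_{t_{ij}^{k}}^{t} \|e^{S(t-\tau)}\| \|v_i(\tau)\|\, d\tau \\
&\le e^{\|S\| t} \int_{t_{ij}^{k}}^{t} e^{-\|S\|\tau} \xi \|P\| (1 + 2m) \|\delta(\tau)\|\, d\tau + e^{\|S\| t} \int_{t_{ij}^{k}}^{t} e^{-\|S\|\tau} \xi \|P\|\, 2m\, b(\tau)\, d\tau.
\end{aligned} \tag{56}$$

From $e^{-\eta t} < e^{-\beta t}$, (50) and (56), we obtain that

$$h_{ij}(t) \le e^{\|S\| t} \int_{t_{ij}^{k}}^{t} e^{-\|S\|\tau} \phi e^{-\beta\tau}\, d\tau \le \frac{\phi}{\|S\| + \beta} \left( e^{\|S\| t - (\|S\| + \beta) t_{ij}^{k}} - e^{-\beta t} \right) \le P_{ij}(t), \tag{57}$$

where the piecewise continuous function

$$P_{ij}(t) = \frac{\phi}{\|S\| + \beta}\, e^{-\beta t} \left( e^{(\|S\| + \beta)(t - t_{ij}^{k})} - 1 \right), \quad t \in [t_{ij}^{k}, t_{ij}^{k+1}). \tag{58}$$

The event-triggering function is defined for the directed edge (i, j). When $h_{ij}(t) \ge b(t)$ is satisfied, the next event is triggered at time instant $t_{ij}^{k+1}$. In the case that $h_{ij}(t) \ge b(t)$ holds, we obtain $t_{ij}^{k+1} = h_{ij}^{-1}(b(t_{ij}^{k+1}))$. Meanwhile, at the time instant $t_p$, we have $P_{ij}(t_p) = b(t_p)$, that is,

$$\frac{\phi}{\|S\| + \beta}\, e^{-\beta t_p} \left( e^{(\|S\| + \beta)(t_p - t_{ij}^{k})} - 1 \right) = \alpha e^{-\beta t_p}. \tag{59}$$

From (59), the time instant $t_p$ satisfies

$$t_p - t_{ij}^{k} = \frac{1}{\|S\| + \beta} \ln\left( 1 + \frac{\alpha(\|S\| + \beta)}{\phi} \right). \tag{60}$$

Since the initial values $P_{ij}(t_{ij}^{k}) = h_{ij}(t_{ij}^{k}) = 0$ and $h_{ij}(t) \le P_{ij}(t)$, we obtain that $t_{ij}^{k+1} \ge t_p$ from Lemma 1. Then the lower bound of the inter-event intervals is given in (51), which implies that the Zeno behavior is excluded. This completes the proof.

It has been shown that the communication protocol (11) can guarantee a strict lower bound on the inter-execution times, which implies that Zeno behavior is excluded for each reference generator.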

4 Output Regulation of Nonidentical Agents

In Sect. 3, identical reference generators are constructed to track the target trajectory, which is the output of the virtual leader (27). In this section, the output regulation control law is utilized to ensure that the output of each nonidentical agent tracks the output of its reference generator. The ith reference generator is treated as the exosystem of the ith agent. The decentralized output regulation problem is considered, in which the regulated output is $\omega_i$ and the control law $u_i$ is provided by a regulator. The remarkable feature of the constructed regulator is the ability of securing exponential decay of $\omega_i$, which implies that the agent achieves output synchronization with its reference generator. The proposed method is similar to the separation principle, i.e., the reference generator synchronizes with the virtual leader and the agent synchronizes with the corresponding reference generator. The designed regulator (5) contains an internal model

$$\begin{aligned}
\dot{\eta}_i &= \Phi \eta_i + H \tilde{u}_i \\
u_i &= \Gamma \eta_i + \tilde{u}_i
\end{aligned} \tag{61}$$

and a stabilizer

$$\begin{aligned}
\dot{\zeta}_i &= A_{is} \zeta_i + B_{is} \omega_i \\
\tilde{u}_i &= C_{is} \zeta_i + D_{is} \omega_i.
\end{aligned} \tag{62}$$

The output regulation problem can be summarized as follows. The regulator (5) can solve the output regulation problem, so long as the stabilizer (62) can stabilize the following augmented system

$$\begin{aligned}
\dot{x}_i &= A_i x_i + B_i (\Gamma \eta_i + \tilde{u}_i) \\
\dot{\eta}_i &= \Phi \eta_i + H \tilde{u}_i \\
y_i &= C_i x_i.
\end{aligned} \tag{63}$$

Remark 9. Based on the construction of matrices Φ and H, the internal model (61) can copy the dynamics of the reference generator. The internal model is an invertible system, whose inverse system is obtained as

$$\begin{aligned}
\dot{\eta}_i &= (\Phi - H\Gamma) \eta_i + H \tilde{\omega}_i \\
\omega_i &= -\Gamma \eta_i + \tilde{\omega}_i.
\end{aligned} \tag{64}$$

Since the pair (Φ, H) is controllable, there exists a matrix Γ such that Φ − HΓ is Hurwitz. This implies that the above inverse system is a stable system.

Remark 10. In the case that the dimension of the output is equal to the dimension of the input, the internal model and the stabilizer can be swapped. The output regulation problem can be solved by the following regulator

$$\begin{aligned}
\dot{\zeta}_i &= A_{is} \zeta_i + B_{is} (\Gamma \eta_i + \omega_i) \\
\dot{\eta}_i &= \Phi \eta_i + H \omega_i \\
u_i &= C_{is} \zeta_i + D_{is} (\Gamma \eta_i + \omega_i),
\end{aligned} \tag{65}$$

which includes an internal model (pre-processing filter)

$$\begin{aligned}
\dot{\eta}_i &= \Phi \eta_i + H \omega_i \\
\tilde{\omega}_i &= \Gamma \eta_i + \omega_i
\end{aligned} \tag{66}$$

and a stabilizer

$$\begin{aligned}
\dot{\zeta}_i &= A_{is} \zeta_i + B_{is} \tilde{\omega}_i \\
u_i &= C_{is} \zeta_i + D_{is} \tilde{\omega}_i.
\end{aligned} \tag{67}$$

The following lemma is recalled to guarantee that there exists a stabilizer for the augmented system (63).


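Lemma 2. Let Γ be chosen such that Φ − HΓ is Hurwitz. If the triplet $\{A_i, B_i, C_i\}$ is stabilizable and detectable, and if the non-resonance condition

$$\mathrm{rank} \begin{pmatrix} A_i - \lambda I & B_i \\ C_i & 0 \end{pmatrix} = n_i + q, \quad \forall \lambda \in \sigma(S) \tag{68}$$

holds, then the augmented system (63) is stabilizable and detectable.

Cascading the virtual leader (27), the disagreement vector of reference generator (32), the nonidentical agent (1), and regulator (5), we obtain the following system

$$\begin{aligned}
\dot{\bar{r}} &= S \bar{r} \\
\dot{\delta} &= \tilde{D} \delta - (D \otimes \xi P) \tilde{e} \\
\dot{x}_i &= A_i x_i + B_i \Gamma \eta_i + B_i C_{is} \zeta_i + B_i D_{is} C_i x_i - B_i D_{is} Q E_i \delta - B_i D_{is} Q \bar{r} \\
\dot{\eta}_i &= \Phi \eta_i + H C_{is} \zeta_i + H D_{is} C_i x_i - H D_{is} Q E_i \delta - H D_{is} Q \bar{r} \\
\dot{\zeta}_i &= A_{is} \zeta_i + B_{is} C_i x_i - B_{is} Q E_i \delta - B_{is} Q \bar{r}.
\end{aligned} \tag{69}$$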

The above system can be rewritten in compact form as r˙¯ (t) = S r¯ (t) ˜ ˙ = Dδ(t) δ(t) − (D ⊗ ξ P )e(t)

(70)

x˙ i (t) = Ai xi + pi δ(t) + Bi r¯ (t), where xi (t) = [xiT (t) ηiT (t) ζiT (t)]T , ⎡

⎤ Ai + Bi Dis Ci Bi Γ Bi Cis Ai = ⎣ H Dis Ci Φ H Cis ⎦ , Bis Ci 0 Ais ⎤ ⎡ ⎡ ⎤ −Bi Dis QEi −Bi Dis Q pi = ⎣ −H Dis QEi ⎦ , Bi = ⎣ −H Dis Q ⎦ . −Bi QEi −Bis Q

(71)

The matrices Ais , Bis , Cis , and Dis are chosen such that the matrix Ai has all eigenvalues with negative real parts. Furthermore, since Ai is Hurwitz and the eigenvalues of S are on the imaginary axis, there exists an unique solution i of the following Sylvester equation i S = Ai i + Bi .

(72)


Hence, changing variables as ⎡

⎤ x˜i (t) x˜ i (t) = ⎣η˜ i (t)⎦ = xi (t) − i r¯ (t), ζ˜i (t)

(73)

the system (70) yields r˙¯ (t) = S r¯ (t) ˜ ˙ = Dδ(t) δ(t) − (D ⊗ ξ P )e(t)

(74)

x˙˜ i (t) = Ai x˜ i + pi δ(t). In this way, the equation describing the motion of x˜ i (t) is independent of r¯ (t). The following theorem is given to guarantee that the agent achieves output synchronization with its reference generator. Theorem 3. Under Assumptions 5–8, consider the agent (1) and reference generator (4). Suppose the triplet {Ai , Bi , Ci } is stabilizable and detectable and the non-resonance condition (68) holds. Matrices Φ and H are chosen in forms of (7) and (8). Choose matrix Γ such that Φ − H Γ is Hurwitz. Pick matrices Ais , Bis , Cis , and Dis such that stabilizer (62) stabilizes the augmented system (63). Then regulator (5) can guarantee that the output of agent (1) tracks the output of its reference generator (4). The output regulation problem is solved by regulator (5). Proof. Since the matrix Ai is chosen as a Hurwitz matrix, there exists a positive definite matrix Zi such that ATi Zi + Zi Ai = i ,

(75)

where i is a negative definite matrix. In Sect. 3, the real parts of the eigenvalues of D˜ are proved to be negative. Thus, the following equation D˜ T F + F D˜ = Ω

(76)

holds, where F is a positive definite matrix and Ω is a negative definite matrix. Consider the candidate Lyapunov function V (t, q) = dδ T F δ + x˜ Ti Zi x˜ i , where q(t) denotes the states q(t) = col(δ(t), x˜ i (t)).

(77)


It is calculated that ˙ + 2˜xTi (t)Zi x˜ i (t) V˙ (t, q) = 2dδ T (t)F δ(t) = dδ T Ωi δ − 2dδ T F (D ⊗ ξ P )˜e + x˜ Ti i x˜ i + 2˜xTi Zi qi δ {Ω}

≤ −dλmin δ2 + 2dδ˜eF (D ⊗ ξ P ) { }

−λmini ˜xi 2 + 2˜xi δZi qi , {Ω}

(78) { }

where λmin denotes the minimum eigenvalue of Ω and λmini denotes the minimum eigenvalue of i . Pick T ∗ as a large enough time instant; it is obtained that ˜e(t) becomes significantly small for all t ≥ T ∗ . Thus, on the time interval [T ∗ , ∞), it is calculated that 1 {Ω} { } V˙ (t, q) ≤ − dλmin δ2 − λmini ˜xi 2 2 +2˜xi δZi qi . {Ω}

(79)

{ }

It is observed that − 12 dλmin δ2 ≤ 0, −λmini ˜xi 2 ≤0 and 2˜xi δZi qi ≥0. Thus, the following equation holds 1 {Ω} { } − dλmin δ2 − λmini ˜xi 2 + 2˜xi δZi qi  2 ⎛ ⎞2  {Ω} dλmin  { } δ − λmini ˜xi ⎠ = −⎝ 2

(80)

   {Ω} { } + 2Zi qi  − 2dλmin λmini  δ˜xi . The scalar d is chosen as d ≥ d ∗ >

2Zi qi 2 { } {Ω} λmin λmini 

. This choice implies

1 {Ω} { } − dλmin δ2 − λmini ˜xi 2 + 2˜xi δZi qi  ≤ 0, 2

(81)

where = is satisfied in the case that δ = 0 and ˜xi  = 0. Furthermore, we obtain the following inequality V˙ (t, q) ≤ W (q),

(82)

in which W (q) is a quadratic function of δ and ˜xi . Meanwhile, function W (q) satisfies


W (q) ≤ 0, ∀q, W (q) = 0, ⇔ δ = 0 and ˜xi  = 0.


(83)

Thus, the Lyapunov function V (t, q) satisfies c1 q ≤ V (t, q) ≤ c2 q2 , V˙ (t, q) ≤ W (q) ≤ 0

(84)

for some scalars $c_1$ and $c_2$, in which the function W(q) has the properties (83). Thus, the Lyapunov function V(t, q) is nonincreasing along trajectories and bounded by a time-independent bound. This implies that all trajectories are bounded and converge to the limit set W(q). Moreover, it is observed that the restriction of the system to the limit set W(q) = 0 is time-invariant. Under these circumstances, applying LaSalle-Yoshizawa's theorem, we conclude that all trajectories asymptotically converge to the limit set W(q) = 0. Hence, it is observed that $\lim_{t\to\infty} \|\tilde{x}_i\| = 0$.

Furthermore, partition the matrix  in block rows consistently with the partition of xi as T  i = Txi Tηi Tζi .

(85)

From (73) and (85), it is calculated that x˜i (t) = xi (t) − xi r¯ (t).

(86)

Since the triplet {Φ, H, Γ } is controllable and observable, and Γ is chosen such that Φ − H Γ is Hurwitz, it is obtained that Ci xi − Q = 0.

(87)

From (86) and (87), it is calculated that lim ei (t) = lim [Ci xi (t) − Q¯r (t) − QEi δ(t)]

t→∞

t→∞

= lim [Ci x˜i (t) + Ci xi r¯ (t) − Q¯r (t) − QEi δ(t)] t→∞

(88)

= lim [Ci x˜i (t) − QEi δ(t)] = 0, t→∞

Thus, the output regulation problem is solved. In summary, by choosing matrices Ais , Bis , Cis , and Dis such that Ai is Hurwitz, the output of agent (1) can track the output of its reference generator. This completes the proof.   Based on the above analyses, the following theorem ensures that the heterogeneous network with event-driven communication achieves output synchronization.


Theorem 4. Under Assumptions 5–8, consider the heterogeneous network with a group of N agents (1). Suppose the triplet $\{A_i, B_i, C_i\}$ is stabilizable and detectable and the non-resonance condition (68) holds. Set Φ and H in the forms of (7) and (8). Choose Γ such that Φ − HΓ is Hurwitz. Pick a solution P > 0 for the ARE (35), and set the control matrix K = ξP with a sufficiently large scalar ξ. The event-triggering function is defined as (9), and the time-dependent threshold is chosen as (45). Pick matrices $A_{is}$, $B_{is}$, $C_{is}$, and $D_{is}$ such that Ai in (71) is Hurwitz. Then the output synchronization problem can be solved by means of the controller having the following structure

$$\begin{aligned}
\dot{r}_i(t) &= S r_i(t) - K \left[ g_i \left( r_i(t) - \frac{1}{N} \sum_{i=1}^{N} r_i(t) \right) + \sum_{j \in N_i} d_{ij}\, e^{S(t - t_{ij}^{k})} \left( r_i(t_{ij}^{k}) - r_j(t_{ij}^{k}) \right) \right] \\
\dot{\eta}_i(t) &= \Phi \eta_i(t) + H \left[ C_{is} \zeta_i(t) + D_{is} (y_i(t) - Q r_i(t)) \right] \\
\dot{\zeta}_i(t) &= A_{is} \zeta_i(t) + B_{is} (y_i(t) - Q r_i(t)) \\
u_i(t) &= \Gamma \eta_i(t) + C_{is} \zeta_i(t) + D_{is} (y_i(t) - Q r_i(t)),
\end{aligned} \tag{89}$$

where the scalar $d_{ij}$ is defined in algebraic graph theory, and the scalar $g_i$ denotes whether the agent i can access the tracked trajectory. Furthermore, the minimum inter-event interval is lower bounded by a positive scalar $\frac{1}{\|S\| + \beta} \ln\left( 1 + \frac{\alpha(\|S\| + \beta)}{\phi} \right)$, which implies that the heterogeneous network subject to event-driven communication achieves output synchronization. Meanwhile, the Zeno behavior is excluded.

Remark 11. The triggering function $f_{ij}(\cdot)$ proposed here is an edge-based function and depends on the point-to-point communication link. When an event is triggered, the controller of agent i needs to communicate with only the controller of agent j to obtain the actual value of the corresponding edge state. The commonly used node-based approach is based on the point-to-multipoint communication, where agent i needs to communicate with all its $|N_i|$ neighbors at event instants. Compared with the node-based approach, our edge-based approach is of great avail to reduce the communication burden at event instants. The proposed principle is a non-equidistant communication principle.

5 Simulation Example

The communication topology of considered MASs is depicted in Fig. 2. This directed graph contains a spanning tree. The Laplacian matrix L and 7×9 incidence matrix D are obtained as

$$L = \begin{bmatrix}
1 & -1 & 0 & 0 & 0 & 0 & 0 \\
0 & 1 & 0 & 0 & 0 & -1 & 0 \\
0 & -1 & 2 & -1 & 0 & 0 & 0 \\
0 & 0 & 0 & 1 & -1 & 0 & 0 \\
0 & 0 & -1 & 0 & 1 & 0 & 0 \\
0 & 0 & 0 & 0 & -1 & 2 & -1 \\
-1 & 0 & 0 & 0 & 0 & 0 & 1
\end{bmatrix}, \qquad
D = \begin{bmatrix}
1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 1 & 1 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 1 & 1 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1
\end{bmatrix}.$$

Fig. 2 Topology of the communication graph

We can choose a matrix M such that D = L. The matrices of nonidentical agents (1) are chosen as

$$A_i = e^{1.2 - 0.2 i} \begin{bmatrix} 1 & 1 \\ 1 & 0 \end{bmatrix}, \quad B_i = e^{1.2 - 0.2 i} \begin{bmatrix} 1 \\ 0 \end{bmatrix}, \quad C_i = e^{1.2 - 0.2 i} \begin{bmatrix} 1 & 1 \end{bmatrix},$$

where i = 1, . . . , 7. The designed reference generator is described by (4) with matrices

$$S = \begin{bmatrix} 0 & 2 \\ -2 & 0 \end{bmatrix}, \quad Q = \begin{bmatrix} 1 & -1 \end{bmatrix}.$$

It is checked that $\{A_i, B_i, C_i\}$ is stabilizable and detectable and the non-resonance condition (68) is satisfied. The initial conditions of reference generators are given as

$$r_i(0) = \begin{bmatrix} 1 + 0.2 i \\ 1 - 0.2 i \end{bmatrix}, \quad i = 1, \ldots, 7.$$


The initial condition for the virtual leader (27) is chosen as $\bar r(0) = [1.8 \;\; 0.2]^T$. The target trajectory is described by the output of the virtual leader, which is $\bar\theta(t) = Q\bar r(t) = Qe^{St}\bar r(0) = 2\sin 2t - 1.6\cos 2t$. The root of the spanning tree can access the information of the virtual leader. The diagonal matrix G is chosen as $G = \mathrm{diag}\{1, 0, 0, 1, 0, 0, 0\}$. The real parts of the eigenvalues $\lambda_i^{\{\hat D\}}$ of $\hat D = D + G$ are positive and satisfy $\min_{i=1,\ldots,N} \mathrm{Re}\{\lambda_i^{\{\hat D\}}\} = 0.1451$.

We choose the scalar $\xi = 7$ such that $\xi\,\mathrm{Re}\{\lambda_i^{\{\hat D\}}\} \ge 1$. Choosing the positive matrix

$$
M = \begin{bmatrix} 1 & 0 \\ 0 & 2 \end{bmatrix}
$$

in the ARE (35), the solution P and control gain K are obtained as

$$
P = \begin{bmatrix} 1.1645 & -0.0911 \\ -0.0911 & 1.2757 \end{bmatrix}, \quad
K = \begin{bmatrix} 8.1516 & -0.6377 \\ -0.6377 & 8.9296 \end{bmatrix}.
$$

From (42), it is calculated that $\eta = 1.22$. According to (46), the parameters of the time-dependent threshold (45) are chosen as $\alpha = 2$ and $\beta = 0.2$. Under the action of the event-based control law (28), Fig. 3 shows that the states of the reference generators converge to the states of the virtual leader. The aggregate numbers of time instants when the predictor of each reference generator updates the value of edge states are given in Table 1. Table 1 shows that the event-based controller requires less information exchange, which implies a decrease in the communication burden.

Fig. 3 States of reference generators and virtual leader (panels: state ri1 and state ri2 versus t; curves: virtual leader and agents 1 to 7)

Table 1 The number of events for each reference generator

| Reference generator i | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
|---|---|---|---|---|---|---|---|
| Aggregate number | 37 | 89 | 95 | 21 | 78 | 105 | 44 |

Fig. 4 Evolution of the event-triggering condition for node 1 (panels: f12(t), f26(t), and control v1(t), each versus t)

According to the event-triggering strategy, an event is triggered for the 1st agent when either $f_{12}(t) \le 0$ or $f_{26}(t) \le 0$ is satisfied. The evolutions of $b(t)$ and $h_{12}(t)$ for the first 2 s are depicted in the first panel of Fig. 4, where $b(t)$ is represented by the green solid lines and $h_{12}(t)$ by the blue dashed lines. The evolutions of $b(t)$ and $h_{26}(t)$ for the first 2 s are depicted in the second panel of Fig. 4, where $h_{26}(t)$ is represented by the blue dashed lines. The evolution of $v_1(t)$ for the first 2 s is depicted in the third panel of Fig. 4.

The 6th agent is the head of two directed edges (6, 5) and (6, 7). The directed edge (6, 5) is triggered from an event sequence $\{t_{65}^k\}$, and the directed edge (6, 7) is triggered from an event sequence $\{t_{67}^k\}$. An event is triggered for the 6th agent when either $f_{65}(t) \le 0$ or $f_{67}(t) \le 0$ is satisfied. The time evolutions of $f_{65}(t)$, $f_{67}(t)$, and $v_5(t)$ are depicted in Fig. 5. It is observed that when either $h_{65}(t)$ grows beyond the time-dependent threshold or $h_{67}(t)$ grows beyond the time-dependent threshold, the 6th reference generator updates its control law.

Fig. 5 Evolution of event-triggering conditions for edges (6, 5) and (6, 7) (panels: f65(t), f67(t), and control v6(t), each versus t)

In the communication graph, the 2nd node has two child nodes: the 1st node and the 3rd node. When the directed edge (2, 6) is triggered, the 2nd node accesses the edge state of (2, 6). Meanwhile, it notifies the 1st node to access the edge state of (1, 2) and the 3rd node to access the edge state of (3, 2). Figure 6 shows the time evolution of $f_{26}(t)$, $v_2(t)$, $v_1(t)$, and $v_3(t)$. It is observed that when $h_{26}(t)$ grows beyond the time-dependent threshold, the three control laws $v_2(t)$, $v_1(t)$, and $v_3(t)$ update at the same event instants.

The proposed method is similar to the separation principle and includes two parts. In the first part, the distributed control law (28) and the event-triggering function (9) guarantee that each reference generator synchronizes with the virtual leader. In the second part, the regulator (4) ensures that the output of each agent converges to the output of its corresponding reference generator. According to the matrix S, the matrices Φ and H are designed as

$$
\Phi = \begin{bmatrix} 0 & 1 \\ -4 & 0 \end{bmatrix}, \quad H = \begin{bmatrix} 0 \\ 1 \end{bmatrix}.
$$

Fig. 6 Evolution of event-triggering condition f26(t) (panels: f26(t), control v2(t), control v1(t), and control v3(t), each versus t)

The matrix Γ is chosen as $\Gamma = [1 \;\; 1]$, which ensures that $\Phi - H\Gamma$ is Hurwitz. The matrices $A_{is}$, $B_{is}$, $C_{is}$, and $D_{is}$ are chosen as follows:

$$
A_{is} = \begin{bmatrix} -1 & 2 \\ -1 & 0 \end{bmatrix}, \quad
B_{is} = \begin{bmatrix} -1 \\ -2 \end{bmatrix}, \quad
C_{is} = \begin{bmatrix} 0 & -1 \end{bmatrix}, \quad
D_{is} = -4.
$$

The above choices imply that Ai in (71) is a Hurwitz matrix. According to the analyses in Sect. 4, each agent achieves output synchronization with its reference generator, i.e., yi (t) = θi (t). Figure 7 shows the time evolution of outputs for the virtual leader and seven agents.

Fig. 7 Outputs of agents and virtual leader (output yi(t) versus t; curves: target and agents 1 to 7)

It is observed that outputs of nonidentical agents converge to the target trajectory under the action of event-based control. Meanwhile, the Zeno behavior is excluded.

6 Conclusion

In this paper, we have investigated the output synchronization of a heterogeneous network subject to event-driven communication. The proposed method was similar to the separation principle. The designed controller for each nonidentical agent in the network included a reference generator and a regulator. The target trajectory was described by the virtual leader. Based on the designed event-triggering strategy and distributed control law, the outputs of all reference generators tracked the target trajectory. The regulator was adopted to guarantee that the output of each nonidentical agent converged to the output of its reference generator. Furthermore, it was shown that the elapsed time between any two successive triggering instants for any pair of linked agents was lower bounded by a positive constant. A numerical example was presented to verify the effectiveness of the proposed event-based control protocol.

References

C. Godsil, G.F. Royle, Algebraic Graph Theory, vol. 207 (Springer Science & Business Media, New York, 2013)
Z. Li, W. Ren, X. Liu, M. Fu, Consensus of multi-agent systems with general linear and lipschitz nonlinear dynamics using distributed adaptive protocols. IEEE Trans. Autom. Control 58(7), 1786–1791 (2013)
L. Li, D.W. Ho, J. Lu, Event-based network consensus with communication delays. Nonlinear Dyn. 87(3), 1847–1858 (2017)
Y.-J. Liu, F. Ding, Y. Shi, An efficient hierarchical identification method for general dual-rate sampled-data systems. Automatica 50(3), 962–970 (2014)
J. Lu, D.W. Ho, Globally exponential synchronization and synchronizability for general dynamical networks. IEEE Trans. Syst. Man Cybern. Part B Cybern. A Publ. IEEE Syst. Man Cybern. Soc. 40(2), 350–361 (2010)
J. Lu, Z. Wang, J. Cao, D.W. Ho, J. Kurths, Pinning impulsive stabilization of nonlinear dynamical networks with time-varying delay. Int. J. Bifurcation Chaos 22(7), 137–139 (2012)
W. Lu, Y. Han, T. Chen, Synchronization in networks of linearly coupled dynamical systems via event-triggered diffusions. IEEE Trans. Neural Netw. Learn. Syst. 26(12), 3060–3069 (2015)
P. Shi, Q. Shen, Cooperative control of multi-agent systems with unknown state-dependent controlling effects. IEEE Trans. Autom. Sci. Eng. 12(3), 827–834 (2015)
Q. Song, F. Liu, J. Cao, W. Yu, M-matrix strategies for pinning-controlled leader-following consensus in multiagent systems with nonlinear dynamics. IEEE Trans. Cybern. 43(6), 1688–1697 (2013)
H. Su, X. Wang, Z. Lin, Flocking of multi-agents with a virtual leader. IEEE Trans. Autom. Control 54(2), 293–307 (2009)
C. Van Loan, The sensitivity of the matrix exponential. SIAM J. Numer. Anal. 14(6), 971–981 (1977)
G. Wen, Z. Duan, G. Chen, W. Yu, Consensus tracking of multi-agent systems with lipschitz-type node dynamics and switching topologies. IEEE Trans. Circuits Syst. I Regular Papers 61(2), 499–511 (2013)
G. Wen, Z. Duan, G. Chen, W. Yu, Consensus tracking of multi-agent systems with lipschitz-type node dynamics and switching topologies. IEEE Trans. Circuits Syst. I Regular Pap. 61(2), 499–511 (2014)
G. Wen, M. Chen, X. Yu, Event-triggered master-slave synchronization with sampled-data communication. IEEE Trans. Circuits Syst. II Express Briefs 63, 304–308 (2015a)
G. Wen, W. Yu, G. Hu, J. Cao, X. Yu, Pinning synchronization of directed networks with switching topologies: a multiple lyapunov functions approach. IEEE Trans. Neural Netw. Learn. Syst. 26(12), 3239–3250 (2015b)
Z. Wu, P. Shi, H. Su, J. Chu, Exponential synchronization of neural networks with discrete and distributed delays under time-varying sampling. IEEE Trans. Neural Netw. Learn. Syst. 23(9), 1368–1376 (2012)
W. Xu, D.W. Ho, L. Li, J. Cao, Event-triggered schemes on leader-following consensus of general linear multiagent systems under different topologies. IEEE Trans. Cybern. (2017) https://doi.org/10.1109/TCYB.2015.2510746
H. Yan, F. Qian, F. Yang, H. Shi, H∞ filtering for nonlinear networked systems with randomly occurring distributed delays, missing measurements and sensor saturation. Inf. Sci. 370–371, 772–782 (2015)
H. Yan, F. Qian, H. Zhang, F. Yang, H∞ fault detection for networked mechanical spring-mass systems with incomplete information. IEEE Trans. Ind. Electron. 63(9), 5622–5631 (2016)
S. Yang, Q. Liu, J. Wang, Distributed optimization based on a multiagent system in the presence of communication delays. IEEE Trans. Syst. Man Cybern. Syst. (2017) https://doi.org/10.1109/TSMC.2016.2531649
W. Yu, W. Zheng, G. Chen, W. Ren, J. Cao, Second-order consensus in multi-agent dynamical systems with sampled position data. Automatica 47(7), 1496–1503 (2011)
W. Yu, W. Ren, W.X. Zheng, G. Chen, J. Lü, Distributed control gains design for consensus in multi-agent systems with second-order nonlinear dynamics. Automatica 49(7), 2107–2115 (2013)
H. Zhang, Q. Hong, H. Yan, F. Yang, Event-based distributed H∞ filtering networks of 2dof quarter-car suspension systems. IEEE Trans. Ind. Inform. (2017) https://doi.org/10.1109/TII.2016.2569566
H. Zhang, G. Feng, H. Yan, Q. Chen, Observer-based output feedback event-triggered control for consensus of multi-agent systems. IEEE Trans. Ind. Electron. 61(9), 4885–4894 (2014)
H. Zhang, R. Yang, H. Yan, F. Yang, H∞ consensus of event-based multi-agent systems with switching topology. Inf. Sci. 370, 623–635 (2016)

36 Consensus of Multi-agent Systems with Intermittent Communication and Its Extensions

Guanghui Wen, Wenwu Yu, Zhisheng Duan, and Peijun Wang

Contents
1 Introduction
1.1 Notations
1.2 Preliminaries on Algebraic Graph Theory
1.3 Preliminaries on Matrix Theory
2 Consensus of Second-Order Multi-agent Systems with Synchronously Intermittent Communication
2.1 Model Formulation
2.2 Second-Order Consensus in Strongly Connected Networks with Synchronously Intermittent Communication
2.3 Second-Order Consensus in Networks Containing a Directed Spanning Tree with Synchronously Intermittent Communication
3 Consensus of Second-Order Multi-agent Systems with Nonlinear Dynamics and Synchronously Intermittent Communication
3.1 Model Formulation
3.2 Second-Order Consensus in Nonlinear Multi-agent Systems with Synchronously Intermittent Communication
3.3 Second-Order Consensus in Delayed Nonlinear Multi-agent Systems with Synchronously Intermittent Communication
4 Consensus Tracking of Nonlinear Multi-agent Systems with Asynchronously Intermittent Communication
4.1 Model Formulation
4.2 Consensus Tracking in Networks with Fixed Directed Topology Containing a Directed Spanning Tree
4.3 Consensus Tracking in Networks with Every Possible Topology Containing a Directed Spanning Tree
4.4 Consensus Tracking in Networks with Topology Frequently Containing a Directed Spanning Tree
5 Numerical Simulations
5.1 Consensus of Second-Order Multi-agent Systems with Intermittent Communication
5.2 Consensus of Second-Order Multi-agent Systems with Nonlinear Dynamics and Intermittent Communication
6 Conclusions
References

G. Wen · W. Yu · P. Wang
School of Mathematics, Southeast University, Nanjing, P. R. China

Z. Duan
State Key Laboratory for Turbulence and Complex Systems, Department of Mechanics and Engineering Science, College of Engineering, Peking University, Beijing, P. R. China

© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_20

Abstract

This chapter mainly studies the distributed consensus problem in multi-agent systems with intermittent communication. First, consensus for second-order multi-agent systems with a fixed directed topology and synchronously intermittent communication constraints is investigated. It is proved that consensus in the second-order multi-agent systems with synchronously intermittent communication can be reached if the general algebraic connectivity of the communication topology is larger than a threshold value and the mobile agents communicate with their neighbors frequently enough as the network evolves with time. Then, the consensus problem is investigated for a class of second-order nonlinear multi-agent systems with synchronously intermittent measurements under strongly connected topology. By virtue of the Lyapunov stability analysis, it is proven that consensus in such multi-agent systems can be achieved exponentially under some suitable conditions. Furthermore, the results are extended to the case where the multi-agent systems have inherent delayed nonlinear dynamics and the interaction graph is balanced. Finally, the consensus tracking problem is addressed for multi-agent systems with Lipschitz-type node dynamics and asynchronously intermittent communication.

1 Introduction

In the past few years, the distributed consensus problem for multi-agent systems has received increasing attention from various scientific communities, due to its widespread applications in real-world multi-agent systems including synchronization of complex networks, scheduling of automated highway systems, teaming of robots, and so on (Li et al. 2004; Lu et al. 2004; Olfati-Saber et al. 2007; Ren and Beard 2008; Ren et al. 2007b).

To date, numerous results have been reported on consensus of multi-agent systems with first-order integrator dynamics under a dynamically changing environment (Jadbabaie et al. 2003; Olfati-Saber and Murray 2004). It has been proved that consensus in such multi-agent systems can be achieved if and only if the time-varying network topology contains a directed spanning tree jointly as the network evolves over time (Ren and Beard 2005). However, a large class of real agents obey a second- or higher-order dynamic model. For example, some vehicle dynamics can be feedback-linearized as second-order systems, such as the holonomic mobile robot models (Cao et al. 2007). Furthermore, higher-order consensus makes more sense for cooperative control of a group of unmanned air vehicles (Ren and Beard 2004). Motivated by these observations, consensus problems for second-order and higher-order multi-agent systems have been studied in Ren and Atkins (2007), Su and Zhang (2009), Wang and Cao (2012), Li et al. (2010, 2011a), Yu et al. (2011), and He and Cao (2011).

Note that most of the abovementioned works are primarily concerned with consensus in networks of agents without any leader. In practice, the introduction of a leader can broaden the scope of applications by guaranteeing the states of the multiple agents to converge onto a desired trajectory. In Wang et al. (2009a), robust consensus tracking was addressed for multi-agent systems under a fixed topology in the presence of communication disturbances. In Hong et al. (2006, 2008), an effective local controller together with a neighbor-based state estimation rule was designed to solve the consensus tracking problem for multi-agent systems with a leader. Some novel distributed consensus tracking algorithms for second-order and higher-order multi-agent systems with a leader were proposed in Ren (2007) and Ren et al. (2007a), respectively. The distributed consensus tracking problem for higher-order linear multi-agent systems with directed switching topologies was addressed in Wen et al. (2014a). By using a delayed-input approach, the consensus tracking problem for a class of multi-agent systems with first-order Lipschitz-type nonlinear dynamics and sampled-data communication was studied in Wen et al. (2013a). A new class of tracking algorithms was constructed in Jia et al. (2011) for solving the distributed consensus tracking problem for multi-agent systems with first-order nonlinear dynamics and communication delays. By using an M-matrix approach, the distributed consensus tracking problem for multi-agent systems with delayed nonlinear dynamics was addressed in Song et al. (2012).

In contrast to multi-agent systems with first-order nonlinear dynamics, multi-agent systems with second-order nonlinear dynamics are more interesting, as they can describe a large class of real networked systems including coupled pendulums (Amster and Mariani 2008) and coupled point-mass systems with or without nonlinear disturbances (Utkin et al. 2009). The leaderless consensus problem for multi-agent systems with second-order nonlinear dynamics and a fixed weakly connected topology was investigated in Yu et al. (2010a). In Song et al. (2010), the consensus tracking problem for second-order nonlinear multi-agent systems with a leader under an arbitrarily given directed topology was studied from a pinning control approach. More recently, the consensus tracking problem for multi-agent systems with higher-order Lipschitz-type node dynamics and a fixed topology has been studied, e.g., in Li et al. (2011b).

It should be noticed that most of the aforementioned works on second-order or higher-order consensus problems in multi-agent systems were derived under the assumption that information is transmitted continuously among multi-agents. However, this may not be the case in reality due to technological limitations or external disturbances. For example, in some cases, agents can only obtain the measurements of the states of their neighbors intermittently due to limited sensing abilities. To deal with this challenging situation, a class of intermittent consensus protocols is proposed in this chapter to guarantee consensus.

Organization

The contents of this chapter are summarized as follows. In Sect. 2, the problem of second-order consensus is investigated for a class of multi-agent systems with a fixed directed topology and communication constraints where each agent is assumed to share information only with its neighbors on some disconnected time intervals. The materials of Sect. 2 are mainly taken from Wen et al. (2012a) with some modifications. In Sect. 3, some consensus protocols are designed for a class of second-order nonlinear multi-agent systems with intermittent measurements and strongly connected topology. In particular, the consensus problem is studied for multi-agent systems with inherent delayed nonlinear dynamics. The materials of Sect. 3 are based mainly on Wen et al. (2011, 2013b). In Sect. 4, distributed consensus tracking is addressed for multi-agent systems with Lipschitz-type node dynamics under directed switching communication topologies. The contents of Sect. 4 are mainly taken from Wen et al. (2014b) with some modifications. In Sect. 5, two simulation examples are performed to verify the effectiveness of the theoretical results.

1.1 Notations

Here we introduce the notations that will be used throughout this chapter. Let $\mathbb{R}$ and $\mathbb{N}$ be the sets of real and positive natural numbers, respectively, and let $\mathbb{R}^N$ be the $N$-dimensional real vector space and $\mathbb{R}^{N\times N}$ be the $N \times N$ real matrix space. Let $I_N$ ($O_N$) be the $N$-dimensional identity (zero) matrix and $1_N$ ($0_N$) be the $N$-dimensional column vector with each entry being 1 (0). Let $\lambda(M)$ be the spectrum of a square matrix $M$. In particular, if all the eigenvalues are real, denote by $\lambda_{\max}(M)$ ($\lambda_{\min}(M)$) the largest (smallest) eigenvalue. Furthermore, a column vector $x \in \mathbb{R}^N$ is said to be positive, denoted $x > 0$, if and only if every entry $x_i > 0$, $i = 1, 2, \cdots, N$, and $x_{\min}$ ($x_{\max}$) represents its smallest (largest) entry. For any given real and symmetric matrix $P$, the matrix inequality $P > 0$ indicates that $P$ is positive definite. Notations $\otimes$ and $\|\cdot\|$ represent the Kronecker product and Euclidean norm, respectively.

1.2 Preliminaries on Algebraic Graph Theory

Let $\mathcal{G}(\mathcal{V}, \mathcal{E}, \mathcal{A})$ be a directed graph with the set of vertices $\mathcal{V} = \{\upsilon_1, \upsilon_2, \cdots, \upsilon_N\}$, the set of directed edges $\mathcal{E} \subseteq \mathcal{V} \times \mathcal{V}$, and a weighted adjacency matrix $\mathcal{A} = [a_{ij}]_{N\times N}$ with nonnegative adjacency elements $a_{ij}$. An edge $e_{ij}$ in graph $\mathcal{G}(\mathcal{V}, \mathcal{E}, \mathcal{A})$ is denoted by the ordered pair of vertices $(\upsilon_j, \upsilon_i)$, where $\upsilon_j$ and $\upsilon_i$ are called the parent and child vertices, respectively, and $e_{ij} \in \mathcal{E}$ if and only if $a_{ij} > 0$. Furthermore, self-loops are not allowed, i.e., $a_{ii} = 0$ for all $i = 1, 2, \cdots, N$. For simplicity, denote $\mathcal{G}(\mathcal{V}, \mathcal{E}, \mathcal{A})$ by $\mathcal{G}(\mathcal{A})$ if no confusion will arise.

A directed path from node $\upsilon_i$ to $\upsilon_j$ is a sequence of edges, $(\upsilon_i, \upsilon_{k_1}), (\upsilon_{k_1}, \upsilon_{k_2}), \cdots, (\upsilon_{k_l}, \upsilon_j)$, with distinct vertices $\upsilon_{k_m}$, $m = 1, 2, \cdots, l$. A directed graph is called strongly connected if and only if there is a directed path between any pair of distinct vertices. A directed tree is a directed graph where every vertex $\upsilon$, except one special vertex $r$ without any parent, which is called the root vertex, has exactly one parent, and there exists a unique directed path from $r$ to $\upsilon$. A directed spanning tree of a network $\mathcal{G}(\mathcal{A})$ is a directed tree, which contains all the vertices and some edges of $\mathcal{G}(\mathcal{A})$. Moreover, a directed graph $\mathcal{G}(\mathcal{A})$ is called balanced if

$$
\sum_{j=1}^{N} a_{ij} = \sum_{j=1}^{N} a_{ji}, \quad \forall\, i = 1, 2, \cdots, N.
$$

Furthermore, the Laplacian matrix $L = [l_{ij}]_{N\times N}$ of $\mathcal{G}(\mathcal{A})$ is defined as

$$
l_{ij} = \begin{cases} -a_{ij}, & i \neq j, \\ \sum\limits_{k=1,\,k\neq i}^{N} a_{ik}, & i = j. \end{cases} \tag{1}
$$

For a directed graph, the Laplacian matrix $L$ has the following properties.

Lemma 1 (Ren and Beard 2008). Suppose that directed graph $\mathcal{G}(\mathcal{A})$ contains a spanning tree. Then, 0 is a simple eigenvalue of its Laplacian matrix $L$, and all the other eigenvalues have positive real parts.

Remark 1. When the directed graph $\mathcal{G}(\mathcal{A})$ is strongly connected, Lemma 1 clearly holds.

Remark 2. For an undirected graph, its Laplacian matrix $L$ is positive semi-definite. That is, all the eigenvalues of $L$ are nonnegative. Furthermore, if it is connected, the zero eigenvalue is simple.

Lemma 2 (Lu and Chen 2006; Yu et al. 2010a). Suppose that directed graph $\mathcal{G}(\mathcal{A})$ is strongly connected. Then, its Laplacian matrix $L$ is irreducible and satisfies $L 1_N = 0_N$. Furthermore, there exists a positive vector $\xi = (\xi_1, \xi_2, \cdots, \xi_N)^T$ such that $\xi^T L = 0_N^T$. In addition, $\hat{L} = (1/2)(\Xi L + L^T \Xi)$ is a symmetric matrix, where $\Xi = \mathrm{diag}(\xi_1, \xi_2, \cdots, \xi_N)$, and $\sum_{j=1}^{N} \hat{L}_{ij} = \sum_{j=1}^{N} \hat{L}_{ji} = 0$ for all $i = 1, 2, \cdots, N$.

Definition 1. For a strongly connected network $\mathcal{G}(\mathcal{A})$ with Laplacian matrix $L$, let

$$
a(L) = \min_{x^T \xi = 0,\, x \neq 0} \frac{x^T \hat{L} x}{x^T \Xi x}, \tag{2}
$$

$$
b(L) = \max_{x^T \xi = 0,\, x \neq 0} \frac{x^T \hat{L} x}{x^T \Xi x}, \tag{3}
$$

where $\hat{L} = (1/2)(\Xi L + L^T \Xi)$, $\Xi = \mathrm{diag}(\xi_1, \xi_2, \cdots, \xi_N)$, $\xi = (\xi_1, \xi_2, \cdots, \xi_N)^T > 0$, $\xi^T L = 0_N^T$, and $\sum_{i=1}^{N} \xi_i = 1$. Then, $a(L)$ is called the general algebraic connectivity.

Lemma 3 (Yu et al. 2010a). Suppose that $\mathcal{G}(\mathcal{A})$ is strongly connected. Then, $a(L) > 0$.

Lemma 4 (Olfati-Saber and Murray 2004). A directed graph $\mathcal{G}(\mathcal{A})$ is balanced if and only if $1_N$ is the left eigenvector of its Laplacian matrix $L$ associated with the zero eigenvalue, i.e., $1_N^T L = 0_N^T$.

1.3 Preliminaries on Matrix Theory

Lemma 5 (Brualdi and Ryser (1991) Frobenius normal form). Suppose that $L$ is the Laplacian matrix associated with directed graph $\mathcal{G}(\mathcal{A})$ of order $N$. There exist a permutation matrix $W$ with order $N$ and an integer $m \ge 1$, such that

$$
W^T L W = \begin{pmatrix}
L_{11} & O & \cdots & O \\
L_{21} & L_{22} & \cdots & O \\
\vdots & \vdots & \ddots & O \\
L_{m1} & L_{m2} & \cdots & L_{mm}
\end{pmatrix}, \tag{4}
$$

where $L_{11} \in \mathbb{R}^{q_1\times q_1}$, $L_{22} \in \mathbb{R}^{q_2\times q_2}$, $\cdots$, $L_{mm} \in \mathbb{R}^{q_m\times q_m}$ are irreducible square matrices, which are uniquely determined to within a simultaneous permutation of their lines, but their ordering is not necessarily unique.

Definition 2 (Brualdi and Ryser 1991). Suppose that $\mathcal{G}(\mathcal{A})$ is a directed network, its Laplacian matrix $L$ is in the Frobenius normal form, and $\mathcal{G}_1, \mathcal{G}_2, \cdots, \mathcal{G}_m$ are the strongly connected components of $\mathcal{G}(\mathcal{A})$ with the adjacency matrices $A_1 = \mathrm{diag}(L_{11}) - L_{11}$, $A_2 = \mathrm{diag}(L_{22}) - L_{22}$, $\cdots$, $A_m = \mathrm{diag}(L_{mm}) - L_{mm}$. $\mathcal{G}^*(\mathcal{A}^*)$ is called a condensation network of $\mathcal{G}(\mathcal{A})$ if there is a connection from a node in $\mathcal{V}(\mathcal{G}_j)$ to a node in $\mathcal{V}(\mathcal{G}_i)$ ($i \neq j$), and then the weight $\mathcal{A}^*_{ij} > 0$; otherwise, $\mathcal{A}^*_{ij} = 0$ for $i, j = 1, 2, \cdots, m$; $\mathcal{A}^*_{ii} = 0$, for $i = 1, 2, \cdots, m$.

Lemma 6 (Yu et al. 2010a). For each $i = 2, 3, \cdots, m$, there is an integer $j < i$ such that $\mathcal{A}^*_{ij} > 0$ if and only if the directed network $\mathcal{G}(\mathcal{A})$ contains a directed spanning tree.

Lemma 7. Suppose that $M \in \mathbb{R}^{n\times n}$ is a positive definite matrix and $P \in \mathbb{R}^{n\times n}$ is symmetric. Then, for any vector $x \in \mathbb{R}^n$, the following inequality holds:

$$
\lambda_{\min}\left(M^{-1}P\right) x^T M x \le x^T P x \le \lambda_{\max}\left(M^{-1}P\right) x^T M x. \tag{5}
$$

Proof. Since $M$ is positive definite, it suffices to show

$$
\min_{x \neq 0} \frac{x^T P x}{x^T M x} = \lambda_{\min}(M^{-1}P), \quad \max_{x \neq 0} \frac{x^T P x}{x^T M x} = \lambda_{\max}(M^{-1}P). \tag{6}
$$

Let $y = M^{\frac{1}{2}} x$. Then

$$
\min_{x \neq 0} \frac{x^T P x}{x^T M x} = \min_{y \neq 0} \frac{y^T M^{-\frac{1}{2}} P M^{-\frac{1}{2}} y}{y^T y}.
$$

Since both $M$ and $P$ are symmetric, $(M^{-\frac{1}{2}} P M^{-\frac{1}{2}})^T = M^{-\frac{1}{2}} P M^{-\frac{1}{2}}$. According to the Rayleigh-Ritz theorem, one has

$$
\min_{x \neq 0} \frac{x^T P x}{x^T M x} = \lambda_{\min}(M^{-\frac{1}{2}} P M^{-\frac{1}{2}}),
$$

which is real. On the other hand,

$$
\lambda_{\min}(M^{-\frac{1}{2}} P M^{-\frac{1}{2}}) = \lambda_{\min}((M^{-\frac{1}{2}} P)(M^{-\frac{1}{2}})) = \lambda_{\min}(M^{-1}P).
$$

Consequently, the first formula in (6) holds. The other formula can be proved similarly.

Lemma 8 (Boyd et al. (1994) Schur complement). The following linear matrix inequality (LMI),

$$
S = \begin{pmatrix} S_{11} & S_{12} \\ S_{21} & S_{22} \end{pmatrix} > 0,
$$

where $S_{11} = S_{11}^T$, $S_{12} = S_{21}^T$, $S_{22} = S_{22}^T$, is equivalent to one of the following conditions:
(i) $S_{11} > 0$, $S_{22} - S_{21} S_{11}^{-1} S_{12} > 0$;
(ii) $S_{22} > 0$, $S_{11} - S_{12} S_{22}^{-1} S_{21} > 0$.

Definition 3 (Horn and Johnson 1990). A matrix $A = [a_{ij}] \in \mathbb{R}^{N\times N}$ is called a nonsingular M-matrix if $a_{ij} \le 0$, for all $i \neq j$, $i, j = 1, \cdots, N$, and all the leading principal minors of $A$ are positive.

Lemma 9 (Horn and Johnson 1990). Suppose that matrix $A = [a_{ij}] \in \mathbb{R}^{N\times N}$ has $a_{ij} \le 0$, for all $i \neq j$, $i, j = 1, \cdots, N$. Then, the following statements are equivalent:
(i) $A$ is a nonsingular M-matrix;
(ii) There exists a positive definite diagonal matrix $\Phi = \mathrm{diag}\{\phi_1, \cdots, \phi_N\} \in \mathbb{R}^{N\times N}$ such that $A^T \Phi + \Phi A > 0$;
(iii) All eigenvalues of $A$ have positive real parts.

Lemma 10. For matrices $A$, $B$, $C$, and $D$ with appropriate dimensions, one has
(i) $(A \otimes B)^T = A^T \otimes B^T$;
(ii) $A \otimes (B + C) = A \otimes B + A \otimes C$;
(iii) $(A \otimes B)(C \otimes D) = AC \otimes BD$;
(iv) $(A \otimes B)^{-1} = A^{-1} \otimes B^{-1}$, for any given invertible matrices $A$ and $B$.

Lemma 11. For any given $x, y \in \mathbb{R}^n$, and matrices $P > 0$, $D$ and $S$ of appropriate dimensions, one has

$$
2x^T D S y \le x^T D P D^T x + y^T S^T P^{-1} S y.
$$

2 Consensus of Second-Order Multi-agent Systems with Synchronously Intermittent Communication

2.1 Model Formulation

Consider a group of $N$ agents indexed by $1, 2, \cdots, N$. The commonly studied continuous-time second-order protocol of the $N$ networked agents is described by the second-order dynamics (Ren and Atkins 2005, 2007; Yu et al. 2010b):

$$
\begin{cases}
\dot{x}_i(t) = v_i(t), \\
\dot{v}_i(t) = -\alpha \sum\limits_{j=1}^{N} l_{ij} x_j(t) - \beta \sum\limits_{j=1}^{N} l_{ij} v_j(t), \quad i = 1, 2, \cdots, N,
\end{cases} \tag{7}
$$

where $x_i \in \mathbb{R}^n$ and $v_i \in \mathbb{R}^n$ are the position and velocity states of the $i$th agent, respectively, $\alpha$ and $\beta$ represent the coupling strengths, and $L = [l_{ij}]_{N\times N}$ is the Laplacian matrix of the fixed communication topology $\mathcal{G}(\mathcal{A})$. When the agents reach consensus, referred to as second-order consensus, the velocities of all agents converge to $\sum_{j=1}^{N} \xi_j v_j(0)$, which depends only on the initial velocities of the agents, where $\xi = (\xi_1, \cdots, \xi_N)^T$ is the nonnegative left eigenvector of $L$ associated with the eigenvalue 0, satisfying $\xi^T 1_N = 1$ (Ren and Atkins 2005, 2007; Ren 2008; Yu et al. 2010b).

Note that most of the existing protocols are implemented based on a common assumption that all information is transmitted continuously among agents. However, in some real situations, agents may only communicate with their neighbors over some disconnected time intervals due to the unreliability of communication channels, failure of physical devices, external disturbances, limitations of sensing ranges, etc. Motivated by this observation and based on the existing works (Ren and Atkins 2005, 2007; Ren 2008; Yu et al. 2010a, b), in this section the following consensus protocol with synchronously intermittent measurements is considered:

$$
\begin{cases}
\dot{x}_i(t) = v_i(t), \\
\dot{v}_i(t) = -\alpha \sum\limits_{j=1}^{N} l_{ij} x_j(t) - \beta \sum\limits_{j=1}^{N} l_{ij} v_j(t), & t \in T, \\
\dot{v}_i(t) = 0_n, & t \in \bar{T}, \quad i = 1, 2, \cdots, N,
\end{cases} \tag{8}
$$

where $T$ represents the union of time intervals over which the agents could communicate with each other and $\bar{T}$ represents the union of time intervals over which the agents could not communicate with each other. Obviously, $T \cup \bar{T} = [0, +\infty)$.

Definition 4. Second-order consensus in multi-agent system (8) is said to be achieved if, for any initial conditions,

$$
\lim_{t\to\infty} \|x_i(t) - x_j(t)\| = 0, \quad \lim_{t\to\infty} \|v_i(t) - v_j(t)\| = 0, \quad \forall\, i, j = 1, 2, \cdots, N.
$$

Remark 3. If $T = [0, +\infty)$ in system (8), that is, each agent can communicate with its neighbors all the time, then system (8) becomes the typical second-order system studied in Ren and Atkins (2005, 2007), Ren (2008), Yu et al. (2010a, b), among others.

Remark 4. For the convenience of theoretical analysis, it is assumed that the multiple agents in system (8) could sense the measurements of relative states between their own and the neighbors synchronously, i.e., the intermittent measurements are actually a kind of globally synchronous intermittent measurements. According to Olshevsky and Tsitsiklis (2008), this assumption is crucial for possibly constructing a common Lyapunov function for the switching system (8).

2.2 Second-Order Consensus in Strongly Connected Networks with Synchronously Intermittent Communication

In this subsection, second-order consensus in strongly connected networks with communication constraints is studied. Let $\tilde{x}_i(t) = x_i(t) - \sum_{j=1}^{N} \xi_j x_j(0) - t \sum_{j=1}^{N} \xi_j v_j(0)$ and $\tilde{v}_i(t) = v_i(t) - \sum_{j=1}^{N} \xi_j v_j(0)$ represent the position and velocity vectors relative to the weighted average position and velocity vectors of the agents in system (8), respectively, where $\xi = (\xi_1, \xi_2, \cdots, \xi_N)^T$ is the positive left eigenvector of Laplacian matrix $L$ associated with its zero eigenvalue, satisfying $\xi^T 1_N = 1$. A simple calculation gives the following error dynamical system:

$$\begin{cases} \dot{\tilde{x}}_i(t) = \tilde{v}_i(t), \\ \dot{\tilde{v}}_i(t) = -\alpha \sum_{j=1}^{N} l_{ij} \tilde{x}_j(t) - \beta \sum_{j=1}^{N} l_{ij} \tilde{v}_j(t), & t \in T, \\ \dot{\tilde{v}}_i(t) = 0_n, & t \in \bar{T}, \quad i = 1, 2, \cdots, N. \end{cases} \tag{9}$$

Let $\tilde{x}(t) = (\tilde{x}_1^T(t), \cdots, \tilde{x}_N^T(t))^T$, $\tilde{v}(t) = (\tilde{v}_1^T(t), \cdots, \tilde{v}_N^T(t))^T$ and $\tilde{y}(t) = (\tilde{x}^T(t), \tilde{v}^T(t))^T$. Then, system (9) can be written as

$$\begin{cases} \dot{\tilde{y}}(t) = (B_1 \otimes I_n)\tilde{y}(t), & t \in T, \\ \dot{\tilde{y}}(t) = (B_2 \otimes I_n)\tilde{y}(t), & t \in \bar{T}, \end{cases} \tag{10}$$

where $B_1 = \begin{pmatrix} O_N & I_N \\ -\alpha L & -\beta L \end{pmatrix}$ and $B_2 = \begin{pmatrix} O_N & I_N \\ O_N & O_N \end{pmatrix}$.

Theorem 1. Suppose that the communication topology $\mathcal{G}(\mathcal{A})$ is strongly connected. Then, second-order consensus in system (8) is achieved if there exists an infinite time sequence of uniformly bounded, nonoverlapping time intervals $[t_k, t_{k+1})$, $k \in \mathbb{N}$, with $t_1 = 0$, such that for each time interval $[t_k, t_{k+1})$, $k \in \mathbb{N}$, the following conditions hold:

(i) $a(L) > \alpha/\beta^2$,
(ii) $\delta_k > \dfrac{\gamma_4}{\gamma_3 + \gamma_4}\,\omega_k$,

where $\delta_k$ represents the Lebesgue measure of the set $\{ t \mid t \in [t_k, t_{k+1}) \cap T \}$, $\omega_k = t_{k+1} - t_k$,

$$\gamma_3 = \frac{4\xi_{\min} \min\{\alpha^2 a(L),\ (\beta^2 a(L) - \alpha)\}}{\xi_{\max}\left[2\alpha\beta b(L) + \sqrt{(2\alpha\beta b(L) - \beta)^2 + 4\alpha^2}\right]}, \quad \gamma_4 = 2\lambda_{\max}\left(Q^{-1} P_3\right),$$

$$Q = \begin{pmatrix} 2\alpha\beta a(L)\Xi & \alpha\Xi \\ \alpha\Xi & \beta\Xi \end{pmatrix}, \quad \text{and} \quad P_3 = \begin{pmatrix} O_N & \frac{1}{2}\alpha\beta\left(\Xi L + L^T \Xi\right) \\ \frac{1}{2}\alpha\beta\left(\Xi L + L^T \Xi\right) & \alpha\Xi \end{pmatrix}.$$

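Proof. Construct the following Lyapunov function candidate:

$$V(t) = \frac{1}{2}\tilde{y}^T(t)(P \otimes I_n)\tilde{y}(t),$$

where $P = \begin{pmatrix} \alpha\beta(\Xi L + L^T \Xi) & \alpha\Xi \\ \alpha\Xi & \beta\Xi \end{pmatrix}$ and $\Xi = \mathrm{diag}(\xi_1, \xi_2, \cdots, \xi_N)$. It will be shown that $V(t)$ is a valid Lyapunov function for analyzing the error dynamics described by system (10). According to Definition 1, one has

$$V(t) = \frac{\alpha\beta}{2}\tilde{x}^T(t)\left[(\Xi L + L^T \Xi) \otimes I_n\right]\tilde{x}(t) + \alpha\tilde{x}^T(t)(\Xi \otimes I_n)\tilde{v}(t) + \frac{\beta}{2}\tilde{v}^T(t)(\Xi \otimes I_n)\tilde{v}(t) \ge \frac{1}{2}\tilde{y}^T(t)(Q \otimes I_n)\tilde{y}(t), \tag{11}$$

where $Q = \begin{pmatrix} 2\alpha\beta a(L)\Xi & \alpha\Xi \\ \alpha\Xi & \beta\Xi \end{pmatrix}$. By Lemma 8, $Q > 0$ is equivalent to both $\beta > 0$ and $a(L) > \alpha/(2\beta^2)$. From condition (i), one obtains $Q > 0$, $V(t) \ge 0$, and $V(t) = 0$ if and only if $\tilde{y}(t) = 0_{2Nn}$.

For $t \in \{[t_k, t_{k+1}) \cap T\}$, for arbitrarily given $k \in \mathbb{N}$, taking the time derivative of $V(t)$ along the trajectories of (10) gives

$$\begin{aligned} \dot{V}(t) &= \frac{1}{2}\tilde{y}^T(t)\left[\left(P B_1 + B_1^T P\right) \otimes I_n\right]\tilde{y}(t) \\ &= \frac{1}{2}\tilde{y}^T(t)\left[\begin{pmatrix} -\alpha^2(\Xi L + L^T \Xi) & O_N \\ O_N & -\beta^2(\Xi L + L^T \Xi) + 2\alpha\Xi \end{pmatrix} \otimes I_n\right]\tilde{y}(t) \\ &= -\frac{\alpha^2}{2}\tilde{x}^T(t)\left[\left(\Xi L + L^T \Xi\right) \otimes I_n\right]\tilde{x}(t) - \frac{\beta^2}{2}\tilde{v}^T(t)\left[\left(\Xi L + L^T \Xi\right) \otimes I_n\right]\tilde{v}(t) + \alpha\tilde{v}^T(t)(\Xi \otimes I_n)\tilde{v}(t) \\ &\le -\alpha^2 a(L)\tilde{x}^T(t)(\Xi \otimes I_n)\tilde{x}(t) - \beta^2 a(L)\tilde{v}^T(t)(\Xi \otimes I_n)\tilde{v}(t) + \alpha\tilde{v}^T(t)(\Xi \otimes I_n)\tilde{v}(t) \\ &= -\tilde{y}^T(t)\left[(P_1 \otimes \Xi) \otimes I_n\right]\tilde{y}(t), \end{aligned}$$

where $P_1 = \begin{pmatrix} \alpha^2 a(L) & 0 \\ 0 & \beta^2 a(L) - \alpha \end{pmatrix}$. This immediately gives

$$\dot{V}(t) \le -\lambda_{\min}(P_1)\xi_{\min}\tilde{y}^T(t)\tilde{y}(t) = -\gamma_2\tilde{y}^T(t)\tilde{y}(t), \tag{12}$$

where $\gamma_2 = \min\{\alpha^2 a(L)\xi_{\min},\ (\beta^2 a(L) - \alpha)\xi_{\min}\}$. On the other hand, one has

$$\begin{aligned} V(t) &= \frac{1}{2}\tilde{y}^T(t)(P \otimes I_n)\tilde{y}(t) \\ &= \frac{\alpha\beta}{2}\tilde{x}^T(t)\left[(\Xi L + L^T \Xi) \otimes I_n\right]\tilde{x}(t) + \alpha\tilde{x}^T(t)(\Xi \otimes I_n)\tilde{v}(t) + \frac{\beta}{2}\tilde{v}^T(t)(\Xi \otimes I_n)\tilde{v}(t) \\ &\le \alpha\beta b(L)\tilde{x}^T(t)(\Xi \otimes I_n)\tilde{x}(t) + \alpha\tilde{x}^T(t)(\Xi \otimes I_n)\tilde{v}(t) + \frac{\beta}{2}\tilde{v}^T(t)(\Xi \otimes I_n)\tilde{v}(t) \\ &= \tilde{y}^T(t)\left[(P_2 \otimes \Xi) \otimes I_n\right]\tilde{y}(t), \end{aligned}$$

where the positive matrix $P_2 = \begin{pmatrix} \alpha\beta b(L) & \alpha/2 \\ \alpha/2 & \beta/2 \end{pmatrix}$. Easy calculation gives

$$V(t) \le \lambda_{\max}(P_2)\xi_{\max}\tilde{y}^T(t)\tilde{y}(t) = \gamma_1\tilde{y}^T(t)\tilde{y}(t), \tag{13}$$

where $\gamma_1 = \dfrac{\left[2\alpha\beta b(L) + \sqrt{(2\alpha\beta b(L) - \beta)^2 + 4\alpha^2}\right]\xi_{\max}}{4}$. Consequently, one obtains from (12) and (13) that

$$\dot{V}(t) \le -\gamma_3 V(t),$$

where $\gamma_3 = \gamma_2/\gamma_1$.

For $t \in \{[t_k, t_{k+1}) \cap \bar{T}\}$, with arbitrarily given $k \in \mathbb{N}$, taking the time derivative of $V(t)$ along the trajectories of (10) gives

$$\dot{V}(t) = \tilde{y}^T(t)\left[(P B_2) \otimes I_n\right]\tilde{y}(t) = \frac{1}{2}\tilde{y}^T(t)\left[\left(P B_2 + B_2^T P\right) \otimes I_n\right]\tilde{y}(t) = \tilde{y}^T(t)(P_3 \otimes I_n)\tilde{y}(t),$$

where

$$P_3 = \begin{pmatrix} O_N & \frac{1}{2}\alpha\beta\left(\Xi L + L^T \Xi\right) \\ \frac{1}{2}\alpha\beta\left(\Xi L + L^T \Xi\right) & \alpha\Xi \end{pmatrix}.$$

According to Lemma 7 and inequality (11), it follows that

$$\dot{V}(t) \le \lambda_{\max}\left((Q \otimes I_n)^{-1}(P_3 \otimes I_n)\right)\tilde{y}^T(t)(Q \otimes I_n)\tilde{y}(t) = \lambda_{\max}\left(Q^{-1} P_3\right)\tilde{y}^T(t)(Q \otimes I_n)\tilde{y}(t) \le \gamma_4 V(t),$$

where $\gamma_4 = 2\lambda_{\max}\left(Q^{-1} P_3\right)$. Based on the above analysis, one obtains

$$V(t_2) \le V(0)e^{-\Delta_1},$$

where $\Delta_1 = \gamma_3\delta_1 - \gamma_4(\omega_1 - \delta_1)$. Then, according to condition (ii), one has $\Delta_1 > 0$. By recursion, for any positive integer $k$, one has

$$V(t_{k+1}) \le V(0)e^{-\sum_{j=1}^{k}\Delta_j},$$

where $\Delta_j = \gamma_3\delta_j - \gamma_4(\omega_j - \delta_j) > 0$, $j = 1, 2, \cdots, k$. For arbitrary $t > 0$, there exists a positive integer $s$ such that $t_{s+1} < t \le t_{s+2}$. Furthermore, since $[t_k, t_{k+1})$, $k \in \mathbb{N}$, is a uniformly bounded and nonoverlapping time sequence, one may let $\omega_{\max} = \max_{i \in \mathbb{N}} \omega_i$ and $\kappa = \min_{i \in \mathbb{N}} \Delta_i > 0$. Thus, it follows that

$$V(t) \le V(t_{s+1})e^{\omega_{\max}\gamma_4} \le e^{\omega_{\max}\gamma_4}V(0)e^{-\sum_{j=1}^{s}\Delta_j} \le e^{\omega_{\max}\gamma_4}V(0)e^{-s\kappa} \le e^{\omega_{\max}\gamma_4}V(0)e^{-(\kappa/\omega_{\max})t},$$

i.e.,

$$V(t) \le K_0 e^{-K_1 t}, \quad \text{for all } t > 0,$$

where $K_0 = e^{\omega_{\max}\gamma_4}V(0)$ and $K_1 = \kappa/\omega_{\max}$, which indicates that the states of agents exponentially converge, thereby achieving consensus. Furthermore, the final consensus value of the position state is $x_{con} = \sum_{j=1}^{N}\xi_j x_j(0) + t\sum_{j=1}^{N}\xi_j v_j(0)$, and the final consensus value of the velocity state is $v_{con} = \sum_{j=1}^{N}\xi_j v_j(0)$. This completes the proof.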

Corollary 1. Suppose that the communication topology $\mathcal{G}(\mathcal{A})$ is an undirected connected network. Then, second-order consensus in system (8) is achieved if there exists an infinite time sequence of uniformly bounded and nonoverlapping time intervals $[t_k, t_{k+1})$, $k \in \mathbb{N}$, with $t_1 = 0$, such that for each time interval $[t_k, t_{k+1})$, $k \in \mathbb{N}$, the following conditions hold:

(i) $\lambda_2(L) > \alpha/\beta^2$,
(ii) $\delta_k > \dfrac{\gamma_4}{\gamma_3 + \gamma_4}\,\omega_k$,

where $\delta_k$ represents the Lebesgue measure of the set $\{t \mid t \in [t_k, t_{k+1}) \cap T\}$, $\omega_k = t_{k+1} - t_k$,

$$\gamma_3 = \frac{4\min\{\alpha^2 a(L),\ (\beta^2 a(L) - \alpha)\}}{2\alpha\beta b(L) + \sqrt{(2\alpha\beta b(L) - \beta)^2 + 4\alpha^2}}, \quad \gamma_4 = 2\lambda_{\max}\left(Q^{-1} P_3\right),$$

$$Q = \begin{pmatrix} 2\alpha\beta\lambda_2(L) & \alpha \\ \alpha & \beta \end{pmatrix} \otimes I_N, \quad \text{and} \quad P_3 = \begin{pmatrix} O_N & \alpha\beta L \\ \alpha\beta L & \alpha I_N \end{pmatrix}.$$

Proof. Construct the same Lyapunov function candidate $V(t)$ as that in the proof of Theorem 1. Under conditions (i) and (ii), the corollary can be proven by following the proof of Theorem 1.

Remark 5. In Cai et al. (2009), Huang et al. (2009), and Xia and Cao (2009), some periodic intermittent feedback methods are proposed and used to analyze the synchronization behaviors of coupled systems. In protocol (8), the multiple agents communicate with each other but not necessarily periodically. Furthermore, analytical results indicate that intermittent feedback protocol (8) will not affect the final consensus state values of the multi-agent system (7).
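The following is an added numerical illustration of protocol (8) and of the consensus values stated in Theorem 1; it is not code from the chapter. The four-agent topology, the gains, the initial states and the periodic on/off schedule are constructed for the example (scalar states, $n = 1$), and the thresholds $\gamma_3$, $\gamma_4$ of condition (ii) are not evaluated.

```python
# Added illustration of protocol (8); topology, gains and initial states are constructed.
ALPHA, BETA = 1.0, 2.0                                  # coupling strengths alpha, beta
NEIGHBOURS = {0: [1], 1: [0, 2], 2: [1, 3], 3: [2]}     # path 0-1-2-3
X0 = [4.0, -1.0, 0.5, 2.0]                              # x_i(0)
V0 = [1.0, -0.5, 0.25, 2.0]                             # v_i(0)


def laplacian(neigh):
    """L = [l_ij] with a_ij = 1/deg(i): each agent averages its neighbours, so
    a_ij != a_ji and the weighted digraph is strongly connected but unbalanced."""
    n = len(neigh)
    L = [[0.0] * n for _ in range(n)]
    for i, js in neigh.items():
        L[i][i] = 1.0
        for j in js:
            L[i][j] = -1.0 / len(js)
    return L


def left_eigenvector(L, iters=500):
    """xi with xi^T L = 0 and xi^T 1_N = 1, by power iteration on the
    row-stochastic matrix I - eps*L."""
    n = len(L)
    eps = 0.5 / max(L[i][i] for i in range(n))
    xi = [1.0 / n] * n
    for _ in range(iters):
        xi = [xi[j] - eps * sum(xi[i] * L[i][j] for i in range(n)) for j in range(n)]
        total = sum(xi)
        xi = [w / total for w in xi]
    return xi


def simulate(L, x0, v0, omega, delta, t_end, dt=1e-3):
    """Forward-Euler run of (8). Agents communicate during the first `delta`
    seconds of every period `omega` (t in T); otherwise v_i is frozen."""
    n = len(L)
    x, v = list(x0), list(v0)
    period, on = round(omega / dt), round(delta / dt)
    for k in range(round(t_end / dt)):
        if k % period < on:          # t in T: relative measurements available
            acc = [-sum(L[i][j] * (ALPHA * x[j] + BETA * v[j]) for j in range(n))
                   for i in range(n)]
        else:                        # t in the complement of T: dv_i/dt = 0
            acc = [0.0] * n
        x = [x[i] + dt * v[i] for i in range(n)]
        v = [v[i] + dt * acc[i] for i in range(n)]
    return x, v


def run(delta, omega=1.0, t_end=40.0):
    """Simulate and compare with x_con = xi^T x(0) + t xi^T v(0), v_con = xi^T v(0)."""
    L = laplacian(NEIGHBOURS)
    xi = left_eigenvector(L)
    x, v = simulate(L, X0, V0, omega, delta, t_end)
    v_con = sum(w * b for w, b in zip(xi, V0))
    x_con = sum(w * a for w, a in zip(xi, X0)) + t_end * v_con
    spread = max(max(x) - min(x), max(v) - min(v))   # residual disagreement
    return {"xi": xi, "x": x, "v": v, "x_con": x_con, "v_con": v_con, "spread": spread}


if __name__ == "__main__":
    for delta in (0.8, 0.2):
        r = run(delta)
        print(f"delta={delta}: v_con={r['v_con']:.4f}, spread at t=40: {r['spread']:.2e}")
```

With communication during 80% of each period the agents settle on the $\xi$-weighted values rather than the plain average of the initial velocities; with 20% the same horizon leaves a much larger residual disagreement.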

2.3 Second-Order Consensus in Networks Containing a Directed Spanning Tree with Synchronously Intermittent Communication

In this subsection, second-order consensus in multi-agent systems with communication constraints, where the communication topology contains a directed spanning tree, is further studied. Based on Lemma 5, one can obtain the Frobenius normal form (4) by changing the order of the node indexes. In the following analysis, without loss of generality, it is assumed that the Laplacian matrix $L$ is in its Frobenius normal form. Furthermore, let $L_{ii} = L_i + A_i$, where $L_i$ is a zero-row-sum matrix and $A_i \ge 0$ is a diagonal matrix. By Lemma 2, there exists a positive vector $\xi_i = (\xi_{i1}, \xi_{i2}, \cdots, \xi_{iq_i})^T$ of appropriate dimension such that $\xi_i^T L_i = 0$. For notational convenience, let $\xi_{i\min} = \min_{1 \le j \le q_i} \xi_{ij}$ and $\xi_{i\max} = \max_{1 \le j \le q_i} \xi_{ij}$, $i = 1, 2, \cdots, m$.

Definition 5. For a network $\mathcal{G}(\mathcal{A})$ containing a directed spanning tree and the Laplacian matrix $L$ in the form of (4), define

$$c(L_{ii}) = \min_{x \ne 0} \frac{x^T \hat{L}_{ii} x}{x^T \Xi_i x}, \qquad d(L_{ii}) = \max_{x \ne 0} \frac{x^T \hat{L}_{ii} x}{x^T \Xi_i x},$$

where $\hat{L}_{ii} = (\Xi_i L_{ii} + L_{ii}^T \Xi_i)/2$, $\Xi_i = \mathrm{diag}(\xi_{i1}, \xi_{i2}, \cdots, \xi_{iq_i})$, $\xi_i = (\xi_{i1}, \xi_{i2}, \cdots, \xi_{iq_i})^T > 0$ and $\xi_i^T L_i = 0$, $i = 2, 3, \cdots, m$.

Lemma 12 (Yu et al. 2010a). If the directed network $\mathcal{G}(\mathcal{A})$ contains a directed spanning tree, then $\min_{2 \le i \le m}\{a(L_{11}), c(L_{ii})\} > 0$.

Remark 6. In Yu et al. (2010a), $c(L_{ii})$, $2 \le i \le m$, is called the general algebraic connectivity of the $i$th strongly connected component of $\mathcal{G}(\mathcal{A})$.

Theorem 2. Suppose that the communication topology $\mathcal{G}(\mathcal{A})$ contains a directed spanning tree. Then, second-order consensus in network (8) is achieved if there exists an infinite time sequence of uniformly bounded and nonoverlapping time intervals $[t_k, t_{k+1})$, $k \in \mathbb{N}$, with $t_1 = 0$, such that for each time interval $[t_k, t_{k+1})$, $k \in \mathbb{N}$, the following conditions hold:

(i) $\min_{2 \le i \le m}\{a(L_{11}),\ c(L_{ii})\} > \alpha/\beta^2$,
(ii) $\delta_k > \omega_k \max_{2 \le i \le m}\left\{\dfrac{\gamma_4}{\gamma_3 + \gamma_4},\ \dfrac{\gamma_4^i}{\gamma_3^i + \gamma_4^i}\right\}$,

where $\delta_k$ represents the Lebesgue measure of the set $\{ t \mid t \in [t_k, t_{k+1}) \cap T \}$, $\omega_k = t_{k+1} - t_k$,

$$\gamma_3 = \frac{4\xi_{1\min}\min\{\alpha^2 a(L_{11}),\ (\beta^2 a(L_{11}) - \alpha)\}}{\xi_{1\max}\left[2\alpha\beta b(L_{11}) + \sqrt{(2\alpha\beta b(L_{11}) - \beta)^2 + 4\alpha^2}\right]}, \quad \gamma_4 = 2\lambda_{\max}\left(Q^{-1} P_3\right),$$

$$Q = \begin{pmatrix} 2\alpha\beta a(L_{11})\Xi_1 & \alpha\Xi_1 \\ \alpha\Xi_1 & \beta\Xi_1 \end{pmatrix}, \quad P_3 = \begin{pmatrix} O_N & \frac{1}{2}\alpha\beta\left(\Xi_1 L_{11} + L_{11}^T \Xi_1\right) \\ \frac{1}{2}\alpha\beta\left(\Xi_1 L_{11} + L_{11}^T \Xi_1\right) & \alpha\Xi_1 \end{pmatrix},$$

$$\gamma_3^i = \frac{4\xi_{i\min}\min\{\alpha^2 c(L_{ii}),\ (\beta^2 c(L_{ii}) - \alpha)\}}{\xi_{i\max}\left[2\alpha\beta d(L_{ii}) + \sqrt{(2\alpha\beta d(L_{ii}) - \beta)^2 + 4\alpha^2}\right]}, \quad \gamma_4^i = 2\lambda_{\max}\left(Q_i^{-1} P_3^i\right),$$

$$Q_i = \begin{pmatrix} 2\alpha\beta c(L_{ii})\Xi_i & \alpha\Xi_i \\ \alpha\Xi_i & \beta\Xi_i \end{pmatrix}, \quad P_3^i = \begin{pmatrix} O_N & \frac{1}{2}\alpha\beta\left(\Xi_i L_{ii} + L_{ii}^T \Xi_i\right) \\ \frac{1}{2}\alpha\beta\left(\Xi_i L_{ii} + L_{ii}^T \Xi_i\right) & \alpha\Xi_i \end{pmatrix}, \quad i = 2, 3, \cdots, m.$$

Proof. Obviously, the condensation network of $\mathcal{G}(\mathcal{A})$, denoted by $\mathcal{G}^*(\mathcal{A}^*)$, is itself a directed spanning tree. The dynamics of the agents corresponding to the vertex set of the root of $\mathcal{G}^*(\mathcal{A}^*)$ would not be affected by others, and the local topology among them is strongly connected. According to conditions (i) and (ii) and by Theorem 1, the states of these agents will reach consensus with an exponential decay rate, i.e., there exists $\varepsilon_1 > 0$, such that $x_i(t) = x_{con} + O(e^{-\varepsilon_1 t})$, $v_i(t) = v_{con}(t) + O(e^{-\varepsilon_1 t})$, where $i = 1, 2, \cdots, q_1$, $x_{con} = \sum_{j=1}^{q_1}\xi_{1j} x_j(0) + t\sum_{j=1}^{q_1}\xi_{1j} v_j(0)$, and $v_{con} = \sum_{j=1}^{q_1}\xi_{1j} v_j(0)$.

Next, consider the dynamics of the agents, denoted by $\upsilon_{i_1}, \upsilon_{i_2}, \cdots, \upsilon_{i_{q_i}}$, $2 \le i \le m$, corresponding to the $i$th node in $\mathcal{G}^*(\mathcal{A}^*)$. It is only affected by these vertices, such that there exist directed paths from them to $\upsilon_{i_s}$, $s = 1, 2, \cdots, q_i$. Suppose that such agents excluding $\upsilon_{i_s}$, $s = 1, 2, \cdots, q_i$, are $\upsilon_{j_1}, \upsilon_{j_2}, \cdots, \upsilon_{j_{k_i}}$. Furthermore, assume that the states of agents $\upsilon_{j_1}, \upsilon_{j_2}, \cdots, \upsilon_{j_{k_i}}$ have already reached consensus, and the final consensus values of position and velocity states are $x_{con}$ and $v_{con}$, respectively. Let $\hat{x}_{i_r}(t) = x_{i_r}(t) - x_{con}$ and $\hat{v}_{i_r}(t) = v_{i_r}(t) - v_{con}$, $r = 1, 2, \cdots, q_i$. Then, one obtains

$$\begin{cases} \dot{\hat{x}}_{i_r}(t) = \hat{v}_{i_r}(t), \\ \dot{\hat{v}}_{i_r}(t) = \alpha\sum_{j=1}^{q_i} a_{i_r i_j}\left(\hat{x}_{i_j}(t) - \hat{x}_{i_r}(t)\right) + \beta\sum_{j=1}^{q_i} a_{i_r i_j}\left(\hat{v}_{i_j}(t) - \hat{v}_{i_r}(t)\right) - \alpha\sum_{p=1}^{k_i} a_{i_r j_p}\hat{x}_{i_r}(t) \\ \qquad\qquad - \beta\sum_{p=1}^{k_i} a_{i_r j_p}\hat{v}_{i_r}(t) + O(e^{-\varepsilon t}), & t \in T, \\ \dot{\hat{v}}_{i_r}(t) = 0, & t \in \bar{T}, \quad r = 1, 2, \cdots, q_i, \end{cases}$$

for some $\varepsilon > 0$. Let $\hat{x}(t) = \left(\hat{x}_{i_1}^T(t), \hat{x}_{i_2}^T(t), \cdots, \hat{x}_{i_{q_i}}^T(t)\right)^T$, $\hat{v}(t) = \left(\hat{v}_{i_1}^T(t), \hat{v}_{i_2}^T(t), \cdots, \hat{v}_{i_{q_i}}^T(t)\right)^T$ and $\hat{y}(t) = \left(\hat{x}^T(t), \hat{v}^T(t)\right)^T$. Then, the above system can be rewritten as

$$\begin{cases} \dot{\hat{y}}(t) = (\hat{B}_1 \otimes I_n)\hat{y}(t) + (\hat{B}_2 \otimes I_n)O(e^{-\varepsilon t}), & t \in T, \\ \dot{\hat{y}}(t) = (\hat{B}_3 \otimes I_n)\hat{y}(t), & t \in \bar{T}, \end{cases}$$

where $\hat{B}_1 = \begin{pmatrix} O_{q_i} & I_{q_i} \\ -\alpha L_{ii} & -\beta L_{ii} \end{pmatrix}$, $\hat{B}_2 = \begin{pmatrix} O_{q_i} & O_{q_i} \\ I_{q_i} & I_{q_i} \end{pmatrix}$, $\hat{B}_3 = \begin{pmatrix} O_{q_i} & I_{q_i} \\ O_{q_i} & O_{q_i} \end{pmatrix}$. Construct the following Lyapunov function

$$V(t) = \frac{1}{2}\hat{y}^T(t)(P \otimes I_n)\hat{y}(t),$$

where $P = \begin{pmatrix} \alpha\beta\left(\Xi_i L_{ii} + L_{ii}^T \Xi_i\right) & \alpha\Xi_i \\ \alpha\Xi_i & \beta\Xi_i \end{pmatrix}$. Then, according to conditions (i) and (ii), by following the proof of Theorem 1, one can show that the states of agents $\upsilon_{i_1}, \upsilon_{i_2}, \cdots, \upsilon_{i_{q_i}}$, $2 \le i \le m$, will reach consensus exponentially. Furthermore, the final consensus value of the position state is $x_{con} = \sum_{j=1}^{q_1}\xi_{1j} x_j(0) + t\sum_{j=1}^{q_1}\xi_{1j} v_j(0)$, and the final consensus value of the velocity state is $v_{con} = \sum_{j=1}^{q_1}\xi_{1j} v_j(0)$. This completes the proof.

3 Consensus of Second-Order Multi-agent Systems with Nonlinear Dynamics and Synchronously Intermittent Communication

3.1 Model Formulation

Note that a large class of real coupled dynamical systems can be modeled as second-order multi-agent systems with inherent nonlinear dynamics; examples include coupled pendulum systems (Amster and Mariani 2008) and networks of mass-spring systems with uncertain spring constants (Li et al. 2012). Therefore, based on (7), Yu et al. proposed the following second-order consensus protocol with nonlinear dynamics (Yu et al. 2010a):

$$\begin{cases} \dot{x}_i(t) = v_i(t), \\ \dot{v}_i(t) = f(x_i(t), v_i(t), t) - \alpha\sum_{j=1}^{N} l_{ij} x_j(t) - \beta\sum_{j=1}^{N} l_{ij} v_j(t), \end{cases} \quad i = 1, 2, \cdots, N,$$

where $f : \mathbb{R}^n \times \mathbb{R}^n \times [0, +\infty) \to \mathbb{R}^n$ is a continuously differentiable vector-valued function. Following the works in Sect. 2, second-order consensus problems of nonlinear multi-agent systems with intermittent measurements will be studied in this section. Before moving forward, the following assumption is made throughout this section.

Assumption 1. There exist nonnegative constants $\rho_i$, $i \in \{1, 2\}$, such that

$$\|f(x_1, x_2, t) - f(y_1, y_2, t)\| \le \sum_{i=1}^{2}\rho_i\|x_i - y_i\|, \quad \forall\, x_i, y_i \in \mathbb{R}^n,\ i \in \{1, 2\},\ t \ge 0.$$

3.2 Second-Order Consensus in Nonlinear Multi-agent Systems with Synchronously Intermittent Communication

In this subsection, it is assumed that each agent obtains the measurements of the relative states between its own and the neighbors only when $t \in T$, where $T$ is the union of an infinite time sequence of uniformly bounded, nonoverlapping time intervals $[t_m, t_m + \delta_m)$ with communication duration $\delta_m \ge \varepsilon > 0$, $m \in \mathbb{N}$. Thus, in this subsection, the following protocol is considered:

$$\begin{cases} \dot{x}_i(t) = v_i(t), \\ \dot{v}_i(t) = f(x_i(t), v_i(t), t) - \alpha\sum_{j=1}^{N} l_{ij} x_j(t) - \beta\sum_{j=1}^{N} l_{ij} v_j(t), & t \in T, \\ \dot{v}_i(t) = f(x_i(t), v_i(t), t), & t \in \bar{T}, \quad i = 1, 2, \cdots, N, \end{cases} \tag{14}$$

where $T \cup \bar{T} = [0, +\infty)$. Let $\tilde{x}_i(t) = x_i(t) - \sum_{j=1}^{N}\xi_j x_j(t)$ and $\tilde{v}_i(t) = v_i(t) - \sum_{j=1}^{N}\xi_j v_j(t)$, where $\xi = (\xi_1, \xi_2, \cdots, \xi_N)^T$ is the positive left eigenvector of $L$ associated with eigenvalue 0 satisfying $\xi^T 1_N = 1$. One obtains the following error dynamical system:

$$\begin{cases} \dot{\tilde{x}}_i(t) = \tilde{v}_i(t), \\ \dot{\tilde{v}}_i(t) = f(x_i(t), v_i(t), t) - \sum_{j=1}^{N}\xi_j f(x_j(t), v_j(t), t) - \alpha\sum_{j=1}^{N} l_{ij}\tilde{x}_j(t) - \beta\sum_{j=1}^{N} l_{ij}\tilde{v}_j(t), & t \in T, \\ \dot{\tilde{v}}_i(t) = f(x_i(t), v_i(t), t) - \sum_{j=1}^{N}\xi_j f(x_j(t), v_j(t), t), & t \in \bar{T}, \quad i = 1, \cdots, N. \end{cases} \tag{15}$$

Let $\tilde{x}(t) = (\tilde{x}_1^T(t), \cdots, \tilde{x}_N^T(t))^T$, $\tilde{v}(t) = (\tilde{v}_1^T(t), \cdots, \tilde{v}_N^T(t))^T$, $f(x(t), v(t), t) = (f^T(x_1(t), v_1(t), t), \cdots, f^T(x_N(t), v_N(t), t))^T$, and $\tilde{y}(t) = (\tilde{x}^T(t), \tilde{v}^T(t))^T$. Then, system (15) can be written as

$$\begin{cases} \dot{\tilde{y}}(t) = F(x(t), v(t), t) + (B_1 \otimes I_n)\tilde{y}(t), & t \in T, \\ \dot{\tilde{y}}(t) = F(x(t), v(t), t) + (B_2 \otimes I_n)\tilde{y}(t), & t \in \bar{T}, \end{cases} \tag{16}$$

where

$$F(x(t), v(t), t) = \begin{pmatrix} 0_{Nn} \\ \left[(I_N - 1_N\xi^T) \otimes I_n\right] f(x(t), v(t), t) \end{pmatrix}, \quad B_1 = \begin{pmatrix} O_N & I_N \\ -\alpha L & -\beta L \end{pmatrix}, \quad B_2 = \begin{pmatrix} O_N & I_N \\ O_N & O_N \end{pmatrix}.$$

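Theorem 3. Suppose that the network $\mathcal{G}(\mathcal{A})$ is strongly connected and Assumption 1 holds. Then, second-order consensus in system (14) is achieved if there exists an infinite time sequence of uniformly bounded, nonoverlapping time intervals $[t_k, t_{k+1})$, $k \in \mathbb{N}$, with $t_1 = 0$, such that on each time interval $[t_k, t_{k+1})$, $k \in \mathbb{N}$, the following conditions hold:

(i) $a(L) > \dfrac{1}{2}\left(\dfrac{\rho_1}{\alpha} + \dfrac{\alpha}{\beta^2} + \dfrac{\rho_2}{\beta} + \sqrt{\left(\dfrac{\rho_1}{\alpha} - \dfrac{\alpha}{\beta^2} - \dfrac{\rho_2}{\beta}\right)^2 + \dfrac{(\alpha\rho_2 + \beta\rho_1)^2}{\alpha^2\beta^2}}\right)$,
(ii) $\delta_k > \dfrac{\gamma_2}{\gamma_1 + \gamma_2}\,\omega_k$,

where $\delta_k$ represents the Lebesgue measure of the set $\{ t \mid t \in [t_k, t_{k+1}) \cap T \}$, $\omega_k = t_{k+1} - t_k$, $\gamma_1 = (\lambda_{\min}(P_1)\xi_{\min})/(\lambda_{\max}(P_2)\xi_{\max})$, $\gamma_2 = 2\lambda_{\max}\left(Q^{-1} P_3\right)$,

$$P_1 = \begin{pmatrix} \alpha^2 a(L) - \alpha\rho_1 & -\frac{1}{2}(\alpha\rho_2 + \beta\rho_1) \\ -\frac{1}{2}(\alpha\rho_2 + \beta\rho_1) & \beta^2 a(L) - \alpha - \beta\rho_2 \end{pmatrix}, \quad P_2 = \begin{pmatrix} \alpha\beta b(L) & \alpha/2 \\ \alpha/2 & \beta/2 \end{pmatrix},$$

$$P_3 = \begin{pmatrix} \alpha\rho_1\Xi & \frac{(\alpha\rho_2 + \beta\rho_1)\Xi + \alpha\beta(\Xi L + L^T\Xi)}{2} \\ \frac{(\alpha\rho_2 + \beta\rho_1)\Xi + \alpha\beta(\Xi L + L^T\Xi)}{2} & (\beta\rho_2 + \alpha)\Xi \end{pmatrix}, \quad \text{and} \quad Q = \begin{pmatrix} 2\alpha\beta a(L)\Xi & \alpha\Xi \\ \alpha\Xi & \beta\Xi \end{pmatrix}.$$

Proof. Construct the Lyapunov function candidate:

$$V(t) = \frac{1}{2}\tilde{y}^T(t)(P \otimes I_n)\tilde{y}(t),$$

where $P = \begin{pmatrix} \alpha\beta(\Xi L + L^T\Xi) & \alpha\Xi \\ \alpha\Xi & \beta\Xi \end{pmatrix}$ and $\Xi = \mathrm{diag}(\xi_1, \xi_2, \cdots, \xi_N)$. According to Definition 1, one has

$$V(t) \ge \frac{1}{2}\tilde{y}^T(t)(Q \otimes I_n)\tilde{y}(t), \tag{17}$$

where $Q = \begin{pmatrix} 2\alpha\beta a(L)\Xi & \alpha\Xi \\ \alpha\Xi & \beta\Xi \end{pmatrix}$. By Lemma 8, $Q > 0$ is equivalent to both $\beta > 0$ and $a(L) > \alpha/(2\beta^2)$. From condition (i), one obtains $Q > 0$, $V(t) \ge 0$, and $V(t) = 0$ if and only if $\tilde{y}(t) = 0_{2Nn}$.

Let $\bar{x}(t) = \sum_{j=1}^{N}\xi_j x_j(t)$ and $\bar{v}(t) = \sum_{j=1}^{N}\xi_j v_j(t)$. For $t \in \{[t_k, t_{k+1}) \cap T\}$, taking the time derivative of $V(t)$ along the trajectories of (16) gives

$$\begin{aligned} \dot{V}(t) &= \tilde{y}^T(t)(P \otimes I_n)\left[F(x(t), v(t), t) + (B_1 \otimes I_n)\tilde{y}(t)\right] \\ &= \left(\alpha\tilde{x}^T(t) + \beta\tilde{v}^T(t)\right)[\Xi \otimes I_n]\left[f(x(t), v(t), t) - 1_N \otimes f(\bar{x}(t), \bar{v}(t), t)\right] \\ &\quad - \frac{\alpha^2}{2}\tilde{x}^T(t)\left[\left(\Xi L + L^T\Xi\right) \otimes I_n\right]\tilde{x}(t) - \frac{\beta^2}{2}\tilde{v}^T(t)\left[\left(\Xi L + L^T\Xi\right) \otimes I_n\right]\tilde{v}(t) \\ &\quad + \alpha\tilde{v}^T(t)(\Xi \otimes I_n)\tilde{v}(t). \end{aligned} \tag{18}$$

By Assumption 1, one gets

$$\begin{aligned} \tilde{x}^T(t)[\Xi \otimes I_n]\left[f(x(t), v(t), t) - 1_N \otimes f(\bar{x}(t), \bar{v}(t), t)\right] &\le \sum_{i=1}^{N}\|\tilde{x}_i(t)\|\xi_i\left(\rho_1\|\tilde{x}_i(t)\| + \rho_2\|\tilde{v}_i(t)\|\right) \\ &= \rho_1\sum_{i=1}^{N}\xi_i\|\tilde{x}_i(t)\|^2 + \rho_2\sum_{i=1}^{N}\xi_i\|\tilde{x}_i(t)\|\|\tilde{v}_i(t)\|, \end{aligned} \tag{19}$$

and

$$\tilde{v}^T(t)[\Xi \otimes I_n]\left[f(x(t), v(t), t) - 1_N \otimes f(\bar{x}(t), \bar{v}(t), t)\right] \le \rho_2\sum_{i=1}^{N}\xi_i\|\tilde{v}_i(t)\|^2 + \rho_1\sum_{i=1}^{N}\xi_i\|\tilde{x}_i(t)\|\|\tilde{v}_i(t)\|. \tag{20}$$

Combining (18), (19), and (20) gives

$$\dot{V}(t) \le -\|\tilde{y}(t)\|^T(P_1 \otimes \Xi)\|\tilde{y}(t)\|, \tag{21}$$

where $\|\tilde{x}(t)\| = (\|\tilde{x}_1(t)\|, \cdots, \|\tilde{x}_N(t)\|)^T$, $\|\tilde{v}(t)\| = (\|\tilde{v}_1(t)\|, \cdots, \|\tilde{v}_N(t)\|)^T$, $\|\tilde{y}(t)\| = (\|\tilde{x}(t)\|^T, \|\tilde{v}(t)\|^T)^T$, and $P_1 = \begin{pmatrix} \alpha^2 a(L) - \alpha\rho_1 & -\frac{1}{2}(\alpha\rho_2 + \beta\rho_1) \\ -\frac{1}{2}(\alpha\rho_2 + \beta\rho_1) & \beta^2 a(L) - \alpha - \beta\rho_2 \end{pmatrix}$. By condition (i), $P_1$ is a positive definite matrix. According to (21), one gets

$$\dot{V}(t) \le -\lambda_{\min}(P_1)\xi_{\min}\tilde{y}^T(t)\tilde{y}(t).$$

On the other hand,

$$V(t) = \frac{1}{2}\tilde{y}^T(t)(P \otimes I_n)\tilde{y}(t) \le \tilde{y}^T(t)\left[(P_2 \otimes \Xi) \otimes I_n\right]\tilde{y}(t),$$

where the positive matrix $P_2 = \begin{pmatrix} \alpha\beta b(L) & \alpha/2 \\ \alpha/2 & \beta/2 \end{pmatrix}$. Thus,

$$V(t) \le \lambda_{\max}(P_2)\xi_{\max}\tilde{y}^T(t)\tilde{y}(t).$$

Consequently,

$$\dot{V}(t) \le -\gamma_1 V(t),$$

where $\gamma_1 = (\lambda_{\min}(P_1)\xi_{\min})/(\lambda_{\max}(P_2)\xi_{\max})$.

For $t \in \{[t_k, t_{k+1}) \cap \bar{T}\}$, taking the time derivative of $V(t)$ along the trajectories of (16) gives

$$\dot{V}(t) = \tilde{y}^T(t)(P \otimes I_n)\left[F(x(t), v(t), t) + (B_2 \otimes I_n)\tilde{y}(t)\right] = \tilde{y}^T(t)(P_3 \otimes I_n)\tilde{y}(t),$$

where

$$P_3 = \begin{pmatrix} \alpha\rho_1\Xi & \frac{(\alpha\rho_2 + \beta\rho_1)\Xi + \alpha\beta(\Xi L + L^T\Xi)}{2} \\ \frac{(\alpha\rho_2 + \beta\rho_1)\Xi + \alpha\beta(\Xi L + L^T\Xi)}{2} & (\beta\rho_2 + \alpha)\Xi \end{pmatrix}.$$

It follows from Lemma 7 and inequality (17) that

$$\dot{V}(t) \le \lambda_{\max}\left((Q \otimes I_n)^{-1}(P_3 \otimes I_n)\right)\tilde{y}^T(t)(Q \otimes I_n)\tilde{y}(t) = \lambda_{\max}\left(Q^{-1}P_3\right)\tilde{y}^T(t)(Q \otimes I_n)\tilde{y}(t) \le \gamma_2 V(t),$$

where $\gamma_2 = 2\lambda_{\max}\left(Q^{-1}P_3\right)$. Based on the above analysis, one obtains

$$V(t_2) \le V(0)e^{-\Delta_1},$$

where $\Delta_1 = \gamma_1\delta_1 - \gamma_2(\omega_1 - \delta_1)$. Then, according to condition (ii), one has $\Delta_1 > 0$. By recursion, for any positive integer $k$, one has

$$V(t_{k+1}) \le V(0)e^{-\sum_{j=1}^{k}\Delta_j},$$

where $\Delta_j = \gamma_1\delta_j - \gamma_2(\omega_j - \delta_j) > 0$, $j = 1, 2, \cdots, k$. For arbitrary $t > 0$, there exists a positive integer $s$ such that $t_{s+1} < t \le t_{s+2}$. Furthermore, since $[t_k, t_{k+1})$, $k \in \mathbb{N}$, is a uniformly bounded and nonoverlapping time sequence, one may let $\omega_{\max} = \max_{i \in \mathbb{N}}\omega_i$ and $\kappa = \min_{i \in \mathbb{N}}\Delta_i > 0$. Thus, it follows that

$$V(t) \le V(t_{s+1})e^{\omega_{\max}\gamma_2} \le e^{\omega_{\max}\gamma_2}V(0)e^{-\sum_{j=1}^{s}\Delta_j} \le e^{\omega_{\max}\gamma_2}V(0)e^{-(\kappa/\omega_{\max})t} \le K_0 e^{-K_1 t},$$

for all $t > 0$, where $K_0 = e^{\omega_{\max}\gamma_2}V(0)$ and $K_1 = \kappa/\omega_{\max}$, which indicates that the states of agents converge exponentially, thereby achieving consensus. This completes the proof.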

3.3 Second-Order Consensus in Delayed Nonlinear Multi-agent Systems with Synchronously Intermittent Communication

In this subsection, the following consensus protocol with time-delay and synchronously intermittent measurements is considered:

$$\begin{cases} \dot{x}_i(t) = v_i(t), \\ \dot{v}_i(t) = f(v_i(t-\tau), v_i(t), t) - \alpha\sum_{j=1}^{N} l_{ij} x_j(t) - \beta\sum_{j=1}^{N} l_{ij} v_j(t), & t \in [k\omega, k\omega + \delta), \\ \dot{v}_i(t) = f(v_i(t-\tau), v_i(t), t), & t \in [k\omega + \delta, (k+1)\omega), \quad k \in \mathbb{N},\ i = 1, 2, \cdots, N, \end{cases} \tag{22}$$

where $f : \mathbb{R}^n \times \mathbb{R}^n \times [0, +\infty) \to \mathbb{R}^n$ is a continuously differentiable vector-valued function representing the inherent delayed nonlinear dynamics of agent $i$, $\tau > 0$ is the time-delay, and the communication time duration $\delta$ satisfies $\tau < \delta \le \omega$. Positive scalars $\alpha$ and $\beta$ represent the coupling strengths. Furthermore, $x_i(t) = \phi_i(t)$, $v_i(t) = \psi_i(t)$, for all $t \in [-\tau, 0]$, and the initial functions $\phi_i$ and $\psi_i$ are continuous for all $t \in [-\tau, 0]$, where $i = 1, 2, \cdots, N$.

Remark 7. It is noted that system (22) covers the multi-agent systems with second-order integrator-type dynamics. For example, system (22) becomes a second-order multi-agent system studied in Yu et al. (2010b), if $\delta = \omega$, and $f(v_i(t-\tau), v_i(t), t) \equiv 0_n$, for all $t \ge 0$, $i = 1, 2, \cdots, N$.

Before moving forward, the following two lemmas are introduced.

Lemma 13 (Fujisaka and Yamada (1983) Halanay inequality). Suppose that the nonnegative function $y(t)$, $t \in [-\tau, +\infty)$, satisfies

$$\frac{dy(t)}{dt} \le -c_1 y(t) + c_2 y(t-\tau), \quad t \ge 0,$$

where constants $c_1 > c_2 > 0$. Then $y(t) \le |y(0)|_\tau e^{-rt}$, $t \ge 0$, where $|y(0)|_\tau = \max_{-\tau \le s \le 0} y(s)$ and $r$ is the unique solution of $-r = -c_1 + c_2 e^{r\tau}$.

Lemma 14 (Huang et al. 2009). Suppose that the nonnegative function $y(t)$, $t \in [-\tau, \infty)$, satisfies

$$\frac{dy(t)}{dt} \le c_1 y(t) + c_2 y(t-\tau), \quad t \ge 0,$$

where $c_1$, $c_2$ are positive constants. Then

$$y(t) \le |y(0)|_\tau e^{(c_1 + c_2)t}, \quad t \ge 0,$$

where $|y(0)|_\tau = \max_{-\tau \le s \le 0} y(s)$.

Let $\tilde{x}_i(t) = x_i(t) - \frac{1}{N}\sum_{j=1}^{N} x_j(t)$ and $\tilde{v}_i(t) = v_i(t) - \frac{1}{N}\sum_{j=1}^{N} v_j(t)$. One has the following error dynamical system:

$$\begin{cases} \dot{\tilde{x}}_i(t) = \tilde{v}_i(t), \\ \dot{\tilde{v}}_i(t) = f(v_i(t-\tau), v_i(t), t) - \frac{1}{N}\sum_{j=1}^{N} f(v_j(t-\tau), v_j(t), t) - \alpha\sum_{j=1}^{N} l_{ij}\tilde{x}_j(t) - \beta\sum_{j=1}^{N} l_{ij}\tilde{v}_j(t), & t \in [k\omega, k\omega + \delta), \\ \dot{\tilde{v}}_i(t) = f(v_i(t-\tau), v_i(t), t) - \frac{1}{N}\sum_{j=1}^{N} f(v_j(t-\tau), v_j(t), t), & t \in [k\omega + \delta, (k+1)\omega), \end{cases} \tag{23}$$

where $k \in \mathbb{N}$ and $i = 1, 2, \cdots, N$. Let $\tilde{x}(t) = \left(\tilde{x}_1^T(t), \cdots, \tilde{x}_N^T(t)\right)^T$, $\tilde{v}(t) = \left(\tilde{v}_1^T(t), \cdots, \tilde{v}_N^T(t)\right)^T$, $f(v(t-\tau), v(t), t) = \left(f^T(v_1(t-\tau), v_1(t), t), \cdots, f^T(v_N(t-\tau), v_N(t), t)\right)^T$ and $\zeta(t) = \left(\tilde{x}^T(t), \tilde{v}^T(t)\right)^T$. Then, system (23) can be written as

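$$\begin{cases} \dot{\zeta}(t) = F(v(t-\tau), v(t), t) + (B_1 \otimes I_n)\zeta(t), & t \in [k\omega, k\omega + \delta), \\ \dot{\zeta}(t) = F(v(t-\tau), v(t), t) + (B_2 \otimes I_n)\zeta(t), & t \in [k\omega + \delta, (k+1)\omega), \end{cases} \tag{24}$$

where $k \in \mathbb{N}$, $F(v(t-\tau), v(t), t) = \begin{pmatrix} 0_{Nn} \\ \left[\left(I_N - \frac{1}{N}1_{N \times N}\right) \otimes I_n\right] f(v(t-\tau), v(t), t) \end{pmatrix}$, $1_{N \times N}$ indicates the $N \times N$ matrix with each element being one, $B_1 = \begin{pmatrix} O_N & I_N \\ -\alpha L & -\beta L \end{pmatrix}$ and $B_2 = \begin{pmatrix} O_N & I_N \\ O_N & O_N \end{pmatrix}$.

Remark 8. It is not hard to verify that $\zeta(t) = 0_{2Nn}$ is an equilibrium point of the switched systems (24). Furthermore, by the definitions of $\zeta(t)$, $\tilde{x}(t)$, and $\tilde{v}(t)$, one obtains that the second-order consensus in multi-agent system (22) can be achieved if and only if the solution $0_{2Nn}$ for system (24) is globally attractive, namely, $\zeta(t) \to 0$, as $t \to \infty$.

Theorem 4. Suppose that the communication topology $\mathcal{G}(\mathcal{A})$ is strongly connected and balanced, and Assumption 1 holds. Then, second-order consensus in system (22) is achieved if the following conditions hold:

(i) $\lambda_2(L + L^T) > \dfrac{\alpha}{\beta^2}$,
(ii) $\lambda_1(R_1) > \dfrac{c_0\lambda_2(P_1)}{\lambda_1(Q)}$,
(iii) $\delta > \dfrac{r\tau + (\gamma_3 + \gamma_4)\omega}{r + \gamma_3 + \gamma_4}$,

where $R_1 = \begin{pmatrix} \alpha\lambda_2(L + L^T) - \rho_2\alpha & -\alpha\rho_1 \\ -\alpha\rho_1 & \beta^2\lambda_2(L + L^T) - (\rho_2 + 2\rho_1)\beta - 2\alpha \end{pmatrix}$, $P_1 = \begin{pmatrix} \alpha\beta\lambda_N(L + L^T) & \alpha \\ \alpha & \beta \end{pmatrix}$, $Q = \begin{pmatrix} \alpha\beta\lambda_2(L + L^T) & \alpha \\ \alpha & \beta \end{pmatrix}$, $c_0 = (\alpha + \beta)\rho_2$, $r$ is the unique positive solution of $-r = -\gamma_1 + \gamma_2 e^{r\tau}$, $\gamma_1 = \dfrac{\lambda_1(R_1)}{\lambda_2(P_1)}$, $\gamma_2 = \dfrac{c_0}{\lambda_1(Q)}$, $\gamma_3 = \dfrac{c_1 + c_2 + \sqrt{(c_1 - c_2)^2 + c_3}}{\lambda_1(Q)}$, $\gamma_4 = \dfrac{(\alpha + \beta)c_0}{\lambda_1(Q)}$, $c_1 = \dfrac{\rho_2\alpha}{2}$, $c_2 = \dfrac{(\rho_2 + 2\rho_1)\beta}{2} + \alpha$ and $c_3 = (\alpha\rho_1 + \alpha\beta\lambda_2(L + L^T))^2$.

Proof. Construct the following Lyapunov function candidate:

$$V(t) = \frac{1}{2}\zeta^T(t)(P \otimes I_n)\zeta(t),$$

where $P = \begin{pmatrix} \alpha\beta(L + L^T) & \alpha I_N \\ \alpha I_N & \beta I_N \end{pmatrix}$. It will be shown that $V(t)$ is a valid Lyapunov function for analyzing the error dynamics described by system (24). According to the Courant-Fischer theorem (Horn and Johnson 1990), one has

$$V(t) = \frac{\alpha\beta}{2}\tilde{x}^T(t)\left[(L + L^T) \otimes I_n\right]\tilde{x}(t) + \alpha\tilde{x}^T(t)\tilde{v}(t) + \frac{\beta}{2}\tilde{v}^T(t)\tilde{v}(t) \ge \frac{1}{2}\zeta^T(t)(Q \otimes I_{Nn})\zeta(t),$$

where $Q = \begin{pmatrix} \alpha\beta\lambda_2(L + L^T) & \alpha \\ \alpha & \beta \end{pmatrix}$. By Lemma 8, $Q > 0$ is equivalent to both $\beta > 0$ and $\lambda_2(L + L^T) > \frac{\alpha}{\beta^2}$. From condition (i), one obtains $Q > 0$, $V(t) \ge 0$ and $V(t) = 0$ if and only if $\zeta(t) = 0_{2Nn}$.

For notational convenience, let $\bar{v}(t-\tau) = \frac{1}{N}\sum_{j=1}^{N} v_j(t-\tau)$ and $\bar{v}(t) = \frac{1}{N}\sum_{j=1}^{N} v_j(t)$. For $t \in [k\omega, k\omega + \delta)$ and arbitrarily given $k \in \mathbb{N}$, taking the time derivative of $V(t)$ along the trajectories of (24) gives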

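$$\begin{aligned} \dot{V}(t) &= \zeta^T(t)(P \otimes I_n)\left[F(v(t-\tau), v(t), t) + (B_1 \otimes I_n)\zeta(t)\right] \\ &= \alpha\tilde{x}^T\left[\left(I_N - \tfrac{1}{N}1_{N \times N}\right) \otimes I_n\right] f(v(t-\tau), v(t), t) + \beta\tilde{v}^T\left[\left(I_N - \tfrac{1}{N}1_{N \times N}\right) \otimes I_n\right] f(v(t-\tau), v(t), t) \\ &\quad + \frac{1}{2}\zeta^T(t)\left[\left(PB_1 + B_1^T P\right) \otimes I_n\right]\zeta(t) \\ &= \left(\alpha\tilde{x}^T(t) + \beta\tilde{v}^T(t)\right)\left[f(v(t-\tau), v(t), t) - 1_N \otimes f(\bar{v}(t-\tau), \bar{v}(t), t)\right] \\ &\quad - \left(\alpha\tilde{x}^T(t) + \beta\tilde{v}^T(t)\right)\left[\left(\tfrac{1}{N}1_{N \times N}\right) \otimes I_n\right] f(v(t-\tau), v(t), t) \\ &\quad + \left(\alpha\tilde{x}^T(t) + \beta\tilde{v}^T(t)\right)\left[1_N \otimes f(\bar{v}(t-\tau), \bar{v}(t), t)\right] \\ &\quad + \frac{1}{2}\zeta^T(t)\left[\begin{pmatrix} -\alpha^2(L + L^T) & O_N \\ O_N & -\beta^2(L + L^T) + 2\alpha I_N \end{pmatrix} \otimes I_n\right]\zeta(t). \end{aligned} \tag{25}$$

Since $\tilde{x}(t) = \left[\left(I_N - \frac{1}{N}1_{N \times N}\right) \otimes I_n\right]x(t)$ and $\tilde{v}(t) = \left[\left(I_N - \frac{1}{N}1_{N \times N}\right) \otimes I_n\right]v(t)$, one gets

$$\tilde{x}^T(t)\left[1_N \otimes f(\bar{v}(t-\tau), \bar{v}(t), t)\right] = 0, \quad \tilde{v}^T(t)\left[1_N \otimes f(\bar{v}(t-\tau), \bar{v}(t), t)\right] = 0, \tag{26}$$

and

$$\tilde{x}^T(t)\left[\left(\tfrac{1}{N}1_{N \times N}\right) \otimes I_n\right] f(v(t-\tau), v(t), t) = 0, \quad \tilde{v}^T(t)\left[\left(\tfrac{1}{N}1_{N \times N}\right) \otimes I_n\right] f(v(t-\tau), v(t), t) = 0. \tag{27}$$

Combining (25), (26) and (27), one obtains

$$\begin{aligned} \dot{V}(t) &= \left(\alpha\tilde{x}^T(t) + \beta\tilde{v}^T(t)\right)\left[f(v(t-\tau), v(t), t) - 1_N \otimes f(\bar{v}(t-\tau), \bar{v}(t), t)\right] \\ &\quad + \zeta^T(t)\left[\begin{pmatrix} -\frac{\alpha^2}{2}(L + L^T) & O_N \\ O_N & -\frac{\beta^2}{2}(L + L^T) + \alpha I_N \end{pmatrix} \otimes I_n\right]\zeta(t). \end{aligned} \tag{28}$$

By Assumption 1, one gets

$$\begin{aligned} \alpha\tilde{x}^T(t)&\left[f(v(t-\tau), v(t), t) - 1_N \otimes f(\bar{v}(t-\tau), \bar{v}(t), t)\right] \\ &= \alpha\sum_{i=1}^{N}(x_i(t) - \bar{x}(t))^T\left[f(v_i(t-\tau), v_i(t), t) - f(\bar{v}(t-\tau), \bar{v}(t), t)\right] \\ &\le \alpha\sum_{i=1}^{N}\|\tilde{x}_i(t)\|\left(\rho_2\|\tilde{v}_i(t-\tau)\| + \rho_1\|\tilde{v}_i(t)\|\right) \\ &\le \alpha\left(\frac{\rho_2}{2}\sum_{i=1}^{N}\|\tilde{x}_i(t)\|^2 + \frac{\rho_2}{2}\sum_{i=1}^{N}\|\tilde{v}_i(t-\tau)\|^2 + \rho_1\sum_{i=1}^{N}\|\tilde{x}_i(t)\| \cdot \|\tilde{v}_i(t)\|\right), \end{aligned} \tag{29}$$

and

$$\begin{aligned} \beta\tilde{v}^T(t)&\left[f(v(t-\tau), v(t), t) - 1_N \otimes f(\bar{v}(t-\tau), \bar{v}(t), t)\right] \\ &= \beta\sum_{i=1}^{N}(v_i(t) - \bar{v}(t))^T\left[f(v_i(t-\tau), v_i(t), t) - f(\bar{v}(t-\tau), \bar{v}(t), t)\right] \\ &\le \beta\sum_{i=1}^{N}\|\tilde{v}_i(t)\|\left(\rho_2\|\tilde{v}_i(t-\tau)\| + \rho_1\|\tilde{v}_i(t)\|\right) \\ &\le \beta\left(\left(\frac{\rho_2}{2} + \rho_1\right)\sum_{i=1}^{N}\|\tilde{v}_i(t)\|^2 + \frac{\rho_2}{2}\sum_{i=1}^{N}\|\tilde{v}_i(t-\tau)\|^2\right). \end{aligned} \tag{30}$$

Combining (28), (29) and (30) gives

$$\begin{aligned} \dot{V}(t) &\le \frac{\rho_2\alpha}{2}\sum_{i=1}^{N}\|\tilde{x}_i(t)\|^2 + \frac{(\rho_2 + 2\rho_1)\beta}{2}\sum_{i=1}^{N}\|\tilde{v}_i(t)\|^2 + \frac{(\alpha + \beta)\rho_2}{2}\sum_{i=1}^{N}\|\tilde{v}_i(t-\tau)\|^2 + \alpha\rho_1\sum_{i=1}^{N}\|\tilde{x}_i(t)\| \cdot \|\tilde{v}_i(t)\| \\ &\quad + \zeta^T(t)\left[\begin{pmatrix} -\frac{\alpha^2}{2}(L + L^T) & O_N \\ O_N & -\frac{\beta^2}{2}(L + L^T) + \alpha I_N \end{pmatrix} \otimes I_n\right]\zeta(t) \\ &\le \frac{\left(\rho_2 - \alpha\lambda_2(L + L^T)\right)\alpha}{2}\sum_{i=1}^{N}\|\tilde{x}_i(t)\|^2 + \alpha\rho_1\sum_{i=1}^{N}\|\tilde{x}_i(t)\| \cdot \|\tilde{v}_i(t)\| \\ &\quad + \frac{(\rho_2 + 2\rho_1)\beta + 2\alpha - \beta^2\lambda_2(L + L^T)}{2}\sum_{i=1}^{N}\|\tilde{v}_i(t)\|^2 + \frac{(\alpha + \beta)\rho_2}{2}\sum_{i=1}^{N}\|\tilde{v}_i(t-\tau)\|^2 \\ &= \frac{1}{2}\left[-\|\zeta(t)\|^T(R_1 \otimes I_N)\|\zeta(t)\| + \|\zeta(t-\tau)\|^T(S_1 \otimes I_N)\|\zeta(t-\tau)\|\right], \end{aligned} \tag{31}$$

where $R_1 = \begin{pmatrix} \alpha\lambda_2(L + L^T) - \rho_2\alpha & -\alpha\rho_1 \\ -\alpha\rho_1 & \beta^2\lambda_2(L + L^T) - (\rho_2 + 2\rho_1)\beta - 2\alpha \end{pmatrix}$, $S_1 = \begin{pmatrix} 0 & 0 \\ 0 & (\alpha + \beta)\rho_2 \end{pmatrix}$, $\|\tilde{x}(t)\| = (\|\tilde{x}_1(t)\|, \|\tilde{x}_2(t)\|, \cdots, \|\tilde{x}_N(t)\|)^T$, $\|\tilde{v}(t)\| = (\|\tilde{v}_1(t)\|, \|\tilde{v}_2(t)\|, \cdots, \|\tilde{v}_N(t)\|)^T$, $\|\zeta(t)\| = \left(\|\tilde{x}(t)\|^T, \|\tilde{v}(t)\|^T\right)^T$, and $\|\zeta(t-\tau)\| = \left(\|\tilde{x}(t-\tau)\|^T, \|\tilde{v}(t-\tau)\|^T\right)^T$. On the other hand, one has

$$V(t) = \frac{1}{2}\zeta^T(t)(P \otimes I_n)\zeta(t) = \frac{\alpha\beta}{2}\tilde{x}^T(t)\left[(L + L^T) \otimes I_n\right]\tilde{x}(t) + \alpha\tilde{x}^T(t)\tilde{v}(t) + \frac{\beta}{2}\tilde{v}^T(t)\tilde{v}(t) \le \frac{1}{2}\zeta^T(t)(P_1 \otimes I_{Nn})\zeta(t),$$

where $P_1 = \begin{pmatrix} \alpha\beta\lambda_N(L + L^T) & \alpha \\ \alpha & \beta \end{pmatrix}$. Thus, according to (31) and the following facts:

$$V(t) \le \frac{1}{2}\lambda_2(P_1)\zeta^T(t)\zeta(t), \qquad V(t-\tau) \ge \frac{1}{2}\lambda_1(Q)\zeta^T(t-\tau)\zeta(t-\tau),$$

$$\|\zeta(t)\|^T R_1\|\zeta(t)\| \ge \lambda_1(R_1)\zeta^T(t)\zeta(t), \qquad \|\zeta(t-\tau)\|^T S_1\|\zeta(t-\tau)\| \le (\alpha + \beta)\rho_2\zeta^T(t-\tau)\zeta(t-\tau),$$

one obtains

$$\dot{V}(t) \le -\gamma_1 V(t) + \gamma_2 V(t-\tau),$$

where $\gamma_1 = \dfrac{\lambda_1(R_1)}{\lambda_2(P_1)}$, $\gamma_2 = \dfrac{c_0}{\lambda_1(Q)}$, and $c_0 = (\alpha + \beta)\rho_2$.

For $t \in [k\omega + \delta, (k+1)\omega)$ and arbitrarily given $k \in \mathbb{N}$, taking the time derivative of $V(t)$ along the trajectories of (24) gives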

V˙ (t) = ζ T (t)(P ⊗ In )[F (v(t − τ ), v(t), t) + (B2 ⊗ In )ζ (t)]    1 IN − 1N ×N ⊗ In f (v(t − τ ), v(t), t) = α x˜ T N    1 IN − 1N ×N ⊗ In + β v˜ T N · f (v(t − τ ), v(t), t) + ζ T (t) [(P B2 ) ⊗ In ] ζ (t),    ON IN ON IN . , and B2 = where B1 = −αL −βL ON ON Similar to the previous analysis, one obtains 

ρ2 α V˙ (t) ≤ 2

N 

x˜i (t)2 +

i=1

+ αρ1

N 

N N (ρ2 +2ρ1 )β  (α + β)ρ2  v˜i (t)2 + v˜i (t − τ )2 2 2 i=1

i=1

x˜i (t) · v˜i (t) + ζ T (t) [(P B2 ) ⊗ In ] ζ (t)

i=1

 1 ≤ ζ (t)T (R2 ⊗ IN ) ζ (t) + ζ (t − τ )T (S2 ⊗ IN ) ζ (t − τ ) , 2     ρ2 α αρ1 + αβλ2 (L + LT ) 0 0 , S2 = . It where R2 = T αρ1 + αβλ2 (L + L )

(ρ2 + 2ρ1 )β + 2α

0 (α + β)ρ2

then follows that λ2 (R2 ) λ2 (S2 ) V˙ (t) ≤ V (t) + V (t − τ ) ≤ γ3 V (t) + γ4 V (t − τ ), λ1 (Q) λ1 (Q) where γ3 = (ρ2 +2ρ1 )β 2



c1 +c2 +

(c1 −c2 )2 +c3 , λ1 (Q)

c0 λ1 (Q) , c0 = (α + + LT ))2 . Based on

γ4 =

+ α, c3 = (αρ1 + αβλ2 (L

β)ρ2 , c1 =

ρ2 α 2 ,

c2 =

the above analysis and

36 Consensus of Multi-agent Systems with Intermittent Communication. . .

1171

according to Lemma 13, one obtains V (t) ≤ |V (0)|τ e−rt , 0 ≤ t < δ,

(32)

where r is the unique positive solution of −r = −γ1 + γ2 erτ , |V (0)|τ = max−τ ≤s≤0 V (s). For δ < t < ω, by using Lemma 14, one obtains V (t) ≤ |V (δ)|τ e(γ3 +γ4 )t .

(33)

Then, according to (32), one has |V (δ)|τ = max V (t) ≤ |V (0)|τ e−r(δ−τ ) . δ−τ ≤t≤δ

(34)

Combining (33) and (34) yields V (t) ≤ |V (δ)|τ e(γ3 +γ4 )(t−δ) ≤ |V (0)|τ e−r(δ−τ )+(γ3 +γ4 )(t−δ) , δ ≤ t < ω. As V (t) is a continuous function of t, one has V (ω) = lim V (t) ≤ |V (0)|τ e−r(δ−τ )+(γ3 +γ4 )(ω−δ) . t→ω−

Then |V (ω)|τ =

max

ω−τ ≤t≤ω

V (t) ≤ |V (δ)|τ e(γ3 +γ4 )(ω−δ)

≤ |V (0)|τ e−r(δ−τ )+(γ3 +γ4 )(ω−δ) = |V (0)|τ e−Δ , where Δ = r(δ − τ ) − (γ3 + γ4 )(ω − δ) > 0. For any positive integer k, one has |V (kω)|τ ≤ |V (0)|τ e−kΔ . For arbitrary t > 0, there exists a nonnegative integer k, such that kω ≤ t < (k + 1)ω. When t ∈ [kω, kω + δ), one obtains V (t) ≤|V (kω)|τ e−r(t−kω) ≤ |V (0)|τ e−kΔ−r(t−kω) ≤|V (0)|τ e−kΔ ≤ |V (0)|τ eΔ e When t ∈ [kω + δ, (k + 1)ω), one has

  − Δ ω t

(35) .

1172

G. Wen et al.

V (t) ≤|V (kω + δ)|τ e(γ3 +γ4 )(t−kω−δ) ≤ |V (0)|τ e−kΔ−rδ e(γ3 +γ4 )(ω−δ) ≤|V (0)|τ e

  Δ (γ3 +γ4 )(ω−δ)−rδ+Δ − ω t

e

= |V (0)|τ e

  Δ −rτ − ω t

e

(36) .

Combining (35) and (36) gives V (t) ≤ K0 e−(Δ/ω)t , for all t > 0, where K0 = eΔ |V (0)|τ , which indicates that the states of agents exponentially converge to consensus. This completes the proof. Corollary 2. Suppose that the communication topology G (A ) is a strongly connected and balanced network, and Assumption 1 holds. Then, second-order consensus in system (22) is achieved if the following conditions hold: (i) β > α,   (ii) λ2 (L + LT ) > max α −1 , ρ1 , ρ2 , +(γ3 +γ4 )ω (iii) δ > rτ r+γ , 3 +γ4 β(ρ2 +2ρ1 )+2α ρ2 (α+β) + β 2 (β−α) ·(αβλN β2 T (L + L ) + α), r is the unique positive solution of √ −r = −γ1 + γ2 erτ , of which c1 +c2 + (c1 −c2 )2 +c3 2 2 1 , κ2 } γ1 = αβλmin{κ , γ2 = (α+β)ρ , γ4 = (α+β)ρ T β−α , γ3 = β−α β−α , N (L+L )+α κ1 = β 2 λ2 (L + LT ) − βρ2 − αρ1 , κ2 = α 2 λ2 (L + LT ) − α(ρ2 + 2ρ1 ) − 2α, 1 )β c1 = ρ22α , c2 = (ρ2 +2ρ + α and c3 = (αρ1 + αβλ2 (L + LT ))2 . 2

where ρ1 =

αρ2 +αρ1 ρ2 (α+β)(βλN (L+LT )+1) + , α(β−α) α2

ρ2 =

Proof. Construct the same Lyapunov function candidate $V(t)$ as that in the proof of Theorem 4. By the Geršgorin disk theorem (Horn and Johnson 1990), the corollary can be proved by following the proof of Theorem 4.

Remark 9. In Yu et al. (2010a), the concept of general algebraic connectivity $a(L)$ is introduced to describe the second-order multi-agent system's ability to reach consensus. By Definition 6 in Yu et al. (2010a), one has $a(L) = \frac{\lambda_2(L+L^T)}{2}$ for a strongly connected and balanced $\mathcal{G}(\mathcal{A})$, where $L$ is the Laplacian matrix of the graph. Suppose that $\beta > \alpha$. Then, from Corollary 2, the second-order consensus can be achieved if the general algebraic connectivity $a(L)$ and the communication time duration $\delta$ are larger than their corresponding threshold values, respectively.

Remark 10. Suppose that consensus in multi-agent system (22) can be achieved for $\tau = \tau_0$, where $\tau_0 > 0$. Then, it can be concluded from Theorem 4 that consensus in multi-agent system (22) can be achieved for all $\tau \in [0, \tau_0]$, i.e., the consensus achievement is robust to $\tau \in [0, \tau_0]$.

36 Consensus of Multi-agent Systems with Intermittent Communication. . .


Remark 11. It can be observed that Theorem 4 is proven by using a common Lyapunov function approach. Thus, it is interesting and important to further study how to reduce the conservatism of the theoretical results in the future.

4 Consensus Tracking of Nonlinear Multi-agent Systems with Asynchronously Intermittent Communication

4.1 Model Formulation

In most of the existing literature on the consensus tracking problem for multi-agent systems with nonlinear dynamics, it is commonly required that the neighbor set of each agent is fixed or the communication mode is synchronously intermittent. However, in reality, the neighbor set of the agents may be time-varying due to limitations of sensors or external disturbances on communication channels. On the other hand, the communication mode may be asynchronously intermittent due to the employment of a directional sensor network. Actually, consensus of multi-agent systems with asynchronously intermittent communication can be modeled as consensus of multi-agent systems with switching topology. Motivated by this observation, this section makes further endeavors to consider the consensus tracking problem for multi-agent systems with general high-order nonlinear node dynamics and switching topology, even for the case where the time-varying topology only frequently but not always contains a directed spanning tree.

Consider a group of $N$ agents, where an agent indexed by 1 is assigned as the leader and the agents indexed by $2, \cdots, N$ are referred to as followers. The dynamics of the $i$th agent are given by

$$\dot{x}_i(t) = A x_i(t) + C f(x_i(t), t) + B u_i(t), \tag{37}$$

where $x_i \in \mathbb{R}^n$ represents the states of the $i$th agent, $i = 1, 2, \cdots, N$, $f: \mathbb{R}^n \times [0, +\infty) \to \mathbb{R}^m$ is a continuously differentiable vector-valued function representing the intrinsic nonlinear dynamics of the $i$th agent, $u_i(t) \in \mathbb{R}^p$ is the control input to be designed, and $A$, $B$, and $C$ are constant real matrices. It is assumed that matrix pair $(A, B)$ is stabilizable. For notational convenience, let $f(x_i(t), t) = (f_1(x_i(t), t), f_2(x_i(t), t), \cdots, f_m(x_i(t), t))^T$, $i = 1, 2, \cdots, N$.

Assumption 2. There exists a nonnegative constant $\rho$, such that

$$\|f(y, t) - f(z, t)\| \le \rho \|y - z\|, \quad \forall y, z \in \mathbb{R}^n,\ t \ge 0. \tag{38}$$

Assumption 2 is the so-called Lipschitz condition. Note that this assumption is mild. For example, all linear and piecewise-linear time-invariant continuous functions satisfy this condition. In addition, the condition is satisfied if the Jacobians $\partial f_i / \partial x_k(t)$ ($i, k = 1, 2, \cdots, n$) are uniformly bounded.


In many real cases, the leader plays the role of a command generator providing a reference state, and it has to be approached by the followers. Thus, it is reasonable to assume that the state of the leader evolves without being affected by those of the followers, i.e., $u_1(t) \equiv 0_p$ in system (37). The control objective here is to design a distributed consensus tracking algorithm under which the states of the followers asymptotically approach those of the leader, which is precisely defined as follows.

Definition 6. The multi-agent system (37) is said to achieve consensus tracking if, for any initial conditions,

$$\lim_{t \to \infty} \|x_i(t) - x_1(t)\| = 0, \quad \forall\, i = 2, \cdots, N.$$

To achieve this goal, the following distributed tracking protocol is proposed:

$$u_i(t) = \alpha F \sum_{j=1}^{N} a_{ij}(t) \left( x_j(t) - x_i(t) \right), \quad i = 2, \cdots, N, \tag{39}$$

where $\alpha > 0$ represents the coupling strength, $F \in \mathbb{R}^{p \times n}$ is the feedback gain matrix to be designed, and $\mathcal{A}(t) = [a_{ij}(t)]_{N \times N}$ is the adjacency matrix of graph $\mathcal{G}(\mathcal{A})$. Here, $\mathcal{G}(\mathcal{A})$ describes the underlying communication topology among the $N$ agents at time $t$.

Remark 12. System (37) is quite general since it covers the multi-agent systems with integrator-type dynamics. For example, system (37) becomes a second-order multi-agent system with nonlinear dynamics, studied in Yu et al. (2010a), if

$$A = \begin{pmatrix} O & I_r \\ O & O \end{pmatrix}, \quad B = \begin{pmatrix} O \\ I_r \end{pmatrix}, \quad C = \begin{pmatrix} O & O \\ O & I_r \end{pmatrix}, \tag{40}$$

where $r$ is the dimension of the position state vector of an agent. Furthermore, it is easy to check that matrix pair $(A, B)$ with $A$ and $B$ given in (40) is controllable and therefore also stabilizable. Note also that system (37) reduces to the commonly studied linear multi-agent system (Li et al. 2011a) if $C$ is a zero matrix.

Remark 13. The leader in the multi-agent system (37) may be a real or a virtual agent that provides a reference state being tracked by the followers. Furthermore, it is easy to verify that whether the consensus tracking problem can be solved by protocol (39) has nothing to do with the labels of the agents. For convenience of analysis, it is assumed that the agent indexed by 1 is the leader of the group.

4.2 Consensus Tracking in Networks with Fixed Directed Topology Containing a Directed Spanning Tree

In this subsection, distributed consensus tracking is addressed for multi-agent system (37) with a fixed communication topology containing a directed spanning tree. Without loss of generality, let $\mathcal{G}(\mathcal{A}) = \mathcal{G}$ for all $t \ge 0$ since the communication topology is assumed to be fixed in this subsection. To derive the main results, the following assumption is needed.

Assumption 3. The communication topology $\mathcal{G}$ contains a directed spanning tree with the leader as the root.

Remark 14. The condition that the communication topology $\mathcal{G}$ contains a directed spanning tree is very mild, as it may still be satisfied even if the interaction graph among the followers does not contain any directed spanning tree.

Since the leader has no neighbors, the Laplacian matrix $L$ associated with the communication topology $\mathcal{G}$ can be partitioned as

$$L = \begin{pmatrix} 0 & 0_{N-1}^T \\ q & \widetilde{L} \end{pmatrix}, \tag{41}$$

where $q \in \mathbb{R}^{N-1}$ and $\widetilde{L} \in \mathbb{R}^{(N-1) \times (N-1)}$. Under Assumption 3, it follows from Lemma 1 that the Laplacian matrix $L$ of $\mathcal{G}$ has a simple zero eigenvalue and all the other eigenvalues have positive real parts. Obviously, all the eigenvalues of $\widetilde{L}$ defined in (41) have positive real parts. Based on the above analysis and according to Lemma 9, $\widetilde{L}$ is a nonsingular M-matrix and is also a diagonally dominant matrix according to the definition of Laplacian matrix. Thus, motivated by Theorem 4.25 in Qu (2009), one can get the following lemma.

Lemma 15. Suppose that Assumption 3 holds. Then, there exists a positive vector $\theta = (\theta_1, \cdots, \theta_{N-1})^T \in \mathbb{R}^{N-1}$, such that $\widetilde{L}^T \theta = 1_{N-1}$ and

$$\Theta \widetilde{L} + \widetilde{L}^T \Theta > 0,$$

where $\Theta = \mathrm{diag}\{\theta_1, \cdots, \theta_{N-1}\}$, and $\widetilde{L}$ is defined in (41).

Since $u_1(t) \equiv 0_p$, one has

$$\dot{x}_1(t) = A x_1(t) + C f(x_1(t), t).$$


Furthermore, substituting (39) into (37) gives a closed-loop system:

$$\dot{x}_i(t) = A x_i(t) + C f(x_i(t), t) + \alpha B F \sum_{j=1}^{N} a_{ij} \left( x_j(t) - x_i(t) \right),$$

where $\mathcal{A} = [a_{ij}]_{N \times N}$ is the adjacency matrix of graph $\mathcal{G}$, $i = 2, \cdots, N$. Define $e_i(t) = x_i(t) - x_1(t)$, $i = 2, \cdots, N$, and $e(t) = (e_2^T(t), \cdots, e_N^T(t))^T$. It is easy to verify that $e(t) = 0_{(N-1)n}$ if and only if $x_1(t) = x_2(t) = \cdots = x_N(t)$, for all $t \ge 0$. Based on the above analysis, one has the following error dynamical system:

$$\dot{e}_i(t) = A e_i(t) + C \left( f(x_i(t), t) - f(x_1(t), t) \right) - \alpha B F \sum_{j=1}^{N} \widetilde{l}_{ij}(t) e_j(t), \tag{42}$$

where $\widetilde{L} = [\widetilde{l}_{ij}]_{(N-1) \times (N-1)}$ is given in (41). Rewriting (42) into a compact form, one has

$$\dot{e}(t) = (I_{N-1} \otimes A)\, e(t) + \widetilde{f}(x(t), t) - \alpha \left( \widetilde{L} \otimes BF \right) e(t), \tag{43}$$

where $\widetilde{f}(x(t), t) = \left[ C (f(x_2(t), t) - f(x_1(t), t))^T, \cdots, (f(x_N(t), t) - f(x_1(t), t))^T \right]^T$.

Remark 15. The consensus tracking problem of multi-agent system (37) is solved by protocol (39) if and only if the equilibrium point $e(t) = 0_{(N-1)n}$ of the error dynamical system (43) is globally attractive.

Before moving on, a multistep design procedure is given for selecting the control parameters of protocol (39) under a fixed topology $\mathcal{G}$.

Algorithm 1. Under Assumptions 2 and 3, the consensus protocol (39) can be designed as follows:

(1) Solve the following linear matrix equation:

$$\widetilde{L}^T \theta = 1_{N-1},$$

to get a positive vector $\theta = (\theta_1, \cdots, \theta_{N-1})^T$.

(2) Solve the following LMI:

$$\begin{pmatrix} AS + SA^T - c\frac{1}{\theta_0} BB^T + \rho^2 CC^T + \beta S & S \\ S & -I \end{pmatrix} < 0, \tag{44}$$


with $\theta_0 = \max_i \theta_i$, $i \in \{1, \cdots, N-1\}$ and $\rho$ given in (38), to get a matrix $S > 0$, and two scalars $c > 0$ and $\beta > 0$. Then, take $F = \frac{1}{2} B^T S^{-1}$.

(3) Choose the coupling strength $\alpha > 2c/\lambda_0$, where $\lambda_0 = \lambda_{\min}\left( \Theta \widetilde{L} + \widetilde{L}^T \Theta \right)$, and $\Theta = \mathrm{diag}\{\theta_1, \cdots, \theta_{N-1}\}$.

Then, one can establish the following theorem.

Theorem 5. Suppose that Assumptions 2 and 3 hold, and the LMI (44) has a feasible solution. Then, the consensus tracking problem for system (37) can be solved by protocol (39) constructed in Algorithm 1.

Proof. Construct the following multiple Lyapunov function candidate for the error dynamical system (43):

$$V(t) = e^T(t) \left( \Theta \otimes S^{-1} \right) e(t),$$

where $\Theta$ is defined in step 3) of Algorithm 1, and the positive definite matrix $S$ is a solution of (44). Taking the time derivative of $V(t)$ along the trajectories of system (43) gives

$$\dot{V}(t) = e^T(t) \left( \Theta \otimes S^{-1} A + \Theta \otimes A^T S^{-1} \right) e(t) - 2\alpha e^T(t) \left( \Theta \widetilde{L} \otimes S^{-1} BF \right) e(t) + 2 \sum_{i=2}^{N} \theta_i e_i^T(t) S^{-1} C \left( f(x_i(t), t) - f(x_1(t), t) \right). \tag{45}$$

Substituting $F = \frac{1}{2} B^T S^{-1}$ into (45) yields

$$\dot{V}(t) = e^T(t) \left( \Theta \otimes S^{-1} A + \Theta \otimes A^T S^{-1} \right) e(t) - 2\alpha e^T(t) \left( \Theta \widetilde{L} \otimes S^{-1} BB^T S^{-1} \right) e(t) + 2 \sum_{i=2}^{N} \theta_i e_i^T(t) S^{-1} C \left( f(x_i(t), t) - f(x_1(t), t) \right). \tag{46}$$

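Based on Assumption 2 and according to Lemmas 10 and 11, it follows from (46) that

$$\begin{aligned} \dot{V}(t) \le{} & e^T(t) \left( \Theta \otimes S^{-1} A + \Theta \otimes A^T S^{-1} \right) e(t) - \alpha e^T(t) \left( \Theta \widetilde{L} \otimes S^{-1} BB^T S^{-1} \right) e(t) \\ & + \sum_{i=2}^{N} \theta_i e_i^T(t) \left( \rho^2 S^{-1} CC^T S^{-1} + I \right) e_i(t) \\ ={} & e^T(t) \left[ \Theta \otimes \left( S^{-1} A + A^T S^{-1} + \rho^2 S^{-1} CC^T S^{-1} + I \right) \right] e(t) \\ & - \frac{\alpha}{2} e^T(t) \left[ \left( \Theta \widetilde{L} + \widetilde{L}^T \Theta \right) \otimes S^{-1} BB^T S^{-1} \right] e(t). \end{aligned} \tag{47}$$

Let $\varepsilon(t) = \left( \varepsilon_1^T(t), \cdots, \varepsilon_{N-1}^T(t) \right)^T$, where $\varepsilon_i(t) = S^{-1} e_{i+1}(t)$, $i = 1, \cdots, N-1$. Obviously, $e(t) = (I_{N-1} \otimes S)\varepsilon(t)$. It thus follows from (47) that

$$\dot{V}(t) \le \varepsilon^T(t) \left[ \Theta \otimes \left( AS + SA^T + \rho^2 CC^T + S^T S \right) \right] \varepsilon(t) - \frac{\alpha}{2} \varepsilon^T(t) \left[ \left( \Theta \widetilde{L} + \widetilde{L}^T \Theta \right) \otimes BB^T \right] \varepsilon(t). \tag{48}$$

Then, one has

$$\dot{V}(t) \le \varepsilon^T(t) \left[ \Theta \otimes \left( AS + SA^T + \rho^2 CC^T + S^T S \right) \right] \varepsilon(t) - \frac{\alpha \lambda_0}{2} \varepsilon^T(t) \left( I_{N-1} \otimes BB^T \right) \varepsilon(t), \tag{49}$$

where $\lambda_0 = \lambda_{\min}\left( \Theta \widetilde{L} + \widetilde{L}^T \Theta \right)$. Since $\alpha > 2c/\lambda_0$, it follows from (49) that

$$\begin{aligned} \dot{V}(t) \le{} & \varepsilon^T(t) \left[ \Theta \otimes \left( AS + SA^T + \rho^2 CC^T + S^T S \right) \right] \varepsilon(t) - \varepsilon^T(t) \left( I_{N-1} \otimes cBB^T \right) \varepsilon(t) \\ \le{} & \varepsilon^T(t) \left[ \Theta \otimes \left( AS + SA^T + \rho^2 CC^T + S^T S \right) \right] \varepsilon(t) - \frac{1}{\theta_0} \varepsilon^T(t) \left( \Theta \otimes cBB^T \right) \varepsilon(t), \end{aligned} \tag{50}$$

where $\theta_0 = \max_i \theta_i$, $i \in \{1, \cdots, N-1\}$. Using (44) and Lemma 8, it follows from (50) that

$$\dot{V}(t) \le -\beta \varepsilon^T(t) \left( \Theta \otimes S \right) \varepsilon(t) = -\beta e^T(t) \left( \Theta \otimes S^{-1} \right) e(t).$$

Thus, one gets

$$V(t) < e^{-\beta t} V(0), \tag{51}$$

for all $t > 0$. Then, one concludes that $e(t) \to 0$ as $t \to +\infty$. Thus, the consensus tracking problem in multi-agent system (37) is solved by distributed consensus tracking protocol (39), constructed in Algorithm 1. This completes the proof.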
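Steps (1) and (3) of Algorithm 1 depend only on the topology, so they can be checked numerically before any LMI is solved. The following Python is an added example, not code from the handbook: it builds the follower block of (41) from an adjacency matrix, solves the step (1) equation, verifies the positivity claims of Lemma 15, and returns λ0 and the lower bound 2c/λ0 on α. The scalar c is assumed to come from a feasible solution of LMI (44), which is not solved here; the graphs `CHAIN` and `STAR`, the value c = 1 and all function names are constructed for illustration.

```python
import math

def follower_block(adj):
    """Follower block of the Laplacian in (41).
    adj[i][j] > 0 means agent i receives from agent j; index 0 is the leader."""
    n = len(adj)
    if any(adj[0][j] != 0 for j in range(n)):
        raise ValueError("the leader (index 0) must have no neighbors")
    lap = [[-float(adj[i][j]) for j in range(n)] for i in range(n)]
    for i in range(n):
        lap[i][i] = float(sum(adj[i][j] for j in range(n) if j != i))
    return [row[1:] for row in lap[1:]]

def solve_linear(mat, rhs):
    """Gaussian elimination with partial pivoting; ValueError if singular."""
    n = len(mat)
    aug = [[float(v) for v in mat[i]] + [float(rhs[i])] for i in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[piv][col]) < 1e-12:
            raise ValueError("singular follower block: no spanning tree rooted at the leader")
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(col + 1, n):
            factor = aug[r][col] / aug[col][col]
            for k in range(col, n + 1):
                aug[r][k] -= factor * aug[col][k]
    x = [0.0] * n
    for i in reversed(range(n)):
        tail = sum(aug[i][k] * x[k] for k in range(i + 1, n))
        x[i] = (aug[i][n] - tail) / aug[i][i]
    return x

def min_eig_symmetric(sym, sweeps=60):
    """Smallest eigenvalue of a symmetric matrix by cyclic Jacobi rotations."""
    n = len(sym)
    a = [[float(v) for v in row] for row in sym]
    for _ in range(sweeps):
        off = sum(a[p][q] ** 2 for p in range(n) for q in range(p + 1, n))
        if off < 1e-22:
            break
        for p in range(n):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                ang = 0.5 * math.atan2(2.0 * a[p][q], a[q][q] - a[p][p])
                c, s = math.cos(ang), math.sin(ang)
                for k in range(n):          # rotate columns p and q
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):          # rotate rows p and q
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return min(a[i][i] for i in range(n))

def design_topology_terms(adj, c):
    """Steps (1) and (3) of Algorithm 1 for a given topology and a given c > 0."""
    lt = follower_block(adj)
    n = len(lt)
    lt_transposed = [[lt[j][i] for j in range(n)] for i in range(n)]
    theta = solve_linear(lt_transposed, [1.0] * n)      # step (1)
    if min(theta) <= 0.0:
        raise ValueError("theta is not positive: Assumption 3 does not hold")
    # (Theta*Lt + Lt^T*Theta)_ij = theta_i*lt_ij + lt_ji*theta_j
    m = [[theta[i] * lt[i][j] + lt[j][i] * theta[j] for j in range(n)] for i in range(n)]
    lambda0 = min_eig_symmetric(m)
    if lambda0 <= 0.0:
        raise ValueError("Theta*Lt + Lt^T*Theta is not positive definite")
    return {"theta": theta, "theta0": max(theta),        # theta0 enters LMI (44)
            "lambda0": lambda0, "alpha_min": 2.0 * c / lambda0}  # step (3)

# Constructed sample graphs: leader 0 and three followers.
CHAIN = [[0, 0, 0, 0], [1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0]]  # 0 -> 1 -> 2 -> 3
STAR = [[0, 0, 0, 0], [1, 0, 0, 0], [1, 0, 0, 0], [1, 0, 0, 0]]   # followers hear only the leader

if __name__ == "__main__":
    for name, graph in (("chain", CHAIN), ("star", STAR)):
        print(name, design_topology_terms(graph, c=1.0))
```

In `STAR` the followers share no edges among themselves, which is the situation Remark 14 describes: the follower graph has no spanning tree, yet step (1) still yields a positive θ.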


Remark 16. According to Algorithm 1, one gets that the existence of protocol (39) depends on the solvability of the LMI (44). It can be seen from (51) that consensus tracking can be achieved in the closed-loop system (37) with protocol (39) constructed in Algorithm 1 if LMI (44) is solvable for some given positive scalars $\beta$ and $c$. More specifically, the selections of $\beta$ and $c$ do not influence the qualitative results given in Theorem 5. The above analysis indicates that both $\beta$ and $c$ are free positive scalars in (44). Furthermore, $\theta_0$ is a fixed positive scalar for a given communication topology $\mathcal{G}$. Thus, the solvability of (44) is equivalent to the following feasible problem: there exist a scalar $\iota > 0$ and a matrix $P > 0$ such that

$$\begin{pmatrix} AP + PA^T - \iota BB^T + \rho^2 CC^T & P \\ P & -I \end{pmatrix} < 0. \tag{52}$$

By using Finsler's Lemma (de Oliveira et al. 2001) and Lemma 8, one gets that there exist a scalar $\iota > 0$ and a matrix $P > 0$ such that (52) holds if and only if there exist matrices $P > 0$ and $E \in \mathbb{R}^{p \times n}$ such that the following algebraic Riccati inequality holds:

$$(A - BE)P + P(A - BE)^T + \rho^2 CC^T + P^2 < 0. \tag{53}$$

According to the bounded real lemma (Wang et al. 2009b), one gets that (53) holds if and only if there exists a matrix $E \in \mathbb{R}^{p \times n}$ such that $\left\| \rho C^T \left( sI - (A - BE)^T \right)^{-1} \right\|_\infty < 1$, i.e.,

$$\left\| C^T \left( sI - (A - BE)^T \right)^{-1} \right\|_\infty < 1/\rho. \tag{54}$$

Thus, LMI (44) is solvable if and only if there exists a matrix $E \in \mathbb{R}^{p \times n}$ such that (54) holds.

Remark 17. Note that a necessary and sufficient condition for the solvability of LMI (44) was provided in Remark 16. Noticeably, it can be seen from Remark 16 that stabilizability of $(A, B)$ is a necessary condition for the solvability of LMI (44).

4.3 Consensus Tracking in Networks with Every Possible Topology Containing a Directed Spanning Tree

Based on the results given in Sect. 4.2, consensus tracking is considered in this subsection for multi-agent system (37) with each possible topology containing a directed spanning tree.


Suppose that there exists an infinite sequence of uniformly bounded nonoverlapping time intervals $[t_k, t_{k+1})$, $k \in \mathbb{N}$, with $t_1 = 0$, $\tau_1 \ge t_{k+1} - t_k \ge \tau_0 > 0$, across which the interaction graph is time-invariant. Here, the positive constant $\tau_0$ is called the dwell time. The time sequence $t_1, t_2, \cdots$ is called the switching sequence, at which the interaction graph changes. For convenience of analysis, introduce a switching signal $s(t): [0, +\infty) \to \{1, \cdots, m\}$. Then, let $\mathcal{G}^{s(t)}$ be the interaction graph of system (37) at time $t \ge 0$. Obviously, $\mathcal{G}^{s(t)} \in \widehat{\mathcal{G}}$ for all $t \ge 0$, where $\widehat{\mathcal{G}} = \{\mathcal{G}^1, \cdots, \mathcal{G}^m\}$, $m \ge 1$, denotes the set of all possible directed interaction graphs. From the above, it can be seen that the communication topology $\mathcal{G}^{s(t)}$ is fixed for $t \in [t_k, t_{k+1})$, $k \in \mathbb{N}$.

Assumption 4. Each possible communication topology $\mathcal{G}^i$, $i \in \{1, \cdots, m\}$, contains a directed spanning tree with the leader as the root.

Based on the analysis, one knows that the interaction graph $\mathcal{G}(t) = \mathcal{G}^{s(t)} \in \widehat{\mathcal{G}}$, for all $t \ge 0$, where $\widehat{\mathcal{G}} = \{\mathcal{G}^1, \cdots, \mathcal{G}^m\}$. Since the leader has no neighbors, the Laplacian matrix $L^{s(t)}$ associated with the interaction graph $\mathcal{G}^{s(t)}$ can be partitioned as

$$L^{s(t)} = \begin{pmatrix} 0 & 0_{N-1}^T \\ q^{s(t)} & \widetilde{L}^{s(t)} \end{pmatrix}, \tag{55}$$

where $q^{s(t)} \in \mathbb{R}^{N-1}$, $\widetilde{L}^{s(t)} \in \mathbb{R}^{(N-1) \times (N-1)}$, and $t \ge 0$. Under Assumption 4, it follows from Lemma 1 that the Laplacian matrix $L^{s(t)}$ of $\mathcal{G}^{s(t)}$ has a simple zero eigenvalue and all the other eigenvalues have positive real parts. By some simple calculations, one can show that all the eigenvalues of $\widetilde{L}^{s(t)}$ defined in (55) have positive real parts. Based on the above analysis and according to Lemma 9, $\widetilde{L}^{s(t)}$ is a nonsingular M-matrix. Similar to Lemma 15, one gets the following lemma.

Lemma 16. Suppose that Assumption 4 holds. Then, there exist positive vectors $\theta^{s(t)} = \left( \theta_1^{s(t)}, \cdots, \theta_{N-1}^{s(t)} \right)^T \in \mathbb{R}^{N-1}$, such that $\left( \widetilde{L}^{s(t)} \right)^T \theta^{s(t)} = 1_{N-1}$ and

$$\Theta^{s(t)} \widetilde{L}^{s(t)} + \left( \widetilde{L}^{s(t)} \right)^T \Theta^{s(t)} > 0,$$

where $\Theta^{s(t)} = \mathrm{diag}\left\{ \theta_1^{s(t)}, \cdots, \theta_{N-1}^{s(t)} \right\}$, for all $t \ge 0$.

Since $\mathcal{G}(\mathcal{A}) = \mathcal{G}^{s(t)}$ for all $t \ge 0$, the tracking protocol (39) can be rewritten as

$$u_i(t) = \alpha F \sum_{j=1}^{N} a_{ij}^{s(t)} \left( x_j(t) - x_i(t) \right), \quad i = 2, \cdots, N, \tag{56}$$


where $\alpha > 0$ represents the coupling strength, $F \in \mathbb{R}^{p \times n}$ is the feedback gain matrix to be designed, and $\mathcal{A}^{s(t)} = \left[ a_{ij}^{s(t)} \right]_{N \times N}$ is the adjacency matrix of graph $\mathcal{G}^{s(t)}$. Define $e_i(t) = x_i(t) - x_1(t)$, $i = 2, \cdots, N$, and $e(t) = (e_2^T(t), \cdots, e_N^T(t))^T$. It is easy to verify that $e(t) = 0_{(N-1)n}$ if and only if $x_1(t) = x_2(t) = \cdots = x_N(t)$, for all $t \ge 0$. Similar to the analysis given in Sect. 4.2, one has the following error dynamical system:

$$\dot{e}_i(t) = A e_i(t) + C \left( f(x_i(t), t) - f(x_1(t), t) \right) - \alpha B F \sum_{j=1}^{N} \widetilde{l}_{ij}^{\,s(t)}(t) e_j(t), \tag{57}$$

where $\widetilde{L}^{s(t)} = \left[ \widetilde{l}_{ij}^{\,s(t)} \right]_{(N-1) \times (N-1)}$ is given in (55). Rewriting (57) into a compact form, one has

$$\dot{e}(t) = (I_{N-1} \otimes A)\, e(t) + \widetilde{f}(x(t), t) - \alpha \left( \widetilde{L}^{s(t)} \otimes BF \right) e(t), \tag{58}$$

where $\widetilde{f}(x(t), t) = \left[ C (f(x_2(t), t) - f(x_1(t), t))^T, \cdots, (f(x_N(t), t) - f(x_1(t), t))^T \right]^T$.

Remark 18. Note that $e(t) = 0_{(N-1)n}$ is an equilibrium point for the switched systems (58). Furthermore, it is easy to verify that the distributed consensus tracking problem of multi-agent system (37) is solved by protocol (56) if and only if the equilibrium point $e(t) = 0_{(N-1)n}$ of (58) is globally attractive. It is also worth noting that the derivative of $e(t)$ at any switching instant is its right derivative.

Before moving on, a multistep design procedure is given for selecting the control parameters of protocol (56).

Algorithm 2. Under Assumptions 2 and 4, the consensus tracking protocol (56) can be designed as follows:

(1) Solve the following $m$ linear matrix equations:

$$\left( \widetilde{L}^i \right)^T \theta^i = 1_{N-1},$$

to get positive vectors $\theta^i = (\theta_1^i, \cdots, \theta_{N-1}^i)^T$, where $i = 1, \cdots, m$.

(2) Solve the following LMI:

$$\begin{pmatrix} AS + SA^T - c\frac{1}{\bar{\theta}} BB^T + \rho^2 CC^T + \beta S & S \\ S & -I \end{pmatrix} < 0, \tag{59}$$


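where $\bar{\theta} = \max_{i,j} \theta_j^i$, $i \in \{1, \cdots, m\}$, $j \in \{1, \cdots, N-1\}$, to get a matrix $S > 0$, and two scalars $c > 0$ and $\beta > 0$. Then, take $F = \frac{1}{2} B^T S^{-1}$.

(3) Choose the coupling strength $\alpha > 2c/\lambda_0$, where $\lambda_0 = \min_{i=1,\cdots,m} \lambda_{\min}\left( \Theta^i \widetilde{L}^i + (\widetilde{L}^i)^T \Theta^i \right)$, and $\Theta^i = \mathrm{diag}\left\{ \theta_1^i, \cdots, \theta_{N-1}^i \right\}$, $i = 1, \cdots, m$.

Then, one can establish the following theorem.

Theorem 6. Suppose that Assumptions 2 and 3 hold and the LMI (59) has a feasible solution. Then, the consensus tracking problem for system (37) can be solved by protocol (56) constructed in Algorithm 2, if the dwell time $\tau_0 > (\ln r_0)/\beta$, where $r_0 = \bar{\theta}/\tilde{\theta}$, $\bar{\theta} = \max_{i,j} \theta_j^i$, $\tilde{\theta} = \min_{i,j} \theta_j^i$, $i \in \{1, \cdots, m\}$, and $j = 1, \cdots, N-1$.

Proof. Construct the following multiple Lyapunov function candidate for the switched systems (58):

$$V(t) = e^T(t) \left( \Theta^{s(t)} \otimes S^{-1} \right) e(t), \tag{60}$$

where $\Theta^{s(t)} \in \{\Theta^1, \cdots, \Theta^m\}$, with matrices $\Theta^i$, $i = 1, \cdots, m$, defined in step 3) of Algorithm 2 and the positive definite matrix $S$ is a solution of (59). Note that the communication topology $\mathcal{G}^{s(t)}$ is fixed for $t \in [t_1, t_2)$. Then, similar to the proof of Theorem 5, one gets that

$$\dot{V}(t) \le \varepsilon^T(t) \left[ \Theta^{s(t)} \otimes \left( AS + SA^T + \rho^2 CC^T + S^T S \right) \right] \varepsilon(t) - \frac{\alpha \lambda_0}{2} \varepsilon^T(t) \left( I_{N-1} \otimes BB^T \right) \varepsilon(t), \quad t \in [t_1, t_2), \tag{61}$$

where $\varepsilon(t) = \left( \varepsilon_1(t)^T, \cdots, \varepsilon_{N-1}(t)^T \right)^T$, $\varepsilon_i(t) = S^{-1} e_{i+1}(t)$, $i = 1, \cdots, N-1$, and $\lambda_0 = \min_{i=1,\cdots,m} \lambda_{\min}\left( \Theta^i \widetilde{L}^i + (\widetilde{L}^i)^T \Theta^i \right)$. Since $\alpha > 2c/\lambda_0$, it follows from (61) that

$$\begin{aligned} \dot{V}(t) \le{} & \varepsilon^T(t) \left[ \Theta^{s(t)} \otimes \left( AS + SA^T + \rho^2 CC^T + S^T S \right) - I_{N-1} \otimes cBB^T \right] \varepsilon(t) \\ \le{} & \varepsilon^T(t) \left[ \Theta^{s(t)} \otimes \left( AS + SA^T + \rho^2 CC^T + S^T S - \frac{c}{\bar{\theta}} BB^T \right) \right] \varepsilon(t), \end{aligned} \tag{62}$$

where $\bar{\theta} = \max_{i,j} \theta_j^i$, $i \in \{1, \cdots, m\}$, $j \in \{1, \cdots, N-1\}$. Using (59) and Lemma 8, it follows from (62) that

$$\dot{V}(t) \le -\beta \varepsilon^T(t) \left( \Theta^{s(t)} \otimes S \right) \varepsilon(t) = -\beta e^T(t) \left( \Theta^{s(t)} \otimes S^{-1} \right) e(t),$$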


where $t \in [t_1, t_2)$. Note that the closed-loop multi-agent system (37) with protocol (56) switches at $t = t_2$. It thus follows from the above analysis that $V(t_2^-) < V(t_1) e^{-\beta(t_2 - t_1)} < e^{-\beta\tau_0} V(t_1)$. According to (60), one gets that $V(t_2) \le r_0 V(t_2^-)$, with $r_0 = \bar{\theta}/\tilde{\theta}$, $\bar{\theta} = \max_{i,j} \theta_j^i$, $\tilde{\theta} = \min_{i,j} \theta_j^i$, $i \in \{1, \cdots, m\}$, and $j \in \{1, \cdots, N-1\}$. Thus, one gets $V(t_2) < r_0 e^{-\beta\tau_0} V(t_1)$, i.e.,

$$V(t_2) < e^{(-\beta\tau_0 + \ln r_0)} V(0). \tag{63}$$

According to the fact that $\tau_0 > \ln r_0/\beta$, one gets that $\beta - \ln r_0/\tau_0 > 0$. Based on the above analysis, it follows from (63) that $V(t_2) < e^{-\kappa\tau_0} V(0)$, where $\kappa = \beta - (\ln r_0)/\tau_0 > 0$. For an arbitrarily given $t > t_2$, there exists a positive integer $z \ge 2$ such that $t_z < t \le t_{z+1}$. Furthermore, for an arbitrarily given $h \in \mathbb{N}$, one gets the following inequality by recursion:

$$V(t_{h+1}) < e^{-\kappa\tau_0} V(t_h) < e^{-h\kappa\tau_0} V(0).$$

When $t \in (t_z, t_{z+1})$, based on the above analysis, one gets V (t) 0, $\sup_{k \in \mathbb{N}} (t_{k+1} - t_k) < \varepsilon_1$, such that $\mathcal{G}^{s(t)} = \mathcal{G}^1$, $t \in [t_k, t_k + \delta_k)$, where $\tau_0 < \delta_k < t_{k+1} - t_k$, $k \in \mathbb{N}$.

The objective in this subsection is to construct a distributed tracking algorithm to realize consensus tracking in the multi-agent system (37) from an intermittent control approach. Specifically, the multiple agents only share their information with their neighbors when $t \in [t_k, t_{k+1})$, $k \in \mathbb{N}$. In this case, the protocol (39) can be specified as

$$u_i(t) = \begin{cases} \alpha F \sum_{j=1}^{N} a_{ij}^1 \left( x_j(t) - x_i(t) \right), & t \in [t_k, t_k + \delta_k), \\ 0, & t \in [t_k + \delta_k, t_{k+1}),\ k \in \mathbb{N}, \end{cases} \tag{67}$$

where $\alpha > 0$ represents the coupling strength, $F \in \mathbb{R}^{p \times n}$ is the feedback gain matrix to be designed, and $\mathcal{A}^1 = \left[ a_{ij}^1 \right]_{N \times N}$ is the adjacency matrix of $\mathcal{G}^1$.


Remark 20. Generally speaking, it is more difficult to solve the consensus tracking problem for nonlinear multi-agent systems with communication topology frequently having a directed spanning tree than the case where each possible topology contains a directed spanning tree. To deal with this challenging case, a communication restoration mechanism is employed to restore the topology to its initial form. Furthermore, it is assumed that the multiple agents have the ability to discard communications when the network topology does not contain any directed spanning tree. Specifically, each agent will evolve according to its own intrinsic dynamics by discarding the information from its neighbors when the communication topology does not contain any spanning tree. Obviously, the condition that the topologies frequently contain a directed spanning tree is stronger than that the topologies jointly have a directed spanning tree. Additionally, it is unknown whether it is possible to solve the consensus tracking problem of multi-agent system (37) with topologies that only jointly have a directed spanning tree.

Since $\mathcal{G}^1$ contains a directed spanning tree with the leader being the root, the Laplacian matrix $L^1$ associated with the interaction graph $\mathcal{G}^1$ can be partitioned as

$$L^1 = \begin{pmatrix} 0 & 0_{N-1}^T \\ q^1 & \widetilde{L}^1 \end{pmatrix},$$

where $q^1 \in \mathbb{R}^{N-1}$, $\widetilde{L}^1 \in \mathbb{R}^{(N-1) \times (N-1)}$, and $t \ge 0$. Similarly to the analysis given in the last subsection, one can show that $\widetilde{L}^1$ is a nonsingular M-matrix. Since the dynamic evolution of the leader will not be affected by those of the followers, one gets that $\dot{x}_1(t) = A x_1(t) + C f(x_1(t), t)$. Furthermore, substituting (67) into (37) yields

$$\begin{aligned} \dot{x}_i(t) &= A x_i(t) + C f(x_i(t), t) + \alpha B F \sum_{j=1}^{N} a_{ij}^1 \left( x_j(t) - x_i(t) \right), && t \in [t_k, t_k + \delta_k), \\ \dot{x}_i(t) &= A x_i(t) + C f(x_i(t), t), && t \in [t_k + \delta_k, t_{k+1}), \end{aligned}$$

where $k \in \mathbb{N}$, and $i = 2, \cdots, N$. Let $e_i(t) = x_i(t) - x_1(t)$, $i = 2, \cdots, N$, and $e(t) = (e_2(t)^T, \cdots, e_N(t)^T)^T$. Then, one has the following error dynamic system

$$\begin{aligned} \dot{e}(t) &= (I_{N-1} \otimes A)\, e(t) + \widetilde{f}(x(t), t) - \alpha \left( \widetilde{L}^1 \otimes BF \right) e(t), && t \in [t_k, t_k + \delta_k), \\ \dot{e}(t) &= (I_{N-1} \otimes A)\, e(t) + \widetilde{f}(x(t), t), && t \in [t_k + \delta_k, t_{k+1}), \end{aligned} \tag{68}$$

where $\widetilde{f}(x(t), t) = \left[ C (f(x_2(t), t) - f(x_1(t), t))^T, \cdots, (f(x_N(t), t) - f(x_1(t), t))^T \right]^T$. Obviously, consensus tracking in the closed-loop multi-agent system (37) can be achieved if and only if $\lim_{t \to \infty} e(t) = 0$. In the following, a multistep design procedure is given to select the control parameters of protocol (67) for achieving consensus tracking.

Algorithm 3. The consensus protocol (67) can be designed as follows:

(1) Solve the following linear matrix equation:

$$\left( \widetilde{L}^1 \right)^T \xi = 1_{N-1}, \tag{69}$$

to get a positive vector $\xi = (\xi_1, \cdots, \xi_{N-1})^T \in \mathbb{R}^{N-1}$.

(2) Solve the following LMI:

$$\begin{pmatrix} AS + SA^T - \frac{c}{\xi_{\max}} BB^T + \rho^2 CC^T + \beta S & S \\ S & -I \end{pmatrix} < 0, \tag{70}$$

where $\xi_{\max} = \max_{i=1,\cdots,N-1} \xi_i$, to get a matrix $S > 0$, and two scalars $c > 0$, $\beta > 0$. Then, take $F = \frac{1}{2} B^T S^{-1}$.

(3) Solve the following LMI:

$$\begin{pmatrix} A^T Q + QA + I_n - \gamma Q & \rho QC \\ \rho C^T Q & -I \end{pmatrix} < 0, \tag{71}$$

to get a matrix $Q > 0$, and a scalar $\gamma > 0$.

(4) Choose the coupling strength $\alpha > (2c)/\nu_0$, where $c$ is defined in (70), $\nu_0 = \lambda_{\min}\left( \Xi \widetilde{L}^1 + (\widetilde{L}^1)^T \Xi \right)$, $\Xi = \mathrm{diag}\{\xi_1, \cdots, \xi_{N-1}\}$, and $\xi = (\xi_1, \cdots, \xi_{N-1})^T$ is given in (69).

Define $r_k = \delta_k/(t_{k+1} - t_k)$, which indicates the communication rate on the $k$th time interval $[t_k, t_{k+1})$, $k \in \mathbb{N}$. Then, one can establish the following theorem.

Theorem 7. Suppose that Assumption 2 holds and $\mathcal{G}^1$ contains a directed spanning tree and the LMIs (70) and (71) have feasible solutions. Then, the consensus tracking problem of system (37) can be solved by the protocol (67) constructed in Algorithm 3, if the communication rate

$$r_k > \frac{\gamma}{\beta+\gamma} + \frac{2 \ln \mu}{(\beta+\gamma)(t_{k+1} - t_k)},$$

where

$$\mu = \max\left\{ \frac{\xi_{\max} \lambda_{\max}(S^{-1})}{\xi_{\min} \lambda_{\min}(Q)}, \frac{\xi_{\max} \lambda_{\max}(Q)}{\xi_{\min} \lambda_{\min}(S^{-1})} \right\},$$

in which $k \in \mathbb{N}$, $\xi_{\max} = \max_{i=1,\cdots,N-1} \xi_i$, $\xi_{\min} = \min_{i=1,\cdots,N-1} \xi_i$, $\xi = (\xi_1, \cdots, \xi_{N-1})^T$ is defined in (69), and $S$ and $Q$ are positive definite solutions of (70) and (71), respectively.


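Proof. Construct the following multiple Lyapunov function candidate for the switched systems (68):

$$V(t) = \begin{cases} e^T(t) \left( \Xi \otimes S^{-1} \right) e(t), & t \in [t_k, t_k + \delta_k), \\ e^T(t) \left( \Xi \otimes Q \right) e(t), & t \in [t_k + \delta_k, t_{k+1}), \end{cases}$$

where $k \in \mathbb{N}$, $\Xi = \mathrm{diag}\{\xi_1, \cdots, \xi_{N-1}\}$, and $\xi = (\xi_1, \cdots, \xi_{N-1})^T$ is defined in (69), and matrices $S$ and $Q$ are the positive definite solutions of (70) and (71), respectively.

For $t \in [t_k, t_k + \delta_k)$, $k \in \mathbb{N}$, let $\varepsilon(t) = \left( \varepsilon_1^T(t), \cdots, \varepsilon_{N-1}^T(t) \right)^T$, where $\varepsilon_i(t) = S^{-1} e_i(t)$, $i = 1, \cdots, N-1$. Obviously, $e(t) = (I_{N-1} \otimes S)\varepsilon(t)$. It thus follows from (48) that

$$\dot{V}(t) \le \varepsilon^T(t) \left[ \Xi \otimes \left( AS + SA^T + \rho^2 CC^T + S^T S \right) - \frac{\alpha}{2} \left( \Xi \widetilde{L}^1 + (\widetilde{L}^1)^T \Xi \right) \otimes BB^T \right] \varepsilon(t).$$

Based on the above analysis and according to step (4) in Algorithm 3, one has

$$\begin{aligned} \dot{V}(t) \le{} & \varepsilon^T(t) \left[ \Xi \otimes \left( AS + SA^T + \rho^2 CC^T + S^T S \right) - \frac{\alpha \nu_0}{2} I_{N-1} \otimes BB^T \right] \varepsilon(t) \\ \le{} & \varepsilon^T(t) \left[ \Xi \otimes \left( AS + SA^T + \rho^2 CC^T + S^T S \right) - \frac{1}{\xi_{\max}} \Xi \otimes cBB^T \right] \varepsilon(t), \end{aligned} \tag{72}$$

where $\nu_0 = \lambda_{\min}\left( \Xi \widetilde{L}^1 + (\widetilde{L}^1)^T \Xi \right)$, $\xi_{\max} = \max_{i=1,\cdots,N-1} \xi_i$. Using (70) and Lemma 8, it follows from (72) that

$$\dot{V}(t) \le -\beta \varepsilon^T(t) \left( \Xi \otimes S \right) \varepsilon(t) = -\beta e^T(t) \left( \Xi \otimes S^{-1} \right) e(t). \tag{73}$$

For $t \in [t_k + \delta_k, t_{k+1})$, $k \in \mathbb{N}$, taking the time derivative of $V(t)$ along the trajectories of system (68) gives

$$\dot{V}(t) = e^T(t) \left( \Xi \otimes QA + \Xi \otimes A^T Q \right) e(t) + 2 \sum_{i=1}^{N-1} \xi_i e_i^T(t) QC \left( f(x_i(t), t) - f(x_1(t), t) \right).$$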


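Based on the above analysis and according to Lemma 11, one gets

$$\begin{aligned} \dot{V}(t) \le{} & e^T(t) \left( \Xi \otimes QA + \Xi \otimes A^T Q \right) e(t) + \sum_{i=1}^{N} \xi_i e_i^T(t) \left( \rho^2 QCC^T Q + I \right) e_i(t) \\ ={} & e^T(t) \left[ \Xi \otimes \left( QA + A^T Q + \rho^2 QCC^T Q + I \right) \right] e(t) \\ <{} & \gamma e^T(t) \left( \Xi \otimes Q \right) e(t), \end{aligned} \tag{74}$$

where the last inequality follows from (71) and Lemma 8.

Note that systems (68) switch at $t = t_k$ and $t = t_k + \delta_k$, $k \in \mathbb{N}$. Therefore, based on (73) and (74), one obtains

$$V(t_2) < \mu e^{\gamma(t_2 - t_1 - \delta_1)} V(t_1 + \delta_1) < \mu^2 e^{-\beta\delta_1 + \gamma(t_2 - t_1 - \delta_1)} V(t_1) = e^{-\phi_1} V(0), \tag{75}$$

with $\phi_1 = \beta\delta_1 - \gamma(t_2 - \delta_1) - 2\ln\mu$ and

$$\mu = \max\left\{ \frac{\xi_{\max} \lambda_{\max}(S^{-1})}{\xi_{\min} \lambda_{\min}(Q)}, \frac{\xi_{\max} \lambda_{\max}(Q)}{\xi_{\min} \lambda_{\min}(S^{-1})} \right\},$$

where the last equation in (75) is derived by using the fact that $t_1 = 0$. According to the condition

$$r_1 = \frac{\delta_1}{t_2 - t_1} > \frac{\gamma}{\beta+\gamma} + \frac{2 \ln \mu}{(\beta+\gamma)(t_2 - t_1)},$$

one has $\phi_1 > 0$. By recursion, for any $k \in \mathbb{N}$, one has

$$V(t_{k+1}) < V(0) e^{-\sum_{i=1}^{k} \phi_i},$$

where $\phi_i = \beta\delta_i - \gamma(t_{i+1} - t_i - \delta_i) - 2\ln\mu > 0$, $i = 1, \cdots, k$.

For any $t > t_2$, there exists a positive integer $z \ge 2$ such that $t_z < t \le t_{z+1}$. Let $\bar{\phi} = \inf_{h \in \mathbb{N}} \phi_h > 0$. When $t \in (t_z, t_z + \delta_z)$, $z \in \mathbb{N}$, based on the above analysis and the fact that $\sup_{k \in \mathbb{N}} (t_{k+1} - t_k) < \varepsilon_1$, one gets

$$V(t) < V(t_z) e^{-\beta\delta_z} < V(0) e^{-\sum_{j=1}^{z-1} \phi_j} \le V(0) e^{-(z-1)\bar{\phi}} < V(0) e^{-\frac{(z-1)\bar{\phi}}{z\varepsilon_1} t} < V(0) e^{-\frac{\bar{\phi}}{2\varepsilon_1} t},$$

where the last inequality is obtained since $z \ge 2$. When $t = t_z + \delta_z$, $z \in \mathbb{N}$, the above analysis indicates that

$$V(t) < \mu V(0) e^{-\frac{\bar{\phi}}{2\varepsilon_1} t}. \tag{76}$$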




For the case of $t \in (t_z + \delta_z, t_{z+1})$, some simple calculations give that

$$V(t) < e^{\gamma\varepsilon_1} V(t_z + \delta_z) < \mu e^{\gamma\varepsilon_1} V(0) e^{-\sum_{j=1}^{z-1} \phi_j} < \mu e^{\gamma\varepsilon_1} V(0) e^{-(z-1)\bar{\phi}} < \mu e^{\gamma\varepsilon_1} V(0) e^{-\frac{\bar{\phi}}{2\varepsilon_1} t}. \tag{77}$$

When $t = t_{z+1}$, $z \in \mathbb{N}$, it follows from (77) that

$$V(t) < \mu^2 e^{\gamma\varepsilon_1} V(0) e^{-\frac{\bar{\phi}}{2\varepsilon_1} t}.$$

From the above analysis, one gets that the consensus tracking problem in multi-agent system (37) is indeed solved by protocol (67), constructed by Algorithm 3. This completes the proof.

Remark 21. The condition that the communication topology frequently has a directed spanning tree is stronger than that of the topology jointly having a directed spanning tree. By using a multiple Lyapunov functions approach, it has been shown in Theorem 7 that the consensus tracking problem in the multi-agent system (37) can be solved by protocol (67) with control parameters appropriately designed. It is also worth mentioning that how to construct a distributed protocol to guarantee consensus tracking in the multi-agent system (37) with topology jointly containing a directed spanning tree remains a challenging issue today.

Remark 22. It is not hard to see that the solvability conditions for the LMI (44) provided in Remark 16 are applicable for LMI (70). By using Schur complement lemma, one gets that LMI (71) holds if and only if there exist a positive scalar $\gamma > 0$ and $Q > 0$ such that

$$A^T Q + QA + I_n + \rho^2 QCC^T Q - \gamma Q < 0. \tag{78}$$

Obviously, LMI (78) is solvable if $\gamma > \lambda$, where $\lambda$ is the maximum eigenvalue of $A + A^T + \rho^2 CC^T + I_n$.

Remark 23. Under Assumption 2 and the condition that $\mathcal{G}^1$ contains a directed spanning tree, it follows from Theorem 7 that the consensus tracking for system (37) with protocol (67) designed by Algorithm 3 can be achieved if the LMIs (70), (71) have feasible solutions and the communication rate $r_k$ is larger than a threshold value. It can be observed that, for given $\beta$, $\gamma$, and topology $\mathcal{G}^1$, the minimum admissible communication rate depends only on the eigenvalue ratio of $S^{-1}$ and $Q$. However, LMIs (70) and (71) in Algorithm 3 are solved independently, which may introduce conservatism in seeking an admissible communication rate to satisfy the consensus tracking conditions. Thus, it is important to further study, for given parameters $\beta$, $\gamma$, and a topology $\mathcal{G}^1$ containing a directed spanning tree, how large the minimum admissible communication rate is needed to achieve the intended consensus tracking. For this purpose, further investigation is needed.

Remark 24. It should be noted that distributed consensus tracking for multi-agent systems with homogeneous Lipschitz-type nonlinear dynamics has been studied in the present work. For multi-agent systems with general heterogeneous nonlinear dynamics, developing a distributed consensus tracking protocol becomes more involved. First, for general nonlinear multi-agent systems, it is a challenge to design distributed tracking protocols based only on the relative states of neighboring agents over directed networks to eliminate the effects of the nonlinear term. Second, within the context of multi-agent systems, it is unclear how to deal with the heterogeneous dynamics since the coupling terms will vanish owing to the diffusive property of the Laplacian matrix when consensus tracking is achieved; from this viewpoint, the states of neighboring agents will diverge from each other again when the relative states of them are very small.

Remark 25. It should be noted that the design of the coupling strength $\alpha$ of the protocols provided here relies on the minimum eigenvalue of some positive definite matrices depending on the Laplacian matrices associated with the communication topologies, which indeed is a piece of global information within the context of multi-agent systems. However, in practice, one could calculate the lower bound of this positive quantity off-line, since the numbers of the agents and the topological structures are finite. Nevertheless, it is more interesting to construct some fully distributed protocols such that consensus tracking can be ensured without using any global information. However, whether it is possible to construct such a fully distributed tracking protocol for multi-agent systems with intermittent communication or switching directed topologies is still an open problem.

5 Numerical Simulations

In this section, two simulation examples are provided to verify Theorems 1 and 4, respectively.

5.1 Consensus of Second-Order Multi-agent Systems with Intermittent Communication

Consider the second-order consensus protocol with intermittent measurements as shown in (8), with the communication topology visualized by Fig. 1, where the weights are indicated on the edges. Figure 1 shows that the communication topology $\mathcal{G}(\mathcal{A})$ is strongly connected. In simulation, it is assumed that there exists an infinite time sequence of uniformly bounded and nonoverlapping time intervals $[t_k, t_{k+1})$, with $t_{k+1} - t_k = 0.5$, $t_1 = 0$, for all $k \in \mathbb{N}$. Furthermore, set the communication duration $\delta_k = 0.42$, for all $k \in \mathbb{N}$, and coupling parameters α = 1 and β = 1.1. By simple calculations, one gets that $a(L) = 3.5$, $b(L) = 4.5$, $\xi = (0.2857, 0.4286, 0.2857)^T$. Direct calculation gives $a(L) = 3.5 > \alpha/\beta^2 = 0.8264$, and $\delta = 0.42 > 0.5 \times \frac{\gamma_4}{\gamma_3+\gamma_4} = 0.4147$. Therefore, by Theorem 1, second-order consensus can be achieved in system (8). The position and velocity states of all agents are shown in Figs. 2 and 3, respectively, with initial conditions $x(0) = [1.2, -0.9, -1.5]^T$ and $v(0) = [-0.8, -0.35, -2]^T$, which verify the theoretical analysis very well.

Fig. 1 Communication graph $\mathcal{G}(\mathcal{A})$

Fig. 2 Consensus of position trajectories of the three agents provided in Fig. 1 (position trajectories $x_1(t)$, $x_2(t)$, $x_3(t)$ of the agents plotted against $t$)

Fig. 3 Consensus of velocity trajectories of the three agents provided in Fig. 1 (velocity trajectories $v_1(t)$, $v_2(t)$, $v_3(t)$ of the agents plotted against $t$)

Fig. 4 Communication graph $\mathcal{G}(\mathcal{A})$

5.2 Consensus of Second-Order Multi-agent Systems with Nonlinear Dynamics and Intermittent Communication

Consider the second-order consensus protocol with time-delayed nonlinear dynamics in system (22), where the communication topology among the multiple agents is shown in Fig. 4 with weights on each edge being 0.2. Note that the graph $\mathcal{G}(\mathcal{A})$ provided in Fig. 4 is strongly connected and balanced. Let the time-delayed nonlinear function be $f(v_i(t-\tau), v_i(t), t) = 0.001\cos(v_i(t)) + 0.001\sin(v_i(t-\tau)) \in \mathbb{R}$, where $v_i(t) \in \mathbb{R}$, τ = 0.01, and i = 1, 2, 3, 4. In view of Assumption 1, one obtains $\rho_1 = 0.001$, $\rho_2 = 0.001$. Let α = 25, β = 30, δ = 0.47, and ω = 0.500. Namely, the communication rate among the dynamic agents is 94%. Direct calculation gives $\lambda_2(L + L^T) = 0.4 > \frac{\alpha}{\beta^2} = 0.0278$, $\lambda_1(R_1) = 249.9750 > \frac{c_0\lambda_2(P_1)}{\lambda_1(Q)} = 1.1933$, and $\delta = 0.47 > \frac{r\tau + (\gamma_3+\gamma_4)\omega}{r+\gamma_3+\gamma_4} = 0.4656$. Therefore, by Theorem 4, second-order consensus can be achieved in multi-agent system (22). The position and velocity states of all agents are, respectively, shown in Figs. 5 and 6, with initial conditions $x_i(t) = 0$, $v_i(t) = 0$, for all $t \in [-\tau, 0]$ and i = 1, 2, 3, 4. Furthermore, according to the definition of ζ(t), i.e., $\zeta(t) = (\tilde{x}^T(t), \tilde{v}^T(t))^T$, with $\tilde{x}(t) = (\tilde{x}_1(t), \tilde{x}_2(t), \tilde{x}_3(t), \tilde{x}_4(t))^T$ and $\tilde{v}(t) = (\tilde{v}_1(t), \tilde{v}_2(t), \tilde{v}_3(t), \tilde{v}_4(t))^T$, it is reasonable to denote ζ(t) as the consensus errors of multi-agent system (22). The evolution trajectory of ζ(t) is given in Fig. 7. It can be seen that the consensus problem in system (22) is indeed solved, and the simulation results verify the theoretical analysis very well.

Fig. 5 Consensus of position trajectories of the four agents provided in Fig. 4 (position trajectories $x_1(t)$ to $x_4(t)$ of the agents plotted against $t$)

Fig. 6 Consensus of velocity trajectories of the four agents provided in Fig. 4 (velocity trajectories $v_1(t)$ to $v_4(t)$ of the agents plotted against $t$)

Fig. 7 Consensus error ζ(t) (consensus error $\|\zeta(t)\|$ plotted against $t$)

6 Conclusions

In Sect. 2, second-order consensus problems have been solved for multi-agent systems with a fixed directed topology and communication constraints. Based on the synchronous intermittent local information feedback, a novel consensus protocol has been designed to ensure consensus in multi-agent systems where the communication topology is strongly connected. Furthermore, this consensus protocol is then extended to the case where the communication topology contains a directed spanning tree. It was shown that second-order consensus can be achieved in the multi-agent systems if the general algebraic connectivity of the communication topology is larger than a threshold value and the mobile agents communicate with their neighbors frequently enough as the network evolves. The study in this section on intermittent second-order consensus protocols can serve as a stepping stone for introducing more complicated and realistic agent dynamics to groups of mobile agents.

In Sect. 3, some consensus protocols have been proposed for second-order multi-agent systems with nonlinear dynamics and strongly connected communication topologies. Detailed analyses have been performed on the case in which agents communicate with their neighbors over some disconnected time intervals. It was shown that second-order consensus can be achieved exponentially if the general algebraic connectivity and the communication time duration are larger than their corresponding threshold values, respectively. Furthermore, for the scenario when communication delays are present in the network, this result was generalized under balanced communication topologies.

In Sect. 4, the distributed consensus tracking problem has been studied for a class of multi-agent systems with higher-order Lipschitz-type nonlinear dynamics and switching directed topologies. By assuming that the interaction graph contains a directed spanning tree rooted at the leader, a new consensus tracking algorithm for fixed topology has been constructed and analyzed. By using tools from M-matrix theory, it has been theoretically shown that the consensus tracking problem in the closed-loop multi-agent network can be achieved asymptotically if the control parameters of the protocol are appropriately selected. The results are then extended to the case where the communication topology switches over some possible graphs, but each of them contains a directed spanning tree. Finally, the distributed consensus tracking problem for multi-agent systems with switching topologies only frequently but not always containing a directed spanning tree was investigated by employing a communication restoration mechanism.

Acknowledgments This work is supported by the National Nature Science Foundation of China through Grant Nos. 61722303 and 61673104, the Natural Science Foundation of Jiangsu Province of China through Grant No. BK20170079, and the Fundamental Research Funds for the Central Universities of China.

References

P. Amster, M.C. Mariani, Some results on the forced pendulum equation. Nonlinear Anal.-Theory Methods Appl. 68(7), 1874–1880 (2008)
S. Boyd, L. El Ghaoui, E. Feron, V. Balakrishnan, Linear Matrix Inequalities in System and Control Theory (SIAM, Philadelphia, 1994)
R.A. Brualdi, H.J. Ryser, Combinatorial Matrix Theory (Cambridge University Press, Cambridge, 1991)
S. Cai, Z. Liu, F. Xu, J. Shen, Periodically intermittent controlling complex dynamical networks with time-varying delays to a desired orbit. Phys. Lett. A 373(42), 3846–3854 (2009)
Y. Cao, W. Ren, N. Sorensen, L. Ballard, A. Reiter, J. Kennedy, Experiments in consensus-based distributed cooperative control of multiple mobile robots, in IEEE International Conference on Mechatronics and Automation, Harbin, 2007, pp. 2819–2824
M.C. de Oliveira, R.E. Skelton, Stability Tests for Constrained Linear Systems. Perspectives in Robust Control (Springer, London, 2001), pp. 241–257
H. Fujisaka, T. Yamada, Stability theory of synchronized motion in coupled-oscillator systems. Prog. Theor. Phys. 69(1), 32–47 (1983)
W. He, J. Cao, Consensus control for high-order multi-agent systems. IET Contr. Theory Appl. 5(1), 231–238 (2011)
Y. Hong, J. Hu, L. Gao, Tracking control for multi-agent consensus with an active leader and variable topology. Automatica 42(7), 1177–1182 (2006)
Y. Hong, G. Chen, L. Bushnell, Distributed observers design for leader-following control of multiagent networks. Automatica 44(3), 846–850 (2008)
R.A. Horn, C.R. Johnson, Matrix analysis (Cambridge University Press, New York, 1990)
T. Huang, C. Li, W. Yu, G. Chen, Synchronization of delayed chaotic systems with parameter mismatches by using intermittent linear state feedback. Nonlinearity 22(3), 569–584 (2009)
A. Jadbabaie, J. Lin, A.S. Morse, Coordination of groups of mobile autonomous agents using nearest neighbor rules. IEEE Trans. Autom. Control 48(6), 988–1001 (2003)
Q. Jia, W.K. Tang, W.A. Halang, Leader following of nonlinear agents with switching connective network and coupling delay. IEEE Trans. Circuits Syst. I-Regul. Pap. 58(10), 2508–2519 (2011)
X. Li, X. Wang, G. Chen, Pinning a complex dynamical network to its equilibrium. IEEE Trans. Circuits Syst. I-Regul. Pap. 51(10), 2074–2087 (2004)
Z. Li, Z. Duan, G. Chen, L. Huang, Consensus of multiagent systems and synchronization of complex networks: a unified viewpoint. IEEE Trans. Circuits Syst. I-Regul. Pap. 57(1), 213–224 (2010)
Z. Li, Z. Duan, G. Chen, Dynamic consensus of linear multi-agent systems. IET Contr. Theory Appl. 5(1), 19–28 (2011a)
Z. Li, X. Liu, M. Fu, Global consensus control of Lipschitz nonlinear multi-agent systems, in Proceedings of the 18th IFAC World Congress, Milano, 2011b, pp. 10056–10061
Z. Li, Z. Duan, L. Xie, X. Liu, Distributed robust control of linear multi-agent systems with parameter uncertainties. Int. J. Control 85(8), 1039–1050 (2012)
W. Lu, T. Chen, New approach to synchronization analysis of linearly coupled ordinary differential systems. Physica D 213(2), 214–230 (2006)
J. Lu, X. Yu, G. Chen, D. Cheng, Characterizing the synchronizability of small-world dynamical networks. IEEE Trans. Circuits Syst. I-Regul. Pap. 51(4), 787–796 (2004)
R. Olfati-Saber, R.M. Murray, Consensus problems in networks of agents with switching topology and time-delays. IEEE Trans. Autom. Control 49(9), 1520–1533 (2004)
R. Olfati-Saber, J.A. Fax, R.M. Murray, Consensus and cooperation in networked multi-agent systems. Proc. IEEE 95(1), 215–233 (2007)
A. Olshevsky, J.N. Tsitsiklis, On the nonexistence of quadratic Lyapunov functions for consensus algorithms. IEEE Trans. Autom. Control 53(11), 2642–2645 (2008)
Z. Qu, Cooperative Control of Dynamical Systems: Applications to Autonomous Vehicles (Springer, London, 2009)
W. Ren, Multi-vehicle consensus with a time-varying reference state. Syst. Control Lett. 56(7), 474–483 (2007)
W. Ren, On consensus algorithms for double-integrator dynamics. IEEE Trans. Autom. Control 53(6), 1503–1509 (2008)
W. Ren, E. Atkins, Second-order consensus protocols in multiple vehicle systems with local interactions, in AIAA Guidance, Navigation, and Control, San Francisco, 2005, pp. 1–13
W. Ren, E. Atkins, Distributed multi-vehicle coordinated control via local information exchange. Int. J. Robust Nonlinear Control 17(10–11), 1002–1033 (2007)
W. Ren, R.W. Beard, Constrained nonlinear tracking control for small fixed-wing unmanned air vehicles, in Proceeding of the 2004 American Control Conference, Boston, 2004, pp. 4663–4668
W. Ren, R.W. Beard, Consensus seeking in multiagent systems under dynamically changing interaction topologies. IEEE Trans. Autom. Control 50(5), 655–661 (2005)
W. Ren, R.W. Beard, Distributed Consensus in Multi-vehicle Cooperative Control (Springer, London, 2008)
W. Ren, K.L. Moore, Y. Chen, High-order and model reference consensus algorithms in cooperative control of multivehicle systems. J. Dyn. Syst. Meas. Control 129(5), 678–688 (2007a)
W. Ren, R.W. Beard, E.M. Atkins, Information consensus in multivehicle cooperative control. IEEE Control Syst. Mag. 27(2), 71–82 (2007b)
Q. Song, J. Cao, W. Yu, Second-order leader-following consensus of nonlinear multi-agent systems via pinning control. Syst. Control Lett. 59(9), 553–562 (2010)
Q. Song, F. Liu, J. Cao, W. Yu, Pinning-controllability analysis of complex networks: an M-matrix approach. IEEE Trans. Circuits Syst. I-Regul. Pap. 59(11), 2692–2701 (2012)
H. Su, W. Zhang, Second-order consensus of multiple agents with coupling delay. Commun. Theor. Phys. 51(1), 101–109 (2009)
H. Su, X. Wang, G. Chen, A connectivity-preserving flocking algorithm for multi-agent systems based only on position measurements. Int. J. Control 82(7), 1334–1343 (2009)
V. Utkin, J. Guldner, J. Shi, Sliding Mode Control in Electro-mechanical Systems (CRC Press, New York, 2009)
Z. Wang, J. Cao, Quasi-consensus of second-order leader-following multi-agent systems. IET Contr. Theory Appl. 6(4), 545–551 (2012)
J. Wang, Y. Tan, I. Mareels, Robustness analysis of leader-follower consensus. J. Syst. Sci. Complex. 22(2), 186–206 (2009a)
J. Wang, Z. Duan, Y. Yang, L. Huang, Analysis and control of nonlinear systems with stationary sets: time-domain and frequency-domain methods (World Scientific, Singapore, 2009b)
G. Wen, Z. Duan, G. Chen, W. Yu, Second-order consensus for nonlinear multi-agent systems with intermittent measurements, in Chinese Control and Decision Conference, Mianyang, 2011, pp. 3710–3714
G. Wen, Z. Duan, W. Yu, G. Chen, Consensus in multi-agent systems with communication constraints. Int. J. Robust Nonlinear Control 22(2), 170–182 (2012a)
G. Wen, Z. Duan, H. Su, G. Chen, W. Yu, A connectivity-preserving flocking algorithm for multi-agent dynamical systems with bounded potential function. IET Contr. Theory Appl. 6(6), 813–821 (2012b)
G. Wen, Z. Duan, W. Yu, G. Chen, Consensus of multi-agent systems with nonlinear dynamics and sampled-data information: a delayed-input approach. Int. J. Robust Nonlinear Control 23(6), 602–619 (2013a)
G. Wen, Z. Duan, W. Yu, G. Chen, Consensus of second-order multi-agent systems with delayed nonlinear dynamics and intermittent communications. Int. J. Control 86(2), 322–331 (2013b)
G. Wen, Z. Duan, W. Ren, G. Chen, Distributed consensus of multi-agent systems with general linear node dynamics and intermittent communications. Int. J. Robust Nonlinear Control 24(16), 2438–2457 (2014a)
G. Wen, Z. Duan, G. Chen, W. Yu, Consensus tracking of multi-agent systems with Lipschitz-type node dynamics and switching topologies. IEEE Trans. Circuits Syst. I-Regul. Pap. 61(2), 499–511 (2014b)
W. Xia, J. Cao, Pinning synchronization of delayed dynamical networks via periodically intermittent control. Chaos 19(1), 013120 (2009)
W. Yu, G. Chen, M. Cao, J. Kurths, Second-order consensus for multiagent systems with directed topologies and nonlinear dynamics. IEEE Trans. Syst. Man Cybern. Part B-Cybern. 40(3), 881–891 (2010a)
W. Yu, G. Chen, M. Cao, Some necessary and sufficient conditions for second-order consensus in multi-agent dynamical systems. Automatica 46(6), 1089–1095 (2010b)
W. Yu, G. Chen, W. Ren, J. Kurths, W.X. Zheng, Distributed higher order consensus protocols in multiagent dynamical systems. IEEE Trans. Circuits Syst. I-Regul. Pap. 58(8), 1924–1932 (2011)

37 Synchronization in Coupled Harmonic Oscillator Systems Based on Sampled Position Data

Qiang Song, Fang Liu, Guanghui Wen, Jinde Cao, and Yang Tang

Contents
1 Introduction
2 Preliminaries
2.1 Notations
2.2 Graph Theory
3 Problem Formulation and Algorithm Design
4 Synchronization Under Protocol (2)
5 Synchronization Under Protocol (3)
5.1 Synchronization Criteria for Network (1) with Protocol (3)
5.2 Design of β and T for Undirected Network
5.3 Design of β and T for Directed Network
6 Numerical Results
6.1 Synchronization with Current Sampled Position Data
6.2 Synchronization with Past Sampled Position Data
7 Conclusions
References

Q. Song
College of Electrical Engineering, Henan University of Technology, Zhengzhou, China

F. Liu
School of Information Engineering, Henan International Joint Laboratory of Behavior Optimization Control for Smart Robots, Huanghuai University, Henan, China

G. Wen
School of Mathematics, Southeast University, Nanjing, P. R. China

J. Cao
School of Mathematics, Southeast University, Nanjing, China

Y. Tang
The Key Laboratory of Advanced Control and Optimization for Chemical Processes, Ministry of Education, East China University of Science and Technology, Shanghai, China

© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_21


Abstract

A harmonic oscillator is a typical second-order spring-mass system exhibiting periodic motions. In the last decade, much effort has been devoted to the study of synchronization in networks composed of a set of identical harmonic oscillators. Most existing synchronization algorithms for coupled harmonic oscillators are developed based on relative velocity measurements. This chapter proposes two distributed synchronization protocols to solve the synchronization problem for a network of harmonic oscillators in a continuous-time setting by utilizing current and past relative sampled position data between neighboring nodes, respectively. Some necessary and sufficient conditions in terms of coupling strength and sampling period are established to achieve synchronization in the network. By designing the coupling strength according to the nonzero eigenvalues of the Laplacian matrix of the network, it is shown that the synchronization problem of coupled harmonic oscillators can be solved if and only if the sampling period is taken from a sequence of disjoint open intervals. Interestingly, when the Laplacian matrix has some complex eigenvalues, it is found that the sampling period should be larger than a positive threshold, that is, any small sampling period less than this threshold will not lead to network synchronization. Numerical examples are given to illustrate the feasibility and the effectiveness of the theoretical analysis.

Keywords Coupled harmonic oscillators · Multi-agent system · Synchronization · Sampled position data · Sampling period

1 Introduction

Over the past few decades, the collective behaviors of networked systems have been both intensively and extensively studied due to their theoretical significance and potential applications. Under the common assumption that each node can only obtain the information from its nearest neighbors, many distributed control algorithms have been proposed to solve the coordination problems for networked systems such as the synchronization of coupled oscillators with linear dynamics (Tuna 2009; Scardovi and Sepulchre 2009; Meng et al. 2013; Zou et al. 2015) and nonlinear dynamics (Pecora and Carroll 1998; Porfiri et al. 2008; De Lellis et al. 2010; Song et al. 2012; De Lellis et al. 2013; Wen et al. 2014b; Jeter and Belykh 2015), the consensus of multi-agent systems (Olfati-Saber and Murray 2004; Ren and Beard 2005; Porfiri and Stilwell 2007; Ren and Atkins 2007; Yu et al. 2010; Song et al. 2013; Ma et al. 2010; Wen et al. 2014a; Garcia et al. 2014), and the containment control of multi-agent systems with multiple leaders (Ji et al. 2008; Cao et al. 2012).


The research related to the harmonic oscillator system, which is a second-order spring-mass system exhibiting periodic motion, has attracted increasing attention in recent years. In Zheltikov (2002), a harmonic oscillator model was adopted to study the coherent control for the acoustic vibrations in metal nanoparticles and thin films. In Ballard et al. (2010), the synchronization results for coupled harmonic oscillators were successfully applied in the collaborative control of multiple mobile robots. By using velocity data, some distributed protocols (Ren 2008b; Su et al. 2009; Cheng et al. 2011) have been developed to study the synchronization problem for coupled harmonic oscillators. In Xu et al. (2015), the containment control of coupled harmonic oscillators was considered. Note that most of the synchronization algorithms for coupled harmonic oscillators in the existing literature, including (Ren 2008b; Su et al. 2009; Cheng et al. 2011; Xu et al. 2015), are based on velocity data. When velocity information is unavailable, it is necessary to develop some synchronization algorithms by using position information. In recent years some theoretical results have been presented to address the position-based coordination control of coupled harmonic oscillators. In Zhang et al. (2013), an observer-based protocol was proposed to achieve leader-following synchronization of coupled harmonic oscillators using current relative positions. In Song et al. (2016a), a synchronization algorithm was designed based on history position data. More recently, Song et al. (2019) studied the position-based synchronization problem for coupled harmonic oscillators with same or different system parameters.

It should be pointed out that most control algorithms for coupled harmonic oscillators assume that the information transmissions between neighboring nodes are continuous with respect to the time, which implies that the network communication load is relatively high. Due to some distinctive advantages of the sampled-data control approach such as the ease of digital circuit implementation and the relatively low control cost (Chen and Francis 1995), some consensus protocols have been proposed for multi-agent systems, where each agent only communicates with its local neighbors at discrete-time instants. Note that the second-order consensus of coupled double integrators was studied by utilizing sampled positions (Huang et al. 2016), and the higher-order consensus of multi-agent systems with general dynamics was addressed by using sampled output measurements (Gao et al. 2013). Recently, some sampled velocity data-based algorithms have been designed to achieve synchronization in coupled harmonic oscillators (Zhang and Zhou 2012; Sun et al. 2014). However, to the best of our knowledge, the synchronization of coupled harmonic oscillators based only on sampled position data has rarely been considered.

In this chapter, we systematically investigate the sampled position-based synchronization of coupled harmonic oscillators. The main novelties can be highlighted in three perspectives. First, two distributed synchronization protocols are designed by, respectively, utilizing current and past sampled position data for coupled harmonic oscillators without designing any state observers. Second, some necessary and sufficient conditions are derived for reaching position-based synchronization of the network under periodic sampling control. For the network


with a properly designed coupling strength, it is shown that the sampling period must be taken from a sequence of disjoint open intervals. Third, some interesting findings for the proposed protocols are listed in the following and will be proved in the main body: (i) for the protocol based on current sampled position data, the coupling strength should be positive. However, for the protocol based on past sampled position data, the coupling strength may be either positive or negative. (ii) When the Laplacian matrix of the network has some complex eigenvalues, it is shown that the sampling period must be larger than a positive threshold, that is, the synchronization of the network cannot be achieved when the sampling period is less than this threshold. It is worth mentioning that the results of this chapter have been published in Song et al. (2016b). The rest of this chapter is organized as follows. Section 2 provides some mathematical preliminaries. Section 3 proposes two synchronization algorithms for coupled harmonic oscillators by using sampled position data. In Sects. 4 and 5, we study the network synchronization based on current and past sampled position data, respectively. Simulations are given in Sect. 6. Finally, some conclusions and future trends are stated in Sect. 7.

2 Preliminaries

2.1 Notations

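Let $\mathbb{Z}^+$, $\mathbb{N}$, $\mathbb{R}$, and $\mathbb{C}$ represent the set of nonnegative integers, natural, real, and complex numbers, respectively. For $z \in \mathbb{C}$, let $|z|$, $\mathrm{Re}(z)$, and $\mathrm{Im}(z)$ be its modulus, real part, and imaginary part, respectively. Let $I_n$ be the n-dimensional identity matrix, $1_n$ ($0_n$) be the column vector of all ones (zeros), and $0_{m\times n}$ be a zero matrix. For a square matrix $A \in \mathbb{C}^{n\times n}$, let $\det(A)$ be its determinant and $\rho(A) = \max_{1\le i\le n}|\lambda_i(A)|$ be its spectral radius with $\lambda_i(A)$ being the i-th eigenvalue. The symbol ⊗ denotes the Kronecker product (Langville and Stewart 2004).

Denotation 1. Let α > 0 and T > 0 be two positive parameters satisfying $\sqrt{\alpha}T \neq n\pi$, $n \in \mathbb{Z}^+$. Let $0 \le \theta_1 < \theta_2 < \pi/2$. Define the sets $\Omega_T(\theta_1) \triangleq \{T \mid \tan^2(\sqrt{\alpha}T/2) > \tan^2\theta_1\}$, $\Omega_T(\theta_2) \triangleq \{T \mid \tan^2(\sqrt{\alpha}T/2) < \tan^2\theta_2\}$, and $\Omega_T(\theta_1, \theta_2) \triangleq \{T \mid \tan^2\theta_1 < \tan^2(\sqrt{\alpha}T/2) < \tan^2\theta_2\} = \Omega_T(\theta_1) \cap \Omega_T(\theta_2)$. Some simple calculations yield:

$$\Omega_T(\theta_1) = \bigcup_{k=0}^{\infty}\left(\frac{2(k\pi+\theta_1)}{\sqrt{\alpha}}, \frac{(2k+1)\pi}{\sqrt{\alpha}}\right) \cup \bigcup_{k=1}^{\infty}\left(\frac{(2k-1)\pi}{\sqrt{\alpha}}, \frac{2(k\pi-\theta_1)}{\sqrt{\alpha}}\right),$$

$$\Omega_T(\theta_2) = \bigcup_{k=0}^{\infty}\left(\frac{2k\pi}{\sqrt{\alpha}}, \frac{2(k\pi+\theta_2)}{\sqrt{\alpha}}\right) \cup \bigcup_{k=1}^{\infty}\left(\frac{2(k\pi-\theta_2)}{\sqrt{\alpha}}, \frac{2k\pi}{\sqrt{\alpha}}\right),$$

$$\Omega_T(\theta_1,\theta_2) = \bigcup_{k=0}^{\infty}\left(\frac{2(k\pi+\theta_1)}{\sqrt{\alpha}}, \frac{2(k\pi+\theta_2)}{\sqrt{\alpha}}\right) \cup \bigcup_{k=1}^{\infty}\left(\frac{2(k\pi-\theta_2)}{\sqrt{\alpha}}, \frac{2(k\pi-\theta_1)}{\sqrt{\alpha}}\right).$$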

2.2 Graph Theory

To describe the interaction between N coupled nodes, let $\mathcal{G}$ denote a graph with $\mathcal{V} = \{1, \ldots, N\}$ and $\mathcal{E} \subseteq \mathcal{V} \times \mathcal{V}$ being the node and edge sets, respectively. A directed link from node j to node i means that node j can access information of node i. The digraph $\mathcal{G}$ is said to have (or contain) a directed spanning tree if there is at least one node that has a directed path to every other node (Song et al. 2012; Ren and Beard 2005). Let $\mathcal{A} = (a_{ij})_{N\times N}$ be the adjacency matrix associated with the digraph $\mathcal{G}$, where $a_{ij} > 0$ if $(j, i) \in \mathcal{E}$ and $a_{ij} = 0$ if $(j, i) \notin \mathcal{E}$. It is assumed that $a_{ii} = 0$ holds for all $i = 1, \ldots, N$. The neighbor set of node i is defined as $N_i = \{j \mid a_{ij} > 0, j \neq i\}$, $\forall i = 1, \ldots, N$. On the basis of the adjacency matrix $\mathcal{A}$, define $L = (l_{ij})_{N\times N}$ as the Laplacian matrix, where $l_{ij} = -a_{ij}$ $(i \neq j)$ and $l_{ii} = \sum_{k=1,k\neq i}^{N} a_{ik}$ (Song et al. 2012; Ren and Beard 2005). Obviously, the Laplacian matrix L is a zero-row-sum matrix.

3 Problem Formulation and Algorithm Design

This section formulates the synchronization problem and designs two synchronization protocols for coupled harmonic oscillators by utilizing current and past sampled position data. Consider a network of coupled harmonic oscillators composed by N identical nodes (Ren 2008b):

$$\dot{x}_i(t) = v_i(t), \quad \dot{v}_i(t) = -\alpha x_i(t) + u_i(t), \quad i = 1, \ldots, N, \tag{1}$$

where α > 0 is a positive constant; $x_i(t), v_i(t) \in \mathbb{R}$ are the position and velocity states of node i, respectively; and $u_i(t) \in \mathbb{R}$ is the control input for node i to be designed. Network (1) is said to achieve synchronization if $\lim_{t\to\infty}(x_i(t) - x_j(t)) = 0$ and $\lim_{t\to\infty}(v_i(t) - v_j(t)) = 0$, $\forall i, j = 1, \ldots, N$ $(i \neq j)$.

Denotation 2. In this chapter, let $\mathcal{G}$ denote the digraph of network (1) with $\mathcal{A}$ and L being its adjacency matrix and Laplacian matrix, respectively. Let the eigenvalues of L be given by $\mu_i$, $i = 1, \ldots, N$, satisfying $0 = |\mu_1| \le |\mu_2| \le \ldots \le |\mu_N|$.

To solve the synchronization problem for coupled harmonic oscillators (1), we propose a distributed protocol by utilizing current sampled position data:

$$u_i(t) = \beta \sum_{j\in N_i} a_{ij}\big(x_i(t_k) - x_j(t_k)\big), \quad t \in [t_k, t_{k+1}), \quad i = 1, \ldots, N, \ k \in \mathbb{Z}^+, \tag{2}$$


where $a_{ij}$ is the (i, j)-th entry of matrix $\mathcal{A}$, $N_i$ is the neighbor set of node i, $\beta \neq 0$ is the coupling strength, and $x_i(t_k)$, $i = 1, \ldots, N$ are the current sampled positions obtained at the sampling instants $t_k$, $k = 0, 1, \ldots$ satisfying $0 = t_0 < t_1 < \cdots < t_k < t_{k+1} < \cdots$.

In some practical cases, it may be difficult to instantly obtain the current sampled position data due to the time delay for information transmission. To deal with this problem, we design a protocol by using past sampled position data:

$$u_i(t) = \beta \sum_{j\in N_i} a_{ij}\big(x_i(t_{k-1}) - x_j(t_{k-1})\big), \quad t \in [t_k, t_{k+1}), \quad i = 1, \ldots, N, \ k \in \mathbb{N}, \tag{3}$$

where $x_i(t_{k-1})$, $i = 1, \ldots, N$ are the past sampled positions at the time instants $t_{k-1}$. In this chapter, the position states of coupled harmonic oscillators are assumed to be uniformly sampled, that is, $t_{k+1} - t_k = T > 0$ and $t_k = kT$, $\forall k \in \mathbb{Z}^+$, where T is the sampling period to be designed later.

Remark 1. If there is a virtual leader for network (1), one can label the leader as node 0. Note that when $0 \in N_i$, i.e., $a_{i0} > 0$, the leader is the neighbor of node i indicating that node i is a pinned node (De Lellis et al. 2013; Wen et al. 2014b; Song et al. 2013). Based on the pinning control approach for networked systems (De Lellis et al. 2013; Wen et al. 2014b; Song et al. 2013), it is easy to study the leader-following synchronization of network (1) by slightly modifying protocols (2) and (3).
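The following added Python example (not code from the chapter) integrates network (1) under protocol (2) exactly over each sampling period, tests synchronization through the spectral radius of each disagreement mode, and compares the outcome with conditions (4) and (5) of Theorem 1 in Sect. 4 and with the limit trajectory stated there. The directed 3-cycle, the initial states, the parameter values, all function names, and the reading of condition (6) as tan²(√α T/2) > max D_i are assumptions of this example.

```python
import numpy as np

# Constructed example data (not from the chapter): directed 3-cycle with unit
# weights, whose nonzero Laplacian eigenvalues are 1.5 +/- 0.866i.
CYCLE = [[0, 1, 0], [0, 0, 1], [1, 0, 0]]
X0, V0 = [1.0, -0.5, 2.0], [0.0, 1.5, -1.0]

def laplacian(adj):
    """L = D - A for adjacency entries adj[i][j] = a_ij (j is a neighbor of i)."""
    adj = np.asarray(adj, dtype=float)
    return np.diag(adj.sum(axis=1)) - adj

def nonzero_eigs(L):
    """mu_2..mu_N of L; assumes a directed spanning tree (simple zero eigenvalue)."""
    mus = np.linalg.eigvals(L)
    return mus[np.argsort(np.abs(mus))][1:]

def beta_upper_bound(L, alpha):
    """Right-hand side of condition (5): min_i alpha*Re(mu_i)/|mu_i|^2."""
    mus = nonzero_eigs(L)
    return float(np.min(alpha * mus.real / np.abs(mus) ** 2))

def D(mu, alpha, beta):
    """D_i of (4) for one nonzero Laplacian eigenvalue mu."""
    a = -beta**2 * abs(mu)**2 + alpha * beta * mu.real
    b = alpha * beta * mu.imag
    c = alpha**2 - alpha * beta * mu.real
    return abs(alpha - beta * mu)**2 * b**2 / (a * b**2 + a**2 * c)

def theorem1_holds(L, alpha, beta, T):
    """Condition (5) plus the assumed reading of (6): tan^2(sqrt(alpha)T/2) > max D_i."""
    if not 0 < beta < beta_upper_bound(L, alpha):
        return False
    k = np.tan(np.sqrt(alpha) * T / 2) ** 2
    return bool(k > max(D(mu, alpha, beta) for mu in nonzero_eigs(L)))

def mode_matrix(mu, alpha, beta, T):
    """Exact one-period map of z' = A z + beta*mu*B z(t_k), with A, B as in (8)."""
    w = np.sqrt(alpha)
    c, s = np.cos(w * T), np.sin(w * T)
    return np.array([[c + beta * mu * (1 - c) / alpha, s / w],
                     [-w * s + beta * mu * s / w, c]], dtype=complex)

def synchronizes(L, alpha, beta, T):
    """True iff every disagreement mode contracts over one sampling period."""
    radii = [np.max(np.abs(np.linalg.eigvals(mode_matrix(mu, alpha, beta, T))))
             for mu in nonzero_eigs(L)]
    return bool(max(radii) < 1.0 - 1e-9)

def simulate(L, alpha, beta, T, x0, v0, steps):
    """Advance network (1) under protocol (2) by `steps` sampling periods."""
    w = np.sqrt(alpha)
    c, s = np.cos(w * T), np.sin(w * T)
    x, v = np.asarray(x0, float), np.asarray(v0, float)
    for _ in range(steps):
        u = beta * (L @ x)  # u_i = beta * sum_j a_ij (x_i(t_k) - x_j(t_k)), held for T
        x, v = (c * x + (s / w) * v + (1 - c) / alpha * u,
                -w * s * x + c * v + (s / w) * u)
    return x, v

def predicted_limit(L, alpha, x0, v0, t):
    """x*(t), v*(t) of Theorem 1, with xi the left eigenvector (xi^T L = 0, xi^T 1 = 1)."""
    vals, vecs = np.linalg.eig(L.T)
    xi = vecs[:, np.argmin(np.abs(vals))].real
    xi = xi / xi.sum()
    w = np.sqrt(alpha)
    px, pv = xi @ np.asarray(x0, float), xi @ np.asarray(v0, float)
    return (np.cos(w * t) * px + np.sin(w * t) / w * pv,
            -w * np.sin(w * t) * px + np.cos(w * t) * pv)

if __name__ == "__main__":
    L, alpha, beta = laplacian(CYCLE), 1.0, 0.3
    print("bound (5) on beta:", beta_upper_bound(L, alpha))
    for T in (0.1, 1.4, 1.6, 2.0):
        print(T, synchronizes(L, alpha, beta, T), theorem1_holds(L, alpha, beta, T))
    x, v = simulate(L, alpha, beta, 2.0, X0, V0, 300)
    print("x(600) =", x, " predicted:", predicted_limit(L, alpha, X0, V0, 600.0)[0])
```

For the constructed directed cycle the nonzero eigenvalues are complex, so T = 0.1 fails while T = 2.0 synchronizes; an undirected triangle with the same α and β synchronizes at T = 0.1.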

4 Synchronization Under Protocol (2)

This section investigates the synchronization of coupled harmonic oscillators (1) under protocol (2) based on current sampled position data. Some necessary and sufficient conditions are derived for reaching synchronization in the network.

Lemma 1 (Ren and Beard 2005). The Laplacian matrix L has a simple zero eigenvalue and N − 1 eigenvalues in the open right-half plane if and only if the associated digraph $\mathcal{G}$ contains a directed spanning tree. Moreover, $1_N$ and ξ are the right and left eigenvectors associated with the zero eigenvalue of L, respectively, where $\xi = (\xi_1, \ldots, \xi_N)^T$ is nonnegative satisfying $\xi^T L = 0$ and $\xi^T 1_N = 1$.

Lemma 2 (Parks and Hahn 1993). Let a complex-coefficient polynomial be given by $p(s) = s^2 + (\xi_1 + i\gamma_1)s + \xi_0 + i\gamma_0$, where $\xi_0$, $\gamma_0$, $\xi_1$ and $\gamma_1$ are real constants. Then, p(s) is asymptotically stable if and only if $\xi_1 > 0$ and $\xi_1\gamma_1\gamma_0 + \xi_1^2\xi_0 - \gamma_0^2 > 0$.

37 Synchronization in Coupled Harmonic Oscillator Systems Based on. . .


The following result provides some synchronization criteria for network (1) under protocol (2).

Theorem 1. Suppose that $G$ contains a directed spanning tree. For $i = 2, \ldots, N$, define the following parameters:

$$a_i = -\beta^2|\mu_i|^2 + \alpha\beta\,\mathrm{Re}(\mu_i), \quad b_i = \alpha\beta\,\mathrm{Im}(\mu_i), \quad c_i = \alpha^2 - \alpha\beta\,\mathrm{Re}(\mu_i), \quad d_i = \frac{|\alpha - \beta\mu_i|^2 b_i^2}{a_i b_i^2 + a_i^2 c_i}. \tag{4}$$

Then, protocol (2) solves the synchronization problem of network (1) if and only if

$$0 < \beta < \min_{2 \le i \le N} \alpha\,\mathrm{Re}(\mu_i)/|\mu_i|^2 \tag{5}$$

and

$$T \in \Omega_T\Bigl(\max_{2 \le i \le N} \arctan\sqrt{d_i}\Bigr). \tag{6}$$

Specifically, as $t \to \infty$, $x_i(t) \to x^*(t) = \cos(\sqrt{\alpha}t)\,\xi^T x(0) + \frac{1}{\sqrt{\alpha}}\sin(\sqrt{\alpha}t)\,\xi^T v(0)$ and $v_i(t) \to v^*(t) = -\sqrt{\alpha}\sin(\sqrt{\alpha}t)\,\xi^T x(0) + \cos(\sqrt{\alpha}t)\,\xi^T v(0)$ for all $i = 1, \ldots, N$, where $x(t) = (x_1(t), \ldots, x_N(t))^T$ and $v(t) = (v_1(t), \ldots, v_N(t))^T$.

Proof. Let $y_i(t) = (x_i(t), v_i(t))^T$ and $y(t) = (y_1^T(t), \ldots, y_N^T(t))^T$. By the definition of the Laplacian matrix and the properties of Kronecker product (Langville and Stewart 2004), the closed-loop network with dynamics (1) and (2) can be written as

$$\dot{y}(t) = (I_N \otimes A)y(t) + \beta(L \otimes B)y(t_k), \quad t \in [t_k, t_{k+1}), \; k \in \mathbb{Z}^+, \tag{7}$$

where

$$A = \begin{pmatrix} 0 & 1 \\ -\alpha & 0 \end{pmatrix} \quad \text{and} \quad B = \begin{pmatrix} 0 & 0 \\ 1 & 0 \end{pmatrix}. \tag{8}$$

Let $J$ be the Jordan canonical form of Laplacian matrix $L$. Then, there should exist nonsingular matrices $P = (p_1, \ldots, p_N) \in \mathbb{R}^{N \times N}$ and $P^{-1} = (q_1, \ldots, q_N)^T \in \mathbb{R}^{N \times N}$ such that $J = P^{-1}LP$. Since $G$ contains a directed spanning tree, by Lemma 1, choose $p_1 = 1_N$ and $q_1 = \xi$ (Ren and Atkins 2007) such that


Q. Song et al.

$$J = P^{-1}LP = \begin{pmatrix} 0 & 0_{N-1}^T \\ 0_{N-1} & L \end{pmatrix}, \tag{9}$$

where $L \in \mathbb{R}^{(N-1) \times (N-1)}$ is a block upper triangular matrix with diagonal elements being nonzero eigenvalues $\mu_i$, $i = 2, \ldots, N$, of $L$.

Let $z(t) = (P^{-1} \otimes I_2)y(t)$, where $z(t) = (z_1^T(t), \ldots, z_N^T(t))^T$ with $z_i = (z_{i1}, z_{i2})^T$. Then, it follows from (7) to (9) that

$$\dot{z}(t) = (I_N \otimes A)z(t) + \beta(J \otimes B)z(t_k), \quad t \in [t_k, t_{k+1}), \; k \in \mathbb{Z}^+. \tag{10}$$

Letting $z(t) = (z_2^T(t), \ldots, z_N^T(t))^T$ and noting $J = \mathrm{diag}(0, L)$, decompose system (10) into two subsystems:

$$\dot{z}_1(t) = Az_1(t), \quad t \in [t_k, t_{k+1}), \tag{11a}$$

$$\dot{z}(t) = (I_{N-1} \otimes A)z(t) + \beta(L \otimes B)z(t_k), \quad t \in [t_k, t_{k+1}), \; k \in \mathbb{Z}^+. \tag{11b}$$

Now we show that the synchronization in network (7) can be reached if and only if subsystem (11b) is asymptotically stable. On the one hand, if subsystem (11b) is asymptotically stable, one has $z_i(t) \to 0$, $i = 2, \ldots, N$. Since $1_N$ is the first column of $P$ and $y(t) = (P \otimes I_2)z(t)$, it is easy to obtain $y_i(t) \to z_1(t)$, $i = 1, \ldots, N$, indicating that the synchronization in network (7) is reached. On the other hand, when network (7) achieves synchronization, there should exist some $y^*(t) \in \mathbb{R}^2$ such that for $i = 1, \ldots, N$, $\lim_{t \to \infty} y_i(t) = y^*(t)$, yielding $\lim_{t \to \infty} y(t) = (1_N \otimes I_2)y^*(t)$. Considering $P^{-1}P = I_N$, we have $q_i^T p_1 = q_i^T 1_N = 0$, $i = 2, \ldots, N$. It follows from $z(t) = (P^{-1} \otimes I_2)y(t)$ that $\lim_{t \to \infty} z_i(t) = \lim_{t \to \infty} (q_i^T \otimes I_2)y(t) = \lim_{t \to \infty} ((q_i^T 1_N) \otimes I_2)y^*(t) = 0$, $i = 2, \ldots, N$, implying that subsystem (11b) is asymptotically stable.

By Lemma 1, one has $\mathrm{Re}(\mu_i) > 0$, $\forall i \in \{2, \ldots, N\}$. Since $L$ is a block upper triangular matrix whose diagonal elements are nonzero eigenvalues $\mu_i$ of $L$, subsystem (11b) is asymptotically stable if and only if the following $N - 1$ subsystems are asymptotically stable:

$$\dot{z}_i(t) = Az_i(t) + \beta\mu_i Bz_i(t_k), \quad i = 2, \ldots, N, \; t \in [t_k, t_{k+1}), \; k \in \mathbb{Z}^+. \tag{12}$$

According to linear system theory, the solution of the $i$-th subsystem in (12) is given by

$$\begin{aligned} z_i(t) &= e^{A(t - t_k)}z_i(t_k) + \beta\mu_i \int_{t_k}^{t} e^{A(t - s)}\,ds\,Bz_i(t_k) \\ &= e^{A(t - t_k)}z_i(t_k) + \beta\mu_i \int_{0}^{t - t_k} e^{As}\,ds\,Bz_i(t_k) \\ &= E_i(t - t_k)z_i(t_k) + F_i(t - t_k)z_i(t_k), \quad t \in [t_k, t_{k+1}), \; i \in \{2, \ldots, N\}, \end{aligned} \tag{13}$$

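where

$$E_i(t) = \begin{pmatrix} \cos(\sqrt{\alpha}t) & \frac{1}{\sqrt{\alpha}}\sin(\sqrt{\alpha}t) \\ -\sqrt{\alpha}\sin(\sqrt{\alpha}t) & \cos(\sqrt{\alpha}t) \end{pmatrix}, \quad F_i(t) = \begin{pmatrix} \frac{\beta\mu_i(1 - \cos(\sqrt{\alpha}t))}{\alpha} & 0 \\ \frac{\beta\mu_i\sin(\sqrt{\alpha}t)}{\sqrt{\alpha}} & 0 \end{pmatrix}. \tag{14}$$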

Let $M_i(t) = E_i(t) + F_i(t)$. It follows from (13) that

$$z_i(t) = M_i(t - t_k)M_i^k(T)z_i(0), \quad t \in [t_k, t_{k+1}), \; i \in \{2, \ldots, N\}. \tag{15}$$

Note that $M_i(t - t_k)$ is bounded in $[t_k, t_{k+1})$. Hence, $z_i(t) \to 0$ if and only if $\rho(M_i(T)) < 1$, $\forall i \in \{2, \ldots, N\}$. Then, it suffices to analyze the eigenvalues of $M_i(T)$. Let $f_i(\lambda, T) = \det(\lambda I_2 - M_i(T)) = 0$ be the characteristic equation of $M_i(T)$. From (14), we have

$$f_i(\lambda, T) = \lambda^2 - \left(2\cos(\sqrt{\alpha}T) + \frac{1 - \cos(\sqrt{\alpha}T)}{\alpha}\beta\mu_i\right)\lambda + 1 + \frac{\cos(\sqrt{\alpha}T) - 1}{\alpha}\beta\mu_i = 0. \tag{16}$$

Obviously, $f_i(1, T) = 0$ when $\beta\mu_i = \alpha$. Meanwhile, note that $\lambda = 1$ and $\lambda = -1$ are the roots of $f_i(\lambda, T) = 0$ when $T = 2k\pi/\sqrt{\alpha}$ and $T = (2k + 1)\pi/\sqrt{\alpha}$, $k = 0, 1, 2, \ldots$, respectively. Therefore, $\beta\mu_i \neq \alpha$ and $T \notin \{n\pi/\sqrt{\alpha} \mid n \in \mathbb{Z}^+\}$ are the necessary conditions ensuring that $f_i(\lambda, T) = 0$ has no root on the unit circle. Let $\lambda = (s + 1)/(s - 1)$. By the property of bilinear transformation, $|\lambda| < 1$ holds if and only if $\mathrm{Re}(s) < 0$. It follows from (16) that

$$2\bigl(1 - \cos(\sqrt{\alpha}T)\bigr)\left(1 - \frac{\beta\mu_i}{\alpha}\right)s^2 + 2\bigl(1 - \cos(\sqrt{\alpha}T)\bigr)\frac{\beta\mu_i}{\alpha}s + 2\bigl(1 + \cos(\sqrt{\alpha}T)\bigr) = 0. \tag{17}$$


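Since $T \neq n\pi/\sqrt{\alpha}$ and $\beta\mu_i \neq \alpha$, we can cast (17) into

$$s^2 + \frac{\beta\mu_i}{\alpha - \beta\mu_i}s + \frac{1 + \cos(\sqrt{\alpha}T)}{1 - \cos(\sqrt{\alpha}T)} \cdot \frac{\alpha}{\alpha - \beta\mu_i} = 0. \tag{18}$$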



Considering Lemma 2 and $\frac{1 + \cos(\sqrt{\alpha}T)}{1 - \cos(\sqrt{\alpha}T)} > 0$, the two roots of equation (18) have negative real parts if and only if

$$\frac{-\beta^2|\mu_i|^2 + \alpha\beta\,\mathrm{Re}(\mu_i)}{|\alpha - \beta\mu_i|^2} > 0 \tag{19}$$

and

$$\frac{a_i b_i^2 + a_i^2 c_i}{|\alpha - \beta\mu_i|^2} - \frac{1 + \cos(\sqrt{\alpha}T)}{1 - \cos(\sqrt{\alpha}T)}b_i^2 > 0, \tag{20}$$

where $a_i$, $b_i$, and $c_i$ are defined in (4). Recall that $\mathrm{Re}(\mu_i) > 0$ for any $i \in \{2, \ldots, N\}$. Then, condition (19) is equivalent to $0 < \beta < \alpha\,\mathrm{Re}(\mu_i)/|\mu_i|^2$, implying that $0 < \beta < \alpha/\mathrm{Re}(\mu_i)$ always holds, ensuring $a_i > 0$ and $c_i > 0$. Let $\theta_i = \arctan\sqrt{d_i} \in [0, \pi/2)$, where $d_i \geq 0$ is defined in (4). For all $i = 2, \ldots, N$, note that condition (20) is equivalent to $\tan^2(\sqrt{\alpha}T/2) > \tan^2(\theta_i)$, from which it follows that $\tan^2(\sqrt{\alpha}T/2) > \tan^2(\max_{2 \le i \le N}\theta_i)$. By Denotation 1, we have $T \in \Omega_T\bigl(\max_{2 \le i \le N}\arctan\sqrt{d_i}\bigr)$. Therefore, for all $i = 2, \ldots, N$, the roots of equation (18) are located in the open left half-plane if and only if conditions (5) and (6) hold such that the eigenvalues of $M_i(T)$ are within the unit circle, indicating the $N - 1$ subsystems in (12) are asymptotically stable, and the synchronization of network (1) under protocol (2) is reached.

Let $y^*(t) = (x^*(t), v^*(t))^T \in \mathbb{R}^2$ be the synchronization state of network (7). Recalling that $\xi^T$ is the first row of $P^{-1}$ and $z(t) = (P^{-1} \otimes I_2)y(t)$, we have $z_1(t) = (\xi^T \otimes I_2)y(t) = \sum_{i=1}^{N}\xi_i y_i(t)$. Considering $\xi^T 1_N = 1$, we obtain $y^*(t) = z_1(t)$, that is, $z_1(t)$ is the synchronization state. With $z_1(0) = (\xi^T \otimes I_2)y(0)$, solving subsystem (11a) gives $y^*(t) = z_1(t) = e^{At}z_1(0) = (x^*(t), v^*(t))^T$, where $x^*(t)$ and $v^*(t)$ are given in the theorem. This completes the proof.

When the topology graph of network (1) is undirected, the following result can be easily obtained from Theorem 1.

Corollary 1. Assume that $G$ is undirected and connected. Then, the synchronization in network (1) with protocol (2) is reached if and only if $0 < \beta < \alpha/\max_{2 \le i \le N}\mu_i$ and $T \in \Omega_T(0)$, i.e., $T \notin \{n\pi/\sqrt{\alpha} \mid n \in \mathbb{Z}^+\}$.

Remark 2. From the proof of Theorem 1, one sees that the synchronization analysis of network (1) with protocol (2) can be converted to the stability analysis for a set of second-order complex-coefficient polynomials given by (18).


Remark 3. Most velocity-based synchronization protocols for coupled harmonic oscillators adopt the negative feedback control strategy (Ren 2008b; Su et al. 2009). Surprisingly, from condition (5) in Theorem 1 and the proof of Theorem 1, it is found that the coupling strength $\beta$ in sampled position-based algorithm (2) should be positive. It is noteworthy that Song et al. (2016a) have shown that positive delayed position feedback control can lead to the synchronization of coupled harmonic oscillators.

Remark 4. From condition (5), note that the feedback gain $\beta$ can be conveniently designed according to the nonzero eigenvalues of the Laplacian matrix $L$.

Remark 5. We now discuss the design of the sampling period $T$ for protocol (2). When $G$ is undirected and connected, it follows from Corollary 1 that $T$ can be any arbitrary positive number which does not belong to the set $\{n\pi/\sqrt{\alpha} \mid n \in \mathbb{Z}^+\}$. When $G$ is directed, it follows from condition (6) that the sampling period $T$ should be taken from a sequence of disjoint open intervals. Moreover, let $T^* = 2\max_{2 \le i \le N}\arctan\sqrt{d_i}/\sqrt{\alpha}$. If $L$ has some complex eigenvalues, we have $T^* > 0$, indicating that any small sampling period $T$ in the interval $(0, T^*]$ will not lead to the synchronization of network (1).

5 Synchronization Under Protocol (3)

In this section, we study the synchronization in network (1) with protocol (3) utilizing past sampled position data.

5.1 Synchronization Criteria for Network (1) with Protocol (3)

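The following result is useful to analyze the synchronization of network (1) under protocol (3).

Lemma 3 (Frank 1946). Consider a third-order polynomial given by $p(s) = s^3 + c_1 s^2 + c_2 s + c_3$, where $c_k = \xi_k + i\gamma_k$, $\xi_k \in \mathbb{R}$ and $\gamma_k \in \mathbb{R}$, $k = 1, 2, 3$. Then, $p(s)$ is stable if and only if

(1) $\xi_1 > 0$;

(2) $\det\begin{pmatrix} \xi_1 & \xi_3 & -\gamma_2 \\ 1 & \xi_2 & -\gamma_1 \\ 0 & \gamma_2 & \xi_1 \end{pmatrix} > 0$;

(3) $\det\begin{pmatrix} \xi_1 & \xi_3 & 0 & -\gamma_2 & 0 \\ 1 & \xi_2 & 0 & -\gamma_1 & -\gamma_3 \\ 0 & \xi_1 & \xi_3 & 0 & -\gamma_2 \\ 0 & \gamma_2 & 0 & \xi_1 & \xi_3 \\ 0 & \gamma_1 & \gamma_3 & 1 & \xi_2 \end{pmatrix} > 0$.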

The following theorem provides some synchronization conditions for network (1) under protocol (3). Theorem 2. Suppose that G contains a directed spanning tree. Let r √ cot( αT /2). Define the following parameters: i =

α 2 − αβRe(μi ) , |α − βμi |2

ξi1 =

α 2 + αβRe(μi ) − 2β 2 |μi |2 3αβIm(μi ) , γi1 = , 2 |α − βμi | |α − βμi |2

ϑi =

αβRe(μi ) − β 2 |μi |2 , |α − βμi |2

ξi2 = i r 2 − ϑi , γi2 =

 γi1  2 r −1 , 3

ξi3 = i r 2 ,

γi1 2 r , i = 2, . . . , N. 3

γi3 =

=

(21)

The synchronization of network (1) under protocol (3) can be reached if and only if the following three conditions hold simultaneously: (1) β ∈ (max2≤i≤N βi1 , 0)



(0, min2≤i≤N βi2 ), where

   βi1 = αRe(μi ) − α Re2 (μi ) + 8|μi |2 /(4|μi |2 ),    βi2 = αRe(μi ) + α Re2 (μi ) + 8|μi |2 /(4|μi |2 ). (2)

N

i=2 {T |νi (cot

2 (√αT /2))

(22)

> 0} = ∅, where νi (ς )  a¯ i ς 2 + b¯i ς + c¯i with

2 a¯ i = −1/9γi12 , b¯i = i ξi1 − i ξi1 + 1/3γi12 ξi1 + 2/9γi12 , 2 + 1/3γi12 ξi1 + 1/9γi12 ). c¯i = −(ϑi ξi1

(3)

N

i=2 {T |σi (cot f¯i3 with

2 (√αT /2))

(23)

> 0} = ∅, where σi (ς )  f¯i0 ς 3 + f¯i1 ς 2 + f¯i2 ς +


f¯i0 = −1/81γi14 − 1/9 i2 γi12 , 2 + 1/27(ξi1 + 1)γi14 f¯i1 = i3 − 2 i3 ξi1 + i3 ξi1

+(1/9 i ϑi + 5/9 i2 )γi12 2 +(1/9 i ξi1 − 1/3ξi1 i + 1/3ξi1 i2 )γi12 , 2 − (2/27ξi1 + 1/27)γi14 f¯i2 = 2 i2 ϑi ξi1 − 2 i2 ϑi ξi1 3 2 −1/9γi12 ξi1 + (5/9 i − 1/9ϑi )γi12 ξi1

+(1/3 i − 4/3 i2 − 1/3 i ϑi )γi12 ξi1 −(4/9 i2 + 2/9 i ϑi )γi12 , 2 + (1/27ξi1 + 1/81)γi14 f¯i3 = i ϑi2 ξi1 2 +(1/9ξi1 + 1/9 i + 1/3ξi1 i )ϑi γi12 .

(24)

Proof. The proof can be carried out by using Lemma 3 and following the line for the proof of Theorem 1. The closed-loop network with dynamics (1) and protocol (3) can be written as:

$$\dot{y}(t) = (I_N \otimes A)y(t) + \beta(L \otimes B)y(t_{k-1}), \quad t \in [t_k, t_{k+1}), \; k \in \mathbb{Z}^+. \tag{25}$$

By the proof of Theorem 1, one can show that the synchronization in network (25) is reached if and only if the following $N - 1$ subsystems are asymptotically stable:

$$z_i(t) = E_i(t - t_k)z_i(t_k) + F_i(t - t_k)z_i(t_{k-1}), \quad i = 2, \ldots, N, \; t \in [t_k, t_{k+1}), \tag{26}$$

where $E_i(t)$ and $F_i(t)$ are defined in (14). Note that $E_i(0) = I_2$ and $F_i(0) = 0_{2 \times 2}$. For $t \in [t_k, t_{k+1})$, one has $t - T \in [t_{k-1}, t_k)$. It follows from (26) that $z_i(t_k) = E_i(T)z_i(t_{k-1}) + F_i(T)z_i(t_{k-2})$ and $z_i(t - T) = E_i(t - T - t_{k-1})z_i(t_{k-1}) + F_i(t - T - t_{k-1})z_i(t_{k-2})$, where $k \geq 2$. Let $\eta_i(t) = (z_i^T(t), z_i^T(t - T))^T$. For $t \in [t_k, t_{k+1})$, one has

$$\eta_i(t) = P_i(t)\eta_i(t_{k-1}), \quad i = 2, \ldots, N, \tag{27}$$

where

$$P_i(t) = \begin{pmatrix} E_i(t - t_k)E_i(T) + F_i(t - t_k) & E_i(t - t_k)F_i(T) \\ E_i(t - T - t_{k-1}) & F_i(t - T - t_{k-1}) \end{pmatrix}. \tag{28}$$


It follows from (27) and (28) that

$$\eta_i(t_k) = Q_i(T)\eta_i(t_{k-1}), \tag{29}$$

in which

$$Q_i(T) \triangleq P_i(t_k) = \begin{pmatrix} E_i(T) & F_i(T) \\ I_2 & 0_{2 \times 2} \end{pmatrix}. \tag{30}$$

For $t \in [t_k, t_{k+1})$, $k \geq 2$, combining (27) and (29) gives

$$\eta_i(t) = P_i(t)Q_i^{k-2}(T)\eta_i(T), \quad i = 2, \ldots, N. \tag{31}$$

Note that $P_i(t)$ is bounded for any $t \in [t_k, t_{k+1})$. Then, one sees that $z_i(t) \to 0$ if and only if $\eta_i(t) \to 0$, indicating that $\rho(Q_i(T)) < 1$ should hold. Let $CE_i(\lambda, T) = \det(\lambda I_4 - Q_i(T)) = 0$ be the characteristic equation of $Q_i(T)$. By (14) and (30), one has $CE_i(\lambda, T) = \lambda g_i(\lambda, T) = 0$, where

$$g_i(\lambda, T) = \lambda^3 - 2\cos(\sqrt{\alpha}T)\lambda^2 + \left(1 - \frac{1 - \cos(\sqrt{\alpha}T)}{\alpha}\beta\mu_i\right)\lambda - \frac{1 - \cos(\sqrt{\alpha}T)}{\alpha}\beta\mu_i = 0, \quad i = 2, \ldots, N. \tag{32}$$

Obviously, $\lambda = 0$ is an eigenvalue of $Q_i(T)$. Hence, one only needs to study the roots of $g_i(\lambda, T) = 0$. Note that $\lambda = 1$ is a root of $g_i(\lambda, T) = 0$ when $\beta\mu_i = \alpha$ or $T = 2k\pi/\sqrt{\alpha}$, $k \in \mathbb{N}$, and $\lambda = -1$ is a root of $g_i(\lambda, T) = 0$ when $T = (2k + 1)\pi/\sqrt{\alpha}$, $k \in \mathbb{Z}^+$. Hence, $\beta\mu_i \neq \alpha$ and $T \neq n\pi/\sqrt{\alpha}$ ($n \in \mathbb{N}$) are the necessary conditions for reaching synchronization in network (1) under protocol (3). Let $\lambda = (s + 1)/(s - 1)$, and substitute it into $g_i(\lambda, T) = 0$, yielding

$$q_{i0}s^3 + q_{i1}s^2 + q_{i2}s + q_{i3} = 0, \quad i = 2, \ldots, N, \tag{33}$$

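where $q_{i0} = (1 - \cos(\sqrt{\alpha}T))(1 - \beta\mu_i/\alpha)$, $q_{i1} = (1 - \cos(\sqrt{\alpha}T))(1 + 2\beta\mu_i/\alpha)$, $q_{i2} = 1 + \cos(\sqrt{\alpha}T) - (1 - \cos(\sqrt{\alpha}T))\beta\mu_i/\alpha$, and $q_{i3} = 1 + \cos(\sqrt{\alpha}T)$. Recall that $r = \cot(\sqrt{\alpha}T/2)$. Considering $\beta\mu_i \neq \alpha$ and $T \neq n\pi/\sqrt{\alpha}$, one can cast (33) into

$$s^3 + c_{i1}s^2 + c_{i2}s + c_{i3} = 0, \quad i = 2, \ldots, N, \tag{34}$$

where $c_{i1} = (\alpha + 2\beta\mu_i)/(\alpha - \beta\mu_i)$, $c_{i2} = (r^2\alpha)/(\alpha - \beta\mu_i) - \beta\mu_i/(\alpha - \beta\mu_i)$ and $c_{i3} = (\alpha r^2)/(\alpha - \beta\mu_i)$.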


Obviously, the synchronization in network (1) under protocol (3) can be achieved if and only if all the roots of the third-order polynomial equations in (34) have negative real parts, which can be studied by using Lemma 3. Let $\xi_{ik} = \mathrm{Re}(c_{ik})$ and $\gamma_{ik} = \mathrm{Im}(c_{ik})$, $k = 1, 2, 3$, which have been explicitly given in (21). Note that $\xi_{i1}|\alpha - \beta\mu_i|^2 = \alpha^2 + \alpha\beta\,\mathrm{Re}(\mu_i) - 2\beta^2|\mu_i|^2 = -2|\mu_i|^2(\beta - \beta_{i1})(\beta - \beta_{i2})$. Since $\beta \neq 0$, $\xi_{i1} > 0$ holds if and only if $\beta \in (\max_{2 \le i \le N}\beta_{i1}, 0) \cup (0, \min_{2 \le i \le N}\beta_{i2})$ such that condition 1 of Lemma 3 is satisfied for any $i \in \{2, \ldots, N\}$. By some tedious calculations, one can show that for any $i \in \{2, \ldots, N\}$, conditions 2 and 3 of Lemma 3 can be satisfied if and only if $\nu_i(\cot^2(\sqrt{\alpha}T/2)) > 0$ and $\sigma_i(\cot^2(\sqrt{\alpha}T/2)) > 0$, respectively. Therefore, all the polynomials in (34) are asymptotically stable if and only if the three conditions of Theorem 2 hold simultaneously such that the synchronization of network (1) under protocol (3) is reached.

Remark 6. The synchronization problem of network (1) with protocol (3) is more challenging than that of network with protocol (2) because one has to analyze the stability for a set of third-order complex-coefficient polynomials in (34). Note that the coupling strength $\beta$ may be chosen to be positive or negative by condition 1 of Theorem 2. Up to this point, it is still not quite clear how to design the sampling period $T$ and the coupling strength $\beta$ for protocol (3) to satisfy the synchronization conditions in Theorem 2, which will be addressed in the next two subsections for undirected and directed networks (1), respectively.

5.2 Design of β and T for Undirected Network

Theorem 3. Suppose that the graph $G$ is undirected and connected. Let $\mu_{\min} = \min_{2 \le i \le N}\mu_i$ and $\mu_{\max} = \max_{2 \le i \le N}\mu_i$. Under protocol (3), the synchronization in network (1) can be reached if and only if either of the following conditions holds:

$$-\alpha/(2\mu_{\max}) < \beta < 0, \quad T \in \Omega_T\bigl(\arctan\sqrt{3\alpha/(\alpha + 2\beta\mu_{\min})}\bigr) \tag{35}$$

and

$$0 < \beta < \alpha/\mu_{\max}, \quad T \in \Omega_T\bigl(\arctan\sqrt{3\alpha/(\alpha + 2\beta\mu_{\max})}\bigr). \tag{36}$$

Proof. Since $G$ is undirected and connected, all the nonzero eigenvalues of Laplacian matrix $L$ satisfy $\mu_i > 0$ and $\gamma_{ik} = 0$, $i = 2, \ldots, N$, $k = 1, 2, 3$. By Theorem 2, the network synchronization can be reached if and only if the three conditions of Theorem 2 hold simultaneously. By condition 1 of Theorem 2 and (22), $\beta \in (-\alpha/(2\mu_{\max}), 0) \cup (0, \alpha/\mu_{\max})$ can ensure that $\xi_{i1} > 0$ holds for any $i \in \{2, \ldots, N\}$.


2 − In view of condition 2 of Theorem 2 and Eq. (23), one has νi (r 2 ) = ( i ξi1 √ 2 = ξ [ (ξ − 1)r 2 − ϑ ξ ], where r = cot( αT /2). Under i ξi1 )r 2 − ϑi ξi1 i1 i i1 i i1 condition 1, ξi1 > 0 holds for i = 2, . . . , N . By some simple calculation, one can verify that νi (r 2 ) > 0 holds if and only if 3αβr 2 > (α + 2βμi )β. Consider two cases for the parameter β as follows: Case (1) β ∈ (−α/(2μmax ), 0)

tan2

√ 3α αT > , i = 2, . . . , N, 2 (α + 2βμi )

√ yielding T ∈ Ω T (arctan 3α/(α + 2βμmin )). Case (2) β ∈ (0, α/μmax ) √ tan2 ( αT /2) < 3α/(α + 2βμi ), i = 2, . . . , N, √ giving T ∈ Ω T (arctan 3α/(α + 2βμmax )). 2 )r 4 + By condition 3 of Theorem 2, one has σi (r 2 ) = ( i3 − 2 i3 ξi1 + i3 ξi1   2 2 )r 2 + ϑ 2 ξ 2 = (ξ − 1)r 2 − ϑ ξ 2 (2 i2 ϑi ξi1 −2 i2 ϑi ξi1 i i i1 i i i1 i i1 . Then, σi (r ) > 0 always holds under conditions (35) or (36). Hence, the synchronization in undirected network (1) with protocol (3) is achieved if and only if either of conditions (35) and (36) holds.  

5.3 Design of β and T for Directed Network

When network (1) is directed, we discuss how to design the coupling strength and sampling period for protocol (3). Suppose that $G$ contains a directed spanning tree. Decompose the node set of network (1) into two subsets $V_1 = \{i \mid \mathrm{Im}(\mu_i) = 0, i = 2, \ldots, N\}$ and $V_2 = \{i \mid \mathrm{Im}(\mu_i) \neq 0, i = 2, \ldots, N\}$. The following lemma analyzes the roots of the equations $\nu_i(\varsigma) = 0$ and $\sigma_i(\varsigma) = 0$ defined in Theorem 2.

Lemma 4. Suppose that the digraph $G$ contains a directed spanning tree. Let $0 < \beta < \min_{2 \le i \le N}\alpha\,\mathrm{Re}(\mu_i)/|\mu_i|^2$. Then, for any $i \in V_2$, $\nu_i(\varsigma) = 0$ has two distinct positive real roots given by $\varsigma_{i1}^{\nu} = (-\bar{b}_i + \sqrt{\Delta_i})/(2\bar{a}_i)$ and $\varsigma_{i2}^{\nu} = (-\bar{b}_i - \sqrt{\Delta_i})/(2\bar{a}_i)$ satisfying $0 < \varsigma_{i1}^{\nu} < \varsigma_{i2}^{\nu}$, where $\Delta_i = \bar{b}_i^2 - 4\bar{a}_i\bar{c}_i$. Moreover, $\sigma_i(\varsigma) = 0$ has at least one positive real root.

Proof. Since $G$ contains a directed spanning tree, $\mathrm{Re}(\mu_i) > 0$ always holds for all $i = 2, \ldots, N$. Recalling that $\vartheta_i$ is defined in (21), $0 < \beta < \min_{2 \le i \le N}\alpha\,\mathrm{Re}(\mu_i)/|\mu_i|^2$ always ensures $\vartheta_i > 0$ for any $i \in V_2$. Meanwhile, $0 < \beta < \min_{2 \le i \le N}\alpha\,\mathrm{Re}(\mu_i)/|\mu_i|^2 \leq \min_{2 \le i \le N}\beta_{i2}$ always holds such that $\xi_{i1} > 0$ is satisfied for any $i \in \{2, \ldots, N\}$. Note that $|\alpha - \beta\mu_i|^2 = \alpha^2 + \beta^2|\mu_i|^2 - 2\alpha\beta\,\mathrm{Re}(\mu_i)$. Then, by some calculations, one can obtain i − 1 = ϑi > 0 and $\xi_{i1} - 1 = 3\vartheta_i > 0$.


Let νi (ς ) = 0 with i ∈ V2 , that is, a¯ i ς 2 + b¯i ς + c¯i = 0, whose discriminant is given by Δi = b¯i2 − 4a¯ i c¯i

2  = (3 i ϑi ξi1 )2 + 1/9 γi12 ξi1 + 4/3 i ϑi ξi1 γi12 2 +(2 i − 4/9)ϑi γi12 ξi1 .

(37)

Since ϑi > 0, ξi1 > 1 and i > 1, one has Δi > 0 for any i ∈ V2 . It follows from (23) that a¯ i < 0, b¯i > 0, and c¯i < 0, indicating that νi (ς ) = 0 has two distinct ν and ς ν satisfying 0 < ς ν < ς ν . positive real roots given by ςi1 i2 i1 i2 Meanwhile, for any i ∈ V2 , by (24) one has f¯i0 = −1/81γi14 − 1/9 i2 γi12 < 0 2 + (1/27ξ + 1/81)γ 4 + (1/9ξ 2 + 1/9 + 1/3ξ )ϑ γ 2 > 0, and f¯i3 = i ϑi2 ξi1 i1 i i1 i i i1 i1 i1 implying σi (0) > 0 and σi (∞) < 0. Hence, σi (ς ) = 0 has at least one positive real root.  

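Remark 7. If $\beta$ does not satisfy the condition in Lemma 4, by condition 1 of Theorem 2, one has $\beta \in (\max_{2 \le i \le N}\beta_{i1}, 0)$ or $\beta \in [\min_{2 \le i \le N}\alpha\,\mathrm{Re}(\mu_i)/|\mu_i|^2, \min_{2 \le i \le N}\beta_{i2})$, yielding $\vartheta_k < 0$ for some $k \in \{2, \ldots, N\}$. Then, it will be difficult to analytically check if the third-order equation $\sigma_i(\varsigma) = 0$ has a positive real root, which may be left as our future work.

Theorem 4. Suppose that the digraph $G$ contains a directed spanning tree. Let $0 < \beta < \min_{2 \le i \le N}\alpha\,\mathrm{Re}(\mu_i)/|\mu_i|^2$. For $i \in V_2$, let $\varsigma_{i1}^{\nu}$ and $\varsigma_{i2}^{\nu}$ be the positive real roots of $\nu_i(\varsigma) = 0$ given in Lemma 4 satisfying $0 < \varsigma_{i1}^{\nu} < \varsigma_{i2}^{\nu}$. Define $CT_{\nu 1} \triangleq \bigcap_{i \in V_1}\{T \mid \nu_i(\cot^2(\sqrt{\alpha}T/2)) > 0\}$ and $CT_{\nu 2} \triangleq \bigcap_{i \in V_2}\{T \mid \nu_i(\cot^2(\sqrt{\alpha}T/2)) > 0\}$. Then, under protocol (3), the synchronization of network (1) can be reached if and only if $T \in CT_{\nu 1} \cap CT_{\nu 2} \cap CT_{\sigma}$, where $CT_{\nu 1} = \Omega_T\bigl(\arctan\sqrt{3\alpha/(\alpha + 2\beta\max_{i \in V_1}\mu_i)}\bigr)$, $CT_{\nu 2} = \Omega_T\bigl(\max_{i \in V_2}\arctan\sqrt{1/\varsigma_{i2}^{\nu}}, \min_{i \in V_2}\arctan\sqrt{1/\varsigma_{i1}^{\nu}}\bigr)$, and $CT_{\sigma} \triangleq \bigcap_{i \in V_2}\{T \mid \sigma_i(\cot^2(\sqrt{\alpha}T/2)) > 0\}$ is determined by the positive roots of $\sigma_i(\varsigma) = 0$.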

Proof. Recall that the synchronization of network (1) with protocol (3) can be reached if and only if three conditions of Theorem 2 hold simultaneously. One can verify that $0 < \beta < \min_{2 \le i \le N}\alpha\,\mathrm{Re}(\mu_i)/|\mu_i|^2$ ensures $\beta \in (0, \min_{2 \le i \le N}\beta_{i2})$, that is, condition 1 of Theorem 2 is satisfied. By condition 2 of Theorem 2, let $CT_{\nu} \triangleq \bigcap_{i \in V_1 \cup V_2}\{T \mid \nu_i(\cot^2(\sqrt{\alpha}T/2)) > 0\}$, giving $CT_{\nu} = CT_{\nu 1} \cap CT_{\nu 2}$. For any $i \in V_1$, it follows from $0 < \beta < \min_{2 \le i \le N}\alpha\,\mathrm{Re}(\mu_i)/|\mu_i|^2$ and condition (36) in Theorem 3 that $CT_{\nu 1} = \bigcap_{i \in V_1}\{T \mid \nu_i(\cot^2(\sqrt{\alpha}T/2)) > 0\} = \Omega_T\bigl(\arctan\sqrt{3\alpha/(\alpha + 2\beta\max_{i \in V_1}\mu_i)}\bigr)$. For any $i \in V_2$, by Lemma 4, one knows that $\nu_i(\varsigma) = 0$ has two distinct positive real roots given by $\varsigma_{i1}^{\nu}$ and $\varsigma_{i2}^{\nu}$, from which it follows that $\nu_i(\varsigma) = \bar{a}_i(\varsigma - \varsigma_{i1}^{\nu})(\varsigma - \varsigma_{i2}^{\nu})$. Since $\bar{a}_i < 0$, $\nu_i(\cot^2(\sqrt{\alpha}T/2)) > 0$ holds if and only if $\varsigma_{i1}^{\nu} < \cot^2(\sqrt{\alpha}T/2) < \varsigma_{i2}^{\nu}$, yielding $1/\varsigma_{i2}^{\nu} < \tan^2(\sqrt{\alpha}T/2) < 1/\varsigma_{i1}^{\nu}$. Then, one has

$$CT_{\nu 2} = \Omega_T\Bigl(\max_{i \in V_2}\arctan\sqrt{1/\varsigma_{i2}^{\nu}}, \; \min_{i \in V_2}\arctan\sqrt{1/\varsigma_{i1}^{\nu}}\Bigr).$$

Considering condition 3 of Theorem 2 and the proof of Theorem 3, one knows that $0 < \beta < \min_{2 \le i \le N}\alpha\,\mathrm{Re}(\mu_i)/|\mu_i|^2$ and $T \in CT_{\nu 1}$ can ensure that $\sigma_i(\varsigma) > 0$ holds for any $i \in V_1$. Then, it suffices to discuss the set $CT_{\sigma}$ determined by the node set $V_2$. For any $i \in V_2$, let $\sigma_i(\varsigma) = \bar{f}_{i0}\prod_{k=1}^{3}(\varsigma - \varsigma_{ik}^{\sigma}) = 0$, where f¯i0 = −1/81γi14 − 1/9 i2 γi12 < 0 and $\varsigma_{ik}^{\sigma}$ is the $k$-th root of $\sigma_i(\varsigma) = 0$. When $0 < \beta < \min_{2 \le i \le N}\alpha\,\mathrm{Re}(\mu_i)/|\mu_i|^2$, by Lemma 4, $\sigma_i(\varsigma) = 0$ has at least one positive real root, indicating $CT_{\sigma} \neq \emptyset$. Since $\sigma_i(\varsigma) = 0$ has three roots, it is easy to compute the set $CT_{\sigma}$. For instance, assume that for any $i \in V_2$, $\sigma_i(\varsigma) = 0$ has a single positive real root $\varsigma_{i1}^{\sigma}$ and two complex roots in conjugate pair. Note that $\sigma_i(\varsigma) > 0$ holds if and only if $\varsigma < \varsigma_{i1}^{\sigma}$, yielding $CT_{\sigma} = \Omega_T\bigl(\max_{i \in V_2}\arctan\sqrt{1/\varsigma_{i1}^{\sigma}}\bigr)$. For other cases, one can also easily determine $CT_{\sigma}$ based on the positive real roots of $\sigma_i(\varsigma) = 0$ for all $i \in V_2$ (see Sect. 6.2). Now, by the synchronization criteria in Theorem 2, one can conclude that the synchronization in network (1) with protocol (3) is achieved if and only if $T \in CT_{\nu 1} \cap CT_{\nu 2} \cap CT_{\sigma}$.

Remark 8. Under $0 < \beta < \min_{2 \le i \le N}\alpha\,\mathrm{Re}(\mu_i)/|\mu_i|^2$, it follows from the synchronization conditions in Theorem 4 that when the Laplacian matrix has complex eigenvalues, the synchronization in directed network (1) with protocol (3) cannot be reached if the sampling period is less than $2\max_{i \in V_2}\arctan\sqrt{1/\varsigma_{i2}^{\nu}}/\sqrt{\alpha}$.

Remark 9. It would be of interest to further consider the synchronization of network (1) with a general protocol given by $u_i(t) = \beta\sum_{j \in N_i}a_{ij}(x_i(t_{k-h}) - x_j(t_{k-h}))$, $t \in [t_k, t_{k+1})$, $i = 1, \ldots, N$, where $h \in \mathbb{N}$ and $h \geq 2$, whose analysis is much more challenging than that of the synchronization of network (1) with protocol (3). Moreover, it would be desirable to apply protocols (2) and (3) to real networked systems by using analog/digital circuits in the future.

6 Numerical Results

This section provides simulation examples to illustrate the theoretical analysis. For network (1) composed of four nodes, let the nonzero elements of the adjacency matrix $A$ be given by $a_{14} = 1$, $a_{23} = 1$, $a_{31} = 1$ and $a_{42} = 1$. Then, the eigenvalues of Laplacian matrix $L$ are determined to be $\mu_1 = 0$, $\mu_2 = 2$, $\mu_3 = 1 + i$ and $\mu_4 = 1 - i$, indicating that $G$ contains a directed spanning tree. Let $\alpha = 0.81$. To illustrate the synchronization performance, let position and velocity errors be given by $x_i(t) - x^*(t)$ and $v_i(t) - v^*(t)$, $i = 1, \ldots, N$, where $x^*(t)$ and $v^*(t)$ are, respectively, the final position and velocity states specified in Theorem 1.

6.1 Synchronization with Current Sampled Position Data

We now investigate the synchronization of network (1) under protocol (2). By condition (5) in Theorem 1, we choose $\beta = 0.25 < \min_{2 \le i \le 4}\alpha\,\mathrm{Re}(\mu_i)/|\mu_i|^2 = 0.405$. According to Theorem 1, the sampling period $T$ should be selected from the set $\Omega_T(\theta)$ defined in (6), where $\theta = \max_{2 \le i \le 4}\arctan\sqrt{d_i} = 1.0168$. Letting $k = 0$, we obtain $(2.2595, 3.4907) \subset \Omega_T(\theta)$. Choosing $T = 3 \in \Omega_T(\theta)$, it follows from the synchronization errors shown in Fig. 1a that the synchronization problem of network (1) is successfully solved by protocol (2). By Remark 5, we know that the network cannot achieve synchronization if $T$ is less than $T^* = 2.2595$. This is confirmed by Fig. 1b, where the network synchronization is not reached when $T = 2.2$.

6.2 Synchronization with Past Sampled Position Data

Consider the synchronization of network (1) using protocol (3). Obviously, $V_1 = \{2\}$ and $V_2 = \{3, 4\}$. By the synchronization conditions in Theorem 4, let $\beta = 0.2$. Some simple calculations yield $CT_{\nu 1} = \Omega_T(0.8876)$ and $CT_{\nu 2} = \Omega_T(0.2656, 0.8843)$. For each $i \in V_2$, $\sigma_i(\varsigma) = 0$ has three positive roots given by $\varsigma_{i1}^{\sigma} = 0.1687$, $\varsigma_{i2}^{\sigma} = 1.4938$ and $\varsigma_{i3}^{\sigma} = 8.8931$. Considering the proof of Theorem 4, we have

$$CT_{\sigma} = \Omega_T\Bigl(\max_{i \in V_2}\arctan\sqrt{1/\varsigma_{i1}^{\sigma}}\Bigr) \cup \Omega_T\Bigl(\max_{i \in V_2}\arctan\sqrt{1/\varsigma_{i3}^{\sigma}}, \; \min_{i \in V_2}\arctan\sqrt{1/\varsigma_{i2}^{\sigma}}\Bigr) = \Omega_T(1.1811) \cup \Omega_T(0.3235, 0.6857).$$

Define $CT = CT_{\nu 1} \cap CT_{\nu 2} \cap CT_{\sigma}$. Letting $k = 0$, the first interval in the set $CT$ for reaching network synchronization is determined to be $(0.7190, 1.5238)$. When $T = 1 \in CT$, the synchronization in network (1) using protocol (3) is achieved as shown by Fig. 2a. The evolutions of the synchronization errors for $T = 0.7 \notin CT$ are depicted in Fig. 2b, from which we see that the synchronization is not reached in the network.

Fig. 1 Synchronization errors of network under protocol (2): (a) T = 3; (b) T = 2.2. Each panel plots position error and velocity error against time.

Fig. 2 Synchronization errors of network under protocol (3): (a) T = 1; (b) T = 0.7. Each panel plots position error and velocity error against time.
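The sampling-period choices of Sects. 6.1 and 6.2 can be checked numerically. The Python code below is an added example, not part of the chapter: it builds the Laplacian of the four-node digraph, forms $M_i(T) = E_i(T) + F_i(T)$ from (14) and $Q_i(T)$ from (30), and tests whether every spectral radius is below one. The function names, the constructed initial state in `position_spread`, and the use of NumPy are assumptions of this example.

```python
import numpy as np

ALPHA = 0.81                # oscillator parameter alpha used in Sect. 6
W = np.sqrt(ALPHA)


def laplacian():
    """Laplacian L = D - A of the four-node digraph with a14 = a23 = a31 = a42 = 1."""
    adj = np.zeros((4, 4))
    for i, j in [(1, 4), (2, 3), (3, 1), (4, 2)]:
        adj[i - 1, j - 1] = 1.0
    return np.diag(adj.sum(axis=1)) - adj


def nonzero_eigenvalues(L, tol=1e-9):
    mu = np.linalg.eigvals(L)
    return mu[np.abs(mu) > tol]


def E(T):
    """E_i(T) from (14), i.e. exp(A*T) for A = [[0, 1], [-alpha, 0]]."""
    c, s = np.cos(W * T), np.sin(W * T)
    return np.array([[c, s / W], [-W * s, c]])


def G(T):
    """F_i(T) from (14) divided by beta*mu_i."""
    c, s = np.cos(W * T), np.sin(W * T)
    return np.array([[(1 - c) / ALPHA, 0.0], [s / W, 0.0]])


def spectral_radius(M):
    return float(np.max(np.abs(np.linalg.eigvals(M))))


def rho_current(T, beta, mu):
    """rho(M_i(T)) for mode mu under protocol (2), current sampled data."""
    return spectral_radius(E(T) + beta * mu * G(T))


def rho_past(T, beta, mu):
    """rho(Q_i(T)) with Q_i from (30), for mode mu under protocol (3)."""
    Q = np.block([[E(T).astype(complex), beta * mu * G(T)],
                  [np.eye(2), np.zeros((2, 2))]])
    return spectral_radius(Q)


def synchronizes(T, beta, mus, past=False):
    """True when every nonzero Laplacian mode is asymptotically stable."""
    rho = rho_past if past else rho_current
    return all(rho(T, beta, mu) < 1.0 for mu in mus)


def beta_upper_bound(mus):
    """Right-hand side of condition (5)."""
    return float(min(ALPHA * mu.real / abs(mu) ** 2 for mu in mus))


def min_sampling_period(beta, mus):
    """T* = 2 max_i arctan(sqrt(d_i)) / sqrt(alpha) of Remark 5, with d_i from (4)."""
    thetas = []
    for mu in mus:
        a = -beta ** 2 * abs(mu) ** 2 + ALPHA * beta * mu.real
        b = ALPHA * beta * mu.imag
        c = ALPHA ** 2 - ALPHA * beta * mu.real
        d = abs(ALPHA - beta * mu) ** 2 * b ** 2 / (a * b ** 2 + a ** 2 * c)
        thetas.append(np.arctan(np.sqrt(d)))
    return float(2 * max(thetas) / W)


def position_spread(T, beta, steps):
    """Iterate network (7) at the sampling instants; return max_i x_i - min_i x_i."""
    step = np.kron(np.eye(4), E(T)) + beta * np.kron(laplacian(), G(T))
    # Constructed initial state, stacked as (x1, v1, x2, v2, x3, v3, x4, v4).
    y = np.array([1.0, 0.0, -0.5, 0.3, 0.2, -0.4, 0.8, 0.1])
    for _ in range(steps):
        y = step @ y
    x = y[0::2]
    return float(x.max() - x.min())


if __name__ == "__main__":
    mus = nonzero_eigenvalues(laplacian())
    print("nonzero eigenvalues:", np.round(mus, 6))
    print("beta bound (5):", beta_upper_bound(mus))
    print("T* for beta = 0.25:", round(min_sampling_period(0.25, mus), 4))
    for T in (3.0, 2.2):
        print("protocol (2), T =", T, "->", synchronizes(T, 0.25, mus))
    for T in (1.0, 0.7):
        print("protocol (3), T =", T, "->", synchronizes(T, 0.2, mus, past=True))
```

At T = 0.7 under protocol (3) the largest eigenvalue modulus exceeds one only slightly, so the divergence in Fig. 2b is slow.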

7 Conclusions

In this chapter, we have systematically studied the synchronization problems for continuous-time coupled harmonic oscillators by proposing two distributed control algorithms utilizing current and past sampled position data. Some necessary and sufficient conditions in terms of coupling strength and sampling period have been established to achieve network synchronization. According to the nonzero eigenvalues of the Laplacian matrix of the network, we have designed the coupling strength and then shown that the sampling period must be chosen from a sequence of disjoint open intervals. In this chapter, we focus on the leaderless synchronization of coupled harmonic oscillators. In the future it would be an interesting topic to investigate the synchronization of discrete-time coupled harmonic oscillators proposed in Ballard et al. (2010) by utilizing sampled position data.

References L. Ballard, Y. Cao, W. Ren, Distributed discrete-time coupled harmonic oscillators with application to synchronised motion coordination. IET Control Theory Appl. 4(5), 806–816 (2010) Y. Cao, W. Ren, M. Egerstedt, Distributed containment control with multiple stationary or dynamic leaders in fixed and switching directed networks. Automatica 48(8), 1586–1597 (2012) T. Chen, B.A. Francis, Optimal Sampled-Data Control Systems (Springer, London, 1995) S. Cheng, J. C. Ji, J. Zhou, Infinite-time and finite-time synchronization of coupled harmonic oscillators. Phys. Scr. 84(3), art. no. 035006 (2011) P. De Lellis, M. di Bernardo, F. Garofalo, M. Porfiri, Evolution of complex networks via edge snapping. IEEE Trans. Circuits Syst. I 57(8), 2132–2143 (2010) P. De Lellis, M. di Bernardo, F. Garofalo, Adaptive pinning control of networks of circuits and systems in Lur’e form. IEEE Trans. Circuits Syst. I 60(11), 3033–3042 (2013) E. Frank, On the zeros of polynomials with complex coefficients. Bull. Am. Math. Soc. 52(2), 144–157 (1946) Y. Gao, B. Liu, M. Zuo, T. Jiang, J. Yu, Consensus of continuous-time multiagent systems with general linear dynamics and nonuniform sampling. Math. Probl. Eng. 2013, art. no. 718759 (2013) E. Garcia, Y. Cao, D. W. Casbeer, Decentralized event-triggered consensus with general linear dynamics. Automatica 50(10), 2633–2640 (2014) Y. Hong, G. Chen, L. Bushnell, Distributed observers design for leader-following control of multiagent networks. Automatica 44(3), 846–850 (2008) N. Huang, Z. Duan, G. Chen, Some necessary and sufficient conditions for consensus of secondorder multi-agent systems with sampled position data. Automatica 63, 148–155 (2016) R. Jeter, I. Belykh, Synchronization in on-off stochastic networks: windows of opportunity. IEEE Trans. Circuits Syst. I 62(5), 1260–1269 (2015) M. Ji, G. Ferrari-Trecate, M. Egerstedt, A. Buffa, Containment control in mobile networks. IEEE Trans. Autom. Control 53(8), 1972–1975 (2008) A.N. 
Langville, W.J. Stewart, The Kronecker product and stochastic automata networks. J. Comput. Appl. Math. 167(2), 429–447 (2004) C.Q. Ma, J.F. Zhang, Necessary and sufficient conditions for consensusability of linear multi-agent systems. IEEE Trans. Autom. Control 55(5), 1263–1268 (2010)

37 Synchronization in Coupled Harmonic Oscillator Systems Based on. . .

1221

Z. Meng, Z. Li, A.V. Vasilakos, S. Chen, Delay-induced synchronization of identical linear multiagent systems. IEEE Trans. Cybern. 43(2), 476–489 (2013) R. Olfati-Saber, R.M. Murray, Consensus problems in networks of agents with switching topology and time-delays. IEEE Trans. Autom. Control 49(9), 1520–1533 (2004) P.C. Parks, V. Hahn, Stability Theory (Prentice Hall, New York, 1993) L.M. Pecora, T.L. Carroll, Master stability functions for synchronized coupled systems. Phys. Rev. Lett. 80(10), 2109–2112 (1998) M. Porfiri, D. J. Stilwell, Consensus seeking over random weighted directed graphs. IEEE Trans. Autom. Control 52(9), 1767–1773 (2007) M. Porfiri, D.J. Stilwell, E.M. Bollt, Synchronization in random weighted directed networks. IEEE Trans. Circuits Syst. I 55(10), 3170–3177 (2008) W. Ren, On consensus algorithms for double-integrator dynamics. IEEE Trans. Autom. Control 53(6), 1503–1509 (2008a) W. Ren, Synchronization of coupled harmonic oscillators with local interaction. Automatica 44(12), 3195–3200 (2008b) W. Ren, E. Atkins, Distributed multi-vehicle coordinated control via local information exchange. Int. J. Robust Nonlinear Control 17(10–11), 1002–1033 (2007) W. Ren, R.W. Beard, Consensus seeking in multiagent systems under dynamically changing interaction topologies. IEEE Trans. Autom. Control 50(5), 655–661 (2005) L. Scardovi, R. Sepulchre, Synchronization in networks of identical linear systems. Automatica 45(11) 2557–2562 (2009) Q. Song, F. Liu, J. Cao, W. Yu, Pinning-controllability analysis of complex networks: An M-matrix approach. IEEE Trans. Circuits Syst. I 59(11), 2692–2701 (2012) Q. Song, F. Liu, J. Cao, W. Yu, M-Matrix Strategies for pinning-controlled leader-following consensus in multiagent systems with nonlinear dynamics. IEEE Trans. Cybern. 43(6), 1688– 1697 (2013) Q. Song, W. Yu, J. Cao, F. Liu, Reaching synchronization in networked harmonic oscillators with outdated position data. IEEE Trans. Cybern. 46(7), 1566–1578 (2016a) Q. 
Song, F. Liu, G. Wen, J. Cao, Y. Tang, Synchronization of coupled harmonic oscillators via sampled position data control. IEEE Trans. Circuits Syst. I 63(7), 1079–1088 (2016b) Q. Song, F. Liu, J. Cao, A. V. Vasilakos, Y. Tang, Leader-following synchronization of coupled homogeneous and heterogeneous harmonic oscillators based on relative position measurements. IEEE Trans. Control Network Syst. 6(1), 13–23 (2019) H. Su, X. Wang, Z. Lin, Synchronization of coupled harmonic oscillators in a dynamic proximity network. Automatica 45(10), 2286–2291 (2009) W. Sun, J. Lü, S. Chen, X. Yu, Synchronisation of directed coupled harmonic oscillators with sampled-data. IET Control Theory Appl. 8(11), 937–947 (2014) S.E. Tuna, Conditions for synchronizability in arrays of coupled linear systems. IEEE Trans. Autom. Control 54(10), 2416–2420 (2009) G. Wen, Z. Duan, W. Ren, G. Chen, Distributed consensus of multi-agent systems with general linear node dynamics and intermittent communications. Int. J. Robust Nonlinear Control 24(16), 2438–2457 (2014a) G. Wen, W. Yu, M.Z. Chen, X. Yu, G. Chen, H∞ pinning synchronization of directed networks with aperiodic sampled-data communications. IEEE Trans. Circuits Syst. I 61(11), 3245–3255 (2014b) C. Xu, Y. Zheng, H. Su, H. O. Wang, Containment control for coupled harmonic oscillators with multiple leaders under directed topology. Int. J. Control 88(2), 248–255 (2015) W. Yu, G. Chen, M. Cao, Some necessary and sufficient conditions for second-order consensus in multi-agent dynamical systems. Automatica 46(6), 1089–1095 (2010) H. Zhang, J. Zhou, Synchronization of sampled-data coupled harmonic oscillators with control inputs missing. Syst. Control Lett. 61(12), 1277–1285 (2012) Y. Zhang, Y. Yang, Y. Zhao, Finite-time consensus tracking for harmonic oscillators using both state feedback control and output feedback control. Int. J. Robust Nonlinear Control 23(8), 878–893 (2013)


A.M. Zheltikov, A harmonic-oscillator model of acoustic vibrations in metal nanoparticles and thin films coherently controlled with sequences of femtosecond pulses. Laser Phys. 12(3), 576–580 (2002) W. Zou, D.V. Senthilkumar, R. Nagao, I.Z. Kiss, Y. Tang, A. Koseska, J. Duan, J. Kurths, Restoration of rhythmicity in diffusively coupled dynamical networks. Nat. Commun. 6, art. no. 7709 (2015)

38 Synchronization of Nonlinear Dynamical Networks with Heterogeneous Impulses

Wenbing Zhang, Yang Tang, and Qingying Miao

Contents
1 Introduction
2 Model Formulation and Some Preliminaries
3 Synchronization of Nonlinear Dynamical Networks with Heterogeneous Impulses
4 Numerical Example
5 Conclusion
References

Abstract In this chapter, the synchronization problem is investigated for a class of nonlinear delayed dynamical networks with heterogeneous impulsive effects. The intrinsic property of the heterogeneous impulses is that the impulsive strengths are heterogeneous in both the time and space domains, i.e., the impulsive effects in each node are not only nonidentical from each other, but also time-varying at different impulsive instants. The purpose of the addressed problem is to derive synchronization criteria such that the nonlinear delayed dynamical networks with heterogeneous impulses can be synchronized to a desired state. By means of a time-dependent Lyapunov function and the comparison principle, several sufficient conditions are established under which the nonlinear dynamical networks with heterogeneous impulsive effects are exponentially synchronized to a desired state. An example is given to show the effectiveness of the proposed synchronization criterion.

W. Zhang
Department of Mathematics, Yangzhou University, Jiangsu, China
Y. Tang
The Key Laboratory of Advanced Control and Optimization for Chemical Processes, Ministry of Education, East China University of Science and Technology, Shanghai, China
Q. Miao
School of Continuing Education, Shanghai Jiao Tong University, Shanghai, China
© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_22

Keywords Synchronization · Heterogeneous impulses · Nonlinear dynamical networks · Multi-agent systems · Time delays

1 Introduction

Recently, multi-agent systems or complex dynamical networks (CDNs) have received increasing attention due to their extensive applications in science and engineering. Cooperative collective behavior in networks of autonomous agents has attracted growing attention owing to an increasing interest in understanding intriguing animal group behaviors, such as synchronization (Zhang and Han 2013; He et al. 2011; Zhou and Chen 2006; Lorand and Bauer 2006; Tang and Wong 2013), consensus (Tang et al. 2013; Yu et al. 2011; Li et al. 2010; Saber and Murray 2004) and flocking (Zhu et al. 2013), due to their emerging broad applications to sensor networks and unmanned air vehicles formations. Recently, special attention has been focused on the synchronization problems of various CDNs. In modeling CDNs, time delays are often encountered in real world due to the finite switching speed of amplifiers. Design flaws and incorrect analytical conclusions can be obtained if time-varying delays are not considered or not well described in system modeling (Lu et al. 2012a). Therefore, it is of great importance to consider the effects of time-varying delays for studying the dynamics of CDNs. For example, in Liu et al. (2013) the synchronization problem was studied for a class of delayed neutral-type neural networks with Markovian jumping parameters. In Yang et al. (2013), the synchronization for a class of coupled neural networks with Markovian jumping and random coupling strength was studied. In Wong et al. (2013), the stochastic synchronization was investigated for complex networks with communication and self-feedback delays as well as mixed impulses. On the other hand, the states of various dynamical networks such as electronic networks and biological networks often suffer from instantaneous disturbances and undergo abrupt changes at certain instants, which may arise from switching phenomenon or frequency change, i.e., they exhibit impulsive effects (Zhang et al. 
2012, 2013; Yang and Xu 2007). As was shown in Lu et al. (2010), in general, there are three kinds of impulses in CDNs when considering synchronization performance: synchronizing impulsive effects, desynchronizing impulsive effects and inactive impulsive effects. Recently, the synchronization problems of complex dynamical networks with the first two types of impulses have received increasing attention (Zhang et al. 2010, 2013; Guan et al. 2010; Lu et al. 2011; Cao et al. 2009; Wang et al. 2012; Yang et al. 2010). For instance, in Zhang et al.


(2013), the exponential synchronization of coupled switched neural networks with mode-dependent impulsive effects was investigated where desynchronizing and synchronizing impulses were considered respectively. In Guan et al. (2010), by means of the comparison principle, the synchronization problem of CDNs with distributed synchronizing impulsive control was investigated. In Zhang et al. (2010), the robust global exponential synchronization problem for a class of uncertain chaotic delayed neural networks via dual-stage synchronizing impulsive control was investigated. However, in Zhang et al. (2013) and Lu et al. (2011), the results are confined to time-varying impulses or different impulses in time domain, i.e., the impulsive effects are distinct at different impulsive instants, few results have been reported on the synchronization problem of CDNs with impulsive effects in space domain. That is, it is implicitly assumed in existing works that all the nodes are subjected to the same intensities of synchronizing or desynchronizing impulses, which is impractical in real worlds. As is known to all, the CDNs or multi-agent systems are composed of a large number of interconnected dynamical nodes, in which each node is a unit with specific dynamics. As was shown in Nuño et al. (2011) and Zhao et al. (2011a, b), almost all the CDNs in engineering have different nodes’ dynamics and therefore the impulsive effects in each node may not only be different in time domain (Wong et al. 2013; Zhang et al. 2012), but also be nonidentical in space domain. Based on the above discussions, in this chapter, we firstly propose nonidentical impulses, which means that impulsive effects are nonidentical in the networks. Then we aim to propose a new concept of heterogeneous impulses, which show heterogeneities in both time domain and space domain. The proposed heterogeneous impulses can encompass recently presented time-varying impulsive effects (Wong et al. 2013; Zhang et al. 
2012) and nonidentical impulses of this chapter into a unified framework. Generally, if the impulsive strengths are time-varying, i.e., distinct at different impulsive instants, we call such impulses time-varying impulses or heterogeneous impulses in the time domain (Wong et al. 2013; Zhang et al. 2012). If the impulsive strengths of each node are nonidentical in the networks, we call such impulses nonidentical impulses or heterogeneous impulses in the space domain. If the impulsive effects are nonidentical in both the time and space domains, we call such impulses heterogeneous impulses. Clearly, heterogeneous impulses generalize the time-varying impulses and nonidentical impulses, which gives them more practical significance. Hence it becomes important from the viewpoints of theory and practice to investigate the synchronization problem of nonlinear dynamical networks with heterogeneous impulses. However, up to now, to the best of our knowledge, the synchronization problem of CDNs with heterogeneous impulses is still an open yet challenging issue, and the main purpose of this chapter is to fill this gap. Summarizing the above discussions, the focus of this chapter is on the synchronization problem for a class of nonlinear delayed dynamical networks with heterogeneous impulses, which can present a unified framework to include time-varying impulses (Wong et al. 2013; Zhang et al. 2012) and nonidentical impulses of this chapter. Using the Lyapunov stability theory and the comparison principle,


synchronization criteria are established to guarantee that the nonlinear dynamical networks are synchronized to a desired state. In addition, an example is given to show the effectiveness of the proposed results. The main contribution of this chapter is twofold: (1) a novel concept of heterogeneous impulses is proposed. The intrinsic property of heterogeneous impulses is that the impulses are heterogeneous in both the time and space domains and can therefore generalize several well-known impulsive effects; (2) based on the new type of impulses, a time-dependent Lyapunov function is proposed to deal with the synchronization problem for a class of nonlinear delayed dynamical networks with heterogeneous impulses.

Notations: Throughout this chapter, $\mathbb{R}_+$ and $\mathbb{R}^n$ denote, respectively, the set of nonnegative real numbers and the n-dimensional Euclidean space. $\mathbb{N}_+$ denotes the set of positive integers. The vector norm is defined as $\|x\| = \sqrt{x^T x}$. $I_n$ denotes the n-dimensional identity matrix. For a matrix $A \in \mathbb{R}^{n\times n}$, $\|A\| = \sqrt{\lambda_{\max}(A^T A)}$, where $\lambda_{\max}(\cdot)$ represents the largest eigenvalue. $PC([-r, 0]; \mathbb{R}^n)$ denotes the family of piecewise continuous functions from $[-r, 0]$ to $\mathbb{R}^n$ with the norm $\|\phi\|_r = \sup_{-r\le\theta\le 0}\|\phi(\theta)\|$. Moreover, $X \ge Y$ (respectively $X > Y$), where $X$ and $Y$ are symmetric matrices, means that $X - Y$ is a positive semi-definite (respectively, positive definite) matrix.

2 Model Formulation and Some Preliminaries

Consider the following complex nonlinear dynamical network model:

$$\dot{x}_i(t) = -Cx_i(t) + B\tilde{f}_1(x_i(t)) + D\tilde{f}_2(x_i(t-\tau(t))) + \upsilon\sum_{j=1}^{N} a_{ij}\Gamma x_j(t), \tag{1}$$

where $i = 1, 2, \ldots, N$, $x_i(t) = [x_{i1}(t), x_{i2}(t), \ldots, x_{in}(t)]^T \in \mathbb{R}^n$ is the state vector of the ith node at time t; $C = \mathrm{diag}\{c_1, c_2, \ldots, c_n\} > 0$; $B \in \mathbb{R}^{n\times n}$ and $D \in \mathbb{R}^{n\times n}$; $\tau(t)$ is the time-varying delay satisfying $0 \le \tau(t) \le \tau$; $\tilde{f}_1(x_i(t)) = (\tilde{f}_{11}(x_{i1}(t)), \ldots, \tilde{f}_{1n}(x_{in}(t)))^T \in \mathbb{R}^n$, $\tilde{f}_2(x_i(t-\tau(t))) = (\tilde{f}_{21}(x_{i1}(t-\tau(t))), \ldots, \tilde{f}_{2n}(x_{in}(t-\tau(t))))^T \in \mathbb{R}^n$; $\upsilon > 0$ denotes the coupling strength; $\Gamma = \mathrm{diag}\{\gamma_1, \gamma_2, \ldots, \gamma_n\}$ with $\gamma_i > 0$ $(i = 1, 2, \ldots, n)$ is the inner coupling matrix; $A = [a_{ij}]_{N\times N}$ is the coupling matrix, where $a_{ij}$ is defined as follows: if there is a connection from node j to node i $(i \ne j)$, then $a_{ij} = a_{ji} > 0$; otherwise $a_{ij} = 0$; for $i = j$, $a_{ij}$ is defined as follows:

$$a_{ii} = -\sum_{j=1,\, j\ne i}^{N} a_{ij}.$$


We assume that the nonlinear dynamical network in (1) can be forced to the following isolated node $s(t)$:

$$\dot{s}(t) = -Cs(t) + B\tilde{f}_1(s(t)) + D\tilde{f}_2(s(t-\tau(t))) \tag{2}$$

Let $e_i(t) = x_i(t) - s(t)$; then the following error dynamical system can be obtained:

$$\dot{e}_i(t) = -Ce_i(t) + Bf_1(e_i(t)) + Df_2(e_i(t-\tau(t))) + \upsilon\sum_{j=1}^{N} a_{ij}\Gamma e_j(t), \tag{3}$$

where $f_1(e_i(t)) = \tilde{f}_1(x_i(t)) - \tilde{f}_1(s(t))$ and $f_2(e_i(t)) = \tilde{f}_2(x_i(t)) - \tilde{f}_2(s(t))$. Considering the heterogeneous impulsive effects in system (1) or (3), we have the following model:

$$\begin{cases} \dot{e}_i(t) = -Ce_i(t) + Bf_1(e_i(t)) + Df_2(e_i(t-\tau(t))) + \upsilon\sum_{j=1}^{N} a_{ij}\Gamma e_j(t), & t \ne t_k,\ k \in \mathbb{N}_+ \\ e_i(t_k^+) = e_i(t_k^-) + \mu_{ik}e_i(t_k^-), \end{cases} \tag{4}$$

where μik are constants which denote the impulsive strength; the impulsive instant − sequence {tk }∞ k=1 satisfies 0 < t1 < t2 0, T0 > 0 and θ > 0 such that ei (t) = xi (t) − s(t) ≤ θ e−λ(t−t0 ) , i = 1, 2, . . . , N,

(6)

hold for all $t > T_0$.

Lemma 1 (Liu et al. 2008). Let $x, y \in \mathbb{R}^n$, $Q \in \mathbb{R}^{n\times n}$ be a positive semidefinite matrix, then the following inequality holds

$$2x^TQy \le x^TQx + y^TQy, \tag{7}$$

Lemma 2 (Schur complement, Boyd et al. 1994). The following linear matrix inequality

$$\begin{bmatrix} Q(x) & S(x) \\ S^T(x) & R(x) \end{bmatrix} > 0,$$

where $Q(x) = Q^T(x)$, $R(x) = R^T(x)$, is equivalent to either of the following conditions
(1) $Q(x) > 0$, $R(x) - S^T(x)Q(x)^{-1}S(x) > 0$;
(2) $R(x) > 0$, $Q(x) - S^T(x)R(x)^{-1}S(x) > 0$.

Lemma 3 (Yang and Xu 2007). Let $0 \le \tau_i(t) \le \tau$. $F(t, u, \bar{u}_1, \bar{u}_2, \ldots, \bar{u}_m) : \mathbb{R}_+ \times \underbrace{\mathbb{R} \times \cdots \times \mathbb{R}}_{m+1} \to \mathbb{R}$ be nondecreasing in $\bar{u}_i$ for each fixed $(t, u, \bar{u}_1, \ldots, \bar{u}_{i-1}, \bar{u}_{i+1}, \ldots, \bar{u}_m)$, $i = 1, 2, \ldots, m$, and $I_k(u) : \mathbb{R} \to \mathbb{R}$ be nondecreasing in $u$. Suppose that

$$\begin{cases} D^+u(t) \le F(t, u(t), u(t-\tau_1(t)), \ldots, u(t-\tau_m(t))), \\ u(t_k^+) \le I_k(u(t_k^-)), \quad k \in \mathbb{N}_+, \end{cases}$$

and

$$\begin{cases} D^+v(t) > F(t, v(t), v(t-\tau_1(t)), \ldots, v(t-\tau_m(t))), \\ v(t_k^+) \ge I_k(v(t_k^-)), \quad k \in \mathbb{N}_+, \end{cases}$$

where the upper-right Dini derivative $D^+y(t)$ is defined as $D^+y(t) = \lim_{h\to 0^+}(y(t+h) - y(t))/h$. Then $u(t) \le v(t)$ for $-\tau \le t \le 0$ implies that $u(t) \le v(t)$ for $t \ge 0$.

Lemma 4. Assume that $\Omega$, $X_1$ and $X_2$ are constant matrices with appropriate dimensions, $0 \le \rho(t) \le 1$, then

$$\begin{cases} \Omega + X_1 < 0 \\ \Omega + X_2 < 0 \end{cases} \tag{8}$$

is equivalent to

$$\Omega + (1-\rho(t))X_1 + \rho(t)X_2 < 0. \tag{9}$$

Proof. (Sufficiency). From (8), one has $(1-\rho(t))\Omega + (1-\rho(t))X_1 < 0$ and $\rho(t)\Omega + \rho(t)X_2 < 0$ and hence (9) holds. (Necessity). Letting $\rho(t) = 1$ and $\rho(t) = 0$ in (9) respectively, we can get that (8) holds.

Assumption 5. $\sigma_1 \le t_k - t_{k-1} \le \sigma_2$, where $\sigma_1$ and $\sigma_2$ are two positive scalars.

Assumption 6. The nonlinearities $\tilde{f}_1(\cdot,\cdot,\cdot)$ and $\tilde{f}_2(\cdot,\cdot,\cdot)$ with $\tilde{f}_1(0) = \tilde{f}_2(0) = 0$ satisfy the following Lipschitz condition

$$\|\tilde{f}_1(x) - \tilde{f}_1(y)\| \le l_1\|x - y\|, \quad \|\tilde{f}_2(x) - \tilde{f}_2(y)\| \le l_2\|x - y\|, \tag{10}$$

$\forall x, y \in \mathbb{R}^n$, where $l_1$ and $l_2$ are positive constants.

3 Synchronization of Nonlinear Dynamical Networks with Heterogeneous Impulses

In this section, the exponential synchronization of nonlinear dynamical networks with heterogeneous impulsive effects is investigated by using a time-dependent Lyapunov function and the comparison principle.

Theorem 1. Consider the nonlinear dynamical network (5) with heterogeneous impulsive effects. Suppose that Assumptions 5 and 6 hold. If for a prescribed positive scalar $\mu \in (0, 1)$, there exist positive definite matrices $P_1, P_2 \in \mathbb{R}^{nN\times nN}$, and three positive scalars $\lambda_1$, $\eta$ and $\zeta$ such that the following inequalities hold:

$$P_m \le \lambda_1 I_{nN}, \tag{11}$$

$$-2P_mC + 2P_mA + \lambda_1\|D\|l_2 + 2\lambda_1\|B\|l_1 - \eta P_m + \frac{P_1 - P_2}{\sigma_h} < 0, \tag{12}$$

$$\lambda_1\|D\|l_2 - \zeta P_m < 0, \tag{13}$$

−μP1 Tk P2 < 0, P2 k −P2 (14)

$$\eta + \frac{\ln\mu}{\sigma_2} + \frac{1}{\mu}\zeta < 0, \tag{15}$$

$m, h = 1, 2$. Then the nonlinear dynamical network in (1) or (5) is exponentially synchronized to the objective state $s(t)$.

Proof. Let $\rho(t) = \frac{t_k - t}{t_k - t_{k-1}}$, $t \in [t_{k-1}, t_k)$. Then we consider the following Lyapunov function:

$$V(t) = e^T(t)\big((1-\rho(t))P_1 + \rho(t)P_2\big)e(t), \tag{16}$$

where $P_1, P_2 \in \mathbb{R}^{nN\times nN}$ with $P_1 \ne P_2$ are two positive definite matrices. Let $P(t) = (1-\rho(t))P_1 + \rho(t)P_2$. Taking the derivative of $V(t)$ along the trajectory of the nonlinear dynamical network (5), it yields, for $t \in [t_{k-1}, t_k)$,

$$D^+V(t) = 2e^T(t)P(t)\big[-Ce(t) + Bf_1(e(t)) + Df_2(e(t-\tau(t))) + Ae(t)\big] + e^T(t)\dot{P}(t)e(t). \tag{17}$$

In view of Lemma 1, (11) and Assumption 6, the following inequalities can be obtained:

$$2e^T(t)P(t)Bf_1(e(t)) \le 2\lambda_1\|e(t)\|\sqrt{\|Bf_1(e(t))\|^2} \le 2\lambda_1 l_1\|B\|e^T(t)e(t), \tag{18}$$

$$\begin{aligned} 2e^T(t)P(t)Df_2(e(t-\tau(t))) &\le 2\lambda_1\sqrt{\|e(t)\|^2}\sqrt{\|Df_2(e(t-\tau(t)))\|^2} \\ &\le 2\lambda_1\|D\|l_2\sqrt{\|e(t)\|^2}\sqrt{\|e(t-\tau(t))\|^2} \\ &\le \lambda_1\|D\|l_2 e^T(t)e(t) + \lambda_1\|D\|l_2 e^T(t-\tau(t))e(t-\tau(t)). \end{aligned} \tag{19}$$

From (17) to (19), we have for $t \in [t_{k-1}, t_k)$

$$\begin{aligned} D^+V(t) \le{}& e^T(t)\big[-2P(t)C + 2P(t)A + \lambda_1\|D\|l_2 + 2\lambda_1 l_1\|B\| - \eta P(t) + \dot{P}(t)\big]e(t) \\ &+ e^T(t-\tau(t))\big[\lambda_1\|D\|l_2 - \zeta P(t-\tau(t))\big]e(t-\tau(t)) + \eta V(t) + \zeta V(t-\tau(t)). \end{aligned} \tag{20}$$

From the definition of $P(t)$, we have

$$\dot{P}(t) = \frac{P_1}{t_k - t_{k-1}} - \frac{P_2}{t_k - t_{k-1}} = \frac{1}{t_k - t_{k-1}}(P_1 - P_2). \tag{21}$$

In view of Assumption 5, one has

$$\frac{1}{\sigma_2} \le \frac{1}{t_k - t_{k-1}} \le \frac{1}{\sigma_1}. \tag{22}$$

Then, there exists a function $\alpha(t) : (0, +\infty] \to [0, 1]$ such that

$$\frac{1}{t_k - t_{k-1}} = (1-\alpha(t))\frac{1}{\sigma_1} + \alpha(t)\frac{1}{\sigma_2}. \tag{23}$$

From (20), (21), (22), and (23), we have:

$$\begin{aligned} &-2P(t)C + 2P(t)A + 2\lambda_1 l_1\|B\| + \lambda_1\|D\|l_2 - \eta P(t) + \dot{P}(t) \\ &\quad = 2\lambda_1 l_1\|B\| + \lambda_1\|D\|l_2 + (1-\rho(t))\big[-2P_1C + 2P_1A - \eta P_1\big] \\ &\qquad + \rho(t)\big[-2P_2C + 2P_2A - \eta P_2\big] + \alpha(t)\frac{P_1 - P_2}{\sigma_2} + (1-\alpha(t))\frac{P_1 - P_2}{\sigma_1}. \end{aligned} \tag{24}$$


From Lemma 4, we know that (12) < 0 is equivalent to

$$2\lambda_1 l_1\|B\| + \lambda_1\|D\|l_2 - 2P_mC + 2P_mA - \eta P_m + \alpha(t)\frac{P_1 - P_2}{\sigma_2} + (1-\alpha(t))\frac{P_1 - P_2}{\sigma_1} < 0, \quad m = 1, 2,$$

which is also equivalent to

$$2\lambda_1 l_1\|B\| + \lambda_1\|D\|l_2 + (1-\rho(t))\big[-2P_1C + 2P_1A - \eta P_1\big] + \rho(t)\big[-2P_2C + 2P_2A - \eta P_2\big] + \alpha(t)\frac{P_1 - P_2}{\sigma_2} + (1-\alpha(t))\frac{P_1 - P_2}{\sigma_1} < 0.$$

Then, we have (24) < 0 and similarly, from (13),

$$\lambda_1\|D\|l_2 - \zeta P(t-\tau(t)) < 0. \tag{25}$$

From (20), (24), and (25), we have for $t \in [t_{k-1}, t_k)$,

$$D^+V(t) \le \eta V(t) + \zeta V(t-\tau(t)). \tag{26}$$

From the definition of ρ(t), we know that ρ(tk ) = ρ(tk+ ) = 1, ρ(tk− ) = 0 and therefore V (tk ) = eT (tk )P2 e(tk ), V (tk− ) = eT (tk− )P1 e(tk− ). Pre-and postmultiplying (14) by diag{eT (tk− ), InN } and its transpose, respectively, we have

−μeT (tk− )P1 e(tk− ) eT (tk− ) Tk P2 < 0. P2 k e(tk− ) −P2 Note that V (tk− ) = eT (tk− )P1 e(tk− ), we have −μV (tk− ) eT (tk− ) Tk P2 < 0. P2 k e(tk− ) −P2



(27)

From the second equation of (5) and using the fact V (tk ) = eT (tk )P2 e(tk ), we have V (tk ) = eT (tk )P2 e(tk ) = eT (tk− ) Tk P2 k e(tk− ).

(28)

From (27) and (28) and using Lemma 2, we have V (tk ) < μV (tk− ).

(29)


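For any $\varepsilon > 0$, let $v(t)$ be a unique solution of the impulsive delay system:

$$\begin{cases} \dot{v}(t) = \eta V(t) + \zeta V(t-\tau(t)), & t \ne t_k \\ v(t_k^+) = \mu v(t_k^-), & t = t_k \\ v(t) = V(t), & t_0 - \tau \le t \le t_0. \end{cases} \tag{30}$$

Then it follows from Lemma 3 that

$$V(t) \le v(t), \quad t \ge 0. \tag{31}$$

By the formula for the variation of parameters, it follows from (30) that

$$v(t) = W(t, 0)v(0) + \int_0^t W(t, s)\big[\zeta v(s-\tau(s)) + \varepsilon\big]ds, \tag{32}$$

where $W(t, s)$, $t, s \ge 0$, is the Cauchy matrix of the linear system

$$\begin{cases} \dot{v}(t) = \eta v(t), & t \ne t_k \\ v(t_k^+) = \mu v(t_k^-), & t = t_k,\ k \in \mathbb{N}_+. \end{cases} \tag{33}$$

According to the representation of the Cauchy matrix, the following estimation can be obtained:

$$W(t, s) = e^{\eta(t-s)}\prod_{s \le t_k \le t}\mu. \tag{34}$$

Then it follows from (34) and Assumption 5 that

$$W(t, s) \le e^{\eta(t-s)}\mu^{\frac{t-s}{\sigma_2}-1} = \mu^{-1}e^{\eta(t-s)}e^{\frac{\ln\mu}{\sigma_2}(t-s)} = \frac{1}{\mu}e^{\left(\eta + \frac{\ln\mu}{\sigma_2}\right)(t-s)}. \tag{35}$$

Let $\varsigma = \lambda_1\frac{1}{\mu}\sup_{-\tau \le s \le 0}\Phi^T(s)\Phi(s)$. Let $\beta = -\left(\eta + \frac{\ln\mu}{\sigma_2}\right)$. Then, it can be derived from (32) and (35) that

$$v(t) \le \varsigma e^{-\beta t} + \int_0^t \frac{1}{\mu}e^{-\beta(t-s)}\big[\zeta v(s-\tau(s)) + \varepsilon\big]ds. \tag{36}$$

Define $h(\nu) = \nu - \beta + \frac{1}{\mu}\zeta e^{\nu\tau}$. It follows from (15) that $h(0) < 0$. Since $h(+\infty) = +\infty$ and $\dot{h}(\nu) > 0$, there exists a unique $\lambda > 0$ such that

$$\lambda - \beta + \frac{1}{\mu}\zeta e^{\lambda\tau} = 0. \tag{37}$$

On the other hand, it follows from (15) that $\mu\beta - \zeta > 0$ and therefore

$$v(t) \le \varsigma < \varsigma e^{-\lambda t} + \frac{\varepsilon}{\mu\beta - \zeta}, \quad -\tau \le t \le 0. \tag{38}$$

In the following, we shall prove that

$$v(t) < \varsigma e^{-\lambda t} + \frac{\varepsilon}{\mu\beta - \zeta}, \quad t \ge 0. \tag{39}$$

If it is not true, then there exists a $t^* > 0$ such that

$$v(t^*) \ge \varsigma e^{-\lambda t^*} + \frac{\varepsilon}{\mu\beta - \zeta}, \tag{40}$$

and

$$v(t) < \varsigma e^{-\lambda t} + \frac{\varepsilon}{\mu\beta - \zeta}, \quad t < t^*. \tag{41}$$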

From (36) and (41), we have ∗



t

1 −β(t ∗ −s) e [ζ v(s − τ (s)) + ε]ds 0 μ ε ∗

σ2 σ2 P1 −μ(1−ln μ)P1 σ2

2 > 0, which means that at least one term of lnσ2μ Pm + P1σ−P h in (51) is larger than 0. Hence, if all the nodes are subjected to desynchronizing impulsive effects, in order to compensate the desynchronizing impulsive effects in the networks, the impulses-free dynamical networks have to be synchronized, which confirms the results in Lu et al. (2011).

Fig. 1 Dynamics of the isolated node s(t) (axes: s1, s2)

4 Numerical Example

In this section, an example is given to illustrate the effectiveness of the main results obtained in this chapter.

Example 1. Consider the following system as the isolated node in the dynamical network:

$$\dot{s}(t) = -Cs(t) + B\tilde{f}_1(s(t)) + D\tilde{f}_2(s(t-\tau(t)))$$

with

$$C = \begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix}, \quad B = \begin{bmatrix} 2 & -0.1 \\ -5 & 3.2 \end{bmatrix}, \quad D = \begin{bmatrix} -1.6 & -0.1 \\ -0.26 & -2.5 \end{bmatrix}$$

and $\tau(t) = e^t/(1+e^t)$, and $\tilde{f}_1(x(t)) = \tilde{f}_2(x(t)) = (\tanh(x_1(t)), \tanh(x_2(t)))^T$. Then we can get $l_1 = l_2 = 1$. The single model $\dot{s}(t) = -Cs(t) + B\tilde{f}_1(s(t)) + D\tilde{f}_2(s(t-\tau(t)))$ has a chaotic attractor as shown in Fig. 1. We consider a globally coupled network with 10 nodes and the coupling matrix is given as:

$$\begin{bmatrix} -9 & 1 & 1 & \cdots & 1 \\ 1 & -9 & 1 & \cdots & 1 \\ \vdots & & & \ddots & \vdots \\ 1 & 1 & 1 & \cdots & 1 \\ 1 & 1 & 1 & \cdots & -9 \end{bmatrix}_{10\times 10}$$

Fig. 2 Synchronization error of xi1(t) − s1(t) of the complex network (4) (curves xi1(t), xi2(t) plotted against t)

Fig. 3 Synchronization error of xi2(t) − s2(t) of the complex network (4) (curves ei1(t), ei2(t) plotted against t)

Let $\upsilon = 1$ and $\Gamma = \mathrm{diag}\{1, 1\}$. Assume that $\mu_{ik} = -0.6$ for $i \le 8$ and $\mu_{ik} = 0.5$ for $i = 9, 10$. Letting $\mu = 0.9 \in (0, 1)$ and solving (11), (12), (13), (14), and (15), we get $0.1517 < t_k - t_{k-1} < 0.3229$. Then we choose $t_k - t_{k-1} = 0.2$. The state trajectories and synchronization errors of the nonlinear dynamical network in (1) are depicted in Figs. 2 and 3, respectively. From these figures, we can see that the nonlinear dynamical network in (1) with heterogeneous impulses can be synchronized to the isolated node well.

In this chapter, the criteria are in the form of linear matrix inequalities (LMIs). Obviously, when the node number increases, the size of the LMIs grows accordingly. Although LMI optimization is a very active research area in the applied mathematics, optimization, and operations research communities, LMIs have their limitations when dealing with large-scale networks. For instance, problems with a thousand design variables typically take over an hour on today's workstations (Wang et al. 2010). In this chapter, if the network size is very large (such as 100 nodes), it will take over an hour on one's personal computer. However, substantial speedups can be expected in the future and the results in this chapter can be easily extended to large-scale networks.
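The simulation below is an added example, not code from the chapter: it integrates the 10-node network of Example 1 with forward Euler and applies the impulses $e_i(t_k^+) = (1 + \mu_{ik})e_i(t_k^-)$ every 0.2 time units. The step size, the constant initial history on $[-1, 0]$ and the initial node states are assumptions chosen here for illustration.

```python
import math

# Matrices of Example 1 as read from the text (C = I is folded into drift()).
B = ((2.0, -0.1), (-5.0, 3.2))
D = ((-1.6, -0.1), (-0.26, -2.5))
N = 10                        # globally coupled: a_ij = 1 (i != j), a_ii = -9
UPSILON = 1.0                 # coupling strength, with Gamma = diag{1, 1}
MU = [-0.6] * 8 + [0.5] * 2   # impulsive strengths mu_ik, nodes 1-8 and 9-10
GAP = 0.2                     # impulse interval t_k - t_{k-1}


def tau(t):
    """Time-varying delay tau(t) = e^t / (1 + e^t), bounded by 1."""
    return 1.0 / (1.0 + math.exp(-t))


def drift(x, xd):
    """-C x + B tanh(x) + D tanh(x(t - tau(t))) for one node, with C = I."""
    f1 = (math.tanh(x[0]), math.tanh(x[1]))
    f2 = (math.tanh(xd[0]), math.tanh(xd[1]))
    return tuple(-x[r] + B[r][0] * f1[0] + B[r][1] * f1[1]
                 + D[r][0] * f2[0] + D[r][1] * f2[1] for r in range(2))


def max_error(s, xs):
    """Largest synchronization error max_i ||x_i - s||."""
    return max(math.hypot(x[0] - s[0], x[1] - s[1]) for x in xs)


def simulate(t_end=20.0, dt=0.002, impulses=True):
    """Forward-Euler run; returns [(t, max_i ||x_i(t) - s(t)||), ...]."""
    # Constructed initial data (assumption): constant history for t <= 0.
    s = (0.4, 0.6)
    xs = [(-3.0 + 0.7 * i, 3.0 - 0.6 * i) for i in range(N)]
    hist = [(s, xs)]                      # hist[n] = state at step n
    per_gap = round(GAP / dt)             # Euler steps between impulses
    trace = [(0.0, max_error(s, xs))]
    for n in range(round(t_end / dt)):
        # Delayed state; times before 0 fall back to the initial history.
        lag = max(0, n - round(tau(n * dt) / dt))
        s_d, xs_d = hist[lag]
        total = (sum(x[0] for x in xs), sum(x[1] for x in xs))
        ds = drift(s, s_d)
        s_new = (s[0] + dt * ds[0], s[1] + dt * ds[1])
        xs_new = []
        for i in range(N):
            dx = drift(xs[i], xs_d[i])
            # sum_j a_ij x_j = total - N * x_i for this coupling matrix
            xs_new.append(tuple(
                xs[i][r] + dt * (dx[r] + UPSILON * (total[r] - N * xs[i][r]))
                for r in range(2)))
        s, xs = s_new, xs_new
        if impulses and (n + 1) % per_gap == 0:
            # Impulse on the error, written in terms of x_i = s + e_i.
            xs = [tuple(s[r] + (1.0 + MU[i]) * (xs[i][r] - s[r])
                        for r in range(2)) for i in range(N)]
        hist.append((s, xs))
        trace.append(((n + 1) * dt, max_error(s, xs)))
    return trace


if __name__ == "__main__":
    for t, err in simulate()[::1000]:
        print(f"t = {t:5.1f}   max error = {err:.3e}")
```

Calling `simulate(impulses=False)` runs the same network with the impulses switched off, so the two error traces can be compared.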

5 Conclusion

In this chapter, we have investigated the synchronization problem for a class of nonlinear delayed dynamical networks with heterogeneous impulses. The proposed heterogeneous impulses are heterogeneous in both the time and space domains, namely, the impulsive effects not only vary across the network, but are also distinct at different impulsive instants. Thus, the heterogeneous impulses can generalize time-varying impulses and nonidentical impulses. In addition, desynchronizing, synchronizing and inactive impulses can also be taken into account in nonidentical impulses at the same time, which is similar to time-varying impulses. By means of a time-dependent Lyapunov function and the comparison principle, sufficient synchronization criteria are obtained such that the proposed nonlinear delayed dynamical networks with heterogeneous impulses can be synchronized to a desired state. Finally, the simulation results confirm the effectiveness of the theoretical results.

References S. Boyd, L.E. Ghaoui, V. Balakrishnan, Linear matrix inequalities in system and control theory (SIAM, Philadelphia, 1994) J. Cao, L. Li, Cluster synchronization in an array of hybrid coupled neural networks with delay. Neural Netw. 22, 335–342 (2009) J. Cao, D.W.C. Ho, Y. Yang, Projective synchronization of a class of delayed chaotic systems via impulsive control. Phys. Lett. A 373, 3128–3133 (2009) T.P. Chen, Volatility modelling with heterogeneous impulse response function: introducing nonparametric jumps into the Fiegarch model. http://ssrn.com/abstract=1342785 W. Chen, D. Wei, W. Zheng, Delayed impulsive control of Takagi-Sugeno fuzzy delay systems. IEEE Trans. Fuzzy Syst 21, 516–526 (2013) Y. Chen, W. Yu, F. Li, S. Feng, Synchronization of complex networks with impulsive control and disconnected topology. IEEE Trans. Circuits Syst. II Exp. Briefs 60, 292–296 (2013) Z. Guan, Z. Liu, G. Feng, Y. Wang, Synchronization of complex dynamical networks with timevarying delays via impulsive distributed control. IEEE Trans. Circuits Syst. I Regul. Pap. 57, 2182–2195 (2010) W. He, F. Qian, Q. Han, J. Cao, Lag quasi-synchronization of coupled delayed systems with parameter mismatch. IEEE Trans. Circuits Syst. I Regul. Pap. 58, 1345–1357 (2011) C. Hu, H. Jiang, Z. Teng, Impulsive control and synchronization for delayed neural networks with reaction-diffusion terms. IEEE Trans. Neural Netw. 21, 67–81 (2010) C. Li, G. Feng, T. Huang, On hybrid impulsive and switching neural networks. IEEE Trans. Syst. Man Cybern. Part B Cybern. 38, 1549–1560 (2008)


Z. Li, Z. Duan, G. Chen, L. Huang, Consensus of multiagent systems and synchronization of complex networks: a unified viewpoint. IEEE Trans. Circuits Syst. I Regul. Pap. 57, 213–224 (2010) B. Liu, X. Liu, G. Chen, H. Wang, Robust impulsive synchronization of uncertain dynamical networks. IEEE Trans. Circuits Syst. I Regul. Pap. 52, 1431–1441 (2005) Y. Liu, Z. Wang, J. Liang, X. Liu, Synchronization and state estimation for discrete-time complex networks with distributed delays. IEEE Trans. Syst. Man Cybern. Part B Cybern. 38, 1314–1325 (2008) Y. Liu, Z. Wang, J. Liang, X. Liu, Synchronization of coupled neutral-type neural networks with jumping-mode-dependent discrete and unbounded distributed delays. IEEE Trans. Cybern. 43, 102–114 (2013) C. Lorand, P.H. Bauer, On synchronization errors in networked feedback systems. IEEE Trans. Circuits Syst. I Regul. Pap. 53, 2306–2317 (2006) J. Lu, D.W.C. Ho, J. Cao, A unified synchronization criterion for impulsive dynamical networks. Automatica 46(7), 1215–1221 (2010) J. Lu, D.W.C. Ho, J. Cao, J. Kurths, Exponential synchronization of linearly coupled neural networks with impulsive disturbances. IEEE Trans. Neural Netw. 22(2), 169–175 (2011) J. Lu, Z. Wang, J. Cao, D. Ho, J. Kurths, Pinning impulsive stabilization of nonlinear dynamical networks with time-varying delay. Int. J. Bifurcation Chaos 52, 1250176 (2012a) J. Lu, J. Kurths, J. Cao, N. Mahdavi, C. Huang, Synchronization control for nonlinear stochastic dynamical networks: pinning impulsive strategy. IEEE Trans. Neural Netw. Learn. Syst. 23, 285–292 (2012b) E. Nuño, R. Ortega, L. Basañez, D. Hill, Synchronization of networks of nonidentical eulerlagrange systems with uncertain parameters and communication delays. IEEE Trans. Autom. Control 56, 935–943 (2011) L. Pan, J. Cao, Exponential synchronization for impulsive dynamical networks. Discret. Dyn. Nat. Soc. 2012, 232794 (2012) R. Saber, R. 
Murray, Consensus problems in networks of agents with switching topology and timedelays. IEEE Trans. Autom. Control 49, 1520–1533 (2004) Q. Song, J. Cao, Impulsive effects on stability of fuzzy cohencgrossberg neural networks with time-varying delays. IEEE Trans. Syst. Man Cybern. Part B Cybern. 37, 733–741 (2007) Y. Tang, W.K. Wong, Distributed synchronization of coupled neural networks via randomly occurring control. IEEE Trans. Neural Netw. Learn. Syst. 24, 435–447 (2013) Y. Tang, H. Gao, W. Zou, J. Kurths, Distributed synchronization in networks of agent systems with nonlinearities and random switchings. IEEE Trans. Cybern. 43, 358–370 (2013) Z. Wang, Y. Wang, Y. Liu, Global synchronization for discrete-time stochastic complex networks with randomly occurred nonlinearities and mixed time delays. IEEE Trans. Neural Netw. 21, 11–25 (2010) Z. Wang, Z. Duan, J. Cao, Impulsive synchronization of coupled dynamical networks with nonidentical duffing oscillators and coupling delays. Chaos 22, 013140 (2012) W.K. Wong, W. Zhang, Y. Tang, X. Wu, Stochastic synchronization of complex networks with mixed impulses. IEEE Trans. Circuits Syst. I Regul. Pap. 60, 2657–2667 (2013) Z. Wu, P. Shi, H. Su, J. Chu, Sampled-data synchronization of chaotic lure systems with time delays. IEEE Trans. Neural Netw. Learn. Syst. 38, 410–421 (2013) H. Xu, K.L. Teo, X. Liu, Robust stability analysis of guaranteed cost control for impulsive switched systems. IEEE Trans. Syst. Man Cybern. Part B Cybern. 38, 1419–1422 (2008) Z. Yang, D. Xu, Stability analysis and design of impulsive control systems with time delay. IEEE Trans. Autom. Control 52, 1448–1454 (2007) Y. Yang, J. Cao, Exponential synchronization of the complex dynamical networks with a coupling delay and impulsive effects. Nonlinear Anal. Real World Appl. 11, 1650–1659 (2010) X. Yang, J. Cao, J. Lu, Stochastic synchronization of complex networks with nonidentical nodes via hybrid adaptive and impulsive control. IEEE Trans. 
Circuits Syst. I Regul. Pap. 59, 371–384 (2012)


X. Yang, J. Cao, J. Lu, Synchronization of randomly coupled neural networks with Markovian jumping and time-delay. IEEE Trans. Circuits Syst. I Regul. Pap. 60, 363–376 (2013) W. Yu, G. Chen, W. Ren, J. Kurths, W. Zheng, Distributed higher order consensus protocols in multiagent dynamical systems. IEEE Trans. Circuits Syst. I Regul. Pap. 58, 1924–1932 (2011) Y. Zhang, Q. Han, Network-based synchronization of delayed neural networks. IEEE Trans. Circuits Syst. I Regul. Pap. 60, 676–689 (2013) G. Zhang, Z. Liu, Z. Ma, Synchronization of complex dynamical networks via impulsive control. Chaos 17, 043126 (2007) H. Zhang, T. Ma, G. Huang, Z. Wang, Robust global exponential synchronization of uncertain chaotic delayed neural networks via dual-stage impulsive control. IEEE Trans. Syst. Man Cybern. Part B Cybern. 40, 831–844 (2010) W. Zhang, Y. Tang, J. Fang, X. Wu, Stability of delayed neural networks with time-varying impulses. Neural Netw. 36, 59–64 (2012) W. Zhang, Y. Tang, Q. Miao, W. Du, Exponential synchronization of coupled switched neural networks with mode-dependent impulsive effects. IEEE Trans. Neural Netw. Learn. Syst. 24, 1316–1326 (2013) J. Zhao, D.J. Hill, T. Liu, Stability of dynamical networks with non-identical nodes: a multiple v-lyapunov function method. Automatica 47, 2615–2625 (2011a) J. Zhao, D.J. Hill, T. Liu, Synchronization of dynamical networks with nonidentical nodes: criteria and control. IEEE Trans. Circuits Syst. I Regul. Pap. 58, 584–594 (2011b) J. Zhou, T. Chen, Synchronization in general complex delayed dynamical networks. IEEE Trans. Circuits Syst. I Regul. Pap. 53, 733–744 (2006) Z. Zhu, H. Hu, Robust synchronization by time-varying impulsive control. IEEE Trans. Circuits Syst. II Exp. Briefs 57, 735–739 (2010) J. Zhu, J. Lu, X. Yu, Flocking of multi-agent non-holonomic systems with proximity graphs. IEEE Trans. Circuits Syst. I Regul. Pap. 60, 199–210 (2013)

39 Adaptive Consensus of Multiple Lagrangian Systems

Jie Mei

Contents
1 Introduction
2 Background
3 Consensus of Multiple Lagrangian Systems Under a Directed Graph with Full Information
4 Consensus of Multiple Lagrangian Systems Under a Directed Graph Without Relative Velocity Information
5 Conclusions
References

Abstract Multi-agent systems have received a lot of attention in recent years due to their broad applications in unmanned aerial vehicles, autonomous robots, and sensor networks. One important focus is the agent dynamics. Here, we focus on more realistic Lagrangian models, which can be used to represent a lot of physical systems. We study the leaderless consensus problem for multiple Lagrangian systems in the presence of parametric uncertainties under a general directed graph. We consider the cases with full relative information and without relative velocity information. In both cases, we first propose a control algorithm to make the agents achieve consensus. Then by introducing an integral term in the auxiliary variable design, we derive the final consensus equilibrium. We show that this equilibrium is dependent on the interactive topology and the initial positions of the agents. A Lyapunov-based method and the input-to-state stability theory are used for the convergence analysis.

J. Mei, Harbin Institute of Technology, Shenzhen, Guangdong, China
© Springer Nature Singapore Pte Ltd. 2022. Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_23

1 Introduction

Due to the broad applications in sensor networks, unmanned aerial vehicles, and multiple autonomous robots, distributed coordination of multi-agent systems has attracted considerable attention in recent years. In the study of multi-agent systems, one basic research problem is the leaderless consensus problem, where each agent updates its own state using the interactive information from its neighboring agents. In this way, the group of agents achieves a common value of interest. Recently, the leaderless consensus problem has been studied for multi-agent systems with various agent dynamics, including single or double integrators (Olfati-Saber et al. 2007; Ren et al. 2007; Mei et al. 2016), general linear systems (Li and Duan 2010; Scardovi and Sepulchre 2009), unicycles (Sepulchre et al. 2008), and general nonlinear systems (Mei et al. 2015).

As a special case of nonlinear systems, Lagrangian systems can be used to represent a large class of mechanical systems including robotic manipulators, autonomous vehicles, and rigid bodies, and distributed coordination for multiple Lagrangian systems has drawn a lot of attention. Recent works include the leaderless consensus problem (Ren 2009; Cheng et al. 2008a; Wang 2013, 2014; Mei 2015, 2017; Nuno et al. 2011), the coordinated tracking problem with one single leader (Nuno et al. 2011; Cheng et al. 2008b; Hokayem et al. 2009; Mei et al. 2011), and the containment control problem with multiple leaders (Meng et al. 2010; Mei et al. 2012, 2013). In Ren (2009) and Cheng et al. (2008a), the authors study the leaderless consensus problem for multiple Lagrangian systems under an undirected graph. A Lyapunov-based method is proposed by exploiting the symmetry property of the undirected graph. The requirement of undirected graphs might not be practical in a realistic network, where the sensors may have different communication/sensing abilities. Instead, it is more reasonable to consider general directed graphs.

Because the matrices associated with directed graphs are not symmetric, it is difficult to solve the problem by following the idea used for undirected graphs. A common method is to introduce distributed sliding variables (Wang 2013, 2014; Mei 2015; Nuno et al. 2011; Mei et al. 2012, 2013), where the control algorithms are first designed for the agents such that the agent states converge to the designed sliding surfaces. On the sliding surfaces, the agents then achieve consensus asymptotically.

In this work, we summarize our recent works on the leaderless consensus of multiple Lagrangian systems under a general directed graph in the presence of parametric uncertainties, which have been reported in Mei (2015, 2017), and Mei et al. (2012, 2013). Specifically, we first consider the case with full relative information, where we propose a control algorithm to make the agents achieve consensus following the idea of sliding mode control. The consensus convergence is analyzed via Lyapunov stability and input-to-state stability theories. It is first shown that the agent states converge to the designed sliding surface. Then by introducing a proper matrix, the consensus problem is converted to an input-to-state stability problem. By introducing an integral term in the auxiliary variable design, we derive the final consensus equilibrium. We show that this equilibrium is dependent on the interactive topology and the initial positions of the agents.

We then consider the case without relative velocity information, which is motivated by the fact that relative velocity measurements are generally more difficult to obtain than relative position measurements. Even when the agents can measure their absolute velocities, communicating the velocity measurements between neighbors requires the agents to be equipped with communication equipment and raises the communication burden. Due to the lack of information, the control gains in the algorithms vary according to distributed updating laws.

Notations: Let $1_m$ and $0_m$ denote, respectively, the $m \times 1$ column vectors of all ones and all zeros. Let $0_{m \times n}$ denote the $m \times n$ matrix with all zeros and $I_m$ denote the $m \times m$ identity matrix. Let $\mathrm{diag}(z_1, \ldots, z_p)$ be the diagonal matrix with diagonal entries $z_1$ to $z_p$. For a vector function $f(t): \mathbb{R} \to \mathbb{R}^m$, it is said that $f(t) \in \mathcal{L}_l$ if $\left(\int_0^\infty \|f(\tau)\|^l \, d\tau\right)^{1/l} < \infty$ and $f(t) \in \mathcal{L}_\infty$ if for each element of $f(t)$, denoted as $f_i(t)$, $\sup_{t \ge 0} |f_i(t)| < \infty$, $i = 1, \ldots, m$. Throughout the paper, we use $\|\cdot\|$ to denote the Euclidean norm.

2 Background

A. Euler-Lagrange System

The agents are represented by Euler-Lagrange equations of the form

$$M_i(q_i)\ddot{q}_i + C_i(q_i, \dot{q}_i)\dot{q}_i + g_i(q_i) = \tau_i, \quad i = 1, \ldots, n, \tag{1}$$

where $q_i \in \mathbb{R}^p$ is the vector of generalized coordinates, $M_i(q_i) \in \mathbb{R}^{p \times p}$ is the symmetric positive-definite inertia matrix, $C_i(q_i, \dot{q}_i)\dot{q}_i \in \mathbb{R}^p$ is the vector of Coriolis and centrifugal torques, $g_i(q_i)$ is the vector of gravitational torque, and $\tau_i \in \mathbb{R}^p$ is the vector of control torque on the ith agent. Throughout the subsequent analysis, we assume that the following assumptions hold (Spong et al. 2006; Kelly et al. 2005):

(A1) Parameter boundedness: For any i, there exist positive constants $k_{\underline{m}}$, $k_{\overline{m}}$, $k_C$, and $k_{g_i}$ such that $0 < k_{\underline{m}} I_p \le M_i(q_i) \le k_{\overline{m}} I_p$, $\|C_i(x, y)\| \le k_C \|y\|$ for all vectors $x, y \in \mathbb{R}^p$, and $\|g_i(q_i)\| \le k_{g_i}$.

(A2) Skew symmetric property: $\dot{M}_i(q_i) - 2C_i(q_i, \dot{q}_i)$ is skew symmetric.

(A3) Linearity in the parameters: $M_i(q_i)x + C_i(q_i, \dot{q}_i)y + g_i(q_i) = Y_i(q_i, \dot{q}_i, x, y)$ i for all vectors $x, y \in \mathbb{R}^p$, where $Y_i(q_i, \dot{q}_i, x, y)$ is the regressor and i is the constant parameter vector associated with the ith agent.

B. Graph Theory

We use a directed graph to describe the network topology among the n agents. Let $G \triangleq (V, E)$ be a directed graph with the node set $V \triangleq \{1, \ldots, n\}$ and the edge set $E \subseteq V \times V$. An edge $(i, j) \in E$ denotes that agent j can obtain information from agent i, but not vice versa. Here, node i is the parent node while node j is the child node. Equivalently, node i is a neighbor of node j. A directed path from node i to node j is a sequence of edges of the form $(i_1, i_2), (i_2, i_3), \ldots$, in a directed graph. A directed graph is strongly connected if there exists a directed path between any two distinct nodes. A directed tree is a directed graph, where every node has exactly one parent except for one node, called the root, and the root has directed paths to every other node. A directed spanning tree of a directed graph is a directed tree that contains all nodes of the directed graph. A directed graph contains a spanning tree if there exists a directed spanning tree as a subset of the directed graph.

The adjacency matrix $A = [a_{ij}] \in \mathbb{R}^{n \times n}$ associated with G is defined as $a_{ij} > 0$ if $(j, i) \in E$, and $a_{ij} = 0$ otherwise. In this work, self edges are not allowed, i.e., $a_{ii} = 0$. The (nonsymmetric) Laplacian matrix $L_A = [l_{ij}] \in \mathbb{R}^{n \times n}$ associated with A and hence G is defined as $l_{ii} = \sum_{j=1, j \ne i}^{n} a_{ij}$ and $l_{ij} = -a_{ij}$, $i \ne j$.

Lemma 2.1: (Agaev and Chebotarev 2000; Ren and Beard 2008; Yu et al. 2010) Let G be a directed graph of order n and $L_A \in \mathbb{R}^{n \times n}$ be the associated (nonsymmetric) Laplacian matrix. The following two statements hold:
1. The matrix $L_A$ has a single zero eigenvalue and all other eigenvalues have positive real parts if and only if G contains a directed spanning tree;
2. If G is strongly connected, there exists a vector $\xi \triangleq [\xi_1, \ldots, \xi_n]^T \in \mathbb{R}^n$ with $\sum_{i=1}^{n} \xi_i = 1$ and $\xi_i > 0$, $\forall i = 1, \ldots, n$, such that $\xi^T L_A = 0$.

Lemma 2.2: (Mei et al. 2016) Suppose that G is a directed graph of order n and is strongly connected.
Define the matrix B  LA + LTA , where   diag (ξ 1 , . . . , ξ n ) with ξ i defined as in Lemma 2.1. Then B is the symmetric Laplacian matrix associated with an undirected graph. Let ς ∈ Rn be any positive vector. The following inequality holds, a(B) 

$$\min_{\varsigma^T \vartheta = 0,\ \vartheta^T \vartheta = 1} \vartheta^T B \vartheta > 0. \tag{2}$$

To facilitate the convergence analysis, we first introduce the following $(n-1) \times n$ matrix Q, which is defined as (Scardovi et al. 2010)

$$Q = \begin{pmatrix} -1 + (n-1)\upsilon & 1 - \upsilon & -\upsilon & \cdots & -\upsilon \\ -1 + (n-1)\upsilon & -\upsilon & 1 - \upsilon & \ddots & \vdots \\ \vdots & \vdots & \ddots & \ddots & -\upsilon \\ -1 + (n-1)\upsilon & -\upsilon & \cdots & -\upsilon & 1 - \upsilon \end{pmatrix} \tag{3}$$

with $\upsilon = \frac{n - \sqrt{n}}{n(n-1)}$. The matrix Q has the following properties

$$Q 1_n = 0_{n-1}, \tag{4}$$

$$Q Q^T = I_{n-1}, \tag{5}$$

$$Q^T Q = I_n - \frac{1}{n} 1_n 1_n^T. \tag{6}$$

We then have the following result (Mei 2015).

Lemma 2.3: Under the condition that the directed graph G contains a directed spanning tree, all the eigenvalues of $Q L_A Q^T$ have positive real parts, where $L_A$ is the Laplacian matrix associated with G.

C. Stability

The following lemma is a corollary of Barbalat's Lemma and will be repeatedly used in our subsequent analysis.

Lemma 2.4: (Sastry 1999) If $f(t), \dot{f}(t) \in \mathcal{L}_\infty$, and $f(t) \in \mathcal{L}_q$ for some $q \in [1, \infty)$, then $\lim_{t \to \infty} f(t) = 0$.

Lemma 2.5: (Khalil 2002) Consider the system

$$\dot{x} = f(t, x, u), \tag{7}$$

where $f(t, x, u)$ is continuously differentiable and globally Lipschitz in $(x, u)$, uniformly in t. If the unforced system $\dot{x} = f(t, x, 0)$ has a globally exponentially stable equilibrium point at the origin $x = 0$, then the system (7) is input-to-state stable.

3 Consensus of Multiple Lagrangian Systems Under a Directed Graph with Full Information

In this section, we consider the leaderless consensus of multiple Lagrangian systems under a general directed graph with full relative information. We first propose a distributed control algorithm for each agent such that the agents achieve consensus with zero final velocity. However, the final consensus equilibrium is unknown. Then by introducing an integral term in the auxiliary variable design, we derive the final consensus equilibrium. We show that this equilibrium is dependent on the interactive topology and the initial positions of the agents. A Lyapunov-based method and the input-to-state stability theory are used for the convergence analysis.

Since the associated directed graph is nonsymmetric, it is difficult to design Lyapunov functions directly. One alternative way is to introduce auxiliary variables as follows (Nuno et al. 2011; Mei et al. 2012)

$$\dot{q}_{ri} \triangleq -\sum_{j=1}^{n} a_{ij}(q_i - q_j), \tag{8}$$

$$s_i \triangleq \dot{q}_i - \dot{q}_{ri} = \dot{q}_i + \sum_{j=1}^{n} a_{ij}(q_i - q_j), \tag{9}$$

where aij is the (i, j)th entry of the adjacency matrix A associated with G . Accordingly, the following distributed adaptive control algorithm is proposed for each agent ˆ i, τi = −Ki si + Yi (qi , q˙i , q¨ri , q˙ri ) 

(10a)

˙ˆ = − Y T (q , q˙ , q¨ , q˙ ) s ,  i i i i i ri ri i

(10b)

where $K_i$ and i are symmetric positive-definite matrices, ˆ i is the estimate of i , and $Y_i(q_i, \dot{q}_i, \ddot{q}_{ri}, \dot{q}_{ri})$ is defined as in (A3). We then have the following result on the leaderless consensus of multiple Lagrangian systems under a directed graph.

Theorem 3.1: Suppose that the directed graph G is strongly connected. Using (10) for (1), $\|q_i(t) - q_j(t)\| \to 0$ and $\dot{q}_i(t) \to 0_p$ as $t \to \infty$ for arbitrary initial conditions in the presence of parametric uncertainties.

Proof: Using (10a), the closed-loop system (1) can be written as ˜ i, Mi (qi ) s˙i = −Ci (qi , q˙i ) si − Ki si − Yi (qi , q˙i , q¨ri , q˙ri ) 

(11)

ˆ i. ˆ i  i −  where  Consider the following Lyapunov function candidate V =

1 T 1  T −1 ˜i  ˜ i.  si Mi (qi ) si + i 2 2 n

n

i=1

i=1

(12)

The derivative of V(t) along (11) can be written as V˙ =

 n   1 T ˙ T T −1 ˙˜ ˜ si Mi (qi ) s˙i + si Mi (qi ) si + i i i 2 i=1

=

n    ˙˜ ˜i + ˜ Ti −1  −siT Ki si − siT Yi  i i

(13)

i=1

=−

n 

siT Ki si ,

i=1

where we have used (11) and (A2) to obtain the second equality and have used (10b) to obtain the last equality. Because $K_i$, $i = 1, \ldots, n$, are symmetric positive definite, we can get $\dot{V}(t) \le 0$, which means that $s_i$, ˆ i $\in \mathcal{L}_\infty$.

Let q and s be the column stack vectors of, respectively, $q_i$ and $s_i$, $i = 1, \ldots, n$. Then (9) can be written in a vector form as

$$s = \dot{q} + (L_A \otimes I_p) q. \tag{14}$$

Define $\hat{q} \triangleq (Q \otimes I_p) q$, $\hat{s} \triangleq (Q \otimes I_p) s$, where Q is defined in (3). Clearly, $\hat{s} \in \mathcal{L}_\infty$. Then multiplying both sides of (14) by $Q \otimes I_p$, we can get

$$\hat{s} = \dot{\hat{q}} + (Q L_A \otimes I_p) q = \dot{\hat{q}} + (Q L_A Q^T Q \otimes I_p) q = \dot{\hat{q}} + (Q L_A Q^T \otimes I_p) \hat{q}, \tag{15}$$

where we have used (6) and the fact that $L_A 1_n = 0$ to obtain the second equality. Since G is strongly connected, we can get from Lemma 2.3 that all the eigenvalues of $Q L_A Q^T$ have positive real parts. It follows from Lemma 2.5 that the system (15) is input-to-state stable with respect to the input $\hat{s}$ and the state $\hat{q}$. It thus follows from $\hat{s} \in \mathcal{L}_\infty$ that $\hat{q}, \dot{\hat{q}} \in \mathcal{L}_\infty$. From the definition of Q, we can conclude that $q_i - q_j \in \mathcal{L}_\infty$. We then can get from (9) that $\dot{q} \in \mathcal{L}_\infty$ and get from (8) that $\dot{q}_{ri} \in \mathcal{L}_\infty$. Differentiating both sides of (8), we can conclude that $\ddot{q}_{ri} \in \mathcal{L}_\infty$. So far, we obtain $s_i$, $\dot{q}_{ri}$, $\ddot{q}_{ri}$, ˜ i $\in \mathcal{L}_\infty$. We then can get from (A1) and (11) that $\dot{s}_i \in \mathcal{L}_\infty$. Integrating both sides of (13), we have $s_i \in \mathcal{L}_2$. Therefore, we have $s_i \in \mathcal{L}_2 \cap \mathcal{L}_\infty$ and $\dot{s}_i \in \mathcal{L}_\infty$, and we can get from Lemma 2.4 that $\lim_{t \to \infty} \|s_i(t)\| = 0$, $i = 1, \ldots, n$. Since the system (15) is input-to-state stable with respect to the input $\hat{s}$ and the state $\hat{q}$, we have $\lim_{t \to \infty} \|\hat{q}\| = 0$ and $\lim_{t \to \infty} \|\dot{\hat{q}}\| = 0$.

From (5), we can get that $\mathrm{rank}(Q) = \mathrm{rank}(Q Q^T) = n - 1$, which implies that the dimension of the null space of Q is one. It follows from (4) that $Qx = 0$ if and only if $x = a 1_n$ for some $a \in \mathbb{R}$, which means that the agents achieve consensus if and only if $\hat{q} = 0_{(n-1)p}$ and $\dot{\hat{q}} = 0_{(n-1)p}$. Therefore, we can conclude that $\lim_{t \to \infty} \|q_i(t) - q_j(t)\| = 0$ and $\lim_{t \to \infty} \|\dot{q}_i(t)\| = 0$, $\forall i, j = 1, \ldots, n$.

The above result shows the consensus convergence of multiple Lagrangian systems under a directed graph. However, the final consensus equilibrium is not explicitly derived. In the following, we propose a new distributed control algorithm such that the final consensus equilibrium can be explicitly derived. Before presenting the main result, we first introduce the following auxiliary variables, which are motivated by (Wang 2014)

$$\vartheta_i = \dot{q}_i + \sum_{j=1}^{n} a_{ij}(q_i - q_j), \tag{16}$$

$$\dot{q}_{ri} = -\sum_{j=1}^{n} a_{ij}(q_i - q_j) - \int_0^t \vartheta_i(\tau)\, d\tau, \tag{17}$$

$$s_i = \dot{q}_i - \dot{q}_{ri} = \vartheta_i + \int_0^t \vartheta_i(\tau)\, d\tau. \tag{18}$$

Compared with (8) and (9), an integral term is added into the variable design, which helps in deriving the final consensus equilibrium. We propose the same control algorithm as in (10) with a different definition of $\dot{q}_{ri}$ in (17), which is rewritten as follows ˆ i, τi = −Ki si + Yi (qi , q˙i , q¨ri , q˙ri ) 

(19a)

ˆ i = − i YiT (qi , q˙i , q¨ri , q˙ri ) si , 

(19b)

where $K_i$ and i are symmetric positive-definite matrices, $\dot{q}_{ri}$ and $s_i$ are defined as in (17) and (18), respectively, ˆ i is the estimate of i , and $Y_i(q_i, \dot{q}_i, \ddot{q}_{ri}, \dot{q}_{ri})$ is defined as in (A3). We have the following main result on consensus of multiple Lagrangian systems with explicitly derived final consensus equilibrium.

Theorem 3.2: Suppose that the directed graph G is strongly connected. Using (19) for (1), $\|q_i(t) - q_j(t)\| \to 0$ and $\dot{q}_i(t) \to 0_p$ as $t \to \infty$ for arbitrary initial conditions in the presence of parametric uncertainties. In particular, $\lim_{t \to \infty} q_i(t) = \sum_{i=1}^{n} \xi_i q_i(0)$, $i = 1, \ldots, n$, where $\xi_i$ is defined as in Lemma 2.1.

Proof: Using (19a), the closed-loop system (1) can be written as ˆ i, Mi (qi ) s˙i = −Ci (qi , q˙i ) si − Ki si − Yi (qi , q˙i , q¨ri , q˙ri ) 

(20)

˜ i  i −  ˆ i. where  Consider the following Lyapunov function candidate V =

1  T −1 1 T ˜i  ˜ i.  si Mi (qi ) si + i 2 2 n

n

i=1

i=1

(21)

From the proof of Theorem 3.1, the derivative of V(t) along (20) is

$$\dot{V} = -\sum_{i=1}^{n} s_i^T K_i s_i \le 0, \tag{22}$$

which implies that $s_i$, ˜ i $\in \mathcal{L}_\infty$. From Lemma 2.5, we can conclude that the system (18) is input-to-state stable with respect to the input $s_i$ and the state $\int_0^t \vartheta_i(\tau)\, d\tau$. It follows from $s_i \in \mathcal{L}_\infty$ that $\int_0^t \vartheta_i(\tau)\, d\tau \in \mathcal{L}_\infty$. Let $\vartheta$, q, and s be the column stack vectors of, respectively, $\vartheta_i$, $q_i$, and $s_i$, $i = 1, \ldots, n$. Then (16) can be written in a vector form as

$$\vartheta = \dot{q} + (L_A \otimes I_p) q. \tag{23}$$

Define $\hat{\vartheta} \triangleq (Q \otimes I_p)\vartheta$, $\hat{q} \triangleq (Q \otimes I_p) q$, $\hat{s} \triangleq (Q \otimes I_p) s$, where Q is defined in (3). Clearly, $\hat{\vartheta} \in \mathcal{L}_\infty$. Then multiplying both sides of (23) by $Q \otimes I_p$, we can get

$$\hat{\vartheta} = \dot{\hat{q}} + (Q L_A Q^T \otimes I_p) \hat{q}. \tag{24}$$

Following the steps in the proof of Theorem 3.1, under the condition that G is strongly connected, we can get that the system (24) is input-to-state stable with respect to the input $\hat{\vartheta}$ and the state $\hat{q}$. It follows from $\hat{\vartheta} \in \mathcal{L}_\infty$ that $\hat{q}, \dot{\hat{q}} \in \mathcal{L}_\infty$. And we can also get $s_i \in \mathcal{L}_2 \cap \mathcal{L}_\infty$ and $\dot{s}_i \in \mathcal{L}_\infty$, which implies that $\lim_{t \to \infty} s_i(t) = 0$, $i = 1, \ldots, n$.

Since the system (18) is input-to-state stable with respect to the input $s_i$ and the state $\int_0^t \vartheta_i(\tau)\, d\tau$, we have $\lim_{t \to \infty} \left\| \int_0^t \vartheta_i(\tau)\, d\tau \right\| = 0$ and $\lim_{t \to \infty} \vartheta_i(t) = 0$, $i = 1, \ldots, n$. Obviously, $\lim_{t \to \infty} \|\hat{\vartheta}(t)\| = 0$. Noting that the system (24) is input-to-state stable with respect to the input $\hat{\vartheta}$ and the state $\hat{q}$, we can obtain that $\lim_{t \to \infty} \|\hat{q}\| = 0$ and $\lim_{t \to \infty} \|\dot{\hat{q}}\| = 0$. Then we can conclude that $\lim_{t \to \infty} \|q_i(t) - q_j(t)\| = 0$ and $\lim_{t \to \infty} \dot{q}_i(t) = 0$, $\forall i, j = 1, \ldots, n$.

We next derive the final consensus equilibrium, which exists and is denoted by $q(\infty)$. Multiplying both sides of (23) by $\xi^T \otimes I_p$, we can get

$$(\xi^T \otimes I_p)\vartheta = (\xi^T \otimes I_p)\dot{q} + (\xi^T L_A \otimes I_p) q = (\xi^T \otimes I_p)\dot{q},$$

which can be rewritten as

$$\sum_{i=1}^{n} \xi_i \vartheta_i = \sum_{i=1}^{n} \xi_i \dot{q}_i. \tag{25}$$

Integrating both sides of (25) and noting that $\lim_{t \to \infty} \left\| \int_0^t \vartheta_i(\tau)\, d\tau \right\| = 0$, we have

$$\sum_{i=1}^{n} \xi_i q(\infty) = \sum_{i=1}^{n} \xi_i q_i(0).$$

Therefore, we can get that

$$q(\infty) \triangleq \lim_{t \to \infty} q_i(t) = \sum_{i=1}^{n} \xi_i q_i(0). \tag{26}$$

4 Consensus of Multiple Lagrangian Systems Under a Directed Graph Without Relative Velocity Information

Note that the proposed control algorithms (10) and (19) rely on full relative information. In practice, relative position information can be measured easily via laser or sonar rangefinders. The relative velocity measurements are generally more difficult to obtain than relative position measurements. In some cases, the agents can measure their own absolute velocities. However, communicating the velocity measurements between neighbors requires the agents to be equipped with communication equipment and, as a result, raises the communication burden. In this section, we design a distributed control algorithm without using the relative velocity information in the absence of communication. Because the relative velocity measurements cannot be used, we propose the following control algorithm for (1)   ˆ i, τi = −kˆi si + Yi qi , q˙i , 0p , q˙ri 

(27a)

  ˆ i = − i YiT qi , q˙i , 0p , q˙ri si , 

(27b)

k˙ˆ i = γi siT si ,

(27c)

where $s_i$, $\dot{q}_{ri}$, ˆ i , i , and $\gamma_i$ are defined as in (8), (9), and (10), and $\hat{k}_i$ is the time-varying control gain with $\hat{k}_i(0) \ge 0$. Compared with (10), $\ddot{q}_{ri}$ (the variable that relies on neighbors' velocity information) is replaced with $0_p$ in the control algorithm (27). And the constant gain matrix $K_i$ is replaced with an adaptive gain $\hat{k}_i$, which can be obtained with only local information, due to the lack of relative velocity information.

Theorem 4.1: Suppose that the directed graph G is strongly connected. Using (27) for (1), $q_i(t) - q_j(t) \to 0$ and $\dot{q}_i(t) \to 0_p$ as $t \to \infty$ for arbitrary initial conditions in the presence of parametric uncertainties.

Proof: Using (27a), the closed-loop system (1) can be written as   ˜ i, Mi (qi ) s˙i = −Ci (qi , q˙i ) si − Mi (qi ) q¨ri − kˆi si − Yi qi , q˙i , 0p , q˙ri 

(28)

˜ i  i −  ˆ i. where  Consider the following Lyapunov function candidate

V =

n   2  1 T ˜ i + 2ξi q˜iT q˜i + γ −1 kˆi − η ˜ Ti −1  si Mi (qi ) si +  , i i 2

(29)

i=1

 where q˜i  qi − ni=1 ξi qi , ξi is defined as in Lemma 2.1 since G is strongly connected, and η is a constant to be determined later. Define q  ni=1 ξi qi . And let q˜ and qr be, respectively, the column stack vectors of q˜i and qri , i = 1, . . . , n. The derivative of V(t) along (28) can be written as

V˙ =

n      1 ˙˜ + 2ξ q˜ T q˙˜ + γ −1 kˆ − η k˙ˆ ˜ Ti −1  siT Mi (qi ) s˙i + siT M˙ i (qi ) si +  i i i i i i i i 2 i=1

=

n    −ηsiT si − siT Mi (qi ) q¨ri + 2ξi q˜iT q˙˜ i i=1

    ˜ = −ηs T s − s T M(q)q¨r + q˜ T  ⊗ Ip q˙˜ + q˙˜  ⊗ Ip q,      = −ηs T s + s T M(q) s − LA ⊗ Ip q˜ − q˜ T B ⊗ Ip q˜    + 2q˜ T  ⊗ Ip s − 1n ⊗ q˙

(30)

where B is defined as in Lemma 2.2. Note that     ⊗ Ip s − 1n ⊗ q˙           1n ξ T ⊗ Ip s − LA ⊗ Ip q˜ =  ⊗ Ip s −  ⊗ Ip    =  − ξ ξ T ⊗ Ip s.

We can obtain


  V˙ = −ηs T s + s T M(q)s − q˜ T B ⊗ Ip q˜      − s T LA ⊗ Ip q˜ + 2q˜ T  − ξ ξ T ⊗ Ip s ˜ + s q ˜ ˜ 2 + σmax (LA ) s q ≤ −ηs2 + km s2 − a(B)q ≤ −ηs2 + km s2 − a(B)q ˜ 2+ 

a(B) (σmax (LA ) + 1)2 s2 + q ˜ 2 2a(B) 2

 a(B) (σmax (LA ) + 1)2 s2 − q ˜ 2 = − η − km − 2a(B) 2

where we have used (A1) and Lemma 2.2 to obtain the first inequality. Choose η such that η  η0 + k m +

(σmax (LA ) + 1)2 , 2a(B)

˜ i , q˜i , with η0 being a positive constant. We can get that V˙ ≤ 0. It implies that si ,  ˆki ∈ L∞ and si , q˜i ∈ L2 . It follows from (14) that q˙ ∈ L∞ , which in turn implies q˙˜ i ∈ L∞ . From (20), we can get s˙i ∈ L∞ . Thus, we have si , q˜i ∈ L2 ∩ L∞ and s˙i , q˙˜ i ∈ L∞ . From Barbalat’s Lemma, we can conclude that limt→∞ si  = limt→∞ q˜i  = 0. Therefore, consensus is achieved. We then consider the case that the final consensus equilibrium point can be explicitly derived without using relative velocity information. We use the same variables defined in (16), (17), and (18). And we propose the following control algorithm without using neighbors’ velocity measurements   ˆ i, τi = −kˆi si + Yi qi , q˙i , 0p , q˙ri 

(31a)

˙ˆ = − Y T q , q˙ , 0 , q˙  s ,  i i i i i p ri i

(31b)

k˙ˆ i = γi siT si ,

(31c)

where $\hat{k}_i$ is the time-varying control gain with $\hat{k}_i(0) \ge 0$, i is symmetric positive-definite, and $\gamma_i$ is a positive constant. We have the following main result on consensus of multiple Lagrangian systems with explicitly derived final consensus equilibrium in the absence of relative velocity information.

Theorem 4.2: Suppose that the directed graph G is strongly connected. Using (31) for (1), $q_i(t) - q_j(t) \to 0$ and $\dot{q}_i(t) \to 0_p$ as $t \to \infty$ for arbitrary initial conditions in the presence of parametric uncertainties. In particular, $\lim_{t \to \infty} q_i(t) = \sum_{i=1}^{n} \xi_i q_i(0)$, $i = 1, \ldots, n$, where $\xi_i$ is defined as in Lemma 2.1.

Proof: Using (31a), the closed-loop system (1) can be written as   ˜ i − Mi (qi ) q¨ri , Mi (qi ) s˙i = −Ci (qi , q˙i ) si − ki si − Yi qi , q˙i , 0p , q˙ri 

(32)

˜ i  i −  ˆ i. where  Consider the following Lyapunov function candidate n  n  2   1 T −1 ˆ T −1 ˜ ˜ si Mi (qi ) si + i i i + γi ki − η + V = ξi q˜iT q˜i 2 i=1

β + 2



i=1

T 

t

(33)

t

ϑ (τ ) dτ

ϑ (τ ) dτ,

0

0

where η and β are positive constants to be determined later. The derivative of V (t) along (32) can be written as V˙ =

 n    1 T ˙ −1  T T −1 ˙˜ ˙ ˜ k i − k ki si Mi (qi ) s˙i + si Mi (qi ) si + i i i + γi 2 i=1

+

n 

ξi q˜iT q˜i +

i=1

β 2



T 

t

t

ϑ (τ ) dτ

ϑ (τ ) dτ

0

0

n     T  = −ηsiT si − siT Mi (qi ) q¨ri + q˙˜  ⊗ Ip q˜

(34)

i=1

  + q˜ T  ⊗ Ip q˙˜ + β



T

t

ϑ (τ ) dτ

ϑ,

0

where we have used (A2) and (31c) to obtain the second equality. From (17) and (18), we can get the following vector forms

$$\dot{q} = s - (L_A \otimes I_p)\tilde{q} - \int_0^t \vartheta(\tau)\, d\tau, \tag{35}$$

and

$$\ddot{q}_r = -(L_A \otimes I_p)\dot{q} - \vartheta = -\big((L_A + I_n) \otimes I_p\big)\left(s - \int_0^t \vartheta(\tau)\, d\tau\right) + (L_A^2 \otimes I_p)\tilde{q}. \tag{36}$$

We can then get that

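$$s^T M(q)\ddot{q}_r \le k_{\overline{m}} \|s\| \|\ddot{q}_r\| \le k_{\overline{m}} \sigma_{\max}(L_A + I_n)\|s\|^2 + k_{\overline{m}} \sigma_{\max}^2(L_A)\|s\| \|\tilde{q}\| + k_{\overline{m}} \sigma_{\max}(L_A + I_n)\|s\| \left\| \int_0^t \vartheta(\tau)\, d\tau \right\|, \tag{37}$$

where we have used the fact that $x^T P y \le \sigma_{\max}(P)\|x\|\|y\|$, for vectors x, y, and matrix P with appropriate dimensions, to get the last inequality. Note that

$$\dot{\tilde{q}} = \dot{q} - (1_n \otimes \xi^T \otimes I_p)\dot{q} = -(L_A \otimes I_p)\tilde{q} + s - \int_0^t \vartheta(\tau)\, d\tau - (1_n \otimes \xi^T \otimes I_p)\left(s - \int_0^t \vartheta(\tau)\, d\tau\right),$$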

(38) where we have used (35) and the fact that ξ T LA = 0n to obtain the second equality. Also note that     t    ϑ (τ ) dτ  ⊗ Ip 1n ⊗ ξ T ⊗ Ip s − 0

  t     ϑ (τ ) dτ =  1n ⊗ ξ T ⊗ Ip s −

(39)

0

  t    T ϑ (τ ) dτ . = ξ ξ ⊗ Ip s − 0

Substituting (38) and (39) into (34), we obtain V˙ (t) =

 t 2 n         −ηsiT si − siT Mi (qi ) q¨ri − q˜ T B ⊗ Ip q˜ − β  ϑ dτ (τ )   0

i=1

  t  t    + 2q˜ T  − ξ ξ T ⊗ Ip s − ϑ (τ ) dτ + βs T ϑ (τ ) dτ. 0

0

(40) Since G is strongly connected, it follows from Lemma 2.2 that

$$\tilde{q}^T (B \otimes I_p)\tilde{q} \ge a(B)\|\tilde{q}\|^2, \tag{41}$$

where a(B) > 0 is defined the same as in (2). Let β=

1   + 1. 2a B˜

(42)

Note that

$$\|\tilde{q}\| \left\| \int_0^t \vartheta(\tau)\, d\tau \right\| \le \frac{a(B)}{2}\|\tilde{q}\|^2 + \frac{1}{2a(B)} \left\| \int_0^t \vartheta(\tau)\, d\tau \right\|^2. \tag{43}$$

From (34), (37), and (43), we obtain V˙ (t) ≤ −ks2 + km σmax (LA + In ) s2  t     + [km σmax (LA + In ) + β] s  ϑ (τ ) dτ  

(44)

0

 t 2     a(B) 2  . q + km σmax ˜ 2− ϑ dτ ˜ − (τ ) (LA ) + 1 s q   2 0

Note that  t     ϑ dτ (τ ) [km σmax (LA + In ) + β] s    0

[km σmax (LA + In ) + β] s2 + ≤ 2 2

 t 2  1  ϑ (τ ) dτ  ,   2 0

and   2 (L ) + 1 2   km σmax a(B) A 2 s2 + q ˜ 2. km σmax (LA ) + 1 s q ˜ ≤ a(B) 4 Choose η such that   2 (L ) + 1 2 km σmax [km σmax (LA + In ) + β]2 A + + η0 , η = km σmax (LA + In ) + 2 a(B) (45) with η0 being a positive constant. We then have a(B) q ˜ 2− V˙ (t) ≤ −k0 s − 4 2

 t 2  1  ϑ (τ ) dτ  .   2 0

(46)

˙ ˜  t Since k0 , a(B) > 0, we can get that V (t) ≤ 0, which means that si , i , ki , q˜i , ϑ . From Lemma 2.5, we can conclude that the system (18) is inputdτ ∈ L (τ ) ∞ 0 i t to-state stable with respect to the input si and the state 0 ϑi (τ ) dτ . It follows from ˙ q¨r ∈ L∞ . Obviously, si ∈ L∞ that ϑi ∈ L∞ . We can get from (35) and (36) that q, q˙˜ i ∈ L∞ . We then can get from (Al) and (32) that s˙i ∈ L∞ .

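Integrating both sides of (46), we have $s_i$, $\tilde{q}_i$, $\int_0^t \vartheta_i(\tau)\, d\tau \in \mathcal{L}_2$. So far we have $\int_0^t \vartheta_i(\tau)\, d\tau$, $s_i$, $\tilde{q}_i \in \mathcal{L}_2 \cap \mathcal{L}_\infty$ and $\vartheta_i$, $\dot{s}_i$, $\dot{\tilde{q}}_i \in \mathcal{L}_\infty$, so it follows from Lemma 2.4 that $\lim_{t \to \infty} \left\| \int_0^t \vartheta_i(\tau)\, d\tau \right\| = 0$, $\lim_{t \to \infty} s_i(t) = 0$, and $\lim_{t \to \infty} \tilde{q}_i(t) = 0$, $\forall i = 1, \ldots, n$. It follows from (18) that $\lim_{t \to \infty} \vartheta_i(t) = 0$, $\forall i = 1, \ldots, n$. From the definition of $\tilde{q}$ and (16), we can conclude that $\lim_{t \to \infty} q_i(t) - q_j(t) = 0$ and $\lim_{t \to \infty} \dot{q}_i(t) = 0$, $\forall i, j = 1, \ldots, n$. From the same steps in the proof of Theorem 3.2, we can derive that the final consensus equilibrium is $\lim_{t \to \infty} q_i(t) = \sum_{i=1}^{n} \xi_i q_i(0)$.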
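The weighted consensus value stated in Theorems 3.2 and 4.2 can be checked numerically. The following is an added example, not code from the chapter: it assumes one-degree-of-freedom agents with unknown constant inertia (so the regressor reduces to its third argument), and the three-agent digraph, gains, initial states and all function names are constructed for illustration.

```python
# Added illustration, not code from the chapter. Assumption: every agent is a
# one-degree-of-freedom system m_i * ddq_i = tau_i with unknown constant inertia
# (M_i = m_i, C_i = 0, g_i = 0), so the regressor in (A3) is Y_i(q, dq, x, y) = x.

# Constructed strongly connected digraph: ADJ[i][j] > 0 means agent i hears agent j.
ADJ = [[0.0, 1.0, 1.0],
       [0.0, 0.0, 1.0],
       [1.0, 0.0, 0.0]]
MASSES = [0.8, 1.5, 2.0]   # true inertias; used by the plant model only
Q0 = [1.0, -2.0, 4.0]      # constructed initial positions
V0 = [0.5, -1.0, 0.3]      # constructed initial velocities


def laplacian(adj):
    """Nonsymmetric Laplacian: l_ii = sum_j a_ij, l_ij = -a_ij for i != j."""
    n = len(adj)
    return [[sum(adj[i]) if i == j else -adj[i][j] for j in range(n)]
            for i in range(n)]


def left_zero_eigenvector(lap, iters=500):
    """Positive xi with xi^T L = 0 and sum(xi) = 1 (Lemma 2.1, item 2)."""
    n = len(lap)
    # Power iteration on the row-stochastic matrix P = I - eps * L.
    eps = 0.5 / max(lap[i][i] for i in range(n))
    xi = [1.0 / n] * n
    for _ in range(iters):
        xi = [xi[j] - eps * sum(xi[i] * lap[i][j] for i in range(n))
              for j in range(n)]
    total = sum(xi)
    return [x / total for x in xi]


def derivatives(x, adj, masses, full_info, K, Gamma, gamma):
    """Closed-loop vector field; state x = [q, dq, integral of vartheta, est]."""
    # est[i] is the inertia estimate under (19) and the adaptive gain under (31).
    n = len(adj)
    q, v, z, est = (x[k * n:(k + 1) * n] for k in range(4))
    dx = [0.0] * (4 * n)
    for i in range(n):
        rel_q = sum(adj[i][j] * (q[i] - q[j]) for j in range(n))
        vartheta = v[i] + rel_q                      # (16)
        s = vartheta + z[i]                          # (18)
        if full_info:
            rel_v = sum(adj[i][j] * (v[i] - v[j]) for j in range(n))
            ddq_r = -rel_v - vartheta                # time derivative of (17)
            tau = -K * s + ddq_r * est[i]            # (19a) with Y_i = ddq_r
            d_est = -Gamma * ddq_r * s               # (19b)
        else:
            # (31a): ddq_r is replaced by 0, so Y_i vanishes for this plant.
            tau = -est[i] * s
            d_est = gamma * s * s                    # (31c)
        dx[i] = v[i]
        dx[n + i] = tau / masses[i]                  # plant (1)
        dx[2 * n + i] = vartheta
        dx[3 * n + i] = d_est
    return dx


def simulate(adj, masses, q0, v0, full_info, est0,
             K=8.0, Gamma=0.1, gamma=0.5, dt=0.01, T=50.0):
    """Integrate the closed loop with classical RK4; return final (q, dq)."""
    n = len(adj)
    x = list(q0) + list(v0) + [0.0] * n + [est0] * n

    def f(y):
        return derivatives(y, adj, masses, full_info, K, Gamma, gamma)

    for _ in range(int(round(T / dt))):
        k1 = f(x)
        k2 = f([a + 0.5 * dt * b for a, b in zip(x, k1)])
        k3 = f([a + 0.5 * dt * b for a, b in zip(x, k2)])
        k4 = f([a + dt * b for a, b in zip(x, k3)])
        x = [a + dt * (b + 2 * c + 2 * d + e) / 6.0
             for a, b, c, d, e in zip(x, k1, k2, k3, k4)]
    return x[:n], x[n:2 * n]


def run_example():
    xi = left_zero_eigenvector(laplacian(ADJ))
    target = sum(w * q for w, q in zip(xi, Q0))      # right-hand side of (26)
    return {
        "xi": xi,
        "target": target,
        "full_info": simulate(ADJ, MASSES, Q0, V0, True, est0=1.0),
        "no_relative_velocity": simulate(ADJ, MASSES, Q0, V0, False, est0=10.0),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value)
```

For this graph the weights are (0.25, 0.25, 0.5), so both controllers settle at 1.75 rather than at the unweighted mean 1.0 of the initial positions, and the nonzero initial velocities do not change the limit.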

5 Conclusions

The leaderless consensus problems for multiple Lagrangian systems in the presence of parametric uncertainties under a directed graph have been summarized. Both cases with full relative information and without relative velocity information have been studied. Consensus convergence has been shown via a Lyapunov-based method and the input-to-state stability theory. By introducing an integral term in the auxiliary variable design, the final consensus equilibrium of the systems has been explicitly derived. We have shown that this equilibrium is dependent on the interactive topology and the initial positions of the agents. Future works include the consensus for multiple Lagrangian systems without any velocity information and the case under switching topologies.

References

R. Agaev, P. Chebotarev, The matrix of maximum out forests of a digraph and its applications. Autom. Remote Control. 61, 1424–1450 (2000)
L. Cheng, Z. Hou, M. Tan, Decentralized adaptive consensus control for multi-manipulator system with uncertain dynamics, in Proceedings of IEEE International Conference on Systems, Man, and Cybernetics, Singapore, 2008a, pp. 2712–2717
L. Cheng, Z.G. Hou, M. Tan, Decentralized adaptive leader-follower control of multi-manipulator system with uncertain dynamics, in Proceedings of The 34th Annual Conference of the IEEE Industrial Electronics Society, Orlando, FL, November 2008b, pp. 1608–1613
P.F. Hokayem, D.M. Stipanovic, M.W. Spong, Semiautonomous control of multiple networked Lagrangian systems. Int. J. Robust Nonlinear Control 19(18), 2040–2055 (2009)
R. Kelly, V. Santibanez, A. Loria, Control of Robot Manipulators in Joint Space (Springer, London, 2005)
H.K. Khalil, Nonlinear Systems, 3rd edn. (Prentice Hall, Upper Saddle River, 2002)
Z. Li, Z. Duan, G. Chen, L. Huang, Consensus of multi-agent systems and synchronization of complex networks: a unified viewpoint. IEEE Trans. Circuits Syst. I Regul. Pap. 57(1), 213–224 (2010)
J. Mei, Weighted consensus for multiple Lagrangian systems under a directed graph, in 2015 Chinese Automation Congress (CAC), 2015, pp. 1064–1068
J. Mei, Weighted consensus for multiple Lagrangian systems under a directed graph without using neighbors' velocity measurements, in Proceedings of the American Control Conference, Seattle, USA, May 24–May 26 2017, pp. 1353–1357
J. Mei, W. Ren, G. Ma, Distributed coordinated tracking with a dynamic leader for multiple Euler-Lagrange systems. IEEE Trans. Autom. Control 56(6), 1415–1421 (2011)
J. Mei, W. Ren, G. Ma, Distributed containment control for Lagrangian networks with parametric uncertainties under a directed graph. Automatica 48(4), 653–659 (2012)
J. Mei, W. Ren, J. Chen, G. Ma, Distributed adaptive coordination for multiple Lagrangian systems under a directed graph without using neighbors' velocity information. Automatica 49(6), 1723–1731 (2013)
J. Mei, W. Ren, B. Li, G. Ma, Distributed containment control for multiple unknown second-order nonlinear systems with application to networked Lagrangian systems. IEEE Trans. Neural Netw. Learn. Syst. 26(9), 1885–1899 (2015)
J. Mei, W. Ren, J. Chen, Distributed consensus of second-order multi-agent systems with heterogeneous unknown inertias and control gains under a directed graph. IEEE Trans. Autom. Control 61(8), 2019–2034 (2016)
Z. Meng, W. Ren, Z. You, Distributed finite-time attitude containment control for multiple rigid bodies. Automatica 46(12), 2092–2099 (2010)
E. Nuno, R. Ortega, L. Basanez, D. Hill, Synchronization of networks of nonidentical Euler-Lagrange systems with uncertain parameters and communication delays. IEEE Trans. Autom. Control 56(4), 935–941 (2011)
R. Olfati-Saber, J.A. Fax, R.M. Murray, Consensus and cooperation in networked multi-agent systems. Proc. IEEE 95(1), 215–233 (2007)
W. Ren, Distributed leaderless consensus algorithms for networked Euler-Lagrange systems. Int. J. Control. 82(11), 2137–2149 (2009)
W. Ren, R.W. Beard, Distributed Consensus in Multi-vehicle Cooperative Control (Springer, London, 2008)
W. Ren, R.W. Beard, E.M. Atkins, Information consensus in multivehicle cooperative control. IEEE Control. Syst. Mag. 27(2), 71–82 (2007)
S. Sastry, Nonlinear Systems Analysis, Stability, and Control (Springer, New York, 1999)
L. Scardovi, R. Sepulchre, Synchronization in networks of identical linear systems. Automatica 45(11), 2557–2562 (2009)
L. Scardovi, M. Arcak, E. Sontag, Synchronization of interconnected systems with applications to biochemical networks: an input-output approach. IEEE Trans. Autom. Control 55(6), 1367–1379 (2010)
R. Sepulchre, D.A. Paley, N.E. Leonard, Stabilization of planar collective motion with limited communication. IEEE Trans. Autom. Control 53(3), 706–719 (2008)
M.W. Spong, S. Hutchinson, M. Vidyasagar, Robot Modeling and Control (Wiley, New York, 2006)
H. Wang, Flocking of networked uncertain Euler-Lagrange systems on directed graphs. Automatica 49(9), 2774–2779 (2013)
H. Wang, Consensus of networked mechanical systems with communication delays: a unified framework. IEEE Trans. Autom. Control 59(6), 1571–1576 (2014)
W. Yu, G. Chen, M. Cao, J. Kurths, Second-order consensus for multiagent systems with directed topologies and nonlinear dynamics. IEEE Trans. Syst. Man Cybern. B Cybern. 40(3), 881–891 (2010)

40 On Discrete-Time Convergence for General Linear Multi-agent Systems Under Dynamic Topology

Jiahu Qin, Huijun Gao, and Changbin Yu

Contents
1 Introduction
2 Preliminaries
2.1 Notation
2.2 Concepts in Graph
2.3 Row Stochastic Matrix
2.4 Problem Statement
3 Main Results
3.1 Convergence Analysis
3.2 Further Analysis and Extensions
4 Conclusion
References

Abstract In this chapter, we aim to deal with the consensus analysis for general discrete-time linear multi-agent systems (MASs), which are allowed to be unstable. To this aim, we further develop the nonnegative matrix theory, which is widely used for analysis of multiple interacting integrators, to establish certain product properties of infinite row stochastic matrices. With the proposed approach, we finally show both theoretically and by simulation that the consensus for all the agents can be reached exponentially fast under mild conditions. More specifically, the individual uncoupled system is allowed to be strictly unstable (in the discrete-time sense), and it is only required that the joint of the communication topologies has a spanning tree frequently enough. Moreover, a lower bound of the convergence rate and an upper bound for the strictly unstable mode are specified. These bounds are proven to be independent of the switching mode of the communication topologies.

J. Qin: University of Science and Technology of China, Hefei, China
H. Gao: Research Institute of Intelligent Control and Systems, Harbin Institute of Technology, Harbin, China
C. Yu: Australian National University and NICTA Ltd, Canberra, ACT, Australia

© Springer Nature Singapore Pte Ltd. 2022. Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_25

Keywords Linear MASs · Dynamic topology · Convergence rate · Discrete-time system

1 Introduction

One of the main issues in the analysis of consensus of multi-agent systems is to establish the weakest possible condition to ensure the agreement of the states of the individual agents. Toward this line, two cases of practical interest have been widely investigated. The first case focuses on consensus of multiple integrators in which agents have no dynamics in the absence of communications. Then, it is the information exchange only that determines the evolution of the state variables of agents; see, e.g., Cao et al. (2008), Cai and Ishii (2011), Gao and Wang (2011), Jadbabaie et al. (2003), Li and Zhang (2010), Lin et al. (2007), Qin et al. (2011b), Cao and Ren (2010), Ren and Beard (2005), Xiao and Wang (2008), and Yu et al. (2010). The second case focuses on consensus of general linear MASs in which each agent, referred to as linear agent for clarity, is modeled by generic linear system dynamics. Different from the integrators, the consensus behavior for linear MASs depends not only on the dynamical rules governing the isolated agents, referred to as individual system dynamics, but also on the communications between the neighboring agents. For integrator agents, it has been shown by Ren and Beard (2005) that to guarantee the consensus, existence of a directed spanning tree is the weakest condition that should be imposed on the fixed communication topology. However, for the dynamic topology, the weakest possible condition on the communication topologies is that their union has a directed spanning tree frequently enough (see Ren and Beard 2005). Besides, nonnegative matrix theory, in particular the product properties of infinite row stochastic matrices (see Wolfowitz 1963), is demonstrated to be one of the most effective and popular analysis tools for consensus analysis. 
It has been shown that the convergence for a group of linearly coupled integrator agents under both fixed and dynamic topologies relies on the product properties of infinite row stochastic matrices; see, e.g., Jadbabaie et al. (2003), Ren and Beard (2005), Qin et al. (2011b), Qin and Gao (2012), and Xiao and Wang (2008). However, complexities arise when taking the individual dynamics into account. This makes the techniques employed
in the previously mentioned works to integrators not applicable straightforwardly to the convergence analysis of linear MASs. To make the consensus problem for linear MASs mathematically tractable, restrictive assumptions are usually made on either the individual dynamics or the communication topology; see, e.g., Ni and Cheng (2010), Qin et al. (2011a), Tuna (2008), Tuna (2009), and Wang et al. (2008). The consensus problems of general linear MASs in continuous setting are investigated by Qin et al. (2011a) and Tuna (2009). It has been proven therein that the consensus can be reached even if the individual system has exponentially unstable mode. Tuna (2008) studies the discrete-time counterpart of the model in Tuna (2009) and Qin et al. (2011a). They further obtain that consensus can be achieved if the individual system is neutrally stable and the communication topology has a spanning tree. All of these works are in the context of fixed communication topology. Convergence analysis for dynamic topology is much more challenging than the fixed case. Attempts to extend the fixed interaction topology to the dynamic case are recently made by Ni and Cheng (2010), Su and Huang (2012), and Wang et al. (2008) in the context of undirected topology. These extensions are based on the developed Lyapunov methods for switched systems. However, such methods rely heavily on the symmetric property of the Laplacian matrix of the communication topology and thus do not apply to the directed case. Furthermore, they cannot tackle the analysis of convergence rate, which is another important topic in MASs community. It is worthwhile to mention that although (A, B) can be relaxed to be a stabilizable pair in these works, some extra conditions on either the connectivity of the interaction topology or the stability of A need to be imposed. Matrix A is required to be neutrally stable by Su and Huang (2012), and Wang et al. 
(2008) assumes the communication topology to be frequently connected, while Ni and Cheng (2010) considers only the leader-following consensus (a special case of leaderless consensus in the context of directed topology) based on the presumption that A satisfies two Riccati inequalities.

With the above discussions, we study the consensus control of a broad class of discrete-time linear MASs under directed dynamic topology. This setting is also inspired by the fact that in real applications the information transmission among agents may be intermittent rather than continuous. The contribution comprises mainly the following three points:

(1) Product properties of infinite row stochastic matrices will be exploited to deal with the convergence analysis of linear multi-agent systems. This can also be considered as one of the first attempts to relate the convergence analysis of agents modeled by integrator dynamics with that modeled by general linear system dynamics. It is expected that this new approach may help to involve more works concerning coordination control of integrator agents into the framework of general linear multi-agent systems.

(2) With the help of the proposed approach, it can be established that to achieve the consensus, only the weakest possible assumptions need to be imposed on the directed dynamic communication topology, i.e., the joint of communication topologies has a spanning tree frequently enough. This generalizes the work in Tuna (2008) to the dynamic case. It is worth pointing out that the full-state information exchange, rather than the partial-state one considered in Tuna (2008), is used in the distributed feedback control law. This makes the convergence analysis under the weakest possible topology assumption mathematically tractable. A notable advantage that comes along with the full-state information exchange is that the individual system is even allowed to be strictly unstable (i.e., the system matrix of the individual system has eigenvalues with magnitude larger than 1). In contrast, a restrictive neutrally stable assumption is imposed in Tuna (2008).

(3) The techniques proposed in this work can further analyze the least convergence rate, which is independent of the switching mode of multi-agent systems. This is another advantage of our work over the existing works performing the convergence analysis for integrator MASs, which can only prove the asymptotic convergence of the system; see, e.g., Ni and Cheng (2010), Wang et al. (2008), and Su and Huang (2012) for general linear MASs and Jadbabaie et al. (2003), Ren and Beard (2005), Qin and Gao (2012), Qin et al. (2012), and Xiao and Wang (2008).

It is worth emphasizing here that the theory of row stochastic matrix has also been used in our previous works (i.e., Qin et al. 2012; Qin and Gao 2012). However, the current work differs from that in Qin and Gao (2012) and Qin et al. (2012) mainly in the following two aspects when performing the convergence analysis: (1) Agents are assumed to take double-integrator dynamics in Qin and Gao (2012) and Qin et al. (2012), while we consider general linear agents in this work; (2) Qin et al. (2012) and Qin and Gao (2012) focus more on how to transform the consensus of double-integrator agents into the consensus for agents with doubled number of single-integrator agents and then apply the existing result on the product properties of row stochastic matrices to complete the analysis. The technical analysis employed therein can neither deal with the linear agents with strictly unstable self-dynamics nor specify the convergence rate. Both issues, however, can be satisfactorily addressed using the techniques developed in this work. Analysis of the convergence rate provides us with an interesting result that for the linear agents with no strictly unstable mode (i.e., eigenvalues of the individual agent's system matrix are within the closed unit disk) communicating over undirected topology, the widely used uniformly bounded assumption imposed on the intervals between which the communication topology switches can be removed.

The remainder of this chapter is organized as follows. Matrix and graph theory notations are established, and the problem is formulated in Sect. 2. Section 3 presents the convergence analysis with simulation examples to demonstrate the effectiveness of the results. Finally, the concluding remarks are offered in Sect. 4.

2 Preliminaries

2.1 Notation

Let $|\cdot|$ denote the 2-norm of a vector, and $\|\cdot\|_F$ denote the Frobenius norm of a matrix. Denote by $I_p$ the $p \times p$ identity matrix and by $\mathbf{1}_N$ the N column vector with all entries equal to 1. When the subscripts are dropped, the dimensions of these vectors and matrices are assumed to be compatible with the context. Denote by $\mathrm{diag}\{A_1, A_2, \ldots, A_n\}$ the block diagonal matrix with its ith main diagonal matrix being a square matrix $A_i$, $i = 1, \ldots, n$. Let $\otimes$ be the Kronecker product, which comes with the following properties: $(A \otimes B)^T = A^T \otimes B^T$ and $\|A \otimes B\|_F = \|A\|_F \cdot \|B\|_F$.

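2.2 Concepts in Graph

Let $\mathcal{G} = (\mathcal{V}, \mathcal{E}, \mathcal{A})$ be a weighted digraph of order N with a finite nonempty set of nodes $\mathcal{V} = \{1, 2, \ldots, N\}$, a set of edges $\mathcal{E} \subset \mathcal{V} \times \mathcal{V}$, and a weighted adjacency matrix $\mathcal{A} = [\alpha_{ij}] \in \mathbb{R}^{N \times N}$ in which $\alpha_{ij} > 0 \Leftrightarrow (j, i) \in \mathcal{E}$. Moreover, we assume $\alpha_{ii} = 0$, $i = 1, \ldots, N$. Denote by $L$ the Laplacian matrix of $\mathcal{G} = (\mathcal{V}, \mathcal{E}, \mathcal{A})$, which is defined by Godsil and Doyle (2001) entrywise: its $(i, j)$ entry is $-\alpha_{ij}$ for $i \neq j$, and its $(i, i)$ entry is $\sum_{k=1, k \neq i}^{N} \alpha_{ik}$.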

The graph Laplacian L associated with an undirected graph is positive semi-definite, but the graph Laplacian associated with a digraph does not have this property. In both the undirected and directed cases, 0 is an eigenvalue of L with associated eigenvector 1, where 1 denotes the column vector of all ones with compatible dimension. We say that a graph has a directed spanning tree if there exists at least one node, called the root node, having a directed path to all other nodes.

2.3 Row Stochastic Matrix

A real matrix M is said to be nonnegative if all its entries are nonnegative. A nonnegative matrix M is said to be row stochastic if all its row sums are 1. Given any $N \times N$ row stochastic matrix $S = [s_{ij}]$ (Wolfowitz 1963), $\chi(S)$ and $\lambda(S)$ are defined, respectively, as $\chi(S) = \min_{i_1, i_2} \sum_j \min\{s_{i_1 j}, s_{i_2 j}\}$ and $\lambda(S) = 1 - \chi(S)$, while $\delta(S)$ is defined as $\delta(S) = \max_j \max_{i_1, i_2} |s_{i_1 j} - s_{i_2 j}|$. $\delta(S)$ measures, in a certain sense, how different the rows of S are, and clearly $\delta(S) = 0$ if and only if the rows of S are identical. A matrix S is called scrambling if $\lambda(S) < 1$ or equivalently $\chi(S) > 0$. Obviously, $\lambda(S) = 0$ if and only if $\delta(S) = 0$.


Let $S_d$ denote the set of N by N row stochastic matrices with positive diagonal elements, and $S_d(v)$ denote the matrices in $S_d$ with each nonzero element being larger than or equal to $v$. A row stochastic matrix M is called indecomposable and aperiodic (SIA) (Wolfowitz 1963) if there exists a column vector $c$ such that $\lim_{k \to \infty} M^k = \mathbf{1} c^T$. $\prod_{i=1}^{k} M_i = M_k M_{k-1} \cdots M_1$ denotes the left product of the matrices $M_k, M_{k-1}, \cdots, M_1$.

Example 1. Given two row stochastic matrices

$$A = \begin{bmatrix} 0.4 & 0 & 0.6 \\ 0 & 0.3 & 0.7 \\ 0 & 1 & 0 \end{bmatrix}, \quad B = \begin{bmatrix} 0.1 & 0 & 0.9 \\ 0 & 0.1 & 0.9 \\ 0 & 0 & 1 \end{bmatrix}.$$

Through simple calculations, it is obtained that $\chi(A) = 0$, $\chi(B) = 0.9 > 0$, and $\delta(A) = 1$, $\delta(B) = 0.1 < \delta(A)$. Hence, B is scrambling while A is not. Moreover, since $\delta(B) < \delta(A)$, by the definition of $\delta(\cdot)$, the rows in A are more different than those in B. This is consistent with our observation that all rows in B resemble the row vector $[0, 0, 1]$.
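The coefficients defined in Sect. 2.3, computed for the matrices of Example 1 and for the products AB and BB that Example 2 uses; this is an added Python example, not code from the chapter. The third rows of A and B are taken as [0, 1, 0] and [0, 0, 1], the values consistent with the stated χ(A) = 0, δ(A) = 1, AB and BB; all function names are assumptions.

```python
"""Ergodicity coefficients chi, lambda, delta of row stochastic matrices (pure Python)."""
from itertools import combinations

TOL = 1e-12  # tolerance for floating-point comparisons

# Matrices of Example 1 (third rows as implied by the values the page states).
A = [[0.4, 0.0, 0.6],
     [0.0, 0.3, 0.7],
     [0.0, 1.0, 0.0]]
B = [[0.1, 0.0, 0.9],
     [0.0, 0.1, 0.9],
     [0.0, 0.0, 1.0]]


def is_row_stochastic(S):
    """Nonnegative entries and every row sum equal to 1."""
    return all(all(x >= 0 for x in row) and abs(sum(row) - 1.0) < TOL for row in S)


def chi(S):
    """chi(S) = min over row pairs (i1, i2) of sum_j min(s_i1j, s_i2j)."""
    return min(sum(min(p, q) for p, q in zip(S[i1], S[i2]))
               for i1, i2 in combinations(range(len(S)), 2))


def lam(S):
    """lambda(S) = 1 - chi(S)."""
    return 1.0 - chi(S)


def delta(S):
    """delta(S) = largest spread inside any column; 0 iff all rows are identical."""
    return max(max(col) - min(col) for col in zip(*S))


def is_scrambling(S):
    """S is scrambling iff chi(S) > 0, i.e. every two rows overlap in some column."""
    return chi(S) > TOL


def matmul(P, Q):
    """Plain matrix product P Q."""
    return [[sum(p * q for p, q in zip(row, col)) for col in zip(*Q)] for row in P]


def lemma1_holds(mats):
    """Check delta(P_1 P_2 ... P_k) <= lambda(P_1) ... lambda(P_k) for the given list."""
    prod, bound = mats[0], lam(mats[0])
    for P in mats[1:]:
        prod = matmul(prod, P)
        bound *= lam(P)
    return delta(prod) <= bound + TOL


def delta_of_powers(S, k_max):
    """delta(S^k) for k = 1..k_max; a scrambling S drives these to 0 geometrically."""
    out, power = [], S
    for _ in range(k_max):
        out.append(delta(power))
        power = matmul(power, S)
    return out


if __name__ == "__main__":
    for name, S in (("A", A), ("B", B), ("AB", matmul(A, B)), ("BB", matmul(B, B))):
        print(name, "chi=%.2f lambda=%.2f delta=%.2f scrambling=%s"
              % (chi(S), lam(S), delta(S), is_scrambling(S)))
    print("Lemma 1 bound holds for AB:", lemma1_holds([A, B]))
    print("delta(B^k):", ["%.0e" % d for d in delta_of_powers(B, 4)])
```

For AB the bound of Lemma 1 is attained with equality (both sides equal 0.1), which is why the comparison carries a tolerance.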

2.4 Problem Statement

Consider a group of N linear agents moving in $\mathbb{R}^n$, each modeled by the following discrete-time dynamics:

$$x_i((k+1)T) = A x_i(kT) + B u_i(kT), \qquad (1)$$

where $x_i(kT) \in \mathbb{R}^n$ is the ith agent's state at time $kT$, $A \in \mathbb{R}^{n \times n}$, $B \in \mathbb{R}^{n \times m}$, and $u_i(kT) \in \mathbb{R}^m$ is the control input for agent i at time $kT$, where T is the sample time. In what follows, T will be dropped for simplicity. We consider the following distributed state feedback controller:

$$u_i(k) = K \sum_{j \in N_i(k)} \alpha_{ij}(k)\,(x_j(k) - x_i(k)), \qquad (2)$$

where $\alpha_{ij}(k) > 0$ if agent i can receive the information of agent j at time $t = kT$ while $\alpha_{ij}(k) = 0$ otherwise, and $N_i(k) = \{j \in \mathcal{V} : \alpha_{ij}(k) > 0\}$ is the set of neighbors of agent i at time $kT$. Moreover, we assume that all the nonzero and hence positive weighting factors are both uniformly lower and upper bounded, i.e., $\alpha_{ij}(k) \in [\alpha, \bar{\alpha}]$, where $0 < \alpha < \bar{\alpha}$, if $j \in N_i(k)$. $K \in \mathbb{R}^{m \times n}$ is a state feedback matrix to be designed. Further, let $\mathcal{G}(k)$ denote the underlying communication topology among the N agents at time $kT$. We say that consensus is achieved for system (1) by using distributed control law (2) if there exists a feedback matrix K such that for any initial states $x_i(0)$, $\lim_{k \to \infty} |x_i(k) - x_j(k)| = 0$, $i, j \in \mathcal{V}$.

3 Main Results

3.1 Convergence Analysis

Before giving a rigorous convergence analysis, we need to introduce some results concerning matrix analysis for later use.

Lemma 1 (Lemma 2, Wolfowitz 1963). For any row stochastic matrices $P_1, P_2, \ldots, P_k$, $\delta(P_1 P_2 \cdots P_k) \le \prod_{i=1}^{k} \lambda(P_i)$.

Let $\mathcal{A} = \{A_1, \ldots, A_k\}$ ($\mathcal{A}$ can be an infinite set) be a set of square matrices with the same order. By a word (in the A's, $A \in \mathcal{A}$) of length m, we mean the product of m A's (repetitions permitted) (Wolfowitz 1963).

Lemma 2 (Wu 2007). Let S be a set of N by N SIA matrices with positive diagonal elements, then any word in the s's ($s \in S$) of length $N - 1$ or larger is scrambling.

The following example illustrates Lemmas 1 and 2:

Example 2. For the two matrices A and B provided in Example 1, we have

$$AB = \begin{bmatrix} 0.04 & 0 & 0.96 \\ 0 & 0.03 & 0.97 \\ 0 & 0.1 & 0.9 \end{bmatrix}, \quad BB = \begin{bmatrix} 0.01 & 0 & 0.99 \\ 0 & 0.01 & 0.99 \\ 0 & 0 & 1 \end{bmatrix}.$$

Following the above two lemmas and through calculations, one has $\delta(AB) = 0.1$, $\lambda(A) = 1$, $\lambda(B) = 0.1$, and $\chi(BB) = 0.99$. Apparently, one verifies that $\delta(AB) \le \lambda(A)\lambda(B)$. In addition, since $\chi(BB) = 0.99$, BB is scrambling.

Lemma 3. Let A be an $n \times n$ matrix and $a = \max\{|\lambda| : \lambda \in \sigma(A)\}$, where $\sigma(A)$ is the set of eigenvalues of A. Then, there exists a positive number $\beta$ such that for any $k \ge n$, if $a \le 1$, $\|A^k\|_F \le \beta k^{n-1}$, while if $a > 1$, $\|A^k\|_F \le \beta k^{n-1} a^k$.

Proof. Let P be the nonsingular matrix such that $P A P^{-1} = J = \mathrm{diag}\{J_1, \cdots, J_s\}$, where $J_i$, $i = 1, \ldots, s$ and $1 \le s \le n$, is the Jordan block. For a Jordan block of order m ($1 \le m \le n$) with $\lambda$ being the corresponding eigenvalue, $J^k$ takes the following form:

$$\begin{bmatrix}
\lambda^k & \binom{k}{1}\lambda^{k-1} & \binom{k}{2}\lambda^{k-2} & \cdots & \cdots \\
0 & \lambda^k & \binom{k}{1}\lambda^{k-1} & \binom{k}{2}\lambda^{k-2} & \cdots \\
\vdots & \vdots & \ddots & \ddots & \vdots \\
0 & 0 & \cdots & \lambda^k & \binom{k}{1}\lambda^{k-1} \\
0 & 0 & \cdots & 0 & \lambda^k
\end{bmatrix}.$$

Note that

$$\|A^k\|_F = \|P^{-1}\, \mathrm{diag}\{J_1^k, \cdots, J_s^k\}\, P\|_F,$$

we have

$$\|A^k\|_F \le \|P^{-1}\|_F\, \|P\|_F\, \|\mathrm{diag}\{J_1^k, \cdots, J_s^k\}\|_F.$$

Let

$$\beta = \frac{n(n+1)}{2}\, \|P^{-1}\|_F\, \|P\|_F.$$

Combining the above arguments together with the fact that there are at most $\frac{n(n+1)}{2}$ nonzero elements in $\mathrm{diag}\{J_1^k, \cdots, J_s^k\}$ and the fact that $\binom{k}{l} \le k^{l}$ for any $l \le k$, one obtains straightforwardly that if $a \le 1$, then $\|A^k\|_F \le \beta k^{n-1}$, while if $a > 1$, then $\|A^k\|_F \le \beta k^{n-1} a^k$.

To state the main result, we need to introduce a few notions. Denote $\bar{\mathcal{G}}$ as the set of all possible communication topologies among the N agents. The union of a group of digraphs $\{\mathcal{G}_{i_1}, \ldots, \mathcal{G}_{i_k}\} \subset \bar{\mathcal{G}}$ is a digraph with the same node set and the edge set given by the union of the edge sets of $\mathcal{G}_{i_j}$, $j = 1, \ldots, k$. Let $\bar{d}$ be the largest diagonal element of all possible Laplacian matrices $L(k)$ of $\mathcal{G}(k)$, i.e.,

$$\bar{d} = \max_{1 \le i \le N,\, k \ge 0} \left\{ \sum_{l=1, l \neq i}^{N} \alpha_{il}(k) \right\}.$$


Clearly, $0 < \bar{d} \le (N-1)\bar{\alpha}$. Choose a positive such that < $1/\bar{d}$. Further, let μ = min{1 − d̄, α}, obviously $0 < \mu < 1$. We are now in a position to present the first of our main results.

Theorem 1. Assume that matrix B is of full row rank. Using distributed feedback controller (2), consensus can be achieved for system (1) exponentially fast with the least rate

$$\left(1 - \mu^{T_0(N-1)}\right)^{\frac{1}{(N-1)T_0}} \cdot a, \qquad (3)$$

i.e., the consensus of system (1) is faster than

$$\left( \left(1 - \mu^{T_0(N-1)}\right)^{\frac{1}{(N-1)T_0}} \cdot a \right)^{k},$$

if there exists an infinite sequence of contiguous, nonempty, uniformly bounded time intervals $[i_j, i_{j+1})$, $j = 1, 2, \ldots$, starting at $i_1 = 0$, for which the union of communication topologies $\mathcal{G}(i_j), \mathcal{G}(i_j + 1), \ldots, \mathcal{G}(i_{j+1} - 1)$ has a spanning tree and matrix A satisfies

$$a = \max\{|\lambda| : \lambda \in \sigma(A)\} < \left(1 - \mu^{T_0(N-1)}\right)^{\frac{-1}{(N-1)T_0}},$$

where $T_0$ is the upper bound for all the intervals $[i_j, i_{j+1})$, $j = 1, 2, \ldots$.

Proof. Choose $K = B^T (B B^T)^{-1} A$. Then, from (1) and (2) we have

$$x_i(k+1) = A x_i(k) + A \sum_{j \in N_i(k)} \alpha_{ij}(k)\,(x_j(k) - x_i(k)).$$

Let $x(k) = [x_1^T(k), \ldots, x_N^T(k)]^T$, then the above system dynamics is rewritten in compact form as

$$x(k+1) = [(I_N - L(k)) \otimes A]\, x(k) = [M(k) \otimes A]\, x(k), \qquad (4)$$

where $L(k)$ is the Laplacian matrix of digraph $\mathcal{G}(k)$ and $M(k) = I_N - L(k)$. Since < $1/\bar{d}$, it follows that $M(k)$ is a row stochastic matrix with positive diagonal elements, while $M(k) \otimes A$ is not even a nonnegative matrix. As such, we cannot study system (4) directly using nonnegative matrix analysis. Instead, we study the convergence of the following system, and thus

$$x(k+1) = \left[ (M(k) M(k-1) \cdots M(0)) \otimes A^{k+1} \right] x(0). \qquad (5)$$


Let $S^{i_j} = M(i_{j+1} - 1) \cdots M(i_j + 1) M(i_j)$ be the matrix corresponding to interval $[i_j, i_{j+1})$, $j = 1, 2, \ldots$. Noticing that row stochastic matrices with positive diagonal elements are closed under matrix multiplication, it follows that each $S^{i_j}$ is a row stochastic matrix with positive diagonal elements as well. In addition, the condition that the union of communication topologies across each interval $[i_j, i_{j+1})$ has a spanning tree implies that each $S^{i_j}$ is SIA (Jadbabaie et al. 2003; Ren and Beard 2005). It is not difficult to derive that $M(k) \in S_d(\mu)$ for any $k = 0, 1, \ldots$, which combined with the fact that $i_{j+1} - i_j \le T_0$ implies $S^{i_j} \in S_d(\mu^{T_0})$. Now consider the following product matrices:

$$W_m = \prod_{j = m(N-1)+1}^{(m+1)(N-1)} S^{i_j}, \quad m = 0, 1, 2, \ldots.$$

Recall that each $S^{i_j}$ is a SIA matrix with positive diagonal elements; it then follows from Lemma 2 that each $W_m$, $m = 0, 1, 2, \ldots$, is a scrambling matrix, i.e., $\chi(W_m) > 0$. This in conjunction with the fact that $W_m \in S_d(\mu^{T_0(N-1)})$ shows that $\chi(W_m) \ge \mu^{T_0(N-1)} > 0$ and thus $\lambda(W_m) \le 1 - \mu^{T_0(N-1)} < 1$. For simplicity, denote by $\gamma = 1 - \mu^{T_0(N-1)}$, $0 < \gamma < 1$. For any $j \ge 2N$, one has

$$S^{i_j} \cdots S^{i_1} = S^{i_j} \cdots S^{i_{(N-1) \times \lfloor \frac{j-1}{N-1} \rfloor + 1}} \cdot S^{i_{(N-1) \times \lfloor \frac{j-1}{N-1} \rfloor}} \cdots S^{i_1} = \left( S^{i_j} \cdots S^{i_{(N-1) \times \lfloor \frac{j-1}{N-1} \rfloor + 1}} \right) \cdot \left( \prod_{m=0}^{\lfloor \frac{j-1}{N-1} \rfloor - 1} W_m \right),$$

where $\lfloor \frac{j-1}{N-1} \rfloor$ denotes the maximum integer not greater than $\frac{j-1}{N-1}$. Noting that $\lambda(S) \le 1$ for any row stochastic matrix S, it then follows from Lemma 1 that

$$\delta(S^{i_j} \cdots S^{i_1}) \le \lambda\!\left( S^{i_j} \cdots S^{i_{(N-1) \times \lfloor \frac{j-1}{N-1} \rfloor + 1}} \right) \cdot \left( \prod_{m=0}^{\lfloor \frac{j-1}{N-1} \rfloor - 1} \lambda(W_m) \right) \le \prod_{m=0}^{\lfloor \frac{j-1}{N-1} \rfloor - 1} \lambda(W_m) \le \gamma^{\lfloor \frac{j-1}{N-1} \rfloor} \le \gamma^{\frac{j-1}{N-1} - 1}. \qquad (6)$$

This means that

$$\lim_{j \to \infty} \delta\big( M(i_{j+1} - 1) \cdots M(1) M(0) \big) = \lim_{j \to \infty} \delta\big( S^{i_j} \cdots S^{i_1} \big) = 0,$$

i.e., the rows of $M(i_{j+1} - 1) \cdots M(1) M(0)$ approach each other as $j \to \infty$, which is equivalent to saying $M(i_{j+1} - 1) \cdots M(1) M(0)$ converges to a rank one matrix of the form $\mathbf{1} c^T$ (Chatterjee and Seneta 1977), or in other words

$$\left\| M(i_{j+1} - 1) \cdots M(1) M(0) - \mathbf{1} c^T \right\|_F = O\big( \delta( M(i_{j+1} - 1) \cdots M(1) M(0) ) \big), \qquad (7)$$

where $O(\cdot)$ means that the two terms concerned in (7) are equivalent infinitesimals as $j \to \infty$. In what follows, we first prove

$$\lim_{j \to \infty} \left\| \left( M(i_{j+1} - 1) \cdots M(1) M(0) - \mathbf{1} c^T \right) \otimes A^{i_{j+1}} \right\|_F = \lim_{j \to \infty} \left\| S^{i_j} \cdots S^{i_2} S^{i_1} - \mathbf{1} c^T \right\|_F \cdot \left\| A^{i_{j+1}} \right\|_F = 0. \qquad (8)$$

Note from Lemma 3 that there exist a $\beta > 0$ and a positive integer $M > 0$ such that for any $j > M$,

$$\left\| A^{i_{j+1}} \right\|_F \le \beta (i_{j+1})^{n-1} a^{i_{j+1}} \le \beta (j T_0)^{n-1} a^{j T_0}$$

if $a > 1$, while

$$\left\| A^{i_{j+1}} \right\|_F \le \beta (j T_0)^{n-1}$$

if $a \le 1$. Thus, according to (6) and (7), to prove (8), it suffices to prove that

$$\lim_{j \to \infty} (j T_0)^{n-1}\, a^{j T_0} \left( \gamma^{\frac{j-1}{N-1} - 1} \right) = 0 \qquad (9)$$

holds for such $a$ satisfying $1 \le a < 1 + \eta$, where $\eta > 0$ is a positive number to be specified later (see Remark 2 for the special case that $a < 1$). Noting that $0 < \gamma < 1$ and that

$$(j T_0)^{n-1}\, a^{j T_0} \left( \gamma^{\frac{j-1}{N-1} - 1} \right) = (j T_0)^{n-1}\, \gamma^{\frac{-1}{N-1} - 1}\, e^{\left( T_0 \ln a + \frac{\ln \gamma}{N-1} \right) j}, \qquad (10)$$

it then follows directly from the fact that the exponential decay dominates the polynomial inflation that if $T_0 \ln a + \frac{\ln \gamma}{N-1} < 0$, i.e., $a < \gamma^{\frac{-1}{(N-1)T_0}}$, the equation in (9) holds. This in turn implies that $\eta$ can be any positive number such that $\eta \le \gamma^{\frac{-1}{(N-1)T_0}} - 1$. Now we proceed to prove

$$\lim_{k \to \infty} \left( M(k) M(k-1) \cdots M(0) - \mathbf{1} c^T \right) \otimes A^{k+1} = 0.$$

Let  be the largest nonnegative integer satisfying i+1 ≤ k − 1, and thus k − 1 − i+1 ≤ T0 and also k ≤ i+2 , the latter of which implies that k ≤ ( + 1)T0 , i.e.,  ≥ Tk0 − 1. It follows from the fact that each M(k), k = 0, 1, . . . , is row stochastic that       M(k)M(k − 1) · · · M(0) − 1cT ⊗ Ak+1  F ⎡⎛  ⎞ ⎤  k       ⎣⎝ = M(j )⎠ ⊗ A(k+1−i+1 ) ⎦ M(i+1 − 1) · · · M(0) − 1cT ⊗ Ai+1      j =i+1 F ⎛  ⎞     k     T i+1  ⎝ ⎠ ⊗ A(k+1−i+1 )   M(i ⊗ A ≤ M(j ) − 1) · · · M(0) − 1c   +1   F  j =i+1  F

(11)

      =O δ (M(i+1 − 1) · · · M(0)) · Ai+1    −1 −1 n−1 T0 N−1 ≤O (i+1 ) a γ & ≤O

γ

1 (N−1)T0

F

(12)

k ' ·a

· (k − 1)n−1

(13)

where (12) is obtained from (11) by noting (6) and (7) and the fact that ⎛  ⎞   k    ⎝ ⎠ ⊗ A(k+1−i+1 )  M(j )    j =i+1 

F

is ka bounded quantity since k + 1 − i+1 ≤ T0 + 2 and row stochastic matrix j =i+1 M(j ) are bounded as well, while (13) is obtained from (12) by noting that i+1 ≤ k − 1 and that  ≥ Tk0 − 1. This yields straightforwardly the fact that ( (   ( ( (x(k + 1) − (1cT ) ⊗ Ak+1 x(0)( ( (   ( ( = ( M(k)M(k − 1) · · · M(0) − 1cT ⊗ Ak+1 x(0)(


approaches zero exponentially fast with the least rate as that specified in (3). That is, trajectories $x_i(k)$, $i = 1, \ldots, N$, of all the agents synchronize to the state $(c^T \otimes A^k)\, x(0)$ as $k \to \infty$.

Remark 1. Although consensus can be reached via information exchanges between neighboring agents, the trajectory to which all the agents converge may be oscillating (corresponds to $a \le 1$) or even divergent (corresponds to $a > 1$), which depends on the location of the eigenvalues of A. Different from the restrictive assumption made in Tuna (2008) that A is assumed to be neutrally stable, A in our work is allowed to have strictly unstable mode, i.e., A is allowed to have eigenvalues with magnitude larger than 1. The proof of Theorem 1 in fact gives an upper bound for the exponentially unstable mode of A, i.e., $a < (1 - \mu^{T_0(N-1)})^{\frac{-1}{(N-1)T_0}}$. This bound may not be tight; however, it relates only to $T_0$ and N, the number of the agents, and therefore is independent of the switching mode of the multi-agent system.

Remark 2. Theorem 1 further points out that consensus can be reached if the communications among agents which cause the agreement of the states of the agents can dominate the divergence mode caused by A. An intuitive scenario is that if the isolated system, modeled by $s(k+1) = A s(k)$, is asymptotically stable, i.e., $a = \max\{|\lambda| : \lambda \in \sigma(A)\} < 1$, then the states of all the agents converge asymptotically to zeros under any switching mode and any communication topologies. This can be seen from Eq. (5) in which $M(k) \cdots M(0)$ is a bounded row stochastic matrix for any k, while $A^k$ converges to zero exponentially fast as $k \to \infty$; see also (3) where $\ln \frac{1}{a} > 0$ if $a < 1$ and thus no convergence needs to be contributed by the communications among agents (corresponding to the second term in (3)).

Example 3. Consider a group of three agents moving in $\mathbb{R}^3$. Assume that the interaction topology $\mathcal{G}(t)$ switches every 1T periodically from Ga to Gb and then from Gb to Ga, as is shown in Fig. 1, where T = 0.2s. Obviously, the union of Ga and Gb has a spanning tree, and agent 1 is the root. Moreover, to efficiently illustrate our result, we choose

$$A = \begin{bmatrix} c & 0 & -1 \\ 0 & 0 & -b \\ 0 & b & 0 \end{bmatrix}$$

and

$$B = \begin{bmatrix} 1 & 0 & 0 & 1 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \end{bmatrix},$$

where c and b are two numbers to be determined in the simulation. It can be easily obtained that $\sigma(A) = \{c, bi, -bi\}$. The initial state of each agent is randomly chosen from cube $[-10, 10]^3 \subset \mathbb{R}^3$.


[Fig. 1 Switching mode and two possible interaction topologies among 3 agents (panels: Ga, Gb, and the union graph G = Ga ∪ Gb)]

[Fig. 2 Time evolution of E(t) with c = 1.01, b = 1, and T = 0.2s (vertical axis: consensus error E(t); horizontal axis: t/s)]

For illustration, choose = 0.5. From Theorem 1 it can be computed that $a = \max\{|\lambda| : \lambda \in \sigma(A)\}$ should satisfy $a < (1 - \mu^{T_0(N-1)})^{\frac{-1}{(N-1)T_0}} = 1.016$. To accurately investigate the process of convergence of agent 2 and agent 3 to agent 1, we introduce the quantity

$$E(t) = \sqrt{\sum_{i=2}^{3} |x_1(k) - x_i(k)|^2}.$$

[Fig. 3 The plot of ln(E(t)) with c = 1.01, b = 1, and T = 0.2s (vertical axis: convergence rate, ln(E(t)); horizontal axis: t/s)]

Figure 2 shows that the state trajectories of all the agents synchronize with each other even if each isolated agent is strictly unstable (corresponds to c = 1.01, b = 1, and thus a = 1.01 > 1). Furthermore, it can be estimated from Fig. 3 that the convergence rate of the system is approximately 1.5. However, according to Theorem 1, it follows that

$$\left( \left(1 - \mu^{T_0(N-1)}\right)^{\frac{1}{(N-1)T_0}} \cdot a \right)^{k} = O\!\left( \left( \left(1 - \mu^{T_0(N-1)}\right)^{\frac{1}{(N-1)T_0}} \cdot a \right)^{\frac{t}{T}} \right) = O\!\left( e^{\left( \frac{\ln a}{T} + \frac{\ln\left(1 - \mu^{T_0(N-1)}\right)}{(N-1) T T_0} \right) t} \right)$$

and thus the theoretical convergence rate is

$$\frac{\ln \frac{1}{a}}{T} - \frac{\ln\left(1 - \mu^{T_0(N-1)}\right)}{(N-1) T T_0} = 0.031 \ll 1.5.$$

This big discrepancy comes partly from the fact that the convergence rate as specified in Theorem 1 is irrelevant to the switching mode, and partly from the technical analysis proposed in dealing with the convergence analysis, which has been demonstrated effective in specifying the convergence rate but may be of high conservativeness. Such a conservativeness applies also to the upper bound provided for the strictly unstable mode of A. It would be interesting to exploit in the future work a new methodology/analysis that can largely reduce the conservativeness of the results.
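A re-run of the setting of Example 3 as an added Python example (not the authors' simulation): it evaluates the Theorem 1 bound and least rate and iterates system (4) under a periodically switching topology. The matrices M_A and M_B, the initial states, T0 = 2 and μ = 0.5 are assumptions, with T0 and μ chosen because they reproduce the quoted 1.016 and 0.031; the graphs of Fig. 1 are not recoverable from the page.

```python
"""System (4), x(k+1) = (M(k) kron A) x(k), under a two-phase switching topology."""
import math

N_AGENTS = 3
T_SAMPLE = 0.2          # sample time T from Example 3
T0 = 2                  # assumption: the union has a spanning tree over every 2 steps
MU = 0.5                # assumption: value that reproduces the page's bound 1.016
C, B_FREQ = 1.01, 1.0   # c and b from the captions of Figs. 2 and 3

A = [[C, 0.0, -1.0],
     [0.0, 0.0, -B_FREQ],
     [0.0, B_FREQ, 0.0]]   # sigma(A) = {c, bi, -bi}, so a = 1.01 > 1

# Constructed row stochastic matrices with positive diagonals (assumed topologies).
M_A = [[1.0, 0.0, 0.0], [0.5, 0.5, 0.0], [0.0, 0.0, 1.0]]   # agent 2 hears agent 1
M_B = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.5, 0.5]]   # agent 3 hears agent 2

# Constructed initial states inside the cube [-10, 10]^3.
X0 = [[8.0, -3.0, 5.0], [-6.0, 7.0, -2.0], [1.0, -9.0, 4.0]]


def theorem1_bounds(mu, n_agents, t0, a, sample_time):
    """Return (largest admissible a, least rate (3) per step, same rate per second)."""
    gamma = 1.0 - mu ** (t0 * (n_agents - 1))
    exponent = 1.0 / ((n_agents - 1) * t0)
    a_max = gamma ** (-exponent)
    per_step = gamma ** exponent * a
    return a_max, per_step, -math.log(per_step) / sample_time


def mat_vec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def step(states, M):
    """Block i of (M kron A) x is A applied to sum_j m_ij x_j."""
    dim = len(A)
    mixed = [[sum(M[i][j] * states[j][d] for j in range(len(states)))
              for d in range(dim)] for i in range(len(states))]
    return [mat_vec(A, v) for v in mixed]


def consensus_error(states):
    """E = sqrt(sum_{i=2}^{3} |x_1 - x_i|^2), the quantity defined in Example 3."""
    return math.sqrt(sum((p - q) ** 2
                         for xi in states[1:] for p, q in zip(states[0], xi)))


def simulate(x0, steps):
    """Alternate M_A and M_B every sample; return final states and the error history."""
    states = [list(x) for x in x0]
    errors = [consensus_error(states)]
    for k in range(steps):
        states = step(states, M_A if k % 2 == 0 else M_B)
        errors.append(consensus_error(states))
    return states, errors


def empirical_rate(errors, sample_time):
    """Average exponential decay rate of E per second over the whole run."""
    return -math.log(errors[-1] / errors[0]) / ((len(errors) - 1) * sample_time)


if __name__ == "__main__":
    a_max, per_step, rate = theorem1_bounds(MU, N_AGENTS, T0, C, T_SAMPLE)
    print("admissible a < %.3f, least rate per step %.4f, per second %.3f"
          % (a_max, per_step, rate))
    final, errs = simulate(X0, 50)   # 50 samples = 10 s
    print("E(0) = %.2f, E(10 s) = %.2e, empirical rate %.2f per second"
          % (errs[0], errs[-1], empirical_rate(errs, T_SAMPLE)))
```

With these assumed topologies the measured decay rate is far above the guaranteed 0.031, the same kind of gap the chapter attributes to the conservativeness of the bound.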

3.2

Further Analysis and Extensions 1

$(1-\mu^{T_0(N-1)})^{\frac{1}{(N-1)T_0}} \cdot a$, which quantifies the least convergence rate, decreases exponentially fast as $T_0$ increases due to the term $\mu^{T_0(N-1)}$ therein. This rate can be relaxed to a quantity that decreases linearly in $T_0$ when confined to the context of undirected communication topologies (note that the undirected graph here means that in the adjacency matrix $a_{ij} > 0$ iff $a_{ji} > 0$, while the weights for edges (i, j) and (j, i) could be different), which needs the following result:

Lemma 4 (Lemma 3, Coppersmith and Wu 2008). If $S_i \in S_d(v)$, where $v \le 1$, and the graph associated with $S_i$ is undirected, then $S_1 S_2 \cdots S_k \in S_d(v^{N-1})$ for any k.

The following proposition presents the result in Theorem 1 under undirected communication topologies:

Proposition 1. Using the same control law as that in Theorem 1, if $a < (1-r)^{\frac{-1}{(N-1)T_0}}$, then all the agents reach consensus exponentially fast with the least rate of $(1-r)^{\frac{1}{(N-1)T_0}} \cdot a$, where $r = \max\{\mu^{T_0(N-1)}, \mu^{(N-1)^2}\}$. Evidently, the least convergence rate is $(1-\mu^{(N-1)^2})^{\frac{1}{(N-1)T_0}} \cdot a$ if $T_0 \ge N-1$.

Note that the condition on the communication topologies is changed to be the jointly connected communication topologies in undirected context; see, e.g., Jadbabaie et al. (2003), Ni and Cheng (2010), and Wang et al. (2008).

Proof. The proof can be completed by following exactly the same way as that for Theorem 1 with a slightly different observation that $M_{i_j} \in S_d(\mu^{(N-1)}) \cap S_d(\mu^{T_0})$, which is obtained by Lemma 4. As such $W_m \in S_d(\mu^{T_0(N-1)}) \cap S_d(\mu^{(N-1)^2})$, which in turn implies that

40 On Discrete-Time Convergence for General Linear Multi-agent. . .

$$\chi(W_m) \ge \max\{\mu^{T_0(N-1)}, \mu^{(N-1)^2}\} > 0.$$



Proposition 1 shows that for undirected communications, the upper bound for a and the convergence rate decrease linearly with the increase of $T_0$. It provides us with an intuition that there is much difference in $T_0$ between the directed and undirected frameworks. Indeed, the existence of $T_0 < +\infty$ such that all the intervals $[i_j, i_{j+1})$ are bounded by $T_0$ is very important to the convergence of system (1), (2). Moreau (2003) provides an example with $A = I_n$ and n = 1 (namely, the integrator agents) in which all the conditions in Theorem 1 are satisfied except that $i_{j+1} - i_j$ are unbounded as $j \to \infty$ (namely, such intervals are not uniformly bounded), and finally consensus cannot be achieved for the dynamical system. But the case is much different for undirected communication topology, which allows us to explore more in-depth theoretical results about the consensus behavior. See below the three cases which are analyzed under undirected communication topologies:

CASE I: Integrator agents systems (see, e.g., Jadbabaie et al. 2003, Ren and Beard 2005, and Olfati-Saber and Murray 2004) where $A = I_n$. Note in this case that $A^k$ contributes no divergence to the system, as $\|A^k\|_F = \sqrt{n}$ for any k. It follows from (6) and the derivation of (13) that

      M(k)M(k − 1) · · · M(0) − 1cT ⊗ In  F ⎛  ⎞  k    √   ⎝ = n M(j )⎠ · M(i+1 − 1) · · · M(0) − 1cT     j =i+1  F    −1  = O δ (M(i+1 − 1) · · · M(0)) ≤ O γ N−1 −1 , (14)

where as that in the proof of Theorem 1,  is the largest nonnegative number such that i+1 ≤ k − 1, thus M(k)M(k − 1) · · · M(0) → 1cT as k → ∞ since  → ∞ accordingly. As such, no uniformly bounded condition needs to be imposed on the intervals $[i_j, i_{j+1})$ for integrator agents if the communications among agents are undirected; see, for example, the work in Jadbabaie et al. (2003) in which such an assumption can be removed. But it is worth pointing out here that we can only prove the asymptotic convergence of the system; inequality (14) cannot guarantee the exponential convergence of the system since the length of interval [i , i+1 ) may increase linearly or even exponentially in .

CASE II: General linear MASs where $A \ne I_n$ but a = 1 (see Remark 2 for the case a < 1). Consensus for this case can still be reached if the length of interval $[i_j, i_{j+1})$ increases with j in a polynomial way; see, e.g., a linear case where $i_{j+1} - i_j = a_1 j + b_1$ with $a_1, b_1 > 0$. One can easily derive the convergence by noting from Lemma 3 that

$$\left\|A^{i_{j+1}}\right\|_F \le \beta (i_{j+1})^{n-1} = \beta\left[b_1 j + \tfrac{1}{2} a_1 (j^2+1)\right]^{n-1},$$

and then noting that to prove (8) it suffices to prove

$$\lim_{j\to\infty} \left[b_1 j + \tfrac{1}{2} a_1 (j^2+1)\right]^{n-1} \left(\gamma^{\frac{j-1}{N-1}-1}\right) = 0,$$

which obviously holds since exponential decay dominates the polynomial inflation.

CASE III: Such a uniformly bounded condition on the intervals cannot be removed for the linear MASs for any a > 1 even if $[i_j, i_{j+1})$ increases linearly with j, since in this case the divergence of A dominates the decay caused by the communications among agents, which will cause the divergence of the MASs. To show this point, see the following simple example: assume also $i_{j+1} - i_j = a_1 j + b_1$; then it is not difficult to find that

$$\left\|A^{i_{j+1}}\right\|_F = O\left(a^{i_{j+1}}\right) = O\left(a^{\frac{1}{2} a_1 j^2}\right),$$

the inflation of which will dominate the decay of $\delta(M_{i_j} \cdots M_{i_1})$ as $j \to \infty$ even if the latter one decays exponentially fast (see Fig. 4 for the simulation result with $a_1 = 0.1$, $b_1 = 0$).

Fig. 4 Time evolution of E(t) with c = 1.01, b = 1, and T increases linearly corresponding to CASE III in Sect. 3.2 (vertical axis: consensus error E(t); horizontal axis: t/s)
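The contrast between CASE I and CASE III can be reproduced numerically; the following Python sketch is an added example, not code from the chapter. It assumes three scalar agents with dynamics x(k+1) = a M(k) x(k), pairwise-averaging matrices M(k), and block lengths a1*j + b1 counted in steps; the initial states and all parameter values are constructed.

```python
def pair_average(x, i, j):
    """One step x -> M x where M averages agents i and j (an undirected edge)."""
    y = list(x)
    y[i] = y[j] = 0.5 * (x[i] + x[j])
    return y


def consensus_errors(a, blocks, a1, b1, x0):
    """Assumed scalar dynamics x(k+1) = a * M(k) x(k) for three agents.

    Block j lasts a1*j + b1 >= 2 steps: edge (0, 1) is active in the first
    step, edge (1, 2) in the second, and M(k) = I for the rest, so every
    block is jointly connected but its length may grow with j.
    Returns E = max(x) - min(x) at the end of each block.
    """
    x = [float(v) for v in x0]
    errors = []
    for j in range(1, blocks + 1):
        length = a1 * j + b1
        if length < 2:
            raise ValueError("each block needs at least two steps")
        # The two communication steps of the block.
        x = pair_average(pair_average(x, 0, 1), 1, 2)
        # The scalar mode a acts at every one of the `length` steps.
        x = [a ** length * v for v in x]
        errors.append(max(x) - min(x))
    return errors


X0 = [0.0, 4.0, 8.0]  # constructed initial states

# a = 1, block length grows linearly: error still vanishes (CASE I).
case_i = consensus_errors(1.0, 10, 1, 1, X0)
# a > 1, block length fixed at 2: averaging (factor 1/4) beats a**2 = 2.25.
bounded = consensus_errors(1.5, 10, 0, 2, X0)
# a > 1, block length grows linearly: growth of a wins (CASE III).
case_iii = consensus_errors(1.5, 10, 1, 1, X0)

if __name__ == "__main__":
    for name, errs in (("CASE I", case_i), ("bounded", bounded), ("CASE III", case_iii)):
        print(name, ["%.3g" % e for e in errs])
```

In the third run the error first shrinks and then grows without bound, which is the qualitative shape described for CASE III.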

4 Conclusion

In this work, we have exploited the nonnegative matrix theory, with a focus on the product properties of infinite row stochastic matrices, to deal with the convergence analysis of a class of discrete-time linear MASs. With this new approach, we have shown that consensus can be achieved exponentially fast under the weakest possible assumption on the communication topology provided that the agents are coupled via full-state information exchanges and the unstable mode of each uncoupled agent is sufficiently weak. We have also specified the least convergence rate as well as an upper bound for the strictly unstable mode.

References

K. Cai, H. Ishii, IEEE Trans. Autom. Control 56, 9 (2011)
Y. Cao, W. Ren, Int. J. Robust Nonlinear Control 20, 9 (2010)
M. Cao, A.S. Morse, B.D.O. Anderson, SIAM J. Control Optim. 47, 2 (2008)
S. Chatterjee, E. Seneta, J. Appl. Probab. 14, 89–97 (1977)
D. Coppersmith, C.W. Wu, Stat. Probab. Lett. 78, 3082–3085 (2008)
Y. Gao, L. Wang, IEEE Trans. Autom. Control 56, 5 (2011)
C. Godsil, G. Doyle (eds.), Algebraic Graph Theory (Springer, New York, 2001)
A. Jadbabaie, J. Lin, S.A. Morse, IEEE Trans. Autom. Control 48, 6 (2003)
T. Li, J.F. Zhang, IEEE Trans. Robot. Autom. 55, 9 (2010)
Z. Lin, B. Francis, M. Maggiore, SIAM J. Control Optim. 46, 1 (2007)
L. Moreau, in Proceedings of IEEE Conference on Decision Control, Maui (2003), pp. 3070–3075
W. Ni, D. Cheng, Syst. Control Lett. 59, 3–4 (2010)
R. Olfati-Saber, R.M. Murray, IEEE Trans. Autom. Control 49, 9 (2004)
J. Qin, H. Gao, IEEE Trans. Autom. Control 57, 9 (2012)
J. Qin, C. Yu, H. Gao, X. Wang, in Proceedings of IEEE Conference on Decision Control and European Control Conference, Orlando (2011a), pp. 1455–1460
J. Qin, W.X. Zheng, H. Gao, Automatica 47, 9 (2011b)
J. Qin, H. Gao, W.X. Zheng, Int. J. Robust Nonlinear Control 22, 4 (2012)
W. Ren, R.W. Beard, IEEE Trans. Autom. Control 50, 5 (2005)
Y. Su, J. Huang, Automatica 48, 9 (2012)
S. Tuna, Automatica 44, 8 (2008)
S. Tuna, IEEE Trans. Autom. Control 54, 10 (2009)
J. Wang, D. Chen, X. Hu, Asian J. Control 10, 2 (2008)
J. Wolfowitz, Proc. Am. Math. Soc. 14, 733–737 (1963)
C.W. Wu (ed.), Synchronization in Complex Networks of Nonlinear Dynamical Systems (World Scientific, Singapore, 2007)
F. Xiao, L. Wang, IEEE Trans. Autom. Control 53, 8 (2008)
W. Yu, G. Chen, M. Cao, Automatica 46, 6 (2010)

41 Distributed Consensus of Stochastic Delayed Multi-agent Systems Under Asynchronous Switching

Xiaotai Wu, Yang Tang, Jinde Cao, and Wenbing Zhang

Contents
1 Introduction
2 Preliminaries
3 Main Results
4 Numerical Examples
4.1 Appendix: Proofs
5 Conclusion
References

Abstract In this chapter, the distributed exponential consensus of stochastic delayed multi-agent systems with nonlinear dynamics is investigated under asynchronous switching. The asynchronous switching considered here is to account for the time of identifying the active modes of multi-agent systems. After receipt of confirmation of mode's switching, the matched controller can be applied, which means that the switching time of the matched controller in each node usually lags behind that of system switching. In order to handle the coexistence of switched signals and stochastic disturbances, a comparison principle of stochastic switched delayed systems is firstly proved. By means of this extended comparison principle, several easy-to-verify conditions for the existence of an asynchronously switched distributed controller are derived such that stochastic delayed multi-agent systems with asynchronous switching and nonlinear dynamics can achieve global exponential consensus. Two examples are given to illustrate the effectiveness of the proposed method.

X. Wu
The School of Mathematics and Physics, Anhui Polytechnic University, Wuhu, China

Y. Tang
The Key Laboratory of Advanced Control and Optimization for Chemical Processes, Ministry of Education, East China University of Science and Technology, Shanghai, China

J. Cao
School of Mathematics, Southeast University, Nanjing, China

W. Zhang
Department of Mathematics, Yangzhou University, Jiangsu, China

© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_26

Keywords Consensus · Multi-agent systems · Switched systems · Asynchronous switching · Comparison principle

1 Introduction

Over the past few years, complex networks and/or multi-agent systems have received much attention due to their extensive applications in both science and engineering, such as food webs, ecosystems, metabolic pathways, the Internet, World Wide Web, social networks, and global economic markets. In particular, the dynamical behaviors of complex networks and/or multi-agent systems have recently gained increasing research interests (Seifzadeh et al. 2015; Carboni et al. 2014; Sabattini et al. 2014; Vasilakos et al. 1998; Liu et al. 2012; Li et al. 2013; Tang et al. 2013a, 2014a; Khan et al. 2012). Among them, the study on synchronization or consensus problem of multi-agent systems has been an active research topic in the past few years (Tang et al. 2013b, 2014b, c; Zhao et al. 2009; Zhou et al. 2012; Zhang et al. 2014; Meng et al. 2013; Shi et al. 2013), since coordination phenomena have been found in both natural and man-made systems, such as fireflies in the forest, applause, description of hearts, distributed computing systems, and so on. Time-delay phenomena in spreading information through large-scale networked systems are ubiquitous in natural and technical societies because of the finite speed of signal transmission over links as well as networked traffic congestions. Moreover, in the process of signal transmission among networks, the nodes are often subject to stochastic perturbations which arise from external random fluctuations in the process of transmission and other probabilistic factors. Recently, consensus of multi-agent systems with time delays and/or stochastic distributions has been extensively studied in the literature (Wei et al. 2010; Zhao et al. 2011; 2012a; Wu et al. 2014a). Multi-agent systems and/or complex networks often have a switching topology due to link failures or a new creation, and such networks appear in many practical situations, such as communication networks (Zhao et al. 
2009), power grids (Maia and Goncalves 2008), and many other fields. In addition, since the parameters of each node in networks could be time varying, switching behaviors can take place in dynamics of nodes as well as in the topology. When the network topology and nodes are modeled in a switched way, multi-agent systems or complex networks under consideration can be described and analyzed by the switching theory (Zhao et al. 2009; Liberzon 2003; Tang et al. 2015; Liu et al. 2010; Lu et al. 2009; Wu et al. 2014b, c). For example, the locally and globally exponential synchronization was investigated for a class of networks with a switching topology and time-varying coupling delays in (Liu et al. 2010). In (Liu et al. 2009), the stability and synchronization problems have been addressed for a class of discrete-time neural networks with mode-dependent mixed time delay and Markovian jumping switching.

For switched systems, the mode-dependent control is usually designed such that the resulting system is stable and satisfies certain performance indices, which is less conservative than the mode-independent control (Xie and Wang 2005; Zhao et al. 2012b; Zhang et al. 2011). It is worth mentioning that there always exists a lag between the system switching and the switching of a mode-dependent controller (Zhao et al. 2012b; Lin and Antsaklis 2009; Zhang and Gao 2010). In practice, it inevitably takes some time to identify the system modes, and then the matched controller can be applied (Lin and Antsaklis 2009). Thus, there exists asynchronous switching in actual operations of consensus or stabilization of switched multi-agent systems due to networked environments, which indicates that the time of the mode-dependent control switching lags behind the system modes' switching.

Summarizing the above discussions, up to now, almost all the research efforts on synchronization and/or consensus of switched networks have been devoted to networks without feedback control (Zhao et al. 2009; Liu et al. 2010) or with only synchronous switching (Lu et al. 2009). As mentioned above, however, little attention has been paid to consensus of multi-agent systems with asynchronously switching control despite its great importance in both theoretical and practical aspects, mainly due to the mathematical complexity in analyzing switching signals in such a large-scale network via an asynchronous way. Therefore, the main purpose of this paper is to investigate the distributed exponential consensus of stochastic switched multi-agent systems with asynchronous switching. The difficulties reside in several aspects: how to study consensus of multi-agent systems with asynchronous switching, which has not been addressed so far? How to mathematically extend asynchronously switching control to the case of stochastic systems instead of usual deterministic systems? Is it possible for us to tackle different types of time delays in both asynchronously switching control and internal state at the same time? Can we establish some easily verified conditions to ensure the mean square consensus of stochastic delayed multi-agent systems with asynchronous switching?

In order to answer these questions, we firstly develop a comparison principle of stochastic delayed systems with switching parameters. Based on this extended comparison principle, the distributed exponential consensus problem is investigated for stochastic delayed multi-agent systems with asynchronous switching by using the average dwell time approach and stochastic analysis techniques. The contributions of this paper are summarized as follows: (1) the distributed exponential consensus of stochastic delayed multi-agent systems with asynchronous switching is dealt with. The model (or the controller) considered here is more general and encompasses some recently well-studied results of switched networks (multi-agent systems) or networked control systems (Zhao et al. 2009; Liu et al. 2010; Lu et al. 2009). (2) A new consensus criterion of stochastic delayed multi-agent systems with asynchronous switching is obtained by assuming that the ratio of the total time running on unmatched control and matched control is less than an upper bound, and this assumption is less conservative than the restriction given in (Zhang and Gao 2010; Wang et al. 2013a). (3) The comparison principle for stochastic switched systems is firstly presented to deal with the consensus analysis of stochastic delayed multi-agent systems with asynchronous switching, which can make the derivation easy to follow and understand. (4) The results developed here are not confined to multi-agent systems and can be easily extended to networked control systems (Zhao et al. 2012b; Lin and Antsaklis 2009; Wei et al. 2011), which show the applicability of our results to other kinds of control systems.

The rest of this paper is organized as follows: In section "Preliminaries", the model of stochastic delayed multi-agent systems with asynchronous switching is presented, together with some notations, definitions, and lemmas. In section "Main Results", several criteria are obtained to ensure the mean square consensus of stochastic delayed multi-agent systems with asynchronous switching. Finally, two simulation examples are given to illustrate the effectiveness of our results.

Notations Throughout this paper, $\mathbb{R}^+$ and $\mathbb{R}^n$ denote, respectively, the set of nonnegative real numbers and the n-dimensional Euclidean space. Let $\mathbb{N}^+$ be the set of positive integers and $I_n$ denote the n-dimensional identity matrix. For $x \in \mathbb{R}^n$, $x^T$ denotes its transpose. The vector norm is defined as $\|x\| = \sqrt{x^T x}$. For a matrix $A \in \mathbb{R}^{n \times n}$, $\|A\| = \sqrt{\lambda_{\max}(A^T A)}$, where $\lambda_{\max}(\cdot)$ (resp., $\lambda_{\min}(\cdot)$) represents the largest (resp., the smallest) eigenvalue; the notation A > 0 means that A is a real symmetric and positive definite matrix. Moreover, let $(\Omega, \mathcal{F}, \{\mathcal{F}_t\}, P)$ be a complete probability space with filtration $\{\mathcal{F}_t\}_{t \ge t_0}$ satisfying the usual conditions (i.e., the filtration contains all P-null sets and is right continuous). Denote by $C([-\tau, 0]; \mathbb{R}^n)$ the family of continuous functions $\varphi$ from $[-\tau, 0]$ to $\mathbb{R}^n$ with norm $\|\varphi\| = \sup_{-\tau \le \theta \le 0} \|\varphi(\theta)\|$. Let $L^2_{\mathcal{F}_{t_0}}([-\tau, 0]; \mathbb{R}^n)$ be the family of all $\mathcal{F}_{t_0}$-measurable $C([-\tau, 0]; \mathbb{R}^n)$-valued random variables $\xi = \{\xi(s) : -\tau \le s \le 0\}$ such that $\sup_{-\tau \le s \le 0} E|\xi(s)|^2 < \infty$, where $E\{\cdot\}$ stands for the mathematical expectation operator with respect to the given probability measure P. The Dini derivative of $\psi(t)$ is defined as $D^+\psi(t) = \limsup_{s \to 0^+} (\psi(t+s) - \psi(t))/s$.

2 Preliminaries

In this section, some preliminaries including model formulation, lemmas, and definitions are presented. Consider the following stochastic delayed multi-agent system with nonlinear dynamics consisting of N linearly coupled nodes:

$$dx_i(t) = \Big[A_{\sigma(t)} x_i(t) + f_{\sigma(t)}(t, x_i(t), x_i(t-\tau(t))) + \sum_{j=1}^{N} b_{ij}^{\sigma(t)} x_j(t-\tau(t))\Big]dt + g_{\sigma(t)}\big(t, x_j(t), x_j(t-\tau(t))\big)\,d\omega(t), \qquad (1)$$

where $i = 1, 2, \ldots, N$, $x_i = [x_{i1}, x_{i2}, \ldots, x_{in}]^T \in \mathbb{R}^n$ is the state vector of the ith node; $\sigma(t) : [t_0, \infty) \to \Gamma = \{1, 2, \ldots, m\}$ is a piecewise constant function depending on t, continuous from the right, specifying the index of the active subsystem, i.e., $\sigma(t) = k_n \in \Gamma$ for $t \in [t_n, t_{n+1})$, where $t_n$ is the nth switching time instant; $A_r$ is a constant matrix, $r \in \Gamma$; the time delay $\tau(t)$ may be unknown but bounded, i.e., $0 \le \tau(t) \le \tau$; $\omega(t)$ is a Wiener process defined on $(\Omega, \mathcal{F}, \{\mathcal{F}_t\}_{t \ge 0}, P)$; $\omega_i(t)$ is independent of $\omega_j(t)$ for $i \ne j$; $g : \mathbb{R}^+ \times \mathbb{R}^n \times \mathbb{R}^n \to \mathbb{R}^n$ is the noise intensity function matrix; and $f_r = [f_{r1}, f_{r2}, \ldots, f_{rn}] : \mathbb{R}^+ \times \mathbb{R}^n \times \mathbb{R}^n \to \mathbb{R}^n$ is a continuous map function. $B_r = (b_{ij}^r) \in \mathbb{R}^{N \times N}$ is the coupling matrix, where $b_{ij}^r$ is defined as follows: if there is a connection from node j to node i ($j \ne i$), then the coupling strength $b_{ij}^r \ge 0$; otherwise $b_{ij}^r = 0$. For i = j, $b_{ii}^r$ is defined by

$$b_{ii}^r = -\sum_{j=1, j \ne i}^{N} b_{ij}^r.$$

The initial conditions of the stochastic switched delayed multi-agent system in (1) are assumed to be $x_i(t) = \xi_i(t)$, $t_0 - \tau \le t \le t_0$, $i = 1, 2, \ldots, N$, where $\xi_i(t) \in L^2_{\mathcal{F}_{t_0}}([-\tau, 0], \mathbb{R}^n)$. In this paper, we consider the distributed controller adopting the following form

$$u_i^{\sigma(t)}(t) = K_{\sigma(t-h(t))} \sum_{j=1}^{N} b_{ij}^{\sigma(t)} x_j(t-\tau(t)),$$

where $K_r$, $r \in \Gamma$, is the feedback gain to be determined and h(t) is the time delay to describe the lag between the switching of feedback control and the switching of system modes, and $0 \le h(t) \le \tau$. When $K_{\sigma(t-h(t))}$ coincides with the system mode, $u_j^{\sigma(t)}(t)$ is called a matched distributed controller; otherwise, it is called an unmatched distributed controller. Hence, the resulting closed-loop stochastic delayed multi-agent system with asynchronously switching control is given by

$$dx_i(t) = \Big[A_{\sigma(t)} x_i(t) + f_{\sigma(t)}(t, x_i(t), x_i(t-\tau(t))) + K_{\sigma(t-h(t))} \sum_{j=1}^{N} b_{ij}^{\sigma(t)} x_j(t-\tau(t))\Big]dt + g_{\sigma(t)}(t, x_i(t), x_i(t-\tau(t)))\,d\omega(t). \qquad (2)$$

Remark 1 In this paper, we investigate the consensus of stochastic delayed multi-agent systems with asynchronous switching control. A distributed controller is introduced to achieve coordination among agents. It is natural to extend our results to force the states of networks to a desired state, such as an equilibrium, a periodic state and a chaotic state, by employing the techniques in leader-following problems (Zhang et al. 2014; Hong et al. 2006).

Remark 2 The differences between this paper and (Zhao et al. 2012b; Zhang et al. 2011; Zhang and Gao 2010; Wang et al. 2013a, b) mainly reside in model, research problem, and method. The comparisons are given as follows: (1) the model considered here is more general than in (Zhao et al. 2012b; Zhang et al. 2011; Zhang and Gao 2010; Wang et al. 2013a, b). In this paper, both stochastic disturbances and time delays are considered for switching networks. It is worth mentioning that stochastic disturbances were overlooked in (Zhao et al. 2012b; Zhang et al. 2011; Zhang and Gao 2010; Wang et al. 2013a, b) and time delays were not considered in (Zhao et al. 2012b; Zhang et al. 2011; Zhang and Gao 2010; Wang et al. 2013b). (2) The research problem is also different. In this paper, we investigate the consensus of stochastic delayed multi-agent systems by an asynchronous feedback controller. The exponential stability (Zhao et al. 2012b; Zhang et al. 2011; Zhang and Gao 2010; Wang et al. 2013a) and input-to-state stability (Wang et al. 2013b) were provided for systems with asynchronous switching, respectively. (3) Since the model and the research problem are distinct from (Zhao et al. 2012b; Zhang et al. 2011; Zhang and Gao 2010; Wang et al. 2013a, b), the methods are also different. In this paper, a comparison principle for stochastic switched systems is firstly presented to deal with the consensus of stochastic delayed multi-agent systems under asynchronous control, which differentiates from the techniques adopted in (Zhao et al. 2012b; Zhang et al. 2011; Zhang and Gao 2010; Wang et al. 2013a, b).

Remark 3 The feedback-gain switching is important from two aspects. Firstly, the feedback-gain switching can reduce the quadratic continuous-time cost functional $J = \int_0^T \left[u^T(s) P u(s) + x^T(s) Q x(s)\right] ds$. Secondly, as illustrated in this paper and (Zhao et al. 2012b; Zhang and Gao 2010; Wang et al. 2013b), the unmatched feedback controller may deteriorate the system's performance and even destroy the stability. For example, if the coupling matrix switches between repulsive and attractive coupling, which can be observed in communication networks (Shi et al.

2013), the feedback-gain switching is useful to achieve consensus by appropriately designing K. Example 2 in simulations will be provided to illustrate this point. Based on these two aspects, it is important to investigate the feedback-gain switching. For more results regarding the importance of the feedback-gain switching, please refer to (Zhao et al. 2012b; Zhang and Gao 2010; Wang et al. 2013b) and the references therein.

Remark 4 Stochastic switched systems constitute an important generalization of non-stochastic hybrid dynamical systems, for which significant breakthroughs in the stability theory have been carved out over the last decade (Teel et al. 2014). In order to deal with the stability of stochastic switched delayed systems, an extended comparison principle for stochastic switched delayed systems is presented in Lemma 2, which shows its importance in our proof and can be used in general stochastic switched delayed systems. For more details regarding the challenge of stochastic systems, please refer to the recent review (Teel et al. 2014) and the references therein.

The following definitions, assumptions, and lemmas are needed for deriving the main results.

Definition 1 The stochastic delayed multi-agent system with asynchronous switching and nonlinear dynamics in (2) is said to achieve exponential consensus in mean square if there exist $\lambda > 0$ and $M_0 > 0$ such that, for any initial values $\xi_j(s)$, $E\|x_i(t) - x_j(t)\| \le M_0 e^{-\lambda(t-t_0)}$ holds for all $t \ge t_0$ and for any $i, j = 1, 2, \ldots, N$.

Definition 2 (Hespanha and Morse 1999) For a switching signal $\sigma(t)$ and any $t > t_0$, let $N(t, t_0)$ be the switching numbers of $\sigma(t)$ over the interval $[t_0, t)$. If

$$N(t, t_0) \le \frac{t - t_0}{T_a} + N_0,$$

for $N_0 \ge 0$, $T_a > 0$, then $T_a$ and $N_0$ are called the average dwell time and the chatter bound, respectively.

Assumption 1 There exist positive constants ρ 1r , ρ 2r , ρ 1r and ρ 2r such that

$$\|f_r(t, x_1, y_1) - f_r(t, x_2, y_2)\| \le \rho_{1r}\|x_1 - x_2\| + \rho_{2r}\|y_1 - y_2\|, \qquad (3)$$

and

$$\operatorname{trace}\left\{[g_r(t, x_1, y_1) - g_r(t, x_2, y_2)]^T [g_r(t, x_1, y_1) - g_r(t, x_2, y_2)]\right\} \le \rho_{1r}\|x_1 - x_2\|^2 + \rho_{2r}\|y_1 - y_2\|^2, \qquad (4)$$

for any $x_1, x_2, y_1, y_2 \in \mathbb{R}^n$ and $t \in [t_0, +\infty)$.

Lemma 1 (Guan et al. 2010) Let $U = (a_{ij})_{N \times N}$, $P \in \mathbb{R}^{n \times n}$, $x = [x_1^T, x_2^T, \ldots, x_N^T]^T$ and $y = [y_1^T, y_2^T, \ldots, y_N^T]^T$ with $x_k, y_k \in \mathbb{R}^n$ ($k = 1, 2, \ldots, N$). If $U = U^T$ and each row sum of U is zero, then

$$x^T (U \otimes P)\, y = -\sum a_{ij} (x_i - x_j)^T (y_i - y_j).$$

1≤i 1 such that

$$\begin{cases} D^+ EV(t, \sigma(t)) \le \lambda_1(t) EV(t, \sigma(t)) + \lambda_2 EV(t - \tau(t), \sigma(t - \tau(t))), & t \ne t_n,\ t \ge t_0, \\ EV(t_k, \sigma(t_k)) \le \mu EV(t_k^-, \sigma(t_k^-)), & k \in \mathbb{N}, \end{cases} \qquad (6)$$

and

$$\begin{cases} D^+ v(t) > \lambda_1(t) v(t) + \lambda_2 v(t - \tau(t)), & t \ne t_n,\ t \ge t_0, \\ v(t_k) = \mu v(t_k^-), & k \in \mathbb{N}, \end{cases} \qquad (7)$$

then $EV(t, \sigma(t)) \le v(t)$, $t \in [t_0 - \tau, t_0]$, implies that $EV(t, \sigma(t)) \le v(t)$ for $t \ge t_0$.

Proof See the Appendix.

Remark 5 In this paper, the extended comparison principle of stochastic switched systems will be employed to investigate the distributed exponential consensus of stochastic delayed multi-agent systems with asynchronous switching. Usually, the comparison principle (Yang and Xu 2007) is used to study the stability of deterministic dynamical systems with impulsive effects (Guan et al. 2010). Different from (Guan et al. 2010; Yang and Xu 2007), we extend the comparison principle

into the case of stochastic switched systems, and thus the comparison principle for deterministic systems is generalized to stochastic switched systems (Wu et al. 2014b).

Before giving the main results of consensus of multi-agent systems, we need a technical lemma which plays an implemental role in proving the distributed exponential consensus for the multi-agent system in (2). For the stochastic delayed multi-agent system with asynchronous switching in (2), if the effect brought by unmatched control is finally compensated by matched control, then the multi-agent system in (2) can achieve consensus. Thus, it is crucial to guarantee that there exists enough active time of stochastic delayed multi-agent systems with matched control. In the following lemma, a restriction is put on the activation time of unmatched control and matched control, which is important to present our main results.

Lemma 3 Suppose there exists a function $V(t, \sigma(t)) \in C^{1,2}$ and positive constants $\alpha, \beta, \gamma, c, \mu > 1$, $\lambda_{2k_n}$, $k_n \in \Gamma$ such that

$$\mathcal{L}V(t, k_n) \le \begin{cases} \beta V(t, k_n) + \lambda_{2k_n} V(t - \tau(t), k_n), & t \in T_U(t_n, t_{n+1}), \\ -\alpha V(t, k_n) + \lambda_{2k_n} V(t - \tau(t), k_n), & t \in T_M(t_n, t_{n+1}),\ n \in \mathbb{N}, \end{cases} \qquad (8)$$

$$V(t, r) \le \mu V(t, l), \quad \forall r, l \in \Gamma,\ r \ne l, \qquad (9)$$

$$T_a > \frac{\ln \mu}{\gamma - \eta\lambda_2} > 0, \qquad (10)$$

$$EV(t, r) \le cE\|\xi\|^2, \quad t \in [t_0 - \tau, t_0],\ r \in \Gamma, \qquad (11)$$

and

$$-\alpha T_M(t, s) + \beta T_U(t, s) \le -\gamma(t - s) + (\gamma + \beta)\tau_b, \quad t > s > t_0. \qquad (12)$$

Then

$$EV(t, \sigma(t)) \le M e^{-\lambda(t - t_0)}, \quad t \ge t_0,$$

where $\lambda$ is the unique positive solution of the equation $\lambda + \eta\lambda_2 e^{\lambda\tau} - \lambda_3 = 0$, $\lambda_2 = \max_{k_n \in \Gamma}\{\mu\lambda_{2k_n}\}$, $\lambda_3 = \gamma - \frac{\ln \mu}{T_a}$, $\eta = e^{(\gamma+\beta)\tau_b}$ and $M = \eta c E\|\xi\|^2$.

Proof See the Appendix.

Remark 6 Condition (12) is inspired by the assumption $\frac{T_U(t, t_0)}{T_M(t, t_0)} \le \frac{\alpha - \gamma}{\beta + \gamma}$ in (Zhai et al. 2000). However, for $t > s \ge t_0$, $\frac{T_U(t, s)}{T_M(t, s)} \le \frac{\alpha - \gamma}{\beta + \gamma}$ is not true for the case $T_M(t, s) = 0$. In (12), $(\gamma + \beta)\tau_b$ is added to guarantee that (12) is still true when $T_M(t, s) = 0$. It is worth mentioning that (12) is easy to satisfy. For example, let the ratio of all active time of matched control $T_M(t, s)$ and all active time of unmatched control $T_U(t, s)$ be less than $\frac{\alpha - \gamma}{\beta + \gamma}$, and the maximum active time of multi-agent systems with unmatched control be less than $\tau_b$. Then (12) holds. The similar assumption can be found in Theorem 2 of (Muller and Liberzon 2012).

In the following, Theorem 1 is presented to ensure the consensus of the stochastic delayed multi-agent system with asynchronous switching in (2).

Theorem 1 Under Assumption 1, if for any $r, l \in \Gamma$, $l \ne r$, there exist matrices $P_r > 0$, $K_r$ and positive constants $\alpha, \beta, \upsilon_{1r}, \upsilon_{2r}, \gamma, \mu > 1$ such that

$$2P_r A_r + 2P_r + 2\rho_{1r} I - 2NB(i, j)U_l + \upsilon_{2r}\rho_{1r} - \beta P_r < 0, \quad t \in T_U(t_{n+1}, t_n), \qquad (13)$$

$$2P_r A_r + 2P_r + 2\rho_{1r} I - 2NB(i, j)U_r + \upsilon_{2r}\rho_{1r} + \alpha P_r < 0, \quad t \in T_M(t_{n+1}, t_n), \qquad (14)$$

$$P_r \le \mu P_l, \qquad (15)$$

$$\upsilon_{1r} I \le P_r \le \upsilon_{2r} I, \qquad (16)$$

$$T_a > \frac{\ln \mu}{\gamma - \eta\lambda_2} > 0, \qquad (17)$$

$$-\alpha T_M(t, s) + \beta T_U(t, s) \le -\gamma(t - s) + (\gamma + \beta)\tau_b, \quad t > s > t_0, \qquad (18)$$

where $\lambda_2 = \max_{r \in \Gamma} \mu\left(\frac{2\rho_{2r}}{\upsilon_{1r}} + \frac{\upsilon_{2r}}{\upsilon_{1r}}\rho_{2r}\right)$. Then the stochastic delayed multi-agent system in (1) achieves consensus by feedback control gain $K_r = P_r^{-1} U_r$.

Proof See the Appendix.

Remark 7 When the feedback control is synchronous with system switching, Theorem 1 becomes the consensus criterion of multi-agent systems with synchronously switching control. In model (2), the switchings are assumed to exist not only in nodes but also in topology, and stochastic disturbances are also considered. Thus, the model (or the controller) here is more general than the models considered in (Zhao et al. 2009; Liu et al. 2010; Lu et al. 2009). On the other hand, the stability of switched stochastic systems without time delay was investigated in (Wei et al. 2011), and the method used in (Wei et al. 2011) can hardly be used to examine

switched stochastic systems with time delays. Obviously, the comparison principle for stochastic switched systems presented in this paper can be utilized to study the stability of switched stochastic systems with time delays. Different from (Wu et al. 2014b), here we investigate the consensus of large-scale multi-agent systems with state feedback control, in which the control implementation is asynchronous, whereas (Wu et al. 2014b) examines the stability of uncoupled neural networks without controller design, not to mention that the asynchronous controller is also included.

Remark 8 Note that in the case of $b_{ij}^{\sigma(t)} = 0$ for $\sigma(t) \in \Gamma$, the stochastic delayed multi-agent system with asynchronous switching in (2) is uncoupled, and the dynamics of each single node is independent of the other nodes. Hence, by means of Theorem 1, sufficient conditions can be obtained to guarantee the global exponential stability for each single node with asynchronous switching. The stability of switched systems with asynchronous switching was studied in (Zhao et al. 2012b; Zhang and Gao 2010). However, in these papers, time delays and stochastic disturbances are not considered.

We can design a procedure for the results obtained in Theorem 1 as the following:

Step 1: Input matrices $A_k$, $B_k$ and constants ρ 1k , ρ 2k , ρ 1k and μ, ρ 2k , $k \in \Gamma$.
Step 2: Solve the LMI conditions in (28, 29, 30, and 31) to obtain the constants $\alpha, \beta, \upsilon_{11}, \upsilon_{12}, \upsilon_{21}, \upsilon_{22}$ and the matrices $U_r$ and $P_r^{-1}$. Get the feedback control gain $K_r = P_r^{-1} U_r$.
Step 3: Check whether the switching rule satisfies the conditions (32) and (33) or not. Then the stochastic delayed multi-agent system in (1) achieves consensus by feedback control gain $K_r = P_r^{-1} U_r$.
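Step 3 of the procedure, together with Definition 2 and Lemma 3, can be automated; the following Python sketch is an added example, not code from the chapter. It checks the window condition (12)/(18) over a finite horizon, computes the smallest chatter bound $N_0$ for a given $T_a$, and solves $\lambda + \eta\lambda_2 e^{\lambda\tau} - \lambda_3 = 0$ by bisection. The switching instants, the controller lag and every parameter value are constructed for illustration, and the unmatched intervals are assumed not to overlap.

```python
import math
from itertools import combinations


def unmatched_intervals(switch_times, lag, t_end):
    """Controller mode lags each system switch t_n by `lag`, so the control is
    unmatched on [t_n, t_n + lag). Intervals are assumed not to overlap."""
    return [(t, min(t + lag, t_end)) for t in sorted(switch_times) if t < t_end]


def active_times(unmatched, s, t):
    """Return (T_U, T_M): time under unmatched / matched control on [s, t)."""
    t_u = sum(max(0.0, min(t, e) - max(s, b)) for b, e in unmatched)
    return t_u, (t - s) - t_u


def check_window_condition(unmatched, t0, t_end, alpha, beta, gamma, tau_b, tol=1e-9):
    """Check -alpha*T_M + beta*T_U <= -gamma*(t-s) + (gamma+beta)*tau_b on [t0, t_end].

    Both sides are piecewise linear in s and t, so it is enough to test the
    windows whose ends are breakpoints of the schedule.
    Returns (holds, (smallest_slack, s, t)).
    """
    points = {t0, t_end}
    for b, e in unmatched:
        points.update(p for p in (b, e) if t0 <= p <= t_end)
    worst = None
    for s, t in combinations(sorted(points), 2):
        t_u, t_m = active_times(unmatched, s, t)
        slack = (-gamma * (t - s) + (gamma + beta) * tau_b) - (-alpha * t_m + beta * t_u)
        if worst is None or slack < worst[0]:
            worst = (slack, s, t)
    return worst[0] >= -tol, worst


def min_chatter_bound(switch_times, t0, T_a):
    """Smallest N0 with N(t, t0) <= (t - t0)/T_a + N0 for all t > t0 (Definition 2)."""
    gaps = [k - (t - t0) / T_a for k, t in enumerate(sorted(switch_times), 1)]
    return max([0.0] + gaps)


def decay_rate(gamma, beta, tau_b, mu, T_a, lam2, tau, iters=200):
    """Solve lam + eta*lam2*exp(lam*tau) - lam3 = 0 for the rate in Lemma 3.

    Returns None when T_a > ln(mu)/(gamma - eta*lam2) > 0 fails, i.e. when
    lam3 <= eta*lam2 and no positive root exists.
    """
    eta = math.exp((gamma + beta) * tau_b)
    lam3 = gamma - math.log(mu) / T_a
    if lam3 <= eta * lam2:
        return None
    lo, hi = 0.0, lam3  # F(0) < 0 < F(lam3), and F is increasing
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if mid + eta * lam2 * math.exp(mid * tau) - lam3 < 0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


# Constructed parameters and schedules (not the chapter's Example 1 values).
P = dict(alpha=2.0, beta=0.5, gamma=1.0, tau_b=0.25)
slow = [1.0, 2.0, 3.0, 4.0, 5.0]  # one system switch per time unit
fast = [1.0, 1.4, 1.8, 2.2, 2.6]  # same controller lag, switches 0.4 apart
ok_slow, worst_slow = check_window_condition(unmatched_intervals(slow, 0.2, 6.0), 0.0, 6.0, **P)
ok_fast, worst_fast = check_window_condition(unmatched_intervals(fast, 0.2, 6.0), 0.0, 6.0, **P)
rate = decay_rate(1.0, 0.5, 0.25, mu=1.2, T_a=1.0, lam2=0.4, tau=0.5)
```

Both schedules keep the controller lag below $\tau_b$, yet only the slow one passes: in the fast schedule the unmatched time accumulates faster than the matched time can compensate, which is the ratio requirement discussed in Remark 6.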

4 Numerical Examples

In this section, two examples are given to illustrate the result in the previous section.

Example 1 Consider the following stochastic delayed multi-agent system with four nodes:

$$dx_i(t) = \Big[A_{\sigma(t)} x_i(t) + f_{\sigma(t)}(t, x_i(t), x_i(t-\tau(t))) + K_{\sigma(t-h(t))} \sum_{j=1}^{N} b_{ij}^{\sigma(t)} x_j(t-\tau(t))\Big]dt + g_{\sigma(t)}(t, x_i(t), x_i(t-\tau(t)))\,d\omega(t), \tag{19}$$


where i = 1,2,3,4, σ (t) ∈ Γ = {1, 2}. Let fr (t, xi (t), xi (t − τ (t))) = D1r h (xi (t)) + D2r h(xi (t − τ (t))),   0 xi (t) , gr (t, xi (t), xi (t − τ (t))) = 0.3 0 xi (t − τ (t)) and 

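$$A_1 = \begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix}, \quad A_2 = \begin{bmatrix} 1.1 & 0 \\ 0 & 1.1 \end{bmatrix},$$

$$D_{11} = D_{12} = \begin{bmatrix} 2 & -0.1 \\ -5 & 3.2 \end{bmatrix}, \quad D_{21} = D_{22} = \begin{bmatrix} -1.6 & -0.1 \\ -0.26 & -2.5 \end{bmatrix},$$

$$B_1 = B_2 = \begin{bmatrix} -0.36 & 0.12 & 0.12 & 0.12 \\ 0.24 & -0.72 & 0.24 & 0.24 \\ 0.12 & 0.12 & -0.36 & 0.12 \\ 0.06 & 0.06 & 0.06 & -0.18 \end{bmatrix},$$

where $h(x_i(t)) = (\tanh(x_{i1}(t)), \tanh(x_{i2}(t)))$, $\tau(t) = \frac{e^t}{1+e^t}$. By using this set of parameters, the subsystem exhibits chaotic behaviors (Lu 2002).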

Step 1: Input constant μ = 1.002 and matrices $A_1$, $A_2$, $B_1$ and $B_2$. It can be obtained that ρ 11 = ρ 12 = 0.1419, ρ 21 = ρ 22 = 0.0618, ρ 1r = ρ 2r = 0.09.

Step 2: By solving LMIs (13, 14, 15, and 16), we get constants α = 1.5, β = 0.25, υ21 = 0.6945, υ22 = 0.7532, υ11 = 0.2602, υ12 = 0.3134, and matrices

$$K_1 = \begin{bmatrix} 49.4143 & 0 \\ 0 & 49.4143 \end{bmatrix}, \quad K_2 = \begin{bmatrix} 97.5356 & 0 \\ 0 & 97.5356 \end{bmatrix}.$$

It can be derived that $\lambda_2 = 0.7152$.

Step 3: Suppose that the ratio of stochastic delayed multi-agent systems with matched control to unmatched control is 3:1. Set γ = 1.1 and $\tau_b = 0.15$, which yields that η = e1.15 = 1.3002 and $T_a > \frac{\ln \mu}{\gamma - \eta\lambda_2} = 0.0154$. Conditions (32) and (33) hold. Thus, the stochastic delayed multi-agent system in (19) is said to achieve consensus. Figures 2 and 3 depict the state trajectories of subsystems 1 and 2, respectively. We set that the stochastic delayed multi-agent system in (19) runs on each subsystem with period 0.6 s, and each subsystem runs with unmatched control in the first 0.15 s and then runs with matched control in the following 0.45 s. Figure 4 shows

Fig. 2 State trajectories of subsystem 1 of Example 1 (axes: x1(t), x2(t))

state trajectories  of xij , and Fig. 5 depicts the time response of consensus error n N  2   x1i − xj i . E(t) = N1 i=1

j =1

Example 2 Consider the following stochastic delayed multi-agent system with 20 nodes:

$$dx_i(t) = \Big[A_{\sigma(t)} x_i(t) + f_{\sigma(t)}(t, x_i(t), x_i(t-\tau(t))) + k_{\sigma(t)} K_{\sigma(t-h(t))} \sum_{j=1}^{N} b_{ij}^{\sigma(t)} x_j(t-\tau(t))\Big]dt + g_{\sigma(t)}(t, x_i(t), x_i(t-\tau(t)))\,d\omega(t), \tag{20}$$

where $i = 1, 2, \cdots, 20$, $\sigma(t) \in \Gamma = \{1, 2\}$, $k_1 = 1$, $k_2 = -1$ and

Fig. 3 State trajectories of subsystem 2 of Example 1 (axes: x1(t), x2(t))



$$A_1 = -\begin{bmatrix} 3 & 0 \\ 0 & 2 \end{bmatrix}, \quad A_2 = -\begin{bmatrix} 0.5 & 0 \\ 0 & 1 \end{bmatrix},$$

$$B_1 = B_2 = 0.12 * \begin{bmatrix} -20 & 1 & 1 & \ldots & 1 \\ 1 & -20 & & \ldots & 1 \\ & & \ldots & & \\ 1 & 1 & 1 & \ldots & 1 \\ 1 & 1 & 1 & \ldots & -20 \end{bmatrix}_{20 \times 20},$$

where $k_1 = 1$, $k_2 = -1$ are coefficients, which can be absorbed into the coupling matrix to represent attractive and repulsive coupling, respectively. This model is slightly different from (2), and it is easy to get the corresponding conditions from Theorem 1. Other matrices are defined the same as in Example 1.

Step 1: Input constant μ = 1.002 and matrices $A_1$, $A_2$, $B_1$ and $B_2$. It can be obtained that ρ 11 = ρ 12 = 0.1419, ρ 21 = ρ 22 = 0.0618, ρ 1r = ρ 2r = 0.09.

Step 2: By solving LMIs (13, 14, 15, and 16), we get constants α = 1.5, β = 0.25, υ21 = 1.8448, υ22 = 1.8450, υ11 = 1.5339, υ12 = 1.5342, and matrices

$$K_1 = \begin{bmatrix} 2.0835 & 0 \\ 0 & 2.7089 \end{bmatrix}, \quad K_2 = \begin{bmatrix} -4.1663 & 0 \\ 0 & -3.5409 \end{bmatrix}.$$

Fig. 4 State trajectories of xij of Example 1 (axes: t, xij)

It can be derived that $\lambda_2 = 0.1892$.

Step 3: Suppose that the ratio of stochastic delayed multi-agent systems with matched control to unmatched control is 4:1. Set γ = 1.1 and $\tau_b = 1$, which yields that η = 5.7546 and $T_a > \frac{\ln \mu}{\gamma - \eta\lambda_2} = 0.1784$. Conditions (32) and (33) hold. Thus, the stochastic delayed multi-agent system in (20) achieves consensus. Assume that the stochastic delayed multi-agent system in (20) runs on each subsystem with period 1 s and each subsystem runs with unmatched control in the first 0.2 s and then runs with matched control in the following 0.8 s. Figure 6 depicts state trajectories of $x_{ij}$, and Fig. 7 shows the time response of the consensus error E(t), defined as in Example 1. The simulations indicate that the matched controller is beneficial to reduce consensus errors and the unmatched controller enlarges the consensus errors.

4.1 Appendix: Proofs

Fig. 5 E(t) of Example 1 (axes: t, E(t))

Fig. 6 State trajectories of xij of Example 2 (axes: t, xij)

Fig. 7 E(t) of Example 2 (axes: t, E(t))

Proof (Proof of Lemma 2) For $V(t, \sigma(t)) \in C^{1,2}$, we get that $EV(t, \sigma(t))$ is continuous on each interval $t \in [t_k, t_{k+1})$ for $k \in N$. We will prove that

$$EV(t, \sigma(t)) \le v(t), \quad t \in [t_0, t_1). \tag{21}$$

If (21) is not true, in view of $EV(t, \sigma(t)) \le v(t)$, $t \in [t_0 - \tau, t_0]$, there should exist some $t \in (t_0, t_1)$ such that $EV(t, \sigma(t)) > v(t)$. Set $t^* = \inf\{t \in (t_0, t_1): EV(t, \sigma(t)) > v(t)\}$. Since $EV(t, \sigma(t))$ and $v(t)$ are continuous on $t \in [t_0, t_1)$, we derive that $EV(t^*, \sigma(t^*)) = v(t^*)$ and $EV(t, \sigma(t)) > v(t)$ for $t \in (t^*, t^* + \varepsilon)$, where $\varepsilon > 0$ is sufficiently small. Hence, for all $t \in (t^*, t^* + \varepsilon)$,

$$\frac{EV(t, \sigma(t)) - EV(t^*, \sigma(t^*))}{t - t^*} > \frac{v(t) - v(t^*)}{t - t^*},$$

which yields that

$$D^+ EV(t^*, \sigma(t^*)) \ge D^+ v(t^*). \tag{22}$$

On the other hand, according to (6) and (7), we have

$$D^+ EV(t^*, \sigma(t^*)) \le \lambda_1(t^*) EV(t^*, \sigma(t^*)) + \lambda_2 EV(t^* - \tau(t^*), \sigma(t^* - \tau(t^*))) < \lambda_1(t^*) v(t^*) + \lambda_2 v(t^* - \tau(t^*)) < D^+ v(t^*),$$

which contradicts (22). Thus, (21) holds. Assume that $EV(t, \sigma(t)) \le v(t)$, $t \in [t_{k-1}, t_k)$ for $k = 1, 2, \cdots, l$. Then, $EV(t, \sigma(t)) \le v(t)$, $t \in [t_l - \tau, t_l)$ and $EV(t_l^-, \sigma(t_l^-)) \le v(t_l^-)$. According to (6) and (7), $EV(t_l, \sigma(t_l)) \le \mu EV(t_l^-, \sigma(t_l^-)) \le \mu v(t_l^-) = v(t_l)$. Employing a process similar to the proof of (21), we can get $EV(t, \sigma(t)) \le v(t)$ for $t \in [t_l, t_{l+1})$. By mathematical induction, $EV(t, \sigma(t)) \le v(t)$ is true for $t \ge t_0$. This completes the proof.

Proof (Proof of Lemma 3) From Itô's differential formula [42], we have

$$dV(t, k_n) = \mathcal{L}V(t, k_n)\,dt + V_x(t, k_n)\, g_{k_n}(t, x(t), x(t - \tau(t)))\,d\omega(t),$$

for $t \in [t_n, t_{n+1})$, $n \in N$. It follows that

$$D^+ EV(t, k_n) = E\mathcal{L}V(t, k_n), \quad t \in [t_n, t_{n+1}),\ n \in N, \tag{23}$$

where $D^+ EV(t, k_n) = \limsup_{\Delta t \to 0^+} \frac{EV(t + \Delta t, k_n) - EV(t, k_n)}{\Delta t}$. According to (9), one sees that for $t \in [t_n, t_{n+1})$, $n \in N$,

$$V(t - \tau(t), k_n) \le \mu V(t - \tau(t), \sigma(t - \tau(t))). \tag{24}$$

Combining (24) with (8) yields

$$\begin{cases} D^+ EV(t, \sigma(t)) \le \lambda_1(t) EV(t, \sigma(t)) + \lambda_2 EV(t - \tau(t), \sigma(t - \tau(t))), & t \ne t_n,\ t \ge t_0, \\ EV(t_n, k_n) \le \mu EV(t_n^-, k_{n-1}), & n \in N, \\ EV(t, \sigma(t)) \le cE\|\xi\|^2, & -\tau \le t \le t_0, \end{cases} \tag{25}$$

where

$$\lambda_1(t) = \begin{cases} \beta, & t \in T_U(t_n, t_{n+1}), \\ -\alpha, & t \in T_M(t_n, t_{n+1}), \end{cases} \quad n \in N.$$

For ∀ε > 0, let v(t) be the unique solution of the following delayed system

$$\begin{cases} \dot{v}(t) = \lambda_1(t) v(t) + \lambda_2 v(t - \tau(t)) + \varepsilon, & t \ne t_n,\ t \ge t_0, \\ v(t_n) = \mu v(t_n^-), & n \in N, \\ v(t) = cE\|\xi\|^2, & -\tau \le t \le t_0. \end{cases} \tag{26}$$

Then, by Lemma 5, we have $EV(t, \sigma(t)) \le v(t)$, $t \ge t_0$. By the formula for the variation of parameters (Lakshmikantham et al. 1989), we see that

$$v(t) = P(t, t_0) v(t_0) + \int_{t_0}^{t} P(t, s)\big(\lambda_2 v(s - \tau(s)) + \varepsilon\big)\,ds, \tag{27}$$

where $P(t, s)$, $t \ge s \ge t_0$ is the solution of system

$$\begin{cases} \dot{y}(t) = \lambda_1(t) y(t), & t \ne t_n, \\ y(t_n) = \mu y(t_n^-), & n \in N. \end{cases}$$

It follows that

$$P(t, s) = e^{\int_s^t \lambda_1(u)\,du}\, \mu^{N(t,s)}.$$

In view of Definition 2 and (12), we can derive that for ∀t, s ≥ t0,

$$P(t, s) \le \eta e^{-\lambda_3 (t - s)}, \tag{28}$$

where $\eta = e^{(\gamma + \beta)\tau_b}$ and $\lambda_3 = \gamma - \frac{\ln \mu}{T_a}$. Let $M = \eta c E\|\xi\|^2$. Then, by (26), (27), and (28), we have

$$v(t) \le M e^{-\lambda_3 (t - t_0)} + \int_{t_0}^{t} \eta e^{-\lambda_3 (t - s)}\big(\lambda_2 v(s - \tau(s)) + \varepsilon\big)\,ds. \tag{29}$$

Let $\phi(\lambda) = \eta\lambda_2 e^{\lambda\tau} + \lambda - \lambda_3$. Obviously, $\phi(+\infty) = +\infty$ and $\phi'(\lambda) = 1 + \eta\lambda_2 \tau e^{\lambda\tau} > 0$. Notice from (10) that

$$\eta\lambda_2 < \gamma - \frac{\ln \mu}{T_a} = \lambda_3. \tag{30}$$

Thus, $\phi(0) = \eta\lambda_2 - \lambda_3 < 0$. Therefore, there exists a λ such that $\eta\lambda_2 e^{\lambda\tau} = \lambda_3 - \lambda$. The inequality $\eta = e^{(\gamma + \beta)\tau_b} > 1$ yields that $v(t) = cE\|\xi\|^2 < M = \eta c E\|\xi\|^2$. Thus,

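$$v(t) < M e^{-\lambda (t - t_0)} + \frac{\eta\varepsilon}{\lambda_3 - \eta\lambda_2}, \quad t \in [t_0 - \tau, t_0].$$

In the following, we will prove that

$$v(t) < M e^{-\lambda (t - t_0)} + \frac{\eta\varepsilon}{\lambda_3 - \eta\lambda_2}, \quad t > t_0. \tag{31}$$

If (31) is not true, there exists a $t^* > t_0$ such that

$$v(t^*) \ge M e^{-\lambda (t^* - t_0)} + \frac{\eta\varepsilon}{\lambda_3 - \eta\lambda_2} \tag{32}$$

and

$$v(t) < M e^{-\lambda (t - t_0)} + \frac{\eta\varepsilon}{\lambda_3 - \eta\lambda_2}, \quad t < t^*. \tag{33}$$

Combining (29) with (33) yields

$$\begin{aligned} v(t^*) &\le M e^{-\lambda_3 (t^* - t_0)} + \int_{t_0}^{t^*} \eta e^{-\lambda_3 (t^* - s)}\big(\lambda_2 v(s - \tau(s)) + \varepsilon\big)\,ds \\ &< e^{-\lambda_3 (t^* - t_0)} \Big\{ M + \frac{\eta\varepsilon}{\lambda_3 - \eta\lambda_2} + \int_{t_0}^{t^*} \eta e^{\lambda_3 (s - t_0)} \\ &\qquad \times \Big[\lambda_2 M e^{-\lambda (s - \tau(s) - t_0)} + \frac{\eta\lambda_2 \varepsilon}{\lambda_3 - \eta\lambda_2} + \varepsilon\Big]\,ds \Big\}. \end{aligned} \tag{34}$$

Noticing that $\eta\lambda_2 e^{\lambda\tau} = \lambda_3 - \lambda$, we have

$$\begin{aligned} &\int_{t_0}^{t^*} \eta e^{\lambda_3 (s - t_0)} \Big[\lambda_2 M e^{-\lambda (s - \tau(s) - t_0)} + \frac{\eta\lambda_2 \varepsilon}{\lambda_3 - \eta\lambda_2} + \varepsilon\Big]\,ds \\ &\quad \le \int_{t_0}^{t^*} \eta e^{\lambda_3 (s - t_0)} \Big[\lambda_2 M e^{\lambda\tau} e^{-\lambda (s - t_0)} + \frac{\lambda_3 \varepsilon}{\lambda_3 - \eta\lambda_2}\Big]\,ds \\ &\quad \le \int_{0}^{t^* - t_0} \Big[\eta\lambda_2 e^{\lambda\tau} M e^{(\lambda_3 - \lambda)s} + \frac{\eta\lambda_3 \varepsilon}{\lambda_3 - \eta\lambda_2} e^{\lambda_3 s}\Big]\,ds \\ &\quad = M e^{(\lambda_3 - \lambda)(t^* - t_0)} - M + \frac{\eta\varepsilon}{\lambda_3 - \eta\lambda_2} e^{\lambda_3 (t^* - t_0)} - \frac{\eta\varepsilon}{\lambda_3 - \eta\lambda_2}. \end{aligned} \tag{35}$$

Therefore, it follows from (34) and (35) that

$$v(t^*) < M e^{-\lambda (t^* - t_0)} + \frac{\eta\varepsilon}{\lambda_3 - \eta\lambda_2},$$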

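which contradicts (32); therefore (31) holds. Let ε → 0, and we get from (31) that $v(t) \le M e^{-\lambda (t - t_0)}$. It follows that $EV(t, \sigma(t)) \le v(t) \le M e^{-\lambda (t - t_0)}$, $t \ge t_0$. This completes the proof.

Proof (Proof of Theorem 1) Construct a Lyapunov function in the form

$$V(t, \sigma(t)) = x^T(t)\big(U \otimes P_{\sigma(t)}\big) x(t), \quad t \ge t_0 - \tau,$$

where $\sigma(t) = k_n \in \Gamma$ for $t \in [t_n, t_{n+1})$ and $\sigma(t) = \sigma(t_0)$ for $t \in [t_0 - \tau, t_0)$. Then, we have $EV(t, \sigma(t)) \le cE\|\xi\|^2$, $t_0 - \tau \le t \le t_0$, where $c = \max_r\{\lambda_{\max}(U \otimes P_r), r \in \Gamma\}$. For simplicity, denote $f_{k_n}(t, x(t), x(t - \tau(t)))$ and $g_{k_n}(t, x(t), x_t)$ by $f_{k_n}(t)$ and $g_{k_n}(t)$, respectively. For $t \in [t_n, t_{n+1})$, $n \in N$, we have

$$\begin{aligned} \mathcal{L}V(t, k_n) &= 2x^T(t)\big(U \otimes P_{k_n}\big)\Big[\big(I_N \otimes A_{k_n}\big)x(t) + f_{k_n}(t) + \big(I_N \otimes K_{\sigma(t - h(t))}\big)\big(B_{k_n} \otimes I_n\big)x(t)\Big] \\ &\quad + \mathrm{trace}\Big[g_{k_n}(t)^T \big(U \otimes P_{k_n}\big) g_{k_n}(t)\Big]. \end{aligned} \tag{36}$$

Obviously,

$$\begin{aligned} &2x^T(t)\big(U \otimes P_{k_n}\big)\Big[\big(I_N \otimes A_{k_n}\big)x(t) + f_{k_n}(t) + \big(I_N \otimes K_{k_n}\big)\big(B_{k_n} \otimes I_n\big)x(t)\Big] \\ &\quad = 2x^T(t)\Big[\big(U \otimes P_{k_n} A_{k_n}\big)x(t) + \big(U \otimes P_{k_n}\big)f_{k_n}(t) + \big(U \otimes P_{k_n}\big)\big(B_{k_n} \otimes K_{k_n}\big)x(t)\Big] \\ &\quad = 2x^T(t)\Big[\big(U \otimes P_{k_n} A_{k_n}\big)x(t) + \big(U \otimes P_{k_n}\big)f_{k_n}(t) + \big(N B_{k_n} \otimes P_{k_n} K_{k_n}\big)x(t)\Big]. \end{aligned} \tag{37}$$

Let $x_{ij}(t) = x_i(t) - x_j(t)$, $f_{k_n}^{ij}(t) = f_{k_n i}(t) - f_{k_n j}(t)$, and $g_{k_n}^{ij}(t) = g_{k_n i}(t) - g_{k_n j}(t)$. It follows that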


L V (t, kn )   ij ≤2 xijT (t) Pkn Akn xij (t) + Pkn fkn (t) 1≤i λs2 ≥ . . . ≥ λsN and λN = min {λsN }. 1≤s≤n

Theorem 1. Suppose that Assumptions 1 and 2 hold. Let $\eta_k = 1 - \frac{l_k}{N} q_k (2 - q_k)$ and $\lambda = [2\xi_M (a + L\sqrt{\lambda_{\max}(B^\top B)}) - cd\lambda_N]/\xi_m$, where $a = \max_{1 \le s \le n}\{|a_s|\}$ and $d = \max_{1 \le s \le n}\{|d_s|\}$. If there exists a constant γ > 1, such that $\gamma (\xi_M/\xi_m) \eta_k e^{\lambda (t_{k+1} - t_k)} \le 1$ for any k ∈ N, then the drive-response partially coupled dynamical networks (3) can achieve outer synchronization.

Proof. Consider the following Lyapunov function:

$$V(t) = \sum_{i=1}^{N} e_i^\top(t)\, \Xi^i e_i(t).$$

For t ∈ (tk , tk+1 ), by calculating the derivative of V (t) along the trajectory of system (6), one obtains

$$\begin{aligned} \dot{V}(t) &= 2\sum_{i=1}^{N} e_i^\top(t)\, \Xi^i \dot{e}_i(t) \\ &= 2\sum_{i=1}^{N} e_i^\top(t)\, \Xi^i \Big[A e_i(t) + B\tilde{f}(e_i(t)) + c\sum_{j=1}^{N} D C_{ij} e_j(t)\Big] \\ &= 2\sum_{i=1}^{N} e_i^\top(t)\, \Xi^i A e_i(t) + 2\sum_{i=1}^{N} e_i^\top(t)\, \Xi^i B\tilde{f}(e_i(t)) + 2c\sum_{i=1}^{N}\sum_{j=1}^{N} e_i^\top(t)\, \Xi^i D C_{ij} e_j(t). \end{aligned} \tag{7}$$

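By Assumption 1, the following inequalities can be obtained:

$$\begin{aligned} 2\sum_{i=1}^{N} e_i^\top(t)\, \Xi^i A e_i(t) &\le 2\sum_{i=1}^{N} \big|e_i^\top(t)\, \Xi^i A e_i(t)\big| \\ &\le 2\sum_{i=1}^{N} \xi_M \|e_i(t)\| \cdot a\|e_i(t)\| \\ &= 2a\xi_M \sum_{i=1}^{N} e_i^\top(t) e_i(t), \end{aligned} \tag{8}$$

and

$$\begin{aligned} 2\sum_{i=1}^{N} e_i^\top(t)\, \Xi^i B\tilde{f}(e_i(t)) &\le 2\sum_{i=1}^{N} \big|e_i^\top(t)\, \Xi^i B\tilde{f}(e_i(t))\big| \\ &\le 2\sum_{i=1}^{N} \xi_M \|e_i(t)\| \sqrt{\lambda_{\max}(B^\top B)}\, \|\tilde{f}(e_i(t))\| \\ &\le 2\sum_{i=1}^{N} \xi_M \|e_i(t)\| \sqrt{\lambda_{\max}(B^\top B)}\, L\|e_i(t)\| \\ &= 2\xi_M L\sqrt{\lambda_{\max}(B^\top B)} \sum_{i=1}^{N} e_i^\top(t) e_i(t). \end{aligned} \tag{9}$$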

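Let $e_s(t) = (e_{1s}(t), e_{2s}(t), \ldots, e_{Ns}(t))^\top \in R^N$. Hence, by Assumption 2 and Lemma 1, one has

$$\begin{aligned} 2c\sum_{i=1}^{N}\sum_{j=1}^{N} e_i^\top(t)\, \Xi^i D C_{ij} e_j(t) &= 2c\sum_{i=1}^{N}\sum_{j=1}^{N}\sum_{s=1}^{n} e_{is}(t)\, \xi_s^i d_s C_{ij}^s e_{js}(t) \\ &= 2c\sum_{s=1}^{n} d_s \sum_{i=1}^{N}\sum_{j=1}^{N} e_{is}(t)\, \xi_s^i C_{ij}^s e_{js}(t) \\ &= 2c\sum_{s=1}^{n} d_s e_s^\top(t)\, \Xi_s C_s e_s(t) \\ &= c\sum_{s=1}^{n} d_s e_s^\top(t) (\Xi_s C_s + C_s^\top \Xi_s) e_s(t) \\ &\le -cd\sum_{s=1}^{n} e_s^\top(t) (\Xi_s C_s + C_s^\top \Xi_s) e_s(t) \\ &\le -cd\lambda_N \sum_{s=1}^{n} e_s^\top(t) e_s(t) \\ &= -cd\lambda_N \sum_{i=1}^{N} e_i^\top(t) e_i(t). \end{aligned} \tag{10}$$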

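Recalling Eq. (7), it follows from inequalities (8), (9) and (10) that

$$\begin{aligned} \dot{V}(t) &\le \big[2\xi_M (a + L\sqrt{\lambda_{\max}(B^\top B)}) - cd\lambda_N\big] \sum_{i=1}^{N} e_i^\top(t) e_i(t) \\ &\le \frac{1}{\xi_m}\big[2\xi_M (a + L\sqrt{\lambda_{\max}(B^\top B)}) - cd\lambda_N\big] \sum_{i=1}^{N} e_i^\top(t)\, \Xi^i e_i(t) \\ &= \lambda V(t). \end{aligned}$$

Then, it follows that, for $t \in (t_k, t_{k+1})$,

$$V(t) \le V(t_k^+) e^{\lambda (t - t_k)}. \tag{11}$$

Consider that $t = t_{k+1}$, by the continuity of V(t) in $(t_k, t_{k+1})$, one has

$$V(t_{k+1}) = \lim_{t \to t_{k+1}^-} V(t) \le \lim_{t \to t_{k+1}^-} V(t_k^+) e^{\lambda (t - t_k)} = V(t_k^+) e^{\lambda (t_{k+1} - t_k)}. \tag{12}$$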

On the other hand, for any k ∈ N, let $\alpha_k = \min\{\|e_i(t_k)\| : i \in D_k\}$. Since $q_k \in (0, 1)$, it is easy to see that $0 < \eta_k < 1$ and $(1 - \eta_k)(N - l_k) = [\eta_k - (1 - q_k)^2] l_k$. According to the selection of nodes in set $D_k$, one gets

$$\begin{aligned} (1 - \eta_k) \sum_{i \notin D_k} e_i^\top(t_k) e_i(t_k) &\le (1 - \eta_k)(N - l_k)\alpha_k^2 \\ &= [\eta_k - (1 - q_k)^2] l_k \alpha_k^2 \\ &\le [\eta_k - (1 - q_k)^2] \sum_{i \in D_k} e_i^\top(t_k) e_i(t_k), \end{aligned}$$

which further implies that

$$(1 - q_k)^2 \sum_{i \in D_k} e_i^\top(t_k) e_i(t_k) + \sum_{i \notin D_k} e_i^\top(t_k) e_i(t_k) \le \eta_k \sum_{i=1}^{N} e_i^\top(t_k) e_i(t_k).$$

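Therefore, for any k ∈ N, it follows from the second equality of (6) that

$$\begin{aligned} V(t_k^+) &= \sum_{i=1}^{N} e_i^\top(t_k^+)\, \Xi^i e_i(t_k^+) \\ &= \sum_{i \in D_k} e_i^\top(t_k^+)\, \Xi^i e_i(t_k^+) + \sum_{i \notin D_k} e_i^\top(t_k^+)\, \Xi^i e_i(t_k^+) \\ &= \sum_{i \in D_k} (1 - q_k)^2 e_i^\top(t_k)\, \Xi^i e_i(t_k) + \sum_{i \notin D_k} e_i^\top(t_k)\, \Xi^i e_i(t_k) \\ &\le \xi_M \Big(\sum_{i \in D_k} (1 - q_k)^2 e_i^\top(t_k) e_i(t_k) + \sum_{i \notin D_k} e_i^\top(t_k) e_i(t_k)\Big) \\ &\le \xi_M \eta_k \sum_{i=1}^{N} e_i^\top(t_k) e_i(t_k) \\ &\le (\xi_M/\xi_m)\eta_k \sum_{i=1}^{N} e_i^\top(t_k)\, \Xi^i e_i(t_k) \\ &= (\xi_M/\xi_m)\eta_k V(t_k). \end{aligned} \tag{13}$$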

Summarizing inequalities (11), (12) and (13), for $t \in (t_k, t_{k+1}]$, it is easy to see that

$$\begin{aligned} V(t) &\le V(t_k^+) e^{\lambda (t - t_k)} \\ &\le V(t_k)(\xi_M/\xi_m)\eta_k e^{\lambda (t - t_k)} \\ &\le V(t_{k-1}^+) e^{\lambda (t_k - t_{k-1})} (\xi_M/\xi_m)\eta_k e^{\lambda (t - t_k)} \\ &\le V(t_{k-1})(\xi_M/\xi_m)\eta_{k-1} e^{\lambda (t_k - t_{k-1})} (\xi_M/\xi_m)\eta_k e^{\lambda (t - t_k)} \\ &\ \ \vdots \\ &\le V(t_1)(\xi_M/\xi_m)\eta_1 e^{\lambda (t_2 - t_1)} \cdots (\xi_M/\xi_m)\eta_k e^{\lambda (t - t_k)} \\ &\le V(t_1) \prod_{i=1}^{k} (\xi_M/\xi_m)\eta_i e^{\lambda (t_{i+1} - t_i)} \\ &\le \frac{1}{\gamma^k} V(t_1). \end{aligned} \tag{14}$$

Since γ > 1, one can obtain V(t) → 0 as k → ∞. Thus, for i = 1, . . . , N, $\lim_{t \to \infty} e_i(t) = 0$, i.e., the drive-response partially coupled networks (3) reach outer synchronization as t → ∞. Hence, Theorem 1 is proved.

Remark 4. It is worth noting that Theorem 1 explicitly presents how many nodes should be controlled for a successful synchronization control of the networks (3):

$$\frac{l_k}{N} \ge \frac{1}{q_k (2 - q_k)} \Big(1 - \frac{1}{\gamma}\frac{\xi_m}{\xi_M} e^{-\lambda (t_{k+1} - t_k)}\Big), \tag{15}$$

where $l_k/N$ represents the proportion of the controlled nodes at each impulsive instant $t_k$. From inequality (15), one concludes that the proportion $l_k/N$ should be greater than a certain lower bound at $t_k$ in order to achieve outer synchronization of (3). In practice, for convenience, the impulsive control gain $q_k$ and the number of nodes to be controlled $l_k$ can be selected as constants, and the impulsive distances $t_{k+1} - t_k$ (k ∈ N) are set to be a positive constant. Then one has the following corollary.

Corollary 1. Assume $t_{k+1} - t_k = T > 0$, $q_k = q \in (0, 1)$ and $l_k = l$ (k = 1, 2, . . .). Then the drive-response partially coupled network (3) can achieve outer synchronization if one of the following inequalities is satisfied:

(1) $0 < T \le \dfrac{\ln(\xi_m/\xi_M) - \ln\big(1 - \frac{l}{N} q(2 - q)\big)}{\lambda}$;

(2) $1 - \sqrt{1 - \dfrac{1 - (\xi_m/\xi_M) e^{-\lambda T}}{l/N}} \le q < 1$;

(3) $\dfrac{l}{N} \ge \dfrac{1}{q(2 - q)} \Big(1 - \dfrac{\xi_m}{\xi_M} e^{-\lambda T}\Big)$.

Remark 5. The above three conditions, which similarly correspond to the results in the literature (Lu et al. 2012), show the proportional relationships among the proportion of the controlled nodes, the impulsive control gain, and the distances of impulsive instants. The longer the impulsive distance T is, the larger the proportion of the controlled nodes l/N should be. Likewise, the longer the impulsive distance T is, the larger the impulsive control gain q needed to guarantee the synchronization of drive-response partially coupled network (3). The numerical example shows a clearer relationship of all three.

Similarly, one can obtain a corollary from Theorem 1 in the case that the regrouping matrices $C_s$ are symmetric. By Lemma 1, the eigenvalues of matrix $C_s$ can be arranged as follows: 0 = λ s1 > λ s2 ≥ . . . ≥ λ sN . Let λ N = min {λ sN } over 1 ≤ s ≤ n.

Corollary 2. Suppose that Assumptions 1 and 2 hold, and the regrouping matrices $C_s$ (s = 1, 2, . . . , n) are symmetric. Let $\eta_k = 1 - \frac{l_k}{N} q_k (2 - q_k)$ and $\lambda_{\max} = \lambda_{\max}(2A + BB^\top + L^2 I - cd$ λ N $I)$. If there exists a constant γ > 1, such that $\gamma \eta_k e^{\lambda_{\max}(t_{k+1} - t_k)} \le 1$ for any k ∈ N, then the drive-response partially coupled networks (3) can achieve outer synchronization.

Proof. Consider the Lyapunov function $V(t) = \sum_{i=1}^{N} e_i^\top(t) e_i(t)$. The detailed proof is similar to the proof of Theorem 1, and hence omitted here.

3.2 Impulsive Control Protocol via Concept of Average Impulsive Interval

The criterion in Theorem 1 is equivalent to $\gamma (\xi_M/\xi_m)\eta_k e^{\lambda \sup_{k \in N}\{t_{k+1} - t_k\}} \le 1$. Hence, the results in Theorem 1 and Corollary 2 may be invalid when $\sup_{k \in N}\{t_{k+1} - t_k\}$ is very large. The following applies the average impulsive interval technique to analyze the drive-response partially coupled network (3) for a more flexible and less conservative pinning impulsive control law.

Theorem 2. Suppose that Assumptions 1 and 2 hold, and the average impulsive interval of impulsive sequence ζ = {t1, t2, . . .} is equal to $T_a$. Let $\eta = 1 - \frac{l}{N} q(2 - q)$ and $\lambda = [2\xi_M (a + L\sqrt{\lambda_{\max}(B^\top B)}) - cd\lambda_N]/\xi_m$. If

$$\lambda + \frac{\ln(\eta\xi_M/\xi_m)}{T_a} < 0,$$

then the drive-response partially coupled networks (3) can achieve outer synchronization.

Proof. Choose the same Lyapunov function as given in Theorem 1. By a similar analysis as Theorem 1, one has

$$V(t) \le V(t_1)(\eta\xi_M/\xi_m)^{k} e^{\lambda (t - t_1)} \le V(t_0^+)(\eta\xi_M/\xi_m)^{k} e^{\lambda (t - t_0)} = V(t_0)(\eta\xi_M/\xi_m)^{N_\zeta(t, t_0) + 1} e^{\lambda (t - t_0)}.$$

If $\eta\xi_M/\xi_m = 1$, one has $V(t) \le V(t_0) e^{\lambda (t - t_0)}$ and $\ln(\eta\xi_M/\xi_m) = 0$. And, $\lambda + \frac{\ln(\eta\xi_M/\xi_m)}{T_a} < 0$ implies that λ < 0, hence the conclusion holds. According to Definition 2, it means that if $\eta\xi_M/\xi_m < 1$, then

$$\begin{aligned} V(t) &\le V(t_0) e^{\lambda (t - t_0)} (\eta\xi_M/\xi_m)^{\frac{t - t_0}{T_a} - N_0 + 1} \\ &= (\eta\xi_M/\xi_m)^{1 - N_0} V(t_0) e^{\lambda (t - t_0)} (\eta\xi_M/\xi_m)^{\frac{t - t_0}{T_a}} \\ &= (\eta\xi_M/\xi_m)^{1 - N_0} V(t_0) e^{\left(\lambda + \frac{\ln(\eta\xi_M/\xi_m)}{T_a}\right)(t - t_0)}. \end{aligned}$$

If $\eta\xi_M/\xi_m > 1$, then

$$\begin{aligned} V(t) &\le V(t_0) e^{\lambda (t - t_0)} (\eta\xi_M/\xi_m)^{\frac{t - t_0}{T_a} + N_0 + 1} \\ &= (\eta\xi_M/\xi_m)^{1 + N_0} V(t_0) e^{\lambda (t - t_0)} (\eta\xi_M/\xi_m)^{\frac{t - t_0}{T_a}} \\ &= (\eta\xi_M/\xi_m)^{1 + N_0} V(t_0) e^{\left(\lambda + \frac{\ln(\eta\xi_M/\xi_m)}{T_a}\right)(t - t_0)}. \end{aligned}$$

Since $\lambda + \frac{\ln(\eta\xi_M/\xi_m)}{T_a} < 0$, outer synchronization of drive-response partially coupled networks (3) is achieved. The proof is completed.

Remark 6. Compared with Lu et al. (2012), the model in this chapter is more general. When all the channel matrices $R_{ij}$ are identity matrices, all of the channels of the connections are active. Therefore, the results are also applicable to two linearly complete coupled dynamical networks. In other words, the synchronization criterion proposed in this chapter improves and extends the previous results when reducing to the outer synchronization of two linearly complete coupled networks.

4 Numerical Examples

In this section, two numerical examples are presented to illustrate the main theoretical results.

Example 1. The first example considers a drive-response partially coupled network with six nodes, and each node is a three-dimensional system. The topology can be described in Fig. 1. Obviously, each level sub-network is strongly connected. The parameters of the network are listed as follows:

$$A = -0.1 \cdot I_3, \quad B = \begin{bmatrix} 0.08 & 0 & -0.1 \\ 0 & 0.02 & 0 \\ -0.05 & 0 & -0.1 \end{bmatrix}, \quad c = 1, \quad D = 0.02 \cdot I_3,$$

Fig. 1 Topology of the partially coupled drive network with six nodes: the solid (dash) arrows represent the active (respectively, inactive) channels

$$G = \begin{bmatrix} -11.3 & 7 & 0 & 0.2 & 0 & 4.1 \\ 4.2 & -11.2 & 7 & 0 & 0 & 0 \\ 0 & 4.1 & -11.1 & 7 & 0 & 0 \\ 0 & 0.1 & 4.1 & -11.2 & 7 & 0 \\ 0 & 0 & 0 & 3.9 & -10.9 & 7 \\ 7 & 0 & 0 & 0 & 4 & -11 \end{bmatrix},$$

and choose the channel matrices: R12 = diag{0, 0, 1}, R14 = diag{1, 0, 0}, R16 = diag{1, 1, 0}, R21 = diag{1, 1, 0}, R23 = diag{0, 0, 1}, R32 = diag{1, 1, 0}, R34 = diag{0, 0, 1}, R42 = diag{0, 1, 0}, R43 = diag{1, 1, 0}, R45 = diag{0, 0, 1}, R54 = diag{1, 1, 0}, R56 = diag{0, 0, 1}, R61 = diag{0, 0, 1}, R65 = diag{1, 1, 0}, and nonlinear function $f(x_i(t)) = (\tanh(x_{i1}), \tanh(x_{i2}), \tanh(x_{i3}))^\top$. Thus, the Lipschitz constant can be obtained as L = 1. The initial values of these systems are chosen uniformly randomly in the real number interval [−100,100]. The drive and response systems cannot achieve synchronization by themselves as shown in Fig. 2.

Fig. 2 Topology of the partially coupled drive network with six nodes: the solid (dash) arrows represent the active (respectively, inactive) channels (axes: t, xi1(t), xi2(t), xi3(t) (i = 1, 2, ..., 6))

Firstly, applying the regrouping method, let $C_{ij} = g_{ij} R_{ij}$, then collect the sth diagonal elements $C_{ij}^s$ of $C_{ij}$ (i, j = 1, 2, . . . , N) and regroup them in a new matrix $C_s = (C_{ij}^s)_{N \times N}$:

$$C_1 = \begin{bmatrix} -4.3 & 0 & 0 & 0.2 & 0 & 4.1 \\ 4.2 & -4.2 & 0 & 0 & 0 & 0 \\ 0 & 4.1 & -4.1 & 0 & 0 & 0 \\ 0 & 0 & 4.1 & -4.1 & 0 & 0 \\ 0 & 0 & 0 & 3.9 & -3.9 & 0 \\ 0 & 0 & 0 & 0 & 4 & -4 \end{bmatrix},$$

$$C_2 = \begin{bmatrix} -4.1 & 0 & 0 & 0 & 0 & 4.1 \\ 4.2 & -4.2 & 0 & 0 & 0 & 0 \\ 0 & 4.1 & 4.1 & 0 & 0 & 0 \\ 0 & 0.1 & 4.1 & -4.2 & 0 & 0 \\ 0 & 0 & 0 & 3.9 & -3.9 & 0 \\ 0 & 0 & 0 & 0 & 4 & -4 \end{bmatrix},$$

$$C_3 = \begin{bmatrix} -7 & 7 & 0 & 0 & 0 & 0 \\ 0 & -7 & 7 & 0 & 0 & 0 \\ 0 & 0 & -7 & 7 & 0 & 0 \\ 0 & 0 & 0 & -7 & 7 & 0 \\ 0 & 0 & 0 & 0 & -7 & 7 \\ 7 & 0 & 0 & 0 & 0 & -7 \end{bmatrix}.$$

By some simple calculations, one obtains that $\xi_m = 0.1614$ and $\xi_M = 0.1714$. It follows that λ = 1.0971. Now, for simplicity, one considers the equidistant impulsive interval. Let the impulsive strength q = 0.9 and the impulsive interval T = 0.1; it is clear that $\big(1 - \frac{\xi_m}{\xi_M} e^{-\lambda T}\big)/\big(q(2 - q)\big) = 0.1582$. Therefore, by Corollary 1, one can conclude that a single controller can pin this drive-response partially coupled network to outer synchronization. Define the total synchronization error as follows:

$$E(t) = \sqrt{\sum_{i=1}^{6}\sum_{j=1}^{3} (x_{ij}(t) - y_{ij}(t))^2}.$$

Figure 3 shows how the total synchronization error E(t) changes over time under different impulsive controllers, in which the number of nodes to be controlled, impulsive interval, and impulsive control gains are varied. One can find that the number of nodes to be controlled, impulsive interval, and impulsive control gains together determine a controller’s ability to achieve synchronization.

Fig. 3 Dynamical behaviors of the synchronization error E(t) under different impulsive controllers. (a) q = 0.9, T = 0.05, (b) q = 0.9, l = 1, (c) T = 0.05, l = 1 (curves: (a) l = 1, 2, 3; (b) T = 0.05, 0.1, 0.15; (c) q = 0.5, 0.7, 0.9; axes: t, E(t))

Fig. 4 The synchronization region of the controlled partially coupled network for l, T and q (axes: l/N, q, T)

Example 2. Now consider a NW directed small-world network (Newman et al. 1999). The small-world network is generated by setting N = 100, k = 4, p = 0.1. Other parameters are the same as in Example 1. To guarantee each level sub-network to be strongly connected, one chooses $R_{ij} = I$ except for the edges which are added randomly. In this simulation, one obtains that $\xi_m = 0.0096$ and $\xi_M = 0.0103$. It follows that λ = 0.7927. Corollary 1 has presented explicitly the proportional relationships among the proportion of the controlled nodes, the impulsive control gain and the impulsive distances. The synchronization region of the controlled partially coupled network for l, T, and q is shown in Fig. 4. Figure 5 shows the estimation of the synchronization region about T and l/N with different q. And Fig. 6 shows the estimation of the synchronization region about q and T with different l/N. It is easy to see that, as mentioned in Remark 5, the longer the impulsive distance T is, the larger the proportion of the controlled nodes l/N should be; the longer the impulsive distance T is, the larger the impulsive control gain q needed to guarantee the synchronization of the drive-response partially coupled network. Next, choose q = 0.9 and T = 0.02, then $\big(1 - \frac{\xi_m}{\xi_M} e^{-\lambda T}\big)/\big(q(2 - q)\big) = 0.0862$. Therefore, by Corollary 1, it can be concluded that drive-response partially coupled dynamical networks can be outer synchronized if l/N = 9% of the nodes are controlled. Hence, choose l = 10. Figure 7 shows the error trajectories of the small-world drive-response partially coupled dynamical network. The simulation results verified the main theoretical results very well.
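The three design conditions of Corollary 1 and the average-interval test of Theorem 2, evaluated for the constants printed in Examples 1 and 2, as an added Python example (not code from the chapter; all function names are hypothetical). Because the printed values of ξm, ξM and λ are rounded to four digits, the bound computed for Example 1 is about 0.158 rather than the reported 0.1582.

```python
import math

# Constants as printed in the chapter's Examples 1 and 2 (four-digit roundings).
EX1 = {"xi_m": 0.1614, "xi_M": 0.1714, "lam": 1.0971}
EX2 = {"xi_m": 0.0096, "xi_M": 0.0103, "lam": 0.7927}


def eta(l, N, q):
    """eta = 1 - (l/N) q (2 - q): factor applied to V at each pinning impulse."""
    if not (0 < q < 1) or not (0 < l <= N):
        raise ValueError("need 0 < q < 1 and 0 < l <= N")
    return 1.0 - (l / N) * q * (2.0 - q)


def growth_gap(xi_m, xi_M, lam, T):
    """1 - (xi_m/xi_M) e^{-lam T}: what one impulse must cancel per interval."""
    if not (0 < xi_m <= xi_M) or T <= 0:
        raise ValueError("need 0 < xi_m <= xi_M and T > 0")
    return 1.0 - (xi_m / xi_M) * math.exp(-lam * T)


def min_pinned_fraction(xi_m, xi_M, lam, T, q):
    """Corollary 1, condition (3): lower bound on l/N for given T and q."""
    if not 0 < q < 1:
        raise ValueError("need 0 < q < 1")
    return growth_gap(xi_m, xi_M, lam, T) / (q * (2.0 - q))


def min_pinned_nodes(N, xi_m, xi_M, lam, T, q):
    """Smallest integer l meeting condition (3), or None if even l = N fails."""
    frac = min_pinned_fraction(xi_m, xi_M, lam, T, q)
    l = max(1, math.ceil(frac * N - 1e-12))
    return l if l <= N else None


def max_impulse_interval(xi_m, xi_M, lam, l, N, q):
    """Corollary 1, condition (1): largest admissible T (0.0 if none)."""
    if lam <= 0:
        raise ValueError("the bound is stated for lam > 0")
    bound = (math.log(xi_m / xi_M) - math.log(eta(l, N, q))) / lam
    return max(bound, 0.0)


def min_gain(xi_m, xi_M, lam, T, l, N):
    """Corollary 1, condition (2): smallest q, or None if no q < 1 suffices."""
    if not 0 < l <= N:
        raise ValueError("need 0 < l <= N")
    x = growth_gap(xi_m, xi_M, lam, T) / (l / N)
    if x >= 1.0:
        return None
    return max(0.0, 1.0 - math.sqrt(1.0 - x))


def theorem2_holds(xi_m, xi_M, lam, l, N, q, Ta):
    """Theorem 2: lam + ln(eta xi_M / xi_m) / Ta < 0 for average interval Ta."""
    if Ta <= 0:
        raise ValueError("need Ta > 0")
    return lam + math.log(eta(l, N, q) * xi_M / xi_m) / Ta < 0


def region_boundary(xi_m, xi_M, lam, q, T_values):
    """Boundary of the synchronization region in the (T, l/N) plane, fixed q.

    Entries are (T, minimal l/N); None marks intervals no pinning set can fix.
    """
    out = []
    for T in T_values:
        frac = min_pinned_fraction(xi_m, xi_M, lam, T, q)
        out.append((T, frac if frac <= 1.0 else None))
    return out


if __name__ == "__main__":
    print("Example 1: l/N >=", round(min_pinned_fraction(**EX1, T=0.1, q=0.9), 4),
          "-> l =", min_pinned_nodes(6, **EX1, T=0.1, q=0.9))
    print("Example 1: T <=", round(max_impulse_interval(**EX1, l=1, N=6, q=0.9), 4),
          " q >=", round(min_gain(**EX1, T=0.1, l=1, N=6), 4))
    print("Example 2: l/N >=", round(min_pinned_fraction(**EX2, T=0.02, q=0.9), 4),
          "-> l =", min_pinned_nodes(100, **EX2, T=0.02, q=0.9))
    for q in (0.2, 0.8):
        print("q =", q, region_boundary(**EX2, q=q, T_values=(0.05, 0.2, 2.0)))
```

With one pinned node in Example 1 the admissible interval ends just above T = 0.1, which is why the T = 0.15 controller in Fig. 3(b) falls outside the guarantee of Corollary 1.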

Fig. 5 The synchronization region of the controlled partially coupled networks for different q with respect to T and l/N (curves: q = 0.2, 0.4, 0.6, 0.8; axes: T, l/N)

Fig. 6 The synchronization region of the controlled partially coupled network for different l/N with respect to q and T (curves: l/N = 0.1, 0.2, 0.3, 0.4, 0.5; axes: q, T)

Fig. 7 Dynamical behaviors of the synchronization error under pinning on just ten nodes (axes: t, ei(t), i = 1, 2, ..., 100)

5 Conclusion

In this chapter, outer synchronization of drive-response partially coupled networks with the same connection topologies is theoretically and numerically studied. The approach is based on a regrouping process. The main result in Theorem 1 proposes a pinning impulsive control scheme which is used to guarantee outer synchronization of drive-response partially coupled networks, while Theorem 2 proposes a more flexible impulsive control law by using the concept of average impulsive interval. Finally, two partially coupled small-world networks are given to illustrate the efficiency of the proposed approaches, and moreover the synchronization region is clearly plotted. One of the restrictions in this chapter is that ξM /ξm is not allowed to be too large; otherwise the conditions in the theorems are not easy to satisfy. Thus, in future work, it is worth studying the outer synchronization problem in partially coupled dynamical networks while avoiding the use of the quantity ξM /ξm .

References

A. Arenas, A. Díaz-Guilera, J. Kurths, Y. Moreno, C. Zhou, Synchronization in complex networks. Phys. Rep. 469(3), 93–153 (2008) A.L. Barabási, R. Albert, H. Jeong, Mean-field theory for scale-free random networks. Phys. A Stat. Mech. Appl. 272(1), 173–187 (1999)


J. Cao, P. Li, W. Wang, Global synchronization in arrays of delayed neural networks with constant and delayed coupling. Phys. Lett. A 353(4), 318–325 (2006) T. Chen, X. Liu, W. Lu, Pinning complex networks by a single controller. IEEE Trans. Circuits Syst. I Regul. Pap. 54(6), 1317–1326 (2007) W. Chen, Z. Jiang, J. Zhong, X. Lu, On designing decentralized impulsive controllers for synchronization of complex dynamical networks with nonidentical nodes and coupling delays. J. Frankl. Inst. 351(8), 4084–4110 (2014) A.B. Horne, T.C. Hodgman, H.D. Spence, A.R. Dalby, Constructing an enzyme-centric view of metabolism. Bioinformatics 20(13), 2050–2055 (2004) A. Hu, Z. Xu, Pinning a complex dynamical network via impulsive control. Phys. Lett. A 374(2), 186–190 (2009) J. Hu, J. Liang, J. Cao, Synchronization of hybrid-coupled heterogeneous networks: pinning control and impulsive control schemes. J. Frankl. Inst. 351(5), 2600–2622 (2014) C. Hua, C. Ge, X. Guan, Synchronization of chaotic Lur’e systems with time delays using sampleddata control. IEEE Trans. Neural Netw. Learn. Syst. 26(6), 1214–1221 (2015) C. Huang, D.W.C. Ho, J. Lu, J. Kurths, Partial synchronization in stochastic dynamical networks with switching communication channels. Chaos Interdisciplinary J. Nonlinear Sci. 22(2), 023108 (2012a) C. Huang, D.W.C. Ho, J. Lu, Partial-information-based distributed filtering in two-targets tracking sensor network. IEEE Trans. Circuits Syst. I Regul. Pap. 59(4), 820–832 (2012b) M. Newmann, The structure and function of complex networks. SIAM Rev. 45(2), 167–256 (2003) M.E.J. Newman, D.J. Watts, Scaling and percolation in the small-world network model. Phys. Rev. E 60(6), 7332–7342 (1999) V.L. Krinsky, V.N. Biktashev, I.R. Efimov, Autowave principles for parallel image processing. Phys. D Nonlinear Phenom. 49(1), 247–253 (1991) X. Li, X. Wang, G. Chen, Pinning a complex dynamical network to its equilibrium. IEEE Trans. Circuits Syst. I Regul. Pap. 51(10), 2074–2087 (2004) C. 
Li, W. Sun, J. Kurths, Synchronization between two coupled complex networks. Phys. Rev. E 76(4), 046204 (2007) C. Li, S. Wu, G. Feng, X. Liao, Stabilizing effects of impulses in discrete-time delayed neural networks. IEEE Trans. Neural Netw. 22(2), 323–329 (2011) L. Li, D.W.C. Ho, J. Lu, A unified approach to practical consensus with quantized data and time delay. IEEE Trans. Circuits Syst I Regul. Pap. 60(10), 2668–2678 (2013) X. Liu, Stability results for impulsive differential systems with applications to population growth models. Dyn. Stab. Syst. 9(2), 163–174 (1994) B. Liu, W. Lu, T. Chen, Pinning consensus in networks of multiagents via a single impulsive controller. IEEE Trans. Neural Netw. Learn. Syst. 24(7), 1141–1149 (2013) J. Lu, J. Cao, Adaptive synchronization of uncertain dynamical networks with delayed coupling. Nonlinear Dyn. 53(1–2), 107–115 (2008) W. Lu, T. Chen, New approach to synchronization analysis of linearly coupled ordinary differential systems. Phys. D Nonlinear Phenom. 213(2), 214–230 (2006) J. Lu, D.W.C. Ho, Globally exponential synchronization and synchronizability for general dynamical networks. IEEE Trans. Syst. Man Cybern. Part B Regul. Pap. 40(2), 350–361 (2010) J. Lu, D.W.C. Ho, L. Wu, Exponential stabilization in switched stochastic dynamical networks. Nonlinearity 22, 889–911 (2009) J. Lu, D. W. C. Ho, J. Cao, A unified synchronization criterion for impulsive dynamical networks. Automatica 46(7), 1215–1221 (2010) J. Lu, J. Kurths, J. Cao, N. Mahdavi, C. Huang, Synchronization control for nonlinear stochastic dynamical networks: pinning impulsive strategy. IEEE Trans. Neural Netw. Learn. Syst. 23(2), 285–292 (2012) J. Lu, D.W.C. Ho, J. Cao, J. Kurths, Single impulsive controller for globally exponential synchronization of dynamical networks. Nonlinear Anal. Real World Appl. 14(1), 581–593 (2013)


J. Lu, J. Zhong, Y. Tang, T. Huang, J. Cao, J. Kurths, Synchronization in output-coupled temporal Boolean networks. Sci. Rep. 4, 6292–6303 (2014) J.Q. Lu, C.D. Ding, J.G. Lou, J.D. Cao, Outer synchronization of partially coupled dynamical networks via pinning impulsive controllers. J. Frankl. Inst. 352, 5024–5041 (2015) S.H. Strogatz, Exploring complex networks. Nature 410(6825), 268–276 (2001) W. Sun, J. Lü, S. Chen, X. Yu, Pinning impulsive control algorithms for complex network. Chaos Interdisciplinary J. Nonlinear Sci. 24(1), 013141 (2014) H. Tang, L. Chen, J. Lu, K.T. Chi, Adaptive synchronization between two complex networks with nonidentical topological structures. Phys. A Stat. Mech. Appl. 387(22), 5623–5630 (2008) Y. Tang, W.K. Wong, J.A. Fang, Pinning impulsive synchronization of stochastic delayed coupled networks. Chin. Phys. B 20(4), 040513 (2011) Y. Tang, H. Gao, J. Lu, J. Kurths, Pinning distributed synchronization of stochastic dynamical networks: a mixed optimization method. IEEE Trans. Neural Netw. Learn. Syst. 25(10), 1804– 1815 (2014a) Y. Tang, Z. Wang, H. Gao, H. Qiao, J. Kurths, On controllability of neuronal networks with constraints on the average of control gains. IEEE Trans. Cybern. 44(12), 2670–2681 (2014b) X.F. Wang, Complex networks: topology, dynamics and synchronization. Int. J. Bifurcation Chaos 12(05), 885–916 (2002) X. Wang, G. Chen, Pinning control of scale-free dynamical networks. Phys. A Stat. Mech. Appl. 310(3), 521–531 (2002) T. Wang, H. Gao, J. Qiu, A combined adaptive neural network and nonlinear model predictive control for multirate networked industrial process control. IEEE Trans. Neural Netw. Learn. Syst. (2015). https://doi.org/10.1109/TNNLS.2015.2411671 D.J. Watts, S.H. Strogatz, Collective dynamics of ‘small-world’ networks. Nature 393(6684), 440–442 (1998) W. Wu, Synchronization in arrays of coupled nonlinear systems with delay and nonreciprocal time-varying coupling. IEEE Trans. Circuits Syst. 
Express Briefs 52(5), 282–286 (2005) C. Wu, L.O. Chua, Synchronization in an array of linearly coupled dynamical systems. IEEE Trans. Circuits Syst. I Fund. Theory Appl. 42(8), 430–447 (1995) X. Wu, W. Zheng, J. Zhou, Generalized outer synchronization between complex dynamical networks. Chaos Interdisciplinary J. Nonlinear Sci. 19(1), 013109 (2009) W. Yu, G. Chen, J. Lü, On pinning synchronization of complex dynamical networks. Automatica 45(2), 429–435 (2009) T. Yang, Impulsive systems and control: theory and applications (Nova Science Publishers, Inc., New York, 2001) Z.C. Yang, D. Xu, Stability analysis of delay neural networks with impulsive effects. IEEE Trans. Circuits Syst. II Express Briefs 52(8), 517–521 (2005) X. Yang, J. Cao, J. Lu, Stochastic synchronization of complex networks with nonidentical nodes via hybrid adaptive and impulsive control. IEEE Trans. Circuits Syst. I Regul. Pap. 59(2), 371– 384 (2012) X. Yang, J. Cao, J. Lu, Synchronization of randomly coupled neural networks with Markovian jumping and time-delay. IEEE Trans. Circuits Syst I. Regul. Pap. 60(2), 363–376 (2013) A. Zheleznyak, L.O. Chua, Coexistence of low-and high-dimensional spatiotemporal chaos in a chain of dissipatively coupled Chua’s circuits. Int. J. Bifurcation Chaos 4(03), 639–674 (1994) J. Zhou, Q. Wu, Exponential stability of impulsive delayed linear differential equations. IEEE Trans. Circuits Syst. II Express Briefs 56(9), 744–748 (2009) W. Zhang, Y. Tang, Q. Miao, W. Du, Exponential synchronization of coupled switched neural networks with mode-dependent impulsive effects. IEEE Trans. Neural Netw. Learn. Syst. 24(8), 1316–1326 (2013) J. Zhong, J. Lu, Y. Liu, J. Cao, Synchronization in an array of output-coupled Boolean networks with time delays. IEEE Trans. Neural Netw. Learn. Syst. 25(12), 2288–2294 (2014) Z. Zuo, J. Zhang, Y. Wang, Adaptive fault tolerant tracking control for linear and Lipschitz nonlinear multi-agent systems. IEEE Trans. Ind. Electron. 
62(6), 3923–3931 (2015)

43 Time-Varying Formation Control Under Switching Interaction Topologies: Theories and Applications

Xiwang Dong, Yongzhao Hua, Zixuan Liang, Qingdong Li, and Zhang Ren

Contents
1 Introduction
2 Preliminaries and Problem Description
2.1 Basic Concepts and Results on Graph Theory
2.2 Problem Description
3 Time-Varying Formation Analysis
4 Time-Varying Formation Feasibility and Protocol Design
5 Simulation and Experimental Results
5.1 Numerical Simulation for High-Order Linear Swarm System
5.2 Quadrotor Formation Platform
5.3 Simulations and Experiments for Quadrotor Swarm Systems
6 Conclusions
References

This work was supported by the National Natural Science Foundation of China under Grants 61873011 and 61803014, the Beijing Natural Science Foundation under Grant 4182035, the Young Elite Scientists Sponsorship Program by CAST under Grant 2017QNRC001, the Aeronautical Science Foundation of China under Grants 2016ZA51005 and 20170151001, the Special Research Project of Chinese Civil Aircraft, the Key Laboratory of System Control and Information Processing, Ministry of Education, and the Fundamental Research Funds for the Central Universities under Grant YWF-18-BJ-Y-73. Part materials of this chapter have been published in Dong et al. 2014 and Dong et al. 2016 and have obtained the necessary permission from the copyright holders.

X. Dong
School of Automation Science and Electrical Engineering, Science and Technology on Aircraft Control Laboratory, Beihang University, Beijing, P.R. China
Key Laboratory of System Control and Information Processing, Ministry of Education, Shanghai, P.R. China
Beijing Advanced Innovation Center for Big Data and Brain Computing, Beihang University, Beijing, P.R. China
e-mail: [email protected]

Y. Hua · Q. Li · Z. Ren
School of Automation Science and Electrical Engineering, Science and Technology on Aircraft Control Laboratory, Beihang University, Beijing, P.R. China

Z. Liang
School of Aerospace Engineering, Beijing Institute of Technology, Beijing, P.R. China
e-mail: [email protected]; [email protected]

© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_30

Abstract

Distributed control is one typical form of real-time control, and the unmanned aerial vehicle (UAV) swarm system belongs to the real-time systems. This chapter is focused on designing distributed time-varying formation control protocols for swarm systems with switching interaction topologies. A distributed formation control protocol is firstly constructed using neighboring relative information. Convergence conditions of the constructed protocols on the high-order linear time-invariant swarm systems are proposed together with the formation feasibility conditions. An algorithm to design the distributed time-varying formation control protocol under switching interaction topologies is presented. Moreover, the proposed distributed time-varying formation control protocol is applied to deal with the time-varying formation control problems for the UAV swarm system. A formation control platform consisting of four quadrotor UAVs is introduced. Finally, both numerical and experimental results are presented to demonstrate the effectiveness of the designed distributed time-varying formation control protocol.

Keywords

Formation control · Time-varying formation · Unmanned aerial vehicle (UAV) · Formation feasibility · High-order · Switching interaction topology · Swarm system

1 Introduction

Real-time systems find application in command and control systems, process control, flight control, avionics, defense systems, vision and robotics, etc. As one of the important topics in real-time control, formation control of swarm systems has attracted considerable attention due to its broad potential applications in civilian and military areas such as load transportation (Bai and Wen 2010), radiation detection and contour mapping (Han et al. 2013), target search and localization (Pack et al. 2009), reconnaissance (Kopfstedt et al. 2008), surveillance (Nigam et al. 2012), telecommunication relay (Sivakumar and Tan 2010), and so on. In the past decades, several formation control approaches have been proposed in the robotics community, such as behavior-based (Balch and Arkin 1998), leader-follower (Desai et al. 2001), and virtual structure-based (Lewis and Tan 1997) approaches. However, Beard et al. (2001) pointed out that behavior-, leader-follower-, and virtual structure-based formation control approaches have their own weaknesses. For example, behavior-based approaches are difficult to analyze mathematically, and leader-follower approaches lack robustness due to the existence of the leader, just to name a few.

In recent years, consensus for linear time-invariant (LTI) swarm systems has been studied extensively (see, e.g., Olfati-Saber and Murray 2004; Ren and Beard 2005; Lin and Jia 2008; Xiao and Wang 2007; Ma and Zhang 2010; Li et al. 2010; Dong et al. 2013; You et al. 2013 and references therein). With the development of consensus theory, more and more researchers find that consensus approaches can be used to deal with formation control problems. Using consensus-based approaches, Ren (2007) discussed formation control problems for second-order swarm systems. Besides, Ren revealed that behavior-, leader-follower-, and virtual structure-based approaches can be treated as special cases of consensus-based approaches and pointed out that the weaknesses of these approaches can be overcome. In Ren and Sorensen (2008), a consensus-based formation control strategy was applied to a multi-robot swarm system. Xiao et al. (2009) investigated finite-time formation control problems for first-order swarm systems based on consensus approaches. Sufficient conditions for second-order swarm systems with undirected interaction topologies to achieve formations were presented in Xie and Wang (2009). Consensus-based formation control problems for second-order swarm systems with time delays were addressed in Liu and Tian (2009). Chen et al. (2008) discussed formation control problems for first-order and second-order swarm systems with bounded input, disturbance, and time delays.
In practical applications, many swarm systems are of high order, so formation control problems for high-order swarm systems make more sense. Based on consensus approaches, Lafferriere et al. (2005) proposed a necessary and sufficient condition for swarm systems with a special high-order LTI model, which can be regarded as a series of second-order models, to achieve formations. Fax and Murray (2004) discussed formation stability problems for general high-order LTI swarm systems. Formation stability problems for general high-order LTI swarm systems with fixed and periodic switching undirected interaction topologies were studied in Porfiri et al. (2007). However, both Fax and Murray (2004) and Porfiri et al. (2007) only considered formation stability problems and did not consider the formation feasibility problems. For a swarm system, whether or not a given formation is feasible is a crucial problem. For general high-order LTI swarm systems, Ma and Zhang (2012) proposed a necessary and sufficient condition for formation feasibility. But the formation considered in Ma and Zhang (2012) is time-invariant, and the feasible formation set is very limited. Moreover, the interaction topologies in Ma and Zhang (2012) are assumed to be fixed.

Another hot research branch on formation control is its applications to different practical swarm systems, especially the unmanned aerial vehicle (UAV) swarm systems. For UAV swarm systems to achieve time-invariant formations, Abdessameud and Tayebi (2011) presented a consensus-based formation controller with time delays for UAV swarm systems. A consensus approach and an output feedback linearization method were used together to investigate the formation control problems of UAV swarm systems in Seo et al. (2012). The theoretical results in Abdessameud and Tayebi (2011) and Seo et al. (2012) were validated by numerical simulations. Indoor time-invariant formation flight experiments for quadrotor swarm systems can be found in Turpin et al. (2012). It should be pointed out that the formations in Abdessameud and Tayebi (2011), Seo et al. (2012), and Turpin et al. (2012) are time-invariant. Dong et al. (2015) studied time-varying formation control problems for UAV swarm systems and showed experimental formation flight results using five quadrotors. However, in Abdessameud and Tayebi (2011), Seo et al. (2012), Turpin et al. (2012), and Dong et al. (2015), it is assumed that the interaction topologies among the UAVs are fixed. It is well known that in practical applications, the interaction topologies may be switching due to the failure and creation of interaction channels among agents. When interaction topologies are switching, both the analysis and design for cooperative control of swarm systems become much more complicated and challenging than in the fixed case (Ni and Cheng 2010). Therefore, it is significant to consider the effects of switching topologies on the time-varying formation control of swarm systems.

In this chapter, distributed time-varying formation control theory and application problems for general high-order LTI swarm systems with switching interaction topologies are dealt with. Firstly, a distributed time-varying formation control protocol is constructed using neighboring relative information. Then convergence analysis on the constructed formation control protocol to realize the time-varying formation is carried out. An algorithm to design the distributed time-varying formation control protocol for swarm systems with switching interaction topologies to achieve time-varying formation is proposed.
Finally, the designed distributed protocol is applied to solve the time-varying formation control problems for UAV swarm systems. Both numerical and experimental results are provided to demonstrate the effectiveness of the theory. Note that the formation control protocol is a real-time controller relying on the continuous neighboring feedback. The proposed real-time formation control protocol is applied to UAV swarm systems and implemented by the online digital signal processor (DSP). Therefore, both the topic and content of this chapter are highly relevant to real-time systems.

The rest of this chapter is organized as follows. In Sect. 2, basic concepts and useful results on graph theory are introduced, and the problem to be investigated is formulated. In Sect. 3, necessary and sufficient conditions to achieve time-varying formation are presented. In Sect. 4, necessary and sufficient conditions for formation feasibility are proposed, and an algorithm to design the protocol is given. Simulation and experimental results are shown in Sect. 5. Finally, Sect. 6 concludes the whole work.

Throughout this chapter, for simplicity of notation, let $0$ denote zero matrices of appropriate size with zero vectors and zero number as special cases and $1_N$ be a column vector of size $N$ with 1 as its elements. Let $I_N$ represent an identity matrix with dimension $N$ and $\otimes$ denote Kronecker product.

2 Preliminaries and Problem Description

In this section, basic concepts and results on graph theory are introduced, and the problem description is presented.

2.1 Basic Concepts and Results on Graph Theory

An undirected graph $G$ consists of a node set $Q = \{q_1, q_2, \cdots, q_N\}$, an edge set $E \subseteq \{(q_i, q_j) : q_i, q_j \in Q, i \neq j\}$, and a symmetric adjacency matrix $W = [w_{ij}] \in \mathbb{R}^{N \times N}$ with nonnegative elements $w_{ij}$. An edge of $G$ is denoted by $q_{ij} = (q_i, q_j)$. The adjacency elements associated with the edges of $G$ are positive, i.e., $w_{ji} > 0$ if and only if $q_{ij} \in E$. Moreover, $w_{ii} = 0$ for all $i \in \{1, 2, \cdots, N\}$. The set of neighbors of node $q_i$ is denoted by $N_i = \{q_j \in Q : (q_j, q_i) \in E\}$. The in-degree of node $q_i$ is defined as $\deg_{in}(q_i) = \sum_{j=1}^{N} w_{ij}$. The degree matrix of $G$ is denoted by $D = \mathrm{diag}\{\deg_{in}(q_i), i = 1, 2, \cdots, N\}$. The Laplacian matrix of $G$ is defined as $L = D - W$. An undirected graph is said to be connected if there is a path from each node to every other node. More details on graph theory can be found in Godsil and Royle (2001). The following lemma is useful in analyzing formation problems of swarm systems.

Lemma 1 (Godsil and Royle 2001). Let $L \in \mathbb{R}^{N \times N}$ be the Laplacian matrix of an undirected graph $G$, then (i) $L$ has at least one zero eigenvalue, and $1_N$ is the associated eigenvector; that is, $L 1_N = 0$; (ii) If $G$ is connected, then 0 is a simple eigenvalue of $L$, and all the other $N - 1$ eigenvalues are real and positive.

2.2 Problem Description

Consider a swarm system with $N$ agents. Suppose that each agent has the LTI dynamics described by

$$\dot{x}_i(t) = A x_i(t) + B u_i(t), \tag{1}$$

where $i = 1, 2, \cdots, N$, $x_i(t) \in \mathbb{R}^n$ is the state, and $u_i(t) \in \mathbb{R}^m$ is the control input. The interaction topology of the swarm system can be described by an undirected graph $G$, and each agent can be treated as a node in $G$. For $i, j \in \{1, 2, \cdots, N\}$, the interaction channel from agent $i$ to agent $j$ is denoted by the edge $q_{ij}$, and the corresponding interaction strength is denoted by $w_{ji}$.

Assumption 1. $B$ is of full column rank.

A time-varying formation is specified by a vector $h(t) = [h_1^T(t), h_2^T(t), \cdots, h_N^T(t)]^T \in \mathbb{R}^{nN}$ with $h_i(t)$ $(i = 1, 2, \cdots, N)$ piecewise continuously differentiable.

Definition 1. Swarm system (1) is said to achieve time-varying formation $h(t)$ if there exists a vector-valued function $r(t) \in \mathbb{R}^n$ such that

$$\lim_{t \to \infty} \left(x_i(t) - h_i(t) - r(t)\right) = 0 \quad (i = 1, 2, \cdots, N),$$

where $r(t)$ is called a formation reference function.

Remark 1. The formation definition specified by vectors has been used a lot in previous works on formation control such as Ren (2007), Ren and Sorensen (2008), Xie and Wang (2009), Chen et al. (2008), Lafferriere et al. (2005), Porfiri et al. (2007), etc. Definition 1 presents a general framework, and it can be verified that the definitions in Ren (2007), Ren and Sorensen (2008), Xie and Wang (2009), Chen et al. (2008), Lafferriere et al. (2005), and Porfiri et al. (2007) can be treated as special cases of Definition 1.

Definition 2. If there exist control inputs $u_i(t)$ $(i = 1, 2, \cdots, N)$ such that swarm system (1) achieves time-varying formation $h(t)$, then the formation $h(t)$ is feasible for swarm system (1).

Definition 3. Swarm system (1) is said to achieve consensus if there exists a vector-valued function $c(t) \in \mathbb{R}^n$ such that

$$\lim_{t \to \infty} \left(x_i(t) - c(t)\right) = 0 \quad (i = 1, 2, \cdots, N),$$

where $c(t)$ is called a consensus function.

Remark 2. Definitions 1 and 3 imply that consensus problem is just a special case of formation problem in which $h(t) \equiv 0$ and the consensus function is equivalent to the formation reference function. Therefore, the results in this paper can be applied to deal with consensus problems for high-order LTI swarm systems with switching interaction topologies.

Consider the following distributed formation control protocol with time-varying interaction topologies:

$$u_i(t) = K_1 x_i(t) + K_2 \left(x_i(t) - h_i(t)\right) + K_3 \sum_{j \in N_i(t)} w_{ij}(t) \left(\left(x_j(t) - h_j(t)\right) - \left(x_i(t) - h_i(t)\right)\right) + v_i(t), \tag{2}$$

where $i = 1, 2, \cdots, N$; $K_1$, $K_2$, and $K_3$ are constant gain matrices with appropriate dimensions; $N_i(t)$ are the time-varying neighbor sets; and $v_i(t) \in \mathbb{R}^m$ denote the external command inputs that depend on $h_i(t)$.

Remark 3. Protocol (2) provides a general framework for consensus-based formation protocols. Protocols considered in Ren (2007), Ren and Sorensen (2008), Xie and Wang (2009), Lafferriere et al. (2005), Porfiri et al. (2007), etc. can be regarded as special cases of protocol (2). In protocol (2), gain matrices $K_1$, $K_2$, and $K_3$ and vectors $v_i(t)$ $(i = 1, 2, \cdots, N)$ have their corresponding roles. $K_1$ and $v_i(t)$ $(i = 1, 2, \cdots, N)$ are used to expand the set of feasible time-varying formation $h(t)$. $K_2$ and $K_3$ can be used to assign the motion modes (see Kailath 1980) of the formation reference and ensure that the states of all agents achieve the desired formation, respectively. It should be pointed out that $K_1$, $K_2$, and $v_i(t)$ $(i = 1, 2, \cdots, N)$ are not necessary for some time-varying formations.

Consider the case that the interaction topologies are switching. Let the finite set $\bar{S}$ denote all the possible interaction topologies with an index set $\bar{I} \subset \mathbb{N}$, where $\mathbb{N}$ represents the set of natural numbers. Let $\sigma(t) : [0, +\infty) \to \bar{I}$ be a switching signal whose value at time $t$ is the index of the topology at time $t$, and let $G_{\sigma(t)}$ and $L_{\sigma(t)}$ stand for the corresponding interaction topology and Laplacian matrix, respectively.

Assumption 2. The switching time $t_i$ $(i \in \mathbb{N})$ satisfies that $0 < t_1 < \cdots < t_k < \cdots$ and $\inf_k (t_{k+1} - t_k) = T_d > 0$.

Assumption 3. All interaction topologies in $\bar{S}$ are connected.

Definition 4. A time-varying formation $h(t)$ is feasible for swarm system (1) under protocol (2), if there exist $K_i$ $(i = 1, 2, 3)$ and $v_i(t)$ $(i = 1, 2, \cdots, N)$ such that it can be achieved.

Let $x(t) = [x_1^T(t), x_2^T(t), \cdots, x_N^T(t)]^T$ and $v(t) = [v_1^T(t), v_2^T(t), \cdots, v_N^T(t)]^T$. Under protocol (2), swarm system (1) can be written in a compact form as follows:

$$\dot{x}(t) = \left(I_N \otimes (A + BK_1 + BK_2) - L_{\sigma(t)} \otimes BK_3\right) x(t) + \left(L_{\sigma(t)} \otimes BK_3 - I_N \otimes BK_2\right) h(t) + (I_N \otimes B) v(t). \tag{3}$$

The current paper mainly focuses on the following three problems for swarm system (3) with switching interaction topologies: (i) under what conditions the time-varying formation $h(t)$ can be achieved; (ii) under what conditions a time-varying formation $h(t)$ is feasible; and (iii) how to design protocol (2) to achieve time-varying formation $h(t)$.

3 Time-Varying Formation Analysis

In this section, firstly, necessary and sufficient conditions for swarm system (3) with switching interaction topologies to achieve time-varying formation $h(t)$ are presented. Then an explicit expression of the formation reference function is given.

Let $z_i(t) = x_i(t) - h_i(t)$ and $z(t) = [z_1^T(t), z_2^T(t), \cdots, z_N^T(t)]^T$. Then swarm system (3) with switching interaction topologies can be rewritten as

$$\dot{z}(t) = \left(I_N \otimes (A + BK_1 + BK_2) - L_{\sigma(t)} \otimes BK_3\right) z(t) + (I_N \otimes B) v(t) + \left(I_N \otimes (A + BK_1)\right) h(t) - (I_N \otimes I_n) \dot{h}(t). \tag{4}$$

The following lemma holds directly.

Lemma 2. Swarm system (3) with switching interaction topologies achieves time-varying formation $h(t)$ if and only if swarm system (4) achieves consensus.

Let $U = [\bar{u}_1, \bar{u}_2, \cdots, \bar{u}_N]$ be an orthogonal constant matrix with $\bar{u}_1 = 1_N / \sqrt{N}$, then one gets $U^T L_{\sigma(t)} U = \mathrm{diag}\{0, \tilde{U}^T L_{\sigma(t)} \tilde{U}\}$, where $\tilde{U} = [\bar{u}_2, \bar{u}_3, \cdots, \bar{u}_N]$. Let $\theta(t) = (\bar{u}_1^T \otimes I_n) z(t)$ and $\varsigma(t) = (\tilde{U}^T \otimes I_n) z(t)$, then swarm system (4) can be transformed into

$$\dot{\theta}(t) = (A + BK_1 + BK_2)\, \theta(t) + \frac{1}{\sqrt{N}} (1_N^T \otimes B) v(t) + \frac{1}{\sqrt{N}} \left(1_N^T \otimes (A + BK_1)\right) h(t) - \frac{1}{\sqrt{N}} (1_N^T \otimes I_n) \dot{h}(t), \tag{5}$$

$$\dot{\varsigma}(t) = \left(I_{N-1} \otimes (A + BK_1 + BK_2) - (\tilde{U}^T L_{\sigma(t)} \tilde{U}) \otimes BK_3\right) \varsigma(t) + (\tilde{U}^T \otimes B) v(t) + \left(\tilde{U}^T \otimes (A + BK_1)\right) h(t) - (\tilde{U}^T \otimes I_n) \dot{h}(t). \tag{6}$$

The following theorem presents a necessary and sufficient condition for swarm system (3) to achieve formation $h(t)$.

Theorem 1. Swarm system (3) with switching interaction topologies achieves time-varying formation $h(t)$ if and only if

$$\lim_{t \to \infty} \varsigma(t) = 0.$$

Proof. Let

$$z_C(t) = \frac{1}{\sqrt{N}} 1_N \otimes \theta(t), \tag{7}$$

$$z_{\bar{C}}(t) = z(t) - z_C(t). \tag{8}$$

Let $e_1 \in \mathbb{R}^N$ be a vector with 1 as its first component and 0 elsewhere. Note that $[\theta^T(t), 0]^T = e_1 \otimes \theta(t)$, one has

$$z_C(t) = (U \otimes I_n) [\theta^T(t), 0]^T. \tag{9}$$

Since $[\theta^T(t), \varsigma^T(t)]^T = (U^T \otimes I_n) z(t)$, by (7), (8), and (9), it can be obtained that

$$z_{\bar{C}}(t) = (U \otimes I_n) [0, \varsigma^T(t)]^T. \tag{10}$$

Due to the fact that $U^T \otimes I_n$ is nonsingular, by (9) and (10), one knows that $z_C(t)$ and $z_{\bar{C}}(t)$ are linearly independent. Therefore, from (7) and (8), one sees that the subsystems with states $z_C(t)$ and $z_{\bar{C}}(t)$ describe the consensus dynamics and disagreement dynamics of swarm system (4), respectively. From Lemma 2, it follows that swarm system (3) achieves time-varying formation $h(t)$ if and only if $\lim_{t \to \infty} z_{\bar{C}}(t) = 0$; that is, $\lim_{t \to \infty} \varsigma(t) = 0$. This completes the proof.

Remark 4. Xie and Wang (2009) studied formation problems for second-order swarm systems with fixed undirected interaction topologies and proposed a sufficient condition for swarm systems to achieve constant formation. It can be verified by Theorem 1 that the problem in Xie and Wang (2009) is a special case of the current paper, and the condition in Theorem 3.1 of Xie and Wang (2009) is not only sufficient but also necessary.

In the sequel, based on the above analysis, an explicit expression of the formation reference function is given.

Theorem 2. If swarm system (3) achieves time-varying formation $h(t)$, then

$$\lim_{t \to \infty} \left(r(t) - r_0(t) - r_v(t) - r_h(t)\right) = 0,$$

where

$$r_0(t) = e^{(A + BK_1 + BK_2) t} \left(\frac{1}{N} \sum_{i=1}^{N} x_i(0)\right),$$

$$r_v(t) = \int_0^t e^{(A + BK_1 + BK_2)(t - \tau)} B \left(\frac{1}{N} \sum_{i=1}^{N} v_i(\tau)\right) d\tau,$$

$$r_h(t) = -\frac{1}{N} \sum_{i=1}^{N} h_i(t) - \int_0^t e^{(A + BK_1 + BK_2)(t - \tau)} BK_2 \left(\frac{1}{N} \sum_{i=1}^{N} h_i(\tau)\right) d\tau.$$
Proof. If swarm system (3) achieves formation $h(t)$, then $\lim_{t \to \infty} \varsigma(t) = 0$. From (7) to (10), one has

$$\lim_{t \to \infty} \left(z_i(t) - \frac{1}{\sqrt{N}} \theta(t)\right) = 0. \tag{11}$$

It can be shown that

$$\theta(0) = \frac{1}{\sqrt{N}} \left(1_N^T \otimes I_n\right) z(0) = \frac{1}{\sqrt{N}} \left(1_N^T \otimes I_n\right) \left(x(0) - h(0)\right), \tag{12}$$

and

$$\int_0^t e^{(A + BK_1 + BK_2)(t - \tau)} (\bar{u}_1^T \otimes I_n) \dot{h}(\tau)\, d\tau = (\bar{u}_1^T \otimes I_n) h(t) - e^{(A + BK_1 + BK_2) t} (\bar{u}_1^T \otimes I_n) h(0) + \int_0^t e^{(A + BK_1 + BK_2)(t - \tau)} \left(\bar{u}_1^T \otimes (A + BK_1 + BK_2)\right) h(\tau)\, d\tau. \tag{13}$$

From (5) and (11), (12), and (13), the conclusion of Theorem 2 can be obtained.

Remark 5. In Theorem 2, $r_0(t)$ is said to be the consensus function which describes the formation reference of the swarm system without $v(t)$ and $h(t)$. $r_v(t)$ and $r_h(t)$ describe the impacts of $v(t)$ and $h(t)$, respectively. If $h(t) \equiv 0$, $r(t)$ becomes the explicit expression of the consensus function. Moreover, from Theorem 2, one sees that the switching interaction topologies have no effect on $r(t)$ and $K_2$ can be used to design the motion modes of the formation reference.

4 Time-Varying Formation Feasibility and Protocol Design

In this section, firstly, necessary and sufficient conditions for time-varying formation feasibility are presented. Then an algorithm to design the protocol for swarm systems with switching topologies to achieve time-varying formation is given.

By Assumption 1, there exists a nonsingular matrix $\hat{B} = [\bar{B}^T, \tilde{B}^T]^T$ with $\bar{B} \in \mathbb{R}^{m \times n}$ and $\tilde{B} \in \mathbb{R}^{(n-m) \times n}$ such that $\bar{B} B = I_m$ and $\tilde{B} B = 0$.

Theorem 3. A time-varying formation $h(t)$ is feasible for swarm system (3) with any bounded initial states if and only if the following conditions hold simultaneously:

(i) For $\forall i \in \{1, 2, \cdots, N\}$,

$$\lim_{t \to \infty} \left(\tilde{B} A \left(h_i(t) - h_j(t)\right) - \tilde{B} \left(\dot{h}_i(t) - \dot{h}_j(t)\right)\right) = 0, \quad j \in N_i(t); \tag{14}$$

(ii) The following system is asymptotically stable:

$$\dot{\varphi}(t) = \left(I_{N-1} \otimes (A + BK_1 + BK_2) - (\tilde{U}^T L_{\sigma(t)} \tilde{U}) \otimes BK_3\right) \varphi(t). \tag{15}$$

Proof. Necessity: If a time-varying formation $h(t)$ is feasible for swarm system (3), then there exist $K_i$ $(i = 1, 2, 3)$ and $v(t)$ such that the formation $h(t)$ is achieved; that is,

$$\lim_{t \to \infty} \left(z_i(t) - c(t)\right) = 0 \quad (i = 1, 2, \cdots, N). \tag{16}$$

From Theorem 1 and (6), one knows the facts that

$$\lim_{t \to \infty} \left(\left(\tilde{U}^T \otimes (A + BK_1)\right) h(t) - (\tilde{U}^T \otimes I_n) \dot{h}(t) + (\tilde{U}^T \otimes B) v(t)\right) = 0 \tag{17}$$

and that the system described by (15) is asymptotically stable are necessary conditions for (16). Hence, condition (ii) is required. Let $\tilde{U}^T = [\hat{U}, \hat{u}]$ with $\hat{U} \in \mathbb{R}^{(N-1) \times (N-1)}$ and $\hat{u} \in \mathbb{R}^{(N-1) \times 1}$. Since $\mathrm{rank}(\tilde{U}^T) = N - 1$, without loss of generality, it is assumed that $\mathrm{rank}(\hat{U}) = N - 1$. From (17), one gets

$$\lim_{t \to \infty} \left(\left([\hat{U}, \hat{u}] \otimes (A + BK_1)\right) h(t) - \left([\hat{U}, \hat{u}] \otimes I_n\right) \dot{h}(t) + \left([\hat{U}, \hat{u}] \otimes B\right) v(t)\right) = 0. \tag{18}$$

Note that $\tilde{U}^T 1_N = 0$; it follows that

$$\hat{u} = -\hat{U} 1_{N-1}. \tag{19}$$

Let $\bar{h}(t) = [h_1^T(t), h_2^T(t), \cdots, h_{N-1}^T(t)]^T$ and $\bar{v}(t) = [v_1^T(t), v_2^T(t), \cdots, v_{N-1}^T(t)]^T$. From (18) and (19), one has

$$\lim_{t \to \infty} \left(\hat{U} \otimes I_n\right) \left(\bar{h} - h_N\right) = 0, \tag{20}$$

where

$$\bar{h} = \left(I_{N-1} \otimes (A + BK_1)\right) \bar{h}(t) - (I_{N-1} \otimes I_n) \dot{\bar{h}}(t) + (I_{N-1} \otimes B) \bar{v}(t),$$

$$h_N = \left(1_{N-1} \otimes (A + BK_1)\right) h_N(t) - (1_{N-1} \otimes I_n) \dot{h}_N(t) + (1_{N-1} \otimes B) v_N(t).$$

Since $\hat{U}$ is nonsingular, from (20), it follows that for $\forall i \in \{1, 2, \cdots, N - 1\}$

$$\lim_{t \to \infty} \left((A + BK_1) \left(h_i(t) - h_N(t)\right) - \left(\dot{h}_i(t) - \dot{h}_N(t)\right) + B \left(v_i(t) - v_N(t)\right)\right) = 0. \tag{21}$$

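Equation (21) implies that for $\forall i \in \{1, 2, \cdots, N\}$ and $j \in N_i(t)$

$$\lim_{t \to \infty} \left((A + BK_1) \left(h_i(t) - h_j(t)\right) - \left(\dot{h}_i(t) - \dot{h}_j(t)\right) + B \left(v_i(t) - v_j(t)\right)\right) = 0. \tag{22}$$

Pre-multiplying both sides of (22) by $\hat{B}$ results in

$$\lim_{t \to \infty} \left(\bar{B}(A + BK_1) \left(h_i(t) - h_j(t)\right) - \bar{B} \left(\dot{h}_i(t) - \dot{h}_j(t)\right) + v_i(t) - v_j(t)\right) = 0, \tag{23}$$

and

$$\lim_{t \to \infty} \left(\tilde{B} A \left(h_i(t) - h_j(t)\right) - \tilde{B} \left(\dot{h}_i(t) - \dot{h}_j(t)\right)\right) = 0. \tag{24}$$

Choosing appropriate $v(t)$ can guarantee (23) holds for all $i, j \in \{1, 2, \cdots, N\}$. From (24), one knows that condition (i) is necessary.

Sufficiency: If condition (i) holds for time-varying formation $h(t)$, one has that for $\forall i \in \{1, 2, \cdots, N\}$ and $j \in N_i(t)$

$$\lim_{t \to \infty} \left(\tilde{B}(A + BK_1) \left(h_i(t) - h_j(t)\right) - \tilde{B} \left(\dot{h}_i(t) - \dot{h}_j(t)\right)\right) = 0. \tag{25}$$

For $\forall i, j \in \{1, 2, \cdots, N\}$, one can find $v_i(t) - v_j(t)$ satisfying (23). From (23) and (25), it can be shown that

$$\lim_{t \to \infty} \left(\hat{B}(A + BK_1) \left(h_i(t) - h_j(t)\right) - \hat{B} \left(\dot{h}_i(t) - \dot{h}_j(t)\right) + \hat{B} B \left(v_i(t) - v_j(t)\right)\right) = 0. \tag{26}$$

Pre-multiplying both sides of (26) by $\hat{B}^{-1}$, one has

$$\lim_{t \to \infty} \left((A + BK_1) \left(h_i(t) - h_j(t)\right) - \left(\dot{h}_i(t) - \dot{h}_j(t)\right) + B \left(v_i(t) - v_j(t)\right)\right) = 0. \tag{27}$$

From (27), one knows

$$\lim_{t \to \infty} \left(\left(L_{\sigma(t)} \otimes (A + BK_1)\right) h(t) - \left(L_{\sigma(t)} \otimes I_n\right) \dot{h}(t) + \left(L_{\sigma(t)} \otimes B\right) v(t)\right) = 0. \tag{28}$$

Substituting $L_{\sigma(t)} = U \mathrm{diag}\{0, \tilde{U}^T L_{\sigma(t)} \tilde{U}\} U^T$ into (28) and pre-multiplying both sides of (28) by $U^T \otimes I_n$ lead to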

$$\lim_{t \to \infty} \left((\tilde{U}^T L_{\sigma(t)} \tilde{U}) \otimes I_n\right) \left(\left(\tilde{U}^T \otimes (A + BK_1)\right) h(t) - \left(\tilde{U}^T \otimes I_n\right) \dot{h}(t) + \left(\tilde{U}^T \otimes B\right) v(t)\right) = 0. \tag{29}$$

Since the interaction topology is connected, from Lemma 1 and the structure of $U$, one has that $\tilde{U}^T L_{\sigma(t)} \tilde{U}$ is nonsingular and

$$\lim_{t \to \infty} \left(\left(\tilde{U}^T \otimes (A + BK_1)\right) h(t) - \left(\tilde{U}^T \otimes I_n\right) \dot{h}(t) + \left(\tilde{U}^T \otimes B\right) v(t)\right) = 0. \tag{30}$$

Equations (6) and (30) and condition (ii) ensure that $\lim_{t \to \infty} \varsigma(t) = 0$. Then from Theorem 1, one can conclude that the time-varying formation $h(t)$ is feasible for swarm system (3) with any bounded initial states. This completes the proof.

Remark 6. Theorem 3 indicates that the feasibility of the time-varying formation $h(t)$ depends on the dynamics of each agent, switching interaction topologies and external command input $v(t)$. From (23) and (24), one knows that the application of $v(t)$ can expand the set of feasible time-varying formation $h(t)$ and $K_1$ has no direct effect on the feasible set of $h(t)$ when $v(t)$ is applied.

From Theorem 3, the following corollaries can be obtained directly.

Corollary 1. If $v(t) \equiv 0$, a time-varying formation $h(t)$ is feasible for swarm system (3) with any bounded initial states if and only if condition (ii) in Theorem 3 holds, and for $\forall i \in \{1, 2, \cdots, N\}$,

$$\lim_{t \to \infty} \left((A + BK_1) \left(h_i(t) - h_j(t)\right) - \left(\dot{h}_i(t) - \dot{h}_j(t)\right)\right) = 0, \quad j \in N_i(t). \tag{31}$$

Remark 7. From (31), it can be found that $K_1$ can be used to expand the set of feasible time-varying formation $h(t)$ in the case that $v(t) \equiv 0$. Moreover, if $h(t) \equiv 0$, Corollary 1 presents necessary and sufficient conditions for swarm system (3) with switching interaction topologies to achieve consensus.

Corollary 2. If $v(t) \equiv 0$ and the formation is given by a constant vector $h$, then the formation is feasible for swarm system (3) with any bounded initial states if and only if condition (ii) in Theorem 3 holds, and for $\forall i \in \{1, 2, \cdots, N\}$,

$$(A + BK_1)(h_i - h_j) = 0, \quad j \in N_i(t). \tag{32}$$

Remark 8. In Corollary 2, if formation $h$ is feasible for swarm system (3) with switching interaction topologies, then for $\forall i \in \{1, 2, \cdots, N\}$ and $j \in N_i(t)$, $h_i - h_j$ must belong to the right null space of $A + BK_1$. Moreover, $K_1$ can be used to expand the set of feasible formation $h$.

1346

X. Dong et al.

Let $\lambda^i_{\sigma(t)}$ ($i = 1, 2, \cdots, N$) be the eigenvalues of the Laplacian matrix $L_{\sigma(t)}$, where $\lambda^1_{\sigma(t)} = 0$ with the associated eigenvector $\bar u_1 = \mathbf{1}/\sqrt{N}$ and $0 < \lambda^2_{\sigma(t)} \le \cdots \le \lambda^N_{\sigma(t)}$. Let $\lambda_{\min} = \min\{\lambda^i_k\ (\forall k \in \bar I;\ i = 2, 3, \cdots, N)\}$. The following theorem presents an approach to determine $K_3$.

Theorem 4. If condition (i) in Theorem 3 holds and $(A, B)$ is stabilizable, then swarm system (1) achieves time-varying formation $h(t)$ by protocol (2) with $K_3 = \lambda_{\min}^{-1} R_o^{-1} B^T P_o / 2$, where $P_o$ is the positive definite solution to the algebraic Riccati equation

$$P_o (A + BK_1 + BK_2) + (A + BK_1 + BK_2)^T P_o - P_o B R_o^{-1} B^T P_o + Q_o = 0, \tag{33}$$

for $R_o = R_o^T > 0$ and $Q_o = D_o^T D_o \ge 0$ with $(A + BK_1 + BK_2, D_o)$ detectable.

Proof. If $(A, B)$ is stabilizable, so is $(A + BK_1 + BK_2, B)$. Thus, for any given $R_o^T = R_o > 0$ and $Q_o = D_o^T D_o \ge 0$ with $(A + BK_1 + BK_2, D_o)$ detectable, algebraic Riccati equation (33) has a unique solution $P_o^T = P_o > 0$. Consider the following Lyapunov function candidate

$$\bar V(t) = \varphi^T(t) \left( I_{N-1} \otimes P_o \right) \varphi(t). \tag{34}$$

Taking the derivative of $\bar V(t)$ with respect to $t$ along the solution to system (15), one has

$$\dot{\bar V}(t) = \varphi^T(t) \left[ I_{N-1} \otimes \left( (A + BK_1 + BK_2)^T P_o + P_o (A + BK_1 + BK_2) \right) - \left( \tilde U^T L_{\sigma(t)} \tilde U \right) \otimes \left( K_3^T B^T P_o + P_o B K_3 \right) \right] \varphi(t). \tag{35}$$

Since $U^T L_{\sigma(t)} U = \mathrm{diag}\{0, \tilde U^T L_{\sigma(t)} \tilde U\}$ and $U$ is orthogonal, one knows that the eigenvalues of $\tilde U^T L_{\sigma(t)} \tilde U$ are $\lambda^2_{\sigma(t)}, \lambda^3_{\sigma(t)}, \cdots, \lambda^N_{\sigma(t)}$. Note that $\tilde U^T L_{\sigma(t)} \tilde U$ is symmetric, and then there exists an orthogonal matrix $\bar U_{\sigma(t)}$ such that

$$\bar U_{\sigma(t)}^T \tilde U^T L_{\sigma(t)} \tilde U \bar U_{\sigma(t)} = \mathrm{diag}\{\lambda^2_{\sigma(t)}, \lambda^3_{\sigma(t)}, \cdots, \lambda^N_{\sigma(t)}\}. \tag{36}$$

Let $\xi_{\sigma(t)}(t) = \left( \bar U_{\sigma(t)}^T \otimes I_n \right) \varphi(t) = \left[ (\xi^2_{\sigma(t)}(t))^T, (\xi^3_{\sigma(t)}(t))^T, \cdots, (\xi^N_{\sigma(t)}(t))^T \right]^T$. Then by (35) and (36), it can be obtained that

$$\dot{\bar V}(t) = \sum_{i=2}^{N} (\xi^i_{\sigma(t)}(t))^T \left[ (A + BK_1 + BK_2)^T P_o + P_o (A + BK_1 + BK_2) - \lambda^i_{\sigma(t)} \left( K_3^T B^T P_o + P_o B K_3 \right) \right] \xi^i_{\sigma(t)}(t). \tag{37}$$

Substituting $K_3 = \lambda_{\min}^{-1} R_o^{-1} B^T P_o / 2$ into (37), from (33), one has

$$\dot{\bar V}(t) = \sum_{i=2}^{N} (\xi^i_{\sigma(t)}(t))^T \left[ -Q_o + \left( 1 - \lambda^i_{\sigma(t)} \lambda_{\min}^{-1} \right) P_o B R_o^{-1} B^T P_o \right] \xi^i_{\sigma(t)}(t).$$

Because $Q_o^T = Q_o > 0$, $R_o^T = R_o > 0$, and $1 - \lambda^i_{\sigma(t)} \lambda_{\min}^{-1} < 0$, by Assumption 2, one gets that $\dot{\bar V}(t) \equiv 0$ if and only if $\xi^i_{\sigma(t)}(t) \equiv 0$ ($i = 2, 3, \cdots, N$), which means that $\xi_{\sigma(t)}(t) \equiv 0$. Note that $\xi_{\sigma(t)}(t) = \left( \bar U_{\sigma(t)}^T \otimes I_n \right) \varphi(t)$, $\dot{\bar V}(t) \equiv 0$ if and only if $\varphi(t) \equiv 0$. Therefore, system (15) is asymptotically stable. From Theorem 3, one knows that swarm system (1) under protocol (2) achieves time-varying formation $h(t)$. The proof for Theorem 4 is completed.

Based on the above results, an algorithm to design protocol (2) for swarm system (1) to achieve time-varying formation $h(t)$ can be summarized as follows.

Algorithm. For swarm system (3) to achieve time-varying formation $h(t)$, $K_i$ ($i = 1, 2, 3$) and $v_i(t)$ ($i = 1, 2, \cdots, N$) can be designed in the following procedure:

Step 1: Check the feasible condition (14). If it is satisfied, then $v_i(t)$ ($i = 1, 2, \cdots, N$) can be determined by Eq. (23), and $K_1$ can be any constant matrix with appropriate dimension, e.g., $K_1 = 0$; else $h(t)$ is not feasible and stop. If it is required that $v(t) \equiv 0$, solve the feasible condition (31) for $K_1$. If there exists constant gain matrix $K_1$ to satisfy condition (31), then continue; else $h(t)$ is not feasible and stop.

Step 2: Choose $K_2$ to specify the motion modes of the formation reference by assigning the eigenvalues of $A + BK_1 + BK_2$ at the desired locations in the complex plane. Since $(A, B)$ is controllable, the existence of $K_2$ can be guaranteed.

Step 3: Design $K_3$ to make system (15) asymptotically stable using the approach in Theorem 4.

Remark 9. It should be emphasized that by Eq. (23), $v_i(t)$ ($i = 1, 2, \cdots, N$) cannot be uniquely determined. One can first specify a $v_i(t)$ ($i \in \{1, 2, \cdots, N\}$) and then determine the other $v_j(t)$ ($j \in \{1, 2, \cdots, N\}$, $j \ne i$) by Eq. (23).

Theorems 3 and 4 can be applied to deal with the time-varying formation control problems for the UAV swarm system directly. Consider a UAV swarm system consisting of $N$ UAVs. For each of these UAVs, since the trajectory dynamics has much larger time constants than the attitude dynamics, the formation control can be decoupled into an inner-loop control and an outer-loop control. In this case, the inner-loop controller stabilizes the attitude, and the outer-loop controller is used to drive the UAV toward the desired position (Dong et al. 2015; Bayezit and Fidan 2013 and Karimoddini et al. 2013). The current chapter is mainly concerned with the formation control problems in the outer loop, and the inner loop can be controlled by the PD controller in Tayebi and McGilvray (2006). As shown in Seo et al. (2012); Dong et al. (2015) and Wang and Xin (2013), the outer-loop dynamics of UAV $i$, $i \in \{1, 2, \cdots, N\}$ can be approximately described by

$$\begin{cases} \dot x_i(t) = v_i(t), \\ \dot v_i(t) = u_i(t), \end{cases} \tag{38}$$

where $x_i(t) \in \mathbb{R}^q$, $v_i(t) \in \mathbb{R}^q$, and $u_i(t) \in \mathbb{R}^q$ denote the position, velocity, and control input vectors of UAV $i$, respectively. In the following, for the convenience of description, let $q = 1$ if not otherwise specified. However, all the results hereafter can be directly extended to the higher dimensional case by using Kronecker product. Define $\xi_i(t) = [x_i(t), v_i(t)]^T$, $B_1 = [1, 0]^T$ and $B_2 = [0, 1]^T$. Then UAV swarm system (38) can be rewritten as

$$\dot \xi_i(t) = B_1 B_2^T \xi_i(t) + B_2 u_i(t). \tag{39}$$

Denote by $h(t) = [h_1^T(t), h_2^T(t), \cdots, h_N^T(t)]^T \in \mathbb{R}^{2N}$ the time-varying formation, where $h_i(t) = [h_{ix}(t), h_{iv}(t)]^T$ ($i = 1, 2, \cdots, N$) are piecewise continuously differentiable vectors. For the $i$th UAV ($i \in \{1, 2, \cdots, N\}$), consider the following time-varying formation control protocol with switching interaction topologies

$$u_i(t) = \bar K_1 \left( \xi_i(t) - h_i(t) \right) + \bar K_2 \sum_{j \in N^i_{\sigma(t)}} w_{ij} \left[ \left( \xi_j(t) - h_j(t) \right) - \left( \xi_i(t) - h_i(t) \right) \right] + \dot h_{iv}(t), \tag{40}$$

where $\bar K_1 \in \mathbb{R}^{1 \times 2}$ and $\bar K_2 \in \mathbb{R}^{1 \times 2}$ are constant gain matrices. Based on Theorems 3 and 4, the following corollaries can be obtained directly.

Corollary 3. UAV swarm system (38) with switching interaction topologies achieves time-varying formation $h(t)$ if and only if

(i) For all $i \in \{1, 2, \cdots, N\}$

$$\lim_{t\to\infty} \left[ \left( h_{iv}(t) - h_{jv}(t) \right) - \left( \dot h_{ix}(t) - \dot h_{jx}(t) \right) \right] = 0, \quad j \in N^i_{\sigma(t)}; \tag{41}$$

(ii) The following switched linear system is asymptotically stable

$$\dot \theta(t) = \left[ I_{N-1} \otimes \left( B_2 \bar K_1 + B_1 B_2^T \right) - \left( \tilde U^T L_{\sigma(t)} \tilde U \right) \otimes B_2 \bar K_2 \right] \theta(t), \tag{42}$$

where $\theta(t)$ is the state of the system described by (42).

Corollary 4. If condition (i) in Corollary 3 holds, then UAV swarm system (38) achieves time-varying formation $h(t)$ by protocol (40) with $\bar K_2 = (2\lambda_{\min})^{-1} B_2^T \bar P$, where $\bar P$ is the positive definite solution to the following algebraic Riccati equation

$$\bar P \left( B_2 \bar K_1 + B_1 B_2^T \right) + \left( B_2 \bar K_1 + B_1 B_2^T \right)^T \bar P - \bar P B_2 B_2^T \bar P + I = 0. \tag{43}$$

5 Simulation and Experimental Results

In this section, a numerical example for the high-order linear swarm system is first given as Example 1 to illustrate the effectiveness of the theoretical results obtained in the previous sections. Then a quadrotor formation platform is introduced. Both a numerical simulation and a practical experiment are carried out on the quadrotor formation platform with four quadrotors in Example 2. In this paper, the control algorithm runs on the online control board; therefore, the formation control problems of the quadrotor formation platform are real-time control problems. Moreover, to better demonstrate the scalability of the obtained results, a large-scale example with ten quadrotors is given as Example 3. Due to the limited number of quadrotor UAVs in our lab, experimental results are not presented for Example 3.

5.1 Numerical Simulation for High-Order Linear Swarm System

In order to illustrate the effectiveness of theoretical results, a numerical example for a third-order swarm system with eight agents is provided.

Example 1 (Simulation with eight third-order agents). For simplicity of description, assume that in the example the interaction topologies of the swarm system are randomly chosen from $\bar S$ with interval $T_d$. Note that $\bar S$ consists of four undirected interaction topologies as shown in Fig. 1 and the interaction topologies have 0-1 weights. Consider a third-order swarm system with eight agents, where the dynamics of each agent is described by (1) with $x_i(t) = [x_{i1}(t), x_{i2}(t), x_{i3}(t)]^T$ ($i = 1, 2, \cdots, 8$), and

$$A = \begin{bmatrix} 4 & -2 & 2 \\ 1 & 3 & 5 \\ 2 & 7 & 4 \end{bmatrix}, \quad B = \begin{bmatrix} 0 & 0 \\ 1 & 0 \\ 0 & 1 \end{bmatrix}.$$

Fig. 1 Interaction topologies in Example 1. (a) G1. (b) G2. (c) G3. (d) G4

These eight agents are required to preserve a periodic time-varying parallel octagon formation and keep rotation around the predefined time-varying formation reference. The formation is defined as follows

$$h_i(t) = \begin{bmatrix} r \sin\left( \omega t + \frac{(i-1)\pi}{3} \right) \\ 2r \sin\left( \omega t + \frac{(i-1)\pi}{3} \right) \\ r \cos\left( \omega t + \frac{(i-1)\pi}{3} \right) \end{bmatrix} \quad (i = 1, 2, \cdots, 8).$$

If the formation specified by the above $h_i(t)$ ($i = 1, 2, \cdots, 8$) is achieved, the eight agents will locate on the eight vertices of a parallel octagon, respectively, and keep rotation with an angular velocity of $\omega$. Moreover, the edge length of the desired parallel octagon is periodic time-varying. Choose $r = 6$ and $\omega = 2$. According to the Algorithm, $K_1$ can be any constant matrix with appropriate dimension, e.g., $K_1 = 0$ and

$$v_i(t) = \begin{bmatrix} -42 \sin\left( 2t + \frac{\pi}{4}(i-1) \right) - 6 \cos\left( 2t + \frac{\pi}{4}(i-1) \right) \\ -108 \sin\left( 2t + \frac{\pi}{4}(i-1) \right) - 24 \cos\left( 2t + \frac{\pi}{4}(i-1) \right) \end{bmatrix} \quad (i = 1, 2, \cdots, 8).$$

The motion modes of the formation reference are placed at $-2j$, $2j$ and $0.01$ with $j^2 = -1$ by

$$K_2 = \begin{bmatrix} 3.9988 & -4.9905 & -3.0122 \\ -7.0005 & -4.9783 & -5.9995 \end{bmatrix}.$$

Using the approach in Theorem 4, $K_3$ can be obtained to make system (15) asymptotically stable as

$$K_3 = \begin{bmatrix} -13.9520 & 8.5232 & -2.4500 \\ 7.0585 & -2.4500 & 5.0634 \end{bmatrix}.$$


For simplicity of description, let the initial states of each agent be xij(0) = i(¯ − 0.5) (i = 1, 2, · · · , 8; j = 1, 2, 3), where ¯ is a pseudorandom value with a uniform distribution on the interval (0, 1). Choose Td = 10 s. Figure 2 shows the snapshots of the agents and the predefined formation reference at different times, where the states of eight agents are denoted by the point, triangle, circle, asterisk, x-mark, square, plus, and diamond, respectively, and the state of the predefined formation reference is marked by the pentagram. Figure 3 displays the switching signal. From Fig. 2a, b, one sees that the swarm system achieves a parallel octagon formation and the point corresponding to the predefined formation reference lies in the center of the formation. From Fig. 2b, c, and d, it can be seen that the achieved formation keeps rotating around the predefined formation reference and both the edge length of parallel octagon formation and the formation reference are time-varying. Therefore, the time-varying formation is achieved under the switching interaction topologies.

Fig. 2 State snapshots of eight agents and r(t). (a) t = 0 s. (b) t = 98 s. (c) t = 99 s. (d) t = 100 s

Fig. 3 Switching signal (axes: Time (sec), σ(t))

5.2 Quadrotor Formation Platform

Figure 4 shows the quadrotor formation platform which comprises one ground control station (GCS) and four quadrotors with flight control system (FCS). The tip-to-tip wingspan of the quadrotor is 65 cm, and the weight is 1600 g. The maximum takeoff weight of each quadrotor is 1800 g, and the maximum flight time is about 12 minutes. The FCS is developed based on a TMS320F28335 DSP running at 135 MHz. Three one-axis gyroscopes, a three-axis magnetometer, and a three-axis accelerometer are employed by the FCS to estimate the attitude and acceleration of the quadrotor. The position and velocity of each quadrotor are measured by the global positioning system (GPS) module with an accuracy of 1.2 m circular error probable (CEP) at a rate of 10 Hz. When the quadrotor is near the ground, the height is measured by an ultrasonic range finder. A 2G micro SD card is used to record the main flight parameters onboard. The wireless communications among quadrotors and the GCS are implemented by Zigbee modules. Control commands are sent to a specified quadrotor or broadcast to all quadrotors through the Zigbee network. The states of all quadrotors are sent to the GCS and monitored by the real-time display module on the GCS. During the formation, each quadrotor needs neither the control of the remote controller nor the control of the GCS. However, to deal with emergency situations, an RC receiver is kept on each quadrotor. Figure 5 illustrates the hardware structure of the quadrotor system.

Fig. 4 Quadrotor formation platform

Fig. 5 Hardware structure of the quadrotor system

5.3 Simulations and Experiments for Quadrotor Swarm Systems

The formation control of the quadrotor swarm system is implemented in the horizontal plane ($q = 2$); that is, the movements of the quadrotors along X and Y axes are controlled by the formation protocol (40) with a rate of 5 Hz. The height of each quadrotor is specified to be constant. The pitch, roll, and yaw angles of each quadrotor are controlled by three decoupled PD controllers shown in Tayebi and McGilvray (2006) with a rate of 500 Hz, respectively, as the inner loop. Note that the movements of each quadrotor along X and Y axes are decoupled. Using the Kronecker product, the dynamics of the quadrotor swarm system in the horizontal plane can be described by (39) with $\xi_i(t) = [x_{iX}(t), v_{iX}(t), x_{iY}(t), v_{iY}(t)]^T$, $u_i(t) = [u_{iX}(t), u_{iY}(t)]^T$, $h_i(t) = [h_{ixX}(t), h_{ivX}(t), h_{ixY}(t), h_{ivY}(t)]^T$ ($i = 1, 2, \cdots, N$), $B_1 = I_2 \otimes [1, 0]^T$, and $B_2 = I_2 \otimes [0, 1]^T$, where $i = 1, 2, \cdots, N$, $x_{iX}(t)$, $v_{iX}(t)$, $u_{iX}(t)$, $h_{ixX}(t)$, and $h_{ivX}(t)$ and $x_{iY}(t)$, $v_{iY}(t)$, $u_{iY}(t)$, $h_{ixY}(t)$, and $h_{ivY}(t)$ are the position, velocity, control input, and desired formation components of quadrotor $i$ along X and Y axes, respectively.

From the formation protocol (40), one sees that only the position and velocity of each quadrotor and its neighbors are required to construct the controller. In the experiment, the position and velocity of each quadrotor are obtained by the complementary filter (refer to Brown and Hwang (1996) and Euston et al. (2008) for more details) which combines the accelerometer measurement with the GPS measurement. The neighboring position and velocity are transmitted by the Zigbee network. Because the movements of each quadrotor along X and Y axes are decoupled, the controllers of each quadrotor along X and Y axes can be designed separately. For simplicity, it is assumed that all interaction topologies in this section are 0-1 weighted.

Example 2 (Simulation and experiment with four quadrotors). Consider the following time-varying formation

$$h_i(t) = \begin{bmatrix} r \cos(\omega t + (i-1)\pi/2) \\ -\omega r \sin(\omega t + (i-1)\pi/2) \\ r \sin(\omega t + (i-1)\pi/2) \\ \omega r \cos(\omega t + (i-1)\pi/2) \end{bmatrix} \quad (i = 1, 2, 3, 4),$$

where $r = 10$ m and $\omega = 0.1$ rad/s. For simplicity, assume that there exist four interaction topologies in set $S$ (as shown in Fig. 6). The interaction topology is randomly chosen from $S$ with interval $T_d = 10$ s. If $h(t)$ is achieved by the quadrotor swarm system under switching interaction topologies, then both the positions and velocities of the four quadrotors locate at the vertices of a rotating regular square, respectively, in the XY plane. It can be verified that condition (i) in Corollary 3 is satisfied.

Fig. 6 Switching interaction topologies in Example 2. (a) G1. (b) G2. (c) G3. (d) G4

Due to the limitation of flight space and the requirement of performing the experiment within a visual range, the motion modes of the formation reference $r(t)$ are designed to be stable by choosing $\bar K_1 = I_2 \otimes [-1, -0.8]$ to assign the eigenvalues of $B_2 \bar K_1 + B_1 B_2^T$ at $-0.4 + 0.9165j$, $-0.4 + 0.9165j$, $-0.4 - 0.9165j$ and $-0.4 - 0.9165j$ with $j^2 = -1$. In this configuration, when the desired formation containment is achieved, the formation reference $r(t)$ will be stationary. From Fig. 6, one gets the smallest nonzero eigenvalues of the four Laplacian matrices as 0.5858, 0.5858, 1, and 0.5858, respectively, which means that $\lambda_{\min} = 0.5858$. Using the approach in Corollary 4, one can obtain the matrix $\bar P$ as

$$\bar P = I_2 \otimes \begin{bmatrix} 1.4219 & 0.4142 \\ 0.4142 & 0.7711 \end{bmatrix},$$

and matrix $\bar K_2 = I_2 \otimes [0.3535, 0.6582]$ to ensure that the UAV swarm system can achieve the desired formation. Choose the initial states of four quadrotors as $\xi_1(0) = [9.84, -0.11, 0.19, 0.07]^T$, $\xi_2(0) = [-0.41, 0.04, 10.51, 0.22]^T$, $\xi_3(0) = [-10.47, 0.08, 0.48, 0.02]^T$, and $\xi_4(0) = [-0.93, -0.08, -9.11, -0.25]^T$.

Figures 7 and 8 show the state trajectories of the four quadrotors and the formation reference in the simulation and experiment within $t = 126$ s, respectively, where the initial states of the four quadrotors and the formation reference are marked by circles and the final states are denoted by asterisks, diamonds, triangles, squares, and pentagrams, respectively. Define the energy of the formation error as $\varsigma^H(t)\varsigma(t)$. Figure 9 depicts the energy curve of the formation error $\varsigma(t)$ in both the simulation and the experiment. Figures 10 and 11 show the control inputs of the four quadrotors along X and Y axes in both the simulation and the experiment, respectively. Figure 12 shows a captured image of four quadrotors in the formation flight. From Figs. 8, 9, 10, 11, and 12, one sees that the quadrotor swarm system achieves the predefined time-varying formation under switching interaction topologies in both simulation and experiment. The video of the experiment can be found at http://v.youku.com/v_show/id_XNjY3OTE4OTI0.html or https://www.youtube.com/watch?v=9cVyDAvDi3M.
It should be pointed out that due to the existence of external disturbances, sensor errors, and communication delays in the experiment, there are certain small errors in the experimental results in comparison with the simulation results. For example, the formation reference r(t) in Fig. 7 is stationary, while in Fig. 8, it moves in a small range, and the energy of the formation error ς (t) converges to zero in Fig. 9a, while in Fig. 9b, it converges to a small error bound. These errors occurring in the experiment are inevitable and reasonable.

Fig. 7 State trajectories of four quadrotors and r(t) in simulation. (a) Positions. (b) Velocities

Fig. 8 State trajectories of four quadrotors and r(t) in experiment. (a) Positions. (b) Velocities

Fig. 9 Energy curve of the formation error ς(t) in Example 2. (a) Simulation. (b) Experiment

Fig. 10 Control inputs of the four quadrotors in the simulation. (a) Control inputs along X axis. (b) Control inputs along Y axis

Fig. 11 Control inputs of the four quadrotors in the experiment. (a) Control inputs along X axis. (b) Control inputs along Y axis

Fig. 12 Formation flight image in the experiment

Example 3 (Simulation with ten quadrotors). Consider a quadrotor swarm system with ten quadrotors. The desired time-varying formation for the ten quadrotors is specified by

$$h_i(t) = \begin{bmatrix} r \sin(\omega t + (i-1)\pi/5) \\ r\omega \cos(\omega t + (i-1)\pi/5) \\ r \cos(\omega t + (i-1)\pi/5) \\ -\omega r \sin(\omega t + (i-1)\pi/5) \end{bmatrix} \quad (i = 1, 2, \cdots, 10),$$

where $r = 20$ m and $\omega = 0.15$ rad/s. Assume that there exist four interaction topologies in set $S$ which are shown in Fig. 13. The interaction topologies are randomly chosen from $S$ with interval $T_d = 6$ s. If $h(t)$ is achieved by the quadrotor swarm system under switching interaction topologies, then both the positions and velocities of the ten quadrotors will form a regular decagon, while they keep rotating around the formation reference, respectively, in the horizontal plane. It can be verified that condition (i) in Corollary 3 is satisfied. Different from Example 2, the motion modes of the formation reference $r(t)$ are designed to be oscillating by choosing $\bar K_1 = I_2 \otimes [-0.36, 0]$ to assign the eigenvalues of $B_2 \bar K_1 + B_1 B_2^T$ at $-0.6j$, $-0.6j$, $0.6j$, and $0.6j$. In this case, the formation reference will move periodically. From Fig. 13, one gets the smallest nonzero eigenvalues of the four Laplacian matrices as 0.3820, 0.2087, 0.1487, and 0.0979, respectively, which means that $\lambda_{\min} = 0.0979$. Using the approach in Corollary 4, one can obtain the matrix $\bar P$ as

$$\bar P = I_2 \otimes \begin{bmatrix} 1.6485 & 0.7028 \\ 0.7028 & 1.5510 \end{bmatrix},$$

and the matrix $\bar K_2 = I_2 \otimes [3.5895, 7.9214]$.

Fig. 13 Switching interaction topologies in Example 3. (a) G5. (b) G6. (c) G7. (d) G8

Choose the initial states of the ten quadrotors as $\xi_1(0) = [1, 2.5, 18.3, -0.6]^T$, $\xi_2(0) = [12.1, 1.9, 16.7, -2.2]^T$, $\xi_3(0) = [20.3, 1.4, 6.6, -3.5]^T$, $\xi_4(0) = [21.7, -1.3, -6.3, -2.1]^T$, $\xi_5(0) = [12.7, -3.4, -14.1, -2.7]^T$, $\xi_6(0) = [1.4, -3.5, -20.8, -0.8]^T$, $\xi_7(0) = [-8.7, -3.4, -17.4, 2.6]^T$, $\xi_8(0) = [-14.6, -0.5, -5.2, 2]^T$, $\xi_9(0) = [-13.9, 1.2, 8.3, 1.8]^T$, $\xi_{10}(0) = [-12.6, 1.5, 15.6, 0.3]^T$. Figure 14 shows the state trajectories of the ten quadrotors and the formation reference in the simulation within $t = 60$ s, where the initial states of the quadrotors and the formation reference are marked by circles and the final states are denoted by points and pentagrams, respectively. Figure 15 depicts the energy curve of the formation error $\varsigma(t)$ in the simulation. Figure 16 shows the control inputs of the ten quadrotors along X and Y axes, respectively. From Fig. 14, the following phenomena can be found: (1) both the position and velocity components of the ten quadrotors form the regular decagon formation; (2) the regular decagon formation keeps rotating around the formation reference $r(t)$; and (3) the states of formation reference move periodically, which means that the whole time-varying formation moves periodically. Therefore, the desired time-varying formation is achieved by the ten quadrotors under the switching topologies. Moreover, because each quadrotor uses only the neighboring information and the calculation complexity for determining the gain matrices in the protocol (40) is independent of the number of quadrotors, the obtained results have good scalability.
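The gain design of Corollary 4 and a one-axis run of protocol (40) for Example 2, written here as an added example that is not code from the chapter or its authors; `design_k2` reproduces the $\bar P$ and $\bar K_2$ values reported for Examples 2 and 3. Assumptions: the edge sets in `TOPOLOGIES` are constructed (the edge sets of Fig. 6 are not in the text; three paths and a star give the stated smallest nonzero eigenvalues 0.5858 and 1), only the X axis is simulated with forward Euler, and the spread of $\xi_i - h_i$ about its mean stands in for the formation error energy.

```python
import math
import random

# Constructed 0-1 weighted undirected topologies on four nodes (assumption:
# the edge sets of Fig. 6 are not in the text). The three paths have smallest
# nonzero Laplacian eigenvalue 2 - sqrt(2) = 0.5858 and the star has 1.
TOPOLOGIES = [
    [(0, 1), (1, 2), (2, 3)],
    [(1, 0), (0, 3), (3, 2)],
    [(0, 1), (0, 2), (0, 3)],
    [(0, 2), (2, 1), (1, 3)],
]

# X-axis parts [x_iX(0), v_iX(0)] of the initial states listed in Example 2.
XI0_X = [[9.84, -0.11], [-0.41, 0.04], [-10.47, 0.08], [-0.93, -0.08]]


def design_k2(k1, lam_min):
    """Corollary 4 for one axis (q = 1): closed-form solution of ARE (43).

    With K1 = [a, b], B2*K1 + B1*B2^T = [[0, 1], [a, b]]. Writing
    P = [[p1, p2], [p2, p3]], equation (43) splits into
      (1,1): 2*a*p2 - p2**2 + 1 = 0
      (2,2): 2*p2 + 2*b*p3 - p3**2 + 1 = 0
      (1,2): p1 + b*p2 + a*p3 - p2*p3 = 0
    The positive roots give the positive definite solution.
    """
    a, b = k1
    p2 = a + math.sqrt(a * a + 1.0)
    p3 = b + math.sqrt(b * b + 2.0 * p2 + 1.0)
    p1 = p2 * p3 - b * p2 - a * p3
    # K2 = (2*lam_min)^-1 * B2^T * P, and B2^T * P is the second row of P.
    k2 = [p2 / (2.0 * lam_min), p3 / (2.0 * lam_min)]
    return [[p1, p2], [p2, p3]], k2


def formation_x(i, t, r=10.0, w=0.1):
    """X-axis part of h_i(t) in Example 2 (i is zero-based) and dh_iv/dt."""
    phase = w * t + i * math.pi / 2.0
    h = [r * math.cos(phase), -w * r * math.sin(phase)]
    return h, -w * w * r * math.cos(phase)


def spread_energy(z):
    """Sum of squared deviations of z_i = xi_i - h_i from their mean."""
    n = len(z)
    mean = [sum(zi[c] for zi in z) / n for c in range(2)]
    return sum((zi[c] - mean[c]) ** 2 for zi in z for c in range(2))


def simulate(k1, k2, xi0, t_end=126.0, dt=0.01, t_dwell=10.0, seed=1):
    """Forward-Euler run of dynamics (38) under protocol (40), one axis.

    The topology is redrawn at random every t_dwell seconds. Returns the
    spread energy of xi_i - h_i at every step.
    """
    rng = random.Random(seed)
    xi = [list(s) for s in xi0]
    n = len(xi)
    steps = int(round(t_end / dt))
    per_dwell = int(round(t_dwell / dt))
    edges = TOPOLOGIES[0]
    energies = []
    for k in range(steps + 1):
        if k % per_dwell == 0:
            edges = rng.choice(TOPOLOGIES)
        hs = [formation_x(i, k * dt) for i in range(n)]
        z = [[xi[i][c] - hs[i][0][c] for c in range(2)] for i in range(n)]
        energies.append(spread_energy(z))
        # Neighbour sums: sum_j w_ij * ((xi_j - h_j) - (xi_i - h_i)).
        nb = [[0.0, 0.0] for _ in range(n)]
        for i, j in edges:
            for c in range(2):
                d = z[j][c] - z[i][c]
                nb[i][c] += d
                nb[j][c] -= d
        for i in range(n):
            u = (k1[0] * z[i][0] + k1[1] * z[i][1]
                 + k2[0] * nb[i][0] + k2[1] * nb[i][1] + hs[i][1])
            xi[i] = [xi[i][0] + dt * xi[i][1], xi[i][1] + dt * u]
    return energies


if __name__ == "__main__":
    P, K2 = design_k2([-1.0, -0.8], 0.5858)
    print("P =", P, "K2 =", K2)
    e = simulate([-1.0, -0.8], K2, XI0_X)
    print("energy at t = 0: %.4f, at t = 126 s: %.3e" % (e[0], e[-1]))
```

The residual energy at the end of the run is set by the Euler step rather than by the protocol; reducing `dt` lowers it further.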

Fig. 14 State trajectories of the ten quadrotors and r(t) in Example 3. (a) Positions. (b) Velocities

Fig. 15 Energy curve of the formation error ς(t) in Example 3

6 Conclusions

Distributed time-varying formation analysis and feasibility problems for general high-order LTI swarm systems with switching interaction topologies were studied. Necessary and sufficient conditions for swarm systems with switching interaction topologies to achieve a given time-varying formation were presented. An explicit expression of the time-varying formation reference function was derived. Necessary and sufficient conditions for formation feasibility were proposed, and approaches to expand the feasible formation set were presented. An algorithm to design the protocol for swarm systems with switching interaction topologies to achieve a given time-varying formation was proposed. The obtained general results were applied to deal with the time-varying formation control problems for the UAV swarm system. A formation control platform consisting of four quadrotor UAVs was introduced. Both numerical and experimental results were presented to demonstrate the effectiveness of the obtained results.

Fig. 16 Control inputs of the ten quadrotors in Example 3. (a) Control inputs along X axis. (b) Control inputs along Y axis

References

A. Abdessameud, A. Tayebi, Formation control of VTOL unmanned aerial vehicles with communication delays. Automatica 47(11), 2383–2394 (2011)
H. Bai, J.T. Wen, Cooperative load transport: a formation-control perspective. IEEE Trans. Robot. 26(4), 742–750 (2010)
T. Balch, R.C. Arkin, Behavior-based formation control for multi robot teams. IEEE Trans. Robot. Autom. 14(6), 926–939 (1998)
I. Bayezit, B. Fidan, Distributed cohesive motion control of flight vehicle formations. IEEE Trans. Ind. Electron. 60(12), 5763–5772 (2013)
R.W. Beard, J. Lawton, F.Y. Hadaegh, A coordination architecture for spacecraft formation control. IEEE Trans. Control Syst. Technol. 9(6), 777–790 (2001)
R.G. Brown, P.Y.C. Hwang, Introduction to Random Signals and Applied Kalman Filtering (Wiley, New York, 1996)
F. Chen, Z.Q. Chen, Z.X. Liu, L.Y. Xiang, Z.Z. Yuan, Decentralized formation control of mobile agents: a unified framework. Physica A 387(19–20), 4917–4926 (2008)
J.P. Desai, J. Ostrowski, V. Kumar, Modeling and control of formations of nonholonomic mobile robots. IEEE Trans. Robot. Autom. 17(6), 905–908 (2001)
X.W. Dong, J.X. Xi, Z.Y. Shi, Y.S. Zhong, Practical consensus for high-order swarm systems with uncertainties, time delays and external disturbances. Int. J. Syst. Sci. 44(10), 1843–1856 (2013)
X.W. Dong, B.C. Yu, Z.Y. Shi, Y.S. Zhong, Time-varying formation control for unmanned aerial vehicles: theories and applications. IEEE Trans. Control Syst. Technol. 23(1), 340–348 (2015)
X.W. Dong, Z.Y. Shi, G. Lu, Y.S. Zhong, Time-varying formation control for high-order linear swarm systems with switching interaction topologies. IET Control Theory Appl. 8(18), 2162–2170 (2014)
X.W. Dong, Y. Zhou, Z. Ren, Y.S. Zhong, Time-varying formation control for unmanned aerial vehicles with switching interaction topologies. Control Eng. Practice 46, 26–36 (2016)
M. Euston, P. Coote, R. Mahony, K. Jonghyuk, T. Hamel, A complementary filter for attitude estimation of a fixed-wing UAV, in Proceedings of IEEE/RSJ International Conference Intelligent Robots and Systems, 2008, pp. 340–345
J.A. Fax, R.M. Murray, Information flow and cooperative control of vehicle formations. IEEE Trans. Automat. Control 49(9), 1465–1476 (2004)
C. Godsil, G. Royle, Algebraic Graph Theory (Springer, New York, 2001)
J. Han, Y. Xu, L. Di, Y.Q. Chen, Low-cost multi-UAV technologies for contour mapping of nuclear radiation field. J. Intell. Robot. Syst. 70(1–4), 401–410 (2013)
T. Kailath, Linear Systems (Englewood Cliffs, Prentice-Hall, 1980)
A. Karimoddini, H. Lin, B. Chen, T.H. Lee, Hybrid three-dimensional formation control for unmanned helicopters. Automatica 49(2), 424–433 (2013)
T. Kopfstedt, M. Mukai, M. Fujita, C. Ament, Control of formations of UAVs for surveillance and reconnaissance missions, in Proceedings 17th IFAC World Congress, 2008, pp. 6–11
G. Lafferriere, A. Williams, J. Caughman, J.J.P. Veerman, Decentralized control of vehicle formations. Syst. Control Lett. 54(9), 899–910 (2005)
M.A. Lewis, K.H. Tan, High precision formation control of mobile robots using virtual structures. Auton. Robot. 4(4), 387–403 (1997)
Z.K. Li, Z.S. Duan, G.R. Chen, L. Huang, Consensus of multiagent systems and synchronization of complex networks: a unified viewpoint. IEEE Trans. Circuits Syst. I-Regul. Pap. 57(1), 213–224 (2010)
P. Lin, Y.M. Jia, Average consensus in networks of multi-agents with both switching topology and coupling time-delay. Physica A 387(1), 303–313 (2008)
C.L. Liu, Y.P. Tian, Formation control of multi-agent systems with heterogeneous communication delays. Int. J. Syst. Sci. 40(6), 627–636 (2009)
C.Q. Ma, J.F. Zhang, Necessary and sufficient conditions for consensusability of linear multi-agent systems. IEEE Trans. Automat. Control 55(5), 1263–1268 (2010)


C.Q. Ma, J.F. Zhang, On formability of linear continuous-time multi-agent systems. J. Syst. Sci. Complex. 25(1), 13–29 (2012)
W. Ni, D.Z. Cheng, Leader-following consensus of multi-agent systems under fixed and switching topologies. Syst. Control Lett. 59(3–4), 209–217 (2010)
N. Nigam, S. Bieniawski, I. Kroo, J. Vian, Control of multiple UAVs for persistent surveillance: algorithm and flight test results. IEEE Trans. Control Syst. Technol. 20(5), 1236–1251 (2012)
R. Olfati-Saber, R.M. Murray, Consensus problems in networks of agents with switching topology and time-delays. IEEE Trans. Automat. Control 49(9), 1520–1533 (2004)
D.J. Pack, P. DeLima, G.J. Toussaint, G. York, Cooperative control of UAVs for localization of intermittently emitting mobile targets. IEEE Trans. Syst. Man Cybern. Part B-Cybern. 39(4), 959–970 (2009)
M. Porfiri, D.G. Roberson, D.J. Stilwell, Tracking and formation control of multiple autonomous agents: a two-level consensus approach. Automatica 43(8), 1318–1328 (2007)
W. Ren, Consensus strategies for cooperative control of vehicle formations. IET Control Theory Appl. 1(2), 505–512 (2007)
W. Ren, R.W. Beard, Consensus seeking in multiagent systems under dynamically changing interaction topologies. IEEE Trans. Automat. Control 50(5), 655–661 (2005)
W. Ren, N. Sorensen, Distributed coordination architecture for multi-robot formation control. Robot. Auton. Syst. 56(4), 324–333 (2008)
J. Seo, Y. Kim, S. Kim, A. Tsourdos, Consensus-based reconfigurable controller design for unmanned aerial vehicle formation flight. J. Aerosp. Eng. 226(7), 817–829 (2012)
A. Sivakumar, C.K.Y. Tan, UAV swarm coordination using cooperative control for establishing a wireless communications backbone, in Proceedings of the 9th International Conference on Autonomous Agents and Multiagent Systems, 2010, pp. 1157–1164
A. Tayebi, S. McGilvray, Attitude stabilization of a VTOL quadrotor aircraft. IEEE Trans. Control Syst. Technol. 14(3), 562–571 (2006)
M. Turpin, N. Michael, V. Kumar, Decentralized formation control with variable shapes for aerial robots, in Proceedings of IEEE International Conference on Robotics and Automation, 2012, pp. 23–30
J. Wang, M. Xin, Integrated optimal formation control of multiple unmanned aerial vehicles. IEEE Trans. Control Syst. Technol. 21(5), 1731–1744 (2013)
F. Xiao, L. Wang, Consensus problems for high-dimensional multi-agent systems. IET Control Theory Appl. 1(3), 830–837 (2007)
F. Xiao, L. Wang, J. Chen, Y.P. Gao, Finite-time formation control for multi-agent systems. Automatica 45(11), 2605–2611 (2009)
G.M. Xie, L. Wang, Moving formation convergence of a group of mobile robots via decentralised information feedback. Int. J. Syst. Sci. 40(10), 1019–1027 (2009)
K.Y. You, Z.K. Li, L.H. Xie, Consensus condition for linear multi-agent systems over randomly switching topologies. Automatica 49(10), 3125–3132 (2013)

Semi-global Consensus of Multi-agent Systems with Impulsive Approach

44

Zhen Li, Jian-an Fang, Tingwen Huang, Wenqing Wang, and Wenbing Zhang

Contents
1 Introduction
2 Preliminaries and Problem Statement
2.1 Notation
2.2 Graph Theory
2.3 Consensus Protocol via Low-Gain Feedback Approach
2.4 Impulsive Consensus Protocol via Low-Gain Feedback Approach
3 Impulsive Consensus Protocol Design
3.1 Low-Gain-Based Impulsive Consensus Protocol
3.2 Low-and-High-Gain-Based Impulsive Consensus Protocol
4 Numerical Examples
5 Conclusion
References

Z. Li · W. Wang, School of Automation, Xi-an University of Posts & Telecommunications, Xi-an, China
J.-a. Fang, School of Information Science and Technology, Donghua University, Shanghai, China
T. Huang, The Science Program, Texas A&M University, Doha, Qatar
W. Zhang, Department of Mathematics, Yangzhou University, Jiangsu, China

© Springer Nature Singapore Pte Ltd. 2022. Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_31


Abstract

Consensus analysis is a basic issue of multi-agent systems. As an important topic within this issue, semi-global consensus problems have attracted interest because, in practice, actuator capability is usually limited to a finite range. In theory, semi-global consensus problems refer to designing a one-parameter family of control protocols whose domain of attraction can tend to the entire state space. To deal with these problems, the low-gain feedback control strategy has recently been extended. This chapter offers a short survey of current studies on this topic and then develops the basic idea of the low-gain feedback control strategy into a distributed impulsive strategy. As with low-gain feedback control, the magnitude of the proposed impulsive protocol converges to zero as the low-gain parameter tends to zero. By utilizing the Lyapunov function and low-gain theory, a parametric discrete-time Riccati equation is developed for calculating the control gain matrix. Then, based on low-and-high-gain feedback control, another distributed impulsive strategy is considered such that this control protocol can be limited to a finite range. Furthermore, two algorithms are proposed to solve for the corresponding control gain matrices. Subsequently, future research topics are discussed.

Keywords Multi-agent systems · Semi-global consensus · Low-gain feedback control · Impulsive approach

1 Introduction

In the last few decades, cooperation of autonomous systems has attracted much research interest due to several applications of real-time systems, e.g., sensor networks, distributed computation, and swarms of mobile robots (Belta and Kumar 2004; Sivrikaya and Yener 2004; Samejima and Sasaki 2015; Pérez et al. 2014; Palomares and Martínez 2014; Arieh et al. 2009; Wang et al. 2015; Prüfer 1985; Chen et al. 2014, 2016a; Tang et al. 2014; Lu et al. 2012). In these studies, the control protocol is built on some basic hypotheses. That is, all agents can approach a final agreement as time evolves, which is the so-called consensus problem. In terms of dynamic performance, the consensus problem can be categorized into global consensus, semi-global consensus, and so on (Wen et al. 2015; You and Xie 2011; Zhou et al. 2012; Su et al. 2013; Li et al. 2013; Lin and Jia 2010; Chen et al. 2016b). For instance, global consensus problems have been considered for second-order nonlinear multi-agent systems by utilizing neural-network-based adaptive control in Wen et al. (2015). In You and Xie (2011), the global consensus of discrete-time multi-agent systems has been investigated for time-varying network topology and communication data rate. Generally, global consensus means that the consensus error system is controlled by a protocol whose domain of attraction is the entire state space. Different from global consensus, semi-global consensus means that the domain of attraction of the consensus error system can approach the entire state space. Actually, semi-global consensus originated from saturation issues, since the capability of a practical actuator is usually limited to a finite range (Lin et al. 2000). Recently, the saturation issues have been extended from control systems to the synchronization of networks and to the consensus and output regulation of multi-agent systems (You and Xie 2011; Yang et al. 2014; Su et al. 2013; Li et al. 2016a, b; Zhou et al. 2009, 2010, 2012; Wang et al. 2012, 2014, 2016; Hou et al. 1998). For instance, the global consensus for discrete-time multi-agent systems has been examined in Yang et al. (2014), where the consensus protocol is subjected to input saturation constraints. The semi-global consensus problems have been considered for a kind of linear multi-agent systems with input saturation via low-gain feedback under the time-varying and time-variant topologies in Su et al. (2013). Therefore, a large number of studies have developed this topic for the consensus of multi-agent systems in Belta and Kumar (2004), Sivrikaya and Yener (2004), Samejima and Sasaki (2015), Pérez et al. (2014), Palomares and Martínez (2014), Arieh et al. (2009), Li et al. (2013), Wen et al. (2015), Wang et al. (2015), Lu et al. (2012), Chen et al. (2016a), You and Xie (2011), Yang et al. (2014), and Su et al. (2013). Generally, input saturation may induce instability or deterioration, e.g., the windup phenomena (Sussmann et al. 1994). To deal with this case, the low-gain feedback control strategy has been introduced to control systems, since the traditional methods lead to complex analysis (Lin and Saberi 1993; Lin et al. 2000). The so-called low-gain feedback control strategy usually depends on the parameterized algebraic Riccati equation, which shows that the magnitude of feedback tends to zero as the low-gain parameter decreases to zero.
In such a setting, the control input of each agent is limited by the saturation bound interval such that the saturation phenomena can be excluded (Lin and Saberi 1993). This control strategy has been developed in Lin and Saberi (1993), Zhou et al. (2008, 2009), Saberi et al. (1995, 2000), Teel (1995), and Lin et al. (2000) and extended in Yang et al. (2014) and Su et al. (2013). For instance, in Lin et al. (2000), a low-gain feedback control for discrete-time linear systems has been improved in the presence of actuator saturation nonlinearity. In Zhou et al. (2008), a parametric Lyapunov equation approach has been developed to adapt the design of low-gain feedback. Then, in Zhou et al. (2009), the similar approach related to low-gain feedback control in Zhou et al. (2008) has been designed for discrete-time systems. In multi-agent systems, the protocols based on the low-gain feedback control have been examined in Su et al. (2013). Up to now, the low-gain feedback control has been developed for different problems of multi-agent systems, e.g., global consensus, semi-global consensus, and output regulation consensus. Based on the low-gain feedback control, there is another feedback control strategy, called high-gain feedback control, which has been proposed in Saberi et al. (2000) and Wang et al. (2012, 2016). As mentioned in Saberi et al. (2000) and Wang et al. (2012, 2016), the high-gain feedback control can achieve performance beyond stabilization in relation to robustness, disturbance rejection, or enhancing the utilization of control capacity. For instance, the high-gain feedback control has been considered in the semi-global consensus of multi-agent systems with input saturation in Su et al. (2013).


On the other hand, the impulsive control strategy has been investigated in the consensus problem of networked multi-agent systems due to its simple structure and some potential advantages (Liu et al. 2012, 2013; Lu et al. 2015; Zhang et al. 2014; Tang et al. 2015; Guan et al. 2012; Wang et al. 2009). The consensus problem for second-order multi-agent systems has been considered by using some kinds of impulsive control in Guan et al. (2013). In Liu et al. (2013), a pinning impulsive consensus approach has been proposed for networks of multi-agents, in which the consensus protocol can be activated by a single impulsive controller. In Liu et al. (2012), the consensus problem for multi-agent networks has been studied by using position-only measurements impulsive control. Generally, the impulsive control strategy, as a discontinuous control, is activated at a quite sparse sequence in the time domain. In theory, an impulsive control protocol can promote consensus by measuring the information between neighboring impulsive instants. Under real network environments, such information may not be applicable if the hardware device is limited to a finite range, i.e., actuator saturation. At this stage, it is natural to investigate the saturation problem when designing an impulsive consensus protocol. Unfortunately, incorporating the saturation problem into impulsive consensus protocols is still an open and challenging issue, since it has been widely neglected in most existing works. In this chapter, a mathematical framework will be utilized to combine the impulsive control strategy and the low-gain feedback control strategy. As mentioned above, this chapter aims to propose an impulsive consensus protocol for semi-global consensus of multi-agent systems when the consensus cannot be guaranteed by using the usual feedback protocol. Similarly to Lin et al. (2000) and Teel (1995), we call an impulsive consensus protocol a low-gain-based impulsive consensus protocol when the control gain matrix can lead the magnitude of the protocol to approach zero. Combining the low-gain and high-gain feedback control (Saberi et al. 2000), we call an impulsive consensus protocol a low-and-high-gain-based impulsive consensus protocol when it can achieve semi-global consensus and enhance utilization of the impulsive control capacity. Based on the Lyapunov function theory and the guaranteed cost control, a parametric discrete-time Riccati equation is applied to solve the low-gain-based impulsive consensus protocol. Then, by utilizing the presented low-gain-based impulsive consensus protocol, a low-and-high-gain-based impulsive consensus protocol is considered for semi-global consensus of linear discrete-time multi-agent systems. Subsequently, two algorithms are presented to obtain the parametric discrete-time Riccati equation such that the impulsive control gain matrices can be solved. In what follows, a short review of the results on low-gain feedback control is given, and some notation and the model description are provided in Sect. 2. Section 3 presents the main results on the low-gain-based impulsive consensus protocol and the low-and-high-gain-based impulsive consensus protocol, and also describes two algorithms. Several examples are given to show our results in Sect. 4. In Sect. 5, a conclusion and future research topics are drawn.

2 Preliminaries and Problem Statement

2.1 Notation

The standard notation is provided. In particular, $\mathbb{R}^{n \times m}$ and $\mathbb{R}^n$ indicate the set of $n \times m$ real matrices and the $n$-dimensional Euclidean space, respectively. The notation $X \ge Y$ ($X > Y$), where $X$ and $Y$ are symmetric matrices, means that $X - Y$ is positive semi-definite (positive definite). $I_n$ denotes the $n$-dimensional identity matrix. $S[a, b]$ denotes the number of a class of impulse time sequences $\{k_m\}$ through the interval $[a, b]$. $\rho(\cdot)$ denotes the spectral radius of a square matrix. $\mathrm{tr}(A)$ means the trace of the matrix $A$. $\|A\|$ is the norm of the matrix $A \in \mathbb{R}^{n \times n}$ induced by the Euclidean vector norm, i.e., $\|A\| = \sqrt{\lambda_{\max}(A^T A)}$, where $\lambda_{\max}(\cdot)$ means the largest eigenvalue.

2.2 Graph Theory

Let a graph be $\mathcal{G} = [\mathcal{V}, \mathcal{E}]$, where $\mathcal{V} = \{1, \ldots, N\}$ means the agent set and $\mathcal{E} = \{e(i, j)\}$ is the edge set. $N_i$ stands for the neighborhood of agent $i$ in the sense $N_i = \{j \in \mathcal{V} \mid e(i, j) \in \mathcal{E}\}$. The graph $\mathcal{G}$ is assumed to be undirected (i.e., $e(i, j) \in \mathcal{E}$ implies $e(j, i) \in \mathcal{E}$), connected, and simple (i.e., without multiple edges and self-loops). Let $\mathcal{L} = [\ell_{ij}]_{i,j=1}^{N}$ be the Laplacian matrix of graph $\mathcal{G}$, which is defined as: for any pair $i \neq j$,

$$\ell_{ij} = \ell_{ji} = \begin{cases} -1, & \text{if } e(i, j) \in \mathcal{E}, \\ 0, & \text{otherwise}, \end{cases}$$

and $\ell_{ii} = -\sum_{j=1, j \neq i}^{N} \ell_{ij}$ is the degree of vertex $i$ ($i \in \mathcal{V}$).

Similarly, let $\bar{\mathcal{G}} = [\mathcal{V}, \bar{\mathcal{E}}]$ be a graph that is assumed to satisfy the same conditions as $\mathcal{G}$. $\bar{N}_i$ means the neighborhood of the $i$-th agent of graph $\bar{\mathcal{G}}$. Let $D = [d_{ij}]_{i,j=1}^{N}$ be the associated Laplacian matrix of graph $\bar{\mathcal{G}}$. Moreover, the graphs $\mathcal{G}$ and $\bar{\mathcal{G}}$ represent the communication topologies of the feedback and impulsive protocols, respectively. Apparently, when graph $\mathcal{G}$ (or $\bar{\mathcal{G}}$) is undirected and connected, according to the Gershgorin disk theorem (Horn and Johnson 2001), all the eigenvalues of the coupling configuration matrix $\mathcal{L}$ satisfy $0 = \lambda_1(\mathcal{L}) < \lambda_2(\mathcal{L}) \le \ldots \le \lambda_N(\mathcal{L})$. It is also well known that $\lambda_2(\mathcal{L}) > 0$ if and only if the graph $\mathcal{G}$ is connected. For brevity, denote $\lambda_i = \lambda_i(\mathcal{L})$ and $\eta_i = \lambda_i(D)$.

2.3 Consensus Protocol via Low-Gain Feedback Approach

As mentioned above, the low-gain feedback approach originated from the saturation problems of control systems; it was proposed in Lin and Saberi (1993) and developed in Zhou et al. (2008, 2009), Saberi et al. (1995, 2000), Teel (1995), and Lin et al. (2000). Generally, there are two types of approaches to low-gain feedback control: the parametric algebraic Riccati equation approach and the eigenstructure assignment approach. The parametric algebraic Riccati equation approach usually requires a Lyapunov function from which a parametric algebraic Riccati equation related to the control gain can be derived. Then, one can apply the guaranteed cost control to minimize the control gain. Such an approach is based on obtaining the solution of the parametric algebraic Riccati equation. In this subsection, current studies on the low-gain feedback approach are briefly reviewed. Consider the continuous-time multi-agent system

$$\dot{x}_i(t) = A x_i(t) + B\,\mathrm{sat}_w(u_i(t)), \quad i \in \mathcal{V}, \tag{1}$$

where $A \in \mathbb{R}^{n \times n}$, $B \in \mathbb{N}^{n \times p}$, $x_i(t) = [x_{i1}(t), x_{i2}(t), \cdots, x_{in}(t)]^T \in \mathbb{R}^n$ means the state vector of the $i$-th agent, and $\mathrm{sat}_w(u_i(t)) = [\mathrm{sat}_w(u_{i1}(t)), \mathrm{sat}_w(u_{i2}(t)), \cdots, \mathrm{sat}_w(u_{in}(t))]^T \in \mathbb{R}^n$ is a consensus protocol subjected to input saturation satisfying $\mathrm{sat}_w(u_{ij}(t)) = \mathrm{sign}(u_{ij}(t)) \min\{|u_{ij}(t)|, w\}$ for some constant $w > 0$. Then, the leader is described by

$$\dot{x}_0(t) = A x_0(t), \tag{2}$$

where $x_0(t)$ is the state vector of the leader.

Definition 1. For any a priori given bounded set $X \subset \mathbb{R}^n$, consider the continuous-time multi-agent system in (1) and the leader in (2). If there is a parameter $\gamma^* > 0$ such that for any $\gamma \in (0, \gamma^*]$, the following condition holds

$$\lim_{t \to \infty} \|x_i(t) - x_0(t)\| \to 0,$$

as long as $x_i(t) \in X$ for all $i = 1, 2, \ldots, N$, then the multi-agent system in (1) is said to reach semi-global consensus.

The following assumptions are required.

Assumption 1. For the pair $(A, B)$, the following assumptions are satisfied:
1. All eigenvalues of $A$ are in the closed left-half $s$-plane,
2. The pair $(A, B)$ is stabilizable.

Assumption 2. The graph $\mathcal{G}$ contains a spanning tree rooted at the leader.

Recall the basic idea of low-gain feedback control. There is a low-gain parameter $\gamma$ such that the magnitude of the considered protocol $\mathrm{sat}_w(u_i(t))$ can tend to zero as the low-gain parameter $\gamma$ tends to zero. With a proper setting of the low-gain parameter $\gamma^* \in (0, 1]$, it can guarantee $u_i(t, \gamma^*) \in [0, w]$. In Su et al. (2013), a consensus protocol $u_i(t)$ based on the low-gain feedback approach of the multi-agent system in (1) is designed in two steps:

Algorithm 1. The algorithm of the low-gain-based consensus protocol in the continuous-time multi-agent system in (1) and the leader in (2):

Step 1. Solve the parametric algebraic Riccati equation

$$A^T P_\gamma + P_\gamma A - 2\lambda P_\gamma B B^T P_\gamma + \varepsilon I = 0, \tag{3}$$

where $\lambda \le \min\{\lambda_1(\mathcal{L}_s + H)\}$ is a positive constant, $\mathcal{L}_s$ is a Laplacian matrix, and $H = \{h_1, \ldots, h_N\}$.

Step 2. Design a consensus protocol for agent $i$ as

$$u_i(t, \gamma) = K_\gamma \Big[ \sum_{j \in N_i} (x_j(t) - x_i(t)) + h_i (x_0(t) - x_i(t)) \Big], \tag{4}$$

where $K_\gamma = -B^T P_\gamma \in \mathbb{N}^{p \times n}$ is a control gain matrix and $P_\gamma$ is a solution of the parametric algebraic Riccati equation in (3). Thus, $P_\gamma \to 0$ as $\gamma \to 0$.

Meanwhile, there are many results that examine the low-gain feedback approach for the consensus problems of continuous-time multi-agent systems. For instance, the semi-global problems have been considered by some kind of output regulation of nonlinear control subjected to input saturation in Li et al. (2016a). Then, various kinds of control strategies with input saturation have been considered, including event-triggered control, fuzzy adaptive control, and sliding mode control (Li et al. 2016a, b; Zhou et al. 2009, 2010, 2012; Wang et al. 2012, 2014, 2016; Hou et al. 1998). On the other hand, for discrete-time counterparts of multi-agent systems, it is still an open question how to apply the low-gain feedback approach. The main reason is that current works mainly focus on designing the $H_\infty$-type-based Riccati inequality or other alternative approaches (Hengster et al. 2013).

2.4 Impulsive Consensus Protocol via Low-Gain Feedback Approach

Note that the low-gain and low-and-high-gain control problems are always a hot topic in control theory, e.g., the low-gain and low-and-high-gain control in linear systems (Zhou et al. 2008, 2009; Saberi et al. 2000), $L_\infty$ or $H_\infty$ low-gain feedback in constrained control (Teel 1995), and input saturation in multi-agent systems (You and Xie 2011; Yang et al. 2014; Su et al. 2013). However, these results cannot be easily extended to impulsive systems. Therefore, in the following, we will propose a way to design the low-gain-based impulsive consensus protocol. Particularly, we consider the linear discrete-time multi-agent system, in which the motion of agent $i$ is described by

$$x_i(k+1) = A x_i(k) + c \sum_{j \in N_i} (x_j(k) - x_i(k)), \quad i \in \mathcal{V}, \tag{5}$$

where $x_i(k) = [x_{i1}(k), x_{i2}(k), \cdots, x_{in}(k)]^T \in \mathbb{R}^n$ is the state vector of the $i$-th agent, $A \in \mathbb{R}^{n \times n}$, and $c$ is a global coupling gain. Apparently, we can derive from the connected graph $\mathcal{G}$ that $(\mathcal{L} \otimes I_n)x = 0$ if and only if $\varepsilon_{ji}(k) = 0$ holds for all $i, j \in \mathcal{V}$, where $\varepsilon_{ji}(k) = x_i(k) - x_j(k)$ means the consensus error of the states of agents $i$ and $j$ at time $k$.

Recently, the consensus problems of discrete-time multi-agent systems have been widely investigated in Yang et al. (2014), You and Xie (2011), Chen et al. (2016a), and Qin et al. (2014). In these works, the matrix $A$ is an important factor in regulating consensus. For instance, in Qin et al. (2014), the consensus can be maintained when $\rho(A) \le (1 - \chi(c\mathcal{L})^{N-1})^{1/(1-N)}$, where $\rho(A)$ is the spectral radius of matrix $A$ and $\chi(c\mathcal{L})$ means a kind of ergodic coefficient of matrix $c\mathcal{L}$. However, the condition in Qin et al. (2014) does not apply when $\rho(A) > (1 - \chi(c\mathcal{L})^{N-1})^{1/(1-N)}$. That is to say, the consensus protocol in (5) may not guarantee consensus. For this reason, an impulsive consensus protocol will be considered if the consensus of linear discrete-time multi-agent systems in (5) cannot be guaranteed. Such an impulsive consensus protocol can be regarded as a compensation control of the discrete-time multi-agent systems (5). In this case, an impulsive consensus protocol to ensure semi-global consensus will be considered. Thus, we suppose that the linear discrete-time multi-agent system in (1) cannot achieve consensus. Then, an impulsive protocol $u_i(k)$ is defined such that the state vector $x_i(k)$ is replaced by $x_i(k-1) + B u_i(k-1)$ at impulsive instant $k_m$, where $u_i(k)$ has the following form:

$$u_i(k) = K \sum_{m=1}^{\infty} \sum_{j \in \bar{N}_i} (x_j(k) - x_i(k))\, \delta[k - k_m + 1], \tag{6}$$

where $\delta[\cdot]$ is the Dirac discrete-time function, $B \in \mathbb{N}^{n \times p}$ is an impulsive input matrix, $K \in \mathbb{N}^{p \times n}$ is an impulsive control gain matrix, and the impulsive instants $k_m$ satisfy $k_0 < k_1 < \ldots < k_m < \ldots$ and $\lim_{m \to \infty} k_m = +\infty$, $m \in \mathbb{N}^+$.
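An added simulation, not part of the chapter, of system (5) with the impulsive update described for protocol (6), for scalar agent states. The path graph (used here for both topologies), the values of a, c and b, the two gains, the impulse period, and the initial states are constructed assumptions; the gains are hand-picked rather than computed from a Riccati equation.

```python
# Added illustration: scalar agents (n = 1) under dynamics (5) with the
# impulsive update described for protocol (6). The graph, gains, period and
# initial states are constructed values, not taken from the chapter.

# Undirected path graph 0-1-2-3, assumed to serve as both the feedback
# topology and the impulsive topology.
NEIGHBORS = {0: [1], 1: [0, 2], 2: [1, 3], 3: [2]}


def neighbor_sums(x):
    """Return sum_{j in N_i} (x_j - x_i) for every agent i."""
    return [sum(x[j] - x[i] for j in NEIGHBORS[i]) for i in range(len(x))]


def disagreement(x):
    """Largest pairwise consensus error, max_{i,j} |x_i - x_j|."""
    return max(x) - min(x)


def simulate(x0, a, c, gain, period, steps, b=1.0):
    """Iterate (5); at impulsive instants k_m = m * period apply (6).

    At k = k_m the state becomes x_i(k_m - 1) + b * u_i(k_m - 1), with
    u_i = gain * sum_{j in N_i} (x_j - x_i), instead of the usual update.
    period = 0 disables the impulses.
    Returns the final state and the largest |u_i| that was applied.
    """
    x = list(x0)
    peak_u = 0.0
    for k in range(1, steps + 1):
        diff = neighbor_sums(x)
        if period and k % period == 0:
            u = [gain * d for d in diff]
            peak_u = max(peak_u, max(abs(v) for v in u))
            x = [xi + b * ui for xi, ui in zip(x, u)]
        else:
            x = [a * xi + c * d for xi, d in zip(x, diff)]
    return x, peak_u


def run_demo():
    """Compare no impulses, a larger impulsive gain and a smaller one."""
    x0 = [2.0, 1.0, -1.0, -2.0]      # constructed initial states
    a, c, steps = 1.05, 0.02, 60     # unstable A, weak coupling gain
    free, _ = simulate(x0, a, c, gain=0.0, period=0, steps=steps)
    strong, strong_peak = simulate(x0, a, c, gain=0.5, period=3, steps=steps)
    weak, weak_peak = simulate(x0, a, c, gain=0.25, period=3, steps=steps)
    return {
        "initial": disagreement(x0),
        "free": disagreement(free),
        "strong": disagreement(strong),
        "weak": disagreement(weak),
        "strong_peak_u": strong_peak,
        "weak_peak_u": weak_peak,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:>14}: {value:.4f}")
```

With these values the coupling alone lets the disagreement grow, both impulsive gains shrink it, and the smaller gain injects smaller impulses at the cost of slower convergence.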

Motivated by the existing results on guaranteed cost control in Zhou et al. (2008), Yang et al. (2000), and Liu (1995), a distributed impulsive protocol is proposed in the form of (6) with a novel impulsive control gain matrix as well as the cost function in (7), which is related to the parameters $\gamma$, $\mu$, and $\sigma$. Moreover, it is worth mentioning that $\gamma$ is the so-called low-gain parameter in low-gain design strategies (Zhou et al. 2008, 2009; Lin et al. 2000). In these works, there is a close relationship between the low-gain parameter $\gamma$ and the low-gain feedback gain matrix. That is to say, the multi-agent systems realize semi-global consensus as time goes on, and the spectral radius of the impulsive protocol tends to zero as the low-gain parameter $\gamma$ goes to zero. At this stage, the concept of the low-gain parameter $\gamma$ is introduced into distributed impulsive control. To calculate how much energy should be injected by the impulsive protocol to ensure semi-global consensus, an optimal impulsive control problem can be considered that minimizes the cost function:

$$J(u_i) = \sum_{m=1}^{S[k_0,\infty]} \sum_{i \in \mathcal{V}} \sum_{j \in N_i} \Big[ \sum_{h=k_{m-1}}^{k_m-2} \alpha_1(h)\, \varepsilon_{ji}(h)^T Q\, \varepsilon_{ji}(h) + \alpha_2(k_m) \big( \varepsilon_{ji}(k_m-1)^T Q\, \varepsilon_{ji}(k_m-1) + u_i(k_m-1)^T R\, u_i(k_m-1) \big) \Big], \tag{7}$$

where $Q \ge 0$, $R > 0$, $0 < \gamma < 1$, $\mu > 0$, and $\sigma = \max\{k_m - k_{m-1}\} \ge 1$. Inspired by Zhou et al. (2008), denote the new vectors $\bar{x}_i(k) = (\sqrt{1-\gamma})^{-k} x_i(k)$ and $\bar{u}_i(k) = (\sqrt{1-\gamma})^{-k} u_i(k)$. One can obtain the following discrete-time multi-agent system under the impulsive consensus protocol:

$$\begin{cases} x(k+1) = (I_N \otimes A_\gamma)x(k) + c_\gamma(\mathcal{L} \otimes I_n)x(k), & k \neq k_m - 1, \\ x(k_m) = (I_N \otimes I_\gamma)x(k_m-1) + (D \otimes B_\gamma K)x(k_m-1), \end{cases} \tag{8}$$

where $x(k) = [\bar{x}_1(k)^T, \bar{x}_2(k)^T, \cdots, \bar{x}_N(k)^T]^T$, $A_\gamma = A/\sqrt{1-\gamma}$, $c_\gamma = c/\sqrt{1-\gamma}$, $I_\gamma = I_n/\sqrt{1-\gamma}$, and $B_\gamma = B/\sqrt{1-\gamma}$. Then, the cost function (7) can be divided into

$$J(u) = \sum_{m=1}^{S[k_0,\infty]} \Big( \sum_{k=k_{m-1}}^{k_m-2} (1+\mu)^{-\sigma-1} x(k)^T (\mathcal{L} \otimes Q) x(k) + x(k_m-1)^T (\mathcal{L} \otimes Q) x(k_m-1) + u(k_m-1)^T (I_N \otimes R) u(k_m-1) \Big). \tag{9}$$

The following definitions and assumption are required for deriving the main results:

Definition 2. For any impulsive protocol in (6), the linear discrete-time multi-agent system in (8) is said to achieve global consensus of agents if the following condition holds

$$\lim_{k \to \infty} \|x_i(k) - x_j(k)\| \to 0,$$

as long as $x_i(k_0) \in \mathbb{R}^n$ for all $i = 1, 2, \ldots, N$.

Definition 3. For any a priori given bounded set $X \subset \mathbb{R}^n$ and impulsive protocol in (6), the linear discrete-time multi-agent system in (8) is said to achieve semi-global consensus of agents if the following condition holds

$$\lim_{k \to \infty} \|x_i(k) - x_j(k)\| \to 0,$$

as long as $x_i(k_0) \in X$ for all $i = 1, 2, \ldots, N$. Particularly, when $X = \mathbb{R}^n$, the linear discrete-time multi-agent system in (8) is said to achieve global consensus.

Assumption 3. The pair $(I_n, B)$ is stabilizable.

3 Impulsive Consensus Protocol Design

In this section, the semi-global consensus of the linear discrete-time multi-agent system in (8) will be studied by utilizing the impulsive consensus protocol based on the low-gain approach. By modifying the methods in Saberi et al. (2000) and Zhou et al. (2008), the low-gain and low-and-high-gain impulsive consensus protocols are presented by parametric discrete-time Riccati equations.

3.1 Low-Gain-Based Impulsive Consensus Protocol

In this subsection, an impulsive guaranteed cost control is introduced to ensure the consensus of linear discrete-time multi-agent systems in (5). Then, a parametric discrete-time Riccati equation will be applied to the design of the control gain matrix $K$ in the low-gain-based impulsive consensus protocol. Different from the low-gain feedback control (You and Xie 2011; Zhou et al. 2008, 2009; Saberi et al. 2000), several fundamental questions need to be answered when designing the low-gain-based impulsive consensus protocol:

1. How do we design a proper cost function to apply the control cost of the distributed impulsive protocol?
2. How do we derive the impulsive control gain matrix $K$ based on these derived criteria?
3. How do we find a proper control gain matrix $K$ to minimize the cost function?

These questions will be answered at the end of this subsection. In what follows, the low-gain-based impulsive protocol for ensuring the semi-global consensus of the linear discrete-time multi-agent system in (8) is considered.

Theorem 1. Consider the linear discrete-time multi-agent system in (8) with the cost function (9). If there exist a positive parameter $\mu$ and a positive definite matrix $P \in \mathbb{R}^{n \times n}$ such that the following criteria hold

$$(A_\gamma + c_\gamma \lambda_i I_n)^T P (A_\gamma + c_\gamma \lambda_i I_n) + Q - (1+\mu)P \le 0, \tag{10}$$

$$(I_\gamma + \eta_i B_\gamma K)^T P (I_\gamma + \eta_i B_\gamma K) + Q + \frac{\eta_i^2}{\lambda_i} K^T R K - (1+\mu)^{-\sigma+1} P \le 0, \tag{11}$$

where $2 \le i \le N$, then the linear discrete-time multi-agent system in (4) can achieve consensus under the distributed impulsive protocol in (6). Furthermore, the cost function (9) satisfies

$$J(u) \le \frac{1}{2} \sum_{i \in \mathcal{V}} \sum_{j \in N_i} \bar{\varepsilon}_{ji}(k_0)^T P\, \bar{\varepsilon}_{ji}(k_0),$$

where $\bar{\varepsilon}_{ji}(k) = \bar{x}_j(k) - \bar{x}_i(k)$.

Proof. Let $V(k) = (1/2) \sum_{i \in \mathcal{V}} \sum_{j \in N_i} \bar{\varepsilon}_{ji}(k)^T P\, \bar{\varepsilon}_{ji}(k)$. For $k \in [k_0, k_1 - 1]$, we can get

$$\Delta V(k) = V(k+1) - V(k) = \frac{1}{2} \sum_{i \in \mathcal{V}} \sum_{j \in N_i} \Big[ \bar{\varepsilon}_{ji}(k+1)^T P\, \bar{\varepsilon}_{ji}(k+1) - \bar{\varepsilon}_{ji}(k)^T P\, \bar{\varepsilon}_{ji}(k) \Big]. \tag{12}$$

Due to the fact that $\mathcal{L}$ is connected and irreducible, it is easy to see that

$$\sum_{i \in \mathcal{V}} \sum_{j \in N_i} \bar{\varepsilon}_{ji}(k)^T P\, \bar{\varepsilon}_{ji}(k) = 2 x^T(k) (\mathcal{L} \otimes P) x(k),$$

$$\sum_{i \in \mathcal{V}} \Big( \sum_{j \in N_i} \bar{\varepsilon}_{ji}(k) \Big)^T P \Big( \sum_{j \in N_i} \bar{\varepsilon}_{ji}(k) \Big) = x^T(k) (\mathcal{L}^2 \otimes P) x(k),$$

εj i (k)T P

i∈V j ∈Ni



εpi (k) =

p∈Ni

  i∈V

j ∈Ni

εj i (k)

T 

P ε j i (k) , p∈Ni

and    i∈V j ∈Ni

ε pi (k)

p∈Ni

T 

P ε pi (k) = x T (k)(L 3 ⊗ P )x(k). p∈Ni

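Along the state trajectory of (8), one gets

$$\Delta V(k) = \frac{1}{2} \sum_{i \in \mathcal{V}} \sum_{j \in N_i} \Big[ \bar{\varepsilon}_{ji}(k+1)^T P\, \bar{\varepsilon}_{ji}(k+1) - \bar{\varepsilon}_{ji}(k)^T P\, \bar{\varepsilon}_{ji}(k) \Big] = x^T(k) \Big[ \mathcal{L} \otimes (A_\gamma^T P A_\gamma - P) + c_\gamma \mathcal{L}^2 \otimes (A_\gamma^T P + P A_\gamma) + c_\gamma^2 \mathcal{L}^3 \otimes P \Big] x(k). \tag{13}$$

Due to $\mathcal{L}^T = \mathcal{L}$, there is a unitary matrix $Y = [y_1, y_2, \ldots, y_N] \in \mathbb{R}^{N \times N}$ with $y_i = [y_{1i}, y_{2i}, \ldots, y_{Ni}]^T \in \mathbb{R}^N$ such that $Y^T \mathcal{L} Y = \Lambda$, where $Y^T Y = I_N$ and $\Lambda = \mathrm{diag}\{0, \lambda_2, \ldots, \lambda_N\}$. Since $\lambda_1 = 0$, one can construct $y_1 = (1/\sqrt{N})(1, 1, \ldots, 1)^T \in \mathbb{R}^N$. In this case, utilizing the unitary transform $\bar{y}(k) = (Y^T \otimes I)x(k) = [\bar{y}_1^T(k), \bar{y}_2^T(k), \ldots, \bar{y}_N^T(k)]^T \in \mathbb{R}^{n \times N}$, it follows that

$$\begin{aligned} x^T(k)(\mathcal{L}^2 \otimes (A_\gamma^T P + P A_\gamma))x(k) &= \bar{y}^T(k)(Y^T \otimes I_n)(\mathcal{L}^2 \otimes (A_\gamma^T P + P A_\gamma))(Y \otimes I_n)\bar{y}(k) \\ &= \bar{y}^T(k)(Y^T \mathcal{L} Y Y^T \mathcal{L} Y \otimes (A_\gamma^T P + P A_\gamma))\bar{y}(k) \\ &= \sum_{i=2}^{N} \lambda_i^2\, \bar{y}_i(k)^T (A_\gamma^T P + P A_\gamma)\, \bar{y}_i(k), \end{aligned} \tag{14}$$

and

$$x^T(k)(\mathcal{L}^3 \otimes P)x(k) = \sum_{i=2}^{N} \lambda_i^3\, \bar{y}_i(k)^T P\, \bar{y}_i(k). \tag{15}$$

From (12), (13), (14), (15), and (16), it yields that

$$\Delta V(k) \le -\big[ x^T(k)(\mathcal{L} \otimes Q)x(k) - \mu V(k) \big],$$

and

$$V(k_1 - 1) \le (1+\mu)^{k_1-k_0-1} V(k_0) - \sum_{h=k_0}^{k_1-2} (1+\mu)^{k_1-h-2} x^T(h)(\mathcal{L} \otimes Q)x(h). \tag{16}$$

That is to say,

$$\sum_{h=k_0}^{k_1-2} \Delta V(h) = V(k_1-1) - V(k_0) \le [1 - (1+\mu)^{-\sigma+1}] V(k_1-1) - (1+\mu)^{-\sigma-1} \sum_{h=k_0}^{k_1-2} x^T(h)(\mathcal{L} \otimes Q)x(h). \tag{17}$$

When $k = k_1$, one gets

$$\Delta V(k_1-1) = x^T(k_1-1) \Big[ \mathcal{L} \otimes (I_\gamma^2 P - P) + D\mathcal{L} \otimes K^T B_\gamma^T P + \mathcal{L}D \otimes P B_\gamma K + D\mathcal{L}D \otimes K^T B_\gamma^T P B_\gamma K \Big] x(k_1-1). \tag{18}$$

From (16), (17), and (18), it can be obtained that

$$\Delta V(k_1-1) \le -x^T(k_1-1)(\mathcal{L} \otimes Q)x(k_1-1) - u^T(k_1-1)(I_N \otimes R)u(k_1-1) - [1 - (1+\mu)^{-\sigma+1}] V(k_1-1). \tag{19}$$

Repeating the above arguments, when $k \in [k_0, k_M]$, one has

$$\sum_{m=1}^{S[k_0,k_M]} \Big[ \sum_{h=k_{m-1}}^{k_m-2} \Delta V(h) + \Delta V(k_m-1) \Big] \le -\sum_{m=1}^{S[k_0,k_M]} \Big[ \sum_{h=k_{m-1}}^{k_m-2} (1+\mu)^{-\sigma-1} x^T(h)(\mathcal{L} \otimes Q)x(h) + x^T(k_m-1)(\mathcal{L} \otimes Q)x(k_m-1) + u^T(k_m-1)(I_N \otimes R)u(k_m-1) \Big] = -J(k_M).$$

Therefore, it follows that

$$J(u) = \lim_{M \to \infty} J(k_M) \le \lim_{M \to \infty} (V(k_0) - V(k_M)) = V(k_0).$$

Thus, the proof is completed.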

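Apparently, by means of a quadratic guaranteed cost control, Theorem 1 gives a condition for achieving the consensus of the linear discrete-time multi-agent system in (8). In this setting, the following proposition shows how to obtain the impulsive control gain matrix $K$:

Proposition 1. Suppose that Assumption 3 and all the conditions in Theorem 1 are satisfied. If there exist positive parameters $\omega$ and $\mu$ such that

$$\max_{2 \le i \le N} |1 - \omega\eta_i| \le \delta, \tag{20}$$

then the cost function (9) is minimized with

$$K = -\omega R_\gamma^{-1} B^T P_\gamma, \tag{21}$$

where $P_\gamma$ is the unique positive solution to the parametric discrete-time Riccati equation

$$(1-\gamma)(1+\mu)^{-\sigma+1} P_\gamma = P_\gamma + Q - (1-\delta^2) P_\gamma B R_\gamma^{-1} B^T P_\gamma, \tag{22}$$

and $\delta \in (0, 1)$, $R_\gamma = B^T P_\gamma B + R/\lambda_2$, and $\mu$ satisfies

$$(A + c\lambda_i I_n)^T P_\gamma (A + c\lambda_i I_n) + Q < (1+\mu)(1-\gamma) P_\gamma. \tag{23}$$

Particularly, when $Q = 0$ and $I_n - B R_\gamma^{-1} B^T P_\gamma$ is Schur, the consensus of the discrete-time multi-agent system in (8) can also be achieved.

Proof. From (20), one has $1 - \delta \le \omega\eta_2 \le \omega\eta_N \le 1 + \delta$, which means, for $2 \le i \le N$,

$$1 \ge 1 - (1 - \omega\eta_i)^2 \ge 1 - \delta^2. \tag{24}$$

For brevity, denote

$$\Omega_i = (I_\gamma + \eta_i B_\gamma K)^T P (I_\gamma + \eta_i B_\gamma K) + Q + \frac{\eta_i^2}{\lambda_i} K^T R K - (1+\mu)^{-\sigma+1} P,$$

and

$$\bar{\Omega}_i = I_\gamma^2 P - (1+\mu)^{-\sigma+1} P + Q + (\omega\eta_i - \omega^2\eta_i^2) I_\gamma (\omega^{-1} P B_\gamma K + \omega^{-1} K^T B_\gamma^T P) - (\omega\eta_i I_\gamma)^2 P B_\gamma \bar{R}_\gamma^{-1} B_\gamma^T P,$$

where $2 \le i \le N$. From Theorem 1, we know $\Omega_i \le 0$. At this stage, one gets

$$\begin{aligned} \max_{\lambda_i} \Omega_i &= I_\gamma^2 P + \omega\eta_i I_\gamma (\omega^{-1} P B_\gamma K + \omega^{-1} K^T B_\gamma^T P) + \omega^2\eta_i^2 \omega^{-2} K^T \bar{R}_\gamma K + Q - (1+\mu)^{-\sigma+1} P \\ &= I_\gamma^2 P + \omega\eta_i I_\gamma (\omega^{-1} P B_\gamma K + \omega^{-1} K^T B_\gamma^T P) + \omega^2\eta_i^2 \omega^{-2} K^T \bar{R}_\gamma K + Q - (1+\mu)^{-\sigma+1} P \\ &\quad + (\omega\eta_i I_\gamma)^2 (P B_\gamma \bar{R}_\gamma^{-1} \bar{R}_\gamma \bar{R}_\gamma^{-T} B_\gamma^T P - P B_\gamma \bar{R}_\gamma^{-1} B_\gamma^T P) \\ &= I_\gamma^2 P - (1+\mu)^{-\sigma+1} P + Q + (\omega\eta_i - \omega^2\eta_i^2) I_\gamma (\omega^{-1} P B_\gamma K + \omega^{-1} K^T B_\gamma^T P) - (\omega\eta_i I_\gamma)^2 P B_\gamma \bar{R}_\gamma^{-1} B_\gamma^T P \\ &\quad + \omega^2\eta_i^2 (\omega^{-1} K^T + I_\gamma P B_\gamma \bar{R}_\gamma^{-1}) \bar{R}_\gamma (\omega^{-1} K^T + I_\gamma P B_\gamma \bar{R}_\gamma^{-1})^T \\ &= \bar{\Omega}_i + \omega^2\eta_i^2 (\omega^{-1} K^T + I_\gamma P B_\gamma \bar{R}_\gamma^{-1}) \bar{R}_\gamma (\omega^{-1} K^T + I_\gamma P B_\gamma \bar{R}_\gamma^{-1})^T, \end{aligned} \tag{25}$$

where $\bar{R}_\gamma = B_\gamma^T P B_\gamma + R/\lambda_2$. Similar to the discrete-time linear regulator problem in Kailath (1980), from (22) and the second equation of (8), one can obtain the minimized impulsive protocol:

$$\min\{u_i(k_m)\} = -\omega \bar{R}_\gamma^{-1} B_\gamma^T P I_\gamma \sum_{j \in \bar{N}_i} \bar{\varepsilon}_{ji}(k_m),$$

where $P$ satisfies $\bar{\Omega}_i \le 0$. Thus, it can be derived that $\min\{K\} = -\omega \bar{R}_\gamma^{-1} B_\gamma^T P I_\gamma$ and

$$\begin{aligned} \min\{\bar{\Omega}_i\} &= I_\gamma^2 P - (1+\mu)^{-\sigma+1} P + Q - 2(\omega\eta_i - \omega^2\eta_i^2) I_\gamma^2 P B_\gamma \bar{R}_\gamma^{-1} B_\gamma^T P - (\omega\eta_i I_\gamma)^2 P B_\gamma \bar{R}_\gamma^{-1} B_\gamma^T P \\ &\le I_\gamma^2 P - (1+\mu)^{-\sigma+1} P + Q - (1-\delta^2) I_\gamma^2 P B_\gamma \bar{R}_\gamma^{-1} B_\gamma^T P. \end{aligned} \tag{26}$$

That is, (25) holds if $P$ is the solution of the following discrete-time Riccati equation:

$$I_\gamma^2 P - (1+\mu)^{-\sigma+1} P + Q - (1-\delta^2) I_\gamma^2 P B_\gamma R_\gamma^{-1} B_\gamma^T P = 0.$$

To solve the above optimal control problem, it is easy to obtain that $P_\gamma = P/(1-\gamma)$ is the unique positive definite solution to the parametric discrete-time Riccati equation (20), when the positive parameter $\mu$ satisfies

$$(A + c\lambda_i I_n)^T P_\gamma (A + c\lambda_i I_n) + Q < (1+\mu)(1-\gamma) P_\gamma,$$

where $2 \le i \le N$. In this case, denote $\bar{I}_\gamma = I_N \otimes I_\gamma - \omega D \otimes (I_\gamma B_\gamma \bar{R}_\gamma^{-1} B_\gamma^T P)$; then, one has

$$\bar{I}_\gamma = \frac{1}{\sqrt{1-\gamma}} \big( I_{Nn} - \omega D \otimes (B R_\gamma^{-1} B^T P_\gamma) \big).$$

Particularly, when $Q = 0$, the discrete-time multi-agent system in (9) can achieve consensus from (21), and

$$|\lambda_i(I_n - \omega\eta_i B R_\gamma^{-1} B^T P_\gamma)|_{\max} \le (1+\mu)^{-\frac{\sigma-1}{2}} (1-\gamma)^{\frac{1}{2}} < 1.$$

It means that

$$|\lambda_i(I_n - B R_\gamma^{-1} B^T P_\gamma)|_{\max} \le (1+\mu)^{-\frac{\sigma-1}{2}} (1-\gamma)^{\frac{1}{2}} < 1. \tag{27}$$

The proof is completed.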

Note that a parameter δ is introduced in Proposition 1. In this case, one can regulate this parameter to solve the parametric discrete-time Riccati equation in (22). From You and Xie (2011), it is not hard to check that when $(I_n, B)$ is controllable and δ ∈ (0, 1), the discrete-time Riccati equation in (20) has a unique positive definite solution. A special selection is $\omega = 2/(\eta_2 + \eta_N)$ and $1 - \delta^2 = 4/[(\eta_2/\eta_N)^{1/2} + (\eta_2/\eta_N)^{-1/2}]$. More results on ω and δ can be found in You and Xie (2011) and Hengster et al. (2013). On the other hand, Proposition 1 shows a way to design the impulsive control gain matrix K in the low-gain-based impulsive consensus protocol. That is, the parameter γ ∈ (0, 1) in (3) is a low-gain parameter, which means that the convergence rate of the linear discrete-time multi-agent system with the distributed impulsive protocol in (8) is faster than $(\sqrt{1-\gamma})^k$.

For the sake of simplification, in the following, assume that Q = 0. In this case, the parametric discrete-time Riccati equation (22) becomes

$$(1-\gamma)(1+\mu)^{-\sigma+1} P_\gamma = P_\gamma - (1-\delta^2) P_\gamma B R_\gamma^{-1} B^T P_\gamma. \tag{28}$$

Then, a further result on the solution $P_\gamma$ in (20) is given to show that the value of γ can approach zero.

Theorem 2. Suppose that all the conditions in Theorem 1 and Proposition 1 are satisfied. Let $P_\gamma$ be the unique positive definite solution to the parametric discrete-time Riccati equation (28). Then

$$\lim_{\gamma\to 0^+} P_\gamma = 0.$$

Proof. Taking derivative of both sides of (28) with respect to γ , we have  dP dP dPγ dPγ γ γ =(1 + μ)σ −1 − (1 − δ 2 ) BRγ−1 B T Pγ + Pγ BRγ−1 B T dγ dγ dγ dγ

γ dPγ dPγ BRγ−1 B T Pγ + + Pγ . (29) − Pγ BRγ−1 B T dγ dγ


From (29), one obtains Pγ dPγ (1 − δ 2 )(1 + μ)σ −1  T dPγ  0. dγ It is to say that the positive definite matrix Pγ is monotonically increasing with respect to γ . In this case, the limit of Pγ exists as γ → 0. Denoting limγ →0+ Pγ = P0 , it can be derive that (1 + μ)−σ +1 P0 =P0 − (1 − δ 2 )P0 BR0−1 B T P0 ,

(31)

where $R_0 = B^T P_0 B + R/\lambda_2$. Similarly to Saberi et al. (1995), if $(I_n, B)$ is controllable, the discrete-time Riccati equation (29) has the unique semi-positive definite solution $P_0 = 0$. Thus, the proof is completed.

In the following, we will illustrate that the linear discrete-time multi-agent system in (5) can achieve semi-global consensus under the distributed impulsive protocol in (6). Theorem 3. Suppose that all the conditions in Theorem 2 are satisfied. Then the linear discrete-time multi-agent system in (4) can achieve semi-global consensus as long as limγ →0+ Pγ = 0.   Proof. Consider V (k) = (1/2) i∈V j ∈Ni εj i (k)T P εj i (k). Denote XL as a bounded set. It follows from Theorem 2 that there always exists a positive constant L such that L =

sup

x(k0 )∈XL ,γ ∈(0,1]

x(k0 )T (L ⊗ Pγ )x(k0 ).

Denote L(V , L ) = {x(k) ∈ RN n×N n : x(k)T (L ⊗ Pγ )x(k) ≤ L } and γL∗ ∈ (0, 1]. Thus, for each γ ∈ (0, γL∗ ], γ−1 B T Pγ )x(km − 1) ≤ ΔL , (D ⊗ ωR holds, where ΔL is a bound since limγ →0+ Pγ = 0. In this case, for any γ ∈ (0, γL∗ ], the dynamics of (5) remains linear within L(V ,  ). Similar to Theorem 1, one knows the derivative of V along the trajectories of the agents within the set L(V ,  ) as


$$V(k+1) \le (1+\mu)(1-\gamma)V(k) \le [(1+\mu)(1-\gamma)]^{\sigma-1} V(k_{m-1})$$

holds for $k \in [k_{m-1}, k_m - 1]$, and $V(k_m) \le (1+\mu)^{-\sigma+1}(1-\gamma)V(k_m - 1)$. Therefore, it can be obtained that, for any x ∈ L(V , L ) − {0},

$$V(k_m) - V(k_m - 1) \le [(1-\gamma)^{\sigma} - 1]V(k_m - 1) < 0.$$

It means that the trajectory $\varepsilon_k^{ij}$ starting from the level set L(V , L ) can converge to the origin $\varepsilon_k^{ij} = 0$ asymptotically as time evolves to infinity, i.e.,

$$\lim_{k\to\infty} \varepsilon_{ij}(k) \to 0, \quad i, j = 1, 2, \ldots, N.$$

This completes the proof.



To answer the questions in the beginning of this subsection, the relation of the results derived above needs to be illustrated. In view of Theorem 1 and Proposition 1, it is easy to see that the impulsive control gain matrix requires the solution of the parametric discrete-time Riccati equation in (27). From Theorem 2, the positive definite matrix $P_\gamma$ can approach zero when the low-gain parameter γ tends to zero. That is to say, the impulsive control gain matrix K can approach the zero matrix, which leads the magnitude of the impulsive protocol to tend to zero. Then, the linear discrete-time multi-agent system in (5) can achieve semi-global consensus when applying Theorem 3.

Different from the usual low-gain feedback design approaches (Lin et al. 2000; Teel 1995; Zhou et al. 2008), note that the parametric discrete-time Riccati equation (22) depends on many parameters, e.g., the low-gain parameter γ, δ, μ, and σ. When solving $P_\gamma$ from (22), this inevitably leads to some difficulties in obtaining the impulsive control gain matrix K. Thus, the following algorithm is given to show how to design the low-gain-based impulsive consensus protocol:

Algorithm 2. The algorithm of low-gain-based impulsive consensus protocol in linear discrete-time multi-agent systems in (5)

Step 1. Solve the parametric discrete-time Riccati equation in (28), i.e.,

$$(1-\gamma)(1+\mu)^{-\sigma+1} P_\gamma = P_\gamma - (1-\delta^2) P_\gamma B R_\gamma^{-1} B^T P_\gamma,$$

as an optimization problem min γ, subject to (28), where $\mu \in [\mu_m, \mu_M]$ and δ ∈ (0, 1) are the initial parameters of (28).

Step 2. Get $P_\gamma$ when minimizing γ, and check whether (6) holds; if not, return to Step 1.

Step 3. Design a consensus protocol for agent i as

$$u_i(k) = K_\gamma \sum_{m=1}^{\infty} \sum_{j \in N_i} (x_j(k) - x_i(k))\,\delta[k - k_m + 1],$$

where $K_\gamma = -\omega R_\gamma^{-1} B^T P_\gamma$ is a control gain matrix and $P_\gamma$ is a solution of the parametric discrete-time Riccati equation in (28). Thus, $P_\gamma \to 0$ as γ → 0.

3.2 Low-and-High-Gain-Based Impulsive Consensus Protocol

In this subsection, the low-and-high-gain control techniques are introduced into the design of the distributed impulsive protocol. The low-and-high-gain-based impulsive consensus protocol can be regarded as distributed impulsive control subjected to state saturation, as well as the low-gain-based impulsive consensus protocol proposed above. Different from the low-gain-based impulsive consensus protocol, the low-and-high-gain-based distributed impulsive protocol can enhance the utilization of the control capacity of linear discrete-time multi-agent systems in (8).

Firstly, for simplification, suppose that $R = \lambda_2 I_n$. At this stage, the parametric discrete-time Riccati equation in (28) becomes

$$(1-\gamma)(1+\mu)^{-\sigma+1} P_\gamma = P_\gamma - (1-\delta^2) P_\gamma B R_\gamma^{-1} B^T P_\gamma, \tag{32}$$

where $R_\gamma = B^T P_\gamma B + I_p$. Inspired by the low-and-high-gain techniques in Lin et al. (2000), the impulsive control gain matrix has the form of

$$K = -(1+\beta)\omega R_\gamma^{-1} B^T P_\gamma, \tag{33}$$

where $\beta \in [0, \beta^*]$ is a high-gain parameter and $\beta^*$ is a parameter to be designed. In many works (You and Xie 2011; Saberi et al. 2000), the high-gain parameter β plays an important role in handling external control inputs, robustness, or disturbance rejection. Obviously, if the low-gain parameter γ lies in a proper range, the semi-global consensus performance of the linear discrete-time multi-agent system in (5) can only depend on the high-gain parameter β. That is to say, the impulsive consensus protocol hinges on a complicated adaptation of the low-gain parameter γ and the high-gain parameter β. Although the low-and-high-gain control techniques have many advantages, we only study the case that the distributed impulsive protocol can be treated as a bounded control, i.e., $u_{k_m-1} \in [0, \Delta_{LH}]$. To obtain the main results, let $X_{LH}$ be a bounded set, $x^i_{k_0} \in X_{LH}$. In this case, the following properties are required:


1. β ∈ [0, β ∗ ], where β ∗ is a parameter to be designed; γ−1 B T Pγ )xkm −1  ≤ ΔLH holds for any xkm −1 ∈ RN n×N n , 2. (1 + β)(D ⊗ ωR where ΔLH is a given bound; 3. X LH = {xk ∈ RN n×N n : xkT (L ⊗ Pγ )xk ≤ LH } is a bounded set for all k ∈ [k0 , +∞) and LH > 0. where Pγ is the unique positive definite solution to the parametric discrete-time Riccati equation (32). Then, the design of low-and-high-gain-based impulsive consensus protocol will be divided into three steps. First, the low-gain parameter γ0 is needed to be designed, then we will give a way to design the low-and-high-gain parameter β0 , and last, combining the low-gain parameter γ0 and the low-and-high-gain parameter β0 , the low-and-high-gain-based impulsive control gain matrix K is obtained.

3.2.1 Design of Low-Gain Parameter γ0

In the following proposition, the bound of the low-gain parameter γ can be derived, and further the procedure of designing low-gain parameter γ0 based on this bound is given.

Proposition 2. Consider the linear discrete-time multi-agent system in (5) with low-gain-based impulsive consensus protocol, where the impulsive control gain matrix is given by $K = -\omega R_\gamma^{-1} B^T P_\gamma$. Suppose that Assumption 2 is satisfied. If there exists a positive parameter μ, such that the following criterion holds

$$(A + c\lambda_i I_n)^T P_\gamma (A + c\lambda_i I_n) - (1+\mu)(1-\gamma)P_\gamma \le 0, \tag{34}$$

where Pγ is the unique positive definite solution to the parametric discrete-time Riccati equation (32). Then the semi-global consensus of linear discrete-time multiagent system in (5) can be achieved. Furthermore, the low-gain parameter γ can be ∗ , such that set as γ = γLH sup x∈X LH

ωη 2  N T σ −1 2 ∗ )x (L ⊗ Pγ ∗ )x ≤ (1 + μ) λN tr(BB T )tr(PγLH ΔLH , LH λ2 (35)

holds for all k ∈ [k0 , +∞). Proof. From above subsection, let the low-gain-based impulsive consensus pro γ−1 B T Pγ (x (k − 1) − xi (km − 1)). Let tocol as ui (km − 1) = −ωR  j m j ∈Ni   T V (k) = (1/2) i∈V j ∈Ni εj i (k) Pγ εj i (k). Thus, when k ∈ [km−1 , km − 1], one has


$$V(k) - V(k_m - 1) \le [(1+\mu)^{\sigma-1} - 1]V(k_m - 1). \tag{36}$$

From Proposition 1, when $k = k_m$, one can get

$$V(k_m) - V(k_m - 1) \le [(1-\gamma)(1+\mu)^{-\sigma+1} - 1]V(k_m - 1). \tag{37}$$

From (36) and (37), it can be obtained that V (km ) − V (km−1 ) =V (km ) − V (km − 1) + V (km − 1) − V (km−1 ) ≤ − γ V (km−1 ). Therefore, it yields that the semi-global consensus of linear discrete-time multiagent system in (5) can be derived. γ−1 B T Pγ )x(km − 1) ≤ ΔLH . To obtain Based on the property (ii), (D ⊗ ωR this, observe that γ−1 B T Pγ )x(km − 1)2 ≤ ω(D ⊗ B T Pγ )x(km − 1)2 (D ⊗ ωR = ω(DL L −1 ⊗ B T Pγ )x(km − 1)2 ωη 2 N ≤ (L ⊗ B T Pγ )x(km − 1)2 λ2 ωη 2 1 N ≤ BB T 2 L ⊗ Pγ (L ⊗ Pγ ) 2 λ2 ωη 2 N x(km − 1)2 ≤ λN tr(BB T )tr(Pγ ) λ2 xkTm −1 (L ⊗ Pγ )x(km − 1) ≤ Δ2LH .

(38)

It is to say that, for all m ∈ N+ , one gets the following inequality holds when k ∈ [km−1 , km − 1], x(k)T (L ⊗ Pγ )x(k) ≤(1 + μ)σ −1

Δ

LH λ2 2

ωηN

λN tr(BB T )tr(Pγ )

−1

.

(39)

On the other hand, by utilizing limγ →0+ Pγ = 0, it can be configured as the ∗ such that (35) holds. That is, when X low-gain parameter γ = γLH LH = {xk ∈ T N n×N n : xk (L ⊗ Pγ )xk ≤ LH }, one can observe that (35) holds if R λN

ωη 2 N

λ2

This proof is completed.

tr(BB T )tr(Pγ ∗ ) ≥

(1 + μ)σ −1 Δ2LH . LH

(40) 


From Proposition 2, designing a proper low-gain parameter with respect to xk then amounts to look for the largest γ such that xk lies within the set X LH . Therefore, the low-gain parameter is configured as ∗ ] : xkT (L ⊗ Pγ )xk ≤ LH }, γ0 = max{γ ∈ (0, γLH

(41)

2

−1 where LH = ΔLH λ2 /ωηN λN tr(BB T )tr(Pγ0 ) (1+μ)σ −1 . Moreover, note that Proposition 2 can be regarded as a special case of β = 0. When ΔLH is not ∗ as 1. very small, for brevity, one can also choose γLH

3.2.2 Design of High-Gain Parameter β0

Now, the bound of the high-gain parameter β is estimated, and furthermore the design of high-gain parameter β0 will be provided. The results are presented as follows.

Proposition 3. Suppose that Assumption 2 is satisfied. Let Pγ be the unique positive definite solution to the parametric discrete-time Riccati equation (32). Then, the following inequality holds λmax ((B T Pγ B)−1 ) ≤ ( γ −1 − 1)−n − 1,

(42)

where γ = [(1 − γ )(1 + μ)−σ +1 − δ 2 ]/(1 − δ 2 ) ∈ (0, 1). Proof. Let W = Pγ−1 . We first show that the following parametric matrix equation holds W − γ −1 W = −BB T . By utilizing Lemma 1, we can get (Pγ−1 + BB T )−1 = Pγ − Pγ B T (B T Pγ B + I )BPγ . Substituting the above inequality into (32), it yields (1 − δ 2 )((Pγ−1 + BB T )−1 − Pγ ) =(1 − γ )(1 + μ)−σ +1 Pγ − Pγ . It follows that Pγ−1 + BB T = (1 − δ 2 )/[(1 − γ )(1 + μ)−σ +1 − δ 2 ]Pγ−1 = γ −1 Pγ−1 .

(43)


Then, the parametric matrix equation (43) holds, and we can get BB T Pγ = ( γ −1 − 1)In .

(44)

By utilizing the matrix inverse and taking determinant on both sides of (44), it is easy to see that det((B T Pγ B)−1 ) = det((BB T Pγ )−1 ) = ( γ −1 − 1)−n . Denote all the eigenvalues of (B T Pγ B)−1 by ρi (i = 1, . . . , p). Using the CayleyHamilton Theorem (Horn and Johnson 2001), we have −1

( γ

− 1)

−n

=

p 

ρi ,

i=1

which means tr((B T Pγ B)−1 ) =

p 

ρi

i=1 −1

= ( γ

− 1)

−n

−1−



ρi ρj + . . . +

i=j

p 

ρi

i=1

≤ ( γ −1 − 1)−n − 1. Therefore, we have γ −1 − 1)−n − 1. ρi ≤ tr((B T Pγ B)−1 ) ≤ ( 

The proof is completed.

Lemma 1. Suppose that Assumption 1 is satisfied. Let Pγ be the unique positive definite solution to the parametric discrete-time Riccati equation (32). Then In − γ−1 B T Pγ is Schur when β ≥ 0 satisfies (1 + β)ωηi R βB T Pγ B ≤ Ip ,

(45)

γ −1 −1)−n −1, where 2 ≤ i ≤ N . Moreover, β ∈ (0, β ∗ ) can be estimated by β ∗ = ( where γ is defined in Proposition 3. γ−1 B T Pγ . From (22), it is easy to verify that Proof. Denote I i = In − (1 + β)ωηi R


γ−1 B T Pγ − (1 + β)ω2 ηi2 Pγ B R γ−1 B T Pγ I iT P I i − P ≤ − (1 + β)(1 − δ 2 )Pγ B R γ−T B T Pγ B R γ−1 B T Pγ + (1 + β)2 ω2 ηi2 Pγ B R γ−1 B T Pγ = (1 + β)[(1 − γ )(1 + μ)−σ +1 − 1]Pγ − (1 + β)ω2 ηi2 Pγ B R γ−T B T Pγ B R γ−1 B T Pγ . + (1 + β)2 ω2 ηi2 Pγ B R

Denote γ−1 B T Pγ + (1 + β)2 ω2 ηi2 Pγ B R γ−T B T Pγ B R γ−1 B T Pγ . ξ = − (1 + β)ω2 ηi2 Pγ B R (46) Note that [(1 − γ )(1 + μ)−σ +1 − 1]Pγ < 0 since γ ∈ (0, 1) and σ > 1. To prove I iT P I i − P < 0, we need to show ξ ≤ 0. It can be easily verified that ξ ≤ 0 as β satisfies 0 < (1 + β)Ip ≤

B T Pγ B + Ip . B T Pγ B

γ −1 − 1)−n − 1 from Proposition 3. This proof is In addition, we derive β ∗ = ( completed.

 Proposition 3 and Lemma 1 provide a way to obtain the high-gain parameter β. It is to say that one can calculate β by solving (45) or estimating β ∗ . Apparently, there is a close relationship between the selection of the high-gain parameter β and lowgain parameter γ . To deal with this case, when xkm −1 ∈ X , a high-gain parameter can be configured by β0 = max{β ∈ [0, β1∗ ] : (D ⊗ K)x(km − 1) ∈ (0, Δ]},

(47)

γ−1 B T Pγ0 , β ∗ = 1/B T Pγ0 B, Pγ0 is the unique where K = −(1 + β0 )ωR 1 0 positive definite solution to the parametric discrete-time Riccati equation (32) with γ0 = B T Pγ0 B + Ip . Obviously, it does not affect γ replaced by γ0 of Eq. (41) and R the consensus of the linear discrete-time multi-agent system in (5) when the highgain parameter β0 is configured appropriately.

3.2.3 Design of Low-and-High-Gain-Based Impulsive Control Gain Matrix K

The low-and-high-gain-based distributed impulsive protocol will be proposed to ensure the semi-global consensus of the linear discrete-time multi-agent system in (5). The main difficulty in presenting such an impulsive protocol based on the low-and-high-gain feedback control is deciding which low-gain and high-gain parameters are to be designed. This problem will be answered at the end of this subsection.


Now, recalling the main goal of this subsection, a case will to be considered that impulsive control gain matrix K in (34) can realize the semi-global consensus of the linear discrete-time multi-agent system in (5) such that ukm −1  ∈ [0, ΔLH ]. For this object, considering γ0 in (41) and β0 in (47) to an impulsive control gain matrix K in (34), an impulsive control gain matrix by an appropriate modification of (31) can be obtained: γ−1 B T Pγ0 , K = −(1 + β0 )ωR 0

(48)

where Pγ0 is the unique positive definite solution to the parametric discrete-time γ0 = B T Pγ0 B + Ip . Riccati equation (32) with γ replaced by γ0 of (41) and R γ−1 B T Pγ0 )x(km − 1) ∈ Then, the parameter LH in (40) and (1 + β0 )D ⊗ ωR 0 [0, ΔLH ] will be given. Theorem 4. Consider the linear discrete-time multi-agent system in (5) with lowhigh-gain-based impulsive consensus protocol, where the impulsive control gain matrix is given by (48) and u(km − 1) ∈ [0, ΔLH ] holds. Suppose that Proposition 2 and 3 are satisfied. Then the semi-global consensus of linear discretetime multi-agent system in (5) can be achieved. Furthermore, LH can be given by Δ λ 2

−1 LH 2 λN tr(BB T )tr(Pγ0 ) (1 + μ)σ −1 . LH = ωηN

(49)

Proof. Let LH be such that LH =

sup x(k)T (L ⊗ Pγ0 )x(k),

x∈X LH

where γ0 is defined in (40).   Then, define V (k) = (1/2) i∈V j ∈Ni εj i (k)T Pγ0 εj i (k) and ui (km − 1) =  γ−1 B T Pγ0 (xj (km − 1) − xi (km − 1)). From property (ii), (41) −(1 + β0 )ωR j ∈N 0 i and (47), (D ⊗ (1 + β0 )ωRγ−1 B T Pγ0 )xkm −1  ∈ [0, ΔLH ] holds. Then from 0 Proposition 3, for k = km , it follows that V (km ) − V (km − 1) ≤(1 + β0 )[(1 − γ0 )(1 + μ)−σ +1 − 1]V (km − 1) + x(km − 1)T (L ⊗ ξ )x(km − 1), where ξ is defined in (44). Due to ξ ≤ 0, one has V (km ) − V (km − 1) ≤(1 + β0 )[(1 − γ0 )(1 + μ)−σ +1 − 1]V (km − 1).

(50)


Combining (36) and (50), it further leads to V (km ) − V (km − 1) =V (km ) − V (km − 1) + V (km − 1) − V (km−1 ) ≤[(1 + β0 )(1 − γ0 )(1 + μ)−σ +1 − β0 V (km−1 ) − V (km−1 ) ≤ − γ0 V (km−1 ) + β0 [(1 − γ0 ) − (1 + μ)σ −1 ]V (km−1 ) < − γ0 V (km−1 ).

(51)

For xi (0) ∈ XLH , it is to say that, the semi-global consensus of linear discrete-time multi-agent system in (5) can be achieved. In order to get ukm −1  ∈ [0, ΔLH ], similarly with (39), observe that γ−1 B T Pγ0 )x(km − 1)2 (D ⊗ (1 + β0 )ωR 0 ≤(1 + β0 )ω(D ⊗ B T Pγ0 )x(km − 1)2 (1 + β )ωη 2 0 N ≤λN tr(BB T )tr(Pγ0 )x(km − 1)T (L ⊗ Pγ0 )x(km − 1) λ2 ≤Δ2LH . Thus, for all k completed.

∈ [k0 , +∞), LH can be given by (48). The proof is 

On the one hand, the low-gain parameter γ0 in (41) depends on the bound $\Delta_{LH}$ in property (ii) and the upper bound of the impulsive interval σ. Obviously, it is a different choice since the usual selections of the low-gain parameter in low-gain feedback control (Saberi et al. 2000; Lin et al. 2000) cannot be directly applied to impulsive control. On the other hand, the high-gain parameter β0 in (47) requires the solution of the parametric discrete-time Riccati equation (30) with γ replaced by γ0, although the form of the impulsive control gain matrix K in (48) is similar to low-and-high-gain feedback control in Saberi et al. (2000) and Lin et al. (2000). Therefore, the parametric discrete-time Riccati equation in (30) plays an important role in designing the low-and-high-gain-based impulsive consensus protocol.

To answer the questions raised above, the relation of the results needs to be shown. Based on Proposition 3, we know that the high-gain parameter β depends on the low-gain parameter γ and the upper bound of the impulsive interval σ. Furthermore, Theorem 4 shows how to obtain the low-high-gain-based impulsive control gain matrix K in (47) such that $u(k_m - 1)$ can be limited in $[0, \Delta_{LH}]$. Then, when solving $P_\gamma$ from (32), a checking process is required to judge whether (21) holds. Therefore, to obtain the impulsive control gain matrix K, one can transform the above results into the optimization problems stated in Algorithm 3.

Algorithm 3. The algorithm of low-and-high-gain-based impulsive consensus protocol in linear discrete-time multi-agent systems in (5)

Step 1. From the parametric discrete-time Riccati equation in (32), i.e.,

$$(1-\gamma)(1+\mu)^{-\sigma+1} P_\gamma = P_\gamma - (1-\delta^2) P_\gamma B R_\gamma^{-1} B^T P_\gamma,$$

solve γ0 by (41), and then solve β0 by (47), where $\mu \in [\mu_m, \mu_M]$, $\sigma_0 \in [\sigma_m, \sigma_M]$, and $\delta_0 \in (0, 1)$ are the initial parameters of (32).

Step 2. Get $P_{\gamma_0}$, and then check whether (6) holds; if not, return to Step 1.

Step 3. Design a consensus protocol for agent i as

$$u_i(k) = K \sum_{m=1}^{\infty} \sum_{j \in N_i} (x_j(k) - x_i(k))\,\delta[k - k_m + 1],$$

where $K = -(1+\beta_0)\omega R_{\gamma_0}^{-1} B^T P_{\gamma_0}$ is a control gain matrix and $P_{\gamma_0}$ is a solution of the parametric discrete-time Riccati equation in (32). Thus, $u_{k_m-1} \in [0, \Delta_{LH}]$.
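Steps 1 and 3 of Algorithm 3 for the special case where $BB^T$ is invertible, as an added Python example that is not part of the chapter: it takes the closed form $P_\gamma = (g^{-1} - 1)(BB^T)^{-1}$ that follows from (43) and (44), where g is the scalar defined in Proposition 3, checks it against (32), and builds the gain of (33)/(48). The sample B, δ, μ, σ, ω and γ = 0.3 are the Example 1 values; the function names, the value of β and the agent states are assumptions, and the selection of γ0 by (41) and β0 by (47) is not implemented.

```python
# Added illustration, not code from the chapter.
# Case covered: B*B^T invertible, so (44) gives P in closed form.

def matmul(X, Y):
    """Plain nested-list matrix product."""
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y)))
             for j in range(len(Y[0]))] for i in range(len(X))]

def transpose(X):
    return [list(col) for col in zip(*X)]

def identity(n):
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]

def axpy(a, X, Y):
    """Return a*X + Y for equally sized matrices."""
    return [[a * x + y for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def inverse(M):
    """Gauss-Jordan inverse with partial pivoting; ValueError if singular."""
    n = len(M)
    aug = [[float(v) for v in M[i]] + identity(n)[i] for i in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[piv][col]) < 1e-12:
            raise ValueError("matrix is singular")
        aug[col], aug[piv] = aug[piv], aug[col]
        d = aug[col][col]
        aug[col] = [v / d for v in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def prop3_scalar(gamma, mu, sigma, delta):
    """Scalar of Proposition 3: [(1-gamma)(1+mu)^(1-sigma) - delta^2]/(1-delta^2)."""
    return ((1 - gamma) * (1 + mu) ** (1 - sigma) - delta ** 2) / (1 - delta ** 2)

def solve_riccati_32(B, gamma, mu, sigma, delta):
    """Closed-form P from (44); needs the scalar in (0, 1) and B*B^T invertible."""
    g = prop3_scalar(gamma, mu, sigma, delta)
    if not 0.0 < g < 1.0:
        raise ValueError("scalar of Proposition 3 is outside (0, 1)")
    bbt_inv = inverse(matmul(B, transpose(B)))
    return [[(1.0 / g - 1.0) * v for v in row] for row in bbt_inv]

def r_matrix(P, B):
    """R = B^T P B + I_p, as defined under (32)."""
    Bt = transpose(B)
    return axpy(1.0, matmul(matmul(Bt, P), B), identity(len(Bt)))

def riccati_residual(P, B, gamma, mu, sigma, delta):
    """Largest absolute entry of (left side - right side) of (32)."""
    corr = matmul(matmul(matmul(matmul(P, B), inverse(r_matrix(P, B))),
                         transpose(B)), P)
    a = (1 - gamma) * (1 + mu) ** (1 - sigma)
    lhs = [[a * v for v in row] for row in P]
    rhs = axpy(-(1 - delta ** 2), corr, P)
    return max(abs(l - r) for rl, rr in zip(lhs, rhs) for l, r in zip(rl, rr))

def impulsive_gain(P, B, omega, beta=0.0):
    """K = -(1 + beta) * omega * R^{-1} B^T P; beta = 0 is the low-gain case."""
    k0 = matmul(matmul(inverse(r_matrix(P, B)), transpose(B)), P)
    return [[-(1 + beta) * omega * v for v in row] for row in k0]

def impulse_input(K, x_i, neighbour_states):
    """u_i at an impulse instant: K * sum_j (x_j - x_i)."""
    diff = [sum(xj[d] - x_i[d] for xj in neighbour_states)
            for d in range(len(x_i))]
    return [sum(K[r][d] * diff[d] for d in range(len(diff)))
            for r in range(len(K))]

if __name__ == "__main__":
    B = [[1.0, 1.0], [0.0, 1.0]]                      # B of Example 1
    prm = dict(gamma=0.3, mu=0.03, sigma=3, delta=0.8)
    P = solve_riccati_32(B, **prm)
    print("P =", P)
    print("residual of (32):", riccati_residual(P, B, **prm))
    K = impulsive_gain(P, B, omega=0.036, beta=0.0)
    print("K =", K)
    # Constructed states: agent i and two neighbours.
    print("u_i =", impulse_input(K, [1.0, 0.0], [[2.0, 0.0], [0.0, 2.0]]))
```

The gains printed here are for (32) with $R = \lambda_2 I_n$, so they are not the matrices listed in Example 1, which come from Algorithm 2.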

4 Numerical Examples

In this section, two examples are provided to show the main results.

Example 1. In this example, the linear discrete-time multi-agent system is considered, in which the distributed impulsive protocol topology is given by the global coupling matrix; the small-world coupling matrix is set by the following rules: setting N = 50, m = 5, p = 0.1 in Strogatz (2001), and the other parameters are given as

$$A = \begin{pmatrix} -0.1 & -0.1 \\ 0.2 & 0.1 \end{pmatrix}, \quad B = \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}, \quad c = -0.002.$$

It is easy to see that $|1 - \omega\eta_i| \le \delta$ when we choose ω = 0.036 and δ = 0.8. For γ = 0.3, γ = 0.03, and γ = 0.003, by utilizing Algorithm 2 with μ = 0.03 and σ = 3, the impulsive control gain matrices can be computed, respectively, as follows:

Table 1 The relationship between σ and ρ(K) when μ = 0.03

σ      2       3       4       5       6       7
ρ(K)   0.0044  0.0059  0.0072  0.0085  0.0097  0.0108


Fig. 1 State trajectories of the linear discrete-time multi-agent system without impulsive consensus protocol. (a) Evolution of the states $x^{i1}$ and (b) evolution of the states $x^{i2}$

Fig. 2 State trajectories of the linear discrete-time multi-agent system under low-gain based impulsive consensus protocol with γ = 0.03 and $k_m - k_{m-1} = 4$. (a) Evolution of the states $x^{i1}$ and (b) evolution of the states $x^{i2}$

$$K = \begin{pmatrix} 0 & 0.0166 \\ -0.0166 & 0.0333 \end{pmatrix}, \quad K = \begin{pmatrix} 0 & 0.0049 \\ -0.0049 & 0.0097 \end{pmatrix}, \quad \text{and} \quad K = \begin{pmatrix} 0 & 0.0035 \\ -0.0035 & 0.0069 \end{pmatrix}.$$

Table 1 shows the relationship between σ and ρ(K) when μ = 0.03. It can be seen that ρ(K) increases as σ increases. Figure 1 shows the evolution of states in the linear discrete-time multi-agent system. Figure 2 shows the evolution of states in the linear discrete-time multi-agent system under low-gain-based impulsive consensus protocol with γ = 0.03 and $k_m - k_{m-1} = 4$. Figure 3 shows that $u_i(k_m)$ is capable of achieving semi-global consensus with γ = 0.3, γ = 0.03 and γ = 0.003. It can be seen that this example matches our results very well.

Example 2. In this example, a case will be considered that A in the linear discrete-time multi-agent system (1) is strictly unstable, and then the matrix L and the Laplacian matrix D of the distributed impulsive protocol topology are chosen by the global coupling matrix. The other parameters are given as

$$A = \begin{pmatrix} -0.6 & -0.5 \\ 0.8 & 0.6 \end{pmatrix}, \quad B = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}, \quad c = -0.0001.$$

Fig. 3 State trajectories of the low-gain-based impulsive consensus protocol $u^i_{k_m}$ with γ = 0.3, γ = 0.03, γ = 0.003 and $k_m - k_{m-1} = 4$. (a) Evolution of the states $u^i_{k_m}$ with γ = 0.3, (b) evolution of the states $u^i_{k_m}$ with γ = 0.03, and (c) evolution of the states $u^i_{k_m}$ with γ = 0.003


Fig. 4 State trajectories of the linear discrete-time multi-agent system without impulsive consensus protocol. (a) Evolution of the states $x^{i1}$ and (b) evolution of the states $x^{i2}$

Obviously, A is strictly unstable since ρ(A) = 1.2685 > 1. It is easy to check $|1 - \omega\eta_i| \le \delta$ when we choose ω = 0.01 and δ = 0.9. By utilizing Algorithm 2 with μ = 0.61, σ = 4, $\Delta_{LH} = 10$, $k_0 = 0$, and $k_M = 60$, we can obtain γ0 = 0.001 and β0 = 0.4406. The impulsive control gain matrix can be computed as follows:

$$K = \begin{pmatrix} -0.0101 & 0 \\ 0 & -0.0101 \end{pmatrix}.$$

It can be seen that $u_{k_m-1} \in [0, 10]$. Figure 4 shows the evolution of states in the linear discrete-time multi-agent system. Figure 5 shows the evolution of states in the linear discrete-time multi-agent system under low-and-high-gain-based impulsive consensus protocol with γ0 = 0.001, β0 = 0.4406, and $k_m - k_{m-1} = 4$. Figure 6 shows that $u^i_{k_m}$ is capable of achieving semi-global consensus with γ0 = 0.001, β0 = 0.4406, and $k_m - k_{m-1} = 4$ and furthermore matches our results very well.

Fig. 5 State trajectories of the linear discrete-time multi-agent system under low-and-high-gain-based impulsive consensus protocol with γ0 = 0.001, β0 = 0.4406, and $k_m - k_{m-1} = 4$. (a) Evolution of the states $x^{i1}$ and (b) evolution of the states $x^{i2}$

Fig. 6 The low-and-high-gain-based impulsive consensus protocol $u^i_{k_m-1}$ with γ0 = 0.001, β0 = 0.4406, and $k_m - k_{m-1} = 4$. (a) Evolution of the states $u^{i1}_{k_m}$ and (b) evolution of the states $u^{i2}_{k_m}$

5 Conclusion

This chapter addresses the semi-global consensus problems of a class of linear discrete-time multi-agent systems. Firstly, a short survey of the recent studies and developments in the semi-global consensus problems has been given. Subsequently, two novel distributed impulsive consensus protocols are proposed, which are induced by the low-gain feedback control and low-and-high-gain feedback control strategies. Based on the guaranteed cost control and the Lyapunov function theory, a parametric discrete-time Riccati equation has been considered for designing the impulsive control gain matrices. The derived results also reveal that such distributed impulsive consensus protocols not only refer to the impulsive interval but also depend on the low-gain and low-and-high-gain parameters. Moreover, two kinds of algorithms are presented for obtaining impulsive control gain matrices. Finally, simulations are provided to illustrate the theoretical results. Future work on this topic is expected to extend these important results to continuous-time systems and other applications, which is still a challenging problem.

References D.B. Arieh, T. Easton, B. Evans, Minimum cost consensus with quadratic cost functions. IEEE Trans. Syst. Man Cybern. A Syst. Humans 1(39), 210–217 (2009) C. Belta, V. Kumar, Abstraction and control for groups of robots. IEEE Trans. Robot. 20(5), 865–875 (2004) C.L.P. Chen, Y. Liu, G. Wen, Fuzzy neural network-based adaptive control for a class of uncertain nonlinear stochastic systems. IEEE Trans. Cybern. 44(5), 583–593 (2014) M.Z.Q. Chen, L. Zhang, H. Su, G. Chen, Stabilizing solution and parameter dependence of modified algebraic Riccati equation with application to discrete-time network synchronization. IEEE Trans. Autom. Control 61(1), 228–233 (2016a) C.L.P. Chen, G. Wen, Y. Liu, Z. Liu, Observer-based adaptive backstepping consensus tracking control for high-order nonlinear semi-strict-feedback multiagent systems. IEEE Trans. Cybern. 46(7), 1591–1601 (2016b) Z. Guan, Y. Wu, G. Feng, Consensus analysis based on impulsive systems in multiagent networks. IEEE Trans. Circuits Syst. I Regul. Pap. 59(1), 170–178 (2012) Z. Guan, Z. Liu, G. Feng, M. Jian, Impulsive consensus algorithms for second-order multi-agent networks with sampled information. Automatica 48(7), 1397–1404 (2013) K.M. Hengster, K. You, F.L. Lewis, L. Xie, Synchronization of discrete-time multi-agent systems on graphs using Riccati design. Automatica 49(2), 414–423 (2013) R.A. Horn, C.R. Johnson, Martix Analysis (Springer, New York, 2001) P. Hou, A. Saberi, Z. Lin, P. Sannuti, Simultaneous external and internal stabilization of linear systems with input saturation and non-input-additive sustained disturbances. Automatica 34(12), 1547–1557 (1998) T. Kailath, Linear Systems. (Prentice Hall, Englewood Cliffs, 1980) H. Li, X. Liao, T. Huang, Second-order locally dynamical consensus of multiagent systems with arbitrarily fast switching directed topologies. IEEE Trans. Syst. Man Cybern. Syst. 4345(6), 1343–1353 (2013) Y. Li, S. Tong, T. 
Li, Hybrid fuzzy adaptive output feedback control design for uncertain MIMO nonlinear systems with time-varying delays and input saturation. IEEE Trans. Fuzzy Syst. 24(1), 841–853 (2016a) H. Li, J. Wang, P. Shi, Output-feedback based sliding mode control for fuzzy systems with actuator saturation. IEEE Trans. Fuzzy Syst. 24(6), 1282–1293 (2016b) P. Lin, Y. Jia, Consensus of a class of second-order multi-agent systems with time-delay and jointlyconnected topologies. IEEE Trans. Autom. Control 55(3), 778–784 (2010) Z. Lin, A. Saberi, Semi-global exponential stabilization of linear systems subject to input saturation via linear feedbacks. Syst. Control Lett. 21(3), 225–239 (1993)

44 Semi-global Consensus of Multi-agent Systems with Impulsive Approach

1401

Z. Lin, A. Saberi, A.A. Stoorvogel, R. Mantri, An improvement to the low gain design for discretetime linear systems in the presence of actuator saturation nonlinearity. Int. J. Robust Nonlinear Control 10(3), 117–135 (2000) X. Liu, Impulsive control and optimization. Appl. Math. Comput. 73(1), 77–98 (1995) Z. Liu, Z. Guan, X. Shen, G. Feng, Consensus of multi-agent networks with aperiodic sampled communication via impulsive algorithms using position-only measurements. IEEE Trans. Autom. Control 57(10), 2639–2643 (2012) B. Liu, W. Lu, T. Chen, Pinning consensus in networks of multiagents via a single impulsive controller. IEEE Trans. Neural Netw. Learn. Syst. 24(7), 1141–1149 (2013) J. Lu, Z. Wang, J. Cao, D.W. Ho, J. Kurths, Pinning impulsive stabilization of nonlinear dynamical networks with time-varying delay. Int. J. Bifurcat. Chaos 12(7), 1250176 (2012) J. Lu, C. Ding, J. Lou, J. Cao, Outer synchronization of partially coupled dynamical networks via pinning impulsive controllers. J. Franklin I. 352(11), 5024–5041 (2015) I. Palomares, L. Martínez, A semisupervised multiagent system model to support consensusreaching processes. IEEE Trans. Fuzzy Syst. 4(22), 762–777 (2014) I.J. Pérez, F.J. Cabrerizo, S. Alonso, E.H. Viedma, A new consensus model for group decision making problems with non-homogeneous experts. IEEE Trans. Syst. Man Cybern. Syst. 4(44), 494–498 (2014) M. Prüfer, Turbulence in multistep methods for initial value problems. SIAM J. Appl. Math. 45(1), 32–69 (1985) J. Qin, H. Gao, C. Yu, On discrete-time convergence for general linear multi-agent systems under dynamic topology. IEEE Trans. Autom. Control 59(4), 1054–1059 (2014) A. Saberi, P. Sannuti, B.M. Chen, H2 Optimal Control (Prentice Hall, Englewood Cliffs, 1995) A. Saberi, P. Hou, A.A. Stoorvogel, On simultaneous global external and global internal stabilization of critically unstable linear systems with saturating actuators. IEEE Trans. Autom. Control 45(6), 1042–1052 (2000) M. Samejima, R. 
Sasaki, Chance-constrained programming method of it risk countermeasures for social consensus making. IEEE Trans. Syst. Man Cybern. Syst. 5(45), 725–733 (2015) F. Sivrikaya, B. Yener, Time synchronization in sensor networks: a survey. IEEE Netw. 18(4), 45–50 (2004) S. Strogatz, Exploring complex networks. Nature 410(6825), 268–276 (2001) H. Su, M.Z.Q. Chen, J. Lam, Z. Lin, Semi-global leader-following consensus of linear multi-agent systems with input saturation via low gain feedback. IEEE Trans. Circuits Syst. I Regul. Pap. 60(7), 1881–1889 (2013) H.J. Sussmann, E.D. Sontag, Y. Yang, A general result on the stabilization of linear systems using bounded controls. IEEE Trans. Autom. Control 39(12), 2411–2425 (1994) Y. Tang, H. Gao, J. Lu, J. Kurths, Pinning distributed synchronization of stochastic dynamical networks: a mixed optimization approach. IEEE Trans. Neural Netw. Learn. Syst. 25(10), 1804– 1815 (2014) Y. Tang, H. Gao, W. Zhang, J. Kurths, Leader-following consensus of a class of stochastic delayed multi-agent systems with partial mixed impulses. Automatica 53, 346–354 (2015) A.R. Teel, Semi-global stabilization of linear controllable systems with input nonlinearities. IEEE Trans. Autom. Control 40(1), 96–100 (1995) Y. Wang, M. Yang, H.O. Wang, Z. Guan, Robust stabilization of complex switched networks with parametric uncertainties and delays via impulsive control. IEEE Trans. Circuits Syst. I Regul. Pap. 56(9), 2100–2108 (2009) X. Wang, A. Saberi, H.F. Grip, A.A. Stoorvogel, Simultaneous external and internal stabilization of linear systems with input saturation and non-input-additive sustained disturbances. Automatica 48(10), 2633–2639 (2012) C. Wang, X. Yu, W. Lan, Semi-global output regulation for linear systems with input saturation by composite nonlinear feedback control. Int. J. Control 87(10), 1985–1997 (2014) J. Wang, H. Wu, T. Huang, S. Ren, Passivity and synchronization of linearly coupled reactiondiffusion neural networks with adaptive coupling. 
IEEE Trans. Cybern. 45(9), 1942–1952 (2015)

Z. Li et al.

X. Wang, H. Su, X. Wang, W.G. Chen, An overview of coordinated control for multi-agent systems subject to input saturation. Perspect. Sci. 7(4), 133–139 (2016) G. Wen, C.P. Chen, Y. Liu, Z. Liu, Neural-network-based adaptive leader-following consensus control for second-order nonlinear multi-agent systems. IET Control Theory Appl. 9(13), 1927–1934 (2015) G. Yang, J. Wang, Y.C. Soh, Guaranteed cost control for discrete-time linear systems under controller gain perturbations. Linear Algebra Appl. 312(1–3), 161–180 (2000) T. Yang, Z. Meng, D.V. Dimarogonas, K.H. Johansson, Global consensus for discrete-time multiagent systems with input saturation constraints. Automatica 50(2), 499–506 (2014) K. You, L. Xie, Network topology and communication data rate for consensusability of discretetime multi-agent systems. IEEE Trans. Autom. Control 56(10), 2262–2275 (2011) W. Zhang, Y. Tang, Q. Miao, J.a. Fang, Synchronization of stochastic dynamical networks under impulsive control with time delays. IEEE Trans. Neural Netw. Learn. Syst. 25(10), 1758–1768 (2014) B. Zhou, G. Duan, Z. Lin, A parametric Lyapunov equation approach to the design of low gain feedback. IEEE Trans. Autom. Control 53(6), 1548–1554 (2008) B. Zhou, Z. Lin, G. Duan, A parametric Lyapunov equation approach to low gain feedback design for discrete-time systems. Automatica 45(1), 238–244 (2009) B. Zhou, G. Duan, Z. Lin, Approximation and monotonicity of the maximal invariant ellipsoid for discrete-time systems by bounded controls. IEEE Trans. Autom. Control 55(2), 440–447 (2010) L. Zhou, X. Xiao, G. Lu, Simultaneous semi-global Lp -stabilization and asymptotical stabilization for singular systems subject to input saturation. Syst. Control Lett. 61(3), 403–411 (2012)

45 Event-Triggered Schemes for Leader-Following Consensus of Multi-agent Systems

Wenying Xu and Daniel W. C. Ho

Contents
1 Introduction
2 Preliminaries and Problem Formulation
2.1 Notations
2.2 Leader-Following Consensus
2.3 Basic Theory on Graphs and Matrices
2.4 Other Useful Lemmas
2.5 Problem Formulation
3 Three Types of Event-Triggered Schemes on Leader-Following Consensus of General Linear Multi-agent Systems
3.1 Centralized Event-Triggered Control
3.2 Clustered Event-Triggered Control
3.3 Distributed Event-Triggered Control
3.4 Discussion on Event Detection
3.5 Summary
3.6 Notes
4 An Impulsive Framework for Event-Triggered Consensus Analysis: The Clustered Case
4.1 Event-Triggered Protocol via State Feedback
4.2 Consensus Analysis Based on Impulsive Control Framework
4.3 The Case with External Disturbance
4.4 Numerical Examples
4.5 Summary
4.6 Notes
References

W. Xu
School of Mathematics, Southeast University, Nanjing, China
Department of Mathematics, City University of Hong Kong, Hong Kong SAR, China

D. W. C. Ho
Department of Mathematics, City University of Hong Kong, Hong Kong SAR, China

© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_33


Abstract

This chapter is concerned with event-triggered schemes for leader-following consensus of multi-agent systems. Some preliminaries and problem formulation are given in Sect. 2. Three different kinds of effective event-triggered schemes are designed in Sect. 3 for general linear multi-agent systems. Furthermore, an impulsive framework is constructed to further analyze clustered event-triggered schemes from a new perspective in Sect. 4. In this chapter, all proposed event-triggered schemes are effective to guarantee the leader-following consensus and to exclude Zeno behavior.

1 Introduction

Due to the rapid development of real-world networks such as computer networks, brain networks, and social networks, the investigation of multi-agent systems has attracted much attention of scholars from various research fields, ranging from physics to mathematics, even to engineering and social sciences (Boccaletti et al. 2014; Dudek et al. 1996; Yang et al. 2016; Yu et al. 2010). Multi-agent systems are a large network collecting multiple intelligent agents through wired or wireless communication links. In practice, these agents could be robots, unmanned aerial vehicles (UAVs), and humans. One important research topic of multi-agent systems is collective behaviors, which means that a group of agents aim to achieve a common goal via local interaction. Typical examples include the flocking of birds, the swarming of the fish, and the formation of UAVs. The collective behaviors have been widely investigated in various types of multi-agent systems, e.g., first-order systems, second-order systems, or high-order systems, and continuous-time or discrete-time systems. In addition, the network structure is one of the key factors to achieve collective behaviors, and hence the collective behaviors have been discussed in different network topologies, such as directed topologies, undirected topologies, fixed topologies, and switching topologies. To achieve the common goal of multiple agents (such as consensus, formation, or containment), the following factors are indispensable: (i) information exchange between agents and (ii) an effective control protocol to adjust agent’s behavior. There have been a lot of excellent results on the investigation of communication schemes and the design of control protocols. In Gao and Wang (2011), Hong et al. (2007), and Yu et al. (2011), agents are assumed to continuously get access to the information of their neighbors, and the corresponding control protocol is always updated continuously with latest information of agents. 
Similarly, for discrete multi-agent systems, both interaction among multiple agents and protocol update are always assumed to be implemented at each step. However, in many scenarios, these assumptions might be far from realistic since they require high communication cost and expensive control action. Then the sample-data control is proposed to lower the communication frequency, where information is just transmitted/received at the sampling instants (Gao and Wang 2011; Yu et al. 2011). The corresponding sample-data communication schemes or control protocols are essentially time-driven, since the sampled period is generally predetermined and is always chosen on the basis of the worst case. Therefore, the feasible sampling period is possibly quite conservative.

Most available communication schemes and control protocols in multi-agent systems have been designed with the traditional time-triggered mechanisms under which the corresponding operations occur on a predetermined instant (Song et al. 2013; Wen et al. 2012; Xu et al. 2014, 2017c; Yang et al. 2015; Yu et al. 2010). However, recently, an alternative event-triggered scheme has become more appealing with its advantages of saving communication resources and mitigating unnecessary control update. Under the event-triggered mechanism, the information is transmitted through the communication network and the control protocol is updated only when a specific event is triggered, instead of when time lapses as in time-triggered mechanisms. Actually, the event-triggered control has been widely investigated in networked control systems (Lemmon 2010; Tabuada 2007; Wang et al. 2014; Wang and Lemmon 2011; Yu and Antsaklis 2013). However, the results on the investigation of networked control systems are difficult to extend to the study of multi-agent systems. This is due to the fact that the interaction of agents and distributed implementation of multi-agent systems bring some difficulties in the control performance analysis and the parameter design under event-triggered schemes. In this chapter, we would like to investigate event-triggered schemes for multi-agent systems to reduce both the communication frequency and the control protocol update.
The investigation on event-triggered schemes of multi-agent systems may face two basic and challenging issues:

(i) The first one is to design an appropriate event condition such that the frequency of information transmission and control protocol update can be reduced on one hand and the anticipated coordinated behaviors are still guaranteed on the other hand. According to the design of event conditions, event-triggered schemes can be classified into several types. The most used ones are centralized event-triggered schemes and distributed event-triggered schemes. If one event condition involves all agents' information, then the corresponding event-triggered scheme is called a centralized event-triggered scheme. If the event condition involves only local information of agents, the corresponding event-triggered scheme is classed as a distributed event-triggered scheme.

(ii) The second issue is to avoid Zeno behavior. Zeno behavior is an undesirable phenomenon in which an event condition is infinitely triggered in a finite time period. The exclusion of Zeno behavior is a very important but quite challenging problem, especially in distributed event-triggered schemes. Actually, an unsatisfactory event condition could lead to the existence of Zeno behavior before or after achieving consensus. Thus it is necessary to prove the exclusion of Zeno behavior only when an event-triggered scheme is used.


To solve the above issues, more work has been devoted to the establishment and development of event-triggered schemes of multi-agent systems (Cao et al. 2013; Dimarogonas et al. 2012; Fan et al. 2013; Li et al. 2014; Meng and Chen 2013; Tabuada 2007; Xiao et al. 2012). Firstly, an event-triggered scheme is proposed for a multi-agent system in Fan et al. (2013) to reduce the update frequency of the control protocol. As mentioned before, the information transmission plays an important role in the coordinated movement of multiple agents. Therefore, the event-triggered communication scheme, which involves more difficulties on theoretical analysis, attracts much attention. Then several centralized and distributed event-triggered schemes are constructed to lower the information transmission between agents (Dimarogonas et al. 2012). However, the Zeno behavior could not be avoided in the distributed event-triggered scheme proposed in Dimarogonas et al. (2012). Next, a novel hybrid scheme combining event-triggered and sample-data characteristics is proposed to successfully avoid Zeno behavior. However, this literature focuses on the investigation of a simple multi-agent system with node dynamics only dependent on local interactions. It is necessary to investigate more general multi-agent systems, such as node dynamics dependent on state information besides local interaction; see Hu and Liu (2017), Hu et al. (2016), Lu et al. (2015), Xu et al. (2014), Zhu and Jiang (2015), and Zhu et al. (2014) for some more recent results. In addition, the event-triggered schemes in Hu and Liu (2017), Hu et al. (2016), Zhu and Jiang (2015), and Zhu et al. (2014) have been established to specifically reduce the number of local control updates rather than the communication rate between neighboring agents (Xu et al. 2017c). Therefore, it is important to propose a novel event-triggered control protocol for general linear multi-agent systems to further reduce the communication frequency.
Motivated by the above observations, this chapter investigates event-triggered schemes for leader-following consensus in general linear multi-agent systems. Firstly, three different types of effective event-triggered schemes are proposed to reduce both the frequency of information transmission and the update times of control protocols. Meanwhile, these event-triggered schemes also guarantee leader-following consensus. Moreover, an impulsive framework is constructed to analyze the effect of event-triggered schemes from a new perspective. In this framework, we investigate two cases and correspondingly design different event-triggered protocols. Furthermore, some numerical examples are provided to verify the theoretical analysis.

2 Preliminaries and Problem Formulation

2.1 Notations

Let $\mathbb{R}^n$ and $\mathbb{R}^{n\times m}$ represent the set of all $n$-dimensional real column vectors and the set of all $n \times m$ dimensional real matrices. Similarly, $\mathbf{1}_n$ denotes $(1, 1, \cdots, 1)^T$ with dimension $n$. $I_{n\times n}$ means the $n$-dimensional unit matrix, and $I$ denotes the unit matrix with proper dimension. Furthermore, $\|\cdot\|$ refers to the 2-norm for vectors or the induced 2-norm for matrices.

2.2 Leader-Following Consensus

Consider a multi-agent system including one leader and $N$ followers. Let $x_0(t) \in \mathbb{R}^n$ be the state of the leader, and let $x_i(t) \in \mathbb{R}^n$ be the state of follower $i$ at time $t$, $i = 1, 2, \cdots, N$. Here the state could be the agent's position, velocity, angle, opinion, and so on.

Definition 1 (Leader-following consensus). A multi-agent system is said to achieve leader-following consensus if, for any initial conditions,

$$\lim_{t\to+\infty} \big(x_i(t) - x_0(t)\big) = 0, \quad \forall i = 1, 2, \cdots, N. \tag{1}$$

2.3 Basic Theory on Graphs and Matrices

In this subsection, some basic graph properties and matrix theory will be introduced (Xu et al. 2017a). A directed graph $\bar{\mathcal{G}}(\bar{\mathcal{V}}, \bar{\mathcal{E}})$ consists of a node set $\bar{\mathcal{V}} = \{0, 1, 2, \cdots, N\}$ and a set of edges $\bar{\mathcal{E}} \subseteq \bar{\mathcal{V}} \times \bar{\mathcal{V}}$. Its subgraph $\mathcal{G}(\mathcal{V}, \mathcal{E})$ is an undirected graph consisting of a node set $\mathcal{V} = \{1, 2, \cdots, N\}$ and an edge set $\mathcal{E} \subseteq \mathcal{V} \times \mathcal{V}$. A directed edge $e_{ij} \in \mathcal{E}$ in $\mathcal{G}$ means that node $i$ can receive information from node $j$. Then node $j$ is called a neighbor of node $i$. The set $\mathcal{N}_i$ includes all neighbors of node $i$. If $\mathcal{G}$ is undirected, then $e_{ij} \in \mathcal{E}$ implies $e_{ji} \in \mathcal{E}$, that is, node $j$ is the neighbor of node $i$ and vice versa.

In a directed graph $\mathcal{G}$, a directed path from node $j$ to node $i$ is a finite ordered sequence of edges, $e_{i,k_1}, e_{k_1,k_2}, \cdots, e_{k_l,j}$, with distinct nodes $k_s$, $s = 1, 2, \cdots, l$. Moreover, a directed graph is called strongly connected if and only if there exists a directed path between any pair of distinct nodes. Further, if a node has the property that there is a directed path from this node to any other node, then the graph $\mathcal{G}$ is said to contain a directed spanning tree, and this node is called the root node. An undirected graph $\mathcal{G}$ is called connected if and only if there exists a path between any pair of nodes.

Some important matrices are defined as follows. The adjacency matrix $\mathcal{A} = [a_{ij}]$ is defined as follows: when $i \neq j$, $a_{ij} = 1$ if $e_{ij} \in \mathcal{E}$; otherwise, $a_{ij} = 0$. In addition, $a_{ii} = 0$. The Laplacian matrix $L$ is defined with $l_{ij} = -a_{ij}$ when $i \neq j$ and $l_{ii} = \sum_{j \in \mathcal{N}_i} a_{ij}$. The matrix $D$ is a diagonal matrix with off-diagonal elements being 0. Its diagonal element $d_i$ is defined as $d_i = 1$ if node $i$ can receive the information of the leader (node 0); otherwise, $d_i = 0$. In addition, define $H = L + D$, and its eigenvalues can be set in increasing order $0 \le \lambda_1 \le \lambda_2 \le \cdots \le \lambda_N$. For any matrix $M$, we let $\lambda_{\min}(M)$ and $\lambda_{\max}(M)$ denote its smallest and largest eigenvalues.

2.4 Other Useful Lemmas

Lemma 1 (Su et al. 2013). If graph $\mathcal{G}$ is undirected, then (1) graph $\mathcal{G}$ is connected if and only if its Laplacian matrix $L$ has a simple zero eigenvalue and all the other eigenvalues are positive; (2) the matrix $H$ is positive definite if and only if graph $\bar{\mathcal{G}}$ contains a directed spanning tree with node 0 as the root node.

Lemma 2 (Horn and Johnson 2012). For matrices $A$, $B$, $C$, and $D$ with appropriate dimensions, $A \otimes B$ is defined as

$$A \otimes B = \begin{pmatrix} a_{11}B & \cdots & a_{1n}B \\ \vdots & \ddots & \vdots \\ a_{m1}B & \cdots & a_{mn}B \end{pmatrix}, \tag{2}$$

and it has the following properties:

(1) $a(A \otimes B) = (aA) \otimes B$;
(2) $A \otimes B + A \otimes C = (A + B) \otimes C$;
(3) $(A \otimes B)^T = A^T \otimes B^T$;
(4) $(AB) \otimes (CD) = (A \otimes C)(B \otimes D)$.

2.5 Problem Formulation

Consider leader-following multi-agent systems including one leader and $N$ followers, which are with general linear dynamics. The dynamics of the leader can be described as

$$\dot{x}_0(t) = A x_0(t), \tag{3}$$

with $x_0(t) \in \mathbb{R}^n$ being the leader's state at instant $t$, and the dynamics of follower $i$ ($i = 1, 2, \cdots, N$) can be described as

$$\dot{x}_i(t) = A x_i(t) + B u_i(t), \tag{4}$$

where $x_i(t) \in \mathbb{R}^n$ is the state of follower $i$ at instant $t$ and $u_i(t) \in \mathbb{R}^m$ is its control input/control protocol at instant $t$. The matrices $A \in \mathbb{R}^{n\times n}$ and $B \in \mathbb{R}^{n\times m}$ are constant matrices. Obviously, the trajectory of the leader cannot be affected by followers. The objective of this chapter is to design an effective control protocol $u_i(t)$ such that leader-following consensus can be achieved, i.e., $x_i(t) - x_0(t) \to 0$ as $t \to \infty$ ($i = 1, 2, \cdots, N$) for any initial conditions.

2.5.1 Continuous-Time Control Protocol

Up to now, a large number of results have contributed to the investigation of continuous control protocols for multi-agent systems. A classical distributed control protocol $u_i^c(t)$ is designed as

$$u_i^c(t) = K \Big[ \sum_{j=1}^{N} a_{ij}\big(x_j(t) - x_i(t)\big) + d_i\big(x_0(t) - x_i(t)\big) \Big]. \tag{5}$$

If follower $i$ can receive the information of the leader, $d_i = 1$; otherwise $d_i = 0$. Based on the above protocol (5), each agent needs to continuously obtain its neighbors' current states, and its control protocol is updated continuously. In this case, a lot of energy and resources could be consumed for information transmission and control protocol update under this kind of protocol (5). Therefore, an alternative event-triggered control protocol is proposed in a highly efficient way to mitigate the unnecessary information transmission and control protocol update.

2.5.2 Event-Triggered Control Protocol

In this chapter, we introduce an event-triggered control protocol with the following form

$$u_i(t) = K \Big[ \sum_{j \in \mathcal{N}_i} \big(\hat{x}_j(t) - \hat{x}_i(t)\big) + d_i\big(\hat{x}_0(t) - \hat{x}_i(t)\big) \Big] \tag{6}$$

with

$$\hat{x}_i(t) = \exp\big(A(t - t_k^i)\big)\, x_i(t_k^i), \quad t \in [t_k^i, t_{k+1}^i), \tag{7}$$

where $t_k^i$ is the $k$-th triggering instant of follower $i$. Under the event-triggered control protocol (6), agent $i$ just transmits its states to its neighbors at its own triggering instant $t_k^i$ instead of continuous communication in (5). The protocol $u_i(t)$ in (6) is designed with information $\hat{x}_i(t)$ instead of $x_i(t)$; thus the update frequency of $u_i(t)$ is also reduced as compared with those in (5).

3 Three Types of Event-Triggered Schemes on Leader-Following Consensus of General Linear Multi-agent Systems

This section aims to propose effective event-triggered schemes (ETSs) to address the leader-following consensus problem of multi-agent systems with general linear dynamics. Thus three types of schemes, namely, centralized ETS, clustered ETS, and distributed ETS, are constructed in this section to achieve leader-following consensus and exclude Zeno behavior. Furthermore, one method is proposed to avoid continuous event detection.

3.1 Centralized Event-Triggered Control

In this subsection, we first propose a centralized event-triggered communication scheme. A common event condition is designed for all agents to determine when the agents exchange information with their neighbors. Under this kind of communication scheme, the communication frequency of agents could be significantly reduced. Then the corresponding event-triggered control protocol is constructed to guarantee that all followers track the leader eventually.

Under the centralized event-triggered scheme, all agents share a common triggering time sequence, that is, $t_k^1 = t_k^2 = \cdots = t_k^N = t_k$. Thus

$$\hat{x}_i(t) = \exp\big(A(t - t_k)\big)\, x_i(t_k), \quad t \in [t_k, t_{k+1}), \tag{8}$$

and then the measurement error for agent $i$'s state can be defined as

$$e_i(t) = \hat{x}_i(t) - x_i(t), \quad t \in [t_k, t_{k+1}), \tag{9}$$

where $t_k$ is the $k$-th triggering instant for all agents. Correspondingly, we call $u_i(t)$ the centralized event-triggered control protocol

$$u_i(t) = K \Big[ \sum_{j \in \mathcal{N}_i} \big(\hat{x}_j(t) - \hat{x}_i(t)\big) + d_i\big(\hat{x}_0(t) - \hat{x}_i(t)\big) \Big], \tag{10}$$

where $K = B^T P$ with $P$ being a positive definite matrix to be designed subsequently. Note that the error $e_i(t)$ exists due to its control input $u_i(t)$. Hence the error will decrease (or even vanish) as the followers approach the leader. It should be emphasized that the trajectory of the leader cannot be affected by the followers, and thus it has no control input. Therefore $e_0(t) = 0$ all the time.

Define $x(t) = (x_1^T(t), x_2^T(t), \cdots, x_N^T(t))^T$ and $e(t) = (e_1^T(t), e_2^T(t), \cdots, e_N^T(t))^T$. A centralized event condition is designed as

$$\|e(t)\|^2 \le \beta \,\|(H \otimes I_n)x(t) - (D \otimes I_n)(\mathbf{1}_N \otimes x_0(t))\|^2 \tag{11}$$

with $\beta > 0$. Here $D$ is a diagonal matrix with off-diagonal elements being 0. Its diagonal element $d_i$ is defined as $d_i = 1$ if node $i$ can receive the information of the leader (node 0); otherwise, $d_i = 0$. In addition, $H = L + D$ and $L$ is the Laplacian matrix of the subgraph $\mathcal{G}$. Obviously, the matrix $H$ has $N$ eigenvalues (i.e., $\lambda_i$, $i = 1, 2, \cdots, N$). Here, assume that they can be set in increasing order $0 \le \lambda_1 \le \lambda_2 \le \cdots \le \lambda_N$.

Here, "centralized" denotes that the event detector needs all agents' information to determine the next triggering instant. Specifically, if Eq. (11) holds, no further action is required. Otherwise, the detector will inform each agent to transmit the current state to its neighbors and meanwhile update its control protocol. At the same time, $e(t)$ is reset to zero. The process continues until Eq. (11) is violated. Thus the triggering time sequence $\{t_k\}$ is defined as

$$t_{k+1} = \inf\{t > t_k : \text{Eq. (11) does not hold}\}. \tag{12}$$

In this case, all followers share a common event-triggered time sequence. Thus, they always broadcast their states and update their control protocols simultaneously.

Remark 1. It should be noted that the centralized event-triggered control protocol $u_i(t)$ in (10) depends on the local information. In this section, "centralized" means that all agents share a common triggering time sequence, and hence, all followers transmit and update their information simultaneously.

Let $\delta_i(t) = x_i(t) - x_0(t)$; then one has

$$\dot{\delta}_i(t) = A\delta_i(t) + BK \Big[ \sum_{j \in \mathcal{N}_i} \big(\hat{x}_j(t) - \hat{x}_i(t)\big) + d_i\big(\hat{x}_0(t) - \hat{x}_i(t)\big) \Big]. \tag{13}$$

By setting $\delta(t) = (\delta_1^T(t), \delta_2^T(t), \cdots, \delta_N^T(t))^T$, the system (13) can be rewritten as

$$\dot{\delta}(t) = (I_N \otimes A)\delta(t) + [H \otimes (BK)][e(t) + \delta(t)]. \tag{14}$$

Assumption 1. There exists a positive definite matrix $P$ and $\alpha_1 > 0$ satisfying

$$A^T P + P A - \lambda_1 P B B^T P + \alpha_1 I < 0. \tag{15}$$

Now we present our main result in this section.

Theorem 1. Consider the leader-following multi-agent systems (3)–(4). Assume that the communication topology $\bar{\mathcal{G}}$ has a spanning tree with the leader as the root vertex. Under the centralized event-triggered protocol (10) and event-based condition (11), the leader-following consensus can be achieved if Assumption 1 holds and $\beta < \alpha_1/(\mu(\lambda_N)^3)$. Here the matrix $P$ satisfies (15), and $\mu$ is the largest eigenvalue of $P B B^T P$.

Proof. Firstly, a common Lyapunov function is constructed below:

$$V(t) = \sum_{i=1}^{N} \delta_i^T(t) P \delta_i(t). \tag{16}$$

By using Eqs. (11) and (13), one obtains

$$
\begin{aligned}
\dot{V}(t) &= \sum_{i=1}^{N} \delta_i^T(t)(A^T P + P A)\delta_i(t) + \sum_{i=1}^{N} \delta_i^T(t)\, 2PBK \Big\{ \sum_{j \in \mathcal{N}_i} \big(\hat{x}_j(t_k) - \hat{x}_i(t_k)\big) + d_i\big(\hat{x}_0(t_k) - \hat{x}_i(t_k)\big) \Big\} \\
&= \delta^T(t)\big[I_N \otimes (A^T P + P A) - H \otimes (2PBB^T P)\big]\delta(t) - \delta^T(t)\big[H \otimes (2PBB^T P)\big]e(t) \\
&\le \delta^T(t)\big[I_N \otimes (A^T P + P A) - H \otimes (PBB^T P)\big]\delta(t) + e^T(t)\big[H \otimes (PBB^T P)\big]e(t) \\
&\le \delta^T(t)\big(I_N \otimes (A^T P + P A) - H \otimes PBB^T P\big)\delta(t) + \lambda_N \mu \beta\, \delta^T(t)(H^2 \otimes I_n)\delta(t) \\
&\le \delta^T(t)\big[I_N \otimes (A^T P + P A - \lambda_1 PBB^T P)\big]\delta(t) + \lambda_N \mu \beta\, \delta^T(t)(H^2 \otimes I_n)\delta(t) \\
&\le -\big[\alpha_1 - (\lambda_N)^3 \mu \beta\big]\delta^T(t)\delta(t).
\end{aligned}
$$

Obviously, $\dot{V}(t) < 0$ if $\delta(t) \neq 0$. Therefore, $\lim_{t\to\infty} \delta(t) = 0$, and the leader-following consensus can be achieved. The proof is completed.

Remark 2. In general, the event-triggered frequency is dependent on $\lambda_N$. If $\lambda_N$ is very large, then the feasible $\beta$ will be very small. As a result, Eq. (11) may be much easier to satisfy so that the frequency of the event trigger will increase. On the contrary, a sufficiently small $\lambda_N$ will lead to the low frequency of the event trigger.

Remark 3. In Ni and Cheng (2010), the leader-following consensus for a general linear system has been investigated. However, two kinds of significant improvements have been made in this section. Firstly, the event-triggered consensus protocol is used in this work, while continuous information transmission and control updates are required in Ni and Cheng (2010). Thus our event-triggered scheme can lower the cost and save more energy. Secondly, an assumption was imposed for the system in Ni and Cheng (2010) that the matrix $A$ has no positive real part eigenvalues, but there is no such requirement in this section, and it covers more general systems.

Remark 4. Under the update scheme (8), one finds an interesting phenomenon that the leader only needs to transmit its information to its neighboring followers (linked with the leader) once. Then its neighboring followers are able to accurately estimate the leader's state via the update scheme (8), i.e., $x_0(t) = \exp(A(t - t_0))\, x_0(t_0)$. It is due to the fact that the leader has no control input.

Theorem 2. Under the event condition (11), Zeno behavior can be excluded.

Proof. Firstly, one can consider the derivative of $\|e(t)\|/\|(H \otimes I_n)\delta(t)\|$, and then one obtains

$$
\begin{aligned}
\frac{d}{dt}\left(\frac{\|e(t)\|}{\|(H \otimes I_n)\delta(t)\|}\right)
&= \frac{e^T(t)\dot{e}(t)}{\|e(t)\|\,\|(H \otimes I_n)\delta(t)\|} - \frac{\|e(t)\|\big(\delta^T(t)(H^T H \otimes I_n)\dot{\delta}(t)\big)}{\|(H \otimes I_n)\delta(t)\|^3} \\
&\le \big(\|I_N \otimes A\| + \|H \otimes (BK)\|\big)\frac{\|e(t)\|}{\|(H \otimes I_n)\delta(t)\|} + \|I_N \otimes (BK)\| \\
&\quad + \big(\|I_N \otimes A\| + \|H \otimes (BK)\|\big)\frac{\|e(t)\|}{\|(H \otimes I_n)\delta(t)\|} + \|H^2 \otimes (BK)\|\frac{\|e(t)\|^2}{\|(H \otimes I_n)\delta(t)\|^2} \\
&= \|H^2 \otimes (BK)\|\frac{\|e(t)\|^2}{\|(H \otimes I_n)\delta(t)\|^2} + 2\big(\|I_N \otimes A\| + \|H \otimes (BK)\|\big)\frac{\|e(t)\|}{\|(H \otimes I_n)\delta(t)\|} + \|I_N \otimes (BK)\|.
\end{aligned} \tag{17}
$$

Let $\phi(t) = \|e(t)\|/\|(H \otimes I_n)\delta(t)\|$; one obtains $\phi(t) \le \psi(t, \psi_0)$, which is the solution of the following equation

$$\frac{d\psi}{dt} = p_0\psi^2 + 2p_1\psi + p_2; \quad \psi(t, \psi_0) = \psi_0 \tag{18}$$

where $p_0 = \|H^2 \otimes (BK)\|$, $p_1 = \|I_N \otimes A\| + \|H \otimes (BK)\|$, and $p_2 = \|I_N \otimes (BK)\|$. The inter-event time is bounded by the time taken for $\psi(t)$ to evolve from 0 to $\sqrt{\beta}$, which implies $\psi(\tau, 0) = c$ and $t_{k+1}^i - t_k^i \ge \tau$.

Case 1: if $p_1^2 = p_0 p_2$, then

$$\tau = \frac{\sqrt{\beta}\,p_1}{\sqrt{\beta}\,p_0 p_1 + p_1^2};$$

Case 2: if $p_1^2 < p_0 p_2$, then

$$\tau = \frac{1}{p_0\sqrt{\iota}}\left[\arctan\left(\frac{\sqrt{\beta}}{\sqrt{\iota}} + \frac{p_1}{p_0\sqrt{\iota}}\right) - \arctan\left(\frac{p_1}{p_0\sqrt{\iota}}\right)\right]$$

with $\iota = (p_2 p_0 - p_1^2)/p_0^2$;

Case 3: if $p_1^2 > p_0 p_2$, then

$$\tau = \frac{1}{2p_0\sqrt{-\iota}} \ln\left|\frac{(\sqrt{\beta}\,p_0 + p_1 - p_0\sqrt{-\iota})(p_1 + p_0\sqrt{-\iota})}{(\sqrt{\beta}\,p_0 + p_1 + p_0\sqrt{-\iota})(p_1 - p_0\sqrt{-\iota})}\right|.$$

Hence, one has $\tau > 0$; in other words, $t_{k+1} - t_k \ge \tau > 0$. Therefore, there is no Zeno behavior under the event condition (11).

Example 1. Consider a system with a leader and four followers where

$$A = \begin{bmatrix} 0.003 & 1 & 0 \\ -1 & 0.001 & 0 \\ 0 & 0 & -2 \end{bmatrix}; \quad B = \begin{bmatrix} 0.1 \\ 0.2 \\ 0.1 \end{bmatrix}, \tag{19}$$

where the eigenvalues of $A$ are $-2$, $0.002 + 0.9999i$, and $0.002 - 0.9999i$, which implies that they are not required to be in the closed left plane. The topology is fixed and has a spanning tree with the leader as the root vertex (see Fig. 1).

[Fig. 1 Fixed topology; nodes 0, 1, 2, 3, 4]

By solving (15), one has

$$P = \begin{bmatrix} 20.6592 & 0.3375 & -0.0002 \\ 0.3375 & 19.6418 & -0.0064 \\ -0.0002 & -0.0064 & 0.2750 \end{bmatrix} \tag{20}$$

with $\alpha_1 = 1$ and $K = [2.1334, 3.9615, 0.0262]$. In this example, one chooses $\beta = 0.001$, and the centralized ETS (10) is used. Under this scheme, all followers can reach the same state as the leader, i.e., followers can track the leader finally (see Fig. 2). In this example, all followers share an event condition, and the triggering instants during [6 s, 11 s] are displayed in Fig. 3. The event is triggered 961 times during the time interval [0 s, 100 s], and the mean time interval (s) is 0.052. Hence, this centralized event-triggered protocol is effective to reach leader-following consensus. Moreover, the centralized ETS significantly lowers the cost of information transmission and control protocol update as compared with the case without event triggering (see Fig. 3).
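The centralized scheme of this subsection, simulated for the matrices of Example 1, as an added example that is not the authors' code. $A$, $B$, $K$ and $\beta$ are the page's values; because Fig. 1 is not reproduced here, the chain topology 0 -> 1 - 2 - 3 - 4, the initial states, the step size and all function names are assumptions.

```python
import math

# Example 1 data as printed on the page.
A = [[0.003, 1.0, 0.0], [-1.0, 0.001, 0.0], [0.0, 0.0, -2.0]]
B = [0.1, 0.2, 0.1]
K = [2.1334, 3.9615, 0.0262]          # K = B^T P
BETA = 0.001

# ASSUMPTION (Fig. 1 is not reproduced on the page): chain 0 -> 1 - 2 - 3 - 4.
NEIGHBORS = {1: [2], 2: [1, 3], 3: [2, 4], 4: [3]}   # follower-follower links
PINNED = {1}                                          # followers with d_i = 1

# Constructed initial states; index 0 is the leader.
X_INIT = {0: [1.0, 0.0, 1.0], 1: [2.0, 1.0, 0.0], 2: [-1.0, 2.0, 1.0],
          3: [0.0, -2.0, -1.0], 4: [-2.0, -1.0, 2.0]}


def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def expm(M, dt, terms=12):
    """exp(M*dt) by a truncated Taylor series (adequate for small ||M*dt||)."""
    n = len(M)
    total = [[float(i == j) for j in range(n)] for i in range(n)]
    term = [row[:] for row in total]
    for k in range(1, terms):
        # term <- term * M * dt / k
        term = [[sum(term[i][p] * M[p][j] for p in range(n)) * dt / k
                 for j in range(n)] for i in range(n)]
        total = [[total[i][j] + term[i][j] for j in range(n)] for i in range(n)]
    return total


def disagreement(s):
    """Row blocks of (H (x) I_n) s - (D (x) I_n)(1_N (x) s_0) for states s."""
    out = {}
    for i, nbrs in NEIGHBORS.items():
        sources = nbrs + ([0] if i in PINNED else [])
        out[i] = [sum(s[i][d] - s[j][d] for j in sources) for d in range(len(B))]
    return out


def tracking_error(x):
    return math.sqrt(sum((a - b) ** 2 for i in NEIGHBORS for a, b in zip(x[i], x[0])))


def simulate(x_init=X_INIT, t_end=60.0, dt=0.005):
    """Run protocol (10) with event condition (11); return (events, steps, err0, err_end)."""
    phi = expm(A, dt)
    x = {i: list(v) for i, v in x_init.items()}
    xhat = {i: list(v) for i, v in x.items()}        # first broadcast at t_0 = 0
    err0 = tracking_error(x)
    steps = int(round(t_end / dt))
    events = 0
    for _ in range(steps):
        zhat = disagreement(xhat)                    # uses broadcast estimates only
        for i in NEIGHBORS:
            u = -sum(k * z for k, z in zip(K, zhat[i]))                  # protocol (10)
            x[i] = [p + dt * b * u for p, b in zip(matvec(phi, x[i]), B)]
        x[0] = matvec(phi, x[0])                     # leader has no control input
        xhat = {i: matvec(phi, v) for i, v in xhat.items()}              # eq. (8)
        e_sq = sum((a - b) ** 2 for i in NEIGHBORS for a, b in zip(xhat[i], x[i]))
        rhs = BETA * sum(v * v for z in disagreement(x).values() for v in z)
        if e_sq > rhs:                               # (11) violated: trigger, rule (12)
            xhat = {i: list(v) for i, v in x.items()}
            events += 1
    return events, steps, err0, tracking_error(x)


if __name__ == "__main__":
    ev, n, e0, e1 = simulate()
    print(f"{ev} broadcasts in {n} steps; tracking error {e0:.3f} -> {e1:.4f}")
```

The first value returned by `simulate()` is the number of broadcasts, which can be compared directly with the number of steps a time-triggered scheme sampling at every `dt` would use.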

3.2 Clustered Event-Triggered Control

Centralized event-triggered schemes have been discussed in Sect. 3.1. However, it is found that the centralized event-triggered scheme is hard to apply when the network is large-scale. In this subsection, we introduce a novel clustered event-triggered scheme (clustered ETS), which does not need to collect all followers' states to determine the next triggering instant. In this subsection, agents are classified into different clusters, and then only agents in the same cluster share a common event condition, and thus their triggering instants are the same. However, the triggering instants for agents in different clusters could be different.

[Fig. 2 The states trajectory of a leader and four followers; panels $x_i^{(1)}(t)$, $x_i^{(2)}(t)$, $x_i^{(3)}(t)$ versus $t$; legend: leader, follower1, follower2, follower3, follower4]

[Fig. 3 Triggering instants for all followers; horizontal axis: Time (t); legend: event-triggered signal, without event-triggered signal]

In this subsection, the subgraph G among followers is assumed to be disconnected. Thus the followers can be classified into several connected components, and each component is considered as a cluster (group or family). For convenience of discussion, suppose that N followers are classified into m independent clusters, namely, there is no information exchange between two different clusters. Then we reorder the followers by using an elementary matrix U (Eves 1966) to obtain

$$U^{-1} L U = \begin{pmatrix} L_1 & 0 & \cdots & 0 \\ 0 & L_2 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & L_m \end{pmatrix}. \tag{21}$$

The graph G among followers has m connected components, and $L_i$ is the Laplace matrix of the i-th connected component. Correspondingly, we let $y(t) = U x(t)$ with $y(t) = (y_{11}^T, \cdots, y_{1l_1}^T, y_{21}^T, \cdots, y_{2l_2}^T, \cdots, y_{m1}^T, \cdots, y_{ml_m}^T)^T$ and $l_1 + l_2 + \cdots + l_m = N$.

Under the clustered ETS, agents cp ($p = 1, 2, \cdots, l_c$) in cluster c share a common triggering time sequence, that is, $t_k^{c1} = t_k^{c2} = \cdots = t_k^{cl_c} = t_k^c$, $c = 1, 2, \cdots, m$. Here $t_k^c$ is the k-th triggering instant of agents in cluster c. Similarly, assume that follower i belongs to cluster c, and define

$$\hat y_i(t) = \exp\big(A(t - t_k^c)\big)\, y_i(t_k^c), \quad t \in [t_k^c, t_{k+1}^c), \tag{22}$$

and

$$e_i(t) = \exp\big(A(t - t_k^c)\big)\, y_i(t_k^c) - y_i(t). \tag{23}$$

Correspondingly, the protocol $u_i(t)$ is called the clustered event-triggered control protocol:

$$u_i(t) = K_c \Big[ \sum_{j \in N_i} \big(\hat y_j(t) - \hat y_i(t)\big) + d_i\big(\hat y_0(t) - \hat y_i(t)\big) \Big] \tag{24}$$

where $K_c = B^T P_c$ with a positive definite matrix $P_c$ to be designed later. Then a new event condition is presented with the following form

$$\|e_c(t)\|^2 \le \beta_c \,\big\|(H_c \otimes I_n) Y_c(t) - (D_c \otimes I_n)(I_{l_c} \otimes x_0(t))\big\|^2 \tag{25}$$

where $e_c = (e_{c1}^T, e_{c2}^T, \cdots, e_{cl_c}^T)^T$ with $H_c = L_c + D_c$, $Y_c = (y_{c1}^T, y_{c2}^T, \cdots, y_{cl_c}^T)^T$, $D_c = \mathrm{diag}\{d_{c1}, d_{c2}, \cdots, d_{cl_c}\}$. Then the triggering time sequence $\{t_k^c\}$ of cluster c is defined as

$$t_{k+1}^c = \inf\{t > t_k^c : \text{Eq. (25) does not hold}\}. \tag{26}$$

Remark 5. The clustered ETS is a novel scheme for the information transmission and the control protocol update, which relaxes the requirement of collecting all followers' states for event detection in centralized ETS. This kind of control protocol implies that followers in the same cluster share a common event condition, and they will update their information simultaneously, but will not be affected by agents in other clusters.

Theorem 3. Consider the leader-following multi-agent systems (3)–(4) with the clustered event-triggered protocol (24). Assume that there is at least a follower in each cluster that can receive the information from the leader. If there exist the positive definite matrices $P_c$ and $\alpha_{1c} > 0$ ($c = 1, 2, \cdots, m$) satisfying Assumption 1, then the leader-following consensus can be achieved under clustered event-based condition (25) with $\beta_c < \alpha_{1c}/(\mu_c(\lambda_N^c)^3)$, here $\mu_c$ being the largest eigenvalue of $P_c B B^T P_c$. In addition, Zeno behavior can be avoided under clustered ETS (24).

Proof. Let $\delta_{cp}(t) = y_{cp}(t) - x_0(t)$. Then consider the Lyapunov function

$$V(t) = \sum_{c=1}^{m} \sum_{p=1}^{l_c} \delta_{cp}^T(t) P_c \delta_{cp}(t),$$

for $c = 1, 2, \cdots, m$. Let $\Delta_c = (\delta_{c1}^T, \delta_{c2}^T, \cdots, \delta_{cl_c}^T)^T$, then

$$\begin{aligned}
\dot V(t) &= \sum_{c=1}^{m} \sum_{p=1}^{l_c} \delta_{cp}^T(t)(A^T P_c + P_c A)\delta_{cp}(t) \\
&\quad + \sum_{c=1}^{m} \sum_{p=1}^{l_c} \Big\{ \delta_{cp}^T(t)\, 2 P_c B K_c \Big[ \sum_{j \in N_{cp}} \big(\delta_j(t) - \delta_{cp}(t) + e_j(t) - e_{cp}(t)\big) - d_{cp}\big(\delta_{cp}(t) + e_{cp}(t)\big) \Big] \Big\} \\
&\le \sum_{c=1}^{m} \Delta_c^T(t)\big(I_{l_c \times l_c} \otimes (A^T P_c + P_c A) - H_c \otimes P_c B B^T P_c\big)\Delta_c(t) + \sum_{c=1}^{m} e_c^T(t)(H_c \otimes P_c B B^T P_c) e_c(t) \\
&\le -\sum_{c=1}^{m} \big(\alpha_{1c} - \beta_c \mu_c (\lambda_N^c)^3\big) \Delta_c^T(t)\Delta_c(t).
\end{aligned}$$

Fig. 4 Fixed topology that has a disconnected subgraph among followers (nodes 0, 1, 2, 3, 4, 5; Cluster I and Cluster II)

Thus $\dot V(t) < 0$ if $\Delta_c(t) \ne 0$, which implies that as $t \to \infty$, $\Delta_c(t) \to 0$ for all $c = 1, 2, \cdots, m$. In other words, $\lim_{t \to \infty}(y_{cp}(t) - x_0(t)) = 0$, $i = 1, 2, \cdots, N$. Moreover, similar to Theorem 2, we conclude that for each cluster c, there exists $\tau^c > 0$ such that $t_{k+1}^c - t_k^c > \tau^c$. Therefore, for all agents, Zeno behavior can be excluded. The proof is completed.

Example 2. An example with a leader and five followers is considered here, whose dynamics is defined as (19). The system topology is shown in Fig. 4. Moreover, we can see that its subgraph G among followers is disconnected, and thus it can be divided into two connected components which are called Cluster 1 and Cluster 2. Cluster 1 contains followers 1 and 2, and Cluster 2 includes followers 3, 4, and 5. In addition, we choose $\alpha_{11} = \alpha_{12} = 1$. By solving (15), one has

$$P_1 = \begin{bmatrix} 11.1066 & 0.2785 & -0.0005 \\ 0.2785 & 10.1885 & -0.0094 \\ -0.0005 & -0.0094 & 0.2524 \end{bmatrix}, \quad P_2 = \begin{bmatrix} 15.3958 & 0.2979 & -0.0003 \\ 0.2979 & 14.4716 & -0.0070 \\ -0.0003 & -0.0070 & 0.2525 \end{bmatrix},$$

K1 = [1.1663, 2.0646, 0.0233], and K2 = [1.5991, 2.9234, 0.0238]. Then one chooses β1 = β2 = 0.001. In this case, each cluster shares a common event condition. Hence, two different event-triggered protocols (24) are used here. From Fig. 5, the leader-following consensus can be reached under the clustered ETS. In addition, event conditions are triggered 527 times for followers in Cluster 1 and 2091 times for followers in Cluster 2 during [0s, 50s]. Their mean time intervals are 0.095 and 0.0239, respectively. Figure 6 presents the triggering instants for each cluster during the time interval [4s, 9s]. It clearly shows that the clustered ETS needs significantly fewer event triggers for information transmission and control update than the case without event triggering.
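The relabeling behind (21), as an added example that is not code from the chapter: it finds the clusters as connected components of the follower subgraph, reorders the Laplacian cluster by cluster, and checks the Theorem 3 requirement that every cluster contains a follower with $d_i = 1$. The five-follower edge list and leader links are constructed for illustration (deliberately numbered so that the clusters interleave) and are not the topology of Fig. 4; all function names are hypothetical.

```python
from collections import deque

def follower_clusters(n, edges):
    """Connected components of the follower subgraph; followers are numbered 1..n."""
    nbrs = {i: set() for i in range(1, n + 1)}
    for i, j in edges:
        nbrs[i].add(j)
        nbrs[j].add(i)
    seen, clusters = set(), []
    for start in range(1, n + 1):
        if start in seen:
            continue
        seen.add(start)
        comp, queue = [], deque([start])
        while queue:                       # breadth-first search inside one component
            v = queue.popleft()
            comp.append(v)
            for w in nbrs[v] - seen:
                seen.add(w)
                queue.append(w)
        clusters.append(sorted(comp))
    return clusters

def laplacian(n, edges):
    """Laplacian of the undirected follower subgraph."""
    L = [[0] * n for _ in range(n)]
    for i, j in edges:
        L[i - 1][i - 1] += 1
        L[j - 1][j - 1] += 1
        L[i - 1][j - 1] -= 1
        L[j - 1][i - 1] -= 1
    return L

def reorder(L, clusters):
    """Permute rows and columns so that followers are grouped cluster by cluster, as in (21)."""
    order = [v - 1 for comp in clusters for v in comp]
    return [[L[r][c] for c in order] for r in order]

def is_block_diagonal(M, sizes):
    """True if every entry outside the diagonal blocks of the given sizes is zero."""
    block = [b for b, s in enumerate(sizes) for _ in range(s)]
    n = len(M)
    return all(M[r][c] == 0 for r in range(n) for c in range(n) if block[r] != block[c])

def clusters_without_leader(clusters, d):
    """Clusters that violate the Theorem 3 assumption (no member with d_i = 1)."""
    return [comp for comp in clusters if not any(d[v] for v in comp)]

# Constructed topology (assumption, not Fig. 4): followers 1-4 linked, 2-3-5 linked.
EDGES = [(1, 4), (2, 3), (3, 5)]
LEADER_LINKS = {1: 0, 2: 1, 3: 0, 4: 1, 5: 0}   # d_i values, constructed

if __name__ == "__main__":
    clusters = follower_clusters(5, EDGES)
    L = laplacian(5, EDGES)
    sizes = [len(c) for c in clusters]
    print("clusters:", clusters)
    print("block diagonal before reordering:", is_block_diagonal(L, sizes))
    print("block diagonal after reordering: ", is_block_diagonal(reorder(L, clusters), sizes))
    print("clusters with no leader access:", clusters_without_leader(clusters, LEADER_LINKS))
```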

Fig. 5 The states trajectory of a leader and five followers (panels: $x_i^{(1)}(t)$, $x_i^{(2)}(t)$, $x_i^{(3)}(t)$ versus t; curves: leader, follower1, follower2, follower3, follower4, follower5)

Fig. 6 Triggering instants for each cluster (cluster1, cluster2, and the case without event-triggered signal; horizontal axis: Time (t))

3.3 Distributed Event-Triggered Control

In the previous subsections, centralized ETS and clustered ETS have been discussed to guarantee leader-following consensus. In this subsection, we further discuss a distributed event-triggered scheme (distributed ETS), where each agent is able to independently determine its own behavior, and its event condition is designed with just local information. Under the distributed ETS, each agent has its own triggering instants, and thus

$$\hat x_i(t) = \exp\big(A(t - t_k^i)\big)\, x_i(t_k^i), \quad t \in [t_k^i, t_{k+1}^i), \tag{27}$$

where $t_k^i$ is the k-th event-triggered instant for agent i and the measurement error for agent i's state can be written as

$$e_i(t) = \hat x_i(t) - x_i(t), \quad t \in [t_k^i, t_{k+1}^i). \tag{28}$$

Correspondingly, the protocol $u_i(t)$ is called the distributed event-triggered consensus protocol:

$$u_i(t) = K \Big[ \sum_{j \in N_i} \big(\hat x_j(t) - \hat x_i(t)\big) + d_i\big(\hat x_0(t) - \hat x_i(t)\big) \Big] \tag{29}$$

where $K = B^T P$ and P is a positive definite matrix to be designed later. Note that it is not easy to design an effective event condition to both guarantee leader-following consensus and exclude Zeno behavior. Thus an alternative design idea is applied for the distributed event condition as compared with centralized and clustered cases. The triggering time sequence $\{t_k^i\}$ for every agent i is determined by

$$t_{k+1}^i = \max\Big\{ t_k^i + \tau_i,\ \inf\Big\{ t : t > t_k^i \text{ and } \|e_i(t)\|^2 > \kappa_i \Big\| \Big[ \sum_{j \in N_i} \big(x_j(t) - x_i(t)\big) + d_i\big(x_0(t) - x_i(t)\big) \Big] \Big\|^2 \Big\} \Big\} \tag{30}$$

where $\tau_i > 0$ is a constant and will be determined subsequently. Note that agent i will transmit its current state to its neighbors and update its control protocol only when $t = t_k^i$. Then, $e_i(t)$ is reset to zero. When $t \in (t_k^i, t_{k+1}^i)$, no further action is required. In this section, every agent i has its event-triggered time sequence, which is determined by its neighbors' information. Hence this event-triggered scheme (30) is considered to be distributed.

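Let $\delta_i(t) = x_i(t) - x_0(t)$ and $\hat\delta_i(t) = \hat x_i(t) - \hat x_0(t)$, then

$$\begin{aligned}
\dot\delta_i(t) &= A\delta_i(t) + BK \Big[ \sum_{j \in N_i} \big(\hat x_j(t) - \hat x_i(t)\big) + d_i\big(\hat x_0(t) - \hat x_i(t)\big) \Big] \\
&= A\delta_i(t) + BK \Big[ \sum_{j \in N_i} \big(\hat\delta_j(t) - \hat\delta_i(t)\big) - d_i \hat\delta_i(t) \Big].
\end{aligned} \tag{31}$$

Note that $x_0(t) = \hat x_0(t)$; thus $\hat\delta_i(t) = \delta_i(t) + e_i(t)$. By setting $\delta(t) = (\delta_1^T(t), \delta_2^T(t), \cdots, \delta_N^T(t))^T$, we have

$$\dot\delta(t) = (I_N \otimes A)\delta(t) + (H \otimes BK)(e(t) + \delta(t)). \tag{32}$$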

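Now we present our main result in this section.

Theorem 4. Consider the leader-following multi-agent systems (3)–(4). Assume that the communication topology $\bar G$ has a spanning tree with the leader as the root vertex. If there exist a positive definite matrix P and $\alpha_1 > 0$ satisfying Assumption (1), then the leader-following consensus can be achieved under the distributed event-triggered protocol (29) and the event condition (30) with $\kappa_i \le \rho_1/\lambda_N$, $c = \rho_2/(\lambda_N N)$, and $\tau_i < \tau$ satisfying

$$\tau = \begin{cases}
\dfrac{\sqrt{c}\,p_1}{\sqrt{c}\,p_0 p_1 + p_1^2} & \text{if } p_1^2 = p_0 p_2 \\[2ex]
\dfrac{1}{\sqrt{\iota}\,p_0}\Big[\arctan\Big(\dfrac{\sqrt{c}}{\sqrt{\iota}} + \dfrac{p_1}{p_0\sqrt{\iota}}\Big) - \arctan\Big(\dfrac{p_1}{p_0\sqrt{\iota}}\Big)\Big] & \text{if } p_1^2 < p_0 p_2 \\[2ex]
\dfrac{1}{2p_0\sqrt{-\iota}} \ln\Big|\dfrac{(\sqrt{c}\,p_0 + p_1 - p_0\sqrt{-\iota})(p_1 + p_0\sqrt{-\iota})}{(\sqrt{c}\,p_0 + p_1 + p_0\sqrt{-\iota})(p_1 - p_0\sqrt{-\iota})}\Big| & \text{if } p_1^2 > p_0 p_2.
\end{cases} \tag{33}$$

Here $\mu$ is the largest eigenvalue of $P B B^T P$, and $\rho_1 > 0$ and $\rho_2 > 0$ satisfy $\rho_1 + \rho_2 \le \rho < \frac{\alpha_1}{\mu(\lambda_N)^2}$. In addition, $\iota = (p_2 p_0 - p_1^2)/p_0$, $p_0 = \|H^2 \otimes (BK)\|$, $p_1 = \|I_N \otimes A\| + \|H \otimes (BK)\|$, and $p_2 = \|I_N \otimes (BK)\|$. Furthermore, Zeno behavior can be avoided.

Proof. Consider the following Lyapunov function $V(t) = \sum_{i=1}^{N} \delta_i^T(t) P \delta_i(t)$, then

$$\begin{aligned}
\dot V(t) &= \sum_{i=1}^{N} \delta_i^T(t)(A^T P + P A)\delta_i(t) + \sum_{i=1}^{N} \delta_i^T(t)\, 2PBK \Big[ \sum_{j \in N_i} \big(\hat x_j(t) - \hat x_i(t)\big) + d_i\big(\hat x_0(t) - \hat x_i(t)\big) \Big] \\
&= \sum_{i=1}^{N} \delta_i^T(t)(A^T P + P A)\delta_i(t) + \sum_{i=1}^{N} \delta_i^T(t)\, 2PBK \Big[ \sum_{j \in N_i} \big(\delta_j(t) - \delta_i(t) + e_j(t) - e_i(t)\big) - d_i\big(\delta_i(t) + e_i(t)\big) \Big] \\
&= \delta^T(t)\big(I_N \otimes (A^T P + P A) - H \otimes 2PBB^TP\big)\delta(t) - \delta^T(t)\big[H \otimes (2PBB^TP)\big]e(t) \\
&\le \sum_{i=1}^{N} \delta_i^T(t)(A^T P + P A - \lambda_1 PBB^TP)\delta_i(t) + \lambda_N \mu\, e^T(t)e(t) \\
&\le -\alpha_1 \sum_{i=1}^{N} \delta_i^T(t)\delta_i(t) + \lambda_N \mu\, e^T(t)e(t).
\end{aligned}$$

If one guarantees

$$e^T(t)e(t) \le \rho\, \delta^T(t)(H \otimes I_n)\delta(t) \tag{34}$$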

with 0 < ρ p0 p2 , then τ = 2p 1√−ι ln  ((√cp . Hence, for agents in cp0 +p1 +p0 −ι)(p1 −p0 −ι) 0 M2 (t), the event time interval can be chosen as τi ≤ τ , which leads to that Eq. (38)

1: if p12 = p0 p2 , then τ =

can be guaranteed. Thus it can be concluded that $\dot V(t) < 0$ if $\delta_i(t) \ne 0$. That implies $x_i(t) \to x_0(t)$ ($i = 1, 2, \cdots, N$) as $t \to \infty$. Therefore, the leader-following consensus can be achieved.

Remark 6. Compared with the static consensus law in previous works (Fan et al. 2013; Meng and Chen 2013; Li et al. 2014), the protocol in (29) is considered to be a dynamic one. To be specific, the static consensus control in Fan et al. (2013), Meng and Chen (2013) and Li et al. (2014) is chosen to be a constant based on $\hat x_i(t) = x_i(t_k^i)$, $i = 1, \cdots, N$ until a new updated signal is received. Although the protocol in (29) depends on $x_i(t_k^i)$ when $t \in [t_k^i, t_{k+1}^i)$, it varies with $\hat x_i(t) = \exp\big(A(t - t_k^i)\big) x_i(t_k^i)$. In fact, previous static control laws are not suitable for our issue. In this section, the matrix A in systems (3) and (4) is allowed to have roots with positive real parts, which means that the system could be unstable or even diverging. Thus if $\tilde e_i = x_i(t) - x_i(t_k^i)$ is chosen instead of Eq. (28), then it will lead to a great increase in the number of events triggered due to the fact that Eq. (30) is much easier to satisfy. Furthermore, it is noted that when our system degenerates to a special case with A = 0, our control scheme will be similar to those in Fan et al. (2013), Meng and Chen (2013) and Li et al. (2014). Therefore, our control scheme has a wide range of applications.

Remark 7. It is a challenging issue to design a distributed event condition that guarantees both asymptotic consensus and the exclusion of Zeno behavior. The previous work proposed a distributed event condition to successfully achieve asymptotic consensus. However, the Zeno behavior is hard to avoid (Dimarogonas et al. 2012). On the other hand, some distributed event conditions were designed without Zeno behavior. However, the final behavior degenerates to bounded consensus (Garcia et al. 2014). Therefore, it is highly expected to design a distributed event condition to achieve two goals, i.e., asymptotic consensus and the exclusion of Zeno behavior. Inspired by Fan et al. (2015), we design a distributed event-triggered scheme for a general linear multi-agent system to successfully achieve the above two goals. Under this scheme, both the event-based condition and the consensus protocol are distributed. As compared with the event-triggered mechanism only for the control update in Fan et al. (2015), our event-triggered scheme aims to reduce both the communication frequency and the number of control protocol updates. Thus an alternative distributed event-triggered protocol is proposed in this section, which just involves the information of neighbors at their own triggering instants.

Example 3. In this example, we consider the case of distributed ETS. Here the matrices A and B are defined in (19), and the communication topology is presented in Fig. 1. By solving (15), one has

$$P = \begin{bmatrix} 19.4475 & 0.3200 & -0.0002 \\ 0.3200 & 18.5426 & -0.0055 \\ -0.0002 & -0.0055 & 0.2525 \end{bmatrix} \tag{41}$$

with α1 = 1 and K = [2.0087, 3.7300, 0.0241]. One can choose κ1 = κ2 = κ3 = κ4 = 0.001, τ1 = 0.06, τ2 = 0.05, τ3 = 0.04, and τ4 = 0.03. From Fig. 7, under our distributed ETS (29), all followers can asymptotically track the leader. Moreover, Fig. 8 shows the event-triggered time instants for each follower during [6s, 9s]. The numbers of event triggers are 790, 967, 1207, and 1429, respectively, during [0s, 50s], and the mean time intervals (s) are 0.0633, 0.0517, 0.0414, and 0.0350, which are presented in Table 1. The distributed ETS substantially reduces the frequency of information transmissions and control updates compared with the case without event triggering (see Table 1).
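A minimal simulation of protocol (29) with the trigger rule (30), added here as an illustration and not taken from the chapter: it shows the dwell time $\tau_i$ bounding the inter-event intervals from below while the followers still converge to the leader. It assumes scalar agents (a, b, k replace A, B, K, since the matrices of (19) are not reproduced here), a constructed four-follower ring with the leader linked to followers 1 and 3, and starts event detection at $t_k^i + \tau_i$; only the $\kappa_i$ and $\tau_i$ values are borrowed from Example 3.

```python
import math

def simulate_distributed_ets(a, b, k, nbrs, d, leader0, x_init, kappa, tau, T, dt=1e-3):
    """Scalar-agent simulation of protocol (29) under trigger rule (30).

    Returns (events, errors): events[i] lists the triggering instants of agent i,
    errors[i] = |x_i(T) - x_0(T)|.
    """
    n = len(x_init)
    phi = math.exp(a * dt)                       # exp(A*dt): one-step propagator
    gam = b * (phi - 1.0) / a if a else b * dt   # input gain with u held over one step
    dwell = [math.ceil(tau[i] / dt - 1e-9) for i in range(n)]  # tau_i in steps
    x = list(x_init)          # true follower states x_i(t)
    xhat = list(x_init)       # estimates (27); every agent broadcasts at t = 0
    last = [0] * n            # step index of the last triggering instant t_k^i
    events = [[0.0] for _ in range(n)]
    leader = leader0          # x_0(t); the leader has no input, so xhat_0 = x_0
    for step in range(1, int(round(T / dt)) + 1):
        # Protocol (29): built from estimates only, never from live neighbor states.
        u = [k * (sum(xhat[j] - xhat[i] for j in nbrs[i]) + d[i] * (leader - xhat[i]))
             for i in range(n)]
        x = [phi * x[i] + gam * u[i] for i in range(n)]
        xhat = [phi * v for v in xhat]           # estimator (27) between events
        leader *= phi
        for i in range(n):
            if step - last[i] < dwell[i]:
                continue                         # inside (t_k, t_k + tau_i): no detection
            e = xhat[i] - x[i]                   # measurement error (28)
            q = sum(x[j] - x[i] for j in nbrs[i]) + d[i] * (leader - x[i])
            if e * e > kappa[i] * q * q:         # event condition of (30) is violated
                xhat[i] = x[i]                   # transmit state, reset e_i to zero
                last[i] = step
                events[i].append(step * dt)
    return events, [abs(v - leader) for v in x]

def min_gap(times):
    """Smallest interval between consecutive triggering instants."""
    return min(t2 - t1 for t1, t2 in zip(times, times[1:]))

# Constructed setup (assumptions): ring 1-2-3-4-1, leader linked to followers 1 and 3.
NBRS = [[1, 3], [0, 2], [1, 3], [2, 0]]          # 0-based neighbor lists
LEADER_LINK = [1, 0, 1, 0]                       # d_i
KAPPA = [0.001] * 4                              # kappa_i as in Example 3
TAU = [0.06, 0.05, 0.04, 0.03]                   # tau_i as in Example 3

def run_example(T=40.0, dt=1e-3):
    # a = 0.1 makes the open-loop dynamics unstable, the case Remark 6 highlights.
    return simulate_distributed_ets(a=0.1, b=1.0, k=1.5, nbrs=NBRS, d=LEADER_LINK,
                                    leader0=1.0, x_init=[3.0, -2.0, 0.5, -1.0],
                                    kappa=KAPPA, tau=TAU, T=T, dt=dt)

if __name__ == "__main__":
    events, errors = run_example()
    for i, ev in enumerate(events):
        print(f"follower {i + 1}: {len(ev)} events, min interval {min_gap(ev):.4f} s, "
              f"final tracking error {errors[i]:.2e}")
```

With a step of 0.001 s, updating at every step would cost 40,001 transmissions per agent over the same horizon, which is the comparison Table 1 makes for the chapter's own example.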

Fig. 7 The states trajectory of a leader and four followers (panels: $x_i^{(1)}(t)$, $x_i^{(2)}(t)$, $x_i^{(3)}(t)$ versus t; curves: leader, follower1, follower2, follower3, follower4)

Fig. 8 Triggering instants for each follower (follower1, follower2, follower3, follower4, and the case without event-triggered signal; horizontal axis: Time (t))

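Table 1 Event time intervals for each follower

| Case | Followers | Nos of event trigger | Mean time interval |
|---|---|---|---|
| Event-triggered | 1 | 790 | 0.0633 |
| Event-triggered | 2 | 967 | 0.0517 |
| Event-triggered | 3 | 1207 | 0.0414 |
| Event-triggered | 4 | 1429 | 0.0350 |
| Without event-triggered | 1&2&3&4 | 50,001 | 0.0010 |

3.4 Discussion on Event Detection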

In this section, we will give some discussion on event detection, and only the distributed ETS is taken as an example in the following discussion. By the distributed triggering instants determined by (30), the event detection is not required to be continuously executed. Assume that the last triggering instant of agent i is $t_k^i$, then the event detection is not needed during time interval $(t_k^i, t_k^i + \tau_i]$ according to (30). Then the activity of event detection starts from time $t_k^i + \tau_i$ until agent i's next triggering instant $t_{k+1}^i$. Thus the event detector of agent i needs to observe the relative state information between agent i and its neighboring agents during $[t_k^i + \tau_i, t_{k+1}^i)$ for the event detection. Besides this, the event detector could compute the relative state information by receiving partial information of neighbors' states instead of the observation process.

For agent $j \in N_i$, only the information of $\{t_k^j, x_j(t_k^j), q_j(t_k^j)\}$ and $\{t_k^l, x_j(t_k^l), q_j(t_k^l)\}$ ($l \in N_j$) are sent to the event detector of agent i. Here $q_j(t_k^j)$ is defined as

$$q_j(t_k^j) = \sum_{p \in N_j} \big(\hat x_p(t_k^j) - \hat x_j(t_k^j)\big) + d_j\big(\hat x_0(t_k^j) - \hat x_j(t_k^j)\big). \tag{42}$$

To better illustrate this point, we will explain (1) when the control protocol of agent j is updated and (2) how to use information of $\{t_k^j, x_j(t_k^j), q_j(t_k^j)\}$ and $\{t_k^l, x_j(t_k^l), q_j(t_k^l)\}$ to compute the state of $x_j(t)$ and then compute the relative state information between agents i and j. The control protocol of agent j is updated in the following two cases (a) and (b).

Case (a) The control protocol of agent j is updated at its own triggering instants.

Step (1) Suppose that agent j triggers at time $t_k^j$; it means that agent j updates its control protocol at time $t_k^j$ and sends $\{t_k^j, x_j(t_k^j), q_j(t_k^j)\}$ to the event detectors of all its neighbors immediately.

Step (2) From step (1), the triggering information $\{t_k^j, x_j(t_k^j), q_j(t_k^j)\}$ of agent $j \in N_i$ is sent to detector i whenever agent j triggers at time $t_k^j$, and then detector i collects this information $x_j(t_k^j)$ and $q_j(t_k^j)$ at time $t_k^j$. Hence detector i can compute agent j's state at time $t > t_k^j$ by

$$x_j(t) = \exp\big(A(t - t_k^j)\big) x_j(t_k^j) + \exp(At) \int_{t_k^j}^{t} \exp(-As)\, BK \exp\big(A(s - t_k^j)\big) q_j(t_k^j)\, ds \tag{43}$$

until detector i receives information of agent j. Note that $t_k^j$ is the triggering instant of agent j in (43).

Case (b) The control protocol of agent j will be updated at its neighbors' triggering instants as well.

Step (1) Suppose that agent l ($\ne i$) is a neighbor of agent j. It triggers at time $t_k^l$ and sends $\{t_k^l, x_l(t_k^l), q_l(t_k^l)\}$ to agent j so that the control protocol of agent j is updated by using the newest information of agent l according to the definition of $q_j$. Then agent j sends the newest information of $\{t_k^l, x_j(t_k^l), q_j(t_k^l)\}$ to its neighbors' event detectors.

Step (2) From step (1), agent $j \in N_i$ sends information $\{t_k^l, x_j(t_k^l), q_j(t_k^l)\}$ to the detector of agent i whenever agent j's control protocol updates at time $t_k^l$ ($l \in N_j$), and then detector i collects this information $x_j(t_k^l)$ and $q_j(t_k^l)$ at time $t_k^l$. Hence detector i can compute agent j's state at time $t > t_k^l$ by

$$x_j(t) = \exp\big(A(t - t_k^l)\big) x_j(t_k^l) + \exp(At) \int_{t_k^l}^{t} \exp(-As)\, BK \exp\big(A(s - t_k^l)\big) q_j(t_k^l)\, ds \tag{44}$$

until agent i receives information of agent j. Note that $t_k^l$ ($l \in N_j$) is the triggering instant of agent j's neighbors in (44).

3.5 Summary

This section has studied a leader-following consensus problem in multi-agent systems with general linear dynamics. Three different types of event-triggered schemes, namely, centralized ETS, clustered ETS, and distributed ETS, form a framework and have been investigated. They are effective in guaranteeing that all followers can track the leader ultimately on the one hand and in reducing the communication frequency and control protocol updates on the other hand. Moreover, positive inter-event time intervals have been assured for the exclusion of Zeno behavior in these ETSs. Finally, Table 2 is provided to present the characteristics of three kinds of event-triggered schemes. It should be emphasized that the proposed distributed event-triggered scheme has completed one challenging task of distributed schemes, i.e., to simultaneously achieve both asymptotic consensus and the exclusion of Zeno behavior.

Table 2 The characteristics of centralized, distributed, and clustered ETSs

| Case | Zeno behavior | Network (more suitable for) | Detector cost |
|---|---|---|---|
| Centralized ETS | No | Small scale | Low |
| Distributed ETS | No | Large scale | High |
| Clustered ETS | No | Mixture of small/large-scale | Moderate |

3.6 Notes

The materials of Sect. 3 are mainly taken from Xu (2017) and Xu et al. (2015, 2017a, b, c) with modifications. Sections 3.1, 3.2, 3.3, 3.4 and 3.5 are mainly based on Xu (2017) and Xu et al. (2017b).

4 An Impulsive Framework for Event-Triggered Consensus Analysis: The Clustered Case

Various event-triggered schemes have been proposed to reduce the frequency of network communication and the control updates in the previous section. In this section, we focus on the cluster event-triggered scheme analysis under an impulsive framework. This provides a new perspective to understand and analyze the effect of event-triggered idea on the leader-following consensus. In the impulsive framework, the issue of information exchange can be interpreted equivalently as the problem of impulse response. Hence necessary and sufficient conditions are proposed to guarantee their equivalent relationship. Note that the impulse occurs only when an event is triggered instead of time lapses, which is different from conventional impulsive systems. In the impulsive framework, several kinds of event-triggered consensus protocols are constructed with respect to different types of information transmissions. Firstly, if the agents’ states could be accurately obtained, then a state-based event-triggered protocol is proposed to guarantee leader-following consensus. Secondly, if the external disturbances are taken into consideration for agents’ states, then a modified clustered event-triggered protocol is proposed with state feedback to achieve L∞ leader-following consensus. In this impulsive framework, an alternative method is presented for the analysis of leader-following consensus and the exclusion of Zeno behavior. Finally, some numerical examples and an application of unmanned aerial vehicle helicopters are given to verify our theoretical analysis.

4.1 Event-Triggered Protocol via State Feedback

In this section, we still consider continuous-time multi-agent systems with one leader and N followers. The dynamics of the leader and follower i are defined in (3) and (4), respectively. In this section, we further investigate the clustered event-triggered scheme (clustered ETS) from a new perspective. Under clustered ETS, all followers are grouped into several clusters, and agents in the same cluster share a common event condition. Based on this point, several different clustered event-triggered strategies will be proposed in the following sections, and the effect of these clustered event-triggered schemes will be analyzed from a new perspective.

Firstly, assume that all followers are classified into m clusters according to their properties or practical needs. In this section, our goal is to design an appropriate clustered event-triggered protocol with local states of agents and then discuss the effect of the protocol from a new perspective. Suppose that agent i belongs to cluster c ($c = 1, 2, \cdots, m$) and its event-triggered control protocol $u_i(t)$ is designed as:

$$u_i(t) = K^c \Big[ \sum_{j \in N_i} \big(\hat x_j(t) - \hat x_i(t)\big) - d_i\big(\hat x_i(t) - x_0(t)\big) \Big]. \tag{45}$$

If agent i is able to receive the information of the leader, then $d_i = 1$; otherwise, $d_i = 0$. Here the matrix $K^c$ will be determined subsequently, and

$$\begin{cases} \hat x_i^+(t_k^c) = x_i(t_k^c), & i = 1, 2, \cdots \\ \dot{\hat x}_i(t) = A \hat x_i(t), & t \in (t_k^c, t_{k+1}^c]. \end{cases} \tag{46}$$

Under clustered ETS, agents do not always get access to their neighbors' states, and $\hat x_i(t)$ is used in the design of control input (45) instead of $x_i(t)$. Here $\hat x_i(t)$ is the state estimation of agent i when $t \ne t_k^c$; otherwise, $\hat x_i(t) = x_i(t)$. Note that the information of the leader in Eq. (45) is $x_0$ instead of $\hat x_0$. This is because the leader has no control input. As long as the leader sends its current state to its neighbors at the initial instant t = 0, $x_0(t) = \hat x_0(t)$ holds all the time. From Eqs. (45) and (46), the control inputs in cluster c only receive and update their information at a time sequence $\{t_k^c\}_{k=1}^{\infty}$. Thus the next key problem is to determine a time sequence for each cluster. Define the error function of agent i

$$e_i(t) = \hat x_i(t) - x_i(t). \tag{47}$$

Obviously, $e_i(t)$ is a piecewise continuous function. If agent i belongs to cluster c, $e_i(t)$ is always reset to zero at triggering instant $t_k^c$, i.e., $e_i^+(t_k^c) = 0$, due to $\hat x_i^+(t_k^c) = x_i(t_k^c)$ when $i = 1, 2, \cdots$.

Our aim is to guarantee that all followers track the leader under the clustered event-triggered protocol with state feedback. It should be noted that the event-triggered time sequence is determined by a predefined event condition instead of time lapse. The event condition for cluster c ($c = 1, 2, \cdots, m$) is designed as

$$(e^c)^T e^c \le \alpha_c \Big[ (x^c)^T (L^c \otimes I_n) x^c + (x^c - I_{m_c} \otimes x_0)^T (D^c \otimes I_n)(x^c - I_{m_c} \otimes x_0) \Big] \tag{48}$$

where $x^c = [x_{c_1}^T, \cdots, x_{c_{m_c}}^T]^T$ and $e^c = [e_{c_1}^T, \cdots, e_{c_{m_c}}^T]^T$. Here $\{c_1, c_2, \cdots, c_{m_c}\}$ is the subsequence of $\{1, 2, \cdots, N\}$, $\bigcup_{c=1}^{m} \{c_1, c_2, \cdots, c_{m_c}\} = \{1, \cdots, N\}$ and $\{k_1, k_2, \cdots, k_{m_i}\} \cap \{p_1, p_2, \cdots, p_{m_p}\} = \emptyset$ with $k \ne p \in \{1, 2, \cdots, m\}$. The matrix $D^c$ is a diagonal matrix with the off-diagonal elements being 0 and the diagonal elements being $d_{c_i}$, and $L^c$ is the Laplacian matrix with respect to the subgraph including agents in the cluster c. In addition, $H^c = L^c + D^c$, and obviously, the matrix $H^c$ has $m_c$ eigenvalues (i.e., $\lambda_i^c$, $i = 1, 2, \cdots, m_c$). Here, assume that they can be set in increasing order $0 \le \lambda_1^c \le \lambda_2^c \le \cdots \le \lambda_{m_c}^c$. Thus an event-triggered time sequence for cluster c is obtained as follows:

$$t_{k+1}^c = \inf\big\{ t > t_k^c \mid \text{Eq. (48) is violated} \big\} \tag{49}$$

with $t_0^c = 0$. In addition, two event time instants $t_k^c$ and $t_{k+1}^c$ are generally called adjacent triggering instants. The event condition (48) is designed with the information of members in the same cluster, instead of all followers. Thus members in the same cluster will update their information simultaneously. This kind of event-triggered protocol $u_i(t)$ is called the clustered event-triggered protocol.

4.2 Consensus Analysis Based on Impulsive Control Framework

In this subsection, the effect of the event-triggered scheme for multi-agent systems is considered from a new perspective. Specifically, a new framework based on impulsive systems is proposed to analyze whether our designed clustered event-triggered scheme is sufficient to guarantee the leader-following consensus. Firstly, define $\delta_i(t) = x_i(t) - x_0(t)$ and $\hat\delta_i(t) = \hat x_i(t) - x_0(t)$, and then systems (3) and (4) become

$$\dot\delta_i(t) = A\delta_i(t) + BK^c \Big[ \sum_{j \in N_i} \big(\hat\delta_j(t) - \hat\delta_i(t)\big) - d_i \hat\delta_i(t) \Big] \tag{50}$$

with $\delta(t) = [\delta_1^T(t), \delta_2^T(t), \cdots, \delta_N^T(t)]^T$.

Thus, for cluster c, one has

$$\dot\delta^c(t) = (I_{m_c} \otimes A)\delta^c(t) - (H^c \otimes BK^c)[\delta^c(t) + e^c(t)] \tag{51}$$

with $\delta^c = [\delta_{c_1}^T, \delta_{c_2}^T, \cdots, \delta_{c_{m_c}}^T]^T$ where followers $c_j$ ($j = 1, 2, \cdots, m_c$) are in cluster c. Let us set $\tilde\delta = [\delta^T, e^T]^T$ and $\tilde\delta^c = [(\delta^c)^T, (e^c)^T]^T$, and then one obtains m impulsive systems:

$$\begin{cases}
\dot{\tilde\delta}^c(t) = \begin{bmatrix} I_{m_c} \otimes A - H^c \otimes BK^c & -H^c \otimes BK^c \\ H^c \otimes BK^c & I_{m_c} \otimes A + H^c \otimes BK^c \end{bmatrix} \tilde\delta^c(t), & \text{when } t \ne t_k^c,\ k = 0, 1, 2, \cdots \\[2ex]
\tilde\delta^{c+}(t_k^c) = \begin{bmatrix} I_{m_c} \otimes I_n & 0 \\ 0 & 0_{m_c} \otimes I_n \end{bmatrix} \tilde\delta^c(t_k^c), & \text{when } k = 0, 1, 2, \cdots
\end{cases} \tag{52}$$

with $c = 1, 2, \cdots, m$.

Remark 8. By introducing an impulsive system (52), the effect of event-triggered information transmission on the dynamics of multi-agent systems (3) and (4) can be regarded as the investigation of the impulsive effect on the stability of system (52). Their equivalence relationship will be proved in the following theorem. Moreover, the event condition (48) for cluster c is equivalent to

$$(\tilde\delta^c)^T(t) \begin{bmatrix} -\alpha_c H^c \otimes I_n & 0 \\ 0 & I_{m_c} \otimes I_n \end{bmatrix} \tilde\delta^c(t) \le 0, \tag{53}$$

that is, $(\tilde\delta^c)^T(t) M^c \tilde\delta^c \le 0$ with

$$M^c = \begin{bmatrix} -\alpha_c H^c \otimes I_n & 0 \\ 0 & I_{m_c} \otimes I_n \end{bmatrix}. \tag{54}$$

Assumption 2. The communication graph for each cluster is undirected and connected, and there is at least one follower in each cluster that can directly receive the information of the leader.

Theorem 5. (State feedback case) For systems (3) and (4), suppose that Assumption 2 holds, then all followers can track the leader for any initial value under the clustered event-triggered protocol (45) and the event condition (48) if and only if the origin of impulsive system (52) is globally asymptotically stable under event conditions (53) for impulses occurrence.

Proof. [Necessity] If all followers track the leader finally, then $x_i(t) - x_0(t) \to 0$ as $t \to \infty$, that is, $\delta_i(t) \to 0$. Thus, the control input $u_i(t)$ approaches zero as well. By Eq. (48), one can conclude that $e_i(t) \to 0$. Therefore, the origin of the impulsive system is globally asymptotically stable. [Sufficiency] Obviously, in impulsive system (52), $\delta_i(t) = 0$ as $t \to 0$ under event conditions (53) for impulses. Then the leader-following consensus in systems (3) and (4) can be achieved finally.

Remark 9. In this section, we introduce an impulsive system to analyze the leader-following consensus in multi-agent systems. Thus the key issue is to design an appropriate condition to determine the impulses occurrence which has a positive effect on the consensus objective. Compared with traditional impulsive control based on the lapses of time (Yang et al. 2011; Lu et al. 2010, 2012), our impulses are executed only when external conditions are satisfied, which mitigates the unnecessary waste of impulses.

Theorem 6. Suppose that Assumption 2 holds. Then the impulsive system (52) is globally asymptotically stable under event conditions in (53) if there exist positive numbers $\alpha_c$, $\beta_c$ and positive definite matrices $P_c \in R^{n \times n}$ ($c = 1, 2, \cdots, m$) such that the following inequalities hold:

$$\begin{aligned}
A^T P_c + P_c A - 2\lambda_1^c P_c B B^T P_c + (\alpha_c \lambda_{m_c}^c + \beta_c) I_n &< 0, \\
A^T P_c + P_c A + 2\lambda_{m_c}^c P_c B B^T P_c + \beta_c I_n &< I_n,
\end{aligned} \tag{55}$$

and $K^c = B^T P_c$ ($c = 1, 2, \cdots, m$).

Proof. First build a Lyapunov function candidate $V(t) = \sum_{c=1}^{m} (\delta^c)^T(t)(I_{m_c} \otimes P_c)\delta^c(t) + (e^c)^T(t)(I_{m_c} \otimes P_c)e^c(t)$. When $t \ne t_k^c$, $c = 1, 2, \cdots, m$ and $k = 0, 1, \cdots$, then one has $\dot V(t) = \sum_{c=1}^{m} \big\{ (\delta^c)^T [I_{m_c} \otimes (A^T P_c + P_c A) - H^c \otimes 2P_c B B^T P_c]\delta^c + (e^c)^T [I_{m_c} \otimes (A^T P_c + P_c A) + H^c \otimes 2P_c B B^T P_c]e^c \big\}$. By inequalities in (55), one has $\dot V(t) < -\beta\rho V(t) + \sum_{c=1}^{m} (\tilde\delta^c)^T M^c \tilde\delta^c$ unless $\tilde\delta(t) = 0$ with $\rho = 1/\max\{\lambda_{\max}(P_c) \mid 1 \le c \le m\}$ and $\beta = \min\{\beta_c \mid 1 \le c \le m\}$. When $t = t_k^c$, which means that an event condition for cluster $c_i$ is violated at $t_k^{c_i}$, then its corresponding impulse is triggered immediately. Then

V (δ˜+ (tkci )) =

m [δ c+ (tkci )]T (Imc ⊗ Pc )δ c + (tkci ) + [ec+ (tkci )]T (Imc ⊗ Pc ) c=ci

c=1

ec+ (tkci ) ≤

m

[δ c (tkc )]T (Imc ⊗ Pc )δ c (tkc ) +

c=ci

c=1

(Imc ⊗ Pc )e

c

(tkci )




4p0 p2 , then τ = ln  √ 

Δ

(2 αc p0 +p1 + Δ)(p1 − Δ)

c that τ > 0, which implies that tk+1 − tk c ≥ τ > 0. Therefore, Zeno behavior can be avoided under event-triggered conditions (48) and (53).



4.3 The Case with External Disturbance

In this subsection, we will consider the case where the external disturbance is taken into consideration for the states of all followers. Thus the dynamics of followers is modeled as

$$\dot x_i(t) = A x_i(t) + B u_i(t) + D_s \bar w_i(t), \quad i = 1, 2, \cdots, N \tag{56}$$

where $\bar w_i \in L_\infty[0, \infty)$ is the external disturbance and $D_s$ is a real matrix with compatible dimension. Letting $\zeta_i(t) = x_i(t) - x_0(t)$ and using the event-triggered consensus protocol $u_i(t)$ (refer to Eq. (45)), for each cluster c ($c = 1, 2, \cdots, m$), one has

$$\dot\zeta^c(t) = (I_{m_c} \otimes A)\zeta^c(t) - (H^c \otimes BK_d^c)(\zeta^c(t) + e^c(t)) + (I_{m_c} \otimes D_s)\bar w^c(t), \tag{57}$$

where $\zeta^c(t) = [\zeta_{c_1}^T(t), \zeta_{c_2}^T(t), \cdots, \zeta_{c_{m_c}}^T(t)]^T$, $\zeta(t) = [(\zeta^1)^T(t), (\zeta^2)^T(t), \cdots, (\zeta^m)^T(t)]^T$, $\bar w^c(t) = [\bar w_{c_1}^T(t), \bar w_{c_2}^T(t), \cdots, \bar w_{c_{m_c}}^T(t)]^T$, $\bar w(t) = [(\bar w^1)^T(t), (\bar w^2)^T(t), \cdots, (\bar w^m)^T(t)]^T$, and $e^c(t)$ is defined as Eq. (48) with $\bigcup_{i=1}^{m} \{i_1, i_2, \cdots, i_{m_i}\} = \{1, 2, \cdots, N\}$ and $\{i_1, i_2, \cdots, i_{m_i}\} \cap \{j_1, j_2, \cdots, j_{m_j}\} = \emptyset$. Note that the matrix $K_d^c$ is used in this subsection instead of $K^c$ in Eq. (45). A modified event-triggered condition for cluster c is proposed:

$$(e^c)^T e^c \le \hat\alpha_c \Big[ (x^c)^T (L^c \otimes P_c B B^T P_c) x^c + (x^c - I_{m_c} \otimes x_0)^T (D^c \otimes P_c B B^T P_c)(x^c - I_{m_c} \otimes x_0) \Big] + \varepsilon^c \tag{58}$$

with $\varepsilon^c > 0$. Next, our multi-agent systems (3) and (56) can be rewritten as an impulsive system:

$$\begin{cases}
\dot{\tilde\zeta}^c(t) = \begin{bmatrix} I_{m_c} \otimes A - H^c \otimes BK_d^c & -H^c \otimes BK_d^c \\ H^c \otimes BK_d^c & I_{m_c} \otimes A + H^c \otimes BK_d^c \end{bmatrix} \tilde\zeta^c(t) + \begin{bmatrix} I_{m_c} \otimes D_s \\ -I_{m_c} \otimes D_s \end{bmatrix} \bar w^c(t), & \text{when } t \ne t_k^c,\ k = 0, 1, 2, \cdots \\[2ex]
\tilde\zeta^{c+}(t_k^c) = \begin{bmatrix} I_{m_c} \otimes I_n & 0 \\ 0 & 0_{m_c} \otimes I_n \end{bmatrix} \tilde\zeta^c(t_k^c), & \text{when } k = 0, 1, 2, \cdots
\end{cases} \tag{59}$$

with $c = 1, 2, \cdots, m$, $\tilde\zeta^c(t) = [(\zeta^c)^T(t), (e^c)^T(t)]^T$, and $\tilde\zeta(t) = [\zeta^T(t), e^T(t)]^T$. Correspondingly, we obtain the event condition for impulses:

$$(\tilde\zeta^c)^T(t) \begin{bmatrix} -\hat\alpha_c H^c \otimes I_n & 0 \\ 0 & I_{m_c} \otimes I_n \end{bmatrix} \tilde\zeta^c(t) \le \varepsilon^c. \tag{60}$$

Definition 2. The leader-following $L_\infty$ consensus of multi-agent systems (3) and (56) is said to be achieved by event-triggered protocol (45) if for a given positive definite matrix $P \in \mathbb{R}^{n \times n}$ and scalars $\kappa_i$ ($i = 1, 2, 3$), the following inequality holds

$$\|\zeta(t)\|^2_{L_\infty} < \kappa_1 \|\bar{w}(t)\|^2_{L_\infty} + \kappa_2 \zeta^T(0) P \zeta(0) + \kappa_3. \tag{61}$$

Theorem 8. For systems (3) and (56), suppose that Assumption 2 holds. Then the leader-following $L_\infty$ consensus can be achieved under the event-triggered protocol (45) with the event condition (58) if there exist positive numbers $\hat{\alpha}_c$, $\hat{\beta}_c$ and positive definite matrices $P_c \in \mathbb{R}^{n \times n}$ ($c = 1, 2, \cdots, m$) such that the following inequalities hold:

$$\begin{aligned}
A^T P_c + P_c A - 2\lambda_1^c P_c BB^T P_c + \hat{\beta}_c P_c DD^T P_c + \hat{\alpha}_c \lambda_{m_c}^c I_n + \iota I_n &< 0, \\
A^T P_c + P_c A + 2\lambda_{m_c}^c P_c BB^T P_c + \hat{\beta}_c P_c DD^T P_c + \iota I_n &< I_n,
\end{aligned} \tag{62}$$

and $K_d^c = B^T P_c$ ($c = 1, 2, \cdots, m$). In addition, Zeno behavior can be excluded.

Proof. Build a Lyapunov function candidate:

$$V(\tilde{\zeta}) = \sum_{c=1}^{m} \Big[ \zeta^{cT}(t)(I_{m_c} \otimes P_c)\zeta^c(t) + e^{cT}(t)(I_{m_c} \otimes P_c)e^c(t) \Big]$$

with a positive definite matrix $P_c$. Similarly with the proof of Theorem 6, on one hand, when $t = t_k^c$ ($c = 1, 2, \cdots, m$ and $k = 0, 1, \cdots$),

$$V(\tilde{\zeta}^+(t_k^{c_i})) < V(\tilde{\zeta}(t_k^{c_i})); \tag{63}$$

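on the other hand, when $t \neq t_k^c$, then one has

$$\begin{aligned}
\dot{V}(\tilde{\delta}) \le{} & \sum_{c=1}^{m} \Big\{ \zeta^{cT} \big[ I_{m_c} \otimes (A^T P_c + P_c A) - 2H^c \otimes P_c BB^T P_c + \hat{\beta}_c I_{m_c} \otimes P_c D_s D_s^T P_c + I_{m_c} \otimes I_n \big] \zeta^c \\
& + e^{cT} \big[ I_{m_c} \otimes (A^T P_c + P_c A) + 2H^c \otimes P_c BB^T P_c + \hat{\beta}_c I_{m_c} \otimes P_c D_s D_s^T P_c + I_{m_c} \otimes I_n \big] e^c + \frac{2}{\hat{\beta}_c} \bar{w}^{cT} \bar{w}^c \Big\} - \iota \tilde{\zeta}^T \tilde{\zeta}
\end{aligned} \tag{64}$$

By inequalities in (62), one has

$$\dot{V}(t) \le -\rho V(t) + \frac{2}{\hat{\beta}} \bar{w}^T \bar{w} + \sum_{c=1}^{m} \varepsilon^c$$

with $\rho = \iota / \max\{\lambda_{\max}(P_c) \mid 1 \le c \le m\}$ and $\hat{\beta} = \min\{\hat{\beta}_c \mid 1 \le c \le m\}$. Then we integrate both sides of the above inequality over the infinite horizon and use Eq. (63) repeatedly. Then one has

$$V(t) < V(0)\exp(-\rho t) + \int_{s=0}^{t} \exp(s - t) \cdot \Big( \frac{2}{\hat{\beta}} \bar{w}^T(t) \bar{w}(t) + \sum_{c=1}^{m} \varepsilon^c \Big) ds,$$

i.e.,

$$\bar{\rho}\, \tilde{\zeta}^T(t) \tilde{\zeta}(t) < V(0)\exp(-\rho t) + \frac{2}{\hat{\beta}} \|\bar{w}(t)\|^2_{L_\infty} + \sum_{c=1}^{m} \varepsilon^c,$$

and hence

$$\|\tilde{\zeta}(t)\|^2_{L_\infty} < \bar{\rho} \Big( \frac{2}{\hat{\beta}} \|\bar{w}(t)\|^2_{L_\infty} + \tilde{\zeta}^T(0) P \tilde{\zeta}(0) + \frac{1}{\rho} \sum_{c=1}^{m} \varepsilon^c \Big)$$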

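where $\bar{\rho} = 1 / \min\{\lambda_{\min}(P_c) \mid 1 \le c \le m\}$, $P = \mathrm{diag}(\bar{P}, \bar{P})$, and $\bar{P} = \mathrm{diag}(P_1, P_2, \cdots, P_m)$. Due to $e_i(0) = 0$, one has

2 T ¯ ¯ ζ (t)2L∞ 0 and ζ > 0 such that w ¯ L∞ ≤ w¯ and ζ L∞ ≤ ζ .

Therefore

$$\frac{d}{dt}\big(\|e^c\|\big) \le \|I_{m_c} \otimes A + H^c \otimes BK_d^c\| \, \|e^c\| + \|H^c \otimes BK_d^c\| \, \zeta + \|I_{m_c} \otimes D_s\| \, \bar{w},$$

and one has $\|e^c(t)\| \le \psi^c(t, \psi_0^c)$, which is the solution of the following equation

$$\frac{d\psi^c(t)}{dt} = r_1 \psi^c(t) + r_2; \qquad \psi^c(t, \psi_0^c) = \psi_0^c$$

with $r_1 = \|I_{m_c} \otimes A + H^c \otimes BK_d^c\|$ and $r_2 = \|H^c \otimes BK_d^c\| \, \zeta + \|I_{m_c} \otimes D_s\| \, \bar{w}$. The inter-event time is bounded by the time taking for $\psi^c(t)$ to evolve from 0 to $\sqrt{\varepsilon^c}$, which implies $\psi(\tau^c, 0) = \sqrt{\varepsilon^c}$ and $t_{k+1}^c - t_k^c \ge \tau^c$. In addition, one has

$$\psi^c(t) = \frac{r_2}{r_1}\big[\exp(r_1 t) - 1\big] \quad \text{and} \quad \tau^c = \frac{1}{r_1} \ln\Big( \frac{r_1 \sqrt{\varepsilon^c}}{r_2} + 1 \Big) > 0.$$

To sum up, the inter-event time for agents in cluster $c$ is larger than a positive number $\tau^c$. Therefore, the Zeno behavior is avoided.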
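The inter-event bound at the end of the proof can be checked numerically. The following Python sketch is an added example, not code from the chapter: it evaluates τ^c from the closed form, confirms it against a Runge-Kutta integration of dψ/dt = r1 ψ + r2, and shows that the bound collapses to zero when ε^c = 0. The values of r1, r2 and the horizon are constructed for illustration (ε = 0.05 is the value used in Example 5), and all function names are hypothetical.

```python
import math

def psi(t, r1, r2):
    """Closed-form solution of d(psi)/dt = r1*psi + r2 with psi(0) = 0."""
    return (r2 / r1) * (math.exp(r1 * t) - 1.0)

def tau_lower_bound(r1, r2, eps):
    """tau^c = (1/r1) * ln(r1*sqrt(eps)/r2 + 1): time psi needs to reach sqrt(eps)."""
    if r1 <= 0 or r2 <= 0 or eps < 0:
        raise ValueError("expects r1 > 0, r2 > 0, eps >= 0")
    return math.log(r1 * math.sqrt(eps) / r2 + 1.0) / r1

def first_crossing_time(r1, r2, eps, dt=1e-4):
    """Integrate the comparison ODE with RK4 and return the first time psi >= sqrt(eps)."""
    target = math.sqrt(eps)
    f = lambda p: r1 * p + r2
    t, p = 0.0, 0.0
    while True:
        k1 = f(p)
        k2 = f(p + 0.5 * dt * k1)
        k3 = f(p + 0.5 * dt * k2)
        k4 = f(p + dt * k3)
        p_next = p + dt * (k1 + 2 * k2 + 2 * k3 + k4) / 6.0
        if p_next >= target:
            # linear interpolation inside the last step
            return t + dt * (target - p) / (p_next - p)
        t, p = t + dt, p_next

def max_events(horizon, tau):
    """Events are at least tau apart, so [0, horizon] holds at most floor(horizon/tau) + 1."""
    if tau <= 0:
        return math.inf  # no positive gap guaranteed: Zeno behavior is not excluded
    return math.floor(horizon / tau) + 1

# Constructed sample values (not taken from the chapter, except eps = 0.05).
R1, R2, EPS = 3.0, 2.0, 0.05

if __name__ == "__main__":
    tau = tau_lower_bound(R1, R2, EPS)
    print("tau (closed form)      :", tau)
    print("tau (RK4 integration)  :", first_crossing_time(R1, R2, EPS))
    print("max events on [0, 10]  :", max_events(10.0, tau))
    print("tau with eps = 0       :", tau_lower_bound(R1, R2, 0.0))
```

With ε^c = 0 the logarithm vanishes and no positive inter-event gap follows from this argument, which is why condition (58) requires ε^c > 0.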



4.4 Numerical Examples

In this section, some numerical examples are provided to verify the correctness of our theoretical results.

Example 4. We consider a multi-agent system with one leader and five followers with

$$A = \begin{bmatrix} -1 & 1 & 0 \\ -2 & -3 & 0 \\ 0 & 0 & -1 \end{bmatrix}, \quad B = \begin{bmatrix} 1 \\ 2 \\ 1 \end{bmatrix}. \tag{66}$$

Fig. 9 Communication topology

The communication topology is shown in Fig. 9. We can classify these five followers into two clusters: Cluster 1 and Cluster 2 (see Fig. 9). Firstly we design event-triggered state feedback protocols (45) for these two clusters. According to the discussion in Sect. 4.1, $K^1 = B^T P_1$ and $K^2 = B^T P_2$, and $P_1$ and $P_2$ can be obtained by solving inequalities (55); however, we do not find an appropriate method to solve (55) directly. Then, one finds that if there exist positive definite matrices $P_c \in \mathbb{R}^{n \times n}$ ($c = 1, 2$) such that

$$\begin{aligned}
A^T P_c + P_c A + (\alpha_c \lambda_{m_c}^c + \beta_c) I_n &< 0, \\
A^T P_c + P_c A + 2\lambda_{m_c}^c P_c BB^T P_c + \beta_c I_n &< I_n
\end{aligned} \tag{67}$$

hold, then the matrices $P_c$ are also solutions of (55). Setting $\alpha_1 = \alpha_2 = 0.05$ and $\beta_1 = \beta_2 = 0.01$ and solving (67), we obtain $K^1 = [0.2728, 0.2828, 0.2778]$ and $K^2 = [0.0876, 0.3203, 0.1357]$. From Fig. 10, all followers in Cluster 1 and Cluster 2 can track the leader eventually via event-triggered state feedback protocol (45). In addition, the event conditions for Cluster 1 and Cluster 2 are triggered 11 times and 52 times, respectively, during [0, 6] (see Fig. 11). The average time intervals are 0.5464 s and 0.1156 s. Moreover, Table 3 shows that the number of triggered events decreases as the parameter $\alpha_1$ increases for Cluster 1 or as the parameter $\alpha_2$ increases for Cluster 2.

Example 5. Similar to Example 4, a multi-agent system with one leader and five followers is considered, and the matrices $A$ and $B$ are given by (66). However, the external disturbance is involved in this example with $D_s = [0, 0.5, 0.5]^T$. The communication topology is the same as that in Example 4 (see Fig. 9), and we choose $\hat{\alpha}_1 = 0.1$, $\hat{\alpha}_2 = 0.05$, $\varepsilon^1 = 0.05$, and $\varepsilon^2 = 0.05$.

Fig. 10 The trajectories of a leader and five followers under the event-triggered protocol (45) via the state feedback for the case without disturbance (panels: $x_i^{(1)}(t)$, $x_i^{(2)}(t)$, and $x_i^{(3)}(t)$ versus $t$)

Fig. 11 Event-triggered signals of clusters 1 and 2 under event condition (48) designed with agents' states for the case without disturbance

Table 3 Event time intervals for each cluster via state feedback

| Case | α1 / α2 | Nos of event trigger | Mean time interval |
|---|---|---|---|
| Cluster I | 0.06 | 10 | 0.6010 |
| | 0.05 | 11 | 0.5464 |
| | 0.04 | 12 | 0.5008 |
| | 0.03 | 14 | 0.4292 |
| Cluster II | 0.06 | 51 | 0.1178 |
| | 0.05 | 52 | 0.1156 |
| | 0.04 | 55 | 0.1092 |
| | 0.03 | 58 | 0.1036 |

Here, the disturbance $\omega$ is shown in Fig. 12a. In other words, $\omega$ is randomly generated from the set [0, 1] when $t \in [0, 10]$ and from the set [0, 0.3] when $t \in [15, 25]$, respectively. The following parameters are computed: $\gamma_1 = 7.068$, $\gamma_3 = 1.31$, $\hat{\beta}_1 = 8$, and $\hat{\beta}_2 = 7.41$. Set $x_i(0) = [0, 0, 0]$ with $i = 1, 2, \ldots, 5$, and then the consensus tracking errors between followers and the leader are presented in Fig. 12b, when different disturbances are involved. It is easy to see that the bounds of consensus tracking errors are significantly reduced as the time goes from the time interval [0, 10] to [15, 25]. In addition, during the interval [0, 10], the event conditions of Cluster 1 and Cluster 2 are triggered 57 and 98 times, respectively, while they are triggered 35 and 55 times in [15, 25] (see Fig. 12c–d).

Fig. 12 (a) The disturbance $\omega$; (b) the corresponding state errors $x_i - x_0$ between followers and the leader; (c) the event-triggered signals during the time interval [0, 10]; (d) the event-triggered signals during the time interval [15, 25]

Example 6. Application to UAV helicopters

Unmanned aerial vehicles (UAVs) are autonomous flying vehicles equipped with sensing devices and possibly weapons. They are generally used to manipulate physical objects or to operate some kind of equipment remotely. Here, consider the movement of a group of UAVs involving one leader and four followers. The leader is commanded to fly on some predefined trajectories, and each follower is controlled by using the measurement of the relative position and ground speed through a wireless modem (Yun et al. 2008). For illustration purposes, the movement of five coupled UAVs is considered. By reserving the monomials and linearizing method, the dynamic model of coupled UAVs is proposed as follows (Chen et al. 2015; Mao et al. 2007):

$$\begin{cases}
\dot{p}_l = -p_l + 0.2132 v_l \\
\dot{v}_l = -0.5 v_l \\
\dot{p}_{f_i} = -p_{f_i} + 0.2132 v_{f_i} + s_{pi} u_{pf_i} \\
\dot{v}_{f_i} = -0.5 v_{f_i} + s_{vi} u_{vf_i}
\end{cases} \tag{68}$$

where $p_l$ and $p_{f_i}$ ($i = 1, 2, 3, 4$) are the positions of the UAV-leader and UAV-followers, and $v_l$ and $v_{f_i}$ ($i = 1, 2, 3, 4$) are the ground speeds. Here, in the wireless networks, UAV-followers 1 and 2 can share information with each other, and UAV-followers 3 and 4 can share information with each other. Only UAV-followers 1 and 3 can obtain the position and ground speed of the UAV-leader. Thus, we denote UAV-followers 1 and 2 as Cluster 1, and UAV-followers 3 and 4 as Cluster 2. For illustration purposes, let $x_0 = [p_l, v_l]^T$, $x_i = [p_{f_i}, v_{f_i}]^T$, and $u_i = [u_{pf_i}, u_{vf_i}]^T$, and hence the model (68) is rewritten into

$$\begin{cases}
\dot{x}_0 = A_0 x_0 \\
\dot{x}_i = A_i x_i + u_i
\end{cases} \tag{69}$$

with

$$A_0 = A_i = \begin{bmatrix} -1 & 0.2132 \\ 0 & -0.5 \end{bmatrix}. \tag{70}$$

Fig. 13 The trajectories of five UAV helicopters under the event-triggered protocol (45) via state feedback without disturbance (left) and the corresponding event-triggered signals of clusters 1 and 2 under the event condition (48) designed with state feedback (right)

To reduce the unnecessary transmissions, an event-triggered scheme is proposed to determine the transmission instants. Hence, the event-triggered controllers are designed as $u_1 = (\hat{x}_2 - \hat{x}_1) + (\hat{x}_0 - \hat{x}_1)$, $u_2 = \hat{x}_1 - \hat{x}_2$, $u_3 = (\hat{x}_4 - \hat{x}_3) + (\hat{x}_0 - \hat{x}_3)$, and $u_4 = \hat{x}_3 - \hat{x}_4$, where $\hat{x}_i$ ($i = 0, 1, \cdots, 4$) are defined as in (3). The parameters $s_{pi}$ and $s_{vi}$ are chosen as 0.3153 and 0.4759, respectively, for $i = 1, 2, 3, 4$. The event condition is designed as (48) with $\alpha_1 = 0.01$ and $\alpha_2 = 0.02$. Fig. 13 then shows that all followers can track the leader eventually. In addition, the number of triggering instants is 27 for Cluster 1 and 15 for Cluster 2 during [0, 10], which implies that the transmissions between UAV helicopters are significantly reduced as compared with the case without an event-triggered scheme.

4.5 Summary

This section has proposed an impulsive framework to describe the effect of event-triggered information transmission in multi-agent systems. Under this framework, the issue of the event condition on exchanging information is transformed into the problem of determining the event condition of the impulse needed. Then we have investigated two cases and designed different event-triggered protocols. Firstly, if the agent states are available, a state feedback event-triggered protocol has been proposed to effectively guarantee leader-following consensus and avoid Zeno behavior. In addition, when the external disturbance is taken into consideration for the followers' states, a modified event-triggered protocol with agents' states is effective to achieve $L_\infty$ leader-following consensus. At last, some numerical examples and an application to unmanned aerial vehicle helicopters have verified the proposed theoretical results.

4.6 Notes

The materials of Sect. 4 are mainly taken from Xu (2017) and Xu and Ho (2016) with modifications. Sections 4.1, 4.2, 4.3, 4.4, and 4.5 are mainly based on Xu (2017), Xu and Ho (2016), and Xu et al. (2016).

Acknowledgments This work was supported in part by the Research Grants Council of the Hong Kong Special Administrative Region (CityU 11200717) and a CityU grant (7005029), in part by the Natural Science Foundation of Jiangsu Province under Grant BK20180367, the National Natural Science Foundation of China under Grant 61803082 and the Fundamental Research Funds for the Central Universities, and in part by the Alexander von Humboldt Foundation of Germany. This work was also supported by ZhiShan Youth Scholar Program from Southeast University.

References

S. Boccaletti, G. Bianconi, R. Criado, C.I. Del Genio, J. Gómez-Gardeñes, M. Romance, I. Sendina-Nadal, Z. Wang, M. Zanin, The structure and dynamics of multilayer networks. Phys. Rep. 544(1), 1–122 (2014)
M. Cao, F. Xiao, L. Wang, Consensus in networks of multiple double-integrators based on edge-event driven sampled-data control, in Proceedings of the 32nd Chinese Control Conference, Xi'an, July 2013 (IEEE, 2013), pp. 6970–6975
S. Chen, D.W.C. Ho, C. Huang, Fault reconstruction and state estimator design for distributed sensor networks in multitarget tracking. IEEE Trans. Ind. Electron. 62(11), 7091–7102 (2015)
D.V. Dimarogonas, E. Frazzoli, K.H. Johansson, Distributed event-triggered control for multiagent systems. IEEE Trans. Autom. Control 57(5), 1291–1297 (2012)
G. Dudek, M.R.M. Jenkin, E. Milios, D. Wilkes, A taxonomy for multi-agent robotics. Auton. Robots 3(4), 375–397 (1996)
H.W. Eves, Elementary Matrix Theory (Courier Corporation, 1966)
Y. Fan, G. Feng, Y. Wang, C. Song, Distributed event-triggered control of multi-agent systems with combinational measurements. Automatica 49(2), 671–675 (2013)
Y. Fan, L. Liu, G. Feng, Self-triggered consensus for multi-agent systems with Zeno-free triggers. IEEE Trans. Autom. Control 60(10), 2779–2784 (2015)
Y. Gao, L. Wang, Sampled-data based consensus of continuous-time multi-agent systems with time-varying topology. IEEE Trans. Autom. Control 56(5), 1226–1231 (2011)
E. Garcia, Y. Cao, D.W. Casbeer, Decentralized event-triggered consensus with general linear dynamics. Automatica 50(10), 2633–2640 (2014)
Y. Hong, L. Gao, D. Cheng, J. Hu, Lyapunov-based approach to multiagent systems with switching jointly connected interconnection. IEEE Trans. Autom. Control 52(5), 943–948 (2007)
R.A. Horn, C.R. Johnson, Matrix Analysis (Cambridge University Press, Cambridge/New York, 2012)
W. Hu, L. Liu, Cooperative output regulation of heterogeneous linear multi-agent systems by event-triggered control. IEEE Trans. Cybern. 1(47), 105–116 (2017)
W. Hu, L. Liu, G. Feng, Consensus of linear multi-agent systems by distributed event-triggered strategy. IEEE Trans. Cybern. 46(1), 148–157 (2016)
M. Lemmon, Event-Triggered Feedback in Control, Estimation and Optimization. Networked Control Systems (Springer, London, 2010), pp. 293–358
L. Li, D.W.C. Ho, S. Xu, A distributed event-triggered scheme for discrete-time multi-agent consensus with communication delays. IET Control Theory Appl. 8(10), 830–837 (2014)
J. Lu, D.W.C. Ho, J. Cao, A unified synchronization criterion for impulsive dynamical networks. Automatica 46(7), 1215–1221 (2010)
J. Lu, J. Kurths, J. Cao, N. Mahdavi, C. Huang, Synchronization control for nonlinear stochastic dynamical networks: pinning impulsive strategy. IEEE Trans. Neural. Netw. Learn. Syst. 23(2), 285–292 (2012)
W. Lu, Y. Han, T. Chen, Synchronization in networks of linearly coupled dynamical systems via event-triggered diffusions. IEEE Trans. Neural. Netw. Learn. Syst. 26(12), 3060–3069 (2015)
G. Mao, S. Drake, B.D.O. Anderson, Design of an extended Kalman filter for UAV localization, in Information, Decision and Control, Adelaide, June 2007 (IEEE, 2007), pp. 224–229
X. Meng, T. Chen, Event based agreement protocols for multi-agent networks. Automatica 49(7), 2125–2132 (2013)
W. Ni, D. Cheng, Leader-following consensus of multi-agent systems under fixed and switching topologies. Syst. Control Lett. 59(3), 209–217 (2010)
Q. Song, F. Liu, J. Cao, W. Yu, M-matrix strategies for pinning-controlled leader-following consensus in multiagent systems with nonlinear dynamics. IEEE Trans. Cybern. 43(6), 2168–2267 (2013)
H. Su, M.Z.Q. Chen, J. Lam, Z. Lin, Semi-global leader-following consensus of linear multi-agent systems with input saturation via low gain feedback. IEEE Trans. Circuits Syst. I: Regul. Pap. 60(7), 1881–1889 (2013)
P. Tabuada, Event-triggered real-time scheduling of stabilizing control tasks. IEEE Trans. Autom. Control 52(9), 1680–1685 (2007)
X. Wang, M.D. Lemmon, Event-triggering in distributed networked control systems. IEEE Trans. Autom. Control 56(3), 586–601 (2011)
B. Wang, X. Meng, T. Chen, Event based pulse-modulated control of linear stochastic systems. IEEE Trans. Autom. Control 56(3), 586–601 (2014)
G. Wen, Z. Duan, W. Yu, G. Chen, Consensus in multi-agent systems with communication constraints. Int. J. Robust Nonlinear Control 22(2), 170–182 (2012)
F. Xiao, X. Meng, T. Chen, Average sampled-data consensus driven by edge events, in Proceedings of the 31st Chinese Control Conference, Hefei, July 2012 (IEEE, 2012), pp. 6239–6244
W. Xu, Event-triggered consensus schemes of multi-agent systems. Ph.D. thesis, Department of Mathematics, City University of Hong Kong, Hong Kong (2017)
W. Xu, D.W.C. Ho, Clustered event-triggered consensus analysis: an impulsive framework. IEEE Trans. Ind. Electron. 63(11), 7133–7143 (2016)
W. Xu, J. Cao, W. Yu, J. Lu, Leader-following consensus of non-linear multi-agent systems with jointly connected topology. IET Control Theory Appl. 8(6), 432–440 (2014)
W. Xu, D.W.C. Ho, L. Li, J. Cao, Leader-following consensus of general linear multi-agent systems: event-triggered schemes, in 10th Asian Control Conference, Kota Kinabalu, Malaysia, June 2015 (IEEE, 2015), pp. 1–6
W. Xu, D.W.C. Ho, J. Zhong, J. Lu, L. Li, An impulsive framework for consensus learning via event-triggered scheme, in 2016 IEEE International Conference on Industrial Technology, Taipei, Mar 2016 (IEEE, 2016), pp. 1366–1371
W. Xu, G. Chen, D.W.C. Ho, A layered event-triggered consensus scheme. IEEE Trans. Cybern. 47(8), 2334–2340 (2017a)
W. Xu, D.W.C. Ho, L. Li, J. Cao, Event-triggered schemes on leader-following consensus of general linear multiagent systems under different topologies. IEEE Trans. Cybern. 47(1), 212–223 (2017b)
W. Xu, Z. Wang, D.W.C. Ho, Finite-horizon H∞ consensus for multiagent systems with redundant channels via an observer-type event-triggered scheme. IEEE Trans. Cybern. (2017c). https://doi.org/10.1109/TCYB.2017.2707590
X. Yang, J. Cao, J. Lu, Synchronization of delayed complex dynamical networks with impulsive and stochastic effects. Nonlinear Anal. Real World Appl. 12(4), 2252–2266 (2011)
S. Yang, Z. Guo, J. Wang, Robust synchronization of multiple memristive neural networks with uncertain parameters via nonlinear coupling. IEEE Trans. Syst. Man Cybern. Syst. 45(7), 1077–1086 (2015)
S. Yang, Q. Liu, J. Wang, A multi-agent system with a proportional-integral protocol for distributed constrained optimization. IEEE Trans. Autom. Control (2016). https://doi.org/10.1109/TAC.2016.2610945
H. Yu, P.J. Antsaklis, Event-triggered output feedback control for networked control systems using passivity: achieving L2 stability in the presence of communication delays and signal quantization. Automatica 49(1), 30–38 (2013)
W. Yu, G. Chen, M. Cao, Some necessary and sufficient conditions for second-order consensus in multi-agent dynamical systems. Automatica 46(6), 1089–1095 (2010)
W. Yu, W.X. Zheng, G. Chen, W. Ren, J. Cao, Second-order consensus in multi-agent dynamical systems with sampled position data. Automatica 47(7), 1496–1503 (2011)
B. Yun, B.M. Chen, K.Y. Lum, T.H. Lee, A leader-follower formation flight control scheme for UAV helicopters, in Proceedings of the IEEE International Conference on Automation and Logistics, Qingdao, Sept 2008 (IEEE, 2008), pp. 39–44
W. Zhu, Z.-P. Jiang, Event-based leader-following consensus of multi-agent systems with input time delay. IEEE Trans. Autom. Control 60(5), 1362–1367 (2015)
W. Zhu, Z.-P. Jiang, G. Feng, Event-based consensus of multi-agent systems with general linear models. Automatica 50(2), 552–558 (2014)

46 Ultra-fast Formation Control of High-Order, Discrete-Time Multi-Agent Systems Based on Multistep Predictive Mechanism

Wenle Zhang, Jianchang Liu, and Honghai Wang

Contents
1 Introduction
2 Preliminaries on Graph Theory and Problem Formulation
2.1 Preliminaries on Graph Theory
2.2 Problem Formulation
3 Main Results
3.1 Analysis on Ultra-fast Formation Control
3.2 Designs of Control Gain and Coupling Gain
4 Simulation Examples
4.1 Example 1
4.2 Example 2
5 Conclusions
References

Abstract

This chapter presents a distributed control protocol with predictive information to solve the ultra-fast formation control problem of high-order, discrete-time multi-agent systems. Firstly, based on the local neighbor-error information, a multistep regulation-error predictive algorithm is established. By predicting the dynamics of a network several steps ahead and adding the predictive information into the control strategy, a novel ultra-fast formation control protocol with self-feedback term is proposed. Compared with the routine formation control protocol, the asymptotic convergence factor, which determines the convergence speed, is improved by a power of q + 1. It is not difficult to see that the bigger the value for q is, the faster the convergence speed is. Secondly, some sufficient conditions for ultra-fast controller design are given herein, and they decouple the design of the synchronizing gains from the detailed graph properties, and explicitly reveal how the agent dynamic and the communication graph jointly affect ultra-fast formationability of high-order, discrete-time multi-agent systems. Finally, some simulations are worked out to illustrate the effectiveness of our theoretical results.

Keywords

Multi-agent system · Ultra-fast formation control · Predictive algorithm · Distributed control · Asymptotic convergence factor

W. Zhang · J. Liu · H. Wang
College of Information Science and Engineering, Northeastern University, Shenyang, P. R. China
State Key Laboratory of Synthetical Automation for Process Industries, Northeastern University, Shenyang, P. R. China
© Springer Nature Singapore Pte Ltd. 2022
Y.-C. Tian, D. C. Levy (eds.), Handbook of Real-Time Computing, https://doi.org/10.1007/978-981-287-251-7_36

1 Introduction

Multi-agent systems usually consist of a group of agents cooperating to complete certain tasks for the group, and their coordination control has generated considerable research interest (Meng et al. 2014). In this chapter, we study the formation control problem for a group of agents, which has attracted much attention for its potential applications, such as satellite attitude control, unmanned aircraft formation flying and sampling, distributed sensor networks, and automated highway systems (AHS) (Yongfang and Zhiyong 2012). Compared with traditional monolithic systems, formation control reduces the system cost, breaches the size constraints, and prolongs the life span of the systems (Kristiansen and Nicklasson 2009). Furthermore, the robustness and flexibility are enhanced. In Meng and Jia (2014) and Meng et al. (2014), the authors deal with formation control problems for multi-agent systems by using iterative learning control design approaches. Dong et al. (2013) formulate and study the distributed formation problem of multi-agent systems, and a formation controller is designed in a general form on the basis of artificial potential functions. A novel formation control strategy based on interagent distances for single-integrator modeled agents in the plane is proposed in Oh and Ahn (2011). Mastellone et al. (2011) study the problem of formation control and trajectory tracking for a group of robotic systems modeled by Lagrangian dynamics. In conclusion, most of the existing work on formation control has focused only on how to design asymptotic control laws to stabilize the desired relative equilibrium, without considering the convergence speed toward formationability.

However, in many practical applications, formation control algorithms that obtain the formation faster or in finite time are more desirable, especially when multi-maneuver is needed and a high precision control is required. In other words, the convergence rate or speed is an important index to test the performance of different kinds of formation control protocols. The very few articles that solve the formation control problem in finite time (Chen and Guangming 2013; Feng et al. 2011; Hu and Zhang 2014) consider agents that are modeled by single or double integrators. However, in some applications, agents of higher dynamical order are required if formationability of more than two variables is aimed at. Obviously, it is a very strict model constraint. Therefore, the topic of this chapter is designing a new formation control protocol to solve the ultra-fast formationability problem for high-order, discrete-time multi-agent systems. It is worth noting that ultra-fast formationability means that the control protocols can drive all agents close to the desired formation incredibly fast.

Most previous works on the formation control for multi-agent systems have been based on the implicit assumption that the available information at the next discrete time step is solely determined by the current information. However, in natural biogroups, individuals typically have some higher-level intelligence, namely predictive intelligence, which is the ability of predicting the future information of some group members based on their past and current information (Zhang et al. 2008, 2011). Motivated by the above analysis, using the local neighbor-error knowledge, a multistep regulation-error predictive mechanism is established based on the future evolution of the network dynamic without predictive information. By predicting the dynamics of a network several steps ahead and adding this information into the control strategy, a novel ultra-fast formation control protocol with self-feedback term is proposed. The ultra-fast formation control protocol consists of three parts: actual neighbor-error, desired neighbor-error, and self-feedback term. It can reduce the gap between the actual neighbor-error and desired neighbor-error incredibly fast. By comparing it with the routine formation control protocol, it is shown that drastic improvements can be achieved in terms of the speed of convergence toward formationability. Specifically, the asymptotic convergence factor is improved by the power of q + 1 compared to the routine formation control protocol. The bigger the value for q is, the faster the convergence speed is. To some extent, the ultra-fast formation control algorithm overcomes the influence of communication topology on the convergence speed. Furthermore, some sufficient conditions for ultra-fast formationability design are given herein, and they decouple the design of the synchronizing gains from the detailed graph properties, and explicitly reveal how the agent dynamic and the communication graph jointly affect ultra-fast formationability of high-order, discrete-time multi-agent systems. Finally, some simulations are worked out to illustrate the effectiveness of our theoretical results.

The remainder of this chapter is organized as follows: The preliminaries and problem formulation are introduced in Sect. 2. The main theoretical results are proposed in Sect. 3. Three simulation examples are provided in Sect. 4. Some concluding remarks are drawn in Sect. 5.

Notation 1 Let $\mathbb{Z}$, $\mathbb{R}^+$, $\mathbb{R}$, $\mathbb{C}$, $\mathbb{R}^{m \times n}$ and $\mathbb{C}^{m \times n}$ be the sets of integers, positive real numbers, real numbers, complex numbers, real matrices and complex matrices, respectively. $\mathrm{Re}(C)$, $\mathrm{Im}(C)$, and $|C|$ denote real part, imaginary part and size of complex number $C$, respectively. Given a matrix $A$, $\mathrm{Re}(A)$ and $\rho(A)$ are the real part and spectral radius of its eigenvalue, respectively. The transpose (or conjugate transpose) of matrix $A$ is denoted by $A^T$ (or $A^H$). The inverse and Moore-Penrose inverse of matrix $A$ are denoted by $A^{-1}$ and $A^+$, respectively. The product of $n$ copies of matrix $A$ is denoted by $A^n$. $I_n$ is the identity matrix with dimension $n \times n$. $1_n$ and $0_n$ denote the $n \times 1$ column vectors whose elements are all ones and all zeros. $\|\cdot\|$ represents the standard 2 norm on vectors or their induced norms on matrices. $\mathrm{Diag}(A_1, \ldots, A_N)$ is a block diagonal matrix with main diagonal block matrix $A_j$ and zero off-diagonal block matrices. The Kronecker product of matrices $A \in \mathbb{R}^{m \times n}$ and $B \in \mathbb{R}^{p \times q}$ is denoted by $A \otimes B$, and it satisfies the following properties: (a) $(A \otimes B)(C \otimes D) = (AC) \otimes (BD)$; (b) $(A \otimes B)^T = A^T \otimes B^T$; (c) $A \otimes B + A \otimes C = A \otimes (B + C)$.

2 Preliminaries on Graph Theory and Problem Formulation

2.1 Preliminaries on Graph Theory

A directed communication network $\mathcal{G} = (\mathcal{V}, \mathcal{E}, \mathcal{A})$ consists of three parts, i.e., a node set $\mathcal{V}$, a directed edge set $\mathcal{E} \subseteq \mathcal{V} \times \mathcal{V}$, and an adjacency matrix $\mathcal{A} = [\alpha_{ij}] \in \mathbb{R}^{N \times N}$ with nonnegative weights. Denote a directed edge by $e_{ij} = (j, i)$, and it indicates a directed link from node $j$ to node $i$. Then, $\alpha_{ij} > 0$ when $e_{ij} \in \mathcal{E}$, and $\alpha_{ij} = 0$ otherwise. Furthermore, it is assumed that there are no self-loops, i.e., $\alpha_{ii} = 0$, $\forall i \in \mathcal{V}$. Denote the set of neighbors of node $i$ by $N_i = \{j \in \mathcal{V} \mid (j, i) \in \mathcal{E}\}$, and the in-degree matrix can be written as $\mathcal{D} = \mathrm{diag}(d_1, \ldots, d_N)$ with $d_i = \sum_{j \in N_i} \alpha_{ij}$. Define $\mathcal{L} = \mathcal{D} - \mathcal{A}$ as the graph Laplacian matrix. A directed path from node $v_{i_1}$ to node $v_{i_k}$ is a sequence of edges $(v_{i_1}, v_{i_2}), (v_{i_2}, v_{i_3}), \ldots, (v_{i_{k-1}}, v_{i_k})$, with $(v_{i_{j-1}}, v_{i_j}) \in \mathcal{E}$ for $j = 2, \ldots, k$, and the graph is said to contain a directed spanning tree if there exists a vertex such that every other vertex in $\mathcal{V}$ can be connected by a directed path starting from it. Note that for an undirected graph $\mathcal{G}$, $\mathcal{L}$ is a symmetric matrix.

Lemma 1 (Royle and Godsil 2001) All the eigenvalues of $\mathcal{L}$ have nonnegative real parts. Zero is an eigenvalue of $\mathcal{L}$, with $1_N$ as the corresponding right eigenvector.

Lemma 2 (Lin et al. 2005) Zero is a simple eigenvalue of $\mathcal{L}$ if, and only if, graph $\mathcal{G}$ has a spanning tree.
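The definitions and the two lemmas above can be exercised on small graphs. The following Python sketch is an added example, not code from the chapter: it builds the Laplacian from weighted edges (j, i), checks the zero row sums and the Gershgorin discs behind Lemma 1, and compares the kernel dimension N − rank(L), which for a graph Laplacian equals the multiplicity of the zero eigenvalue, with a reachability test for a directed spanning tree (Lemma 2). The three sample graphs and all function names are constructed for illustration.

```python
from collections import deque
from fractions import Fraction

def laplacian(n, edges):
    """Build L = D - A; each edge (j, i, w) is a link from node j to node i with alpha_ij = w."""
    A = [[Fraction(0)] * n for _ in range(n)]
    for j, i, w in edges:
        if i == j:
            raise ValueError("self-loops are excluded (alpha_ii = 0)")
        if w <= 0:
            raise ValueError("edge weights must be positive")
        A[i][j] = Fraction(w)
    L = [[-A[i][j] for j in range(n)] for i in range(n)]
    for i in range(n):
        L[i][i] = sum(A[i])  # in-degree d_i = sum over j of alpha_ij
    return L

def rank(M):
    """Exact rank by Gaussian elimination over the rationals."""
    M = [row[:] for row in M]
    r = 0
    for c in range(len(M[0])):
        pivot = next((k for k in range(r, len(M)) if M[k][c] != 0), None)
        if pivot is None:
            continue
        M[r], M[pivot] = M[pivot], M[r]
        for k in range(r + 1, len(M)):
            factor = M[k][c] / M[r][c]
            if factor:
                M[k] = [a - factor * b for a, b in zip(M[k], M[r])]
        r += 1
        if r == len(M):
            break
    return r

def has_spanning_tree(n, edges):
    """True if some vertex reaches every other vertex along directed edges j -> i."""
    out = {v: [] for v in range(n)}
    for j, i, _ in edges:
        out[j].append(i)
    for root in range(n):
        seen, queue = {root}, deque([root])
        while queue:
            v = queue.popleft()
            for nxt in out[v]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        if len(seen) == n:
            return True
    return False

def laplacian_report(n, edges):
    L = laplacian(n, edges)
    # Gershgorin: disc i has centre d_i and radius d_i, so it lies in Re(z) >= 0 (Lemma 1).
    discs_ok = all(
        L[i][i] - sum(abs(x) for j, x in enumerate(row) if j != i) >= 0
        for i, row in enumerate(L)
    )
    return {
        "ones_in_kernel": all(sum(row) == 0 for row in L),  # L * 1_N = 0
        "gershgorin_right_half_plane": discs_ok,
        "kernel_dim": n - rank(L),
        "spanning_tree": has_spanning_tree(n, edges),
    }

# Constructed sample graphs (0-indexed nodes), not taken from the chapter.
CHAIN_WITH_FEEDBACK = [(0, 1, 1.0), (1, 2, 2.0), (2, 3, 1.0), (3, 1, 0.5)]
TWO_PAIRS = [(0, 1, 1), (1, 0, 1), (2, 3, 1), (3, 2, 1)]
TWO_ROOTS = [(0, 2, 1), (1, 2, 1)]

if __name__ == "__main__":
    for name, n, edges in [("chain with feedback", 4, CHAIN_WITH_FEEDBACK),
                           ("two disconnected pairs", 4, TWO_PAIRS),
                           ("two roots", 3, TWO_ROOTS)]:
        print(name, laplacian_report(n, edges))
```

The "two roots" graph is weakly connected yet has no directed spanning tree, and its Laplacian kernel is two-dimensional, which is the directed-graph case that Lemma 2 rules out.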

2.2 Problem Formulation

In this chapter, we study the ultra-fast formation control problem for high-order, discrete-time multi-agent systems. The system to be considered consists of $N$ autonomous agents, and agent $i$ is assumed to have the following dynamics

$$x_i(k+1) = A x_i(k) + B u_i(k), \quad \forall i \in \mathcal{V},\ k = 0, 1, \ldots \tag{1}$$

where $x_i(k) \in \mathbb{R}^{n \times 1}$ and $u_i(k) \in \mathbb{R}^{m \times 1}$ respectively represent the state and control input of agent $i$. $A \in \mathbb{R}^{n \times n}$ and $B \in \mathbb{R}^{n \times m}$ are the state and input matrices, respectively. A desired formation vector $F = [F_1^T, F_2^T, \ldots, F_N^T]^T$, $F_i \in \mathbb{R}^{n \times 1}$, is given. It is well known that the formationability can be achieved if and only if

$$\lim_{k \to \infty} \big\| [x_i(k) - F_i] - [x_j(k) - F_j] \big\| = 0, \quad \forall i, j \in \mathcal{V} \tag{2}$$

Denote the coupling gain and control gain by $c \in R^+$ and $K \in R^{m \times n}$, respectively. By predicting the dynamics of the network several steps ahead and adding this information to the control strategy, a novel ultra-fast formation control protocol with a self-feedback term is proposed as follows: ui (k) = cK

q    εˆ i (k + h) − fi + i (k)

(3)

h=0

Protocol (3) consists of three parts:

Part 1: actual neighbor-error (including the predictive neighbor-error)

$$\hat{\varepsilon}_i(k+h) = \sum_{j \in N_i} \alpha_{ij} \left[ \hat{x}_j(k+h) - \hat{x}_i(k+h) \right] \tag{4}$$

Part 2: desired neighbor-error

$$f_i = \sum_{j \in N_i} \alpha_{ij} \left( F_j - F_i \right) \tag{5}$$

Part 3: self-feedback information (conclude predictive information) i (k) = K



q 

xˆi (k + h)

(6)

h=1



where K is the self-feedback gain, which satisfies $BK = A - I_n$. To guarantee that a value for K exists, we assume that $\mathrm{Rank}(B) = \mathrm{Rank}(B, A - I_n)$. The self-feedback gain can then be obtained by solving the above linear matrix equation. Next, we give an important assumption:

Assumption 1 The global topology and desired formation, i.e., matrices L and F, are known for each agent.

Here $i = 1, \ldots, N$, and $\varepsilon_i(k) = \sum_{j \in N_i} \alpha_{ij} [x_j(k) - x_i(k)]$ is called the actual neighbor-error; it is the available information for each agent.

W. Zhang et al.

Differing from other works, in this chapter agent i considers the self-feedback information $x_i(k)$, which makes it possible to achieve ultra-fast formation control. In addition, the corresponding predictive mechanism is constructed on the basis of the future evolution of the network dynamics without predictive information. Specifically, if q = 0 in protocol (3), then one has

$$u_i(k) = cK\xi_i(k) \tag{7}$$

where $\xi_i(k)$ is the regulation-error, i.e., $\xi_i(k) = \varepsilon_i(k) - f_i$. Inserting Eq. (7) into Eq. (1), the dynamic equation of $x_i(k)$ can be written as

$$x_i(k+1) = A x_i(k) + cBK\xi_i(k) \tag{8}$$

Therefore, one can obtain

$$\varepsilon_i(k+1) = A\varepsilon_i(k) + cBK \sum_{j \in N_i} \alpha_{ij} \left[ \xi_j(k) - \xi_i(k) \right] \tag{9}$$

   T T T (k) T ,ξ(k) = Let ε(k) = ε1T (k), . . . , εN ξ1 (k), . . . , ξNT (k) ,and f = T  T f1 , . . . , fNT . Considering the fact ε(k) = ξ (k) + f, it is possible to rewrite Eq. (9) in compact form as ξ (k + 1) = ξ(k) + ∗ f

(10)

where  = IN ⊗ A − cL ⊗ (BK) and ∗ = IN ⊗ A − INn . Thus, the corresponding predictive mechanism can be obtained as follows: ξˆ (k + h) = ξˆ (k + h − 1) + ∗ f

(11)

 T and h = 1, . . . , q. It is where ξˆ (k + h) = ξˆ1T (k + h) , . . . , ξˆNT (k + h) easily seen that protocol (3) can be implemented in a distributed manner if the corresponding predictive mechanism satisfies the distributed nature. In order to elaborate the idea of the distributed implementation for protocol (3), define Ej = T  T ejT(p−1)+1 , ejT(p−1)+2 , . . . , ejp and ej = [0, . . . ,0,1jth , 0, . . . , 0]. One has ⎧ M−1  ⎪ ⎪ ⎪ ξi (k) = Ei ξ(k) = Ei M ξ (k − M) + Ei l ∗ f ⎪ ⎪ ⎪ l=0 ⎪ ⎨ M−2  ξi (k − 1) = Ei ξ (k − 1) = Ei M−1 ξ (k − M) + Ei l ∗ f ⎪ ⎪ l=0 ⎪ ⎪ ⎪ : : : ⎪ ⎪ ⎩ ξi (k − M + 1) = Ei ξ (k − M + 1) = Ei ξ (k − M) + Ei ∗ f

(12)


 T T (k), . . . , zT (k) Similar to Zhang and Liu (2014a), denote Zi (k) = z1,i M,i as the M-length historical regulation-error sequence for the ith individual with zl, i (k) = ξ i (k + 1 − l), (l = 1, . . . , M). Then, the above equations can be rewritten as Zi (k) − i = i ξ (k − M) where i =

 M−1 l=0

Ei l ∗ f

T

, . . . , (Ei ∗ f )T

(13)

T and i = [(Ei M )T , . . . ,

(Ei )T ]T . It is worth noting that matrix i ∈ RnN × nM . Obviously, as long as local information sequence is sufficiently long, matrix i must be column full rank. In other words, there must exist a Moore-Penrose inverse + i of matrix i such that ξ (k − M) = + i [Zi (k) − i ]

(14)

Then, the regulation-error of an arbitrary agent i can be predicted one step ahead by ξi (k + 1) = Ei ξ (k + 1) = Ei M+1 ξ (k − M) + = Bi,i Zi (k) + known(F ) where Bi,i = Ei M+1 + i ,and known(F ) = Eq. (15) and Assumption 1, one can obtain

M

l=0 Ei 

M 

Ei l ∗ f

l=0

l ∗ f

(15)

− Bi,i i . Consider

$$\begin{cases}
\hat{\xi}_i(k+1) = B_{i,i} Z_i(k) + \mathrm{known}(F) = B_{i,i} \left[ \xi_i^T(k), \ldots, \xi_i^T(k-M+1) \right]^T + \mathrm{known}(F) \\
\hat{\xi}_i(k+2) = B_{i,i} Z_i(k+1) + \mathrm{known}(F) = B_{i,i} \left[ \hat{\xi}_i^T(k+1), \ldots, \xi_i^T(k-M+2) \right]^T + \mathrm{known}(F) \\
\quad \vdots \\
\hat{\xi}_i(k+q) = B_{i,i} Z_i(k+q-1) + \mathrm{known}(F) = B_{i,i} \left[ \hat{\xi}_i^T(k+q-1), \ldots, \xi_i^T(k-M+q) \right]^T + \mathrm{known}(F)
\end{cases} \tag{16}$$

and

$$\begin{cases}
\hat{x}_i(k+1) = A x_i(k) + cBK\xi_i(k) \\
\hat{x}_i(k+2) = A\hat{x}_i(k+1) + cBK\hat{\xi}_i(k+1) \\
\quad \vdots \\
\hat{x}_i(k+q) = A\hat{x}_i(k+q-1) + cBK\hat{\xi}_i(k+q-1)
\end{cases} \tag{17}$$

In conclusion, it has been shown that a sufficiently long local information sequence observed by each individual is capable of constituting the local predictive mechanism. In other words, protocol (3) can be implemented in a decentralized way, which further improves its generality.

From Eq. (3), we see that the control protocol is constructed from the current regulation-error information, the predictive regulation-error information several steps ahead, and multistep self-feedback information; i.e., each agent obtains more comprehensive information with which to generate a better formation control strategy, which makes the whole multi-agent system achieve the desired formation faster. Here, we call q the convergence step. It is worth noting that, when q = 0, the self-feedback information (6) is zero and this new formation control protocol is the same as the routine formation control protocol, i.e., $u_i(k) = cK\xi_i(k)$. In this chapter, we define the asymptotic convergence factor

$$r_{asym} = \sup_{\xi(0) \neq 0} \lim_{k \to \infty} \left( \frac{\|\xi(k)\|}{\|\xi(0)\|} \right)^{1/k} \tag{18}$$

to measure the convergence speed toward formationability, where $\xi(k)$ is the global regulation-error. The smaller the asymptotic convergence factor $r_{asym}$ is, the faster the convergence toward formationability is. An arbitrary desired asymptotic convergence factor $\gamma$ ($0 < \gamma < 1$) is given in this chapter. Without loss of generality, the ultra-fast formation control can be achieved if and only if $r_{asym} \le \gamma$, which implies that the control protocols can drive all agents close to the desired formation very quickly.

Definition 1 (Hengster-Movric et al. 2013) A covering circle $C(c_0, r_0)$ of the graph matrix eigenvalues is an open circle centered at $c_0 \in R$, containing all nonzero eigenvalues of the graph matrix.

Lemma 3 (Zhang and Liu 2014b) Let $\lambda_i = x_i + y_i \mathrm{i}$ with $\mathrm{i}^2 = -1$, and $\delta, c \in R^+$. The inequality $|1 - c\lambda_i| < \delta$ holds if and only if there exists a covering circle $C(c_0, r_0)$ of $\lambda_i$ such that the following condition is satisfied:

$$\frac{r_0}{c_0} \le \delta \tag{19}$$

Furthermore, if Eq. (19) is satisfied, then $c = 1/c_0$ guarantees $|1 - c\lambda_i| < \delta$.

3 Main Results

In this chapter, assume that the communication topology among agents is a directed graph, and an undirected graph is only a special case.

3.1 Analysis on Ultra-fast Formation Control

Theorem 1 Given a set of desired formation vectors $F_i$, and a communication graph containing a spanning tree, the ultra-fast formation control for the discrete-time, multi-agent systems (1) can be achieved under protocol (3) if and only if the following conditions hold.

(a) $A(F_j - F_i) = F_j - F_i$, $\forall i, j \in V$.
(b) $\rho(A - c\lambda_i BK) < 1$, $\forall i \in \{2, \ldots, N\}$.

Moreover, one selects the convergence step $q = \min\left\{ Z \mid Z \ge \frac{\ln \gamma}{\ln \rho} - 1 \right\}$.

The proof of Theorem 1 depends on the following lemmas.

Lemma 4 Assume that communication topology G has a spanning tree. The formationability for the discrete-time multi-agent systems (1) can be achieved if and only if

$$\lim_{k \to \infty} \|\xi_i(k)\| = 0, \quad \forall i \in V \tag{20}$$

Proof 1 It is well known that the formationability for the discrete-time multi-agent systems (1) can be achieved if and only if Eq. (2) is satisfied. Therefore, the problem is transformed into proving that Eq. (20) is equivalent to Eq. (2). Without loss of generality, we only need to prove

$$\xi_i(k) = 0 \iff x_i(k) - F_i = x_j(k) - F_j, \quad \forall i, j \in V \tag{21}$$

Necessary: When $\xi_i(k) = 0$, $\forall i \in V$, one has

$$(L \otimes I_n) [x(k) - F] = 0_{Nn} \tag{22}$$

where L is a graph Laplacian matrix, $x(k) = [x_1^T(k), \ldots, x_N^T(k)]^T$, $x_i(k) = (x_{i,1}, \ldots, x_{i,n})^T$, $F = [F_1^T, \ldots, F_N^T]^T$, $F_i = (F_{i,1}, \ldots, F_{i,n})^T$, and $i = 1, \ldots, N$. Denoting the element in column j of row i of the Laplacian matrix L by $l_{i,j}$, one can obtain

$$l_{i,1}[x_1(k) - F_1] + l_{i,2}[x_2(k) - F_2] + \cdots + l_{i,N}[x_N(k) - F_N] = 0_n, \quad \forall i \in V \tag{23}$$

Further, it is easily observed that

$$l_{i,1}[x_{1,\tau}(k) - F_{1,\tau}] + l_{i,2}[x_{2,\tau}(k) - F_{2,\tau}] + \cdots + l_{i,N}[x_{N,\tau}(k) - F_{N,\tau}] = 0, \quad \forall i \in V \tag{24}$$

where $\tau = 1, \ldots, n$. For notational convenience, it is possible to rewrite Eq. (24) in compact form as

$$L\left( x_\tau^* - F_\tau^* \right) = 0_N \tag{25}$$

where $x_\tau^* = [x_{1,\tau}, \ldots, x_{N,\tau}]^T$ and $F_\tau^* = [F_{1,\tau}, \ldots, F_{N,\tau}]^T$. According to Lemmas 1 and 2, it is clear that the vectors $(k, k, \ldots, k)^T$, $k \in R^+$, are all the eigenvectors of Laplacian matrix L associated with $\lambda_1 = 0$. Thus, one can get

$$x_{i,\tau} - F_{i,\tau} = x_{j,\tau} - F_{j,\tau}, \quad \forall i, j \in V,\; \tau = 1, \ldots, n. \tag{26}$$

Then, $x_i(k) - F_i = x_j(k) - F_j$, $\forall i, j \in V$.

Sufficiency: Due to $\xi_i(k) = \sum_{j \in N_i} \alpha_{ij} \left\{ [x_j(k) - F_j] - [x_i(k) - F_i] \right\}$, it is easily seen that $\xi_i(k) = 0$ is satisfied when $x_i(k) - F_i = x_j(k) - F_j$.

Lemma 5 Given a set of desired formation vectors $F_i$, let $f = [f_1^T, \ldots, f_N^T]^T$ and $f_i = \sum_{j \in N_i} (F_j - F_i)$. Define matrix ∗ = $I_N \otimes A - I_{Nn}$. Assume that the graph topology G contains a spanning tree, and L is the corresponding Laplacian matrix. Then, one has that ∗ f = $0_{Nn}$ is equivalent to $A(F_j - F_i) = F_j - F_i$, $\forall i, j \in V$.

Proof 2 Necessary: Since the graph topology G contains a spanning tree, by Lemmas 1 and 2, one has $\sum_{i \in V} l_{ij} = 0$, where $l_{ij}$ is the same as that defined in the previous section. Then, for $\forall j$, one can obtain that

$$\begin{aligned}
A(l_{i1}F_1 + \cdots + l_{iN}F_N) &= A\left[ l_{i1}(F_1 - F_j) + \cdots + l_{iN}(F_N - F_j) \right] \\
&= l_{i1}A(F_1 - F_j) + \cdots + l_{iN}A(F_N - F_j) \\
&= l_{i1}F_1 + \cdots + l_{iN}F_N
\end{aligned} \tag{27}$$

The last equation follows directly from $A(F_j - F_i) = F_j - F_i$, $\forall i, j \in V$. Obviously, Eq. (27) implies that ∗ f = $0_{Nn}$.

Sufficiency: Conversely, when ∗ f = $0_{Nn}$, one has

$$A(l_{i1}F_1 + \cdots + l_{iN}F_N) = l_{i1}F_1 + \cdots + l_{iN}F_N \tag{28}$$

Considering the fact $L 1_N = 0_N$, for $\forall j$, the above equation can be rewritten as

$$A\left[ l_{i1}(F_1 - F_j) + \cdots + l_{iN}(F_N - F_j) \right] = l_{i1}(F_1 - F_j) + \cdots + l_{iN}(F_N - F_j) \tag{29}$$

Therefore, one can get

$$l_{i1}\left[ A(F_1 - F_j) - (F_1 - F_j) \right] + \cdots + l_{iN}\left[ A(F_N - F_j) - (F_N - F_j) \right] = 0_{Nn} \tag{30}$$

For convenience, let $y_i = A(F_i - F_j) - (F_i - F_j)$, $\forall i \in V$. It is possible to rewrite Eq. (30) in compact form as

$$(L \otimes I_n)\, y = 0_{Nn} \tag{31}$$

where $y = [y_1^T, \ldots, y_N^T]^T$. From the proof of Lemma 4, one can obtain that

$$A(F_s - F_j) - (F_s - F_j) = A(F_t - F_j) - (F_t - F_j), \quad \forall s, t \in V \tag{32}$$

which implies that

$$A(F_s - F_t) = F_s - F_t, \quad \forall s, t \in V \tag{33}$$

Next, we will give the proof of Theorem 1.

Proof 3 In view of Lemma 4, this formation control problem is transformed into finding a necessary and sufficient condition for the formationability of the multi-agent systems (1) such that $\lim_{k \to \infty} \|\xi_i(k)\| = 0$, $\forall i \in V$. Since the communication graph contains a spanning tree, one has $L 1_N = 0_N$, $w^T L = 0_N^T$ and $w^T 1_N = 1$, where $1_N$ and $w^T \in R^{1 \times N}$ are the right and left eigenvectors of Laplacian matrix L associated with $\lambda_1 = 0$. Inserting Eq. (3) into Eq. (1), one can get

$$x_i(k+1) = A x_i(k) + cBK \sum_{h=0}^{q} \hat{\xi}_i(k+h) + BK \sum_{h=1}^{q} \hat{x}_i(k+h) \tag{34}$$

where K in the last term is the self-feedback gain satisfying $BK = A - I_n$. Similar to Eq. (9), the following dynamic equation can be obtained:

$$\varepsilon_i(k+1) = A\varepsilon_i(k) + cBK \sum_{j \in N_i} \alpha_{ij} \sum_{h=0}^{q} \left[ \hat{\xi}_j(k+h) - \hat{\xi}_i(k+h) \right] + (A - I_n) \sum_{h=1}^{q} \hat{\varepsilon}_i(k+h) \tag{35}$$

Let $\varepsilon(k) = [\varepsilon_1^T(k), \ldots, \varepsilon_N^T(k)]^T$, $\hat{\varepsilon}(k+h) = [\hat{\varepsilon}_1^T(k+h), \ldots, \hat{\varepsilon}_N^T(k+h)]^T$, and $\hat{\xi}(k+h) = [\hat{\xi}_1^T(k+h), \ldots, \hat{\xi}_N^T(k+h)]^T$. It is possible to rewrite Eq. (35) in compact form as

$$\varepsilon(k+1) = (I_N \otimes A)\,\varepsilon(k) - (cL \otimes BK) \sum_{h=0}^{q} \hat{\xi}(k+h) + (I_N \otimes A - I_{nN}) \sum_{h=1}^{q} \hat{\varepsilon}(k+h) \tag{36}$$

 T Define ξ(k) = ξ1T (k), . . . , ξNT (k) , according to this fact ε(k) = ξ (k) + f, Eq. (36) is equivalent to ξ (k + 1) = ξ(k) − ( − IN n )

q 

ξˆ (k + h) + (q + 1) ∗ f

(37)

h=1

where  and ∗ are the same as those defined in previous section. Considering the corresponding predictive mechanism (11), Eq. (37) can be rewritten as  ξ (k + 1) = ξ(k) + ( − IN n ) ξ(k) + ∗ f + 2 ξ(k) + ∗ f + ∗ f + · · · + q ξ(k) + q−1 ∗ f + · · · + ∗ f + (q + 1) ∗ f   = ξ(k) + ( − IN n )  + 2 + · · · + q ξ(k)   + ( − IN n ) IN n +  + · · · + q−1 ∗ f   + ( − IN n ) IN n +  + · · · + q−2 ∗ f + · · · + ( − IN n ) ∗ f + (q + 1) ∗ f   = q+1 ξ(k) + IN n +  + · · · + q ∗ f (38) Next, we will analyze the second term of the right side of Eq. (38). Firstly, we assume INn +  + . . . + q is nonsingular. Then, (INn +  + . . . + q ) ∗ f = 0Nn is equivalent to ∗ f = 0Nn . In view of Lemma 5, it is clear that it is also equivalent to A Fj − Fi = Fj − Fi , ∀i, j ∈ V . Conversely, when matrix INn +  + . . . + q is singular, one can obtain much more relaxed constraints than A Fj − Fi = Fj − Fi , ∀i, j ∈ V . In other words,   A Fj − Fi = Fj − Fi , ∀i, j ∈ V is unnecessary and sufficient condition for (INn +  + . . . + q )∗ f = 0Nn . Without loss of generality, we assume that INn +  + . . . + q is nonsingular in this chapter such that  A Fj − Fi = Fj − Fi , ∀i, j ∈ V is necessary and sufficient condition for (INn +  + . . . + q )∗ f = 0Nn . Using the condition that A Fj − Fi = Fj − Fi , ∀i, j ∈ V , Eq. (38) is reduced to the following form:


ξ (k + 1) = q+1 ξ(k)


(39)

Denote the Jordan canonical form of the matrix L by J, then there exists a nonsingular matrix  such that L −1 = J, where the diagonal entries of J are the eigenvalues of L. Introduce the state transformation ξ˜ (k) = ( ⊗ In ) ξ(k). Equation (39) can be represented in terms of ξ˜ (k) as follows: ξ˜ (k + 1) = [IN ⊗ A − cJ ⊗ (BK)]q+1 ξ˜ (k)

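(40)

Partition $\tilde{\xi}(k) \in R^{Nn}$ into two parts, i.e., $\tilde{\xi}(k) = [\tilde{\xi}_1^T(k), \tilde{\xi}_*^T(k)]^T$, where $\tilde{\xi}_1(k) \in R^n$ is a vector consisting of the first n elements of $\tilde{\xi}(k)$, and $\tilde{\xi}_*(k) = [\tilde{\xi}_2^T(k), \ldots, \tilde{\xi}_N^T(k)]^T$. It is clear that $\tilde{\xi}_1(k) = (w^T \otimes I_n)\,\xi(k) = (w^T \otimes I_n)(-L \otimes I_n)\,x(k) = -(w^T L \otimes I_n)\,x(k) = 0_n$. Since the communication graph among agents is a connected digraph, the Jordan canonical form J of the matrix L can be written as

$$J = \begin{bmatrix} 0 & 0 & \cdots & 0 \\ 0 & J(\lambda_2) & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & J(\lambda_N) \end{bmatrix} \tag{41}$$

where the ith Jordan block ($*$ is 1 or 0) is

$$J(\lambda_i) = \begin{bmatrix} \lambda_i & * & \cdots & 0 \\ 0 & \lambda_i & \ddots & 0 \\ \vdots & \vdots & \ddots & * \\ 0 & 0 & \cdots & \lambda_i \end{bmatrix} \tag{42}$$

By simple computation, Eq. (40) can be rewritten as

$$\begin{bmatrix} \tilde{\xi}_1(k+1) \\ \tilde{\xi}_2(k+1) \\ \vdots \\ \tilde{\xi}_N(k+1) \end{bmatrix}
= \begin{bmatrix} A & 0 & \cdots & 0 \\ 0 & Q_2 & \cdots & \times \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & Q_N \end{bmatrix}^{q+1}
\begin{bmatrix} \tilde{\xi}_1(k) \\ \tilde{\xi}_2(k) \\ \vdots \\ \tilde{\xi}_N(k) \end{bmatrix}
= \begin{bmatrix} A^{q+1} & 0 & \cdots & 0 \\ 0 & Q_2^{q+1} & \cdots & \times \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & Q_N^{q+1} \end{bmatrix}
\begin{bmatrix} \tilde{\xi}_1(k) \\ \tilde{\xi}_2(k) \\ \vdots \\ \tilde{\xi}_N(k) \end{bmatrix} \tag{43}$$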


where $\times$ is an arbitrary matrix, and $Q_i = A - c\lambda_i BK$, $i = 2, \ldots, N$. Because the state matrix of the above equation is upper triangular, it is clear that $\tilde{\xi}_i(k)$, $i = 2, \ldots, N$, converge asymptotically to 0 if and only if the following N − 1 subsystems

$$\tilde{\xi}_i(k+1) = (A - c\lambda_i BK)^{q+1}\, \tilde{\xi}_i(k), \quad i = 2, \ldots, N \tag{44}$$

along the diagonal are asymptotically stable, where $\lambda_i$ are the eigenvalues of graph matrix L. In other words, $\lim_{k \to \infty} \|\xi_i(k)\| = 0$ is equivalent to

$$\rho\left( (A - c\lambda_i BK)^{q+1} \right) = \rho^{q+1}(A - c\lambda_i BK) < 1 \tag{45}$$

Further, $\rho^{q+1}(A - c\lambda_i BK) < 1$ is equivalent to $\rho(A - c\lambda_i BK) < 1$. In addition, given any control gain $K \in R^{m \times n}$ and coupling gain $c \in R^+$, define

$$J(c, K) = \mathrm{diag}\left( A - c\lambda_2 BK, \ldots, A - c\lambda_N BK \right) \tag{46}$$

Based on Eq. (18) and Corollary 3.1 in You and Xie (2011), one gets the asymptotic convergence factor

$$r_{asym} = \rho^{q+1}\left( J(c, K) \right) \tag{47}$$

under protocol (3). Obviously, the asymptotic convergence factor is improved by a power of q + 1 compared to the routine formation control protocol. The bigger the convergence step q, the smaller the asymptotic convergence factor and the faster the convergence speed; i.e., protocol (3) can drive all agents close to the desired formation very quickly. Moreover, an arbitrary desired asymptotic convergence factor $\gamma$ ($0 < \gamma < 1$) is given in this chapter. The performance index of convergence speed is achieved if $r_{asym} = \rho^{q+1} \le \gamma$. By simple computation, one has $q \in \left\{ Z \mid Z \ge \frac{\ln \gamma}{\ln \rho} - 1 \right\}$. However, the bigger the value of q is, the more predictive information is needed. In other words, a bigger q will increase the amount of computation needed. Therefore, we select the convergence step $q = \min\left\{ Z \mid Z \ge \frac{\ln \gamma}{\ln \rho} - 1 \right\}$.

Remark 1 It is worth noting that we select the convergence step $q = \min\left\{ Z \mid Z \ge \frac{\ln \gamma}{\ln \rho} - 1 \right\}$ in the whole of this chapter, which is omitted in the remaining parts. In most previous works, the convergence speed is limited by the communication topology. Without loss of generality, the better the connectivity of the communication topology is, the faster the convergence speed is, and vice versa. Differing from other works, from the proof of Theorem 1, we can see that the proposed ultra-fast formation control algorithm in this chapter can overcome the influence of communication topology on the convergence speed to some extent. Moreover, in view of Theorem 1, the necessary and sufficient conditions for ultra-fast formationability are the same as those for general formationability. This is very important, because a unified framework (Li et al. 2010, 2011) is still kept under ultra-fast formation control protocol (3).
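The following Python example is added here and is not code from the chapter. It simulates protocol (3) in the simplest setting that satisfies condition (a) of Theorem 1: scalar agents with A = B = K = 1 on a constructed four-agent directed chain, so the self-feedback gain is zero and the term with $I_N \otimes A - I_{Nn}$ vanishes. It uses the centralized predictor of Eq. (11) under Assumption 1 rather than the history-based one, and all numeric values and function names are assumptions of the example.

```python
import math

# Constructed 4-agent directed chain 1 -> 2 -> 3 -> 4 (it contains a spanning tree).
# ALPHA[i][j] > 0 means agent i receives information from agent j.
ALPHA = [[0, 0, 0, 0],
         [1, 0, 0, 0],
         [0, 2, 0, 0],
         [0, 0, 3, 0]]
N = len(ALPHA)
F = [0.0, 1.0, 2.0, 3.0]   # desired formation F_i (constructed values)
A = B = K = 1.0            # scalar agents; A = 1 satisfies condition (a) of Theorem 1
C = 0.5                    # coupling gain c = 1/c0 for a covering circle centred at c0 = 2

# Graph Laplacian L = D - A (in-degree matrix minus adjacency matrix).
L = [[(sum(ALPHA[i]) if i == j else 0.0) - ALPHA[i][j] for j in range(N)]
     for i in range(N)]


def regulation_error(x):
    """xi_i(k) = eps_i(k) - f_i, i.e. Eq. (4) with h = 0 minus Eq. (5)."""
    return [sum(ALPHA[i][j] * ((x[j] - F[j]) - (x[i] - F[i])) for j in range(N))
            for i in range(N)]


def predict(xi):
    """One step of the predictive mechanism (11) for n = 1.

    Applies I_N (x) A - c L (x) (BK); the term with I_N (x) A - I_Nn is zero as A = 1.
    """
    return [A * xi[i] - C * B * K * sum(L[i][j] * xi[j] for j in range(N))
            for i in range(N)]


def control(x, q):
    """Protocol (3): cK times the sum of the current and q predicted regulation errors.

    The self-feedback gain solves B * gain = A - 1 = 0, so that term drops out here.
    """
    xi_hat = regulation_error(x)
    total = list(xi_hat)
    for _ in range(q):
        xi_hat = predict(xi_hat)
        total = [t + v for t, v in zip(total, xi_hat)]
    return [C * K * t for t in total]


def step(x, q):
    """Agent dynamics (1) driven by protocol (3)."""
    return [A * xi + B * ui for xi, ui in zip(x, control(x, q))]


def spectral_radius():
    """rho(J(c, K)) from Eq. (46); L is triangular here, so its eigenvalues are its diagonal."""
    return max(abs(A - C * L[i][i] * B * K) for i in range(N) if L[i][i] != 0)


def convergence_step(gamma, rho):
    """Smallest integer q with q >= ln(gamma) / ln(rho) - 1 (Theorem 1)."""
    return max(0, math.ceil(math.log(gamma) / math.log(rho) - 1))


def steps_to_tolerance(x0, q, tol=1e-6, max_steps=500):
    """Number of steps until every regulation error is within tol, and the final state."""
    x, k = list(x0), 0
    while max(abs(v) for v in regulation_error(x)) > tol and k < max_steps:
        x, k = step(x, q), k + 1
    return k, x


if __name__ == "__main__":
    rho = spectral_radius()
    q = convergence_step(0.01, rho)      # desired factor gamma = 0.01
    x0 = [0.0, 5.0, -3.0, 8.0]           # constructed initial states
    print("rho =", rho, "q =", q)
    print("routine protocol (q = 0):", steps_to_tolerance(x0, 0)[0], "steps")
    print("protocol (3) with q =", q, ":", steps_to_tolerance(x0, q)[0], "steps")
```

One step under protocol (3) moves the regulation error exactly as q + 1 steps of the routine protocol would, which is the power of q + 1 in Eq. (47).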

3.2 Designs of Control Gain and Coupling Gain

In the remainder of this chapter, we will give some theoretical results for formationability design, decouple the design of the synchronizing gains from the detailed graph properties, and explicitly reveal how the agent dynamics and the communication graph jointly affect ultra-fast formationability of high-order, discrete-time multi-agent systems.

Theorem 2 Given a set of desired formation vectors $F_i$ and a communication graph containing a spanning tree, the ultra-fast formation control for the discrete-time multi-agent systems (1) can be achieved under protocol (3) if the following conditions hold.

(a) (A, B) is a stabilizable pair and $A(F_j - F_i) = F_j - F_i$, $\forall i, j \in V$.
(b) There exists a covering circle $C(c_0, r_0)$ of the graph matrix eigenvalues $\lambda_j$, $j = 2, \ldots, N$, such that

$$\frac{r_0}{c_0} \le \delta_c \tag{48}$$

Moreover, the coupling gain $c = 1/c_0$ and the control gain $K = (B^T P B)^{-1} B^T P A$ guarantee ultra-fast formation control, where $\delta_c = 1$ if A is stable, otherwise $1 / \prod_j |\lambda_j^u(A_{m^*})| \le \delta_c < 1$, and $P > 0$ is a solution to the linear matrix inequality (LMI) $P > A^T P A - (1 - \beta^2) A^T P B (B^T P B)^{-1} B^T P A$ with $\beta = \max_{j \in \{2, \ldots, N\}} |1 - c\lambda_j|$. It is worth noting that the definition of $1 / \prod_j |\lambda_j^u(A_{m^*})|$ is the same as the one in Hengster-Movric et al. (2013), so it is omitted here for brevity.

Proof 4 Combining Theorem 1 of this chapter and Theorem 1 in Hengster-Movric et al. (2013), we know that if there exists a coupling gain c such that

$$\max_{j \in \{2, \ldots, N\}} |1 - c\lambda_j| < \delta_c \tag{49}$$

then there exists the control gain $K = (B^T P B)^{-1} B^T P A$ guaranteeing ultra-fast formation control, where $\delta_c = 1$ if A is stable, otherwise $1 / \prod_j |\lambda_j^u(A_{m^*})| \le \delta_c < 1$, and $P > 0$ is a solution to the LMI $P > A^T P A - (1 - \beta^2) A^T P B (B^T P B)^{-1} B^T P A$ with $\beta = \max_{j \in \{2, \ldots, N\}} |1 - c\lambda_j|$. In view of Lemma 3, Eq. (49) is equivalent to

$$\frac{r_0}{c_0} \le \delta_c \tag{50}$$

and $c = 1/c_0$. Therefore, the proof of Theorem 2 is completed.


Remark 2 It is worth noting that, for the single input case, the sufficient condition given in Theorem 2 is also necessary. This follows directly from Theorems 3.1 and 3.2 of You and Xie (2011). Meanwhile, inequality (48) implies that the more unstable the open-loop matrix is, the stronger the condition required on the directed graph to achieve ultra-fast formation control under protocol (3). The eigenratio $(\lambda_2 / \lambda_N) \to 1$ means that the communication graph is almost complete. In this case, there must exist a small enough covering circle $C(c_0, r_0)$ such that $\prod_j |\lambda_j^u(A_{m^*})| \to \infty$. Furthermore, the following theoretical result can be established when the communication topology is undirected.

Corollary 1 Assume that communication topology G is an undirected graph containing a spanning tree. The ultra-fast formation control for the discrete-time multi-agent systems (1) can be achieved under protocol (3) if the following conditions hold:

(a) (A, B) is a stabilizable pair and $A(F_j - F_i) = F_j - F_i$, $\forall i, j \in V$.
(b) $\frac{\lambda_N - \lambda_2}{\lambda_N + \lambda_2} < \delta_c$.

Moreover, the control gain $K = (B^T P B)^{-1} B^T P A$ and the coupling gain $\frac{1 - \delta_c}{\lambda_2} < c < \frac{1 + \delta_c}{\lambda_N}$ solve the ultra-fast formation control problem, where $P > 0$ is a solution to the LMI above.

Proof 5 Since the communication topology is an undirected graph containing a spanning tree, the eigenvalues λ2 ≤ . . . ≤ λN of graph matrix L are all positive real numbers. By Theorem 2, one has 1 − δc 1 + δc 0,       kp · ki + kp · kd + kp 2 · ∅ + 1 − ωpso · kp + ki − ki > 0.

(14) (15)

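On the other hand, the updated X(s) is as follows.

$$\begin{aligned}
X(s) &= \frac{∅_1 \cdot (s+1) \cdot G_{PID}(s)}{s \cdot (s + 1 - \omega_{pso})} \cdot \left( X_{lbest}(s) - X(s) \right) + \frac{∅_2 \cdot (s+1) \cdot G_{PID}(s)}{s \cdot (s + 1 - \omega_{pso})} \cdot \left( X_{gbest}(s) - X(s) \right) \\
&= \frac{∅ \cdot (s+1) \cdot G_{PID}(s)}{s \cdot (s + 1 - \omega_{pso})} \cdot \left[ (1 - \theta) \cdot X_{lbest}(s) + \theta \cdot X_{gbest}(s) - X(s) \right]
\end{aligned} \tag{16}$$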

D. C. Levy et al.

After being combined with Eq. (16), Eq. (7) is presented below.

$$V(s) = \frac{∅ \cdot G_{PID}(s)}{s \cdot (s + 1 - \omega_{pso})} \cdot \left[ (1 - \theta) \cdot X_{lbest}(s) + \theta \cdot X_{gbest}(s) - X(s) \right] \tag{17}$$

Thus, Eq. (17) is turned into the following time-varying function formula (18) after the inverse Laplace transformation.

$$\begin{aligned}
v(t+1) = \omega_{pso} \cdot v(t) + ∅ \cdot \Big\{ &(1 - \theta) \cdot \Big[ k_p \cdot (x_{lbest}(t) - x(t)) + k_i \cdot \int_0^t (x_{lbest}(t) - x(t)) \, dt + k_d \cdot \frac{d(x_{lbest}(t) - x(t))}{dt} \Big] \\
&+ \theta \cdot \Big[ k_p \cdot (x_{gbest}(t) - x(t)) + k_i \cdot \int_0^t (x_{gbest}(t) - x(t)) \, dt + k_d \cdot \frac{d(x_{gbest}(t) - x(t))}{dt} \Big] \Big\}
\end{aligned} \tag{18}$$

Based on the above in Eqs. (14) and (15) and our professional experiences, we design the following three coefficients of the PID controller, t kp = e(ωpso −1)· MaxT t e(ωpso −1)· MaxT ki = t 1 + e(ωpso −1)· MaxT 2

t kd = e(ωpso −1)· MaxT

(19) (20) (21)

where t is the present generation, and MaxT is the maximum generation. Consequently, our proposed PID controlling PSO comprises Eqs. (18) and (2). Unlike Eq. (1) in SPSO, Eq. (18) not only includes the proportional terms of $(x_{lbest}(t) - x(t))$ and $(x_{gbest}(t) - x(t))$ but also encompasses their integral terms and derivative terms. These terms enable the PID controlling PSO to achieve a proper response, eliminate the steady-state errors, and improve the particles' evolutionary dynamics simultaneously, so that the PID controlling PSO enhances the diversity of the swarm and converges fast to the global best position. Concerning the inertia weight coefficient, we adopt the following formula (22) (Wang et al. 2010):

$$\omega_{pso} = \frac{1}{1 + 1.5 \cdot e^{-2.6 \cdot f}} \tag{22}$$

47 Particle Swarm Optimization of Real-Time PID Controllers


where f is supposed to decrease linearly from 1 to 0. In addition, the cognitive coefficient is supposed to decrease linearly from 2 to 0, while the social coefficient is supposed to increase linearly from 0 to 2.

In order to promote the evolutionary process of the PID controlling PSO, we adopt an enhancement learning strategy (ELS) to help particles perform comprehensive learning from their own local and neighboring best positions, other local best positions, and their global best position. It is evident that particles are easily trapped in local optima after some iterations. Therefore, for a specific local best particle, we first randomly select some other local best particles from the population, whose total number is equal to their dimensional number. Then, we take turns choosing one different dimension j from the selected local best particles, whose position is $x^j_{lbest}(k)$ and whose velocity vector is $v^j_{lbest}(k)$. Next, we use $x^j_{lbest}(k)$ to replace the same dimension j of the specific local best particle, giving a temporary specific local best particle. We then compare the fitness value of the specific local best particle with the fitness of the temporary particle. If the fitness value of the specific local best particle is more than the fitness of the temporary particle, the position of the specific local best particle in dimension j is moved to $x^j_{lbest}(k)$. The same method is also exploited to learn from the neighboring best positions.

It has been observed that normal PSOs easily stagnate in a local optimum because of the lack of diversity of the population. Thus, particles remain in a local optimum for an unpredictable number of generations. In order to increase search diversity and avoid getting trapped in a local optimum, many leaping-out mechanisms have been proposed (Wang et al. 2010; Liang et al. 2006; Montes de Oca et al. 2009; Ratnaweera et al. 2004; Zhan et al. 2009). However, the performance can be affected by many factors and is hard to predict after introducing the leaping-out algorithms. In the PID controlling PSO, we first randomly select the local best particle $x_{lbest}(k)$ out of the population. If it is not the global best particle $x_{gbest}$, we randomly choose one dimension j from the selected particle, whose position is $x^j_{lbest}(k)$ and whose velocity vector is $v^j_{lbest}(k)$. Thereafter, we use $x^j_{lbest}(k)$ to replace the same dimension j of the global best particle, giving a temporary global best particle. Otherwise, we use the following formula

$$x^j_{lbest}(k) + \left( x^j_{max} - x^j_{min} \right) \cdot \mathrm{Gaussian}(\mu, \sigma^2) \tag{23}$$

to do it, where the search range $[x^j_{min}, x^j_{max}]$ is the same as the lower and upper bounds of the problem, and $\mathrm{Gaussian}(\mu, \sigma^2)$ is a random number from a Gaussian distribution with a zero mean $\mu$ and a standard deviation $\sigma$. Similar to some time-varying neural network training schemes, it is suggested that $\sigma$ be linearly decreased with the generation number, which is given by

$$\sigma = 1 - \frac{t}{MaxT} \tag{24}$$

where t is the present generation, and MaxT is the maximum generation. Next, we compare fitness($x_{gbest}$) with the fitness of the temporary global best particle. If fitness($x_{gbest}$) is more than the fitness of the temporary particle, the position of the global best particle in dimension j is moved to $x^j_{lbest}$, and its updated fitness($x_{gbest}$) value is equal to the fitness of the temporary particle.
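The leaping-out step described above, with Eqs. (23) and (24), can be written as the following Python example, which is added here and is not the chapter's code. The cost function, swarm size, bounds and seed are constructed, fitness is treated as a cost (lower is better, as in the comparisons above), and clamping the mutated coordinate to the search range is an assumption of the example.

```python
import random


def sigma(t, max_t):
    """Eq. (24): standard deviation of the mutation, decreasing linearly with generation t."""
    return 1.0 - t / max_t


def sphere(x):
    """Constructed cost function; a lower value is better."""
    return sum(v * v for v in x)


def leap_out(lbests, g, t, max_t, bounds, fitness, rng):
    """One leap-out attempt on the global best lbests[g].

    Returns the (possibly unchanged) global best position and whether the
    temporary global best particle was accepted.
    """
    lo, hi = bounds
    gbest = lbests[g]
    d = rng.randrange(len(lbests))      # randomly selected local best particle
    j = rng.randrange(len(gbest))       # randomly chosen dimension j
    trial = list(gbest)                 # temporary global best particle
    if d != g:
        trial[j] = lbests[d][j]         # copy dimension j from the selected local best
    else:
        # Eq. (23): Gaussian perturbation scaled by the search range in dimension j
        trial[j] = gbest[j] + (hi - lo) * rng.gauss(0.0, sigma(t, max_t))
        trial[j] = min(hi, max(lo, trial[j]))   # clamping is an assumption of this example
    if fitness(gbest) > fitness(trial):         # keep the temporary particle only if better
        return trial, True
    return gbest, False


def run(max_t=200, seed=7, dims=3, swarm=6, bounds=(-5.0, 5.0)):
    """Apply one leap-out attempt per generation to a constructed set of local bests."""
    rng = random.Random(seed)
    lbests = [[rng.uniform(*bounds) for _ in range(dims)] for _ in range(swarm)]
    g = min(range(swarm), key=lambda i: sphere(lbests[i]))   # index of the global best
    history, accepted = [sphere(lbests[g])], 0
    for t in range(1, max_t + 1):
        lbests[g], ok = leap_out(lbests, g, t, max_t, bounds, sphere, rng)
        accepted += ok
        history.append(sphere(lbests[g]))
    return history, accepted, lbests[g]


if __name__ == "__main__":
    history, accepted, best = run()
    print("initial cost:", history[0], "final cost:", history[-1])
    print("accepted leap-outs:", accepted, "best position:", best)
```

Because the temporary particle is kept only when its cost is strictly lower, the recorded cost of the global best never increases, whatever the mutation draws.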

3 Algorithms

Based on the aforementioned contexts, our proposed PID controlling PSO can be described in detail as follows.

Step 1: Initialize parameters including the number PN of particles, dimensional size D of each particle, maximum generation number MaxT, initial velocity v and position x of each particle, inertia weight coefficient $\omega_{pso}$, cognitive coefficient $c_1$, and social coefficient $c_2$. Calculate the initial fitness of each particle, and set the initial local best position $x_{lbest}$ and global best position $x_{gbest}$.

Step 2: If the specific local optimal value $x_{lbest}(k)$ does not evolve for a certain number of iterations, improve the specific local best position by the above-mentioned ELS. Thereafter, according to Eqs. (19), (20), and (21), calculate the three parameters $k_p$, $k_i$, and $k_d$ of the PID controller. Then, in terms of Eqs. (18) and (2), calculate the next velocity v(t) and position x(t) of each particle. Next, calculate the fitness of each particle, and set the local best position $x_{lbest}$ and the global best position $x_{gbest}$. Thereafter, update the global best position $x_{gbest}$ with the temporary global best mutation position if fitness($x_{gbest}$) is more than the fitness of the temporary position.

Step 3: Check whether the global best fitness($x_{gbest}$) meets the given threshold, or whether the maximum generation number MaxT has been reached. If not, go back to Step 2.

Step 4: Otherwise, the operation can be terminated. Finally, output the global best position $x_{gbest}$, its corresponding global best fitness, and the convergent generation number.


The pseudo-code for the PID controlling PSO is presented below in Algorithm 1.

Begin
/*initialize the swarm*/
FOR{i = 1 to PN}
  create particle p_i with dimension D, velocity v_i and position x_i from 1 to PN
  set xlbest(i) = x_i
  calculate fitness(x_i)
ENDFOR
set xgbest = best(xlbest(i))
calculate inertia coefficient ωpso, cognitive coefficient c1 and social coefficient c2
set maximum generation number MaxT and ELS factor β
/*update velocity and position with an evolutionary PID style strategy*/
FOR{t = 1 to MaxT}
  calculate PID controller parameters: kp, ki, kd
  FOR{i = 1 to PN}
    /*improve local best position at a given generation*/
    IF{repeat_num(i)>=10}
      set repeat_num(i)=0, tmp_xlbest(i)=xlbest(i) and update ELS factor β
      randomly create a D dimensional array ar between 1 and PN
      FOR{ii=1 to D}
        set tmp_xlbest^ii(i)=xlbest^ii(ar(ii))
        IF{fitness(tmp_xlbest(i))>fitness(xlbest(i))}
          set tmp_xlbest^ii(i)=xlbest^ii(i)
        ENDIF
      ENDFOR
      set x(i)=xlbest(i)
      set xlbest(i)=tmp_xlbest(i)
      /*neighboring learning*/
      set change_num(i)=change_num(i)+1
      IF{change_num(i)>=5}
        set Nxlbest(i)=xlbest(i)+unifrnd(-1,1) × xlbest(i)
        IF{fitness(Nxlbest (i))