168 REAL-TIME LOGIC, GRAPH-THEORETIC ANALYSIS, AND MODECHART

i@(↑ ICP I50NFC SENSOR, i + 1) − 20 ≤ @(↑ ICP I50NFC SENSOR, i)

i@(↑ FCP I50NFC, i + 1) − 20 ≤ @(↑ FCP I50NFC, i)

i@(↑ FCP P50NFC, i + 1) − 20 ≤ @(↑ FCP P50NFC, i)

Safety assertion:

i@((↓ ICP I50FC CMDS, i) ≤ @(↑ ICP I50FC SENSOR, i) + 10

(↓ ICP I10FC CMDS, i) ≤ @(↑ ICP I10FC SENSOR, i) + 50)

;50 Hz and 10 Hz loops must maintain a maximum 10 ms and 50 ms

;“transport lag,” respectively, between sensor input and

;effector output

Negation of safety assertion in RTL:

i@((↑ ICP I50FC SENSOR, i) + 10 < @(↓ ICP I50FC CMDS, i) (↑ ICP I10FC SENSOR, i) + 50 < @(↓ ICP I10FC CMDS, i))

6.7.5 RTL Representation Converted to Presburger Arithmetic

We now convert the RTL formulas into the Presburger arithmetic format to aid in subsequent graphing. The notation convention is to use an “S ” or an “E ” to represent the start or end task events, respectively.

Presburger Arithmetic Representation:

Workloads:

; 50 Hz FC workloads

E ICP I50FC SENSOR(i) − 2 ≤ S ICP I50FC SENSOR(i)

E FCP I50FC(i) − 1 ≤ S FCP I50FC(i)

E FCP P50FC(i) − 5 ≤ S FCP P50FC(i)

E FCP O50FC(i) − 1 ≤ S FCP O50FC(i)

E ICP I50FC CMDS(i) − 1 ≤ S ICP I50FC CMDS(i)

; 10 Hz FC workloads

E ICP I10FC SENSOR(i) − 2 ≤ S ICP I10FC SENSOR(i)

E FCP I10FC(i) − 1 ≤ S FCP I10FC(i)

E FCP P10FC(i) − 40 ≤ S FCP P10FC(i)

E FCP O10FC(i) − 1 ≤ S FCP O10FC(i)

E ICP I10FC CMDS(i) − 1 ≤ S ICP I10FC CMDS(i)

; 50 Hz NFC workloads

E ICP I50NFC SENSOR(i) − 5 ≤ S ICP I50NFC SENSOR(i)

E FCP I50NFC(i) − 1 ≤ S FCP I50NFC(i)

E FCP P50NFC(i) − 2 ≤ S FCP P50NFC(i)

precedence:

;precedence between start and stop events

;50 Hz FC workloads

S ICP I50FC SENSOR(i) ≤ E ICP I50FC SENSOR(i)

S FCP I50FC(i) ≤ E FCP I50FC(i)

S FCP P50FC(i) ≤ E FCP P50FC(i)

S FCP O50FC(i) ≤ E FCP O50FC(i)

SICP I50FC CMDS(i) ≤ E ICP I50FC CMDS(i)

;10 Hz FC workloads

SICP I10FC SENSOR(i) ≤ E ICP I10FC SENSOR(i)

S FCP I10FC(i) ≤ E FCP I10FC(i)

S FCP P10FC(i) ≤ E FCP P10FC(i)

S FCP O10FC(i) ≤ E FCP O10FC(i)

SICP I10FC CMDS(i) ≤ E ICP I10FC CMDS(i)

;50 Hz NFC workloads

SICP I50NFC SENSOR(i) ≤ E ICP I50NFC SENSOR(i)

S FCP I50NFC(i) ≤ E FCP I50NFC(i)

SFCP P50NFC(i) ≤ E FCP P50NFC(i)

;precedence between end of first task and beginning of next task

;50 Hz FC precedence relations

EICP I50FC SENSOR(i) ≤ S FCP I50FC(i)

E FCP I50FC(i) ≤ S FCP P50FC(i)

E FCP P50FC(i) ≤ S FCP O50FC(i)

EFCP O50FC(i) ≤ S ICP I50FC CMDS(i)

;10 Hz FC precedence relations

EICP I10FC SENSOR(i) ≤ S FCP I10FC(i)

E FCP I10FC(i) ≤ S FCP P10FC(i)

E FCP P10FC(i) ≤ S FCP O10FC(i)

E FCP O10FC(i) ≤ S ICP I10FC CMDS(i)

170 REAL-TIME LOGIC, GRAPH-THEORETIC ANALYSIS, AND MODECHART

; 50 Hz NFC precedence relations

E ICP I50NFC SENSOR(i) ≤ S FCP I50NFC(i)

EFCP I50NFC(i) ≤ S FCP P50NFC(i)

;precedence between beginning of prior task and beginning of next task

SFCP I50FC(i) − 2 ≤ S ICP I50FC SENSOR(i)

S FCP P50FC(i) − 1 ≤ S FCP I50FC(i)

S FCP O50FC(i) − 5 ≤ S FCP P50FC(i)

S ICP I50FC CMDS(i) − 1 ≤ S FCP O50FC(i)

S FCP I10FC(i) − 2 ≤ S ICP I10FC SENSOR(i)

S FCP P10FC(i) − 1 ≤ S FCP I10FC(i)

S FCP O10FC(i) − 40 ≤ S FCP P10FC(i)

S ICP I10FC CMDS(i) − 1 ≤ S FCP O10FC(i)

S FCP I50NFC(i) − 5 ≤ S ICP I50NFC SENSOR(i)

S FCP P50NFC(i) − 1 ≤ S FCP I50NFC(i)

periodicity:

; 50 Hz FC tasks, p = 20

S ICP I50FC SENSOR(i) + 20 ≤ S ICP I50FC SENSOR(i + 1)

S FCP I50FC(i) + 20 ≤ S FCP I50FC(i + 1)

S FCP P50FC(i) + 20 ≤ S FCP P50FC(i + 1)

S FCP O50FC(i) + 20 ≤ S FCP O50FC(i + 1)

S ICP I50FC CMDS(i) + 20 ≤ S ICP I50FC CMDS(i + 1)

S ICP I50FC SENSOR(i + 1) − 20 ≤ S ICP I50FC SENSOR(i)

S FCP I50FC(i + 1) − 20 ≤ S FCP I50FC(i)

S FCP P50FC(i + 1) − 20 ≤ S FCP P50FC(i)

S FCP O50FC(i + 1) − 20 ≤ S FCP O50FC(i)

S ICP I50FC CMDS(i + 1) − 20 ≤ S ICP I50FC CMDS(i)

; 10 Hz FC tasks, p = 100

S ICP I10FC SENSOR(i) + 100 ≤ S ICP I10FC SENSOR(i + 1)

S FCP I10FC(i) + 100 ≤ S FCP I10FC(i + 1)

S FCP P10FC(i) + 100 ≤ S FCP P10FC(i + 1)

S FCP O10FC(i) + 100 ≤ S FCP O10FC(i + 1)

INDUSTRIAL EXAMPLE: NASA X-38 CREW RETURN VEHICLE 171

S ICP I10FC CMDS(i) + 100 ≤ S ICP I10FC CMDS(i + 1)

S ICP I10FC SENSOR(i + 1) − 100 ≤ S ICP I10FC SENSOR(i)

S FCP I10FC(i + 1) − 100 ≤ S FCP I10FC(i)

S FCP P10FC(i + 1) − 100 ≤ S FCP P10FC(i)

S FCP O10FC(i + 1) − 100 ≤ S FCP O10FC(i)

S ICP I10FC CMDS(i + 1) − 100 ≤ S ICP I10FC CMDS(i)

; 50 Hz NFC tasks

S ICP I50NFC SENSOR(i) + 20 ≤ S ICP I50NFC SENSOR(i + 1)

S FCP I50NFC(i) + 20 ≤ S FCP I50NFC(i + 1)

S FCP P50NFC(i) + 20 ≤ S FCP P50NFC(i + 1)

S ICP I50NFC SENSOR(i + 1) − 20 ≤ S ICP I50NFC SENSOR(i)

S FCP I50NFC(i + 1) − 20 ≤ S FCP I50NFC(i)

S FCP P50NFC(i + 1) − 20 ≤ S FCP P50NFC(i)

Priority assertions:

EFCP I50FC(i) ≤ S FCP I10FC(i)

;50 Hz FC higher priority than 10 Hz FC

EFCP I50FC(i) ≤ S FCP I50NFC(i)

;50 Hz FC higher priority than 50 Hz NFC Negation of safety assertion:

SICP I50FC SENSOR(I ) + 11 ≤ E ICP I50FC CMDS(I)

SICP I10FC SENSOR(I ) + 51 ≤ E ICP I10FC CMDS(I)

6.7.6Constraint Graph Analysis

To verify the satisfaction of the safety assertion, the Presburger formulas are represented in a constraint graph shown in [Rice and Cheng, 1999]. The system specification alone produces a graph with no positive cycles. Negation of the safety assertion, however, yields edges that produce positive cycles between clusters, thus it verifies critical system performance. For example, a positive cycle with vertices S ICP I50FC SENSOR, E ICP I50FC CMDS, S ICP I50FC CMDS, S FCP O50FC, S FCP P50FC, S FCP I50FC, and back to S ICP I50FC SENSOR, yields a cycle with weight 1.