Heejong Park, Avinash Malik, Muhammad Nadeem, and Zoran Salcic.
University of Auckland, NZ


Study difference between classical (RTOS) model of computation vs. the synchronous model of computation

Improved state representation and formal functional and non-functional (timing) verification of programs designed in reactive languages

Different design decisions for implementing the same safety critical application.


Implementing the cardiac pacemaker control logic in SystemJ and comparing with the SCJ implementation.

Features compared:
◦ Scheduling policies
◦ Real-time and response-time analysis
◦ Memory model (if you are interested, after the presentation).

• The dips below the X-axis are the pacing signals
• Scenario D: A normal working heart.
• Scenario A: Atrial and ventricle pace are produced
• Scenario B: Only atrial pace produced
• Scenario C: Only ventricle pace produced


Globally Asynchronous
Locally Synchronous
(GALS) MoC.

Signals are used for communication within each synchronous island
(clock-domain).

Channels and modified-
CSP style rendezvous between reactions in different clock-domains.

S/O1
L1
!S/O2 input signal S;
L1: pause ; present (S) emit O1; else emit O2;
L2: pause ;
L2

L1 L2
L1L
2
A/B C/D A&&C/
{B,D}
L1’ L2’
L1’
L2’


Only synchronous parallel composition

All communication via signals

Input and Output to the heart model also via signals

No need for asynchrony, because only one mode runs at any given time


States are explicitly demarcated at pause


Smaller state space compared to SCJ
Every FSM transition is atomic
◦ Easier to verify, since synchrony avoids interleaving altogether .
◦ Further reduction in state space, because change in signals
(and update of data) is not visible until completion of transition.

We verified for the pacemaker liveness properties
(via SPIN model-checker)
◦ If Ventricle/Atrial sense is not detected Ventricular/Atrial pace will always be generated.

SCJ vs. SystemJ – tasks and scheduling model

Task priority
◦ SCJ needs unique priority for each task
◦ All SystemJ reactions have equal priority (or no priority)

Task ordering
◦ Priorities and schedule together determine task-ordering in SCJ
◦ Reactions in SystemJ can be run in any order – more optimization chances, outputs are always deterministic.

Response time
◦ SCJ (RTOS) definition – time from release to completion of a task.
◦ Time from one or more inputs to generation of one or more outputs via one or more tasks (reactions/CDs) interacting together.

Event handling
◦ SCJ supports Periodic and Aperiodic event handlers, no sporadic events (?) and what happens with multiple incoming events?
◦ SystemJ can be considered to have only sporadic event handling with minimum statically guaranteed inter-arrival time. Multiple events can always be captured.

SystemJ – timing model guaranteeing real-time properties
A
A
𝑊
𝐴𝐵
I/{}
𝑊𝐶𝑅𝑇
B
B
𝑊
𝐵𝐶
T/{O}
𝑊𝐶𝑅𝑇
C
C



WCRT = max(𝑊
𝐴𝐵
, 𝑊
𝐵𝐶
)
𝐼 → 𝑂 (response time from I to O) =
WCRT * 2
Verifying real-time property: []𝐼 →⋄
𝑀
𝑂


Timers
◦ SCJ handles timing via one shot timer handlers, triggered via external timers
◦ SystemJ converts wait statements to logical time – bounded self-transitions.
 The resultant system is still real-time analyzable.
 The wait is exact.
𝑊𝐶𝑅𝑇 d<10
A
𝑊𝐶𝑅𝑇 d==10
B


We run the pacemaker on 3 different platforms:
◦ Standard JOP – all SystemJ compiled to simple
Java
◦ TP-JOP, separated control and dataprocessing.
◦ JOP+, JOP with support for reactivity and control processing.

Experimental results
Logic Element usage
Average Tick times (us)
Generated memory footprint (KB)

Conclusions






SystemJ is easier to verify (functional and nonfunctional):
◦ One is just programming an automaton
◦ Reduced state space representation, every change in data/signal is not a new state, only pause makes a new state
Time (real and logical) is a first class language construct.
SystemJ allows handling multiple events, since it is clock-driven.
No preemption of transitions, preemptions only allowed once transition is finished.
Correct by construction achieved via SPIN and SMT.
Verified, pacemaker control-logic implemented in
SystemJ.