14_advanced_elevator

14AdvancedElevatorBehaviorsDistributedEmbeddedSystemsChrisSzilagyiMarch15,2010©Copyright2010,PhilipKoopman2Overview‹Wherewe’vebeen:•End-to-endscheduling‹Today:•Timetriggereddesign,revisited•Advancedelevatortopics‹Wherewe’regoing:•Verification,validation,andcertificationPhotoCredits::240_Sparks_Elevators.jpg:Carnival_Sensation_Grand_Atrium_elevators.JPG3Project7-Implementation‹WorkingelevatorrequiredforsubmissionthisThursday•Mustpasstheonerequiredacceptancetest•Mustalsopassallunitandintegrationtests•Musthaveacompleteandconsistentdesignportfolio‹Designrequirementsinthislectureareforprojects8andup•Don’tworryaboutfancydispatchersanddrivesifnotdesignedyet•Getthesimpleversionworkingfirst‹Debuggingtips•~ece649/project/codebase/debugging.html•Usethe-seedoptionforexactrepetitionofevents•Use-breaktospecifytimesto“pause”theelevator–ThenwatchtheGUIinslowmode,watchoutputs,oraddyourownbreakpoints‹AdditionalofficehourWednesdayMarch17th(4:30-5:30PM)•Location:UndergradLounge4Time-Triggeredvs.Event-Triggered‹Event-triggered•Actionsoccurinresponsetoaneventinthesystem•ETisgoodforsystemsthatarenaturallytransactional–Financialsystems–Systemsbackedbydatabases•Recordeventsinordertomaintainstate‹Time-triggered•Actionsoccurbasedontheprogressionoftime•Decisionsbasedonstatevariables•TTisgoodforsystemsthatarestateoriented”–Systemswithphysicalstatethatneedstoberepresentedinthesystem•Infereventsfromchangesinstatevariables–Havetosamplestatevariablesfastenough–Mightmisseventsthatoccurfasterthanthetime-triggeredperiod5Time-triggeredvs.Event-triggered:FaultRecovery‹Event-triggered•Makesurethatthemessagegotthrough–Okforpoint-to-point(e.g.TCP:SYN/ACK)–Multicastacknowledgementismessyandexpensive–EvenworseinthepresenceofByzantinefaults»ByzantineÎdifferentnodesreceivedifferentvalues‹Time-triggered•Resilienttotransientfaults(e.g.lostmessages)•Faultrecovery(retransmission)happensautomatically‹Whataboutwastedbandwidth?(usualcounterargumentforTT)•Tomeetreal-timedeadlines,youhavetoleavebandwidthfreeforhigh-prioritymessagesnomatterwhat•Mightaswellsendthemessagesallthetime•TTmakesschedulesandreal-timeguaranteeseasiertomake6Time-Triggeredvs.Event-Triggered‹Time-triggeredisnotalwaystheanswer,BUT…Probablytherightanswerformostembeddedapplications‹Mostpeopleunderstandevent-triggered•Time-triggeredrequiresadifferentwayofthinkingaboutdesign•LearnaboutTTsoyoucanunderstandthetradeoffs7HowdoIknowifmydesignistime-triggered?‹Time-triggereddesignsDO:•Performactions(computations)andwriteoutputseveryperiod•Makedecisionsbasedonlyonthecurrentstateofthesystem‹Puretime-triggereddesignsDONOT:•Haveactionsonarcs•Makedecisionsbasedonhowthecurrentstatewasreached•Haveentryactions(*annotation)‹YourprojectMUSTbetime-triggered!8EntryActionsonStates‹Thisisnotatime-triggeredbehavior‹Bestpractice:•Eliminateentryactionswhereverpossible‹Alternative(notthebestpractice):•Addanadditionalstatebetweenthetwostates•Thisaddscomplexity•Thisaddslatency(payattentiontosafetyconstraints)‹DoNOTadda“thisisthefirsttime”flagvariabletoworkaroundthis!‹DoNOTtakemorethanonetransitionperloopexecution•Needtohaveaworst-caseboundonexecutiontime•Approximateprocessorconstrainednodes.9AdvancedElevatorTopics‹Commitpoint‹Dispatcheralgorithmsandthedesiredfloormessage‹Raceconditionsfordistributedsystems‹Startupconditions‹Passengerinteractions‹Real-worldelevatordesigncomplexities10CommitPointCalculation‹Stoppingdistance:Thedistancebetweenwhereyouarenowandwhereyoucanstop•Assumesfollowingnormal(non-emergency)accelerationprofile•Athighspeeds,thismightbemultiplefloorsaway‹CommitPoint:Theelevatorpositionatwhichyoumustdecidewhethertostopatparticularfloor•Occurswhenelevatorreachesthestoppingdistancefromthatfloorlocation•Thisisafunctionofelevatorspeed!‹Whenyoupassthecommitpoint,youlosetheoptionofstopping•Evenifyoustillhaven’treachedtheflooryet•Thinkofthe“pointofnoreturn”forthatfloor11Elevatormotionprofiles123Acceleration(m/s2)Velocity(m/s)0.51.01.0-1.0Position(m)123450.00Time(s)1234565.7512UsingTheCommitPoint‹Thecommitpointgetsfurtherawayasspeedincreases•Whenstopped,thecommitpointisexactlyatthefloor(stoppingdistance=0)•Athighspeeds,commitpointisseveralfloorsawayfromelevatorposition‹Thecourseprojectelevatorcanstop“instantly”fromslowspeed•But,fromfastspeedyouneedtorampdown‹Computationmustbeconservative,takeintoaccount•Granularityofsensorinputs•Worstcasenetworkdelays‹Controllersneedtohaveaconsistentnotionofcommitpoint•Nottoodifficultinthefault-freecase,orwithdroppedmessagefaults‹Inrealelevators,howdoescommitpointaffectcarfloorindicator?•Why?13DispatcherMessages–Whatdotheymean?‹DesiredFloor•Floor–thefloorweintendtogotonext•Direction–thedirectionweintendtogoafterwereachthedesiredFloor•Hallway–whichdoorsshouldopen‹DesiredDwell•Howlongtoholdthedoorsopen•Mightvarydependingonwhetheryouransweringahallcalloracarcall•Mightvarydependingonmode(uppeak,downpeak)‹StartinginProject8:Followtheaboveusage.Forexample:•Iftheelevatorisstoppedandopening