# DEMES: a Discrete-Event methodology for Modeling and Simulation of Embedded Systems

<sup>1</sup>Gabriel Wainer SMSCS

<sup>2</sup>Rodrigo Castro *MSCS* 

<sup>1</sup>Department of Systems and Computer Engineering VSim Centre. Carleton University. Ottawa, ON. K1S 5B6. Canada.

mputer Engineering<sup>2</sup> Computer Science Departmentrsity. Ottawa, ON.Universidad de Buenos Aires and CIFASIS-da.CONICET (Rosario, Santa Fe). Argentina.http://www.sce.carleton.ca/faculty/wainer

In the last thirty years, the Software Engineering community has spent a tremendous effort in creating formal methods and tools for developing embedded systems, in particular, those with real-time constraints. Despite these efforts. most existing methods are still hard to scale up, and they require expensive testing efforts with no guarantees for bug-free products. Instead, systems engineers have often relied on modeling and simulation (M&S) techniques to improve the development task and obtain higher quality products. M&S-based testing is widely used for the early stages of a project; however, when the development tasks switch towards the target environment, early models are often abandoned. In order to deal with these issues, we introduce DEMES (Discrete-Event Modeling of Embedded Systems) an M&S-based development methodology based on discrete-event systems specifications. DEMES combines the advantages of a practical approach with the rigor of a formal method, in which one consistently use models throughout the development cycle.

## **Introduction to DEMES**

Formal methods for embedded systems development use mathematical notations to define the system's requirements, allowing proving system properties (liveness, timeliness, etc.). These techniques have had success, but they are still difficult to apply and do not scale up well. Instead, construction of system models and their analysis through simulation (M&S) reduces cost and risk, allowing exploring changes and testing of dynamic conditions in a risk-free environment. This is a useful approach, moreover considering that testing under actual operating conditions may be impractical and in some cases impossible. Despite the net gains, most project managers are reluctant to use M&S because they require extra initial resources for models that will not be part of the final application. DEMES deals with these issues by using a model-based. The approach combines the advantages of M&S with the rigor of a formal methodology based on DEVS (Discrete Event Systems Specification) formalism [1]; it supports rapid prototyping and encourages reuse. DEVS is a well-defined formalism that is expressive, operates at a high level of specification, and it can be used to represent both computing systems and the physical systems they control. DEVS models have a rich structural representation of components, and formal means for explicitly specifying their timing, which is central for real-time systems.

DEMES enables the incremental construction of such embedded applications using a discrete-event architecture for both simulation and the target product architecture. The use of DEVS for DEMES offers the following advantages:

- **Reliability:** logical and timing correctness rely on DEVS system theoretical roots and sound mathematical theory.

- **Model reuse:** DEVS has well-defined concepts for coupling of components and hierarchical, modular model composition.

- Hybrid modeling and knowledge reuse: it has been proven that DEVS is the most general discrete event formalism (i.e., every other method can be expressed as DEVS), and many techniques used for embedded systems have been mapped into DEVS (e.g., Verilog, VHDL, Timed Automata, State Charts, etc.). Hence, we can use different methods while keeping independence at the level of the executive, using the most adequate technique on each part of system architecture and reusing existing expertise.

- **Process flexibility:** these hybrid modeling capabilities are transparent for the executive, which is defined by an abstract mechanism that is independent from the model itself. Existing DEVS tools have showed their ability to execute such variety of models with high performance.

- **Testing:** defining experimental frames (i.e., the set of conditions under which the system is observed or experimented with) can be automated.

DEMES uses M&S for the initial stages, and replaces models incrementally with hardware surrogates without modifying the original models. The transition can be done in incremental steps, incorporating models in the target environment after thorough testing in the simulated platform, allowing reusing of models throughout the process. The approach does not impose any order in the deployment in the actual hardware platform, providing flexibility to the overall process. Figure 1 shows the architecture of the process used in DEMES.



Figure 1. DEMES development cycle.

Initially (1), we define a specification model of the System of Interest (SoI) using a formal model (using DEVS or alternative techniques translated to equivalent DEVS models). Once the DEVS specification model is complete, model-checking can be used for validation of the model properties (2). The same models are then used to run DEVS simulations of the behavior of the different submodels under specific loads (3). In brief, we first study system properties analytically, and complement the proofs using simulation, which can also be used for hardware/software codesign (and for training).

The same DEVS specification model is used to derive test cases (4), which can be also used for the simulation studies. Deriving test cases from both the model (4) and from the simulation results (5) allows us to check that the models conform to the requirements. Once we are satisfied with both analytical and simulated results, the models are incrementally moved into a target platform. A real-time Executive (6) executes the models on the particular hardware (9). If the hardware is not readily available, the software components can still be developed incrementally and tested against a model of the hardware to verify viability and take early design decisions. As the design process evolves, both software and hardware models can be refined, progressively setting checkpoints in real prototypes. The executive allows to execute dynamic models and to schedule static and dynamic tasks.

At this point, those parts that are still unverified in the formal and simulated environments are tested, increasing the confidence of the engineer into the implemented system (7). Any modifications require going back to the same model specifications (8), which ensure that we can provide a consistent set throughout the development. This software lifecycle is cyclic, allowing refinement following a spiral approach. On each cycle of the spiral, we end with a prototype application consisting of software/hardware components interacting with simulated components.

## **Other Model-Based approaches**

Different techniques have been proposed to deal with the issues discussed earlier. For instance, BIP [2] defines components as the superposition of three layers: Behavior (a set of transitions); Interactions (between transitions) and Priorities (to choose amongst interactions). BIP preserves properties during model composition and supports analysis and transformations across heterogeneous boundaries (untimed/timed, asynchronous/synchronous, event /data-triggered).

Ptolemy II [3] is a structured and hierarchical method for modeling heterogeneous systems using specific MoC that covers the flow of data and control. ECSL (Embedded Control Systems Language) supports the development of distributed controllers [4], including a domainspecific environment for automotive systems (extending the Matlab family with capabilities for specification, verification, scheduling, performance analysis, etc.).

SystemC and Esterel are system-level languages used to simulate and execute models, which have widespread industry adoption [5]. SystemC represents hardware/software systems at different abstraction levels, allowing choosing the desired level of detail for each component. Esterel is used for hardware/software synthesis through a synchronous reaction-based language and higher-level statements for concurrency.

One of the most popular techniques, UML-RT, provides an object-oriented methodology. A comparison between DEVS and UML-RT [6] shows that, although available in the UML-RT Profile, time, scheduling and performance are coded using UML constructions (i.e., not formally defined). Instead, DEVS provides sound syntax/semantics for structure, behaviour, time representation and composition, which lend themselves to well-defined computation. DEVS, however, is not intended for software design and development, and "it is key to support the transformation of simulation models to their software model counterparts and their complementary roles in handling modeling and computational complexity of embedded systems". DEMES software development environment focuses on complementing these shortcomings.

## **Modeling with DEVS**

A real system modeled with DEVS [1] is described as a hierarchical and modular composite of models that can be behavioral (atomic) or structural (coupled). A DEVS *atomic model* is:

AM =  $\langle X, S, Y, \delta_{int}, \delta_{ext}, \lambda, ta \rangle$ 

Every state  $s \in S$  is associated with a lifetime, defined by the time advance function ta(s). When a model receives an input event X, the external transition function  $\delta_{ext}$  is triggered. This function uses the input event, the current state and the time elapsed since the last event to determine the next model's state. If no events occur before ta(s), the model activates the output function  $\lambda$  (outputs Y) and moves to a new state determined by the internal transition function  $\delta_{int}$ . A DEVS *coupled model* is:

 $CM = \langle X, Y, D, \{M_i\}, \{Z_{ij}\}, select >$ 

CM represents a set of basic components  $M_i$  (i  $\in$  D) interconnected through their interfaces (X, Y). The translation function  $Z_{ij}$  converts the outputs of a model into inputs for others, and the select function is used for tie-breaking. The closure under coupling (i.e., a coupled model has an atomic equivalent) enables model reuse.

In the last few years, DEVS has been used for modeling applications with real-time constraints. RT-DEVS [7] introduced a DEVSbased framework for the transformation from the system design to the implementation of embedded systems. In [8] the authors present a formal mapping of DEVS models into timed Communicating Sequential Process (tCSP) for hardware/software codesign. DEVS/DOC [9], a codesign methodology, was used to predict architectural decisions that could lead to incorrect system behavior, introducing a modeling layer on top of fine grained DEVS modeling constructs. In [10] DEVS was implemented on a TINI Chip using a just-as-needed real time environment to run on the chip efficiently. A codevelopment methodology defined in [11] facilitated the repetitive testing of on-going system specifications. PowerDEVS, which supports continuous and hybrid systems with quantized state numerical methods was extended with realtime support.

# **E-CD++: an environment for DEMES**

CD++ [12] provides a mechanism to build DEVS models (which can be implemented in C++ or using a built-in language) using DEVS formal specifications. The *ButtonInputModule* model shows parts of the transition functions for a component of a cruise control system (CCS).

ButtonInputModule::ButtonInputModule ( const string &name ) : Atomic( name ), in\_BUTTON( addInputPort("in\_BUTTON") ), out\_ON( addOutputPort("out\_ON") ), out\_RESUME( addOutputPort("out\_RESUME")) {reactionTime = VTime( 0, 0, 0, 15 );}

```
Model &ButtonInputModule::externalFunction (
  const ExternalMessage &msg ) {
    if( msg.port() == in_BUTTON ) {
        inType=(int)msg.value();
        holdIn( active, reactionTime );}}
Model &ButtonInputModule::outputFunction (
        const InternalMessage &msg ) {
        switch(inType) {
        case ON: //take action {
            sendOutput( msg.time(), out_ON, HIGH); }
        case OFF: //take action {
            sendOutput( msg.time(), out_OFF, HIGH);
        ...} ... } }
Model &ButtonInputModule::internalFunction (
```

const InternalMessage & ) {passivate();}

RT-CD++ [13] integrates simulation models and hardware components for the DEMES methodology. We thoroughly tested the performance of RT-CD++ using real applications and synthetic benchmarks. In all cases, we obtained a small overhead (2% to 3% for large models) thanks to the use of a Flat Coordinator executive, which enhanced performance by lowering the internal messaging overhead. Figure 2 outlines the software hierarchy generated to execute the CCS model above. Root Coordinator manages the interaction with an Experimental Frame (used to test the model). Coordinators synchronize the subcomponents. Each external input can be associated to a timing constraint. When the processing of such an event is completed, the *Coordinator* checks to see if the deadlines were met (to obtain performance metrics, or to provide alternate actions if a deadline is missed).



Figure 2. RT-CD++ simulation scheme

RT-CD++ was the base for Embedded CD++ (E-CD++) [14]. The time advance function is tied to the real-time clock, and inputs/outputs can interact with external devices. The engine runs on a single board computer (SBC), interacting with hardware components. An Eclipse-based IDE (E-CD++ Eclipse-based IDE) helps non-expert users following the DEMES methodology (including a graphical environment based on DEVS-Graphs). We included a Flexible Dynamic Structure algorithm in E-CD++ based on Dynamic structure DEVS [15], supporting structural changes for changing environments.





## **Applying E-CD++ for DEMES**

We show how to use DEMES to develop embedded applications incrementally, integrating simulation models and hardware components. Initially, we develop models entirely in E-CD++, and we replace them with hardware surrogates at later stages of the process, making the transition in incremental steps, incorporating models in the target environment with hardwaresoftware components after thorough testing in the simulated platform (using the specification models throughout the process).

On web reference <u>http://youtube.com/arslab</u> the reader will find a sample application built as an experimentation environment for the construction of robotic controllers. We also built a model of the CODEC of the Analog Devices 2189M EZ-KITLITE. This was originally built as a DEVS model, and it was later replaced it by a hardware prototype on a DSP board. These examples were used to experiment model-tohardware transition without modifying the original design.

## **Elevator** Application

We show the ideas above with a simple example of an elevator servicing a four-floor building. Initially we model and simulate the entire system, using the structure presented in Figure 4.



Figure 4. Scheme of the elevator system

The system consists of an Elevator Control Unit (ECU), the Elevator Box (formed by two atomic models: the engine and a sensor controller), a button and display controllers. Most of the logic of the ECU is located in the external transition function, which handles the buttons pressed and schedules the next internal transition to control the engine or to display a new value (e.g., the elevator starts moving, or a new floor is reached). Users can define the activation time for the engine, customizing its timing behavior. Different experimental frames were applied to this model, allowing the analysis of different scenarios. We started by analyzing the behavior of each submodel independently (using the specifications for their physical counterparts) and then conducted integration tests as in Table 1.

| Time               | Deadline  | In-port  | Out-Port    | Val. |
|--------------------|-----------|----------|-------------|------|
| Experimental Frame |           |          |             |      |
| 00:11:510          | 00:11:700 | btn_3    | led3        | 1    |
| 00:14:600          | 00:14:800 | sensor_2 | flr_display | 1    |
| 00:19:500          | 00:19:700 | sensor_3 | flr_display | 1    |
|                    |           |          |             |      |
| Outputs            |           |          |             |      |
| 00:11:510          | 00:11:700 |          | led3        | 1    |
| 00:11:510          |           |          | dir_display | 1    |
| 00:14:610          | 00:14:800 |          | flr_display | 2    |
| 00:19:510          | 00:19:700 |          | led3        | 0    |
| 00:19:510          |           |          | flr_display | 3    |
| 00:19:510          |           |          | dir_display | 0    |
|                    |           |          |             |      |

Table 1. Experimental frame for the elevator.

Once satisfied with the overall behavior of the simulated model, we progressively replaced the models by hardware components. The first step was to replace the button controller (using a keypad to send requests to the simulated ECU, which remain unchanged). Replacing this component is straightforward (we only removed the original component from the coupled model definition file and changed the coupling data).

Testing the model only requires reusing the experimental frames used for simulation. As we built the button controller model following the hardware specifications for the actual buttons, and the interfaces of the models do not change, the transition is transparent (the results obtained were equivalent to Table 1, regardless of the changes). After conducting extensive tests, we also moved the remaining components to the microcontroller (and only the elevator's engine is still simulated).

## Embedded Network Control

In this section we show how to apply DEMES to design a supervisory control for network Quality of Service (QoS) embedded in a Network Processor. The goal is to enforce lowlevel traffic shaping actions according to highlevel QoS policies (which assign finite network resources to multiple competing traffic flows) and the evolving performance of traffic [16]. This discipline spans several domains, specification languages and temporal dynamics. At the higher levels, we find coarse-grained global policies (with a few changes per day). At lower levels, QoS shaping algorithms modify the assignment of network resources to data-flows (every few seconds). At the lowest levels, specific algorithms take granular decisions at the microsecond time scale on a per-packet basis. This scenario makes it difficult to design and test QoS management, and to verify and validate the system-wide effects of layer-specific changes.

We designed a QoS shaper prototype that accepts policies from higher levels while knowing the status of the lowest level traffic (e.g., the current packet drop-rate). Depending on the policies and the drop-rate, control actions are sent to the lower packet-level algorithms to enforce granular decisions. QoS I/O information is exchanged through real-time ports between E-CD++ and the packet handling circuitry.

When a high-level QoS policy changes, model's parameters get different values, adapting the QoS Controller with a new behavior for the shaping actions. These actions regulate the threshold levels at the low-level algorithm RED (Random Early Detection). RED discards packets arriving from incoming queues according to a probability associated to the queue length. This probability increases linearly (growing from 0 when a Queue Minimum Threshold QmT is crossed, and stopping at 1 when a Queue Maximum Threshold QMT is reached). Our experimental shaper sends commands to RED indicating that QmT and QMT should be adjusted to new values, thus affecting the packet drop-rate. We used an Intel IXP2400 Network Processor, an OC-48/2.5 Gbps line rate packet chip structured in two internal levels: a slow data path with an Intel XScale Core processor (XScale), and a fast data path with 8 multi-threaded pipelined MicroEngines (ME). IXP2400 allows implementing reconfigurable rule engines that can be adapted on demand while sustaining high performance packet handling tasks [17].

We embedded E-CD++ into the XScale and interfaced it to the MEs. The embedded models executed by E-CD++ interact in real-time with specialized packet handling code (microblocks) ran distributed in the MEs. We then followed DEMES for an incremental co-development prototype of the QoS system.



Figure 5. Modeling a QoS processing system

We first verified the system behavior in a PC with a standalone version of the E-CD++ simulator. Once the functionality of the *QoS Controller* was verified, we moved it into the XScale processor. In this stage, as the simulator's experimental frame changed, a new verification phase was conducted to reassess simulation results (Figure 5, left). *QoS Actuator* and *Traffic Sensor* send commands and sense droprate values, respectively. They talk to their counterparts in the *Packet Processing* system: a *QoS Shaper* and a *Metering System*. In the last stage, we move from embedded simulation to real-time execution of models (Figure 5, Right).

The MEs replace their DEVS equivalent models (which originally performed the traffic generation and consumption, and functions *QoS Shaper*, *Metering System* and *Packet Processing Pipeline*). *QoS Actuator* and *Traffic Sensor* are deployed into special Software/Hardware *Mapper* models (signal adapters that invoke IXP libraries to perform the mapping). The switch is transparent for the DEVS *QoS Controller* system. Finally, the whole system is validated using a constant-rate packet-dropping generator code running on the MEs. In the meantime, a separate development team reprogrammed other hardware pieces, preparing the RED algorithm to react to the new Shaping commands, interleaving the software and hardware co-development process and starting a new incremental cycle of system verification and validation.

# Conclusion

M&S techniques can offer significant support for the design and test of complex embedded applications. DEMES allows for a seamless transition capability for studying models through simulation in a model-based environment, and then execute the same models directly in hardware. We showed the use of DEVS as the basis for DEMES, which allowed us to develop incrementally different applications including hardware components and DEVS models. The transition from simulated models to the actual hardware can be incremental, incorporating deployed models into the framework when they are ready. This approach does not impose any order in the deployment of the hardware components, providing flexibility to the overall process. The use of DEVS improves reliability (in terms of logical correctness and timing), enables model reuse, and permits reducing development and testing times. Consequently, the development cycle is shortened, its cost reduced, and quality and reliability of the final product improved.

Testing and maintenance phases are highly improved due to the use of a formal approach.

Relying on experimental frameworks facilitates testing in a cost-effective manner, allowing users to build and reuse test frames for each submodel. Since DEVS is closed under coupling, models can be decomposed in simpler versions, always obtaining equivalent behaviour. Finally, the semantics of models are not tied to particular interpretations, thus existing models can be reused.

E-CD++ provides us with a tool for DEMES, in which embedded systems can be designed following DEVS-based methodologies, and be implemented on different hardware (FPGA, SBCs, general purpose processors or specialized ones like the IXA platform). The verified models can be deployed to the targets without modifying a single line of code.

We are currently working on a verification toolkit to use the timing properties of the DEVS models under development. In this way, we will have an environment for DEMES in which the user builds models, test them in the simulated environment, uses verification tools to analyze timing properties, and downloads the resulting application to the target platform, being able to provide rapid prototyping and enhanced development capabilities.

## References

[1] B. P. Zeigler, H. Praehofer and T. G. Kim. *Theory of Modeling and Simulation.* 2nd. ed. Academic Press, 2000.

[2] A. Basu, M. Bozga and J. Sifakis. "Modeling heterogeneous real-time components in BIP". *In Proceedings of SEFM 2006*. Pune, India, 2006.

[3] J. Eker, J. Janneck, E. Lee, J. Liu, X. Liu, J. Ludvig, S. Neuendorffer, S. Sachs and Y. Xiong. "Taming heterogeneity—the Ptolemy approach". *Proceedings of the IEEE*, V 91, 127-144, 2003.

[4] K. Balasubramanian, A. Gokhale, G. Karsai,
J. Sztipanovits and S. Neema. "Developing Applications Using Model-Driven Design Environments". *COMPUTER*, V. 39, pp. 33-40, 2006.
[5] J. Brandt and K. Schneider, "How different are esterel and SystemC?". In *Embedded Systems Specification and Design Languages.*, vol. 10, Springer, 2008. pp. 3-13.

[6] D. Huang and H. Sarjoughian. "Software and simulation modeling for real-time softwareintensive systems". *In Proceedings of Eighth IEEE International Symposium on Distributed*  Simulation and Real-Time Applications. DS-RT 2004. pp. 196-203. 2004.

[7] T. G. Kim, S. M. Cho and W. B. Lee, "DEVS framework for systems development: Unified specification for logical analysis, performance evaluation and implementation". In *Discrete Event Modeling & Simulation: Enabling Future Technologies.* Springer. 2000.

[8] S. Schulz, J. W. Rozenblit, M. Mrva and K. Buchenriede. "Model-based codesign". *Computer*, vol. 31, pp. 60-67, 1998.

[9] D. Hild, H. Sarjoughian and B. Zeigler. "DEVS-DOC: a modeling and simulation environment enablingdistributed codesign". *IEEE Trans. On Systems, Man and Cybernetics A*, (32), 78-92, 2002.

[10] X. Hu, B. P. Zeigler and J. Couretas. "Devson-A-chip: Implementing DEVs in real-time java on A tiny internet interface for scalable factory automation". *In Proc. of IEEE SMC*. Tucson, AZ. 2001.

[11] K. C. Kang, J. Y. Lee and H. J. Kim. "Codevelopment of real-time systems and their simulation environments". *In Proc. of APSEC 2000*. Singapore, 2000.

[12] G. Wainer. "Discrete-Event Modeling and Simulation: a Practitioner's approach". *CRC Press. Taylor and Francis.* 2009.

[13] G. Wainer, E. Glinsky and P. MacSween, "Model-driven architecture of real-time systems". In *Model-Driven Software Development - Research and Practice in Software Engineering.* vol. II, Springer-Verlag, 2005.

[14] Y. H. Yu and G. Wainer. "E-CD++: An engine for executing DEVS models in embedded platforms". *Proc. of SCSC*. San Diego, CA, 2007.
[15] F. J. Barros. "Modeling Formalisms for Dynamic Structure Systems". *ACM Transactions on Modeling and Computer Simulation*, vol. 7, pp. 501-515, October 1997.

[16] A. Kuzmanovic and E. W. Knightly. "Measurement-Based Characterization and Classification of QoS-Enhanced Systems". *IEEE Trans. Parallel Distrib. Syst.*, V. 14, pp. 671-685, 2003.

[17] S. Gavrilovska, A. Kumar and K. Schwan. "The execution of event-action rules on programmable network processors". *In Proceedings* of Workshop on Operating System and Architectural Support for the on-Demand IT Infrastructure (OASIS 2004), Boston, MA, 2004. Gabriel Wainer received the M.Sc. (1993) and Ph.D. degrees (1998, with highest honors) of the University of Buenos Aires, Argentina, and Université d'Aix-Marseille III, France. He is an Associate Professor at the Department of Systems and Computer Engineering, Carleton University. He is the author of four books and numerous research articles, edited four other books, and helped organizing numerous conferences, including being one of the founders of SIMUTools and SIMAud. Prof. Wainer is the Vice-President Publications, and was a member of the Board of Directors of SCS. He is Special Issues Editor of the SIMULATION, member of the Editorial Board of Wireless Networks, JDMS, and International Journal of Simulation and Process Modelling. He is the head of the Advanced Real-Time Simulation lab. at Carleton University's Centre for advanced Simulation and Visualization (V-Sim). He has been the recipient of various awards, including IBM Eclipse Innovation, SCS Leadership, various Best Papers, and the First Bernard P. Zeigler DEVS M&S.

Rodrigo Castro received a Ph.D degree (2010) in EE from Universidad Nacional de Rosario, Argentina. Since 2007 he is a Lecturer at the Computer Science Department, Universidad de Buenos Aires (UBA), Argentina, where he is the head of the Discrete Event Simulation Group. He is also a lecturer at the Faculty of Engineering, UBA. He has been a visiting scholar at the Advanced Real-Time Simulation lab (Carleton University, Canada) and the Modeling and Simulation Research Group (ETH Zurich, Switzerland). Since 2000, he has participated in several projects with industry (Siemens, CISCO, Hewlett-Packard) in the areas of networking and performance optimization. Dr. Castro was awarded an Emerging Leaders in the Americas grant by the Government of Canada, and he received recognitions from the Organization of Ibero-American States for the Education, Science and Culture (OEI) and UBA.