Abstract: Embedded systems often involve transmitting feedback signals between multiple control tasks that are implemented on different electronic control units communicating via a shared bus. To ensure stability and control performance, such designs require all control signals to be delivered within a specified deadline, which is ensured through appropriate timing or schedulability analysis. In this brief, we study controller design that allows control feedback signals to occasionally miss their deadlines. In particular, we provide analytical bounds on deadline misses such that the control loop retains its stability and meets its control performance requirements. We argue that such relaxation allows us to 1) use lower quality communication resources (e.g., event-triggered instead of time-triggered communication) and 2) provide more flexibility (e.g., the use of simulation) in communication timing analysis, since analytical worst-case delay bounds for real-life communication protocols are often pessimistic. We illustrate this approach using the FlexRay communication protocol for distributed automotive control systems.
I. INTRODUCTION
THE DESIGN of distributed control systems, where control tasks are implemented on different electronic control units (ECUs) communicating via a shared bus, typically requires end-to-end timing guarantees from the embedded implementation platform. For example, in Fig. 1, the controller may be designed with the assumption of a specified maximum sensor-to-actuator delay, which includes the computation times of the software tasks and the signal transmission delays on the communication bus. Such delay assumptions are guaranteed using appropriate scheduling policies along with the necessary timing or schedulability analysis. For many real-life communication protocols like CAN or FlexRay, providing tight analytical timing bounds is often difficult and leads to either pessimistic results or resource overprovisioning [2]. In many cases, this problem is circumvented using resource reservation techniques like time-triggered protocols that provide better timing guarantees and are easier to analyze. However, they are also usually more conservative and lead to poor resource utilization.
In contrast to this constraint that all control signals must meet their deadlines, in this brief we propose controller design techniques that allow control signals to occasionally miss their deadlines (or be dropped). Our main technical contribution is to provide an analytical bound on such deadline misses such that stability and control performance are nevertheless guaranteed. We believe that such relaxation may be exploited in the implementation platform design and analysis stages. For example, instead of using time-triggered communication that ensures all control signals are delivered in time, priority-based communication protocols may be used with certain signals missing their deadlines. Furthermore, bounds on deadline misses from our controller design stage may be used as an additional safety margin, thereby allowing less precise, and hence less pessimistic (e.g., simulation-based), timing analysis techniques for the implementation platform. It is worth mentioning that recently there has also been work on verification of communication schedules, which ensures that bounds on allowable control signal deadline misses are satisfied by the implementation platform [1], [8], [9], [16]. These results may be coupled with our proposed design to provide certifiable implementations where needed. The issue of incorporating feedback signal delay into controller design has been widely studied by the networked control systems community [10]-[12]. One of the seminal results on bounding signal deadline misses while guaranteeing stability, along the lines of our work, may be found in [17]. Since then, a number of other papers have reported various special cases of this result [7], [13], [15]. These results mostly provide bounds over an infinite horizon of samples (i.e., they address asymptotic behavior), which are usually difficult to check or formally verify for an implementation platform. In addition, all such results are concerned with stability and not performance, which is important in real-life settings. We attempt to overcome these shortcomings; our proposed design method has better applicability, which we illustrate using a FlexRay-based [5] distributed controller design example from the automotive domain.
II. PROBLEM FORMULATION
We study the design of feedback controllers for linear time-invariant dynamical systems (or plants)
where x(t) is the n × 1 vector of state variables and u(t) is the control input to the system. A_t is an n × n system matrix and B_t is an n × 1 vector. A typical feedback control loop performs the following three sequential operations: 1) measure the states x(t) (measure); 2) compute the input signal u(t) (compute); 3) apply the computed u(t) to the plant (1) (actuate). In a digital implementation platform of such feedback loops, these operations are performed only at discrete time instants (sampling instants). When the time interval between two consecutive sampling instants is constant, the continuous-time system (1) can be transformed into the discrete-time system
where the sampling instants are
are the values of x(t) and u(t) at t = h k and
In the rest of this brief, we consider the discrete-time state-space model shown in (2) as our model of dynamical systems.
Control Objectives:
We consider the set-point tracking problem where the control objectives are the following. 1) Achieve exponential stability, that is
where 0 < λ < 1 and c is a constant. 2) Achieve y[k] → r as k → ∞, where r is the reference. The input u[k] is designed to meet these objectives.
A. Distributed Implementation
The distributed implementation platforms we consider are of the form shown in Fig. 1. In this setup, there are multiple ECUs; multiple tasks are mapped onto each ECU and are executed according to the scheduling policy implemented on the ECU. Here, a control application is partitioned into two tasks, a plant task T_p and a controller task T_c. These tasks run on two different ECUs that communicate over a shared bus. A bus protocol allows messages (generated by tasks on the ECUs) to be scheduled on the bus. Each such message is associated with an input and an output buffer. When a message is generated, it is placed in the output buffer of the ECU, where it waits for bus access and is transmitted according to the bus schedule. Similarly, when a message arrives at the receiving ECU, it is placed in its input buffer and the corresponding task reads the message when necessary. T_p runs periodically with period h and performs two operations: 1) reading the feedback signal x[k] from the sensors (i.e., measure) and placing it as message m_x in the output buffer and 2) reading message m_c (i.e., the feedback component of u[k]) from the input buffer, adding the feedforward part to it, and applying it (i.e., actuate) to the physical system using an actuator. A key parameter of this setup (Fig. 3) is the sensor-to-actuator delay τ. As shown in Fig. 2, the time duration between reading the sensor data and receiving the next control input from the input buffer is the delay τ. It should be noted that T_p sends m_x, which is the current state x[k]. At the same time, T_p reads m_c, which is the feedback component of the control input computed using the older state x[k − τ/h], and applies it to the physical system. Clearly, τ > 0 and τ/h ≥ 1. Such a setting is common in real-life applications where the computational processes and control algorithms run at distributed locations and signals are exchanged over a network or a communication bus [6], [14].
B. Communication Bus
We will illustrate our proposed design approach using the priority-based (or event-triggered) dynamic segment of FlexRay as the communication bus. FlexRay [5] is commonly used in the automotive domain and supports both time-triggered and event-triggered communication. Time-triggered communication guarantees that all control signals are delivered in time, but the time-triggered (or static) segment is considered a premium resource. The dynamic segment, on the other hand, might cause high variations in feedback delays and occasional deadline misses (depending on the other messages being scheduled). Our proposed controller design opens up the possibility of using the less expensive dynamic segment of FlexRay, while ensuring that both stability and performance constraints are nevertheless satisfied. Fig. 4 shows a typical delay variation experienced by control messages in the dynamic segment. We briefly describe the working of the FlexRay protocol in Appendix A5 (see [5] for more details).
D. Control Scheme
On the basis of the above classification of samples, we apply two different control algorithms for ideal and nonideal sampling. The overall control scheme is the following:
where K is the feedback gain and F_1 and F_2 are the feedforward gains. Clearly, we apply feedback control only for the ideal samples and apply feedforward control (which does not need any communication over the bus) in the case of nonideal samples. The closed-loop system follows (6) for the ideal samples and (7) for the nonideal samples
With the ideal samples, the system is stabilizable if there exists a feedback gain K such that the closed-loop system (6) is stable. The stabilizability condition for this system is derived in Appendix A1. We present a design methodology for computing the feedback and feedforward gains K, F_1, and F_2 in Appendix A2, A3, and A4.
E. Closed-Loop System
Depending on the occurrence of ideal and nonideal samples, the closed-loop system switches between the system matrices A_cl and A_o (see Appendix A3 and A4). An arbitrary ordering of ideal and nonideal samples can be modeled as follows:
where the n_i are integers such that Σ_i n_i = k and w[k] is given by
for the ideal samples and
for the nonideal samples. Since the number of nonideal samples is (typically) significantly lower than the number of ideal samples (for a sufficiently large value of k), the steady state value of w[k] is mainly dominated by (9) . Thus, by putting
, we obtain from (9)
Let us define the steady state values of the states as
When k is sufficiently large (i.e., k → ∞)
Clearly, with k → ∞ and stable (12) 
In the following, we analyze the stability and the performance of the system given by (12) .
III. STABILITY AND PERFORMANCE ANALYSIS
For any matrix A_i, there exist constant scalars η_i and λ_i such that the following inequality holds:
where k ≥ 1. Therefore, we have
Here, we assume that the system (6) is stabilizable, satisfying the condition (34), and thus |a_n|/(n + 1) ≤ λ_1 < 1.
The value of μ(k) denotes the ratio between the number of ideal and nonideal samples (Fig. 5) and κ is the number of nonideal samples among k consecutive samples.
A. Stability Analysis
Here, we study exponential stability as defined in (4) of the system (12) .
Theorem 1 (Exponential Stability): Consider the switched system (12) where A_cl and A_o satisfy (14). Let μ(k) and κ be defined as per (15). The switched system (12) will be exponentially stable if the following conditions are satisfied. C1: μ(k) > μ* > 1 for k > (μ* + 1), where
We assume that the number of ideal samples is greater than the number of nonideal samples over k initial sampling intervals, i.e., μ(k) > 1.
Let us start with the case where κ = 1, i.e., there is only one nonideal sample among the initial μ(k) + 1 samples. In this case a maximum of two switchings are possible, i.e., the nonideal sample occurs somewhere in between μ(k) ideal samples. Without loss of generality, we assume r = 0. Hence,
, and by utilizing the properties given by (14), we get
Similarly, for κ = 2, a maximum of four switchings are possible, e.g.,
Hence, for any κ
Case I with κ = 1:
From Cases I and II, it may be noticed that if the conditions C1 and C2 are satisfied, we get
. This shows that ‖x[k]‖ decreases with k when conditions C1 and C2 are satisfied.
Furthermore, (λ
Clearly, for a given combination of λ_1, λ_2, and μ(k) satisfying the conditions C1 and C2 stated in Theorem 1, λ* < 1. Therefore, the system (12) is globally exponentially stable with stability degree λ* if C1 and C2 are satisfied. The stability degree is higher with higher μ(k) and lower λ*.
B. Performance Analysis
In this brief, we consider the ability to respond to an external disturbance as a measure of performance. This is defined by the tuple {S, χ} whose components are related as
where 0 ≤ S ≤ 1, χ is a positive integer, and x_ss is as per (11).
Theorem 2: Consider the switched system (12) where A_cl and A_o satisfy (14). The switched system is guaranteed to meet the performance requirement if no more than κ_s nonideal samples occur within any interval of χ consecutive samples, where κ_s is given by
Proof: We assume that the minimum ratio between the number of ideal and nonideal samples in any χ consecutive samples is μ_s, with μ_s > 1 and
where κ_s is the maximum number of nonideal samples that can occur in any χ consecutive samples. From (19), we get
Next, from (21), we have
Combining (23) and (25), we obtain
C. Illustrative Example
We now illustrate the above results using an example. Let us assume that μ* = 1.9 for a given system and consider a sequence of ideal and nonideal samples, as shown in Fig. 5. Clearly, μ(k) > μ* for all k > 3 and the system under consideration is exponentially stable as per Theorem 1. Furthermore, we assume that a given performance requirement {S, χ} = {*, 5} results in κ_s = 2. The sequence shown in Fig. 5 does not guarantee this performance requirement.
IV. EXPERIMENTAL VALIDATION
To illustrate the applicability of our proposed design method, we used an automotive cruise control system as an example. It receives the reference or commanded vehicle speed from the driver and regulates the speed following the driver's command. Based on the reference speed and the feedback signals, the cruise control system regulates the vehicle's speed by adjusting the engine throttle angle to increase or decrease the engine drive force. In this case study, we have used a model of a cruise controller that was developed in consultation with a major German automotive company. The linearized continuous-time model of this cruise control system is shown in (27). The state v_1(t) captures the speed of the vehicle and u(t) is the engine throttle angle. The objective is to choose u(t) such that v_1(t) = r, i.e., a constant desired speed. We have chosen r = 100. In addition, we need to satisfy design requirements, such as the settling time of the velocity v_1(t) being less than 5 s.
\dot{v}(t) = A_t v(t) + B_t u(t), \quad y(t) = C_t v(t), \quad v(t) = [v_1(t)\ \ v_2(t)\ \ v_3(t)]^T \qquad (27)
A. Implementation Details
This cruise control application was implemented in a distributed fashion, as shown in Fig. 1. Following the notation introduced earlier, the states v_i(t) are measured by the task T_p at the sampling times t = hk with k = {0, 1, 2, ...}, and
The control input u(t) is computed in T_c, and u(t) (which utilizes v[k]) is denoted by u[k]. The output u[k] is sent to the task T_p via the dynamic segment of the FlexRay communication bus. T_p applies the control input to the engine throttle angle. The resulting discrete-time system is modeled as (2).
1) FlexRay Parameters:
Configuring the FlexRay dynamic segment involves assigning values to a number of parameters, which in turn determine the priorities of messages and hence the delays experienced by them. These configuration parameters were specified using the EB Designer Pro tool (from Elektrobit). The cycle length was set to gdCycle = 5 ms with a static segment of length 2 ms and 10 static slots. The rest of the cycle was distributed to the dynamic segment and the NIT (Appendix A5). Further, the dynamic segment consisted of 60 minislots where the duration of one minislot was 0.05 ms. The value pLatestTx was set to 50 for all messages in the network (the last minislot in which a message transmission may begin is the one where the minislot counter is equal to pLatestTx). To simulate higher priority network traffic coming from the rest of the network (i.e., from other ECUs), we considered a preexisting FlexRay network with several messages already mapped onto the DYN segment. The configuration parameters for these messages are listed in Table I.
B. Design and Analysis
We chose a sampling period of 40 ms and discretized the continuous system in (27) with h = 40 ms according to (3). The resulting discrete-time system is given by (28). The absolute values of the eigenvalues of A in (28) are {0.6703, 1.1646, 1.1646}. Therefore, the resulting discrete-time open-loop system is unstable.
1) Stabilizability: For the system in (28), a_n = 1.9836. Since n = 3 and |a_n| < (n + 1), the system is stabilizable with control input
2) Controller Synthesis: The feedback gain was designed (see the appendix for details) with p_i = 0.4959 (i = 1, 2, 3, 4) and K = [1.9833 2.3580 0.3652]. The corresponding A_cl
4) Performance Analysis:
To meet the settling time requirement of 5 s, we chose χ = 5 s / h = 125 samples (h = 40 ms) and S = 0.05 (i.e., 95% of a disturbance is to be rejected within any 125 samples). Therefore, the performance requirement becomes {S, χ} = {0.05, 125}. For this performance requirement, μ_s = 16.8571 and κ_s = 7, i.e., a maximum of seven nonideal samples may be tolerated within any 125 consecutive samples to meet the settling time requirement.
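The checks of Section III applied to a delay trace, as an added example that is not code from the brief: samples are classified by τ/h, μ(k) is computed as the ideal-to-nonideal ratio among the first k samples, condition C1 of Theorem 1 is tested, and κ_s is obtained from the definitions of μ_s and κ_s in the proof of Theorem 2 as ⌊χ/(μ_s + 1)⌋, which reproduces κ_s = 7 for χ = 125 and μ_s = 16.8571 above. The delay sequence and the value μ_s = 1.5 paired with the illustrative example's χ = 5 (it yields the κ_s = 2 of Section III-C) are assumptions made here.

```python
from math import floor, inf

# Constructed sensor-to-actuator delays (ms) for h = 40 ms: 10 ms stands for a
# sample delivered within one period, 45 ms for one that misses it.  Assumption:
# this sequence is made up here; it is not the Fig. 5 sequence of the brief.
H_MS = 40.0
DELAYS_MS = [10.0, 10.0, 10.0, 45.0, 10.0, 10.0, 10.0, 10.0, 10.0, 10.0,
             10.0, 45.0, 10.0, 45.0, 45.0, 10.0, 10.0, 10.0, 10.0, 10.0]


def classify_samples(delays_ms, h_ms):
    """True for an ideal sample (tau/h <= 1), False for a nonideal one (tau/h > 1)."""
    return [tau / h_ms <= 1.0 for tau in delays_ms]


def mu_ratio(ideal_flags, k):
    """mu(k): number of ideal samples divided by the number of nonideal ones
    among the first k samples (kappa = nonideal count); inf when kappa == 0."""
    kappa = ideal_flags[:k].count(False)
    return inf if kappa == 0 else (k - kappa) / kappa


def c1_violations(ideal_flags, mu_star):
    """Condition C1 of Theorem 1: mu(k) > mu_star must hold for every k > mu_star + 1.
    Returns the sample counts k at which it fails (empty list means C1 holds)."""
    first_k = floor(mu_star + 1) + 1          # smallest integer k with k > mu_star + 1
    return [k for k in range(first_k, len(ideal_flags) + 1)
            if mu_ratio(ideal_flags, k) <= mu_star]


def kappa_s(chi, mu_s):
    """Largest number of nonideal samples in chi consecutive samples that keeps
    the ideal/nonideal ratio at or above mu_s: (chi - kappa)/kappa >= mu_s gives
    kappa <= chi/(mu_s + 1).  Derived from the definitions of mu_s and kappa_s in
    the proof of Theorem 2; the brief's own closed-form expression is not on the page."""
    return floor(chi / (mu_s + 1))


def performance_violations(ideal_flags, chi, kappa_max):
    """Criterion of Theorem 2: no more than kappa_max nonideal samples in any window
    of chi consecutive samples.  Returns the start indices of offending windows."""
    return [start for start in range(len(ideal_flags) - chi + 1)
            if ideal_flags[start:start + chi].count(False) > kappa_max]


def analyse(delays_ms, h_ms, mu_star, chi, mu_s):
    """Run both checks on a delay trace and report the outcome."""
    flags = classify_samples(delays_ms, h_ms)
    k_s = kappa_s(chi, mu_s)
    return {
        "nonideal": flags.count(False),
        "c1_violations": c1_violations(flags, mu_star),
        "kappa_s": k_s,
        "performance_violations": performance_violations(flags, chi, k_s),
    }


if __name__ == "__main__":
    # mu* = 1.9 and chi = 5 are the numbers of the illustrative example of Section
    # III-C; mu_s = 1.5 is an assumed ratio that gives its kappa_s = 2.
    print(analyse(DELAYS_MS, H_MS, mu_star=1.9, chi=5, mu_s=1.5))
```

On the constructed trace C1 holds throughout, but windows starting at samples 10 and 11 contain three nonideal samples, so the performance criterion fails there just as it does for the Fig. 5 sequence.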
C. Cosimulation
We developed a SystemC (www.systemc.org) based cosimulation framework to simulate the behavior of the resulting implementation. This simulation framework, as shown in Fig. 6, is made up of two main modules: the FlexRay event simulator to simulate communication delays, and the discrete-time system model to simulate the discrete-time system under consideration. The FlexRay simulator consists of several submodules: 1) the FlexRay clock provides the FlexRay communication model with the actual slot counter, minislot counter, and cycle counter values; 2) an event generator generates input event streams based on the system description; and 3) the FlexRay communication model implements the FlexRay specification and computes the message delays for the transmitted event streams. Furthermore, the message delays serve as an input to the discrete-time control system model to compute sensor-to-actuator delays and to simulate the stability and performance of the system. We used the Elektrobit (EB) Tresos Designer Pro tool [4] to specify the FlexRay bus configuration parameters, such as gdCycle, pLatestTx, the lengths of the static and dynamic segments, and other protocol parameters. Additionally, message properties and schedule parameters of existing messages were imported into the simulation framework.
1) Discrete-Time Control System Model:
The discrete-time system model was implemented in MATLAB as a discrete-time control system of the form (2). As described earlier, the control application was partitioned into two tasks: T_p and T_c. The plant task T_p was triggered with an offset o_p; the controller task T_c was run on a different ECU with an offset o_c > o_p + r_max,p, where r_max,p is the worst-case response time of the task T_p on its ECU. Both T_p and T_c were triggered periodically with period h (which is the sampling period of the control application).
The sensor-to-actuator delay has two components. The message m_x was assigned the schedule (S_x, B_x, R_x) = (11, 0, 2) (i.e., it is the highest priority message). As m_x is the highest priority message,
The delay variation in the feedback loop stems from the transmission delay of m_c, i.e., from d_c. The sizes of m_x and m_c were set to 4 minislots. All of these parameters are typical of the automotive case study under consideration.
D. Results
We carried out 120 simulations with a different schedule (i.e., values of (S_c, B_c, R_c) for m_c) in each simulation run. The simulation time was set to 100 s, which corresponds to 2500 generated samples with a sampling period h = 40 ms. During each simulation we plotted the distribution of the sensor-to-actuator delay τ and analyzed the stability and performance of the discrete-time system. We now discuss our observations for three example schedules that were synthesized for m_c.
1) Example Schedule 1:
The message m_c was assigned the schedule (45, 0, 4). Fig. 8(a) shows the delay distribution obtained from the cosimulation framework. τ varies between τ_min = 3.95 ms and τ_max = 44.5 ms. The number of nonideal samples is 36 (i.e., those for which τ/h > 1). Fig. 8(b) shows how μ(k) varies with the sample number k. Here, μ* = 27.9895, and μ(k) > μ* for all k ≥ 29 (since μ* + 1 ≈ 29). Hence, we conclude that condition C1 for stability is satisfied and clearly, condition C2 is also satisfied. The resulting system is stable. The sequence of the ideal and the nonideal samples meets the criterion (26), which is reflected in the resulting output plot Fig. 8(c) (i.e., the settling time is 5 s or {S, χ} = {0.05, 125}).
In the simulation, r = 100 and the initial speed
reaches r = 100 in 1.76 s (i.e., the settling time is 1.76 s). We simulated external disturbances by periodically setting v_1[k] = 80 (from v_1[k] = 100). We observed that the maximum time taken to reject a disturbance is less than 2 s. Therefore, both stability and performance requirements are met for this choice of schedule.
2) Example Schedule 2: In this example, we assigned the schedule (47, 0, 4) to m_c. Note that the slot number is 47 (instead of 45 as in the previous example), indicating a lower priority of the message m_c. Naturally, transmission with a lower priority results in a higher possibility of getting delayed, which is reflected in the following results. The delay distribution for m_c is shown in Fig. 8(d). There are 241 nonideal samples, i.e., samples where τ/h > 1. Here μ(k) ≈ 14, which violates C1. The conditions C2 and (26) are satisfied. We simulated the discrete-time model with the same disturbance that was applied in Example 1, and Fig. 8(e) shows the plot of v_1[k] for the new schedule. The overall system is stable even though C1 is violated. However, the system response deteriorated [which can be seen from the overshoot in v_1[k] in Fig. 8(e)] due to the higher number of nonideal samples.
3) Example Schedule 3: We now show that the system can become unstable when the conditions C1, C2 and (26) 
V. CONCLUSION
The relaxed requirement on feedback signals to meet deadlines offers an additional safety margin when designing the implementation platform. In particular, we showed that the analytical bounds on allowed deadline misses from the controller design phase may be checked against the deadline misses suffered by messages in an implementation platform. The latter were obtained via simulation in this brief (as illustrated in the examples in Section IV-D). By requiring the latter bounds to be smaller than the former, a safety margin may be ensured (as in Example Schedule 1). We believe that this would be the more pragmatic use of our results in real-life scenarios, where simulation-based timing analysis is prevalent. However, checks that guarantee that deadline miss bounds from the platform are smaller than what can be tolerated by the controller may also be designed using formal verification techniques; some results in this direction have already been reported recently [1], [8], [9], [16]. As part of future work, they could be further refined to better match our proposed controller design.
APPENDIX

A. Stabilizability With Ideal Sampling
Without loss of generality, we assume r = 0 in the closed-loop system (6). The resulting system becomes
The stabilizability analysis essentially reduces to finding the conditions for which there exists a feedback gain K that can make the system (31) stable. First, we transform the state-space model into a controllable canonical form by a transformation [3] z
where z[k] are the new states and T is the nonsingular transformation matrix. We obtain the controllable canonical form as shown in (33)
where a i is obtained by the transformation and n is the dimension of system (2).
Theorem 3 (Stabilizability Condition):
There exists a feedback gain K that places all the poles of the system (6) within the unit circle iff the following condition holds:
(34)
Proof: The control input for the ideal samples is shown in (35) (with
where K = K̄T. Let us introduce an additional state
. Based on this additional state, we introduce new system states
Therefore, the closed-loop system leads to (36) which is of dimension (n+1)
The above closed-loop system can be rewritten as follows:
The resulting characteristic equation for the above closed-loop system is obtained by making |λI − A cl | = 0 and is given by
The system (31) is stabilizable if it is possible to place (n + 1) stable poles of the closed-loop system. It may be noted that all the coefficients of the above polynomial can be designed except the coefficient of λ^n.
is the vector consisting of the poles of the closed-loop system. Then, the characteristic equation of the closed-loop system becomes
For stabilizability, |p_i| < 1 and K̄ should be such that equations (38) and (39) are identical
We can see from (40) that it is possible to design functions
For stability of the system (31),
. Therefore, the condition (34) is the necessary condition for stabilizability.
B. Design of Feedback Gain K
For given open-loop system matrices (A, B) of an n-th order system: 1) Compute a_n; if |a_n| < (n + 1), the system is stabilizable and controller synthesis is possible. 2) Choose p = −[p_1 p_2 ··· p_{n+1}] such that each element lies within the unit circle and Σ_{i=1}^{n+1} |p_i| = −a_n.
3) Utilizing the closed-loop poles p, compute K̄ from the equations (40). 4) Compute K by K = K̄T.
C. Design of Feedforward Gain F 1 for Ideal Samples
In the cases of ideal samples, the closed-loop dynamics is as follows:
where B_cl = [0 0 ··· 1]^T and C_cl = [1 0 ··· 0] are of dimensions (n + 1) × 1 and 1 × (n + 1), respectively. The feedforward gain F_1 has to be chosen such that y[k] → r as k → ∞, i.e., the steady state error is zero. In the steady state of the closed-loop system (42),
For y[k] = r in steady state, we obtain
D. Design of F 2 for Nonideal Samples
In the case of nonideal samples, the closed-loop dynamics is as follows:
where A_o = {A_cl | K = 0}. For y[k] → r as k → ∞ (similar to the computation of F_1)
E. FlexRay Protocol
The FlexRay communication protocol [5] is organized as a periodic sequence of communication cycles. Each cycle is of fixed length gdCycle and is indexed by a cycle counter that is incremented from 0 to 63 after which the counter is reset to 0. This communication pattern that is repeated periodically is known as the 64-cycle matrix. Further, every cycle consists of: 1) a mandatory static segment (ST); 2) an optional dynamic segment (DYN); and 3) a segment for clock synchronization which is referred to as Network Idle Time (NIT). In the following we will discuss the communication specification of the DYN segment of FlexRay.
1) FlexRay Dynamic Segment:
The DYN segment is partitioned into equal-length minislots that are indexed by a minislot counter which starts counting from 1 up to N minislots in every cycle. Additionally, a slot counter counts the communication slots that indicate time windows for admissible message transmissions. Each FlexRay message m_i is assigned a static schedule (S_i, B_i, R_i) for uniquely specified transmission points. A message m_i can successfully be transmitted via the DYN segment if the following requirements are satisfied: 1) the assigned slot number S_i ∈ S_DYN is equal to the current slot counter value, where S_DYN is the set of available slot numbers in the DYN segment; 2) the current communication cycle is an element of the set of feasible cycles {γ_n} of m_i, where γ_n = (B_i + N × R_i) mod 64 with N ∈ {0, 1, 2, ...}, R_i = 2^r for r ∈ {0, ..., 6}, and B_i < R_i; 3) the minislot counter must not exceed the specified value of pLatestTx of the corresponding ECU. A more detailed description of the FlexRay protocol can be found in [5]. In a FlexRay schedule (S_i, B_i, R_i), the slot number S_i denotes the priority of the message, and a higher S_i indicates a lower message priority. Therefore, a higher S_i essentially indicates a lower quality (and less expensive) communication.
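The DYN-segment admission rules above, coded as an added example (not the brief's SystemC simulator): it enumerates the feasible cycles of a schedule (S_i, B_i, R_i), evaluates the three transmission requirements at a given counter state, and computes the number of cycles a message waits until its next feasible cycle, which is the cycle-level part of the waiting time behind the delay variation of Section II-B. The schedules (11, 0, 2), (45, 0, 4) and (47, 0, 4), gdCycle = 5 ms and pLatestTx = 50 are taken from Section IV; the slot and minislot contribution to the delay is not modelled.

```python
from dataclasses import dataclass

CYCLE_COUNT = 64            # the cycle counter runs 0..63 (64-cycle matrix)
GD_CYCLE_MS = 5.0           # cycle length used in Section IV-A
P_LATEST_TX = 50            # pLatestTx used for all messages in Section IV-A


@dataclass(frozen=True)
class DynSchedule:
    """FlexRay DYN-segment schedule (S_i, B_i, R_i) of one message."""
    slot: int          # S_i: slot number, higher value = lower priority
    base: int          # B_i: base cycle, 0 <= B_i < R_i
    repetition: int    # R_i: repetition, 2^r with r in 0..6

    def __post_init__(self):
        if self.repetition not in (1, 2, 4, 8, 16, 32, 64):
            raise ValueError("R_i must be a power of two up to 64")
        if not 0 <= self.base < self.repetition:
            raise ValueError("B_i must satisfy 0 <= B_i < R_i")


def feasible_cycles(s):
    """Cycle-counter values gamma_n = (B_i + N*R_i) mod 64 in which m_i may send."""
    return sorted({(s.base + n * s.repetition) % CYCLE_COUNT
                   for n in range(CYCLE_COUNT)})


def may_transmit(s, cycle, slot_counter, minislot_counter, p_latest_tx=P_LATEST_TX):
    """The three admission requirements of the DYN segment at one counter state."""
    return (slot_counter == s.slot                 # 1) slot counter equals S_i
            and cycle in feasible_cycles(s)        # 2) cycle is a feasible cycle
            and minislot_counter <= p_latest_tx)   # 3) not past pLatestTx


def cycles_until_eligible(s, cycle):
    """Whole cycles a message generated in `cycle` waits before a feasible cycle
    comes up (0 if the current cycle is feasible).  Since R_i divides 64, this is
    the distance to the next cycle c with c mod R_i == B_i."""
    return min((c - cycle) % CYCLE_COUNT for c in feasible_cycles(s))


def cycle_wait_ms(s, cycle):
    """Cycle-level waiting time in ms (slot and minislot waiting not included)."""
    return cycles_until_eligible(s, cycle) * GD_CYCLE_MS


def higher_priority(a, b):
    """Of two schedules, the one with the lower slot number has priority."""
    return a if a.slot < b.slot else b


if __name__ == "__main__":
    m_x = DynSchedule(11, 0, 2)    # sensor message of Section IV-C
    m_c1 = DynSchedule(45, 0, 4)   # Example Schedule 1
    m_c2 = DynSchedule(47, 0, 4)   # Example Schedule 2
    for name, s in (("m_x", m_x), ("m_c (45,0,4)", m_c1), ("m_c (47,0,4)", m_c2)):
        worst = max(cycle_wait_ms(s, c) for c in range(CYCLE_COUNT))
        print(name, "feasible cycles:", feasible_cycles(s)[:6], "...",
              "worst cycle-level wait:", worst, "ms")
```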
