Semantics-preserving cosynthesis of cyber-physical systems by Roy, Debayan et al.
This is a repository copy of Semantics-preserving cosynthesis of cyber-physical systems.
White Rose Research Online URL for this paper:
http://eprints.whiterose.ac.uk/164989/
Version: Accepted Version
Article:
Roy, Debayan, Zhang, Licong, Chang, Wanli orcid.org/0000-0002-4053-8898 et al. (2 
more authors) (2018) Semantics-preserving cosynthesis of cyber-physical systems. 
Proceedings of the IEEE. pp. 171-200. ISSN 0018-9219 
https://doi.org/10.1109/JPROC.2017.2779456
ABSTRACT | Software-based control of physical systems 
is common in domains such as automotive, avionics, and 
industrial automation. Safety of such systems is determined 
by control-theoretic properties such as stability, settling time, 
and peak overshoot. These properties strongly depend on the 
software code generated from high-level controller models, and 
the implementation of such code on an embedded platform. To 
ensure safety, the semantics of the system model considered 
for controller design must be faithfully preserved in the 
platform implementation. However, traditionally, controller 
design and implementation platform design are carried out in 
isolation, followed by their integration, which often relies on 
simulations to estimate the behavior of the controllers. Thus, 
safety properties that were proven at the model level using 
control-theoretic tools can no longer be established in an actual 
implementation. This makes the design of embedded control 
systems costly and error prone, and hinders certification. In
this paper, we review recent efforts in control-platform
cosynthesis techniques toward addressing this problem.
Here, the control and the embedded systems communities
have come together to adopt a cyber-physical system
(CPS)-oriented design paradigm. This cosynthesis paradigm
integrates the design of control algorithms and platform
parameters within a holistic optimization framework and
accounts for relevant details from both sides. We survey the
evolution of design approaches for such cosynthesis and
show how the originally disjoint controller and the platform
design methods are gradually converging.
KEYWORDS | Control systems; cosynthesis; cyber-physical
systems; embedded control systems; embedded systems;
platform aware; safety
Manuscript received March 25, 2017; revised August 4, 2017; accepted August 4, 2017.
Date of current version December 20, 2017. This work was supported by Deutsche
Forschungsgemeinschaft (DFG) through the Technical University of Munich (TUM)
International Graduate School of Science and Engineering (IGSSE).
D. Roy, L. Zhang, and S. Chakraborty are with the Real-Time Computer Systems,
Department of Electrical and Computer Engineering, Technical University of Munich,
80333 Munich, Germany (e-mail: debayan.roy@tum.de; licong.zhang@tum.de;
samarjit@tum.de).
W. Chang is with the Department of Computer Science, University of York, UK
(e-mail: wanli.chang@york.ac.uk).
S. K. Mitter is with the Laboratory for Information and Decision Systems, Electrical
Engineering and Computer Science, Massachusetts Institute of Technology,
Cambridge, MA 02139 USA (e-mail: mitter@mit.edu).
Digital Object Identifier: 10.1109/JPROC.2017.2779456
I. INTRODUCTION
Over the last ten years the concept of cyber-physical
 systems (CPSs) has emphasized the integrated modeling 
and analysis of computational platforms and the physi-
cal processes that are controlled by such platforms. One 
typical class of CPSs is made up of embedded control sys-
tems. In such a system, physical processes are controlled 
by a piece of software running on an embedded plat-
form. Such systems are commonly found in  automotive, 
 avionics, industrial automation, and medical devices.
Semantics-Preserving Cosynthesis of Cyber-Physical Systems
While control theory provides methods for designing provably correct controllers,
there is a lack of available techniques to ensure that high-level controller models
are transformed into implementations while preserving model-level semantics and
safety properties. This paper reviews recent efforts to address this issue using
cyber-physical system (CPS)-oriented controller/platform cosynthesis techniques.
By DEBAYAN ROY, Student Member IEEE, LICONG ZHANG, Student Member IEEE,
WANLI CHANG, Member IEEE, SANJOY K. MITTER, Fellow IEEE, AND
SAMARJIT CHAKRABORTY, Senior Member IEEE
Vol. 106, No. 1, January 2018 | Proceedings of the IEEE 171 
These systems are often safety critical with strict require-
ments on stability and performance (characterized by set-
tling time, peak overshoot, or similar metrics) [1] and must 
d\\k Z\ikX`e Z\ik`ÔZXk`fe jkXe[Xi[j R)T# R*T% KiX[`k`feXccp#
the design of control algorithms and the embedded plat-
forms on which such algorithms are to be implemented are 
designed by different groups of engineers with different 
expertise. Such separation of concerns, while common in the
general-purpose computing domain, becomes problematic for
 embedded control systems. Here, a fundamental challenge in 
ensuring that safety properties at the model level (or control-
ler design stage) hold true in an implementation requires that 
model-level semantics are faithfully preserved when generat-
ing implementations from the models. This is, however, not 
straightforward considering that current  controller design 
methods are mostly based on idealistic assumptions on the 
implementation platform, such as: computing the control 
law takes negligible time; there are no sensor-to-controller
and controller-to-actuator delays; control inputs can be
computed with infinite precision; and when software code
is generated from high-level models (such as those specified
in Matlab/Simulink), the code generator does not introduce 
any side effects and accurately preserves the model level 
semantics. As implementation platforms become more com-
plex, distributed, and heterogeneous, these assumptions are 
increasingly not true, thereby resulting in a large deviation 
in the behavior of an implementation from the designed 
 controllers at the model level, and often violating safety prop-
erties that were true at the model level.
?\i\# k_\ hl\jk`fe `j1 ?fn j_flc[ gcXk]fid ZfeÔ^l-
ration parameterse.g., scheduling policies/parameters, 
arithmetic precision, code generation policiesbe chosen 
so that model-level semantics are preserved in an implemen-
tation? Given an already designed (model-level) controller, 
the choice of such platform parameters may be restricted or 
in the worst case there might not be any feasible platform 
parameters. Since there might be multiple controllers that 
jXk`j]p^`m\ejkXY`c`kpXe[g\i]fidXeZ\jg\Z`ÔZXk`fejjX]\kp
properties), a better approach is to determine the controller 
Xe[ gcXk]fid ZfeÔ^liXk`fe gXiXd\k\ij kf^\k_\i% @e fk_\i
words, by cosynthesizing the controller and platform con-
Ô^liXk`fegXiXd\k\ijÇ`%\%#XjXgXikf]XZfddfefgk`d`-
zation frameworkwe can ensure that the two designs are 
compatible (or model-level semantics are preserved) and 
there is a larger set of parameters that may be explored [4].
In this paper, we survey such cosynthesis techniques for
embedded control systems design and implementation. We
first study the problems with separation of concerns, where
controller design and platform implementation are carried
out in isolated design spaces without sufficient knowledge
of each other. Subsequently, we survey different works
that follow a CPS-oriented approach and broadly classify
them in terms of whether 1) the implementation platform
is fixed and the control algorithm is adapted to fit the platform
architecture [as in networked control systems (NCSs)
where the characteristics of the wireless network such as
delay and packet loss probabilities are given and the control
algorithms are designed taking them into account]; 2) the
control algorithm and its assumptions are given and the
platform is designed to meet these assumptions as closely
as possible (e.g., by designing appropriate scheduling and
resource allocation policies); or 3) it is a true cosynthesis
where the parameters of the control algorithms and the
implementation platform are jointly determined within an
integrated optimization framework.
Recently, a lot of work in this area has been done, 
especially in the context of automotive embedded con-
trol  systems. This is because automotive software systems 
implement a large number of safety-critical control loops. 
They have to be implemented on a resource-constrained, 
distributed, and heterogeneous platform architecture, 
Xe[ `eZi\Xj`e^cpe\\[kfY\Z\ik`Ô\[%K_`jZfdY`eXk`fef]
requirements makes it a challenging and a particularly suit-
able domain for studying design methods for embedded con-
trol systems. Hence, most of the examples we review in this 
paper are from this domain. However, the problems and the 
solutions that we discuss in this paper are also relevant to 
other CPS domains. In particular, we survey several works 
on NCSs that are commonly found in avionics, power grid, 
and  industrial-automation-related CPSs. We believe that 
it is possible to leverage the progress made in NCSs and 
extend existing cosynthesis approaches from the automotive 
domain to other CPS domains as well.
A. Separation of Concerns
Automatic control is a well-studied subject with sev-
eral decades of history and a large pool of design methods. 
Early works on design and analysis of a control system have 
focused on the mathematical model of the closed-loop sys-
tem, including the plant and the controller. The controller 
is designed such that the system is stable and certain perfor-
mance requirements, e.g., settling time, peak overshoot, and 
\e\i^pZfejkiX`ekjXi\jXk`jÔ\[%?fn\m\i#k_\j\nfibj[fefk
consider implementation related details such as nonnegligi-
ble and variable times for software execution and data trans-
d`jj`fe#]Xlckpe\knfibj#Xe[Ôe`k\gi\Z`j`feXi`k_d\k`Z%
Embedded platform design is also well known and is 
composed of several stages: 1) task partitioning and mapping;
2) frame packing (for communication messages); and
3) task and frame scheduling. Platform design and analysis
consider timing properties, e.g., application latencies,
periods, relative deadlines, task execution times, and message
frame transmission times. The main focus has been to
synthesize implementations that are schedulable (i.e., all
real-time software tasks meet their deadlines), and resource
efficient (i.e., minimum usage of computation and communication
resources). However, this theory is not directly
applicable to control applications as control require-
ments such as stability and performance cannot always be
expressed as timing properties such as deadlines and periods 
(and when expressed in this form, the parameters can be 
overly pessimistic).
B. Safety Challenges for CPS Design: 
The Semantic Gap
In the context of CPSs, the separate design of controllers 
and platform parameters leads to a semantic gap between the 
system models considered in the controller design and the 
actual implementation. On one hand, the controller design 
`jfecp`eÕl\eZ\[Ypk_\g_pj`ZXcgcXek%K_\i\]fi\#jpjk\d
stability and performance are derived without considering 
the cyber part, i.e., the implementation on the embedded 
platform. However, the implementation-related timing 
properties such as sampling period and sensing-to-actuation 
delay may degrade the performance and in the worst case 
may also cause system instability. Thus, the semantics of the 
control models may not be preserved in the implementation 
when the controller design is oblivious to the implementa-
tion details. On the other hand, the synthesis of platform 
parameters is based on the software-level timing details and 
does not consider control-theoretic metrics such as stability 
and performance. An incorrect timing characterization of 
control properties can result in an inconsistency between 
models and their implementation. For example, the perfor-
mance requirement can enforce a strict constraint on appli-
cation latency which if not correctly modeled may not be 
jXk`jÔ\[Ypk_\`dgc\d\ekXk`fe%
?\eZ\#`k`j[`]ÔZlckkf[\j`^eXjX]\:GJn`k_jlZ_j\gX-
ration of concerns due to the associated semantic gap. We 
[\Ôe\ Xe \dY\[[\[ Zfekifc jpjk\d kf Y\ jX]\ n_\e k_\
corresponding software implementation meets the con-
trol requirements on stability and performance even in the 
worst case. Now, to ensure safety with separation of con-
cerns, the whole process is usually carried out in an itera-
tive manner as shown in Fig. 1. Here, the controllers and 
platform parameters are separately designed followed by 
integration and testing. In case a test shows that the require-
ments are not met, the steps are reiterated, possibly without 
any systematic feedback for improvement. This paradigm 
relies strongly on the prior experience of engineers and can 
be error prone. With the increasing size and complexity of 
modern embedded systems, this design paradigm is not sus-
tainable. This leads to the need for new design approaches 
that can guarantee safety in a correct-by-design manner and 
do not depend on testing.
C. Bridging the Semantic Gap: CPS-Oriented 
Approaches
Due to the strong dependency between controller and 
platform design, both the control and the embedded sys-
tems design methods are gradually moving toward a CPS-
oriented design paradigm. Control theorists have started 
accounting for implementation details and constraints of 
the underlying embedded platform and are integrating 
them in the mathematical models for controller design. For 
example, properties such as the sensing-to-actuation delay, 
input and output jitter, packet drops, deadline misses, and 
Ôe`k\ gi\Z`j`fe Xi`k_d\k`Z Xi\ df[\c\[ Xe[ Zfej`[\i\[ `e
the controller design phase, so that the designed controllers 
are platform aware. In the same vein, embedded systems 
engineers have also begun to study properties of control 
loops and are considering them in platform design methods. 
These properties include stability, performance, and robust-
ness of control loops, and steady state and transient state 
characteristics. Consequently, the platform parameters 
such as task and message schedules can be tuned accord-
ing to control objectives, rather than solely on intermediate 
objectives such as deadlines and latencies.
These CPS-oriented approaches, as shown in Fig. 1, con-
sider realistic details of one side while designing parameters 
on the other side. In particular, they mathematically trans-
late control properties into timing characteristics and vice 
versa to bridge the semantic gap. However, these methods 
consider the parameters on one side as given and design 
the parameters on the other side accordingly, and thus, they
provide limited opportunity for optimization. They may
result in a suboptimal design configuration with respect to
control performance, resource efficiency, or both. In order
to achieve higher design efficiency, it is important to design
the control and the platform parameters together from joint
specifications in a holistic optimization framework.
Fig. 1. Different design paradigms.
D. Ensuring Safety and Optimality: Cosynthesis 
of CPSs
In many cost-sensitive domains (such as automotive) it 
is not only necessary to ensure safety but it is equally desirable
to achieve design optimality. In this survey, we emphasize
the importance of control-platform cosynthesis for
CPSs toward ensuring safety and design optimality.
In recent years, a group of cosynthesis approaches have 
emerged that consider the design of control and platform 
parameters as a holistic optimization as shown in Fig. 1. 
Generally, the cosynthesis problem is formulated as a non-
convex optimization problem and is solved using a cus-
tomized design space exploration (DSE) technique. The 
solutions provide both sets of parameters which are tuned 
according to certain objectives such as control performance 
Xe[i\jfliZ\\]ÔZ`\eZp%K_\i\]fi\#k_\jpek_\j`q\[gXiXd\-
k\iji\gi\j\ekfgk`dXc[\j`^eZfeÔ^liXk`fej%Dfi\fm\i#k_\
control model semantics are fully preserved in the imple-
mentation. This is because the controllers are designed 
according to the detailed constraints from the platform side 
and the platform parameters are synthesized considering 
stability and performance requirements from the control 
side. The synthesized parameters are, therefore, correct by 
design and ensure safety.
However, there exist considerable challenges that need 
to be addressed, if these approaches are to be applied to 
industrial scale applications. These challenges include 
handling complexity and scalability, developing closed-
form optimization frameworks, inadequate toolchains, 
Xe[Z\ik`ÔZXk`fe `jjl\j%Dfi\fm\i# \o`jk`e^XggifXZ_\j[f
not consider several aspects of platform architectures, e.g., 
memory hierarchy, heterogeneous networks, or multicore 
processors, all of which are common in modern embedded 
 systems. Furthermore, they also do not take into account 
complex characteristics of control systems, e.g., time vari-
ance, nonlinearity, or input saturation. Hence, control- 
platform cosynthesis is a promising research direction with 
a number of open problems.
E. Paper Organization
We start with traditional problems and approaches that 
exist in both control theory and the embedded systems 
literature. In Section II, the basics of control theory are 
reviewed, particularly, system models, stability theorems, 
performance metrics, and common controller design meth-
ods. Subsequently, Section III provides the background on 
embedded systems design such as platform models, imple-
mentation constraints, and platform design and analysis 
k\Z_e`hl\j% J\Zk`fe @M Ôijk jkXk\j k_\ jX]\kp Z_Xcc\e^\j
associated with the design and implementation of CPSs. 
Subsequently, it reviews works on 1) how control engi-
neers can consider implementation details in controller 
[\j`^e2 Xe[ )  _fn \dY\[[\[ jpjk\dj \e^`e\\i ZXe kXb\
into account the control properties in platform design. This 
is followed by Section V, where recent works on control-
platform cosynthesis are studied and the general design 
Õfn]fijlZ_XggifXZ_\j`jflkc`e\[%=`eXccp#gfjj`Yc\]lkli\
research directions and challenges are discussed in Section 
VI, followed by some concluding remarks (Section VII).
II. FEEDBACK CONTROL SYSTEMS
Control systems form an integral part of technological
advancement in almost any field. They help in ensuring
the intended functionality from machines and make pro-
cesses run by adapting to the environment variables. More 
often than not, they are based on the theory of feedback as 
[\g`Zk\[ `e =`^% )% @e ]\\[YXZb Zfekifc jpjk\dj# X Zfekifc
action is decided based on the values of plant state variables 
and the reference that the plant must follow. In practice, 
some variables of the plant may not be measurable, and 
therefore, the corresponding values are estimated using an 
estimator. The basic idea is to mitigate the error between 
the plant output and the reference and therefore manipu-
late the plant to satisfy requirements on stability and per-
formance. In this section, we will discuss how such a system 
can be mathematically modeled and the requirements can 
be mathematically expressed. Subsequently, we will also 
mention some techniques to design feedback controllers 
jlZ_k_Xkjg\Z`Ô\[i\hl`i\d\ekjXi\jXk`jÔ\[%
A. System Model
In this paper, we predominantly survey works which 
consider linear and time-invariant (LTI) systems with 
 single-inputsingle-output (SISO). The mathematical model 
of the dynamic behavior of such a system in continuous time 
can be represented as 
  x ̇(t) = Ax(t) + Bu(t) 
(1)
 y(t) = Cx(t) 
Fig. 2. Block diagram of feedback control systems.
Authorized licensed use limited to: University of York. Downloaded on August 24,2020 at 11:04:44 UTC from IEEE Xplore.  Restrictions apply. 
Roy et al   6HPDQWLFV3UHVHUYLQJ&RV\QWKHVLVRI&\EHU§3K\VLFDO6\VWHPV
Vol. 106, No. 1, January 2018 | Proceedings of the IEEE 175
where vector  x(t) ∈  ℝ n×1 represents the states of the system, 
and  y(t) and  u(t) represent, respectively, the system output 
and the control input at instant  t . Here, the constant matri-
ces  A ∈  ℝ n×n ,  B ∈  ℝ n×1 , and  C ∈  ℝ 1×n are, respectively, the 
state, input, and output matrices.
Considering that the controller is implemented on an
embedded platform, the control input is applied to the plant
only at discrete instants $k \in \mathbb{Z}^*$. Let us assume that the time
interval between two consecutive instants is a constant $h$
and the control input to the plant is held constant until the
next input is generated and applied, i.e., $u(t) = u(kh)$, where
$kh \le t < (k + 1)h$. This is equivalent to a system with a sample
and hold device connected at the input, and correspondingly,
$h$ is the sampling period of the system. Consequently,
the equivalent state-space model of the sampled data
(discrete-time) system is given by
$$x[k + 1] = \phi x[k] + \Gamma u[k], \qquad y[k] = Cx[k] \tag{2}$$
where the discrete-time state and input matrices $\phi$ and $\Gamma$ can
be derived from the continuous time matrices for a given
sampling period $h$ as follows:
$$\phi = e^{Ah}, \qquad \Gamma = \int_0^h \left(e^{At}\,dt\right) \cdot B \tag{3}$$
B. Notions of Stability
For a given system model, the goal of a control engineer
is to design a control law that computes the control
input such that the closed-loop system satisfies specific
requirements. One of the most important requirements is
the stability of control loops. There are different notions
of stability in control theory among which two important
definitions are given here. To define stability, we must first
introduce the equilibrium state $x_e$ of a system as the state
to which it converges in the absence of a control input (an
unforced system), i.e., $u[k] = 0$.
1) Stability in the sense of Lyapunov: The equilibrium
state $x_e$ is stable in the sense of Lyapunov when the following
holds:
$$\underset{\epsilon \in \mathbb{R}^+,\; k \in \mathbb{Z}^*,\; x[0]}{\forall}\ \ \underset{\delta \in \mathbb{R}^+}{\exists}\ \left(\|x[0] - x_e\| \le \delta\right) \Rightarrow \left(\|x[k] - x_e\| < \epsilon\right). \tag{4}$$
Moreover, $x_e$ is uniformly stable in the sense of Lyapunov
when (4) holds and $\delta$ is independent of the initial state.
2) Asymptotic stability: $x_e$ is said to be asymptotically
stable when besides being stable in the sense of Lyapunov
the following expression holds:
$$\underset{x[0]}{\forall}\ \ \underset{\delta \in \mathbb{R}^+}{\exists}\ \left(\|x[0] - x_e\| \le \delta\right) \Rightarrow \lim_{k \to \infty} \|x[k] - x_e\| = 0. \tag{5}$$
Moreover, $x_e$ is uniformly asymptotically stable when
$\delta$ is independent of the initial state in (5). $x_e$ is globally
asymptotically stable if, despite $\delta$ being arbitrarily large, the
states finally converge to $x_e$.
C. Stability Analysis
For an unforced LTI system given by $x[k + 1] = \phi x[k]$
with initial state $x[0]$, we can write as follows:
$$x[k + 1] = \phi^{k+1} x[0]. \tag{6}$$
Without loss of generality, we can assume $x_e = 0$ from the
definition of equilibrium state. Therefore, for a system to be
asymptotically stable for a finite nonzero initial state, the
following must hold:
$$\lim_{k \to \infty} \|\phi^k\| = 0. \tag{7}$$
This is only possible when the eigenvalues of $\phi$, i.e., $\lambda_i$s,
$\forall i = 1, 2, \ldots, n$, satisfy the following:
$$|\lambda_i| < 1. \tag{8}$$
Here, $\lambda_i$s also represent system poles. Thus, for a system to
be asymptotically stable all the poles must lie within the unit
circle in a complex $z$-plane.
However, this constraint is only valid for LTI systems
and a more powerful technique for analyzing stability of
both linear and nonlinear systems is the second method of
Lyapunov. According to this theorem [5], for a discrete-time
unforced system $x[k + 1] = f(x[k])$, where $f(0) = 0$, if a scalar
continuous function $V(x[k])$ exists such that
$$\begin{aligned} &\text{i) } V(0) = 0 \qquad \text{ii) } \underset{x \ne 0}{\forall}\ V(x) > 0 \qquad \text{iii) } \lim_{\|x\| \to \infty} V(x) \to \infty \\ &\text{iv) } \underset{x \ne 0}{\forall}\ \Delta V(x[k]) = V(x[k + 1]) - V(x[k]) < 0 \end{aligned} \tag{9}$$
then $x_e = 0$ is globally asymptotically stable and $V(x)$ is a
Lyapunov function.
This method can be simplified and applied for LTI systems
$x[k + 1] = \phi x[k]$, where $x_e$ is asymptotically stable
if and only if, for a given positive-definite real symmetric
matrix $Q$, there exists a positive-definite real symmetric
matrix $P$ such that the following criterion is satisfied:
$$\phi' P \phi - P = -Q. \tag{10}$$
Here, $V(x[k]) = x'[k] Q x[k]$ is a Lyapunov function for the
system and $\Delta V(x[k]) = -x'[k] P x[k]$ [5].
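The criterion (10) can be checked numerically. The following is an added example, not code from the paper: it solves (10) for $P$ with $Q = I$, tests $P$ for positive definiteness, and cross-checks the verdict against (6) by iterating the state. The two matrices `PHI_STABLE` and `PHI_UNSTABLE` are constructed samples and all function names are illustrative.

```python
import math

# Constructed sample closed-loop matrices (not from the paper): the first has
# eigenvalues of about +/-0.447, the second has one eigenvalue near -1.61.
PHI_STABLE = [[0.6, 0.004], [-40.0, -0.6]]
PHI_UNSTABLE = [[0.1, -0.006], [-60.0, -1.4]]

def solve_linear(M, b):
    """Solve M z = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    aug = [row[:] + [b[i]] for i, row in enumerate(M)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(aug[r][c]))
        if abs(aug[piv][c]) < 1e-12:
            raise ValueError("singular: a product of two eigenvalues equals 1")
        aug[c], aug[piv] = aug[piv], aug[c]
        for r in range(n):
            if r != c:
                f = aug[r][c] / aug[c][c]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[c])]
    return [aug[i][n] / aug[i][i] for i in range(n)]

def solve_lyapunov(phi, Q):
    """Return P with phi' P phi - P = -Q, i.e. equation (10)."""
    n = len(phi)
    idx = [(i, j) for i in range(n) for j in range(n)]
    # Row (i, j): P[i][j] - sum_ab phi[a][i] * P[a][b] * phi[b][j] = Q[i][j]
    M = [[(1.0 if (a, b) == (i, j) else 0.0) - phi[a][i] * phi[b][j]
          for (a, b) in idx] for (i, j) in idx]
    p = solve_linear(M, [Q[i][j] for (i, j) in idx])
    return [p[r * n:(r + 1) * n] for r in range(n)]

def is_positive_definite(P):
    """Cholesky factorization succeeds exactly when P is positive definite."""
    n = len(P)
    L = [[0.0] * n for _ in range(n)]
    for j in range(n):
        d = P[j][j] - sum(L[j][k] ** 2 for k in range(j))
        if d <= 0.0:
            return False
        L[j][j] = math.sqrt(d)
        for i in range(j + 1, n):
            L[i][j] = (P[i][j] - sum(L[i][k] * L[j][k] for k in range(j))) / L[j][j]
    return True

def lyapunov_residual(phi, P, Q):
    """Largest entry of |phi' P phi - P + Q|; zero for an exact solution."""
    n = len(phi)
    return max(abs(sum(phi[a][i] * P[a][b] * phi[b][j]
                       for a in range(n) for b in range(n)) - P[i][j] + Q[i][j])
               for i in range(n) for j in range(n))

def lyapunov_test(phi):
    """Return (asymptotically stable?, P) using Q = I in criterion (10)."""
    n = len(phi)
    Q = [[float(i == j) for j in range(n)] for i in range(n)]
    try:
        P = solve_lyapunov(phi, Q)
    except ValueError:          # no unique P exists, so the criterion fails
        return False, None
    return is_positive_definite(P), P

def state_norm_after(phi, x0, steps):
    """||x[steps]|| for the unforced system x[k+1] = phi x[k], as in (6)."""
    x = list(x0)
    for _ in range(steps):
        x = [sum(row[j] * x[j] for j in range(len(x))) for row in phi]
    return math.sqrt(sum(v * v for v in x))

if __name__ == "__main__":
    for name, phi in (("stable", PHI_STABLE), ("unstable", PHI_UNSTABLE)):
        ok, _ = lyapunov_test(phi)
        print(name, "| P positive definite:", ok,
              "| ||x[50]|| from x[0] = [1, 1]:", state_norm_after(phi, [1.0, 1.0], 50))
```

For the unstable matrix a solution $P$ of (10) still exists, but it is not positive definite, which is what the criterion detects.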
D. Quality of Control
Although stability is an essential requirement, different 
control applications may also need to satisfy different per-
formance criteria. The performance of a controller is often 
d\Xjli\[YpXd\ki`Zk_XkhlXek`Ô\jk_\hlXc`kpf]Zfekifc
(QoC). Thus, the goal of a control engineer is to design a 
controller which not only meets the performance criteria 
but preferably has a higher QoC.
The performance measures of a control loop have 
evolved over the years from common metrics such as peak 
overshoot, rise time, settling time, and steady state error, to 
more complex cost functions and gains. Here, we will not 
discuss the common metrics; however, readers are encouraged
to read [5] for more insights. We list some important
performance measures as follows.
1) Integral cost function: System response to a given reference
$r[k]$ can be analyzed for QoC based on several cost
functions [6]. These cost functions consider tracking error
$e[k] = r[k] - y[k]$ and are given as follows:
$$\sum_{0}^{\infty} e[k]^2 \qquad \sum_{0}^{\infty} |e[k]| \qquad \sum_{0}^{\infty} k\,|e[k]|. \tag{11}$$
Moreover, a more general quadratic cost which is a function
of system states and control input can be considered. This is
represented for finite and infinite horizon, respectively, as
$$J = \frac{1}{2}\left[ x[N]' S x[N] + \sum_{0}^{N-1} \left( x[k]' Q x[k] + 2x[k]' M u[k] + u[k]' R u[k] \right) \right] \tag{12}$$
and
$$J = \frac{1}{2} \sum_{0}^{\infty} \left( x[k]' Q x[k] + 2x[k]' M u[k] + u[k]' R u[k] \right). \tag{13}$$
Here, $S$ and $Q$ are symmetric positive-semidefinite matrices
while $R$ is a symmetric positive-definite matrix. $S$, $Q$, $R$, and
$M$ are coefficient matrices used for weighting different terms
according to their dimensions or importance.
2) $\mathcal{L}_2$ gain: For a given input, let $\gamma_u$ be defined as the ratio
of the output and the input energy of a system and can be
represented as follows:
$$\gamma_u = \frac{\|y\|_2}{\|u\|_2} = \left( \frac{\int_0^\infty \|y(t)\|^2\,dt}{\int_0^\infty \|u(t)\|^2\,dt} \right)^{1/2}. \tag{14}$$
Now, the $\mathcal{L}_2$ gain $\gamma_{\mathcal{L}_2}$ of a system is defined as follows [7]:
$$\gamma_{\mathcal{L}_2} = \sup_{u \in \mathcal{L}_2} \gamma_u. \tag{15}$$
By the second method of Lyapunov, it can be stated that a
system is asymptotically stable when $\gamma_{\mathcal{L}_2}$ is finite. Moreover,
the $\mathcal{L}_2$ gain gives an idea of the robustness of a system and,
therefore, is used as a performance measure.
Given a performance measure, the task of a control 
engineer is to design a controller that optimizes the system 
 performance. However, this is not trivial as the design param-
eters, e.g., control gains, affect the control performance in a 
nonlinear and complex manner. Therefore, engineers may 
often need to do extensive analysis. For example, using root 
locus diagram, an engineer can analyze how control gains 
X]]\Zkk_\jpjk\dgfc\jn_`Z_`eklie`eÕl\eZ\k_\kiXej`\ek
response of the system. However, with performance metrics, 
such as gains and cost functions, control theorists have come 
up with novel design approaches for optimal control.
E. Control Design
Over the years, different techniques to design controllers 
that stabilize the system and also optimize QoC have been 
developed. A naive approach could use simulation where a 
controller is assumed to be given and then the closed-loop 
system is simulated for a certain given initial condition and 
i\]\i\eZ\%@eZXj\[\j`^ei\hl`i\d\ekjXi\efkjXk`jÔ\[#k_\e
a different controller is assumed heuristically and the process 
is repeated until a suitable controller is found. However, this 
iterative approach is time consuming and cumbersome, and 
therefore, systematic mathematical approaches are more 
common. Here, we discuss three such approaches.
1) Pole placement technique: This design approach [8]
exploits the fact that an LTI system is asymptotically stable
when (8) holds. Now, for a state-feedback controller to
reject impulse disturbance, control law can be written as
$$u[k] = -Kx[k] \tag{16}$$
where vector $K \in \mathbb{R}^{1 \times n}$ represents feedback control gains.
Therefore, (2) can be reformulated as
$$x[k + 1] = (\phi - \Gamma K)x[k]. \tag{17}$$
Now, a system represented by (17) will be asymptotically
stable when the eigenvalues of $\phi_{cl} = \phi - \Gamma K$ satisfy (8).
The pole placement approach exploits this, and therefore,
the control gains can be calculated for single-input systems
using the Ackermann's formula
$$K = \begin{bmatrix} 0 & 0 & \cdots & 1 \end{bmatrix} \gamma_c^{-1} H(\phi) \tag{18}$$
where $\gamma_c$ is the controllability matrix
$$\gamma_c = \begin{bmatrix} \Gamma & \phi\Gamma & \phi^2\Gamma & \cdots & \phi^{(n-1)}\Gamma \end{bmatrix}. \tag{19}$$
For the eigenvalues $\lambda_i$s, $H(\phi)$ is given by the following:
$$H(\phi) = (\phi - \lambda_1 I)(\phi - \lambda_2 I) \cdots (\phi - \lambda_n I). \tag{20}$$
However, this approach is only applicable when the system
is controllable, i.e., $\gamma_c$ has full rank. Otherwise, not all the
eigenvalues or poles can be freely selected. This means that
the system is stabilizable only when the closed-loop poles
which cannot be manipulated are already stable.
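A worked instance of (3) and (16)-(20), added here and not taken from the paper: a gain is designed with Ackermann's formula for one sampling period, and the same gain is then evaluated against (8) when the platform actually samples more slowly. The double-integrator plant, the 10 ms design period, the desired eigenvalues 0.5 and 0.6, and all function names are assumptions; the Ackermann routine is written for $n = 2$ only.

```python
import cmath

A_PLANT = [[0.0, 1.0], [0.0, 0.0]]   # constructed double integrator (position, velocity)
B_PLANT = [[0.0], [1.0]]
H_DESIGN = 0.01                       # assumed design sampling period: 10 ms
DESIRED_POLES = (0.5, 0.6)            # assumed desired closed-loop eigenvalues

def mat_mul(X, Y):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*Y)] for row in X]

def discretize(A, B, h, terms=30):
    """Equation (3) by power series: phi = e^{Ah}, Gamma = (int_0^h e^{At} dt) B."""
    n = len(A)
    S = [[0.0] * n for _ in range(n)]          # S = sum_k A^k h^(k+1) / (k+1)!
    term = [[h * (i == j) for j in range(n)] for i in range(n)]   # k = 0 term: I h
    for k in range(1, terms + 1):
        S = [[s + t for s, t in zip(rs, rt)] for rs, rt in zip(S, term)]
        term = [[v * h / (k + 1) for v in row] for row in mat_mul(term, A)]
    AS = mat_mul(A, S)
    phi = [[(i == j) + AS[i][j] for j in range(n)] for i in range(n)]  # e^{Ah} = I + A S
    gamma = [row[0] for row in mat_mul(S, B)]
    return phi, gamma

def ackermann_2state(phi, gamma, poles):
    """Equations (18)-(20) for n = 2; poles are real or a complex-conjugate pair."""
    s = (poles[0] + poles[1]).real           # H(phi) = phi^2 - s phi + p I
    p = (poles[0] * poles[1]).real
    phi2 = mat_mul(phi, phi)
    H = [[phi2[i][j] - s * phi[i][j] + p * (i == j) for j in range(2)] for i in range(2)]
    pg = [sum(phi[i][j] * gamma[j] for j in range(2)) for i in range(2)]  # phi Gamma
    det = gamma[0] * pg[1] - pg[0] * gamma[1]   # det of controllability matrix (19)
    if abs(det) < 1e-15:
        raise ValueError("system is not controllable: (19) is rank deficient")
    last_row = [-gamma[1] / det, gamma[0] / det]   # [0 1] times inverse of (19)
    return [last_row[0] * H[0][j] + last_row[1] * H[1][j] for j in range(2)]

def closed_loop_poles(phi, gamma, K):
    """Eigenvalues of phi - Gamma K from (17), for a 2x2 system."""
    m = [[phi[i][j] - gamma[i] * K[j] for j in range(2)] for i in range(2)]
    tr = m[0][0] + m[1][1]
    det = m[0][0] * m[1][1] - m[0][1] * m[1][0]
    root = cmath.sqrt(tr * tr - 4.0 * det)
    return (tr + root) / 2.0, (tr - root) / 2.0

def design_gain():
    phi, gamma = discretize(A_PLANT, B_PLANT, H_DESIGN)
    return ackermann_2state(phi, gamma, DESIRED_POLES)

def spectral_radius_at(K, h_actual):
    """Largest closed-loop |eigenvalue| when the loop really runs with period h_actual."""
    phi, gamma = discretize(A_PLANT, B_PLANT, h_actual)
    return max(abs(z) for z in closed_loop_poles(phi, gamma, K))

if __name__ == "__main__":
    K = design_gain()
    print("K =", K)
    for h in (0.01, 0.02, 0.03):
        rho = spectral_radius_at(K, h)
        print(f"h = {h * 1000:.0f} ms  spectral radius = {rho:.3f} ->",
              "stable" if rho < 1.0 else "UNSTABLE")
```

With these assumed values the gain designed for 10 ms still satisfies (8) at 20 ms but violates it at 30 ms, so stability established at the model level is lost purely through a platform timing change.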
2) Linear quadratic regulator (LQR): This design
approach [5] not only designs an asymptotically stable system
but also considers optimization of the quadratic cost
given by (12) and (13). Now, the linear feedback control for
the finite horizon case is given by
$$u[k] = -K[k]x[k] \tag{21}$$
where control gains $K[\cdot]$ can be different for different samples.
Here, the gains can be calculated from a dynamic
Riccati equation by iterating backwards [8]. For an infinite
horizon, the gain is constant for all samples and is obtained
by solving the algebraic Riccati equation until a stationary
solution is reached [8].
3) Linear quadratic Gaussian control (LQG): The limita-
tion when using LQR is that all the states must be measur-
able to compute the control input. However, the measured 
states may not be accurate as there may be some noise in 
the measurement or noise inherent in the system. The noisy 
system model can be represented as 
  $$\begin{aligned} x[k+1] &= \phi x[k] + \Gamma u[k] + w[k] \\ y[k] &= Cx[k] + v[k] \end{aligned} \tag{22}$$
where for the sake of simplicity  w and  v can be assumed 
to be white noise. Now, to design an optimum controller 
n_`Z_d`e`d`q\jk_\cfjj]leZk`fe^`m\eYp(* #n\ZXe
Xggcpk_\j\gXiXk`fek_\fi\dR/T%?\i\#n\Ôijk\jk`dXk\
the states  x ̂[k] and then apply the LQR technique to design 
the controller using the estimated states  x ̂[k] . In this 
approach, the state estimation is realized using Kalman 
Ôck\i`e^R/T#n_\i\k_\fYa\Zk`m\`jkfd`e`d`q\k_\mXi`-
ance of the estimation error. This can be realized, for 
example, using a one-step-ahead predictor, where the 
next states are predicted based on the current state esti-
mations, control input, and system output which can be 
expressed as follows:
  $$\hat{x}[k+1|k] = \phi\hat{x}[k|k-1] + \Gamma u[k] + K[k]\,(y[k] - C\hat{x}[k|k-1]). \tag{23}$$
To minimize error variance, the Kalman gains  K[⋅] can be 
calculated by solving the parametric optimization problem 
YXj\[fek_\gi\[`Zkfidf[\c`e)* R/T%K_`jZXeY\i\g-
resented as 
  x ̂[k | k ] =  x ̂[k | k − 1 ] +  K f [k ] (y[k ] − C x ̂[k | k − 1 ] ) 
  v ̂[k | k ] =  K v [k ] (y[k ] − C x ̂[k | k −(T  )+ 
  x ̂[k + 1 | k ] = φ x ̂[k | k ] + Γu[k ] +  v ̂[k | k ] . 
K_\BXcdXeÔck\i^X`ej#`%\%#K f [⋅] and  K v [⋅] , can be obtained 
by solving a Ricatti equation [8].
These mathematical design approaches guarantee stabil-
ity and, in particular cases, optimal performance. However, 
they do not consider the controller implementation on the 
\dY\[[\[gcXk]fidn_`Z_dXp`eÕl\eZ\k_\jpjk\ddf[\c
and therefore nullify the safety guarantees. Moreover, for 
an embedded implementation, the resources needed by a 
control software must also be an important consideration 
in the controller design stage. Consequently, the aforemen-
tioned techniques must be extended to consider resource 
ZfejkiX`ekjXe[jg\Z`ÔZZ_XiXZk\i`jk`Zjf]k_\`dgc\d\ekX-
tion platform.
F. Nonlinear Dynamical Systems
Although we do not consider it in this survey, an important
research direction in the field of control theory is the
stabilization and control of nonlinear dynamical  systems. In 
the context of CPSs, most of the works consider linear mod-
els of the physical system as commonly found in  electrical 
circuits, mechanical systems, and chemical processes. 
However, new models found in the domains of avionics, 
autonomous vehicles, and power grid are inherently nonlin-
ear due to their complex interaction with the environment. 
Naturally, the problems of stability analysis and  controller 
design for nonlinear systems considering the details of 
platform implementation have become relevant. Toward 
this, there have been works focusing on NCSs, where the 
control loop is closed over a communication network. 
Correspondingly, several network-specific characteristics
such as time-varying network delays, packet drops, and 
hlXek`qXk`fe`eÕl\eZ\Zfekifcgifg\ik`\j%
Besides techniques derived from traditional nonlinear 
control theory, two important approaches toward solving 
problems of nonlinear NCS are: 1) fuzzy-model-based control;
and 2) formal synthesis of hybrid control systems. There
has been significant progress on these two approaches where
several implementation aspects have also been considered. 
However, most of these works assume very abstract platform 
models. They do not really derive the abstraction from real 
platform parameters such as network schedules, communi-
cation protocols, size of gateway buffers, or switch latencies. 
Hence, an integrated approach that closely binds controller 
design with platform parameter estimation is still missing. 
We discuss this topic again in Section VI-B. However, for 
a more detailed survey on fuzzy-model-based nonlinear control
and formal synthesis of hybrid control systems the readers
are referred to [9] and [10]–[12], respectively.
III. EMBEDDED PLATFORMS: DESIGN AND ANALYSIS
Embedded systems are widely used in various domains such 
as automotive, consumer electronics, healthcare, avionics, 
and industrial automation. In each of these domains, an 
underlying electrical/electronic (E/E) platform is required, 
which provides computation and communication services 
to the functional software. A typical hardware  architecture 
for such a platform consists of one or more processing 
le`kj% =`^% * j_fnj Xe \oXdgc\ f] X [`jki`Ylk\[ \dY\[-
ded  platform. Here, each processing unit has one or more 
processing cores, memory systems and input/output (I/O) 
ports. In the case of distributed architectures, multiple pro-
cessing units are connected by one or more communication 
bus systems. Data can be transmitted between process-
ing units as messages packed into frames over the bus. In 
a large-scale  system, heterogeneous bus protocols are used 
where communication  gateways can connect different bus 
clusters. Toward implementing software applications on 
jlZ_ gcXk]fidj# `e k_`j j\Zk`fe# n\ n`cc Ôijk [\jZi`Y\ k_\
implementation model and associated implementation con-
straints, followed by common implementation techniques.
A. Platform Implementation Model
A software application can be implemented as several 
pieces of software codes called tasks. These tasks can be 
data dependent in the sense that the output of one task is 
considered as an input to another task. Two data-dependent 
tasks can be mapped on different processors due to reasons 
such as spatial distribution of sensors and actuators. In such 
a case, the data between them are transmitted over a com-
munication bus via messages packed into frames. Thus, an 
application can be modeled as a directed task graph. Here, 
each vertex is a task and directed connecting lines represent 
data transmitted from source to target tasks. Subsequently, 
we will explain the timing models of tasks and data frames.
1) Task Model: Typically, in an embedded application, a 
task is executed multiple times triggered either a) periodi-
cally via time interrupts, i.e., in a time-triggered fashion; 
or b) aperiodically via events, i.e., in an event-triggered 
fashion. Moreover, when multiple tasks are mapped on a 
common processor, certain arbitration mechanisms are 
necessary. This is achieved by the operating system (OS), 
which is a software that schedules the tasks and allocates 
resources. Depending on the requirements of the applica-
tions, different scheduling schemes can be employed by the 
OS. Common scheduling schemes include time-triggered 
(TT) scheme (e.g., eCos), fixed-priority preemptive (FPP)
scheme (e.g., OSEK), and dynamic scheduling schemes 
such as earliest deadline first (EDF).
In TT static scheduling, processor time allocation is preconfigured,
i.e., it is known when a task will be executed
by the processor. In this scheme, a periodic task is characterized
by a tuple $T_i \sim \{p_i, o_i, e_i\}$, where $p_i$, $o_i$, and $e_i$ represent,
respectively, the period, the schedule offset, and the 
execution time. Since the execution time of a task is usually 
not deterministic, the worst case execution time (WCET) is 
used to represent the task schedule.
In contrast, in an FPP scheme, it is not known when a 
task will allocate a processing resource. Instead, it is decided 
at runtime by the OS according to the preset priority of the 
task. Without loss of generality, a periodic task can be characterized
by the tuple $T_i \sim \{p_i, a_i, \pi_i, e_i\}$, which represent, 
respectively, the period, release time, priority, and execution
time. The release time determines when a task instance 
is dispatched to be scheduled by the OS. Here, tasks are 
executed according to their priorities. If a task is currently 
running and a higher priority task arrives, the current task 
will be preempted. It will be resumed again when all task 
instances with higher priority are processed completely.
In the case of EDF scheduling scheme, the priorities of 
k_\kXjbjXi\efkXjj`^e\[f]Õ`e\#YlkXi\[\k\id`e\[fec`e\
according to remaining time to the deadline. Here, a task is 
represented as  T i ~ { d i ,  e i } .  d i is the relative deadline which 
`jk_\k`d\k_Xkk_\gifZ\jjfi_XjkfÔe`j_\o\Zlk`e^k_\kXjb
after the task release.
Each of these scheduling schemes has its own advantage
such as timing predictability, resource efficiency, and
implementation overhead, and the appropriate scheme can 
be chosen depending on requirements.
2) Frame Model: Each message frame may be packed 
with one or more data items and is transmitted over the 
bus according to different communication protocols. For 
example, message transmission may be achieved through a 
wireless medium (e.g., Zigbee, Bluetooth, and WLAN) or a 
wired medium (e.g., CAN, FlexRay, and Ethernet). Typical 
bus protocols include a) CAN, FlexRay, LIN, Ethernet, and 
DFJK `e k_\ Xlkfdfk`m\ [fdX`e2 Y  GifÔE\k# GifÔYlj#
and EtherCAT in industrial automation; and c) AFDX in the 
avionics domain. Different communication protocols imple-
ment different scheduling schemes, which is determined by 
the media-access control (MAC) layer. For example, the 
:8E Ylj \dgcfpj X Ôo\[$gi`fi`kp efegi\\dgk`m\ =GEG 
scheme, Ethernet implements collision sense multiple 
access/collision detection (CSMA/CD), EtherCAT imple-
ments polling, while FlexRay implements a hybrid scheme 
composed of a time-division multiple-access (TDMA)-based
static segment and a flexible TDMA (FTDMA)-based
dynamic segment.
For different protocols, frame timing models can be 
represented differently. For example, a CAN frame schedule
can be represented as $fr_i \sim \{p_i, a_i, \pi_i, c_i\}$ where $c_i$ represents
the frame transmission time over the bus. However, a 
static FlexRay or TDMA frame timing is expressed as a tuple 
$fr_i \sim \{s_i, b_i, r_i\}$ where $s_i$ is the slot id in which the frame is 
transmitted, $b_i$ is the TDMA cycle when the frame is sent 
for the first time, and $r_i$ represents the number of bus cycles 
after which the frame is sent again.
Fig. 3. A distributed embedded platform.
B. Implementation Constraints
The platform implementation often consists of determining
various parameters associated with the processors and 
the communication network. In processors, these parameters
include task partition and mapping, and scheduling 
parameters such as the static task schedule or priorities. On 
the communication side, various parameters of the network 
need to be determined. The exact parameters depend on the 
protocol and the implementation. For example, the design 
parameters for CAN are the priorities of the messages. For 
=c\oIXp#k_`jnflc[`eZcl[\k_\n_fc\ZfeÔ^liXk`fef]k_\
FlexRay communication cycle, i.e., the frame packing and 
frame-to-slot assignment.
Different constraints need to be considered when 
 determining the platform parameters. These constraints 
may be enforced by the platform or are derived from applica-
tion requirements. We discuss some important constraints 
as follows.
1) Processor Utilization: This is defined as the fraction of
computation time for which the processor may be busy in 
the worst case for a given task mapping. Let us denote the 
WCET and the period of a task $T_i$ as $e_i$ and $p_i$, respectively. 
Now, for a set of tasks $\mathcal{T}(P_i)$ mapped onto a processor 
$P_i$, the processor utilization $U(P_i)$ is given by the following 
expression:
  $$U(P_i) = \sum_{T_i \in \mathcal{T}(P_i)} \frac{e_i}{p_i}. \tag{25}$$
The processor utilization usually must be lower than a certain
value, beyond which, the tasks are no longer schedulable
(in practical cases, the value is much smaller than 100% 
for reliability reasons).
2) Bus Load: Bus load depends on the communication 
protocol used by the bus. For example, let us consider the 
FlexRay static segment. It is partitioned into  N slots of equal 
c\e^k_%@e=c\oIXp#k`d\` jfi^Xe`q\[XjXe` eÔe`k\i\g\k`k`fe
of 64 bus cycles. Here, the total number of slots in 64 cycles 
is  64N . If  Θ is the set of frames mapped onto a FlexRay bus, 
then the constraint on bus load $U_{FR}$ is derived as follows:
  $$U_{FR} = \sum_{fr_i \in \Theta} \frac{64}{r_i} \le 64N. \tag{26}$$
However, for bus systems, besides the reliability, the exten-
sibility (i.e., provision for mapping future messages) of the 
[\j`^e Xcjf e\\[j kf Y\ Zfej`[\i\[ R(*T% K_`j `j Y\ZXlj\
industrial systems often follow an iterative design para-
[`^dn_\i\k_\gi\m`fljm\ij`fe`jÔijk`e_\i`k\[Xe[k_\e
extended with new features. Now, if a bus is too highly 
loaded, it reduces the possibility of adding future messages.
3) Application-Level Constraints: In addition to the con-
straints imposed by limited platform resources, applica-
tion requirements must also be considered in the design. 
Consider an application represented by a chain of tasks and 
messages as $a_i \sim T_1 \to fr_1 \to T_2 \to fr_2 \to \cdots \to T_n$. In such an 
application, the tasks and messages must be scheduled in a 
way such that the task dependency constraints are satisfied.
For example, $T_1$ must finish before $fr_1$ is sent and $T_2$ must 
start only when $fr_1$ has arrived. Furthermore, there may be 
constraints on application latency, i.e., the time between 
the start of $T_1$ and the completion of $T_n$. This constraint is 
imposed on hard real-time distributed applications and cor-
respondingly they must satisfy strict deadlines. Even the 
sensing-to-actuation delay of a control application can be 
expressed as a latency requirement.
4) Task- and Frame-Level Constraints: Application-level 
requirements are typically translated to deadlines of tasks 
and messages. Deadline constraints specify when the execution
of a task or transmission of a message needs to be finished
after its release. In this regard, the response time of 
a task or a frame is defined as the time elapsed between
the release of the task (or frame) and the completion of task 
execution (or frame transmission). Response time not only 
depends on the code size in a task or the data size in a frame 
but also on the scheduling scheme on the processor and the 
bus. Denoting the response time of a task or a frame as $R_i$, 
and the deadline it must satisfy as $d_i$, then the deadline constraint
is given as follows:
  $$R_i \le d_i. \tag{27}$$
In addition, for shared resources, tasks and messages must 
Xcjf jXk`j]p ZfejkiX`ekj i\cXk\[ kf i\jfliZ\ ZfeÕ`Zkj% JlZ_
a constraint typically states that no two tasks or messages 
must be allocated to the same resource at the same time.
C. Platform Analysis
GcXk]fidXeXcpj`jm\i`Ô\j`]k_\jpjk\d[\j`^ed\\kjk_\
jg\Z`Ô\[ZfejkiX`ekjXe[k`d`e^i\hl`i\d\ekj%K_\XeXcpj`j
techniques depend on the implemented scheduling strategy 
on a platform. Considering the wide spectrum of scheduling 
algorithms available in different domains, we would not go 
`ekfk_\[\kX`cjf]Xepjg\Z`ÔZXeXcpj`j%
Early works on this topic have focused on providing 
schedulability tests and worst case response time (WCRT) 
analysis. For example, Liu and Layland [14] and Xu and 
Parnas [15] address the problem of schedulability tests 
for rate-monotonic, deadline-monotonic, and EDF sched-
uling schemes. Bril [16] and Bril et al. [17] propose the 
response time analysis for tasks. For example, in FPP 
scheduling, the WCRT of a task  t i can be computed using 
an iterative algorithm based on the following recurrence 
relation [16]
  $$R_i = e_i + \sum_{\Pi_j > \Pi_i} \left\lceil \frac{R_i}{p_j} \right\rceil e_j. \tag{28}$$
In the case of communication networks, Davis et al. [18] 
address the problem of timing analysis of the CAN bus and 
Pop et al. [19] and Zeng et al. [20] consider the FlexRay bus.
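The constraints (25)-(27), the recurrence (28), and the FlexRay frame tuple {s_i, b_i, r_i} can be checked mechanically. The following Python code is an added example, not taken from the paper or from any of the cited analysis tools; the task set and frame set are constructed sample data, all names are illustrative, and a larger priority value is assumed to mean higher priority, following the condition under the sum in (28).

```python
from collections import namedtuple

# Times are integers in one common unit so that the fixed point of (28) is exact.
Task = namedtuple("Task", "name period prio wcet deadline")   # FPP tuple {p, pi, e} plus d
Frame = namedtuple("Frame", "name slot base rep")             # FlexRay tuple {s, b, r}
CYCLES = 64                                                   # bus cycles in one repetition

def utilization(tasks):
    """Eq. (25): sum of e_i / p_i over the tasks mapped on one processor."""
    return sum(t.wcet / t.period for t in tasks)

def wcrt(task, tasks):
    """Eq. (28) by fixed-point iteration; None once R_i would exceed d_i, eq. (27)."""
    higher = [t for t in tasks if t.prio > task.prio]         # assumption: larger = higher
    r = task.wcet
    while r <= task.deadline:
        # -(-a // b) is an exact integer ceiling of a / b
        nxt = task.wcet + sum(-(-r // t.period) * t.wcet for t in higher)
        if nxt == r:
            return r
        r = nxt
    return None

def flexray_load(frames, n_slots):
    """Eq. (26): slots consumed per 64 cycles and whether they fit into 64 * N."""
    used = sum(CYCLES // f.rep for f in frames)
    return used, used <= CYCLES * n_slots

def slot_conflicts(frames):
    """Pairs of frames whose {s, b, r} tuples claim the same slot in the same cycle."""
    owner, clashes = {}, set()
    for f in frames:
        for cycle in range(f.base, CYCLES, f.rep):
            first = owner.setdefault((f.slot, cycle), f.name)
            if first != f.name:
                clashes.add((first, f.name))
    return sorted(clashes)

# Constructed sample data (not from the paper).
TASKS = [Task("T1", 4, 3, 1, 4), Task("T2", 6, 2, 2, 6), Task("T3", 12, 1, 3, 12)]
FRAMES = [Frame("fr1", 1, 0, 2), Frame("fr2", 1, 1, 2),
          Frame("fr3", 2, 0, 1), Frame("fr4", 1, 3, 4)]

def analyse(tasks, frames, n_slots, u_max=1.0):
    """Collect the processor-, task- and bus-level checks in one report."""
    return {
        "utilization_ok": utilization(tasks) <= u_max,
        "wcrt": {t.name: wcrt(t, tasks) for t in tasks},
        "bus_load": flexray_load(frames, n_slots),
        "conflicts": slot_conflicts(frames),
    }

if __name__ == "__main__":
    for key, value in analyse(TASKS, FRAMES, n_slots=3).items():
        print(key, value)
```

In the sample data the bus-load bound (26) holds although fr2 and fr4 collide in slot 1, which shows that the load constraint and the resource-conflict constraint have to be checked separately.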
Much effort has also been spent in deriving formal 
methods for compositional timing analysis. In this context, 
e\knfib ZXcZlclj R)(T# i\Xc$k`d\ ZXcZlclj R))T# R)*T# Xe[
SymTA/S approach [24] have been developed. These methods
have been applied to processor scheduling [23] and to
analyze communication networks such as FlexRay [25] and
switched Ethernet topologies [26]–[28]. In addition, the
problem of combined task and message timing analysis has 
XcjfY\\eX[[i\jj\[R)0TÆR*(T%@ek_`jZXj\#k`d`e^gifg\i-
ties are considered at the application level.
D. Platform Design
Another important research focus in embedded systems 
is the design of platform parameters according to the con-
straints and timing requirements. Here, the design is mostly 
aimed at task mapping, frame packing, and task and message
scheduling [32]–[35]. Several works also consider the
combined synthesis of task and message schedules from 
the application-level timing requirements such as latencies 
Xe[i\jgfej\k`d\jR*-TÆR*0T%@ek_\j\XggifXZ_\j#ljlXccp
a constraint programming (CP) problem is formulated and 
jfcm\[n`k_` ek\^\ic`e\Xigif^iXdd`e^@CG fijXk`jÔXY`c`kp
modulo theories (SMTs) solvers, heuristics or metaheuris-
tics methods. These approaches can usually guarantee that 
the requirements are met and further tune the parameters 
according to certain optimization objective(s). When multiple
conflicting objectives are considered, a Pareto front can
be generated or a DSE algorithm [40] can be applied to help 
the designer analyze different tradeoffs.
E. Hardware/Software Codesign
One additional direction of embedded systems design 
that has received attention in the past decade is hardware/
software (HW/SW) codesign. Traditionally for electronic 
jpjk\dj# k_\ _Xi[nXi\ `j [\j`^e\[ Ôijk# ]fccfn\[ Yp k_\
design of the software. HW/SW codesign approaches design 
both hardware and software components concurrently, thus 
\eXYc`e^]Xjk\ik`d\kfdXib\kXe[XZ_`\m`e^dfi\\]ÔZ`\ek
design. However, these approaches only consider cost, per-
formance, reliability, and power consumption as design 
objectives. They do not consider high-level control require-
ments such as stability and performance, when the software 
in question implements a feedback control loop. This survey 
focuses on the design of embedded control system from a 
CPS perspective and we refer the reader to [41] for a survey 
on HW/SW codesign. It may be noted that many optimiza-
tion techniques used in HW/SW codesign, when appropri-
ately adapted, can be utilized in the design of embedded 
control systems.
IV. CPS-ORIENTED APPROACHES TO EMBEDDED CONTROL SYSTEMS DESIGN
Our setup consists of a group of physical plants controlled 
by software running on a single processor or on a network 
f] gifZ\jjfij% @e k_`j j\Zk`fe# n\ Ôijk jkl[p k_\ `ek\igcXp
between the control system and the embedded platform 
using a motivational example. In doing so we point out 
the associated safety challenges. We will also discuss how 
the control and the embedded systems communities have 
attempted to address these challenges from their own 
perspectives.
A motivational example: As an example, we have con-
sidered a second-order system with the following system 
matrices:
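  $$A = \begin{bmatrix} -0.2 & 0.667 \\ -10 & -100 \end{bmatrix} \quad B = \begin{bmatrix} 0 \\ 100 \end{bmatrix} \quad C = \begin{bmatrix} 1 & 0 \end{bmatrix}. \tag{29}$$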
For a sampling period of $h = 0.02$ s, the discrete-time matrices
can be calculated using (3) as follows:
  $$\phi = \begin{bmatrix} 0.9953 & 0.0057 \\ -0.0862 & 0.1349 \end{bmatrix} \quad \Gamma = \begin{bmatrix} 0.0076 \\ 0.8643 \end{bmatrix}. \tag{30}$$
Let us consider the control law as  u[k ] =  − Kx[k] + Fr  
where  K and  F are the feedback and the feedforward gains 
and  r is the reference. Without loss of generality, we can 
assume  r = 0 and use the pole placement technique 
described in Section II-E to calculate the feedback gain. 
=\\[]finXi[ ^X`e ZXe Y\ ZXcZlcXk\[ lj`e^ k_\ ÔeXc mXcl\
theorem, i.e.,  lim 
t→∞
 y(t) = r , and is given by the following 
relation:
  F =  1 ____________ 
C  (I − ϕ + ΓK ) −1 Γ
% *( 
For both the closed-loop poles at 0.9,  K and  F can be calcu-
lated as follows:
  $$K = \begin{bmatrix} 0.7032 & -0.7811 \end{bmatrix} \quad F = 0.8689. \tag{32}$$
Using these values, we have simulated the closed-loop sys-
tem for unit step reference and plotted the output in Fig. 4.
Fig. 4. Closed-loop simulation curves with delay.
Next, let us assume that the control code is implemented 
as three tasks $T_s$, $T_c$, and $T_a$ in temporal order where the 
WCETs of the tasks are 1 ms, 3 ms, and 1 ms, respectively. 
These tasks are mapped on different ECUs, each with a TT 
scheduler. The data between $T_s$ and $T_c$ are transmitted as a 
message $m_s$ and the data between $T_c$ and $T_a$ are transmitted 
as another message $m_c$. The messages are transmitted 
over CAN. Now, let us consider two scenarios where the 
WCRTs of $m_s$ and $m_c$ are, respectively, calculated as follows: 
Case 1) 2 ms and 3 ms; and Case 2) 6 ms and 8 ms. We can 
schedule the tasks in a way such that all task dependency
constraints are satisfied and the end-to-end delay
is minimum. Now, for both cases, we have simulated the 
closed-loop system for a unit step reference signal. We have 
modeled the tasks $T_s$ and $T_a$ and the messages $m_s$ and $m_c$ 
as delay blocks of appropriate values, while $T_c$ executes the 
control law followed by a delay of 3 ms. The response curves 
for both the cases are shown in Fig. 4. It may be noted that 
the overshoot and the settling time have increased from the 
ideal case with no delay. Thus, we may say that the perfor-
mance has deteriorated, and more importantly, it does not 
match the expected values that were obtained at the model 
level. This performance degradation can be attributed to 
the delays introduced in the loop which will be studied 
later in this section. Fig. 5 shows the interplay between the 
control models and the platform implementation, i.e., how 
the task and message schedules affect the sampling period 
and the closed-loop delay of the control loop. Thus, control-
ler design without considering the timing properties of the 
platform implementation is unreliable and in the worst case 
may even result in an unstable system in spite of the model-
level controller being stable.
As mentioned earlier, safety properties of embedded 
control systems are usually captured in terms of stability 
and performance guarantees. We can observe in the above 
example that when the controller is designed separately 
from the embedded platform and is oblivious to the imple-
mentation details, no such guarantees at the implemen-
tation level are possible. In practice, costly testing and 
integration efforts are necessary to obtain an acceptable 
implementation by iteratively changing the controller 
model and the platform parameters. 
To address this issue, new controller design techniques 
that account for platform characteristics and resource con-
straints are discussed in Section IV-A. These techniques 
analyze properties of the platform architecture and incor-
porate them into the controller model, and then determine 
the appropriate parameters corresponding to this aug-
mented model in order to ensure stability and performance. 
Similarly, on the embedded systems side, new techniques for 
platform design have been proposed that take into account 
the particular requirements of embedded control systems; 
we discuss them in Section IV-B. Here, a given control system
is first analyzed to determine timing constraints that satisfy
stability and performance requirements. Subsequently, 
platform parameters are synthesized taking these timing 
constraints into account. Both the aforementioned design 
gXiX[`^dj _Xm\ dX[\ j`^e`ÔZXek gif^i\jj `e Yi`[^`e^ k_\
semantic gap between controller design and its implementa-
tion that is illustrated in the results shown in Fig. 4.
A. Platform-Aware Controller Design
The control theory community has looked into new con-
troller design methods that take into account the implemen-
tation platform characteristics. Here we review some of the 
important work in this direction.
1) Sensing-to-Actuation Delay: The discrete-time control 
system model described in Section II-A assumes that there is 
a negligible time delay between sensing and actuation. This 
implies that the computation of control input takes negli-
gible time. This is an idealistic assumption as embedded 
processors often have limited computation bandwidth and 
take nonnegligible time for computation. Moreover, sensors 
and actuators are often spatially distributed and the control 
loop may involve some communication over a shared net-
work, which may introduce additional delays. Assuming a 
sensing-to-actuation delay (or closed-loop delay) of  τ where 
0 < τ ≤ h ,  u(t) = u[k − 1] for  kh ≤ t < kh + τ , and  u(t) = u[k] 
for  kh + τ ≤ t < (k + 1)h . Consequently, the discrete-time 
state-space model for the delayed system [8] becomes the 
following:
  $$\begin{aligned} x[k+1] &= \phi x[k] + \Gamma_0 u[k] + \Gamma_1 u[k-1] \\ y[k] &= Cx[k]. \end{aligned} \tag{33}$$
Here, $\Gamma_0$ and $\Gamma_1$ for a sampling period $h$ and a delay $\tau$ are 
given as follows:
  $$\Gamma_0 = \int_0^{h-\tau} (e^{At}\,dt) \cdot B \qquad \Gamma_1 = \int_{h-\tau}^{h} (e^{At}\,dt) \cdot B. \tag{34}$$
Consequently, we can consider an augmented state vector 
as $z[k] = [\,x[k] \;\; u[k-1]\,]'$, for which the state-space model 
can be written as 
  $$\begin{aligned} z[k+1] &= \phi_z z[k] + \Gamma_z u[k] \\ y[k] &= C_z z[k] \end{aligned} \tag{35}$$
where $\phi_z$, $\Gamma_z$, and $C_z$ are as follows:
  $$\phi_z = \begin{bmatrix} \phi & \Gamma_1 \\ 0 & 0 \end{bmatrix} \quad \Gamma_z = \begin{bmatrix} \Gamma_0 \\ I \end{bmatrix} \quad C_z = \begin{bmatrix} C & 0 \end{bmatrix}. \tag{36}$$
Fig. 5. Task/message schedules in a controller implementation.
This model is identical to the ideal discrete time model 
^`m\e Yp ) % K_\i\]fi\# efn k_\ jkXe[Xi[ Zfekifcc\i
design methodology that was explained in Section II 
ZXeY\Xggc`\[%K_`jjpjk\ddf[\c_XjY\\elj\[`eR+)T
Xe[R+*T%
2) Input and Output Jitter: The closed-loop delay intro-
duced in a controller implementation may not be a constant 
value and instead be time varying, resulting in output jitter. 
Similarly, a control task may not be sampled at regular inter-
vals, thereby resulting in input jitter. This nondeterminism 
in timing may be induced by event-triggered preemptive 
scheduling of shared resources, or by asynchronous clocks 
in a distributed system, among other reasons. Moreover, 
this nondeterministic behavior may cause system instabil-
ity or inadequate QoC. Thus, it is important to analyze the 
`eÕl\eZ\f]`eglkXe[flkglka`kk\ifejkXY`c`kpXe[g\i]fi-
mance of a control loop.
Toward this, there has been some work in NCSs that 
considers stochastic or approximate analysis of system 
stability [44]–[48]. However, Cervin [49] has proposed 
an analysis of system stability and worst case perfor-
mance considering both input and output jitter. In [49], 
the assumption is that only the worst case delay, i.e., 
input and output jitter, is given without any information 
on the statistical distribution. Cervin introduces a novel 
technique to transform the closed-loop system model by 
adding two error paths corresponding to input and output 
a`kk\i% @efe\\iifigXk_# k_\ `eÕl\eZ\f]flkglk a`kk\i `j
modeled as an error in the actuation signal. In the second 
\iifigXk_#k_\`eÕl\eZ\f] `eglk a`kk\i `jdf[\c\[XjXe
error in the measurement. Subsequently, the stability and 
the performance of the transformed closed-loop system 
are analyzed in the frequency domain. This analysis can 
be very useful in practice to ensure safety of an implemen-
tation in the presence of jitter without extensive simula-
tions or testing.
3) Processor Architecture and Operating Systems: Design 
of embedded systems often starts with the selection of 
architectural components, e.g., processors, buses, and 
the OS along with its scheduling policy and parameters. 
However, at this stage, the designer only has a very rough 
idea of the applications. Therefore, the choice of proces-
sor architecture and OS is almost oblivious of the applica-
tions that will run on the processor. However, there are 
certain OS features that invalidate the assumptions made 
in the controller design if not taken into account. For 
example, an OS such as ERCOSek, running on a processor
may offer only a preconfigured set of sampling periods.
Controllers implemented on such a processor must 
be implemented according to a sampling period selected 
from this set. The straightforward scheme is to find the
largest sampling period $H_j$ from the preconfigured set
$\mathcal{H} = \{H_1, H_2, \ldots, H_k\}$ for which a controller can be designed 
satisfying the requirements. However, this might result in 
using an unnecessarily high sampling rate, and thereby 
overloading the processor.
To address this issue, Goswami et al. [50] have proposed
to design controllers with nonuniform sampling. The 
idea is to choose a sampling order $\prod h_i = h_1 \to h_2 \to \cdots \to h_n \to \text{repeat}$. 
Here, $h_i \in \mathcal{H}$ and $h_{avg} = \frac{1}{n}\sum_{i=1}^{n} h_i$. Then, the controller
is designed such that the obtained performance $J(\prod h_i)$ 
for the assumed sampling order satisfies the requirement 
$\bar{J}$ while $h_{avg} > H_j$. Higher $h_{avg}$ implies savings in computation
resource. Goswami et al. [50] also suggest a design 
technique for such a multirate controller. The controller 
is designed for the average sampling period $h_{avg}$ using the 
pole placement technique described in Section II-E. The 
closed-loop system $\phi_{cl}(\prod h_i) = \phi_{cl}(h_1)\,\phi_{cl}(h_2) \cdots \phi_{cl}(h_n)$ 
can be analyzed for stability and performance using stand-
ard techniques.
A similar approach is also valid for multicore architec-
tures where a TDMA-based execution policy is employed 
to eliminate interapplication interference or to offer com-
positionality. In such an architecture [51], processor time 
is partitioned into slots where each slot is dedicated to an 
application. Correspondingly, several instances of a con-
troller may run in its TDMA slot thus resulting in a shorter 
sampling period. However, the last instance may either 
_Xm\kfnX`k]fik_\e\ok[\[`ZXk\[jcfkkfÔe`j_fik_\k`d\
gap between the last instance of the current slot and the 
Ôijk`ejkXeZ\fek_\e\okjcfk`jdlZ_cXi^\i%@eYfk_ZXj\j#
the controller implementation naturally resembles a mul-
tirate case with only two sampling periods. Valencia et al. 
R+)T _Xm\ jkl[`\[ jlZ_ Xe `dgc\d\ekXk`fe f] Zfekifcc\ij
in multicore architectures. The sampling order for a given 
TDMA policy is derived. Subsequently, a linear matrix 
inequality (LMI)-based approach is proposed to design 
the controller. Here, the two sampling periods result in 
two different subsystems and the overall system switches 
between the two. Therefore, it is suggested to design the 
controller corresponding to the shorter sampling period 
(the dominant one) using pole-placement technique. The 
stability of the overall switching system can be ensured 
Yp Ôe[`e^ X Zfddfe P such that (10) holds for both 
subsystems.
4) Deadline Misses, Packet Drops, and Fault Tolerance: 
A controller can be designed assuming a closed-loop 
delay and sampling period as discussed in Section IV-A1. 
Subsequently, in the schedulability analysis, the control-
ler is treated as a hard real-time application where the 
delay is considered as a deadline and the sampling period 
as the dispatch period. A system is schedulable if all the 
WCRTs satisfy the deadline constraints. This schedulabil-
ity test is conservative in nature because it relies on a criti-
cal instant (i.e., all the controllers are contending to run at 
the same time) and on WCET estimates of the controller
tasks (which are pessimistic in nature). Since the worst 
case occurs rarely, this results in a poor resource utili-
zation. Similarly, in NCSs, there is a hard constraint on 
in-time packet delivery. However, there may be momen-
tary faults in the network which can corrupt the data. In 
highly constrained networks, there may be some packet 
losses as well.
@e [fdX`ej jlZ_ Xj Xlkfdfk`m\# \]ÔZ`\ek lk`c`qXk`fe f]
resources is of utmost importance in order to minimize cost. 
Hence, the goal is to map as many applications as possible 
on a given embedded platform (single processor or network 
of processors). Moreover, for control applications, deadline
or in-time packet delivery is not an accurate reflection
of stability and QoC and designs driven by them might be 
overly conservative. This is because of the inherent robust-
ness of control loops, which allows for certain deadline 
misses. However, quantifying such deadline miss patterns 
is not straightforward.
Recently, a number of works have addressed this issue 
[52]–[59]. Most of them consider a switched system model
to represent a control-loop with deadline misses or packet
drops [52]–[54], [58], [59]. There can be several ways in
which deadline misses or packet drops can be modeled, i.e.,
1) as an open-loop system, i.e., u[k] = 0; 2) as the last control
input being used, i.e., u[k] = u[k−1]; or 3) as two
consecutive misses, i.e., u[k] = u[k−2]. The probability of
a deadline miss can either be stochastic or guided by the
(m, k)-firm rule (i.e., only m out of k times deadlines can
be missed).
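The miss models and the (m, k)-firm rule above can be tried on a small loop. The following Python code is an added example, not taken from the surveyed papers; the scalar plant x[k+1] = 1.5 x[k] + u[k], the gain of 1 and the miss patterns are constructed assumptions.

```python
"""(m, k)-firm deadline misses on a scalar control loop (added illustration;
the plant, gain and miss patterns are constructed assumptions)."""
from fractions import Fraction as F
from itertools import product

A_PLANT, B_PLANT, GAIN, X0 = F(3, 2), F(1), F(1), F(1)


def is_mk_firm(misses, m, k):
    """True if no window of k consecutive jobs contains more than m misses."""
    windows = max(1, len(misses) - k + 1)
    return all(sum(misses[i:i + k]) <= m for i in range(windows))


def simulate(misses, on_miss="zero", a=A_PLANT, b=B_PLANT, gain=GAIN, x0=X0):
    """Run x[k+1] = a x[k] + b u[k] under a miss pattern (1 = missed job).

    A job that meets its deadline applies u[k] = -gain * x[k]. A missed job
    applies u[k] = 0 ("zero", open loop) or repeats the last applied input
    ("hold"); with "hold", two misses in a row give u[k] = u[k-2].
    """
    x, u_prev, traj = x0, F(0), [x0]
    for miss in misses:
        if not miss:
            u = -gain * x
        elif on_miss == "zero":
            u = F(0)
        else:
            u = u_prev
        x = a * x + b * u
        u_prev = u
        traj.append(x)
    return traj


def quadratic_cost(traj):
    """Sum of squared states, a simple stand-in for a quadratic cost."""
    return sum(x * x for x in traj)


def worst_pattern(m, k, horizon, on_miss="zero"):
    """Search every (m, k)-firm pattern of the given length and return
    (largest final |x|, pattern that produces it)."""
    worst = None
    for bits in product((0, 1), repeat=horizon):
        if not is_mk_firm(bits, m, k):
            continue
        final = abs(simulate(bits, on_miss)[-1])
        if worst is None or final > worst[0]:
            worst = (final, bits)
    return worst


if __name__ == "__main__":
    for pattern in ([0, 0, 1] * 4, [0, 1, 1] * 4):
        for mode in ("zero", "hold"):
            traj = simulate(pattern, mode)
            print(pattern[:3], mode, "final x =", float(traj[-1]),
                  "cost =", float(quadratic_cost(traj)))
    for m in (1, 2):
        final, bits = worst_pattern(m, 3, 6)
        print(f"worst ({m}, 3)-firm pattern over 6 jobs:", bits, float(final))
```

With at most one miss in any three jobs the state still contracts in the worst case, while allowing two misses in three lets it grow, so the admissible (m, k) pair is a property of the loop and not of the scheduler.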
It is natural to study the impact of deadline misses on 
the performance of control loops. Towards this, Geelen 
et al. [53] and Antunes and Heemels [54] have considered
stochastic systems with packet drops or deadline misses. 
For a given ideal input signal (i.e., without any misses), 
mean and variance of the output signal are calculated in 
time domain and in frequency domain. Furthermore, van 
Horssen et al.R,)T_Xm\jkl[`\[g\i]fidXeZ\[\^iX[Xk`fe
for switched systems with  (m, k $Ôid[XkX cfjj\j#n_\i\
a system switches between closed-loop and open-loop 
 subsystems. Here, van Horssen et al. have represented the 
system with deadline misses as an automaton for which 
a stable controller can be designed using an LMI-based 
approach. Correspondingly, the loss in performance can 
be calculated by comparing the quadratic costs corre-
sponding to the stable controller and the ideal (without 
misses) LQR controller. Van Horssen et al. [52] have further
proposed that the performance can be improved at
the cost of online computation by deadline-miss-aware 
controller updates.
In the same vein, Majumdar et al. [59] have considered
$\mathcal{L}_\infty$-to-RMS gain as the performance measure, and,
for a given successful packet transmission rate, an upper
bound on $\mathcal{L}_\infty$-to-RMS gain is derived. This gain measure
of a discrete-time LTI system with input disturbance $Z$ and
$\|Z\|_\infty = \sup_{k \ge 0} \|Z[k]\|_2$ is given by the following expression
and indicates how a system reacts to disturbance:
$$\sup_{\|Z\|_\infty \neq 0,\; x[0] = 0} \frac{\left( \limsup_{N \to \infty} \frac{1}{N} \sum_{j=0}^{N} y'[j]\, y[j] \right)^{1/2}}{\|Z\|_\infty}.$$ (37)
The lower the gain value is, the smaller is the effect of dis-
turbance and the better is the robustness. Considering this, 
an expression for the minimum successful transmission rate 
r min is derived for which the system is stable. Later, Saha 
et al. [58] have derived that the successful transmission rate 
at which the performance is optimal is either the minimum 
possible rate  r min (constrained by stability) or the maximum 
possible rate  r max (constrained by network availability).
In addition, Goswami et al. [57] have studied a restriction
on deadline misses over a finite horizon (k samples)
and proposed an exponential stability criterion in terms of 
allowable deadline misses. This criterion forces a bound on 
the rate at which the system must approach the equilibrium 
state from a given initial state which is mathematically given 
by [60] 
$$\|x[k] - x_e\| \le c_1 + c_2\, \beta^k\, \|x[0]\|$$ (38)
where $c_1 \ge 0$, $c_2 > 0$, and $0 < \beta < 1$. Furthermore, Goswami
et al. [57] have considered a performance measure tuple
$\{S, \chi\}$ as follows:
$$S \ge \frac{\|x[k + \chi] - x_e\|}{\|x[k]\|} \times 100.$$ (39)
This implies that  χ samples after the disturbance has 
arrived, at least  (100 − S)% of the disturbance is rejected. 
Subsequently, the number of samples  κ s that can be missed 
out of  χ samples can be calculated to meet the performance 
requirement given by  S .
5) Finite Precision Arithmetic: Traditionally, control-
lers are designed by solving a set of differential equations 
in a way that stability and performance requirements are 
met. At the model level, no assumptions on the arithme-
tic precision of computations are made. However, for an 
embedded implementation, the control law is calculated 
YpXgifZ\jjfi k_XkXccfnjfecpÔo\[gi\Z`j`feXi`k_d\k`Z
operations. As a result, safety and performance guarantees 
are no longer valid due to quantization errors. Moreover, it 
may so happen that the system constantly oscillates around 
the equilibrium state.
To address this, there has been work on quantization-
error-aware verification of control software [61]–[64]. The
goal is to verify that the final implementation results in a
practically stable system, i.e., the final state of the system is
within a bounded region of the equilibrium state.
Furthermore, Majumdar et al. [65] have proposed 
to synthesize controllers by cooptimizing the LQR cost 
function and the quantization error, thereby constructing a 
Pareto front of the two objectives. The proposed approach 
ZXe Y\ gXik`k`fe\[ `ekf knf jkX^\j% @e k_\ Ôijk jkX^\# Xe
upper bound on the quantization error in the computation 
of control law is calculated. For a given implementation and 
the bounds on plant states, the range of each controller vari-
able is analyzed and the bitwidths allocated accordingly. For 
given bitwidth allocations, the maximum quantization error 
in an arithmetic operation is calculated. Subsequently,
since the computation of the control law involves multi-
ple arithmetic operations, the quantization error accumu-
lates accordingly. In addition to the quantization error in 
the computation, the approach also considers quantization 
error in measurement, for which the bound will simply 
depend on the allocated bitwidths. The errors are modeled 
as disturbance in the observer dynamics and the feedback 
gain codes. Subsequently, in the second stage, a multiobjec-
tive optimization problem is formulated and solved using 
particle swarm optimization (PSO) [66]. The objectives 
Zfej`[\i\[Xi\CHIÆCH>hlX[iXk`ZZfjk]leZk`feRj\\(* T
and  & ) induced gains from input disturbance to output [see 
(14) and (15)], where the input disturbances are the two 
quantization errors. Finally, the PSO algorithm generates 
several Pareto points that depict the tradeoff between per-
formance and quantization error.
B. Controller-Aware Platform Design
As discussed in Section III, traditional approaches of 
platform design are based on timing requirements, which 
might be overly conservative. In the context of CPS, a more 
appropriate approach is to consider the control properties of 
the system at the platform design stage. These control prop-
erties include stability, QoC, and robustness, among others. 
This design approach will ensure either 1) optimal QoC of 
k_\fm\iXccjpjk\d]fiX^`m\egcXk]fidi\jfliZ\2fi) d`e`-
mize resource usage while satisfying all performance and 
stability constraints. Toward this, in this section, we will 
discuss some of the platform design approaches that have 
been proposed in the literature.
1) Stability- and Performance-Aware Platform Design: In 
Section IV-A, we have discussed several platform characteristics
that may influence the stability and performance of
control systems if not considered at the controller design
stage. Most of these platform characteristics are configurable,
subject to certain constraints. For example, the
sensing-to-actuation delay and jitter can be manipulated 
by changing the schedule parameters to the extent that the 
overall system still remains feasible. Now, given a set of con-
trollers, how to determine platform parameters considering 
k_\`i`eÕl\eZ\fejkXY`c`kpXe[g\i]fidXeZ\`jXe`dgfikXek
research problem.
Toward this, Mancuso et al. [67] have addressed the 
problem of calculating the priorities and periods of the con-
trol tasks. It is assumed that several control loops run on a 
given platform with FPP scheduling. An optimization prob-
lem is also formulated with the objective of maximizing the 
overall QoC. Here, the control performance of each loop is 
measured by the LQR cost function approximated as a linear 
function of sampling period and delay. Solving the optimization
problem is difficult due to the nonlinear dependency of
the WCRT of a task on priority assignment. Consequently, a 
branch and bound technique is proposed to solve the prob-
lem. Furthermore, Aminifar et al. [68] have proposed a scal-
able algorithm to determine the priorities and periods of 
control tasks taking into account both worst-case delay and 
jitter. However, only the stability of control loops is consid-
ered instead of optimizing the overall QoC. The impact of 
delay and jitter on stability of a control loop is studied using 
the Jitter Margin Toolbox [69]. Finally, a stability condition 
in terms of delay and jitter is derived as a linear inequality.
In the same vein, Aminifar et al. [70], [71] have studied 
server-based scheduling of control tasks. The server-based 
scheduling of real-time tasks is introduced to achieve isolation,
i.e., misbehavior in one task will not affect the others.
In [70] and [71], Aminifar et al. have defined periodic server
as a tuple of budget  Q , period  P , and deadline  D . It is assumed 
that each server is assigned to only one control task. The 
server ensures that  Q amount of processor time is allocated 
to the assigned task in each period  P before the deadline  D . 
Here, the constraint is that the resource reserved by a server 
must be greater than or equal to the resource requirement 
of the assigned task. A task runs only when its dedicated 
server allocates processor time to it. Now, given the period
and the best and the worst case execution times of a control 
task, it is possible to derive the best and worst case response 
time of the task. Corresponding to these values, nominal 
delay and jitter can be calculated which can be subsequently 
analyzed to determine the stability of the system. It may be 
noted here that in this server-based approach, each task can 
be analyzed independent of other tasks running on the same 
processor. The idea is to calculate the parameters of each 
server taking into consideration the stability and the worst 
case performance of the assigned control loop. Although
the server-based approach is pessimistic in nature, it offers 
compositionality and isolation, which are important aspects 
to guarantee safety in control systems (i.e., model-level 
guarantees are preserved in an implementation).
2) Robust-Control-Aware Platform Design and Verification: In
Section IV-A4, we have mentioned that any control-loop has 
some inherent robustness. Hence, occasional deadline misses 
or packet drops may not make the system unstable or violate 
its performance requirements. We have also mentioned pre-
vious work that derived the minimum rate of ideal closed-
loop action [(m, k)-firmness] necessary to ensure stability and
performance of the system. Given these rates for multiple 
control loops, the task of an embedded systems engineer is 
to implement the corresponding controllers on an embedded 
gcXk]fidjlZ_k_Xkk_\j\ZfejkiX`ekj&iXk\jXi\jXk`jÔ\[%
In this context, Majumdar et al. [59] have proposed a 
jkXk`ZjZ_\[lc`e^Xc^fi`k_dk_XkjXk`jÔ\jk_\m, k $Ôide\jj
of all the controllers and at the same time tries to maxi-
mize the overall QoC of the system. The algorithm solves a 
multiobjective optimization problem where (m, k)-firmness
is treated as one of the constraints. The optimization objec-
tives are the QoCs of all the control systems. Next, the 
 multiobjective optimization problem is transformed into 
a single-objective problem by a weighted combination of 
the QoCs. Here, the weights are assigned in a way such 
that the control loop, which is the most sensitive to the 
iXk\f]gXZb\k[ifgj#_XjdXo`dld`eÕl\eZ\fek_\fYa\Z-
tive. Consequently, the solution to the problem will be an 
undominated one in the multiobjective space.
Another body of research that studies the impact of 
missed control action on stability and performance is platform-aware
formal verification of control software [55],
[56], [72], [73]. Here, an embedded platform architecture
is represented as a network of time-stamped event count 
automata (TS-ECA) where each message is stamped with a 
time as it moves from one buffer to another. Moreover, the 
(m, k $Ôidilc\ZXeY\]fidlcXk\[XjXc`e\Xik\dgfiXccf^`Z
(LTL) formula where all possible combinations of allowed 
misses can be represented. Subsequently, the network of 
TS-ECAs are model checked to verify satisfiability of the LTL
formula. Thus, a control software can be formally verified
using model checking to ensure that all the control applica-
tions satisfy the constraints on their deadline misses.
Furthermore, Behrouzian [73] has proposed an analytical
technique to verify (m, k)-firmness. The authors assume
that the control tasks are running on a processor according 
to a TDMA scheme where each application is assigned a 
dedicated slot to execute. For such an architecture, given a 
sampling period between the best and worst case response 
time, the proposed technique can calculate an upper bound 
on the percentage of dropped samples. The estimation is 
YXj\[ fe Xe XeXcpj`j f] X Ôe`k\ i\^lcXi n`e[fn n`k_ k_\
assumption that tasks arrive periodically. This technique 
is faster than timed-automata-based approaches that were 
proposed earlier.
3) Application-Criticality-Aware Platform Design: Mixed 
criticality systems are becoming increasingly more com-
mon; here, applications of different criticality share the 
same resource. These applications have different require-
ments, e.g., hard real-time applications have strict timing 
requirements, while control applications have stability and 
performance requirements. Thus, techniques discussed in 
Section IV-B1 are not applicable in a straightforward man-
ner for platform design in such cases.
Toward this, Wu et al. [74] have considered control and 
noncontrol tasks running on a processor with EDF schedul-
ing strategy. Upper and lower bounds are assumed on sam-
pling periods and relative deadlines of all applications. Here, 
the bounds for control applications are derived from stability 
and performance requirements. Subsequently, an optimiza-
tion problem is formulated and solved where the variables 
are the periods and deadlines of all tasks. The objective is to 
maximize the overall QoC of the system while satisfying the 
deadline constraints of noncontrol tasks. The QoC metric 
of each control loop is the loss in LQR cost due to sampling 
period and output jitter.
Later, Schneider et al. [75], [76] have considered a simi-
lar problem for an FPP scheduling scheme. A multilayered 
scheduling approach is proposed. In this approach, real-time 
and control applications form the top and bottom layers, 
respectively. The scheduling algorithm starts with the worst 
priority and iteratively approaches the best priority where 
in each iteration one task is assigned the worst priority 
]ifdk_\XmX`cXYc\j\k%@e\XZ_`k\iXk`fe#k_\Xc^fi`k_dÔijk
ki`\jkfÔe[XkXjbn`k_k_\cfe^\jk[\X[c`e\]ifdk_\gffc
of unassigned tasks in the top layer. Correspondingly, the 
WCRT of the task is calculated if the current worst available 
gi`fi`kp `j Xjj`^e\[% @] k_\ [\X[c`e\ `j jXk`jÔ\[# k_\ kXjb `j
assigned the priority. Otherwise, the algorithm then tries to 
Ôe[k_\Zfekifcc\in_`Z_i\dX`ejjkXYc\Xe[]fin_`Z_k_\
performance degradation is minimum if assigned the worst 
available priority. If such a controller is found, then the 
priority is assigned. As performance degradation is a non-
linear function of sensing-to-actuation delay, the obtained 
overall QoC may not be the guaranteed optimum. However, 
this algorithm is at least more analytical than a deadline 
 monotonic scheme and will be more useful in mixed criti-
cality scenarios.
4) Using Hybrid Architectures: Time-triggered archi-
tectures (TTAs) have inherent timing determinism. This 
makes it easier to implement control algorithms on them. 
?fn\m\i# KK8j dXp efk Y\ i\jfliZ\ \]ÔZ`\ek% =fi \oXd-
ple, in TDMA, if a slot is allocated to a message it will be 
consumed irrespective of whether any data are sent and it 
cannot be reallocated to a different message. As a result, 
time-triggered slots are judiciously used. On the other 
hand, event-triggered architectures (ETAs) offer higher 
i\jfliZ\ \]ÔZ`\eZp Ylk k`d`e^ efe[\k\id`e`jd dXb\j `k
[`]ÔZlckkf`dgc\d\ekZfekifcXc^fi`k_djfek_\d%@]lj\[#
the worst case delay values have to be considered, which 
makes a design pessimistic. Moreover, a control law need 
not be computed at high frequency if the controlled plant is 
in the equilibrium state [77], which makes TTAs unsuitable 
candidates if resource usage is to be maximized. Ideally, 
the resource allocated to a controller could be dynami-
cally determined based on the state of the system. This fact 
has been exploited for hybrid platform architectures that 
 support both TT and ET task execution and message trans-
mission [78].
Examples of work along these lines include that of 
Goswami et al. [79]. Distributed control applications using 
FlexRay communication bus are studied. A controller is 
proposed which can switch from an event-triggered mode 
to a time-triggered mode based on the occurrence of distur-
bances. The performance of such a hybrid implementation 
is almost equivalent to one in which only TT communica-
tion is used.
Later, Masrur et al. [80], [81] have proposed worst 
case performance analysis techniques for such a setup. In 
particular, these works calculate the minimum number of 
TT slots required such that all the applications satisfy the 
corresponding performance requirements. The analysis 
consists of two nested layers. The inner layer considers the 
case of a single slot assigned to several applications and 
investigates if such an assignment is safe. Here, two differ-
ent arbitration policies are considered: 1) FPNP [80]; and 
) =GGR/(T%@e=GEG#n_\eXeXggc`ZXk`fe^\kjXKKjcfk#
it stays there for a certain dwell time which is enough to 
stabilize the system even in the worst case. In FPP, a lower 
priority application may be preempted by a higher priority 
one. Preemption is only allowed at a point where the higher 
priority application if not given a TT slot will not satisfy 
the performance requirement. However, a retransmission 
cost is considered due to preemption. For both arbitration 
policies, worst case analysis can be carried out by extending 
the WCRT analysis for nonpreemptive deadline monotonic 
scheduling schemes. In the outer layer, a slot provision-
ing algorithm maps applications to slots one by one using 
X Zljkfd`q\[ Ôijk Ôk _\li`jk`Z% @k lj\j k_\ `ee\i cXp\i kf
determine the feasibility of mapping the current applica-
tion to the slots which are already provisioned. If it is not 
feasible, then a new slot is added. It may be noted that such 
_pYi`[`dgc\d\ekXk`fejdXpi\hl`i\ilek`d\i\ZfeÔ^liX-
k`fef]k_\le[\icp`e^gcXk]fidR/)T#R/*T#n_`Z__XjY\\e
addressed in [84].
Recently, Balszun et al. [85] have proposed a control 
algorithm for mixed TT and best effort communication. The 
algorithm uses TT communication to guarantee worst case 
performance requirement while exploiting best effort com-
munication to improve the performance and thereby achiev-
ing higher average performance.
5) Event-Triggered and Self-Triggered Control: Traditionally, 
a controller is implemented on an embedded platform as a 
group of tasks dispatched periodically. However, when the 
system is in steady state it is not necessary to apply control 
inputs as frequently as when the system is in a transient 
state. Moreover, periodic execution of control tasks at high 
frequency may be very expensive in resource-constrained 
embedded systems. In this context, two new implementa-
tion techniques have come up: event-triggered [86] and 
self-triggered control [87]. In event-triggered control, the 
 control law is executed only when a certain error threshold 
is violated based on the current system states. This decision 
is taken by a feedback scheduler which also monitors the sys-
tem states. On the other hand, self-triggered controllers cal-
culate the current control input and also the next sampling 
instant based on the current system states. Therefore, they 
do not require an additional feedback scheduler.
In both cases, stability and performance analysis tech-
niques that are based on a known sampling period are no 
longer valid. Tabuada has derived a constraint for task acti-
vation such that the system is stable with respect to meas-
urement noise [86]. This constraint is based on the current 
state and the difference norm between 1) the current state; 
Xe[)  k_\jkXk\lj\[ `e k_\ZXcZlcXk`fef] k_\ cXjkZfekifc
input. Here, nonlinear systems given by  x ̇= f(x, K(x + e)) 
have been studied, where  e is the measurement noise and 
u = K(x + e) is the control input. Notion of input-to-state 
stability (ISS) in this case is given by [88]
  | | x[k]|| ≤ β(x [0], k) + γ (sup u[k] :k ∈  Z * ) (40)
where the functions  β and  γ are of class  %& and  % , respec-
tively. Now, a closed-loop system is ISS with respect to the 
measurement noise if there exists an ISS Lyapunov function 
V(x) such that  V(x) is continuous and 
  α 1 (| x|) ≤ V(x) ≤  α ) ( | x |) ∀ x[0] ∈  ℝ n 
  
∂ V
 ___
∂ x
 f(x, K(x + e)) ≤ − α 3 ( | x | ) + σ ( | e |) 
(41)
where  α 1 ,  α ) ,  α * , σ ∈  % ∞ -function.
Based on the derivation in [86], Anta et al. have calcu-
lated the next activation time for self-triggered control that 
renders the closed-loop system ISS [87]. In addition, there 
have been other works that determine triggering condi-
tions or trigger instants such that the system is stable, e.g., 
1) stable in the sense of Lyapunov [89]; and 2) uniformly
globally asymptotically stable [90]. Furthermore, a recent 
work also considers ISS taking output quantization [91] 
into account.
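The two execution schemes above can be compared on a small loop. The following Python code is an added example, not code from the paper or from the cited works; the scalar plant x[k+1] = 1.02 x[k] + u[k], the gain 0.07 and the relative threshold sigma = 0.2 on the gap between the current state and the state used for the last control input are assumptions.

```python
"""Event- and self-triggered execution of a scalar state-feedback loop
(added illustration; plant, gain and threshold sigma are assumptions)."""
from fractions import Fraction as F

A, GAIN, SIGMA = F(51, 50), F(7, 100), F(1, 5)


def must_update(x, x_used, sigma):
    """Triggering rule: recompute the control law once the gap between the
    current state and the state used for the last input exceeds sigma*|x|."""
    return abs(x_used - x) > sigma * abs(x)


def step(x, x_used):
    """One period of x[k+1] = A x[k] + u with the held input u = -GAIN * x_used."""
    return A * x - GAIN * x_used


def event_triggered(x0, steps, sigma=SIGMA):
    """A feedback scheduler checks the rule every period.
    Returns (number of control-law executions, state trajectory)."""
    x, x_used, updates, traj = x0, None, 0, [x0]
    for _ in range(steps):
        if x_used is None or must_update(x, x_used, sigma):
            x_used, updates = x, updates + 1
        x = step(x, x_used)
        traj.append(x)
    return updates, traj


def next_interval(x, sigma=SIGMA, max_steps=50):
    """Self-triggered variant: at an update, predict from the model after
    how many periods the rule will fire, i.e. the next sampling instant."""
    x_used = x
    for n in range(1, max_steps + 1):
        x = step(x, x_used)
        if must_update(x, x_used, sigma):
            return n
    return max_steps      # fall back to a bounded interval


def self_triggered(x0, steps):
    """No per-period monitoring: each execution also schedules the next one."""
    x, k, updates, traj = x0, 0, 0, [x0]
    while k < steps:
        n = min(next_interval(x), steps - k)
        x_used, updates = x, updates + 1
        for _ in range(n):
            x = step(x, x_used)
            traj.append(x)
        k += n
    return updates, traj


if __name__ == "__main__":
    periodic_runs, _ = event_triggered(F(1), 100, sigma=F(0))
    event_runs, traj = event_triggered(F(1), 100)
    self_runs, _ = self_triggered(F(1), 100)
    print("periodic executions:       ", periodic_runs)
    print("event-triggered executions:", event_runs)
    print("self-triggered executions: ", self_runs)
    print("final state:", float(traj[-1]))
```

Setting sigma to 0 reproduces periodic execution, so the same function gives the baseline against which the saved control-law executions are counted.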
Besides safety, it is also important to consider control 
performance while designing event-triggered controllers. 
Toward this, Martí et al. [92] have proposed synthesizing
triggering instants such that resource usage is minimized 
while maintaining optimal performance. The optimal per-
formance is determined by the corresponding LQR cost 
for which the controller is designed. The trigger synthesis 
requires solving an online optimization problem which may 
be computationally expensive. Velasco et al. [93] have suggested
approximations for solving the optimization problem
in order to reduce computational complexity.
On the platform side, the problem with event- 
ki`^^\i\[fij\c]$ki`^^\i\[Zfekifc `j k_Xk `k `j[`]ÔZlckkf
accurately analyze the schedulability of the system as task 
activation patterns are not known in advance. Toward 
this, Velasco et al. [94] have proposed a schedulability 
analysis of event-driven controllers. Here, the worst case 
activation is based on an assumed minimum interevent 
time. Later, Aminifar et al. [95] have analyzed the request 
bound function of a self-triggered controller for the worst 
case request pattern. This approach starts by discretizing 
the space and then calculating the maximum possible 
sampling interval for each polytope such that the open-
loop system is stable. Subsequently, a state-transition 
graph is constructed from which the worst case request 
pattern can be obtained.
Besides stability, performance, and schedulability analy-
sis, another important component of event- or self-triggered 
control is its implementation, which has attracted quite 
some research. For example in sensor/actuator networks, 
Mazo and Tabuada [96] have proposed to employ a tree 
wave-algorithm for computing control inputs and for eval-
uating triggering conditions (in event-triggered control), 
and for calculating trigger times (in self-triggered control). 
Here, each sensor node computes its contribution to gain 
and error. Furthermore, for several control applications 
sharing a common platform resource, Samii et al. [97] first
analyze the worst case schedulability based on minimum 
interevent time and calculate an upper bound on interevent 
time to ensure worst case performance. Subsequently, a 
dynamic scheduler that explores several schedule options at 
runtime is proposed. Out of these, one is selected based on 
the desired tradeoff between control performance and pro-
cessor utilization.
One challenge in implementing self-triggered control-
lers is the computation time for the next activation, which 
may sometimes undermine the advantages of using self-
triggered control. For this, Saha et al. [98] have proposed a 
hybrid implementation approach. Here, for a certain discre-
tized region around a given operating point, trigger times 
are precalculated and stored in the cache. Now, if the cur-
rent state is within the precalculated region, trigger times 
can be just fetched from the cache. However, when it is not 
in the cache, then the trigger time calculation task is dis-
patched with a very low priority such that it does not inter-
fere with other control tasks. In the worst case, the control 
loop goes back to periodic execution. Furthermore, in the 
wireless network domain, Araújo et al. [99] have shown how 
event-triggered control can be implemented over the IEEE 
802.15.4 standard. In summary, although periodic implementation
has been preferred for simple design and analysis
techniques, event-triggered control has also become popular 
]fiY\kk\ii\jfliZ\\]ÔZ`\eZp%
V. CONTROL-PLATFORM COSYNTHESIS
The design approaches, discussed in Section IV, are far from 
being holistic. These approaches focus on the design either 
on the control side or on the platform side and consider the 
parameters on the other side as given. Thus, the opportunity 
for optimization is very restrictive. Toward optimal design of 
CPS, semantics-preserving control and platform cosynthesis 
approaches have emerged in recent years. In this section, we 
will review these approaches for both single-processor and 
distributed systems. Furthermore, we will present a general 
cosynthesis framework.
A. Existing Cosynthesis Approaches
1) Single-Processor Systems: Here, the problem setting 
consists of a number of applications mapped on a shared 
processor. It is required to compute the control law and the 
task schedules for each of the applications. In this  setting, 
one of the earliest approaches on integrated controller 
design and scheduling is proposed by Aminifar et al. [100]. 
The proposed approach optimizes the expected control 
quality while guaranteeing the worst case performance. 
Here, an application is represented by an acyclic graph of 
tasks. The execution time of each task is assumed to follow 
a distribution between the best case and the worst case val-
ues. The jitter is modeled as some stochastic disturbance. 
The sensitivity of a control loop is measured as gain from 
the stochastic control input to output. The worst case sensitivity
analysis involves finding the lowest priority group to
which the application must be assigned such that the worst 
case performance is ensured. Now, the proposed cosynthe-
sis approach employs an iterative scheme. In each iteration, 
the applications are assigned periods based on a hybrid 
search technique. Subsequently, for given sampling periods, 
applications are first grouped based on worst case sensitivity
analysis of the control loops. Applications with same sensi-
tivity are grouped together. Now, based on delay and jitter 
analysis, LQG controllers are synthesized for expected value 
of delay to tackle uncertainties. Then, within each priority 
cluster, control applications are assigned concrete priorities 
such that the expected performance is optimized.
For server-based controller implementation, Aminifar 
et al. [101] have proposed extension to the earlier work [70], 
which is discussed in Section IV-B1. Here, controller-server 
codesign is considered and thus a controller is designed 
together with the dedicated server parameters. In the same 
vein, Valencia et al. [102] have presented a codesign framework
as an extension to the work [42] which is reviewed
in Section IV-A3. A tradeoff analysis between resource
utilization and QoC is offered for controllers implemented 
on a composable platform. Furthermore, Xu et al. [103],
[104] consider partial codesign where task priorities are 
given, however, task dispatch periods need to be calculated 
along with the controllers. These works determine the perturbed
dispatch period by exploiting the periodic delay pattern
such that a finite and short hyperperiod is obtained.
Subsequently, LQG controllers are designed considering 
the delay pattern and also the distribution of execution time.
2) Distributed Systems: For distributed embedded control-
lers, communication network schedules must also be calcu-
lated during the cosynthesis. Samii et al. [105], as one of the 
Ôijk]\n#gifgfj\[XZfekifc$gcXk]fidZfjpek_\j`jXggifXZ_
for distributed systems. Both staticcyclic scheduling and 
priority-based scheduling are considered on the processor 
and on the bus. The design follows an iterative approach. In 
each iteration, sampling periods of all the applications are 
Ôijk j\c\Zk\[XZZfi[`e^ kfX^\e\k`ZXc^fi`k_d%Efn# ]fiX
jg\Z`ÔZj\kf]g\i`f[j#`ek_\ZXj\f]jkXk`ZÆZpZc`ZjZ_\[lc-
ing, the schedules are synthesized and delay distributions 
are derived. The control gains are synthesized for each appli-
cation based on the corresponding expected delay value, 
while the QoC is computed based on the stochastic delay 
using Jitterbug toolbox [106]. For priority-based scheduling, 
the different priority sets are iterated over, and for each set, 
the delay distributions are obtained through timing analysis. 
Correspondingly, the control gains and the associated QoC 
values are computed. Later, Samii et al. [107] extend their 
nfibn`k_ jg\Z`ÔZZ_XiXZk\i`qXk`fef] k_\=c\oIXpgXiXd-
eters. In the same vein, Aminifar et al. [108] have extended 
the approach developed for single-processor architecture 
[100], as mentioned in Section V-A1, with added complex-
ity due to schedule computation for the communication bus 
(CAN bus).
Furthermore, Schneider et al. [109] have proposed a 
method to codesign controllers and a FlexRay-based dis-
tributed system. TT scheduling scheme is assumed on the 
processor and FlexRay protocol is considered on the bus. 
The whole approach is divided into three stages: the con-
troller design, the platform constraints, and the platform 
configuration synthesis. In the first stage, each controller is
designed with the sampling period selected from a preconfigured
set (given by the FlexRay protocol), such that the
control performance is optimized. In the second and third 
stages, the platform parameters are synthesized according 
to the selected sampling period and one sample sensing-to-actuation
delay. This paper addresses the specific semantics
of the FlexRay protocol and considers different performance
metrics such as settling time and a modified quadratic cost
function. The cost function is as follows:
$$\sum_{k=0}^{N} \int_{kh}^{(k+1)h} \left[ \lambda u^2[k] + (1-\lambda)\, e^2(t) \right] dt. \tag{42}$$
It is to be noted here that the cost for each discrete step is
integrated over the sampling period h, which is different
from the quadratic cost usually considered in the literature.
This is required to compare controllers designed for different
sampling periods based on this metric. Therefore, the
quadratic cost will be calculated until a certain given time
T_R from which the number of samples N for a given sampling
period h can be calculated as T_R / h.
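The effect of integrating over h can be checked numerically. The following Python code is an added example, not code from the paper or from Schneider et al. [109]; the scalar plant x' = a*x + b*u, the proportional controller, and all function names are assumptions chosen for illustration. It evaluates both the integrated cost above and the usual per-sample quadratic sum for the same loop.

```python
import math


def plant_state(a, b, x0, u, s):
    """State of x' = a*x + b*u after time s with u held constant (exact solution)."""
    if a == 0.0:
        return x0 + b * u * s
    growth = math.exp(a * s)
    return growth * x0 + (b / a) * (growth - 1.0) * u


def closed_loop_costs(a, b, gain, h, t_r, lam, ref=1.0, substeps=20):
    """Return (integrated_cost, per_sample_cost) for u[k] = gain * (ref - x[k]).

    integrated_cost is the sum over k = 0..N of the integral over [kh, (k+1)h]
    of lam*u[k]^2 + (1-lam)*e(t)^2, with N = T_R / h.
    per_sample_cost is the plain sum of lam*u[k]^2 + (1-lam)*e[k]^2.
    """
    if substeps % 2:
        raise ValueError("Simpson's rule needs an even number of substeps")
    n = round(t_r / h)                      # N = T_R / h
    ds = h / substeps
    x = 0.0                                 # plant starts at rest
    integrated = 0.0
    per_sample = 0.0
    for _ in range(n + 1):                  # k = 0..N
        e_k = ref - x
        u = gain * e_k                      # zero-order hold over one period
        per_sample += lam * u * u + (1.0 - lam) * e_k * e_k
        # Simpson's rule for the integral of e(t)^2 between two samples.
        acc = 0.0
        for i in range(substeps + 1):
            e = ref - plant_state(a, b, x, u, i * ds)
            weight = 1 if i in (0, substeps) else (4 if i % 2 else 2)
            acc += weight * e * e
        error_energy = acc * ds / 3.0
        integrated += lam * u * u * h + (1.0 - lam) * error_energy
        x = plant_state(a, b, x, u, h)
    return integrated, per_sample


if __name__ == "__main__":
    # Constructed scenario: integrator plant, same gain, two sampling periods.
    for h in (0.01, 0.02):
        integrated, per_sample = closed_loop_costs(0.0, 1.0, 2.0, h, 5.0, 0.5)
        print(f"h={h}: integrated={integrated:.4f} per-sample={per_sample:.2f}")
```

For the two sampling periods in the constructed scenario the integrated costs agree to within one percent, while the per-sample sums differ by roughly the ratio of the sample counts.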
Later, Goswami et al. [110] have assumed variation in 
delay during the controller design instead of one sample 
delay. Optimal controllers are designed for selected sam-
pling periods and different sensing-to-actuation delays. The 
control performance curve depending on the period and 
delay is then discretized and approximated with piecewise 
linear functions. This function is considered together with 
the platform constraints into an ILP problem. The whole 
scheme then iterates through different combinations of the 
jXdgc`e^g\i`f[jXe[[\Z`[\jfek_\ZfeÔ^liXk`fek_Xkfgk`-
mizes the overall system performance.
Recently, Roy et al. [111] have also considered FlexRay-
based distributed systems. In aforementioned approaches, 
iteration over different sets of sampling periods serves as the 
outer loop of the cosynthesis problem. In contrast to them, 
Roy et al.R(((TÔijk[\j`^egifjg\Zk`m\fgk`dXcZfekifcc\ij
at all possible sampling periods for each application. Then, 
the tables of prospective controllers and their corresponding 
performance are considered in the cooptimization problem. 
Here, a nested two-layer hybrid optimization scheme is pro-
posed to generate a Pareto front for the objectives of overall 
control performance and communication resource utilization.
This is also one of the first works to consider design
objectives from both control and platform sides.
B. General Cosynthesis Framework
Fig. 6 shows the general design flow for control-platform
cosynthesis. The cosynthesis methods usually
start with modeling of the control systems and the under-
lying embedded platform. The model on the control side 
is typically the system dynamics of the control plants and 
limitations of the physical devices such as the actuator limit. 
Most of the related research works focus on LTI systems 
R('*T#R(',T#R('0TÆR(((T%Jpjk\ddf[\c`e^]lik_\i`eZcl[\j
the controller type (e.g., state feedback). On the platform 
side, the model includes the relevant aspects of platform 
architecture, for example, whether it is a single processor 
jpjk\d R(''TÆR('+T# R(()T fi X [`jki`Ylk\[ jpjk\d R(',T#
R('/TÆR(((T# R((*T# R((+T% K_\ gcXk]fid df[\c Xcjf `eZfi-
porates the scheduling schemes on the processors (e.g., TT 
jZ_\[lc`e^ R(')T# R(',T# R('0TÆR(((T fi gi`fi`kp$YXj\[
jZ_\[lc`e^R(''T# R('*TÆR(',T %Jg\Z`ÔZjf] k_\Yljgifkf-
cols must also be considered in the platform model (e.g., 
FlexRay [107], [109][111]; CAN [107]). Furthermore, the 
Fig. 6. Design flow for control-platform cosynthesis.
task partitions of the control software and the execution
times of the tasks are also modeled. In terms of
execution time, most approaches assume that a model is
available, be it WCET [109]–[111] or a distribution of the
execution time [105], [108]. Usually the task mapping is also
considered as provided by the specification.
Besides the models, design requirements can also be 
jg\Z`Ô\[% K_\p ZXe Zfd\ ]ifd Yfk_ Zfekifc Xe[ gcXk]fid
sides. Requirements from the control side are typically 
related to the control performance (e.g., settling time 
[109], [111]; cost function [105], [108], [110]) and stability. 
K_\pljlXccpi\Õ\Zk k_\Hf:f] k_\[\j`^e\[Zfekifcc\i `e
terms of transient response, steady-state error, and energy 
consumption. On the platform side, the requirements may 
include, for example, upper bounds on processor utilization 
Xe[YljcfX[%K_\j\i\hl`i\d\ekjXi\jg\Z`Ô\[[l\kfi\X-
sons such as limited resource bandwidth, reliability, extensi-
Y`c`kpf]k_\jpjk\dfiZ\ik`ÔZXk`fei\hl`i\d\ekj%
Subsequently, constraints can be formulated from the 
models and the requirements. On the control side, the con-
straints may include some minimal performance require-
ment and limits of the physical devices such as the input 
saturation. On the platform side, the constraints come from 
the models of the scheduling scheme, the limitations of the 
resources and the design requirements. The constraints are 
usually expressed mathematically.
Typically, the goal of a cosynthesis technique is to find a
valid parameter set that satisfies all the constraints. In many
a case, multiple such parameter sets can be found. Moreover, 
based on design requirements, optimization objectives may 
also be considered in the cosynthesis problem. In that case, 
one or more parameter sets that optimize the objectives, 
while being feasible, must be synthesized. Such objectives 
include, e.g., control performance [105], [108], [110], [111], 
Xe[ i\jfliZ\ lk`c`qXk`fe R(((T% F]k\e dlck`gc\ ZfeÕ`Zk`e^
objectives are also considered. In such a scenario, tradeoff 
between the objectives must be explored, for example, by 
constructing a Pareto front [111].
Once such a synthesis problem is formulated, it needs 
kf Y\ jfcm\[ \]ÔZ`\ekcp% 8jjld`e^ k_Xk k_\ ZfejkiX`ekj Xi\
precise characterization of the semantics of the closed-loop 
system and the embedded platform, the design problem 
Yf`cj[fnekfÔe[`e^XmXc`[gXiXd\k\ij\kk_XkjXk`jÔ\jXcc
the constraints. Common approaches used to solve the opti-
mization problems include ILP [110], SMT, metaheuristics 
such as genetic algorithms [105] and PSOs. However, in 
the case of control-platform cosynthesis, hybrid techniques 
are often employed to solve the whole problem due to the 
complexity. It is often the case that in order to tackle com-
plexity, the whole design problem is partitioned into several 
subproblems while retaining the feasible regions of design 
space as much as possible. Now, different subproblems 
may be solved using different approaches. For example, 
control performance often depends nonlinearly on design 
parameters such as control gains and closed-loop delay, and 
thus optimal control design problem may be solved using 
metaheuristic algorithms. On the other hand, TT schedule 
jpek_\j`jgifYc\dÔkjm\ipn\cc` ekfk_\c`e\Xigif^iXdd`e^
model while priority-based scheduling may require a heu-
ristic search. Thus, different problem settings may call for 
different hybrid approaches and this imposes a major chal-
lenge towards considering more complex CPS architectures 
in the future.
VI. FUTURE OUTLOOK AND CHALLENGES
Although there have been efforts in developing cosynthe-
sis techniques for CPS, there are still a number of open 
problems. In this section, we will discuss these problems 
and classify them as follows. 1) Architectural aspects, such 
as memory hierarchy, heterogeneous networks and mul-
ticore processors, must be considered in the cosynthesis. 
) :fdgc\oZcfj\[$cffg[peXd`Zj#jlZ_Xj`eglkjXkliXk`fe#
k`d\$mXi`XeZ\Xe[efec`e\Xi`kp#ZXeY\df[\c\[%* 9\j`[\j
being safe, CPS must also be secure, reliable, and energy 
\]ÔZ`\ek%N\Xcjf `[\ek`]p j\m\iXc Z_Xcc\e^\j kfnXi[ k_\j\
\ok\ej`fej#\%^%#gifYc\dZfdgc\o`kp#Z\ik`ÔZXk`fe#Xe[cXZb
of tool support.
A. New Architectural Considerations
Dfjkf]k_\XmX`cXYc\Zfjpek_\j`jk\Z_e`hl\jXi\jg\Z`ÔZ
to certain architectural consideration and cannot be trivially 
applied when considering additional platform details. New 
techniques are required to deal with them. Here, we will 
discuss three such architectural aspects which are becoming 
relevant in the context of embedded control systems.
1) Memory Hierarchy: Memory architecture plays an 
important part in determining the cost and size of a pro-
cessor chip. Larger the storage capacity of faster memory is, 
higher is the cost and space required. Typically, a proces-
sor has access to several levels of memory, such that, faster 
the memory access speed is, smaller is the capacity. For the 
sake of simplicity, let us assume two levels of memory, i.e., 
X ]Xjk\ife$Z_`gZXZ_\d\dfipXe[Xjcfn\if]]$Z_`gÕXj_
memory. The access speed of cache is many times faster 
k_Xe k_\ ÕXj_% N_\e X gifZ\jjfi \o\Zlk\j Xe `ejkilZk`fe
Ôijk` kZ_\Zbjk_\ZXZ_\Xe[` ]gi\j\ek\o\Zlk\j[`i\Zkcp]ifd
cache. This is called cache hit and is very fast. In case the 
instruction is not in the cache, then the processor brings it 
]ifdk_\ÕXj_kfk_\ZXZ_\Xe[\o\Zlk\j`k%K_`j`jXZXZ_\
miss. However, the next time when the instruction is called 
again, if it is still in the cache, it will result in a cache hit.
Consider a scenario when several control codes are run-
ning on a processor in round-robin fashion. If the cache is 
larger then lower is the probability of cache misses. It is 
desirable to have more number of cache hits than misses 
for control applications. This is because longer access time 
of cache misses will result in higher WCET, and therefore, 
higher closed-loop delay. This in turn results in perfor-
mance degradation and in worst case system instability. 
Thus, to improve QoC of closed-loop systems it is desirable 
to have larger cache, however, it will increase the cost of 
the system. For cost-sensitive systems, the question is can 
we achieve better QoC by exploiting certain characteris-
tics of memory hierarchy and management. Along similar 
lines, the embedded systems community have exploited the 
cache reuse by code rearrangement during compile-time 
[115]–[117] or runtime [118]. However, this is not applicable
for control applications because it is difficult to analyze
the timing properties for such compile-time rearrangement 
in the design stage.
Until recently, to the best of our knowledge, there has 
not been any work on memory-aware design of embedded 
Zfekifcjpjk\dj%@eR+*T#:_Xe^et al. have proposed a novel 
approach to maximize cache reuse without losing timing 
determinism. In this approach, the schedule is still round 
robin, however, in each round a controller is executed mul-
tiple times in succession instead of once. In each round, the 
\o\Zlk`fe k`d\f] k_\Ôijk `ejkXeZ\n`ccY\ k_\jXd\Xj `e
the case of standard round robin. However, the second and 
subsequent instances take less time due to cache reuse. This 
is because some part of the code can be expected to be in 
the cache if the code size is comparable to the cache size. 
In this scheme, the controller executes with nonuniform 
sampling with average sampling period less than the stand-
ard round-robin case. Consequently, we can expect that it 
is possible to design a controller with better performance 
for the reduced average sampling period. Chang et al. [43]
have introduced a technique to design a controller for such a 
case. However, it does not consider determining a schedule 
which optimizes the overall QoC of the system. Thus, we 
believe it is possible to extend this idea and to do a cosyn-
thesis of controller and platform schedules offering tradeoff 
between QoC and cache size.
Furthermore, modern processor chips are equipped 
with scratchpad memory in addition to cache. Scratchpad 
memories are as fast as cache but are programmable. A soft-
ware code can determine which memory block to fetch and 
store in the scratchpad. We imagine that scratchpad-cen-
tric design of embedded controllers will be an important 
i\j\XiZ_kfg`Z`ek_\]lkli\%K_\`[\X`jkf[\m\cfg\]ÔZ`\ek
scratchpad allocation algorithm to reduce code execution 
time and correspondingly design the controller to improve 
QoC. Here, program analysis techniques can help iden-
tify frequently invoked part of the code. These parts can 
be stored in the scratchpad thus optimizing the program 
execution time.
2) Heterogeneous Networks: The cosynthesis techniques 
]fi [`jki`Ylk\[ :GJ [`jZljj\[ `e J\Zk`fe M$8) gi\[fd`-
nantly consider a single bus. However, modern CPS such as 
automotive systems typically consist of several bus clusters 
connected via gateways. Each bus cluster serves a certain 
functional domain, e.g., FlexRay for chassis, high speed 
CAN or FlexRay for powertrain, low speed CAN and LIN 
for body, MOST and Ethernet for infotainment. Today, with 
increasing demand for advanced driver assistance systems 
(ADAS) and autonomous driving, the need for interdo-
main interaction and communication has also increased. 
Control applications across heterogeneous network have 
also emerged. Designing such applications is not a straight-
forward extension of existing techniques. The problem 
is that different communication protocols have different 
timing models, and therefore, require different analysis 
framework. For example, CAN employs FPNP scheduling 
n_`c\ =c\oIXp lj\j K;D8 ]fi jkXk`Z j\^d\ek Xe[ Õ\o`Yc\
TDMA for the dynamic segment. Designing an application 
XZifjj:8EXe[=c\oIXpn`cci\hl`i\Ôe[`e^K;D8jZ_\[-
ules for FlexRay messages and priorities for CAN messages. 
Moreover, interdomain communication also involves trans-
mission of messages across communication gateways. This 
requires additional timing analysis and buffer characteri-
zation for gateways. Therefore, the design of applications 
across different network domains leads to increase in design 
dimensions and a more complicated timing analysis.
In this context, Glaß et al. [119] have proposed a hybrid 
analysis framework where different timing analysis tech-
niques can be composed together to determine, for example, 
end-to-end delay of a message. However, control applica-
tions over such heterogeneous networks are not yet con-
sidered. Control properties depend nonlinearly on timing 
properties, thereby adding to the complexity of the problem. 
Therefore, cosynthesis of controllers, heterogeneous net-
work schedules and gateway parameters will be challenging 
to explore.
3) Multicore Processors: Multicore processors are becom-
ing increasingly more popular in embedded systems due to 
their higher instruction throughput as compared to single-
core processors. High throughput is achieved through simul-
taneous processing of multiple tasks in parallel on different 
processing cores. However, the cores may share different 
hardware components, e.g., memory, I/O, and on-chip bus. 
Simultaneous access to these shared resources may result in 
contention. Access to shared resources if not properly man-
aged or synchronized may result in nondeterministic timing 
Y\_Xm`fin_`Z_`j[`]ÔZlckkfXeXcpq\%
There have been few works addressing this problem from 
Yfk__Xi[nXi\R()'T#R()(TXe[jf]knXi\R())Tg\ijg\Zk`m\%
Recently, Tabish et al. have proposed a scratchpad- centric 
jfclk`feR()*T%K_\p_Xm\Xjjld\[k_Xk\XZ_Zfi\_Xj` kjfne
scratchpad with size greater than any two tasks running on 
the core. The access to main memory is with TDMA-based 
schedule via a direct memory access (DMA). The idea is 
that the codes for the next task can be prefetched in one half 
of the scratchpad while the current task is running from the 
other half. In this approach, there is no resource conten-
tion. Additionally, the WCETs of the tasks are also reduced 
as the instructions are already in the scratchpad before 
execution. Consequently, control codes can be mapped 
on such an architecture to achieve higher QoC. However, 
large-sized and dedicated scratchpad for each core substan-
tially increases the cost of the system which may not be 
acceptable in cost-sensitive domains. Therefore, we believe 
there is a possibility of using smaller dedicated scratchpad 
or shared scratchpad. And program analysis techniques 
may be used for appropriate memory partitioning and code 
mapping. Program analysis integrated with cosynthesis of 
controllers, processor, and memory access schedules may 
result in an improved overall QoC and better load balancing 
across the cores.
B. Complex System Dynamics
The cosynthesis approaches developed so far mostly 
consider LTI systems. However, systems often demonstrate 
complex dynamics with time variance, input saturation, 
and nonlinearity. Although there are works that study these 
aspects from control theory perspective, almost none actu-
ally evaluates the possibility of a true cosynthesis for such 
system dynamics.
1) Input Saturation: Primitive control design approaches 
do not consider any constraint on control input. However, 
this is not realistic as actuators often have limited range and 
energy is often an important factor for most control loops. 
Toward these considerations, model predictive control 
(MPC) is very popular. Typically, an MPC controller solves 
a constrained optimization problem online. Solution to the 
optimization problem gives a set of N control inputs corresponding
to N time steps up to a finite horizon. The problem
often considers actuator limits as constraints and energy 
or control quality or a combination of both as an objective. 
However, MPC is more applicable in process control as it 
requires considerable amount of time to solve the optimi-
zation problem. This is not acceptable for high-frequency 
machine control software running on constrained embed-
ded platforms.
I\Z\ek nfibj jlZ_ Xj R()+T _Xm\ gifgfj\[ Xggifo`-
mate solution to the online optimization problem while 
preserving the guarantees on stability. This facilitates the 
application of MPC to high frequency control systems. 
Furthermore, Yao et al. [125] have proposed a resource-efficient
implementation by exploiting the characteristics of
MPC. Here, the actual system state is compared with the 
predicted state. If the error is more than a threshold then 
the optimization problem is solved otherwise the precal-
culated control action is applied. However, to utilize the 
released processor time, the underlying platform needs to 
be runtime adaptable. Thus, a complex scheduling algo-
rithm must be cosynthesized along with MPC to ensure pro-
cessor resource to the application based on requirement. In 
X[[`k`fe#n\Y\c`\m\DG:n`ccÔe[dfi\Xe[dfi\Xggc`ZX-
tions in resource-constrained embedded systems. Tradeoff 
between optimality and computation time can be explored 
further with self-triggered nonuniform sampling.
2) Time Variance: In control theory, adaptive control 
techniques have been known for many decades. An adaptive
controller can manipulate the control gains online based on 
the changing plant dynamics. Therefore, it can stabilize the 
system in the event of unforeseen environmental variations. 
Such a control technique is inherently applicable to time-
varying systems. However, these techniques have not been 
considered for safety-critical systems until recently as it is 
[`]ÔZlck kfhlXek`]p k_\kiXej`\ekg\i]fidXeZ\f]XeX[Xg-
tive control loop.
A popular adaptive control technique is model refer-
ence adaptive control (MRAC). In this technique, the error 
between the output of the reference model and the actual 
output is fed back to adapt the control gains. In order to 
improve the transient performance, closed-loop reference 
models are considered of late. Here, the error is also fed 
back to change the reference model.
@ek_`ji\^Xi[#k_\i\_Xm\Y\\ejfd\nfibjR()-TÆR()0T
which quantify the transient performance using  & ) norm 
f] \iifi j`^eXcj% ?fn\m\i# fecp m\ip ]\n R(*'TÆR(*)T _Xm\
actually tried to consider cosynthesis of controller and plat-
]fidgXiXd\k\ij%Mf`k Xe[8eeXjnXdp R(*(T_Xm\[\i`m\[
an adaptive controller considering network induced delay. 
Furthermore, Voit et al.R(*)T_Xm\Zfej`[\i\[Zf[\j`^ef]
adaptive controllers and shared hybrid communication bus 
minimizing resource utilization while guaranteeing stability.
As a future extension, one can consider a setting where 
multiple applications are mapped on a shared platform. Here,
worst case bounds on time variance can be analyzed. 
Correspondingly, it is possible to cosynthesize platform 
schedules along with adaptive controllers providing guaran-
tees on stability and performance.
3) Nonlinearity: Nonlinear systems can be widely found 
in several domains of embedded systems, including avion-
ics and automotive. However, cosynthesis of controllers 
and platform parameters for such systems is still an open 
gifYc\d%K_\i\_XjY\\ej`^e`ÔZXekgif^i\jj`ek_\jkXY`c`-
zation and control of these systems based on abstraction of 
platform characteristics. Many related works in this direc-
tion are based on concepts such as input-to-state stability 
R(**T#R(*+T#jdXcc^X`ek_\fi\dR(*,T#gXjj`m`kpR(*-T#Xe[
]\\[YXZbc`e\Xi`qXk`feR(*.T%
Fuzzy-model-based analysis and control of nonlinear 
jpjk\dj _Xm\ Xcjf i\Z\`m\[ j`^e`ÔZXek Xkk\ek`fe% 8dfe^
[`]]\i\ek ]lqqp df[\cj# efec`e\Xi jpjk\dj Ôk n\cc `ekf
KXbX^`ÆJl^\ef KÆJ  df[\cj R(*/T% @e jlZ_ X df[\c# Xk
each  sampling time the system is represented as an averaged 
linear model. Based on TS models, there have been works 
k_Xk Zfej`[\i e\knfib$jg\Z`ÔZ gifg\ik`\j jlZ_ Xj gXZb\k
dropout, signal quantization, and time delays. Toward con-
sidering packet drops, data loss in TS fuzzy-based systems is 
modeled as a Bernoulli process. Correspondingly, 1) stability
is studied based on a common quadratic Lyapunov function 
Xe[X]lqqpCpXglefm]leZk`feR(*0T2Xe[) [\j`^ef]" ∞ 
state feedback control [140], static/dynamic output feed-
YXZb Zfekifc R(+(T# R(+)T# fYj\im\i$YXj\[ flkglk ]\\[YXZb
i\c`XYc\ Zfekifc R(+*T# Xe[ df[\c gi\[`Zk`m\ Zfekifc R(++T
are proposed. Toward time-delayed nonlinear systems, most 
works assume parameters such as maximum allowable delay 
bound [145], maximum allowable transfer interval [146], 
and delay distribution [147], [148]. Corresponding to these 
parameters, the stability and control of such systems can be 
evaluated. Furthermore, there have been some works which 
consider the impact of network induced signal quantization 
on TS fuzzy-based nonlinear systems. They use abstracted 
platform models based on time-invariant logarithmic quan-
tizer [149] or time-varying quantizer [150] to study stabiliza-
tion and control problems. However, we may point out here 
again that all these works start with platform abstractions. 
Therefore, in the context of CPSs, we can leverage on these 
advanced theories of fuzzy-based control. We can also con-
sider cosynthesis of platform parameters and controllers by 
systematically deriving an interface between the platform 
parameters and the abstraction models.
Another important approach to tackle complex closed-
loop system dynamics is formal methods [151]. The embed-
ded control systems naturally fall in the category of hybrid 
systems where physical plant is in continuous time while 
the corresponding control action is generated and applied 
`e[`jZi\k\k`d\R(,)T%K_\i\Xi\j\m\iXcXggifXZ_\jkfjkl[p
such systems [10]. One of the earliest works toward control 
of hybrid nonlinear systems is by Branicky et al.R(,*T%K_`j
work presents a systematic notion of hybrid systems unify-
ing differential equations and automata. Subsequently, it 
gifgfj\jjl]ÔZ`\ekZfe[`k`fej]fifgk`dXcZfekifcYp[\i`m-
ing quasi-variational inequalities. A powerful approach to 
analyze such systems is the theory of hybrid automata (e.g., 
timed automata). It can be applied to study system properties
according to complex specifications of reachability
and safety, given by some LTL formulas [154] or automata
on infinite strings. This approach can deal with complex
nonlinear systems [155]–[159] and correspondingly can
formally synthesize controllers [160]–[162] which are correct
by construction. To apply this theory, the first step is
finite abstraction [163]–[165] of the dynamical systems.
This abstraction can already consider implementation-
level imperfections such as delay, jitter, packet loss, quan-
tization error, and limited resource. The abstracted model 
_XjXn\cc$[\Ôe\[]fidXci\cXk`fen`k_k_\fi`^`eXcjpjk\d%
Subsequently, given a hybrid (or timed) automata model, 
Zfekifcc\i ZXe Y\ jpek_\j`q\[ jXk`j]p`e^ jg\Z`ÔZXk`fej
using algorithmic theory such as two-player games [166], 
safety games, reachability games, and minimal and maximal
fixed point theorem [167]. Guglielmo et al. [168] have
solved the controller synthesis problem by formulating a 
bounded model checking (BMC) problem and subsequently 
solving the problem using SMT solver. The synthesized 
Zfekifcc\i `jk_\ei\Ôe\[kfY\Xggc`\[kfk_\fi`^`eXcjpj-
tem using information such as quantized state, according to 
the relations derived in the abstraction stage, e.g., bisimula-
tion relations [169], [170], alternating simulation relations 
R(.(T#Xe[]\\[YXZbi\Ôe\d\eki\cXk`fejR(.(T#R(.)T%K_\i\
have been several works addressing the design problem of 
embedded controllers from the perspective of hybrid sys-
tems. However, none of them considers the synthesis of plat-
form parameters. Therefore, the cosynthesis of controller 
and platform parameters considering hybrid system model 
is an important problem yet to be addressed and can be a 
prominent research direction for the future. Nevertheless, 
an important challenge here is the complexity of the prob-
lem and the scalability of the approach considering multiple 
control applications mapped on a shared platform.
C. Emerging Topics
J\Zli`kp#i\c`XY`c`kp#Xe[\e\i^p\]ÔZ`\eZp_Xm\Y\Zfd\
important requirements in the design of CPS. It is impor-
kXek kf le[\ijkXe[ _fn k_\j\ i\hl`i\d\ekj `eÕl\eZ\ k_\
system safety. Here, we will review the prospect of consid-
ering these requirements while design safe CPS.
1) Secure CPS: With modern connected systems, secu-
rity has become an important concern while designing 
\dY\[[\[ jpjk\dj% =fi \oXdgc\# `e R(.*T# :_\ZbfnXp
et al. have stated that the security of a modern vehicle can 
be compromised via a number of interfaces. These include 
Bluetooth, cellular radio, RFID car keys, and onboard diag-
nostic. Furthermore, it is reported that a malicious binary 
can be injected into car electronics via onboard diagnostics 
to which a WiFi-enabled PassThru device is connected. 
The malicious binary can then send preprogrammed CAN 
messages over the vehicular network. It is further claimed 
in [174] that if a malicious item can enter the internal net-
work of a car, then it can gain control over critical compo-
nents in a car such as engine or brake.
Thus, it is necessary to add security infrastructure to 
embedded architecture, e.g., encrypted network messages. 
?fn\m\i# `k `j [`]ÔZlck kf `eZfigfiXk\ Zipgkf^iXg_`Z Xc^f-
rithms on the ECUs and message authentication codes 
(MAC) on the bus because they consume substantial com-
putation power and communication bandwidth, respec-
tively. These security overheads impact the timing of the 
applications which in turn may affect system stability and 
performance. Therefore, it is important to have a cosynthe-
sis approach to the problem where controllers are designed 
along with cryptographic algorithms with a thorough timing 
analysis of the complete system.
In this regard, Zheng et al. have proposed a cross-layer 
design framework [175]. This framework combines control-
ler design and implementation along with security integra-
tion. Thus, it offers a tradeoff analysis between degree of 
security, control performance, and platform schedulability. 
The degree of security is measured as the number of messages 
that are encrypted. The larger the degree of security is, the 
lower is the platform schedulability due to resource con-
straints. Similarly, the interplay between control quality and 
platform resource usage is often via the choice of sampling 
periods. The more frequently the control task is invoked, 
the higher is the performance but the lower is the schedula-
bility. These interdependencies are mathematically formu-
lated into a cosynthesis problem. Subsequently, a simulated 
annealing algorithm is proposed to solve the problem. In 
the same vein, we believe that there exists scope to further 
exploit  (m, k $Ôide\jjXe[efele`]fidjXdgc`e^f]Zfekifc
algorithms to achieve a better degree of security while satis-
fying performance requirements.
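The tradeoff described above can be made concrete with a small design-space exploration. This is an added example, not code from the paper or from Zheng et al. [175]: it uses exhaustive search instead of simulated annealing, utilization budgets instead of a full timing analysis, and a weighted-period proxy for control cost. The loops, budgets, MAC size and MAC computation time are constructed assumptions.

```python
"""Toy security / control / schedulability co-exploration (illustrative only)."""
from dataclasses import dataclass
from fractions import Fraction
from itertools import product

BIT_US = 2                        # 500 kbit/s CAN: 2 us per bit (assumed bus speed)
MAC_BYTES = 4                     # truncated MAC appended to a secured payload (assumed)
MAC_CPU_US = 200                  # extra ECU time per sample to compute the MAC (assumed)
BUS_BUDGET = Fraction(12, 100)    # share of the bus granted to these loops (assumed)
CPU_BUDGET = Fraction(30, 100)    # share of the ECU granted to these loops (assumed)


@dataclass(frozen=True)
class Loop:
    name: str
    payload: int        # data bytes sent per sample
    wcet_us: int        # control task execution time without the MAC
    periods_us: tuple   # admissible sampling periods, fastest first
    weight: int         # assumed penalty for slowing this loop (control-cost proxy)


# Constructed example system, not taken from the paper.
LOOPS = (
    Loop("brake", 6, 400, (5000, 10000), 3),
    Loop("steer", 4, 500, (5000, 10000, 20000), 2),
    Loop("cruise", 8, 800, (10000, 20000, 40000), 1),
)


def bus_time_us(nbytes):
    """Worst-case bus time for nbytes, split into classic CAN frames of <= 8 bytes.

    A bit-stuffed data frame with an 11-bit identifier and s data bytes
    occupies at most 55 + 10*s bit times. Splitting an oversized secured
    payload into a second frame is a simplification made for this example.
    """
    full, rest = divmod(nbytes, 8)
    bits = full * (55 + 10 * 8) + ((55 + 10 * rest) if rest else 0)
    return bits * BIT_US


def evaluate(periods, secured, loops=LOOPS):
    """Return (bus utilization, CPU utilization, control cost) for one design point."""
    bus = cpu = cost = Fraction(0)
    for loop, h, sec in zip(loops, periods, secured):
        bus += Fraction(bus_time_us(loop.payload + (MAC_BYTES if sec else 0)), h)
        cpu += Fraction(loop.wcet_us + (MAC_CPU_US if sec else 0), h)
        cost += loop.weight * Fraction(h, loop.periods_us[0])  # 1.0 at the fastest period
    return bus, cpu, cost


def tradeoff(loops=LOOPS, bus_budget=BUS_BUDGET, cpu_budget=CPU_BUDGET):
    """For each degree of security k (number of secured messages), return the
    feasible design point with the lowest control cost, found exhaustively."""
    best = {}
    for secured in product((False, True), repeat=len(loops)):
        for periods in product(*(loop.periods_us for loop in loops)):
            bus, cpu, cost = evaluate(periods, secured, loops)
            if bus > bus_budget or cpu > cpu_budget:
                continue  # exceeds a utilization budget: treated as not schedulable
            k = sum(secured)
            if k not in best or cost < best[k][0]:
                best[k] = (cost, periods, secured)
    return best


if __name__ == "__main__":
    for k, (cost, periods, secured) in sorted(tradeoff().items()):
        print(k, float(cost), periods, secured)
```

With these numbers the minimum control cost grows from 6 with no secured message to 10 when all three are secured, and full security is only feasible if the brake loop moves from a 5 ms to a 10 ms period.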
2) Energy-Efficient CPS: In electric vehicles (EVs), actuators are powered by the in-vehicle battery system, and the current drawn from the batteries determines the actuation values. However, the actuation values are calculated by the control laws running on the processors. The battery capacity is constrained by weight and volume limitations. Additionally, battery capacity fades due to ageing calculated in terms of number of charging/discharging cycles. The battery ageing also depends on the discharging current profiles according to Peukert's law [176]. In practice, for the sake of reliability in safety-critical systems, a battery is replaced on reaching 80% capacity. Due to high battery cost, it is required to ensure battery usage in a way such that battery lifetime is enhanced. Therefore, modern battery systems typically consist of a battery management system (BMS) for this purpose.
On the other hand, controllers are designed oblivious to battery characteristics, except that they may consider a constraint on actuator saturation. Therefore, separate design of controllers and BMS may result in a performance gap or inappropriate battery usage where neither is desirable. An obvious alternative will be to design controllers in conjunction with BMS such that a tradeoff analysis between control performance and battery lifetime is possible. Toward this, Chang et al. [177] have proposed to design a direct current (dc) motor speed controller taking battery characteristics into consideration. In the same vein, Vatanparvar et al. have proposed design of heating, ventilation, and air conditioning (HVAC) control together with BMS [178]. This design improves battery lifetime and driving range of EVs while keeping vehicle climate within acceptable range. On average, their approach has successfully improved the battery lifetime by 14% and reduced the power consumption by 39% compared to state-of-the-art methodologies.
In this direction, we envision a more holistic cosynthesis approach where all the control loops powered by the battery system will be considered together with the BMS. Moreover, in the future, hybrid electrical energy storage (HEES) systems [179] can be considered where multiple storage elements are packed together for better energy efficiency. For such a setting, dimensioning of HEES system may also be integrated in the control/battery system codesign framework.
3) Reliable and Fault-Tolerant CPS: There has been emphasis on reliability of embedded systems or design of fault-tolerant embedded systems. A natural choice is to add redundancy [180]. However, dual redundancy can only help in error detection. This is because any mismatch between two systems only indicates a fault but cannot say with certainty which one is faulty. However, triple redundancy may allow uninterrupted functionality as it can be safely assumed that at least two behave correctly. However, it results in more cost and space. Toward fault-tolerant systems, Kim et al. have proposed a middleware-based solution [181]. The middleware remaps and reschedules the tasks of the faulty processor to achieve full system functionality. It further considers timing analysis of hard real-time systems to ensure all deadline constraints. However, it is assumed that the system can withstand a fault for a certain minimum time. This may be critical for control loops running at high frequency as the system can become unstable in no time. On the other hand, control theorists regard fault as some outages in sensors or actuators. In case a fault is detected, it can be mitigated using compensation in the reference input [182].
In a safety-critical control application, it is not desirable that a fault in the underlying embedded platform propagates to the control loop and jeopardizes the safety of the system. Toward this, Goswami et al. [183] have considered designing a controller such that the control loop is stable to intermittent hardware faults. They have characterized an intermittent hardware fault using an intermittent bit flip model. They have calculated from Monte Carlo simulations the probability that a faulty sample is followed by at least N nonfaulty samples. The value of N should be such that the calculated probability is close to 1. In case of a faulty sample, let us assume that the control input u[k] is held. Here, the overall system can be represented as a switched system where the system switches between faulty and nonfaulty instances. For such systems, Goswami et al. [183] have suggested to design two controllers. The first one ensures performance under nonfaulty execution while the second one ensures fault recovery within the next N nonfaulty executions after a faulty sample. In this direction, further research efforts are required to consider different fault scenarios while designing the controllers.
Along similar lines, it is also important to consider the impact of processor ageing on control loops. As a processor ages, delay in the critical path increases which may call for a decrease in operating frequency of the processor. As a result, the execution time of control tasks will increase which may jeopardize safety. Toward this, Chang et al. [177] have proposed to mitigate the performance degradation by redesigning the controller. The redesign exploits energy compensation to meet the performance demand. In the current age, the negative impacts of aggressive technology scaling, e.g., manufacturing variabilities and ageing, are becoming more apparent. Therefore, embedded control system design taking into consideration processor errors or ageing will gain ground in the near future.
D. Challenges
It is established that control-platform cosynthesis is necessary for safe and efficient implementation of embedded controllers. There exist some fundamental challenges that impede future advancement in this direction [184], [185].
1) Scalability and Complexity: It may be noted that the future directions discussed in this section somehow increase the dimensions of the cosynthesis problem. Examples include adding program analysis in case of memory-aware design, gateway characterization in heterogeneous networks, and DMA scheduling in multicore architectures. The problem of complexity and scalability is a big challenge in moving forward. In general, the complexity of a problem grows rapidly with increase in design dimensions, i.e., the number of parameters that needs to be synthesized. In addition, the complexity might also depend on the number and nature of the constraints.
In control-platform cosynthesis, the controller and the platform parameters are synthesized together. This increases considerably the complexity as compared to separation of concerns. Therefore, the related works explained in Section V can only be scaled to a certain size. The second problem is that usually the controller design problem cannot be formulated in a closed-form mathematical representation. Moreover, the tools and methods for controller design are different from those used in platform synthesis. The complexity problem becomes even more challenging if certain objectives need to be optimized. In this case, the solver needs to spend a lot of computation effort on proving the optimality of the solution.
KfnXi[ X[[i\jj`e^ k_\ gifYc\d f] Zfdgc\o`kp# \]Ô-
cient design space pruning is required. It may be possible 
to divide the whole design space into the controller design 
subspace and the platform design subspace, which are 
`ek\iZfee\Zk\[R(((T%K_`ji\hl`i\jXZc\Xicp[\Ôe\[`ek\i-
face between the two subspaces so that feasibility region is 
well preserved. The whole synthesis problem can then be 
jfcm\[lj`e^Xe\]ÔZ`\ek;J<k\Z_e`hl\%K_\k\Z_e`hl\dXp
consist of heuristic search to choose a value for sampling 
period, evolutionary algorithms for designing the control-
ler for a given sampling period, and linear programming 
for computing the schedules. Moreover, the characteristics 
f]jg\Z`ÔZgifYc\dj\kk`e^ZXeXcjfY\\ogcf`k\[kfi\[lZ\
complexity. For example, sampling period of controllers can 
be restricted to some discrete values, which is enforced by 
some platform constraints [110], [111].
Furthermore, making a tradeoff between optimality and computational effort can also help the scalability of the approach. For example, Samii et al. [105] utilize a genetic algorithm to iterate through sets of sampling periods. However, the algorithm stops as soon as the cost satisfies a certain metric without finding the global optimal solution.
2) Certification and Verification: Industrial CPS, especially safety-critical control systems in domains such as avionics and automotive, need to meet certain national and international safety standards [2], [3]. They have to be certified accordingly by corresponding certification authorities. Traditionally, the certification process involves verification or extensive testing of system properties. This not only consumes a lot of time and effort but is also expensive.
Toward addressing this issue, model-based design approaches are popular which are based on an accurate mathematical model of the system. Specifications expressed as mathematical expressions can be formally proved. Since cosynthesis techniques are model based, the synthesized control and platform parameters are correct by design. However, the codes generated from the models that will run on the processors may not preserve the model-level guarantees. This is due to some optimization in the compiler. Thus, further verification or testing of generated codes or compiler to prove satisfaction of safety requirements is necessary.
Over the years there have been considerable research efforts in systematic testing and verification of embedded codes. However, it is far from being effective for industrial systems. On one hand, verification requires formal mathematical proofs for correct system behavior. It employs tools such as model checking [186], [187] and theorem proving [188]. However, these tools are not scalable to industrial-sized embedded code. On the other hand, testing which usually examines system behavior for a finite set of inputs and parameters, e.g., [189], [190], does not guarantee safety in all possible scenarios. Moreover, it is difficult to achieve substantial coverage owing to the exponential increase in scale and complexity of modern embedded systems. Thus, verification or testing of complex embedded control software is an important aspect to be considered in the coming years to comply with safety certification standards.
3) Control Design and Optimization Hurdles: In controller design, the emphasis is not only on stability of closed-loop systems but also on optimal control. Therefore, for given resource constraints the requirement is to maximize QoC. However, for certain performance metrics, such as settling time and overshoot, it is difficult to come up with closed-form expressions. There does not exist any closed-form standard framework for optimal control. Therefore, often exhaustive search of design parameters, such as system poles, is employed to design an optimal controller [111]. However, for higher system orders, this approach is not scalable. Therefore, more scalable heuristics or optimization techniques are required to be developed to synthesize optimal control parameters. On the other hand, although LQR/LQG techniques give optimal control for a given cost function, determining the weight matrices which correctly represent the desired performance measure is challenging.
Moreover, considering that control performance is nonlinearly dependent on timing properties, it is difficult to integrate the controller design and the platform design problems in a closed-form mathematical formulation. Therefore, cosynthesis approaches often iterate through all feasible combinations of sampling periods to determine the optimal design configuration [105], [110]. However, based on specific platform characteristics, efficient design space pruning may also be possible. For example, Roy et al. [111] predesign for each application an optimal controller at each possible sampling period. Consequently, in the optimization stage, it considers only those sampling periods for which the predesigned controllers satisfy the performance requirements. This is only possible as the choice of closed-loop delay is assumed to be constrained for a selected sampling period. Nevertheless, different problems may offer different opportunities for design space pruning and it is challenging to identify them.
Furthermore, the related works mostly consider that the type of controller is specified and only one type is used for all the applications. However, it is interesting to consider a system where different applications may need different control strategies. For example, time-variant plant dynamics may require adaptive control while input saturation may necessitate the use of MPC. Thus, for a heterogeneous set of applications, it is challenging to design the complete system using a single framework. As different types of controllers are designed differently, it is difficult to combine them in a single design problem. On the other hand, separation of concerns may lead to an inefficient design.
4) Toolchain Support: In industry, the design and implementation of CPS follow strict procedures from requirements to test and integration. Therefore, these steps are supported by standard and reliable commercial-off-the-shelf (COTS) tools, so that products can be developed in a systematic way. Traditionally, controllers are designed in MATLAB/Simulink and are provided as a black box to the embedded systems engineer with defined interfaces. The latter then uses platform design tools, e.g., Metropolis [191] and Metro II [192]. These tools support the synthesis of platform parameters, such as cache sizes, scheduling algorithms, and schedules, followed by the generation of final software implementation. However, these tools are restricted to the platform synthesis and do not consider the control aspect. Therefore, the algorithms described in Section V need to have well-defined interfaces with the COTS tools for controller and software codesign and implementation. We believe that a prerequisite for the applicability of cosynthesis methods in industrial systems is a systematic and possibly standardized design flow and toolchain support.
VII. CONCLUDING REMARKS
In this paper, the evolution of design approaches and the shift of design paradigm for embedded control systems are reviewed. It is established that to ensure safety of these systems, it is required to preserve the semantics of controller design in the platform implementation and vice versa. Corresponding to this requirement, the design paradigm is gradually moving from isolated design of controllers and platform to a more integrated approach. A group of cosynthesis approaches have emerged which synthesizes parameters on both sides by employing efficient and novel design space exploration and optimization techniques. These approaches can, therefore, effectively bridge the semantic gap between controller and platform designs. We further believe that several future extensions to the cosynthesis paradigm are possible and it will draw increasing attention in the context of CPS design.
REFERENCES
[1] A. Banerjee, K. K. Venkatasubramanian, T. Mukherjee, and S. K. S. Gupta, "Ensuring safety, security, and sustainability of mission-critical cyber-physical systems," Proc. IEEE, vol. 100, no. 1, pp. 283–299, Jan. 2011.
[2] Medical Electrical Equipment – Part 1-11: General Requirements for Basic Safety and Essential Performance, Standard IEC 60601-1-11, 2010.
[3] Road Vehicles – Functional Safety – Part I, Standard ISO 26262-1:2011, 2011.
[4] W. Chang, L. Zhang, D. Roy, and S. Chakraborty, "Control/architecture codesign for cyber-physical systems," in Handbook of Hardware/Software Codesign. Amsterdam, The Netherlands: Springer-Verlag, 2017.
[5] B. C. Kuo, Digital Control Systems, New York, NY, USA: Holt McDougal, Series in Electrical and Computer Engineering, 1980.
[6] W. C. Schultz and V. C. Rideout, "Control system performance measures: Past, present, and future," IRE Trans. Autom. Control, vol. AC-6, no. 1, pp. 22–35, Feb. 1961.
[7] D. G. Roberson and D. J. Stilwell, "L2 gain performance analysis of linear switched systems: Fast switching behavior," in Proc. Amer. Control Conf., Jul. 2007.
[8] K. J. Åström and B. Wittenmark, "Computer-controlled systems: Theory and design," in Information and System Sciences, 3rd ed. Englewood Cliffs, NJ, USA: Prentice-Hall, 1997.
[9] J. Qiu, H. Gao, and S. X. Ding, "Recent advances on fuzzy-model-based nonlinear networked control systems: A survey," IEEE Trans. Ind. Electron., vol. 63, no. 2, pp. 1207–1217, Feb. 2016.
[10] P. J. Antsaklis, X. D. Koutsoukos, and J. Zaytoon, "On hybrid control of complex systems: A survey," Eur. J. Autom., vol. 32, nos. 9–10, pp. 1023–1045, 1998.
[11] B. De Schutter, W. P. M. H. Heemels, J. Lunze, and C. Prieur, "Survey of modeling, analysis, and control of hybrid systems," in Handbook of Hybrid Systems Control – Theory, Tools, Applications. Cambridge, U.K.: Cambridge Univ. Press, 2009.
[12] R. Alur, "Formal verification of hybrid systems," in Proc. Int. Conf. Embedded Softw., Oct. 2011, pp. 273–278.
[13] Q. Zhu, H. Liang, L. Zhang, D. Roy, W. Li, and S. Chakraborty, "Extensibility-driven automotive in-vehicle architecture design," in Proc. Design Autom. Conf., 2017.
[14] C. L. Liu and J. W. Layland, "Scheduling algorithms for multiprogramming in a hard-real-time environment," J. Assoc. Comput. Machinery, vol. 20, no. 1, pp. 46–61, 1973.
[15] J. Xu and D. L. Parnas, "Scheduling processes with release times, deadlines, precedence and exclusion relations," IEEE Trans. Softw. Eng., vol. 16, no. 3, pp. 360–369, Mar. 1990.
[16] R. J. Bril, "Real-time scheduling for media processing using conditionally guaranteed budgets," Ph.D. dissertation, Department of Mathematics and Computer Science, Eindhoven University of Technology, Eindhoven, Netherlands, 2004.
[17] R. J. Bril, J. J. Lukkien, and W. F. Verhaegh, "Worst-case response time analysis of real-time tasks under fixed-priority scheduling with deferred preemption," Real-Time Syst., vol. 42, nos. 1–3, pp. 63–119, 2009.
[18] R. Davis, A. Burns, R. J. Bril, and J. J. Lukkien, "Controller area network (CAN) schedulability analysis: Refuted, revisited and revised," Real-Time Syst., vol. 35, no. 3, pp. 239–272, 2007.
[19] T. Pop, P. Pop, P. Eles, Z. Peng, and A. Andrei, "Timing analysis of the FlexRay communication protocol," Real-Time Syst., vol. 39, nos. 1–3, pp. 205–235, 2008.
[20] H. Zeng, A. Ghosal, and M. Di Natale, "Timing analysis and optimization of FlexRay dynamic segment," in Proc. Int. Conf. Comput. Inf. Technol., Jun. 2010, pp. 1932–1939.
[21] J. Le Boudec and P. Thiran, Network Calculus: A Theory of Deterministic Queuing Systems for the Internet. Berlin, Germany: Springer-Verlag, ser. Lecture Notes in Computer Science, 2001.
[22] L. Thiele, S. Chakraborty, and M. Naedele, "Real-time calculus for scheduling hard real-time systems," in Proc. Int. Symp. Circuits Syst., 2000, pp. 101–104.
[23] S. Chakraborty, S. Künzli, and L. Thiele, "A general framework for analysing system properties in platform-based embedded system designs," in Proc. Design Autom. Test Eur. Conf. Exhib., 2003, p. 10190.
[24] R. Henia, A. Hamann, M. Jersak, R. Racu, K. Richter, and R. Ernst, "System level performance analysis – The SymTA/S approach," Inst. Electr. Eng. Proc.–Comput. Digit. Techn., vol. 152, no. 2, pp. 148–166, 2005.
[25] U. D. Bordoloi, B. Tanasa, P. Eles, and Z. Peng, "On the timing analysis of the dynamic segment of FlexRay," in Proc. Int. Symp. Ind. Embedded Syst., Jun. 2012, pp. 94–101.
[26] J. Diemer, D. Thiele, and R. Ernst, "Formal worst-case timing analysis of Ethernet topologies with strict-priority and AVB switching," in Proc. Int. Symp. Ind. Embedded Syst., 2012, pp. 1–10.
[27] R. Schneider, L. Zhang, D. Goswami, A. Masrur, and S. Chakraborty, "Compositional analysis of switched Ethernet topologies," in Proc. Design Autom. Test Eur. Conf. Exhib., 2013, pp. 1099–1104.
[28] F. Reimann, S. Graf, F. Streit, M. Glaß, and J. Teich, "Timing analysis of Ethernet AVB-based automotive E/E architectures," in Proc. 18th Conf. Emerg. Technol. Factory Autom., Sep. 2013, pp. 1–8.
[29] E. Wandeler, L. Thiele, M. Verhoef, and P. Lieverse, "System architecture evaluation using modular performance analysis: A case study," Int. J. Softw. Tools Technol. Transf., vol. 8, no. 6, pp. 649–667, 2006.
[30] A. Hagiescu, U. D. Bordoloi, S. Chakraborty, P. Sampath, P. V. V. Ganesan, and S. Ramesh, "Performance analysis of FlexRay-based ECU networks," in Proc. Design Autom. Conf., 2007, pp. 284–289.
[31] D. B. Chokshi and P. Bhaduri, "Performance analysis of FlexRay-based systems using real-time calculus, revisited," in Proc. Symp. Appl. Comput., 2010, pp. 351–356.
R*)T D%ClbXj`\npZq#D%>cX#A%K\`Z_#Xe[
P. Milbredt, FlexRay schedule optimization 
of the static segment, in Proc. Int. Conf. 
Hardw./Softw. Codesign Syst. Synth.#)''0%
R**T N%Jk\`e\i#È8e\mXclXk`fef]JDK$YXj\[
schedule synthesis for time-triggered multi-
hop networks, in Proc. Real-Time Syst. Symp., 
)'('#gg%*.,Æ*/+%
R*+T ;%KXdXj$J\c`Z\Xe#G%Gfg#Xe[N%Jk\`e\i#
Synthesis of communication schedules for 
TTEthernet-based mixed-criticality systems, 
in Proc. Int. Conf. Hardw./Softw. Codesign Syst. 
Synth.#)'()%
R*,T Q%?XeqXc\b#G%9li^\k#Xe[G%JlZ_X#
Profinet IO IRT message scheduling with 
temporal constraints, IEEE Trans. Ind. 
Informat.#mfc%-#ef%*#gg%*-0Æ*/'#
8l^%)'('%
R*-T =%JX^jk\kk\i#G%NXjq\Zb`#J%Jk\`e_fijk#
M. Lukasiewycz, and S. Chakraborty, 
Multischedule synthesis for variant 
management in automotive time-triggered 
systems, IEEE Trans. Comput.-Aided Design 
Integr. Circuits Syst.#mfc%*,#ef%+#gg%-*.Æ-,'#
8gi%)'(-%
R*.T =%JX^jk\kk\i#D%ClbXj`\npZq#Xe[
S. Chakraborty, Generalized asynchronous 
time-triggered scheduling for FlexRay, IEEE 
Trans. Comput.-Aided Design Integr. Circuits 
Syst.#mfc%*-#ef%)#gg%)(+Æ))-#=\Y%)'(.%
R*/T J%J%:iXZ`leXjXe[I%J%Fc`m\i#ÈJDK$YXj\[
task-and network-level static schedule 
generation for time-triggered networked 
systems, in Proc. Int. Conf. Real-Time Netw. 
Syst.#)'(+#g%+,%
R*0T C%Q_Xe^#;%>fjnXd`#I%JZ_e\`[\i#Xe[
S. Chakraborty, Task-and network-level 
schedule co-synthesis of Ethernet-based time-
triggered systems, in Proc. Asia South Pacific 
Design Autom. Conf.#AXe%)'(+#gg%((0Æ()+%
 [40] M. Lukasiewycz, F. Sagstetter, and 
S. Steinhorst, Efficient design space 
exploration of embedded platforms, in Proc. 
Design Autom. Conf.#)'(,%
 [41] J. Teich, Hardware/software codesign: The 
past, the present, and predicting the future, 
Proc. IEEE#mfc%(''#gg%(+((Æ(+*'#)'()%
R+)T A%MXc\eZ`X#;%>fjnXd`#Xe[B%>ffjj\ej#
Composable platform-aware embedded 
control systems on a multi-core 
architecture, in Proc. Eur. Conf. Digit. Syst. 
Design#)'(,%
R+*T N%:_Xe^#;%>fjnXd`#J%:_XbiXYfikp#
J. Xue, L. Ju, and S. Andalam, Memory-
aware embedded control systems design, 
IEEE Trans. Comput.-Aided Design Integr. 
Circuits Syst.#mfc%*-#ef%+#gg%,/-Æ,00#
8gi%)'(.%
R++T I%Bikfc`ZX#|%{q^e\i#?%:_Xe#
H. Goktas, J. Winkelman, and M. Liubakka, 
Stability of linear feedback systems with 
random communication delays, in Proc. 
Amer. Control Conf., 1991.
 [45] J. Nilsson, B. Bernhardsson, and 
B. Wittenmark, Some topics in real-time 
control, in Proc. Amer. Control Conf., 1998.
 [46] W. Zhang, M. S. Branicky, and S. M. Phillips, 
Stability of networked control systems, 
IEEE Control Syst. Mag.#mfc%)(#ef%(#
gg%/+Æ00#=\Y%)''(%
 [47] J. Nilsson, B. Bernhardsson, and 
B. Wittenmark, Stochastic analysis and 
control of real-time systems with random 
time delays, Automatica#mfc%*+#ef%(#
pp. 5764, 1998.
[48] E. Boje, "Approximate models for continuous-time linear systems with sampling jitter," Automatica, vol. 41, no. 12, pp. 2091–2098, 2005.
[49] A. Cervin, "Stability and worst-case performance analysis of sampled-data control systems with input and output jitter," in Proc. Amer. Control Conf., 2012, pp. 3760–3765.
[50] D. Goswami, A. Masrur, R. Schneider, C. J. Xue, and S. Chakraborty, "Multirate controller design for resource- and schedule-constrained automotive ECUs," in Proc. Design Autom. Test Eur. Conf. Exhib., Mar. 2013.
[51] K. Goossens, "Virtual execution platforms for mixed-time-criticality systems: The CompSOC architecture and design flow," SIGBED Rev., vol. 10, no. 3, pp. 23–34, 2013.
[52] E. P. van Horssen, A. R. B. Behrouzian, D. Goswami, D. Antunes, T. Basten, and W. P. M. H. Heemels, "Performance analysis and controller improvement for linear systems with (m, k)-firm data losses," in Proc. Eur. Control Conf., 2016, pp. 2571–2577.
[53] W. Geelen, D. Antunes, J. P. M. Voeten, R. R. H. Schiffelers, and W. P. M. H. Heemels, "The impact of deadline misses on the control performance of high-end motion control systems," IEEE Trans. Ind. Electron., vol. 63, no. 2, pp. 1218–1229, Feb. 2016.
[54] D. Antunes and W. P. M. H. Heemels, "Frequency-domain analysis of control loops with intermittent data losses," IEEE Trans. Autom. Control, vol. 61, no. 8, pp. 2295–2300, Aug. 2016.
[55] M. Kauer, S. Steinhorst, D. Goswami, R. Schneider, M. Lukasiewycz, and S. Chakraborty, "Formal verification of distributed controllers using time-stamped event count automata," in Proc. Asia South Pacific Design Autom. Conf., Jan. 2013.
[56] M. Kauer, D. Soudbakhsh, D. Goswami, S. Chakraborty, and A. M. Annaswamy, "Fault-tolerant control synthesis and verification of distributed embedded systems," in Proc. Design Autom. Test Eur. Conf. Exhib., 2014, pp. 1–6.
[57] D. Goswami, R. Schneider, and S. Chakraborty, "Relaxing signal delay constraints in distributed embedded controllers," IEEE Trans. Control Syst. Technol., vol. 22, no. 6, pp. 2337–2345, Nov. 2014.
[58] I. Saha, S. Baruah, and R. Majumdar, "Dynamic scheduling for networked control systems," in Proc. Int. Conf. Hybrid Syst. Comput. Control, 2015, pp. 98–107.
[59] R. Majumdar, I. Saha, and M. Zamani, "Performance-aware scheduler synthesis for control systems," in Proc. Int. Conf. Embedded Softw., 2011, pp. 299–308.
[60] V. C. Aitken and H. M. Schwartz, "On the exponential stability of discrete-time systems with applications in observer design," IEEE Trans. Autom. Control, vol. 39, no. 9, pp. 1959–1962, Sep. 1994.
[61] A. Podelski and S. Wagner, "Model checking of hybrid systems: From reachability towards stability," in Proc. Int. Conf. Hybrid Syst. Comput. Control, 2006.
[62] A. Podelski and S. Wagner, "Region stability proofs for hybrid systems," in Proc. Int. Conf. Formal Modelling Anal. Timed Syst., 2007.
[63] A. Anta, R. Majumdar, I. Saha, and P. Tabuada, "Automatic verification of control system implementations," in Proc. Int. Conf. Embedded Softw., 2010.
[64] E. Feron, "From control systems to control software," IEEE Control Syst. Mag., vol. 30, no. 6, pp. 50–71, Jun. 2010.
[65] R. Majumdar, I. Saha, and M. Zamani, "Synthesis of minimal-error control software," in Proc. Int. Conf. Embedded Softw., 2012, pp. 123–132.
[66] J. Kennedy and R. Eberhart, "Particle swarm optimization," in Proc. Int. Conf. Neural Netw., 1995.
[67] G. M. Mancuso, E. Bini, and G. Pannocchia, "Optimal priority assignment to control tasks," ACM Trans. Embedded Comput. Syst., vol. 13, no. 5s, pp. 161:1–161:17, 2014.
[68] A. Aminifar, P. Eles, Z. Peng, and A. Cervin, "Stability-aware analysis and design of embedded control systems," in Proc. Int. Conf. Embedded Softw., 2013, Art. no. 23.
[69] A. Cervin, B. Lincoln, J. Eker, K. E. Årzén, and G. Buttazzo, "The jitter margin and its application in the design of real-time control systems," in Proc. Int. Conf. Real-Time Embedded Comput. Syst. Appl., 2004.
[70] A. Aminifar, E. Bini, P. Eles, and Z. Peng, "Designing bandwidth-efficient stabilizing control servers," in Proc. Real-Time Syst. Symp., Dec. 2013, pp. 298–307.
[71] A. Aminifar, E. Bini, P. Eles, and Z. Peng, "Analysis and design of real-time servers for control applications," IEEE Trans. Comput., vol. 65, no. 3, pp. 834–846, Mar. 2016.
[72] M. Al Khatib, A. Girard, and T. Dang, "Verification and synthesis of timing contracts for embedded controllers," in Proc. Int. Conf. Hybrid Syst. Comput. Control, 2016, pp. 115–124.
[73] A. R. B. Behrouzian, "Sample-drop firmness analysis of TDMA-scheduled control applications," in Proc. Symp. Ind. Embedded Syst., May 2016.
[74] Y. Wu, G. Buttazzo, E. Bini, and A. Cervin, "Parameter selection for real-time controllers in resource-constrained systems," IEEE Trans. Ind. Informat., vol. 6, no. 4, pp. 610–620, Apr. 2010.
[75] R. Schneider, D. Goswami, A. Masrur, and S. Chakraborty, "QoC-oriented efficient schedule synthesis for mixed-criticality cyber-physical systems," in Proc. Forum Specification Design Lang., 2012, pp. 60–67.
[76] R. Schneider, D. Goswami, A. Masrur, M. Becker, and S. Chakraborty, "Multi-layered scheduling of mixed-criticality cyber-physical systems," J. Syst. Archit., vol. 59, no. 10, pp. 1215–1230, 2013.
[77] P. Martí, J. M. Fuertes, G. Fohler, and K. Ramamritham, "Improving quality-of-control using flexible timing constraints: Metric and scheduling," in Proc. Real-Time Syst. Symp., Dec. 2002, pp. 91–100.
[78] D. Roy, M. Balszun, D. Goswami, and S. Chakraborty, "Hybrid automotive in-vehicle networks," in Proc. Int. Symp. Netw. Chip, 2017.
[79] D. Goswami, R. Schneider, and S. Chakraborty, "Re-engineering cyber-physical control applications for hybrid communication protocols," in Proc. Design Autom. Test Eur. Conf. Exhib., 2011.
[80] A. Masrur, D. Goswami, R. Schneider, H. Voit, A. Annaswamy, and S. Chakraborty, "Schedulability analysis of distributed cyber-physical applications on mixed time-/event-triggered bus architectures with retransmissions," in Proc. Int. Symp. Ind. Embedded Syst., Jun. 2011, pp. 266–273.
[81] A. Masrur, D. Goswami, S. Chakraborty, J. Chen, A. Annaswamy, and A. Banerjee, "Timing analysis of cyber-physical applications for hybrid communication protocols," in Proc. Design Autom. Test Eur. Conf. Exhibit., 2012.
[82] L. Zhang, D. Roy, P. Mundhenk, and S. Chakraborty, "Schedule management framework for cloud-based future automotive software systems," in Proc. Int. Conf. Embedded Real-Time Comput. Syst. Appl., Aug. 2016, pp. 12–21.
[83] P. Mundhenk, G. Tibba, L. Zhang, F. Reimann, D. Roy, and S. Chakraborty, "Dynamic platforms for uncertainty management in future automotive E/E architectures: Invited," in Proc. Design Autom. Conf., 2017, Art. no. 15.
[84] D. Majumdar, L. Zhang, P. Bhaduri, and S. Chakraborty, "Reconfigurable communication middleware for FlexRay-based distributed embedded systems," in Proc. Int. Conf. Embedded Real-Time Comput. Syst. Appl., Aug. 2015, pp. 159–166.
[85] M. Balszun, D. Roy, L. Zhang, W. Chang, and S. Chakraborty, "Effectively utilizing elastic resources in networked control systems," in Proc. Int. Conf. Embedded Real-Time Comput. Syst. Appl., 2017.
[86] P. Tabuada, "Event-triggered real-time scheduling of stabilizing control tasks," IEEE Trans. Autom. Control, vol. 52, no. 9, pp. 1680–1685, Sep. 2007.
 [87] A. Anta and P. Tabuada, Self-triggered 
stabilization of homogeneous control 
systems, in Proc. Amer. Control Conf., 
Ale%)''/#gg%+()0Æ+(*+%
 [88] Z.-P. Jiang and Y. Wang, Input-to-state 
stability for discrete-time nonlinear systems, 
Automatica#mfc%*.#ef%-#gg%/,.Æ/-0#
Ale%)''(%
 [89] M. Velasco, P. Martí, and E. Bini, On 
Lyapunov sampling for event-driven 
controllers, in Proc. Conf. Decision Control, 
)''0%
 [90] R. Postoyan, P. Tabuada, D. Neic, and 
A. Anta, Event-triggered and self-triggered 
stabilization of distributed networked control 
systems, in Proc. Conf. Decision Control Eur. 
Control Conf.#)'((#gg%),-,Æ),.'%
 [91] M. Abdelrahim, V. S. Dolk, and W. P. M. H. 
Heemels, Input-to-state stabilizing event-
triggered control for linear systems with 
output quantization, in Proc. Conf. Decision 
Control#;\Z%)'(-%
R0)T G%DXik#D%M\cXjZf#Xe[<%9`e`#ÈK_\
optimal boundary and regulator design 
problem for event-driven controllers, in 
Proc. 12th Int. Conf. Hybrid Syst. Comput. 
Control#)''0#gg%++(Æ+++%
R0*T D%M\cXjZf#G%DXik#A%Pg\q#=%A%Il`q#
J. M. Fuertes, and E. Bini, Qualitative 
analysis of a one-step finite-horizon 
boundary for event-driven controllers, in 
Proc. Conf. Decision Control Eur. Control Conf., 
;\Z%)'((#gg%(--)Æ(--.%
 [94] M. Velasco, P. Martí, and E. Bini, Control-
driven tasks: Modeling and analysis, in 
Proc. Real-Time Syst. Symp.#)''/%
 [95] A. Aminifar, P. Tabuada, P. Eles, and 
Z. Peng, Self-triggered controllers and 
hard real-time guarantees, in Proc. 
Design Autom. Test Eur. Conf. Exhib.#)'(-#
gg-*-Æ-+(%
 [96] M. Mazo and P. Tabuada, On event-
triggered and self-triggered control over 
sensor/actuator networks, in Proc. Conf. 
Decision Control#)''/#gg%+*,Æ++'%
 [97] S. Samii, P. Eles, Z. Peng, P. Tabuada, and 
A. Cervin, Dynamic scheduling and 
control-quality optimization of self-
triggered control applications, in Proc. 
Real-Time Syst. Symp.#)'('#gg%0,Æ('+%
 [98] I. Saha and R. Majumdar, Trigger 
memoization in self-triggered control, 
in Proc. Int. Conf. Embedded Softw. 
(EMSOFT)#)'()%
 [99] J. Araújo, M. Mazo, A. Anta, P. Tabuada, 
and K. H. Johansson, System architectures, 
protocols and algorithms for aperiodic 
wireless control systems, IEEE Trans. Ind. 
Informat.#mfc%('#ef%(#gg%(.,Æ(/+#)'(+%
 [100] A. Aminifar, S. Samii, P. Eles, Z. Peng, and 
A. Cervin, Designing high-quality 
embedded control systems with guaranteed 
stability, in Proc. Real-Time Syst. Symp., 
;\Z%)'()#gg%)/*Æ)0)%
 [101] A. Aminifar, E. Bini, P. Eles, and Z. Peng, 
Bandwidth-efficient controller-server 
co-design with stability guarantees, in 
Proc. Design Autom. Test Eur. Conf. Exhib., 
DXi%)'(+#gg%(Æ-%
R(')T A%MXc\eZ`X#<%G%mXe?fijj\e#;%>fjnXd`#
W. P. M. H. Heemels, and K. G. W. Goossens, 
Resource utilization and quality-of-control 
trade-off for a composable platform, in Proc. 
Design Autom. Test Eur. Conf. Exhib.#)'(-%
R('*T P%Ol#B%$<%wiqe#<%9`e`#Xe[8%:\im`e#
Response time driven design of control 
systems, IFAC World Congr.#mfc%+.#ef%*#
gg%-'0/Æ-('+#)'(+%
 [104] Y. Xu, K.-E. Årzén, A. Cervin, E. Bini, and 
B. Tanasa, Exploiting job response-time 
information in the co-design of real-time 
control systems, in Proc. Int. Conf. 
Embedded Real-Time Comput. Syst. Appl., 
8l^%)'(,%
 [105] S. Samii, A. Cervin, P. Eles, and Z. Peng, 
Integrated scheduling and synthesis of 
control applications on distributed 
embedded systems, in Proc. Design Autom. 
Test Eur. Conf. Exhibit.#)''0#gg%,.Æ-)%
 [106] B. Lincoln and A. Cervin, JITTERBUG: A 
tool for analysis of real-time control 
performance, in Proc. Conf. Decision 
Control#;\Z%)'')%
 [107] S. Samii, P. Eles, Z. Peng, and A. Cervin, 
Design optimization and synthesis of 
FlexRay parameters for embedded control 
applications, in Proc. Int. Symp. Electron. 
Design Test Appl.#)'((#gg%--Æ.(%
 [108] A. Aminifar, P. Eles, Z. Peng, and 
A. Cervin, Control-quality driven 
design of cyber-physical systems with 
robustness guarantees, in Proc. Design 
Autom. Test Eur. Conf. Exhibit.#)'(*#
gg%('0*Æ('0/%
 [109] R. Schneider, D. Goswami, S. Zafar, 
M. Lukasiewycz, and S. Chakraborty, 
Constraint-driven synthesis and tool-
support for FlexRay-Based automotive 
control systems, in Proc. 7th IEEE/ACM/
IFIP Int. Conf. Hardw./Softw. Codesign Syst. 
Synth.#)'((#gg%(*0Æ(+/%
 [110] D. Goswami, M. Lukasiewycz, R. Schneider, 
and S. Chakraborty, Time-triggered 
implementations of mixed-criticality 
automotive software, in Proc. Design Autom. 
Test Eur. Conf. Exhibit.#DXi%)'()%
 [111] D. Roy, L. Zhang, W. Chang, D. Goswami, 
and S. Chakraborty, Multi-objective 
co-optimization of FlexRay-based 
distributed control systems, in Proc. 
Real-Time Embedded Technol. Appl. 
Symp.#)'(-%
Authorized licensed use limited to: University of York. Downloaded on August 24,2020 at 11:04:44 UTC from IEEE Xplore.  Restrictions apply. 
Roy et al   6HPDQWLFV3UHVHUYLQJ&RV\QWKHVLVRI&\EHU§3K\VLFDO6\VWHPV
198 Proceedings of the IEEE | Vol. 106, No. 1, January 2018
R(()T K%>fddXej#;%8ekle\j#K%;feb\ij#
P. Tabuada, and M. Heemels, Self-triggered 
linear quadratic control, Automatica, 
mfc%,'#ef%+#gg%().0Æ()/.#)'(+%
R((*T 8%8d`e`]Xi#J%JXd``#G%<c\j#Xe[Q%G\e^#
Control-quality driven task mapping for 
distributed embedded control systems, in 
Proc. Int. Conf. Embedded Real-Time Comput. 
Syst. Appl.#8l^%)'((#gg%(**Æ(+)%
 [114] D. Goswami, R. Schneider, and 
S. Chakraborty, Co-design of cyber-physical 
systems via controllers with flexible delay 
constraints, in Proc. Asia South Pacific 
Design Autom. Conf.#)'((#gg%)),Æ)*'%
 [115] K. Pettis and R. C. Hansen, Profile guided 
code positioning, in Proc. Conf. Programm. 
Lang. Design Implement.#mfc%),#ef%-#
gg%(-Æ).#(00'%
 [116] J. Kalamationos and D. R. Kaeli, 
Temporal-based procedure reordering for 
improved instruction cache performance, 
in Proc. Int. Symp. High-Perform. Comput. 
Archit.#=\Y%(00/#gg%)++Æ),*%
 [117] N. Gloy, T. Blackwell, M. D. Smith, and 
B. Calder, Procedure placement using 
temporal ordering information, in Proc. 
Int. Symp. Microarchitect., 1997.
 [118] K. W. Batcher and R. A. Walker, Dynamic 
round-robin task scheduling to reduce 
cache misses for embedded systems, in 
Proc. Design Autom. Test Eur. Conf. Exhibit., 
)''/#gg%)-'Æ)-*%
 [119] M. Glaß, M. Lukasiewyc, J. Teich, 
U. D. Bordoloi, and S. Chakraborty, 
Designing heterogeneous ECU networks 
via compact architecture encoding and 
hybrid timing analysis, in Proc. Design 
Autom. Conf.#Alc%)''0#gg%+*Æ+-%
R()'T ;%9l`#<%C\\#@%C`l#?%GXk\c#Xe[
J. Reineke, Temporal isolation on 
multiprocessing architectures, in Proc. 
Design Autom. Conf.#)'((#gg%).+Æ).0%
R()(T K%Le^\i\i#ÈD\iXjX1Dlck`Zfi\\o\Zlk`fe
of hard real-time applications supporting 
analyzability, IEEE Micro#mfc%*'#ef%,#
gg%--Æ.,#J\g%)'('%
R())T J%>`iYXc#O%A\Xe#A%C%I_le#;%>%Gi\q#
and M. Gatti, Deterministic platform 
software for hard real-time systems using 
multi-core COTS, in Proc. Digit. Avion. 
Syst. Conf.#J\g%)'(,#gg%/;+$(Æ/;+$(,%
R()*T I%KXY`j_#È8i\Xc$k`d\jZiXkZ_gX[$Z\eki`Z
OS for multi-core embedded systems, in 
Proc. Real-Time Embedded Technol. Appl. 
Symp.#8gi%)'(-#gg%(Æ((%
R()+T 8%9\dgfiX[#8%Fc`m\i`#K%Gf^^`#Xe[
M. Storace, Ultra-fast stabilizing model 
predictive control via canonical piecewise 
affine approximations, IEEE Trans. Autom. 
Control#mfc%,-#ef%()#gg%)//*Æ)/0.#
;\Z%)'((%
R(),T Q%PXfXe[E%?%<c$=XiiX#ÈI\jfliZ\$
aware model predictive control of spatially 
distributed processes using event-triggered 
communication, in Proc. Conf. Decision 
Control#;\Z%)'(*#gg%*.)-Æ*.*(%
R()-T K%<%>`Yjfe#8%D%8eeXjnXdp#Xe[
E. Lavretsky, Improved transient response 
in adaptive control using projection 
algorithms and closed loop reference 
models, in Proc. AIAA Guid. Navigat. 
Control Conf.#)'()%
R().T K%<%>`Yjfe#8%D%8eeXjnXdp#Xe[
E. Lavretsky, Closedloop reference 
model adaptive control: Composite 
control and observer feedback, in Proc. 
IFAC Int. Workshop Adaptation Learn. 
Control Signal Process.#Ale%)'(*#
gg%**.-Æ**/*%
R()/T K%<%>`Yjfe#8%D%8eeXjnXdp#Xe[
E. Lavretsky, Adaptive systems with 
closed-loop reference-models, part I: 
Transient performance, in Proc. Amer. 
Control Conf.#)'(*%
R()0T K%<%>`Yjfe#8%D%8eeXjnXdp#Xe[
E. Lavretsky, Closed-loop reference 
models for output-feedback adaptive 
systems, in Proc. Eur. Control Conf., Jul. 
)'(*#gg%*-,Æ*.'%
R(*'T C%:_ledXfXe[O%A`Xe#È8[Xgk`m\
delay estimation and control of 
networked control systems, in Proc. Int. 
Symp. Commun. Inf. Technol.#)''-#
pp. 707710.
R(*(T ?%Mf`kXe[8%8eeXjnXdp#È8[Xgk`m\
control of a networked control system with 
hierarchical scheduling, in Proc. Amer. 
Control Conf.#Ale%)'((#gg%+(/0Æ+(0+%
R(*)T ?%Mf`k#8%D%8eeXjnXdp#I%JZ_e\`[\i#
D. Goswami, and S. Chakraborty, 
Adaptive switching controllers for 
systems with hybrid communication 
protocols, in Proc. Amer. Control Conf., 
)'()#gg%+0)(Æ+0)-%
R(**T P%$<%NXe^#O%$D%Jle#G%J_`#Xe[A%Q_Xf#
Input-to-state stability of switched 
nonlinear systems with time delays under 
asynchronous switching, IEEE Trans. 
Cybern.#mfc%+*#ef%-#gg%))-(Æ))-,#
;\Z%)'(*%
R(*+T P%NXe^#O%Jle#Xe[9%Nl#ÈCpXglefmÆ
Krasovskii functionals for input-to-state 
stability of switched non-linear systems 
with time-varying input delay, IET Control 
Theory Appl.#mfc%0#ef%((#gg%(.(.Æ(.))#
Alc%)'(,%
R(*,T N%G%D%?%?\\d\cj#ÈJkXY`c`kpXeXcpj`jf]
nonlinear networked control systems with 
asynchronous communication: A small-
gain approach, in Proc. Conf. Decision 
Control#;\Z%)'(*#gg%+-*(Æ+-*.%
R(*-T P%NXe^#D%O`X#M%>lgkX#Xe[G%A%8ekjXbc`j#
On feedback passivity of discrete-time 
nonlinear networked control systems with 
packet drops, IEEE Trans. Autom. Control, 
mfc%-'#ef%0#gg%)+*+Æ)+*0#J\g%)'(,%
R(*.T A%C\`Xe[?%B%B_Xc`c#È=\\[YXZb
linearization for nonlinear systems with 
time-varying input and output delays 
by using high-gain predictors, IEEE 
Trans. Autom. Control, vol. 61, no. 8, 
gg%))-)Æ))-/#8l^%)'(-%
R(*/T K%KXbX^`Xe[D%Jl^\ef#È=lqqp
identification of systems and its 
applications to modeling and control, IEEE 
Trans. Syst. Man Cybern. Syst., vol. SMC-15, 
ef%(#gg%((-Æ(*)#AXe%(0/,%
R(*0T O%Q_Xe^#>%Cl#Xe[P%Q_\e^#
Stabilization of networked stochastic 
time-delay fuzzy systems with data 
dropout, IEEE Trans. Fuzzy Syst., vol. 16, 
ef%*#gg%.0/Æ/'.#DXi%)''/%
 [140] H. Gao, Y. Zhao, and T. Chen,  H ∞ fuzzy 
control of nonlinear systems under 
unreliable communication links, IEEE 
Trans. Fuzzy Syst.#mfc%(.#ef%)#gg%)-,Æ)./#
=\Y%)''0%
 [141] H. Li, C. Wu, and Z. Feng, Fuzzy dynamic 
output-feedback control of non-linear 
networked discrete-time system with 
missing measurements, IET Control 
Theory Appl.#mfc%0#ef%*#gg%*).Æ**,#
)'(,%
R(+)T A%H`l#>%=\e^#Xe[?%>Xf#È=lqqp$df[\c$
based piecewise  H ∞ static-output-feedback 
controller design for networked nonlinear 
systems, IEEE Trans. Fuzzy Syst., vol. 18, 
ef%,#gg%0(0Æ0*+#)'('%
R(+*T ;%;l#ÈI\c`XYc\H ∞ control for Takagi-
Sugeno fuzzy systems with intermittent 
measurements, Nonlinear Anal. Hybrid 
Syst.#mfc%-#ef%+#gg%0*'Æ0+(#)'()%
 [144] Y. Zhao, H. Gao, and T. Chen, Fuzzy 
constrained predictive control of nonlinear 
systems with packet dropouts, IET Control 
Theory Appl., vol. 4, no. 9, p. 16651677, 
)'('%
 [145] H. Zhang, J. Yang, and C. Su, T-S fuzzy-
model-based robust  H ∞ design for 
networked control systems with 
uncertainties, IEEE Trans. Ind. Informat., 
mfc%*#ef%+#gg%)/0Æ*'(#8gi%)''.%
 [146] H. Zhang, D. Yang, and T. Chai, 
Guaranteed cost networked control 
for TS fuzzy systems with time delays, 
IEEE Trans. Syst. Man Cybern. C, 
Appl. Rev.#mfc%*.#ef%)#gg%(-'Æ(.)#
DXi%)''.%
 [147] C. Peng and T. C. Yang, Communication-
delay-distribution-dependent networked 
control for a class of T-S fuzzy systems, 
IEEE Trans. Fuzzy Syst.#mfc%(/#ef%)#
gg%*)-Æ**,#=\Y%)'('%
 [148] E. Tian, D. Yue, and Z. Gu, Robust  
H ∞ control for nonlinear systems over 
network: A piecewise analysis 
method, Fuzzy Sets Syst.#mfc%(-(#ef%)(#
gg%).*(Æ).+,#)'('%
 [149] M. S. Mahmoud and A.-W. A. Saif, Robust 
quantized approach to fuzzy networked 
control systems, IEEE J. Emerg. Sel. Topics 
Circuits Syst.#mfc%)#ef%(#g%.(Æ/(#
DXi%)'()%
 [150] J. Yan, Y. Xia, and L. Li, Stabilization of 
fuzzy systems with quantization and 
packet dropout, Int. J. Robust Nonlinear 
Control#mfc%)+#ef%('#g%(,-*Æ(,/*#)'(+%
 [151] S. A. Seshia, Combining induction, 
deduction, and structure for verification 
and synthesis, Proc. IEEE#mfc%('*#ef%((#
gg%)'*-Æ)',(#Efm%)'(,%
R(,)T N%Bf_e#A%AXd\j#8%E\if[\#B%?XiY`jfe#
and A. Agrawala, A hybrid systems 
approach to computer-aided control 
engineering, IEEE Control Syst., vol. 15, 
ef%)#gg%(+Æ),#8gi%(00,%
R(,*T D%J%9iXe`Zbp#M%J%9fibXi#Xe[
S. K. Mitter, A unified framework for 
hybrid control: Model and optimal control 
theory, IEEE Trans. Autom. Control#mfc%+*#
ef%(#gg%*(Æ+,#AXe%(00/%
 [154] P. Tabuada and G. J. Pappas, Linear time 
logic control of discrete-time linear 
systems, IEEE Trans. Autom. Control, 
mfc%,(#ef%()#gg%(/-)Æ(/..#;\Z% 
)''-%
 [155] X. Chen, E. Abraham, and S. Sankaranarayan, 
Taylor model flowpipe construction for 
non-linear hybrid systems, in Proc. Real-
Time Syst. Symp.#)'()%
 [156] R. Testylier and T. Dang, NLTOOLBOX: A 
C++ library for reachability computation 
of non-linear dynamical systems, in Proc. 
Int. Symp. Autom. Technol. Verification Anal., 
)'(*#gg%+-0Æ+.*%
 [157] T. Dang, O. Maler, and R. Testylier, 
Accurate hybridization of nonlinear 
systems, in Proc. Int. Conf. Hybrid Syst., 
Comput. Control#)'('#gg%((Æ)'%
Authorized licensed use limited to: University of York. Downloaded on August 24,2020 at 11:04:44 UTC from IEEE Xplore.  Restrictions apply. 
Roy et al   6HPDQWLFV3UHVHUYLQJ&RV\QWKHVLVRI&\EHU§3K\VLFDO6\VWHPV
Vol. 106, No. 1, January 2018 | Proceedings of the IEEE 199
 [158] E. Asarin, T. Dang, and A. Girard, 
Hybridization methods for the analysis of 
nonlinear systems, Acta Inf.#mfc%+*#ef%.#
gg%+,(Æ+.-#)''.%
 [159] X. Chen and S. Sankaranarayanan, 
Decomposed reachability analysis for 
nonlinear systems, in Proc. Real-Time Syst. 
Symp.#)'(-#gg%(*Æ)+%
 [160] H. Ravanbakhsh and S. Sankaranarayanan, 
Robust controller synthesis of switched 
systems using counterexample guided 
framework, in Proc. Int. Conf. Embedded 
Softw.#FZk%)'(-#gg%(Æ('%
 [161] H. Ravanbakhsh and S. Sankaranarayanan, 
Infinite horizon safety controller 
synthesis through disjunctive polyhedral 
abstract interpretation, in Proc. Int. Conf. 
Embedded Softw.#FZk%)'(+#gg%(Æ('%
R(-)T J%>_fj_#È;`X^efj`jXe[i\gX`i]fi
synthesis from signal temporal logic 
specifications, in Proc. Int. Conf. Hybrid 
Syst. Comput. Control#)'(-#gg%*(Æ+'%
R(-*T D%QXdXe`#D%DXqf#Xe[8%8YXk\#
Finite abstractions of networked control 
systems, in Proc. Conf. Decision Control, 
;\Z%)'(+#gg%0,Æ(''%
 [164] M. Khaled, M. Rungger, and M. Zamani, 
Symbolic models of networked control 
systems: A feedback refinement relation 
approach, in Proc. Conf. Commun. Control 
Comput.#)'(-%
 [165] M. Zamani, G. Pola, M. Mazo, Jr., and 
P. Tabuada, Symbolic models for 
nonlinear control systems without 
stability assumptions, IEEE Trans. Autom. 
Control, vol. 57, no. 7, pp. 18041809, 
Alc%)'()%
 [166] A. Balluchi, L. Benveunuti, T. Villa, 
H. Wong-Toi, and A. L. Sangiovanni-
Vincentelli, Controller synthesis for 
hybrid systems with lower bounds on event 
separation, in Proc. Conf. Decision Control, 
;\Z%(000#gg%*0/+Æ*0/0%
 [167] M. Rungger and M. Zamani, SCOTS: A 
tool for the synthesis of symbolic 
controllers, in Proc. Int. Conf. Hybrid Syst. 
Comput. Control#)'(-#gg%00Æ('+%
 [168] L. Di Guglielmo, S. A. Seshia, and T. Villa, 
Synthesis of implementable control 
strategies for lazy linear hybrid automata, 
in Proc. Federated Conf. Comput. Sci. Inf. 
Syst.#)'(*%
 [169] A. Girard, Controller synthesis for safety 
and reachability via approximate 
bisimulation, Automatica, vol. 48, no. 5, 
gg%0+.Æ0,*#)'()%
 [170] P. Bouyer, K. G. Larsen, N. Markey, 
O. Sankur, and C. Thrane, Timed 
automata can always be made 
implementable, in Proc. Int. Conf. 
Concurrency Theory#)'((#gg%.-Æ0(%
 [171] M. Rungger, G. Reissig, and M. Zamani, 
Symbolic synthesis with average 
performance guarantees, in Proc. 
Conf. Decision Control#;\Z%)'(-#
pp. 74047410.
R(.)T >%I\`jj`^#8%N\Y\i#Xe[D%Ile^^\i#
Feedback refinement relations for the 
synthesis of symbolic controllers, IEEE 
Trans. Autom. Control#mfc%-)#ef%+#
gg%(./(Æ(.0-#8gi%)'(.%
R(.*T J%:_\ZbfnXp#È:fdgi\_\ej`m\\og\i`d\ekXc
analyses of automotive attack surfaces, in 
Proc. Conf. Secur.#)'((%
 [174] K. Koscher, Experimental security 
analysis of a modern automobile, in Proc. 
Symp. Secur. Privacy#)'('%
 [175] B. Zheng, P. Deng, R. Anguluri, Q. Zhu, 
and F. Pasqualetti, Cross-layer codesign 
for secure cyber-physical systems, 
IEEE Trans. Comput.-Aided Design Integr. 
Circuits Syst.#mfc%*,#ef%,#gg%-00Æ.((#
DXp)'(-%
 [176] D. Rakhmatov and S. Vrudhula, An 
analytical high-level battery model for use 
in energy management of portable 
electronic systems, in Proc. Int. Conf. 
Comput. Aided Design#)''(%
 [177] W. Chang, A. Pröbstl, D. Goswami, 
M. Zamani, and S. Chakraborty, Battery- 
and aging-aware embedded control systems 
for electric vehicles, in Proc. Real-Time 
Syst. Symp.#)'(+%
 [178] K. Vatanparvar and M. A. Al Faruque, 
Battery lifetime-aware automotive climate 
control for electric vehicles, in Proc. 
Design Autom. Conf.#)'(,%
 [179] M. Pedram, N. Chang, Y. Kim, and 
Y. Wang, Hybrid electrical energy storage 
systems, in Proc. Int. Symp. Low Power 
Electron. Design#)'('%
 [180] M. Baleani, A. Ferrari, L. Mangeruca, 
A. Sangiovanni-Vincentelli, M. Peri, and 
S. Pezzini, Fault-tolerant platforms for 
automotive safety-critical applications, in 
Proc. Int. Conf. Compil. Archit. Synth. 
Embedded Syst.#)''*%
 [181] J. Kim, G. Bhatia, R. Rajkumar, and 
M. Jochim, SAFER: System-level 
architecture for failure evasion in real-time 
applications, in Proc. Real-Time Syst. 
Symp.#)'()%
R(/)T ;%K_\`cc`fc#:%Af`e#Xe[P%Q_Xe^#
Actuator fault-tolerant control design 
based on reconfigurable reference input, 
Int. J. Appl. Math. Comput. Sci., vol. 18, 
ef%+#gg%,,*Æ,-'#)''/%
R(/*T ;%>fjnXd`#;%Dcc\i$>i`kjZ_e\[\i#
T. Basten, U. Schlichtmann, and 
S. Chakraborty, Fault-tolerant embedded 
control systems for unreliable hardware, 
in Proc. Int. Symp. Integr. Circuits#;\Z%)'(+#
pp. 464467.
 [184] W. Chang, D. Roy, L. Zhang, and 
S. Chakraborty, Model-based design of 
resource-efficient automotive control 
software, in Proc. Int. Conf. Comput.-Aided 
Design#Efm%)'(-#gg%(Æ/%
 [185] D. Roy, W. Chang, L. Zhang, and 
S. Chakraborty, Automated synthesis of 
cyber-physical systems from joint controller/
architecture specifications, in Proc. Forum 
Specification Design Lang.#)'(-%
 [186] C. Baier and J. Katoen, Principles of Model 
Checking (Representation and Mind 
Series). Cambridge, MA, USA: MIT Press, 
)''/%
 [187] A. Biere, A. Cimatti, E. M. Clarke, 
O. Strichman, and Y. Zhu, Bounded 
model checking, Adv. Comput., vol. 58, 
gg%((.Æ(+/#)''*%
 [188] M. Fitting, First-order logic and 
automated theorem proving, in Graduate 
Texts in Computer Science. New York, NY, 
USA: Springer-Verlag, 1996.
 [189] S. Sims and D. C. DuVarney, Experience 
report: The Reactis validation tool, in 
Proc. Int. Conf. Funct. Programm.#)''.%
 [190] M. Satpathy, A. Yeolekar, and S. Ramesh, 
Randomized directed testing 
(REDIRECT) for simulink/stateflow 
models, in Proc. Int. Conf. Embedded Softw., 
)''/%
 [191] F. Balarin, Y. Watanabe, H. Hsieh, 
L. Lavagno, C. Passerone, and 
A. Sangiovanni-Vincentelli, Metropolis: 
An integrated electronic system design 
environment, Computer#mfc%*-#ef%+#
gg%+,Æ,)#8gi%)''*%
R(0)T 8%;XmXi\#Èd\kif@@18[\j`^e\em`ifed\ek
for cyber-physical systems, ACM Trans. 
Embedded Comput. Syst.#mfc%()#ef%(j#
gg%+01(Æ+01*(#)'(*%
ABOUT THE AUTHORS
Debayan Roy (Student Member, IEEE) received the M.Sc. degree in communications engineering from the Technical University of Munich (TU Munich), Munich, Germany, in 2015, where he is currently working toward the Ph.D. degree.
He is currently a Researcher with the Chair of Real-Time Computer Systems, TU Munich. His current research interests include automotive E/E architecture and embedded control systems.
Licong Zhang (Student Member, IEEE) received the Dipl.-Ing. degree in electrical and computer engineering from the Technical University of Munich (TU Munich), Munich, Germany, in 2011, where he is currently working toward the Ph.D. degree with the Chair of Real-Time Computer Systems.
His current research interests include automotive E/E architecture and software, in-vehicle communication networks and control-platform cosynthesis.
Wanli Chang (Member, IEEE) received the Ph.D. degree in electrical and computer engineering from the Technical University of Munich (TU Munich), Munich, Germany, in 2017.
He is a Lecturer at the Singapore Institute of Technology, Singapore. His current research interest includes resource-aware automotive control systems.
Sanjoy K. Mitter (Fellow, IEEE) received the Ph.D. degree from the Imperial College of Science and Technology, London, U.K., in 1965.
He is currently a Professor in Electrical Engineering at the Massachusetts Institute of Technology (MIT), Cambridge, MA, USA. His current research interests are communication and control in a networked environment, the relationship of statistical and quantum physics to information theory and control, and autonomy and adaptiveness for integrative organization.
Samarjit Chakraborty (Senior Member, IEEE) received the Ph.D. degree in electrical engineering from ETH Zurich, Zurich, Switzerland, in 2003.
He is currently a Professor in Electrical and Computer Engineering at the Technical University of Munich (TU Munich), Munich, Germany, where he holds the Chair for Real-Time Computer Systems. His research interests include distributed embedded systems, embedded control systems, energy storage systems, electromobility, and sensor network-based information processing for healthcare.
