Abstract
Introduction
It has been noted by the digital design community that the greatest potential for additional cost and iteration cycle time savings is through improvements in tools and techniques that support the early stages of the design [ 11. Decisions made during the initial phases of a product's development cycle determine up to 80% of its total cost. The result is that accurate, fast analysis tools must be available to the designer at the early stages of the design process to help make these decisions. Design alternatives must be effectively evaluated at this level with respect to multiple metrics, such as performance, dependability, and testability. There are a number of current tools and techniques that support analysis of these metrics at the system level such as SES Workbench [2], ADAS [3] , Ptolemy [4] , and Foresight [ 5 ] . Most of these tools are not linked into the design environment in which the system will be implemented. This disconnect leads to the system model being at best of little use to the design team as a starting place for their implementation. At worst, the system model developed using these types of tools can be completely inaccurate because of assumptions and abstractions that can not be verified until the design is almost complete -at which point redesign is too time consuming and expensive. Even those design environments which do allow the system level model to be used within the design environment often use different languages for parts of the model and require the user to develop complex, ad hoc interfaces between components modeled at different levels of abstraction.
A further problem with existing system level modeling tools is that they force the designers to represent the system using different modeling paradigms for each type of analysis that is to be performed. For example, multiple models in different representations may be needed to analyze performance and "Permission to make digitallhardcopy of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage, the copy-right notice, the title of the publication and its date appear, and notice is given that copying is by permission of the ACM, Inc. To copy otherwise, to republish, to post on services or to redistribute to lists, requires prior specific permission and/ or a fee." DAC 97, Anaheim, California (C) 1997 ACM 0-89791-920-3/97/06 .. $3.50 184 dependability. A great deal of extra work must be done to verify that these models accurately represent the same system. This paper presents a unified end-to-end design environment developed at the University of Virginia that solves these problems by using a single system level representation which can be used to measure multiple metrics and provides a starting point for the engineering design process. A tool called ADEPT (Advanced Design Environment Prototype Tool) has been developed to implement this environment. ADEPT supports both system level performance and dependability analysis in a common design environment using a collection of predefined library elements. ADEPT also includes the capability to simulate both system level and implementation level (behavioral) models in a common simulation environment. This capability allows the stepwise refinement of system level models into implementation level models.
The remainder of this paper is organized as follows. Section 2 describes the ADEPT environment and set of tools. Section 3 describes the performance modeling capabilities and mixed level modeling capabilities of ADEPT through the use of an example. Section 4 describes the dependability analysis capabilities of ADEPT through additional examples and shows how this analysis can be continued through the design process as the system model is refined. Finally, Section 5 contains some conclusions.
The ADEPT Design Environment
Two approaches to creating a unified design environment are possible. An evolutionary solution is to provide an environment that "translates" data from different models at various points in the design process and creates interfaces for the non-communicating software tools used to develop these models. With this approach, users must be familiar with several modeling languages and tools. Also, analysis of design alternatives is difficult and is likely to be limited by design time constraints.
The approach being taken in ADEPT uses a common modeling language and simulation environment which decreases the need for translators and multiple models, reducing inconsistencies and the probability of errors in translation. The inclusion of a mathematical foundation in ADEPT provides a capability for complex system analysis using analytical approaches.
ADEPT implements an end-to-end unified design environment based upon the use of the VHSIC Hardware Description Language (VHDL), IEEE Std. 1076 [6] . ADEPT supports the integrated performance and dependability analysis of system level models and includes the capability to simulate both uninterpreted (performance) and interpreted (behavioral) models in a common simulation environment using a technique called mixed level modeling. Mixed level modeling allows the stepwise refinement of system level models into implementation level models. ADEPT also has a mathematical basis in Petri Nets thus providing the capability for analysis through simulation or analytical approaches r71.
The ADEPT Modules
In the ADEPT environment, a system model is constructed by interconnecting a collection of predefined elements called ADEPT modules. The modules model the information Row, both data and control, through a system. Each ADEPT module has a symbol, a VHDL behavioral description, and a corresponding mathematical The basic ADEPT modules are intended to be building blocks from which useful modeling functionality can be constructed. The set of basic ADEPT modules is divided into six categories: control modules, color modules, delay modules, fault modules, miscellaneous parts modules, and hybrid modules [9] . The control modules, like the Wye module shown above, are used to manipulate the Row of tokens in a model. A majority of the control modules have been adapted from Dennis [lo] . Modules in the color and delay categories enable the manipulation of the token color and model temporal aspects of a system, respectively. The fault modules are used to model the presence of faults and errors in a system. The miscellaneous modules are modules that perform data collection with the ADEPT system. Hybrid modules aid in the construction of mixed level models. Custom modules can be developed by the user if required and incorporated into a system model as long as the handshaking protocol described below is adhered to. In addition, some libraries of application-specific, highlevel modeling modules such a Multiprocessor Communications Network Modeling Library [I 11 have been developed and included in ADEPT.
The ADEPT modules communicate by exchanging tokens, which represent the presence of information, using a fully interlocked, four-state handshaking protocol. ADEPT tokens are implemented as a VHDL record structure. In the token, the two most important fields are the STATUS field and the COLOR field. The STATUS field is used to implement the token passing mechanism; that is, the "handshaking" between the ADEPT modules. The COLOR-field is an array of integers that hold userspecified information.
The ADEPT Tools
The ADEPT system is available on Sun platforms using Mentor Graphics' Design Architect as the front end schematic capture system, or on Windows PCs using OrCAD's Capture as the front end schematic capture system. The overall architecture of the ADEPT system is shown in Figure 2 . The schematic front end is used to graphically construct the system model from a library of ADEPT module symbols and translate it into an EDIF (Electronic Design Interchange Format) 2.0.0 netlist of the model. Once the EDIF netlist of the model is generated, the ADEPT software is used to translate the model into a structural VHDL description consisting of interconnections of ADEPT modules. The user can then simulate the structural VHDL that is generated to obtain performance and dependability measures using the VHDL behavioral descriptions of the ADEPT modules. In addition to VHDL simulation, a path exists that allows the CPN description of the system model to be constructed from the CPN descriptions oflhe ADEPT modules. This CPN description can then be translated into a Markov model and solved using commercial tools to obtain dependability information.
Performance and Mixed Level Modeling with ADEPT
This section presents some of the performance analysis capabilities of ADEPT and how the technique of mixed level modeling can be used to gain more accurate performance metrics.
Performance Modeling
The example used to demonstrate the performance modeling capabilities of ADEPT consists of an FIR digital filter that operates on an incoming stream of data in real-time. The specifications of this system include the required frequency response of the filter and the rate in which the data arrives to the filter. The required frequency response determines the order of the filter, or the number of additions and multiplications required between each arriving data item The data arrival rate along with the order determines the rate at which additions and multiplications must be performed. Based on these specifications, the designers have to define the system's architecture, for example, the number and configuration of arithmetic resources to be used.
The schematic shown in Figure 3 is an ADEPT model of one possible configuration of the FIR filter. This model is constructed entirely of ADEPT modules. Some of the elements seen are ADEPT modules and some are hierarchical elements built from the ADEPT modules. The goal of this model is to analyze the performance of a FIR filter with two adders and two multipliers. By simulating this model it is possible to estimate the effect of different parameters on the performance. The graph in Figure 4 shows the overall system latency as a function of the speed of the multiplier for three different filters (order 10, 15 and 20). As expected, for "relatively slow" multipliers (propagation delay of more than 40 ns) the system's latency is dominated by the multipliers while for "faster" multipliers the system's latency is dominated by the adders. For this FIR architecture with two multipliers and two adders, the designer can determine the speed required of the multipliers to provide a given data rate and frequency response (filter order). Alternatively, given a specific multiplier implementation, filter order can be traded off for increased data rates. Finally, it is possible to evaluate different architectures for the system that have different numbers of arithmetic resources. This will require minor modifications to the ADEPT model and resimulation to obtain the new data. 
Mixed Level Modeling
Once the initial design space exploration has been done using estimated delays in the performance model, the next step in a typical spiral design process is to implement the portions of the design that have been identified as the critical path to determine if their performance constraints can be met. In ADEPT, this analysis is performed using mixed level modeling.
In a mixed level model, a portion of the ADEPT performance model is replaced by the fully implemented behavioral description of the corresponding component. The result is a model which is composed of an uninterpreted model which manipulates tokens and an interpreted model which manipulates actual signal values (bits, integers, reals, etc.) and has full timing information. This unique mixed level modeling approach is supported by the VHDL implementation of ADEPT.
Since mixed level models mix components that communicate via tokens and components that communicate via values, there is a need for an interface that will handle the flow of information between the two domains. The major problems that occur when cosimulating models at different levels of abstraction, especially performance level models with lower level models, is that of data and timing abstraction across the mixed level modeling interface. The timing abstraction problem arises because the components at different levels model timing events a different granularities. For example, the passing of a token between library elements at the performance level that represents a packet of data being transferred may correspond to hundreds or thousands of bus cycles for a model at the bus functional level.
The problem of data abstraction across the mixed level modeling interface is due to the fact that models at higher levels do not include full functional details whereas models at a lower level require complete functional data (in terms of values on their inputs) to be present before they will execute correctly. For example, a performance level modeling token arriving at the inputs to the interface to a bus functional floating point coprocessor model may contain information about the operation the token represents, but may not contain the data upon which the operation is to take place. In this case, the interface must generate the data required by the bus functional model and do it in a way that a meaningful performance metric, such as best or worst case delays, is obtained.
The mixed level interface in ADEPT is divided into two parts, an uninterpreted to interpreted (U/I) part that converts tokens to values, and an interpreted to uninterpreted ( I N ) part that converts values to tokens. In addition to value conversion, these interfaces must handle the timing of the two different levels of abstraction during simulation. This portion of the interface function differs significantly depending on the characteristics of the interpreted component and the objectives of the performance model. More detail on the functions of these interfaces and how they are implemented in ADEPT can be found in [ 121. The advantage of mixed level modeling and the operation of the mixed level interface are illustrated by its application to the FIR model. Assume that the performance analysis has shown that In the FIR design, the multiplier is the critical element in meeting performance goals. A multiplier that uses Booth's algorithm was selected for the implementation of the multiplier, and a behavioral model of the multiplier was developed. A mixed level model using the behavioral description of the multiplier was then constructed. At this stage of the design, the actual data inputs to the multiplier (multiplier and multiplicand) are not known. This lack of information is handled by the mixed level interface in such a way that the maximum or minimum delay through the implemented component can be measured.
The actual method by which this process is performed for sequential interpreted elements involves manipulation of the sequential element's State Transition Graph. The traversal operation is performed based on a given initial state of the sequential interpreted element when a token arrives at the mixed level interface and a given condition on the outputs of the sequential interpreted element that signify the completion of data processing.
The result of this traversal operation is the sequence of input values that will drive the state machine along the longest or shortest paths between starting and ending states, depending on whether maximum or minimum delays are desired. Once the proper input sequence is determined, it is applied by the mixed level interface to the sequential interpreted element.
Despite the fact that the difference in level of abstraction between the uninterpreted and interpreted parts of this mixed level model is quite large, its simulation provides very useful results. The mixed level model simulation provides an upper and lower bound on the performance of this implementation of an FIR. These simulations provide more realistic performance estimation which, in some cases, can suggest modifications in the implementation of the behavioral element (multiplier, in this case) or in the architecture of the entire system. Figure 5 shows some simulation results of the FIR mixed level model described above. This graph shows the maximum and minimum amount of time required to complete one set of FIR computations as a function of the order of the filter. Since the actual delay of the multiply operation is data dependent and the actual data is not known in this stage of performance modeling, the actual system performance will lie somewhere between these two bounds. In a less abstract performance model, more inputs to the interpreted element will be known from the information carried by the tokens, hence narrowing the range between the lower and the upper bounds of the latency. The nonlinearity of the graphs demonstrates one advantage of mixed level modeling; the maximum and minimum time required to complete a single multiplication by the Booth multiplier can be determined even without developing the mixed level model. However, to find the effect of this multiplier on the latency of the entire system requires the simulation of the mixed level model. This is because even in this simple example, there are complex dependencies between delays of the individual components and the overall performance of the system. An additional advantage of mixed level modeling versus off-line simulation of the interpreted element and then back annotating the delay information into the performance model, is that in a mixed level model, the performance model drives the interpreted element. This helps ease the problem of test bench generation for the interpreted element and results in greater accuracy of the overall model because the interpreted element is responding to actual inputs from the overall system instead of contrived examples.
Dependability Modeling with ADEPT
ADEPT supports dependability analysis in the same framework and using the same models as the performance analysis. This section presents the capabilities of ADEPT for dependability analysis of system-level models using Petri Net to Markov model conversion, and simulation based dependability analysis for system level and mixed level models using fault simulation.
High Level Dependability Analysis
System-level dependability analysis is supported in ADEPT by the CPN descriptions of the ADEPT modules. A system-level ADEPT model can be converted into a CPN description by replacing each module with its CPN representation. The CPN model is then reduced using reduction rules developed for dependability analysis [ 131 and converted to a Markov model using techniques similar to those described in [ 141. The Markov model can then be solved to generate dependability metrics using well known techniques and tools.
Dependability analysis using this method is illustrated in Figure   6 . An ADEPT schematic of a TMR with a Spare system is constructed. The CPN model of the TMR system is obtained by replacing each ADEPT module by its corresponding CPN definition. The resulting CPN model is reduced using special rules developed for dependability modeling and translated into a Markov model. This schematic to Markov model translation is a completely automated procedure performed entirely by the ADEPT tools. The designer does not need to build an additional model in order to gain reliability information. Figure 6 shows the results that can be obtained from dependability analysis of the TMR with Spare system in the form of reliability and safety measures versus mission time in hours.
<
In addition to the Petri Net to Markov model translation process, ADEPT also supports reliability analysis of system level models via an interface to the REST (Reliability Estimation System Testbed) tool [15] .
Fault simulation in ADEPT
A method of dependability analysis via fault simulation has also been implemented in ADEPT. This method of dependability analysis has the benefit of being able to be applied across various levels of abstraction. In this method of dependability analysis, ADEPT models are created using the normal ADEPT tools. A separate tool then adds a new process to the VHDL description generated by ADEPT that performs fault injection during simulation. A VHDL bus resolution function (BRF) applies the fault from the fault injection process to the data field of the target signal according to the fault operation. The fault injection process By performing fault injection in VHDL using signal corruption, fault simulation and dependability evaluation can be performed throughout the design process as the ADEPT model is refined to lower levels of abstraction. The fault operations available for fault injection vary with the level of design abstraction as shown in Table  I .
Dependability analysis in ADEPT using fault simulation is illustrated via an example of a watchdog monitor card that is embedded within a real-time distributed system used for wayside train control. Train control functions at the wayside include the switching and signaling of trains on railways. The watchdog monitor card is responsible for assuring the safety of the distributed The function of the watchdog monitor is to concurrently check the execution of the safety-critical application within real-time constraints. The watchdog checks the input and output data from the application processor using the method of signature analysis. The signature is checked against a pre-computed fault-free signature to ascertain whether or not the correct data stream was produced.
A model of the watchdog monitor was created at the algorithmic level of design abstraction using A D E m in order to simulate its functions early in the design process. The algorithmic-level design implements the functions of the watchdog monitor without tying the design to a particular hardware or software implementation. The main components of the watchdog monitor card are two signature generators, a codeword checker, and a signature comparator. Fault simulations were executed on this model to test the response of the design to injected faults. Each signal in the design was injected with faults in over 450 fault simulation experiments. By examining the response of the simulation to the injected faults, knowledge of which faults affect the output of the watchdog monitor is gained.
The fault simulations corrupted the input and output signals for every functional block in the algorithmic-level watchdog checker. The fault operations used in the simulations spanned the range of fault operations available at the algorithmic level (see Table 1 ). For these experiments, all fields that were corrupted were of type integer with the exception of the status field. Integer fault values were selected from a range of large negative integers to large positive integers. Status field faults consisted of sourcing or sinking faults. Figure 8 shows the results from fault simulations of the algorithmic-level watchdog monitor. The horizontal axis depicts the fault operations that were used in the fault simulations. The fault operations correspond to the types of operations available for token type signals in ADEPT. Stuck-at faults cause the value carried by the signal to be "stuck-at'' some particular constant. The additive, multiplicative, and logical fault operations perform their respective operations using the unperturbed value carried by the signal and the fault mask as operands to the fault operation. The result of the fault operation replaces the unperturbed value carried by the signal. Sinking faults set the status of the token signals to "removed", thereby removing the presence of the data. Sourcing faults set the status of token signals to "present", thereby indicating presence of data on the signal.
The results from the fault simulations, indicated by the vertical specifications and hardwarekoftware codesign. Figure 8 , show the percentage of faults that were detected and the proportion of faults that remained undetected. An undetected fault indicates that the injected fault was not identified by the built-in detection mechanisms. There may be several possible reasons for why injected faults do not result in detectable errors. First, an injected fault may not actually corrupt the data state of the system. For example, setting a stuck-at-0 fault on a signal whose unperturbed value is always 0 will not cause an error in the output. Second, faults can remain latent for an extended period of time. For example, corrupting a memory location may not effect the data state of the system until this memory state is read and used in processing. Third, some injected faults are masked by data processing operations. For example, corrupted data may be masked by other inputs to components depending on the component function and its input values.
Functional descriptions of the watchdog components were then developed and incorporated into the ADEPT model using the mixed level modeling techniques described previously. Fault simulations were then performed on these models using the fault models shown in Table 1 for the appropriate level of the individual components. The results of these fault simulations show no substantial statistical difference from the fault simulations at the functional block level. The fact that the fault coverage remained relatively unchanged even after synthesizing the comparator component to the logic level verified the accuracy and usefulness of the algorithmic fault simulation experiments as a way to measure the fault tolerance of a system at a high level.
Conclusions
An integrated design environment called ADEPT that supports performance and dependability modeling at the system level has been developed. In addition ADEPT supports the modeling and analysis of systems at mixed levels of abstraction. ADEPT models may contain elements modeled both uninterpreted and interpreted levels. Performance and dependability analysis can be performed on these mixed level models as well. This allows true step-wise refinement of system level models down to an implementation level. A complete set of tools has been developed to help automate the construction and analysis of ADEPT models. Work is on going to extend the ADEPT environment into the areas of operational 6. Acknowledgments
