Abstract-This paper addresses co-design of platform and control of multiple control applications in a network control system. Limited and shared resources among control and non-control applications introduce delays in transmitted messages. These delays in turn can degrade system performance and cause instabilities. In this paper, we propose an overrun framework together with a co-design to achieve both optimal control performance and efficient resource utilization. The starting point for this framework is an Arbitrated Network Control System (ANCS) approach, where flexibility and transparency in the network are utilized to arbitrate control messages. Using a two-parameter model for delays experienced by control messages that classifies them as nominal, medium, and large, we propose a controller that switches between nominal, skip and abort strategies. An automata-theoretic technique is introduced to derive analytical bounds on the abort and skip rates. A co-design algorithm is proposed to optimize the selection of the overrun parameters. A case study is presented that demonstrates the ANCS approach, the overrun framework and the overall co-design.
several applications including automotive and aircraft systems, it is often possible to design both the implementation network and the controller concomitantly, with the choice of the network parameters depending on the plant, the quality-of-control requirements, and the type of controller, and similarly the choice of the controller parameters depending on the characteristics of the network (for example delay, jitter, etc). We refer to such flexible networked control systems as arbitrated networked control systems (ANCS) [1] [2] [3] [4] [5] . This paper presents a codesign of implementation platform and control in ANCS so as to simultaneously result in efficient resource utilization and desired real-time control performance.
Existing research in co-design of control and implementation platform in the presence of non-ideal message transmissions can be categorized in two parts: i) Designing controllers to achieve desired performance and ii) designing communication protocols to achieve efficient resource utilization. The former consists of procedures for the estimation of worst-case delays of messages and design of controllers that are robust to such delays. This approach however can be pessimistic and often leads to inefficient control performance or resource utilization. The latter consists of defining a deadline for messages and employing a switching control strategy that depends on this deadline; if the message does not exceed the deadline, a nominal controller is employed, and if it does, the message is aborted. A slight but important variation of the abort strategy is to skip the next message rather than aborting the current message, so as to free up resources at the next instant. Such skip and abort messages lead to different dynamic characteristics as well as different implications on the efficiency of resource utilization. This paper proposes an overrun framework that includes a nominal-skip-abort control strategy which switches between three modes depending on the delay that all messages experience. Based on this switching strategy, we introduce an automata-theoretic technique to derive analytical bounds on the abort and skip rates that an application experiences on the platform, and a numerical algorithm for the co-design of platform and control that utilizes the platform analysis and switching control design to achieve satisfactory control performance and efficient resource utilization.
The problem of control and platform design in the presence of non-ideal transmissions of closed-loop messages has been the focus of several investigations (see, for example, [1] , [2] , [4] - [25] ). In the control systems domain, the main approach used is to design the controller based on the estimation of worstcase delays (ex. [1] , [6] [7] [8] [9] [10] , [21] ). Although such approaches can improve over a baseline design that completely neglects any implementation delays, they still introduce a stringent constraint on the platform resources to guarantee such delays for all messages. Designing the controllers based on messages with worst-case delays often leads to inefficient performance during normal operation of the system, as such messages may occur rarely. Alternatively one can use scheduling techniques and corresponding resources to design desired delays that each message can experience [11] . This however may result in very high implementation costs. Furthermore, it may be impossible to design a system based on worst case delays, as the latter may be unbounded depending on the network configuration [10] .
An abort strategy that drops any message whose arrival exceeds a specified deadline has been explored in the literature as well [1] , [4] , [5] , [10] , [12] , [14] , [15] . This leads to a switched control system whose stability has been analyzed using multiple Lyapunov functions [4] , [10] , norm-based approaches [4] , and common quadratic Lyapunov functions [1] , [5] , [12] , [14] . Modifying the control law for consecutive aborted signals to improve the overall performance has been studied in [5] , [14] , [16] [17] [18] . While all of these methods based are improvements over those based on worst-case delays, and can be proved to be stable, they may still lead to inefficient resource utilization. This is because all messages that are aborted have to be computed until the specified deadline thereby wasting resources over this period.
In contrast to the abort strategy, a skip strategy, which consists of dropping the next message when the current message exceeds a deadline, has been explored to a much lesser extent [19] , [20] , [22] , [26] . The skipping is implemented in some of these papers by doubling the sampling period of the next message when the current message exceeds the deadline. As mentioned earlier, the skip strategy has a direct advantage over the abort one in terms of resource utilization. When messages experience inordinately large delays, the skip strategy has obvious shortcomings, necessitating a careful stability analysis.
The above discussions clearly imply that a combined skipabort strategy for messages with overruns together with an optimal set of parameters that characterize abort and skip conditions is desirable. Although control and platform design with overruns have been considered previously (see for example [23] [24] [25] ), most existing research assumes either zero or a factor of the sampling time as the deadline of samples in their control design (see, for example, [14] , [26] ), and both the deadline and the number of deadline misses in a given window are given a priori in the platform analysis. To the best of our knowledge, our work is the first to provide a constructive approach to determine these parameters.
This paper proposes a co-design framework where transparencies and flexibilities in the implementation network, and connections between controllers and implementation can be accommodated, leading to an ANCS [1] . Our main contributions, which build further on earlier work in [2] [3] [4] [5] , can be summarized as follows:
• a nominal-skip-abort control strategy based on two delay threshold parameters to enable efficient resource use; • an automata-theoretic approach for modeling the platform and for analyzing the maximum number of skip and abort samples under the proposed control strategy;
• an expanded dynamic model of the plant for each of the nominal, abort, and skip cases, and a stability analysis of the resulting switched system; and • a co-design algorithm that optimizes the threshold parameters to result in efficient resource utilization and desired control performance.
Our evaluation results show that the proposed co-design with skip and abort can help save resource by an order of magnitude compared to a nominal co-design approach while still ensuring the desirable control performance as well as co-design approaches that use simpler switching combinations such as nominal and abort only. This paper is organized as follows. Section II introduces the problem statement including the platform architecture and the dynamic model of the plants to be controlled. Before presenting the overrun framework, we first present the nominal case in Section III, when all messages meet their deadlines, and discuss both the platform design and the control design. The overrun framework is introduced in Section II, and a two-parameter model to represent message deadlines is presented. Section V presents the corresponding control designs and stability results for the closed-loop system. Section VI includes the platform analysis for the overrun framework. We present the co-design algorithm in Section VII, which is evaluated through a case study with six applications in Section VIII. Concluding remarks are given in Section IX.
II. SYSTEM MODEL AND PROBLEM STATEMENT
Before stating the co-design problem, we first present the models of the platform and the control applications.
A. Platform Architecture
The typical platform we consider consists of a set of processing elements (PEs) connected via FIFO buffers, where each PE represents a single-core processor (for example ECU) or a network (for example CAN bus). Each PE processes one or more tasks of control and non-control applications in the network. 1 The end-to-end delay of a sample, τ , is defined as the duration from the instant the sample arrives at the system until it is fully processed. Fig. 1 shows an example of the platform architecture with four ECUs and a CAN bus. This platform processes three control applications and a non-control application. In the figure, {T 1 , T 2 , T 3 }, {T 4 , T 5 , T 6 }, and {T 7 , T 8 , T 9 } are the sets of tasks of the first, second, and third control application, respectively, whereas T 10 is the task of the non-control application. An example for Tasks 1, 4, and 7 is preprocessing and prefiltering of sensor data. Similarly, Tasks 2, 5, and 8 can be associated to sending data from one node in the network (where measurements occur) to another point where the control inputs are computed, and Task 3, 6, and 9 are dedicated to for compute actuators' inputs. An example of non-control applications is collecting data with low frequency for offline data analysis (such as for maintenance check).
Upon arriving at the system, the sensor input data items (samples) of each control application will be processed on a sequence of PEs before being used to actuate the physical plant. As an example, in Fig. 1 , the sensor data of the first application (produced by the sensor 1) will first be processed by T 1 on ECU1, whose output will then be transmitted on the bus via the message T 2 to ECU3. Upon arriving at ECU3, the data will then be processed by T 3 , and the final output data will then be used by the actuator 1. The end-to-end delay of a sample in this example is the time duration from the instant it arrives at ECU1 until the instant it leaves ECU3.
We assume that the processors schedule their tasks using a fully preemptive fixed-priority scheduling algorithm (for example Rate Monotonic [27] ), whereas the network schedules its messages according to a non-preemptive fixed-priority algorithm (as is the case for CAN bus). 2 The sampling period and the priority of each application are assumed to be given a priori. All tasks of an application share the same priority as that of the application, and their worst-case execution demands are given a priori. In addition, the sizes of the buffers are set to be sufficiently large, for example equal to the maximum buffer sizes computed using the method in [28] , to avoid buffer overflows.
B. Control Applications
The problem considered here is the control of n applications, whose plant models are assumed to be of the forṁ
where x i (t) ∈ p and u i (t) ∈ q are the states and inputs of the system, respectively, and (A i , B i ) are controllable for all i = 1 : n. Arbitrary delays τ i occur due to shared resources. The problem is to carry out a CPS co-design and choose u(t) so that x(t) tends to zero asymptotically for all n plants, while 2 These scheduling policies are chosen because they have small run-time overheads and are most commonly used in practice; however, our analysis method can easily be modified to consider other scheduling algorithms. Note also that each processor employs a uniprocessor scheduling algorithm instead of a multi-core scheduling algorithm because it has a single core.
consuming minimal resources in the implementation platform. For ease of exposition, we set
and denote the corresponding state and input as x and u, respectively. Extension to the case when the plant dynamics varies with i is relatively straightforward. For ease of exposition, we assume that τ ≤ h, the sampling time. The corresponding sampled data model is given by
where
C. The End-to-End Delay τ
The main focus of this paper pertains to τ , its implications on control performance, and its dependence on the platform architecture. As mentioned in Section II-A, τ is the duration from the instant the message arrives at the first task to the instant it is fully processed by the last task of the application. The fact that there are several control and non-control applications that have to be processed by the platform imply that this delay τ is (a) non-negligible, and (b) can vary significantly. In the rest of the paper, we address this aspect of the delay and show that by a co-design of the controller and the platform, the desired control performance can be met with the available platform resources.
The final point to note regarding the delay is the delay τ p due to actuator dynamics. While in general τ , the end-to-end delay from a plant output to the plant input should include τ p as well, for ease of exposition, we set τ p = 0. An extension to τ p = 0 is relatively straightforward.
III. NOMINAL CO-DESIGN
The problem is the stabilization of n plants given by (3) in the presence of a nonzero delay τ . We focus in this section on th e nominal case, which is defined as the case when τ ≤ τ th , where τ th is a value that is small enough for closed-loop control to be effective. In Section III-A, we describe the platform analysis for this case and in Section III-B, we propose a nominal control design for this case, based on a linear-quadratic regulator.
A. Nominal Platform Analysis
In the nominal case, the control design requires that every sample of an application must be fully processed by the platform within the delay threshold τ th of the application. We briefly describe how this feasibility condition can be analyzed using the Real-Time Calculus (RTC) method [28] , [29] .
In the RTC method, the arrival pattern of the input data stream of a task is modeled using a pair of arrival functions, (α u , α l ), where α u (Δ) and α l (Δ) specify the maximum and minimum number of data items that arrive at the task's buffer over any interval of length Δ, for all Δ ≥ 0. Similarly, the resource availability of a PE can be modeled using a pair of service functions, (β u , β l ), where β u (Δ) and β l (Δ) specify the maximum and minimum number of items that can be processed over any interval of length Δ, for all Δ ≥ 0.
Based on the models of the input data streams and resource availability of the PEs, we can compute the maximum bound on the end-to-end delay of an application in a compositional manner. For example, the end-to-end delay of the first application shown in Fig. 1 is bounded above by the sum of the maximum processing (transmission) delays of its tasks, i.e.,
where d 1 , d 2 , and d 3 are the worst-case delays of T 1 , T 2 , and T 3 , respectively. By definition, the upper arrival function of the input data of T 1 is α u 1 (Δ) = Δ/h . Since T 1 is the highestpriority task, ECU1 first provides all its available resource to T 1 and only gives the remaining to the lower-priority tasks. As the ECU provides Δ execution units over any interval of Δ time units, the lower service function of the resource available to T 1 is β l 1 (Δ) = Δ/wcet 1 , where wcet 1 is the worst-case execution demand of T 1 . Then, d 1 is given by [28] , [29] 
Further, the arrival function of the output data of T 1 , which is also the input arrival function of T 2 , is given by [28] , [29] : Based on the results in [29] , we can also derive the service functions of the remaining resource after processing T 1 , T 2 , and T 3 on ECU1, the bus, and ECU3, respectively. These service functions are then used to compute the worst-case delays of the tasks of the next highest-priority application, and so on.
Depending on whether the end-to-end delay of each application is always less than or equal to the application's threshold τ th , we can then determine whether the platform is feasible for the applications. If it is not, the platform resource will be increased in an iterative manner until all applications have their end-to-end delays within their respective thresholds τ th .
B. Nominal Control Design
We now derive a control design for the plant in (3) that explicitly accommodates τ with the assumption that τ th = τ wc . For the sake of analytical tractability, we assume that τ < h is a constant. By defining an extended state (3) can be written as
Equation (6) suggests that a state feedback controller in the form of
can stabilize the system. The closed-loop system is then given by
The controller in (7) is chosen so as to minimize a quadratic cost function J n as
where Q and R are the weighting matrices on augmented states and inputs, respectively. The optimal gain K = [K 0 G 0 ] is derived by solving the following discrete-time Riccati equation for a positive definite matrix P 0 0:
and using the following relation:
C. Implementation of the Nominal Co-Design
The discussions in the above two sections imply that as long as τ wc < h, a control design can be carried out as in (7) for the plant in (6), where τ = τ wc . The platform resources therefore have to be such that τ wc computed using (4) does not exceed h. Any time-variations in τ between (0, τ wc ) can be accommodated by using the shaper shown in Fig. 1 . By locating the shaper at the last P E and having it hold every fully processed sample for exactly τ th − τ time units before sending to the actuator, we can ensure that the sensor-to-actuator delay of each sample is always τ th .
IV. AN OVERRUN FRAMEWORK
The implicit assumption made for the nominal co-design discussed in Section III is that τ wc is small compared to the sampling period, which is valid only when there are sufficient platform resources. In addition, the derivation of τ wc was conservative, which implies that messages that actually experience a delay of τ wc are rare. We therefore address in this section the possibility that τ varies, and allow some of the messages to be overrun, i.e., τ < τ th for some messages, and τ > τ th for others. The overrun framework proposed includes the delineation of overrun strategies with two parameters, control designs based on these strategies, stability guarantee, and a codesign that ensures desired control performance and minimal resource utilization.
A. Overrun Framework With Two Delay-Parameters
In this framework, we assume that there are two parameters τ th1 and τ th2 , where τ th2 is a value close to the worst-case upper bound that all delays are expected not to exceed, while τ th1 is an average value of delay experienced by messages. We consider three possible cases, A1. Nominal: τ ≤ τ th1 : That is, the message has a delay less than the threshold τ th1 , i.e., the delay is small. A2. Skip: τ th1 < τ ≤ τ th2 : Here, the computation of the control input at the next instant of time is skipped, and the delay is medium. A3. Abort: τ > τ th2 : The computation of the current control input is aborted, as the delay is large.
B. Implementation of the Overrun Framework
We now describe how the two-parameter frameworks can be implemented for each control application C i executing on the platform. Let T 1 , . . . , T n be the sequence of tasks of the application. Further, let P E i the processing element that processes T i , for all i = 1 : n. As an example, in Fig. 1 , the three tasks T 1 , T 2 and T 3 of the first control application are processed by P E 1 , P E 2 , and P E 3 . Here, P E 1 is ECU1, P E 2 is the CAN bus, and P E 3 is ECU3.
To implement the overrun strategy, we introduce a buffer control mechanism that proactively removes data items from the buffers based on their current delays, as follows:
• If the current delay of a fully processed data item in the output buffer of T n is less than τ th1 , the item will be delayed by a shaper until its delay reaches exactly τ th1 ; this corresponds to the nominal case (A1).
• If the delay of a fully processed data item in the output buffer of T n is larger than τ th1 but less than or equal to τ th2 , then P E n will send a notification message to P E 1 , informing P E 1 to immediately discard the next sensor data item as soon as it arrives at the input buffer of T 1 . This implements the skip strategy (A2). • For each T i , i = 1 : n, if the current delay of a data item in the input buffer of T i is equal to τ th2 , the item will be removed from the buffer 3 ; this implements the abort strategy (A3), The skip and abort strategies at the buffers, as well as the shaper in the nominal case are illustrated by the Abort, Skip, and Shaper blocks in Fig. 1 through the orange blocks marked S, A, and S (in white letter), respectively. The notification message from P E n to P E 1 (for skipping) of each application is illustrated as a dashed orange arrow in this figure. All removal actions and notification messages of the buffer control mechanism are assigned a special priority that is higher than that of the applications' tasks and messages.
Remark 1: Since the removal actions and notification messages of the buffer control mechanism always have higher priority than the tasks and messages of the applications, their run-time overhead can be incorporated into the analysis. We note that this buffer control mechanism helps improve the resource use efficiency in two ways. First, since not all data items need to be processed, the amount of computation and communication resource required by each control application is reduced compared to the conventional platform design approach, where all data items must be fully processed. Second, since the platform discards data items as soon as they are not needed by the control application, the amount of resource needed to further process these data items can be saved or used to process other applications.
V. CONTROL DESIGNS FOR A TWO-PARAMETER OVERRUN FRAMEWORK
Using an Abort Only strategy may need very large thresholds in order to avoid excessive drops, leading to a conservative control performance. On the other hand, using skip strategy alone demands the system to accommodate worst case execution that may be large and rare, and introducing unnecessary wait times for useless and potentially destabilizing messages. In such scenarios, it is more efficient to use a two-parameter overrun framework which takes advantage of both strategies, outlined in Section IV-A.
Starting with two threshold parameters τ th1 and τ th2 with τ th1 ≤ τ th2 . Cases A1, A2, and A3 are invoked as described in Section IV-A. That is, if τ ≤ τ th1 , the messages belong to the nominal case. If τ th1 < τ ≤ τ th2 , then the skip strategy is employed and we set
If τ > τ th2 , computation of u[k] is aborted and u[k] is set to a previously computed value. That is at any time k, if the delay τ continues to be larger than τ th2 for j consecutive instants, with τ <τ th1 at k−1, or τ th1 < τ ≤ τ th2 at k−2, then it follows that:
where u
is a previously computed value. In what follows, we discuss the underlying dynamics in all three cases and derive the corresponding control strategy. A summary of these cases can be found in Table I. A1. Nominal mode, τ ≤ τ th1 [see Table I (a)]: the dynamics is given by (6) with τ = τ th1 .
A2. Skip mode τ th1 < τ ≤ τ th2 [see 
Noting that input u[k] had arrived with a corresponding delay τ > τ th1 , the state at k + 1 can be computed as
Using (15), augmented state
and (7), we can write the underlying dynamics of A2
A3. Abort mode, τ > τ th2 [see Table I (c)]: can happen after a nominal or a skip and results in aborting the computations of u[k] and using a previously computed value instead. That is at any time k, the delay τ continues to be larger than τ th2 for j consecutive instants, with τ < τ th2 at k − 1, then it follows that:
where u * [k] is a previously computed value. For example, if a standard zero order hold is used, with j = 1
With such an abort strategy as in (17), and the closedloop dynamics is given by
Alternately, u * [k] can also be derived using other compensation strategies (see [5] ).
The above discussions indicate that the underlying plant dynamics is given by (6) in the nominal mode, (16) in the skip mode, and (19) in the abort mode.
Suppose, in general, starting at k, there are i instants of nominals, followed by j skip instants (each with a length of 2h), followed by r instants of aborts, for = 1 : p, with:
then the evolution of the composite switched system over a time
In addition, suppose that sufficient information is available about the implementation platform such that in
where γ n , γ s , and γ a are parameters determined in Theorem 1.
Theorem 1: System (21) is stable (exponentially stable) if there exist positive definite matrix P 0, and positive scalars γ n < 1, and γ s , γ a > 0 such that the following LMI (27) where γ n0 is the solution γ n in (23) .
We define a normalized decay rate α overall asᾱ 1/N overall , which can be shown to be independent of the observation window. Defining r p skip and r p abort the allowable skip and abort rates specified by the platform as
it is easy to see that
Equation (30) implies that the augmented states of the system decay at a rate greater than α overall (r p skip , r p abort ). A measure for quality of control can be defined based on this value as
From (30) in Theorem 1, it follows that the control design is not stable if α overall < 1. Stability will therefore be ensured by requiring the stronger condition that α overall > α * , where α * > 1 is pre-specified. We denote that the control design is feasible in such a case.
A summary of the overall control design for the twoparameter overrun framework include the following steps: 1) Given a τ th1 and τ th2 , find the nominal control gains K = [K 0 G 0 ] by solving (10) for P 0 and using (11) . This results in the closed-loop dynamics (8 (28), (29) , and the normalized overall decay rate, α overall as in (30) . If α overall > α * , the control design is feasible. Otherwise, the control design is infeasible.
Remark 2:
The most important point to note is that Steps 1) to 5) imply that the control design above is always stable for a given τ th1 and τ th2 if α overall > α * . Theorem 1 starts with a feasible solution, since in case of no skip and abort, we only solve (23), which using a Schur complement is the same as finding γ n such that Γ T n P Γ n − γ n P 0. This equation is the discrete-time Lyapunov equation and is satisfied for stable matrix Γ (closed loop system), and a γ n ≤ 1.
The stability result in Theorem 1 can be extended to general nonlinear systems in the presence of nominal, skip, and abort modes, with maximum skip and abort rates. This is stated in Corollary 3.
Corollary 3: Suppose that the underlying switching nonlinear dynamics is given by
System (32) 
Proof: The Corollary is proved through the direct application of [31] , Theorem 3.2 to the switched system in equations (32a)-(32c).
We provide an additional example to illustrate Corollary 3. Example 1: Consider the following nonlinear discrete-time system, which switches between f nominal and f abort , with a maximum number of allowable drops m a over a window of N samples, where f nominal is defined by [32] 
with a 2 ≤ α 0 < 1 and b 2 ≤ α 0 , where
T . The nonlinearity f abort is defined by (34) , and the relation (35) . We show the stability of the switched system (between f nominal and f abort ) by choosing Lyapunov-like functions V 1 = V 2 for both f nominal and f abort , defined as
Evaluating the change in V 1 along the trajectories of f nominal , it can be shown that
Similarly, we consider along the trajectories of f abort , for an
Since α 0 < 1, and
and an N such that α N < 1. From inequalities (37) and (38), it is easy to show that
. The choice of V 1 implies that condition 1) is also satisfied. Therefore, the overall switched nonlinear system is stable.
VI. PLATFORM ANALYSIS UNDER OVERRUN SEMANTICS
In this section, we introduce an automata-theoretic technique for analyzing the maximum long-term abort and skip rates that an application experiences on the platform, for a given resource availability, under the implementation strategy described in Section VI-A1. For this, we first present the automata model of the platform. We then discuss how automata verification can be used to derive the maximum number of aborts m ab0 and skips m sk0 experienced by an application within a sliding window of length N , for any given pair of delay thresholds (τ th1 , τ th2 ) with 0 ≤ τ th1 ≤ τ th2 ≤ h. The long-term abort (skip) rate can then be bounded by the ratio of the maximum number of drops (skips) within the sliding window to the window size, and their results are used in each step of the exploration of threshold parameters in the co-design algorithm. Typically, a larger window size leads to tighter abort and skip rates but longer analysis time. One possibility is to choose the smallest window size such that the corresponding abort (skip) rates do not decrease as the window size increases; however, our analysis is safe under any window size.
A. Automata-Theoretic Modeling of the Platform
The platform can be modeled in a compositional manner as a composition of three basic components, as shown in Fig. 2: • Sensor: models the generation of the sensor data stream of an application; • Application: models the task processing of an application, according to the overrun semantics; • PE: models the amount of resource that a PE provides to each connected application based on its scheduling policy.
We first explain the interfaces of these components, and then present the automata models of their internal semantics.
As an example, Fig. 3 shows the model of part of the platform that processes the highest-priority application App 1 of the architecture shown in Fig. 1 , which is formed by connecting the Sensor, Application and PE components of the application based on the components' interfaces.
1) Interfaces of the Basic Components:
As shown in Fig. 2 , the Sensor component is characterized by two parameters, sID and h, which denote the identification and sampling period of the corresponding application. It has two output variables, (x, t), where x denotes the number of new data items the component generates, and t is their discrete time stamp. These data items serve as inputs to the corresponding Application component.
The Application component is characterized by: sID, the application identification; n, the number of tasks; and E k , the worst-case execution demand of the kth task, for all k = 1 : n. It has two types of inputs: (1) the variables (x, t) produced by the Sensor of the application; and (2) the amount of resource provided to task k by the PE that executes this task, for all k = 1 : n. In addition, the Application has three internal variables:
• i: the index of the task that is processing the current data sample of the application. Note that, since τ th2 ≤ h and all unfinished items with current delays equal to τ th2 will be aborted, at most one sample of each application is in the platform at any time. We refer to this item as the current item, and we refer to the task that is currently processing this item as the current task of the component; • skip: a binary value denoting whether the next data sample should be skipped (skip = 1) or not (skip = 0); • status [1. .N ]: an array of N elements representing the status of N most recent samples (including the current one) of the application. Specifically, status l takes value 0, 1, or 2 if the lth most recent data item is processed successfully, skipped, or aborted, respectively.
Finally, the component has two output variables, pid and e, which represent the identification of the PE executing the current task and the task's remaining execution demand.
The PE component is characterized by the identification, pID, and speed of the corresponding PE. It has m input ports that are connected to m Application components that execute on this PE, with Application j having higher priority than Application j + 1, for all j = 1 : m − 1. Thus, the PE only provides service to Application j when pid j = pID. Finally, for each input port j of the PE, there is a corresponding output port that is associated with the output variable s j , which denotes the amount of service (in terms of execution time units) available to the corresponding Application component. When the PE implements a non-preemptive fixed-priority scheduling policy, the component also has an internal variable, cur, which represents the index of the task that was processed but has not yet been completed in the previous time unit.
2) Semantics of the Sensor Component:
The semantics of a Sensor component is captured by an Event Count Automata (ECA) [33] extended with a clock variable, which is shown in Fig. 4(a) . This ECA has a single count variable, x, which counts the number of data items that are generated by the automaton since the last time x was reset. Each state of the automaton is associated with a rate vector, [l, u] , where l and u denote the minimum and maximum number of data items that are generated by the automaton in each unit of time when the automaton is in this state. For instance, while the automaton is in the initial state, which is associated with the rate vector [0, 1], it generates 0 to 1 data item in each time unit. Each transition is associated with a guard on the count variables or the clock variable, which specifies the condition under which the transition is enabled. In addition, it may also be associated with a reset of the variables, which takes place when the transition is taken. FIG. 4(b) The ECA in Fig. 4(a) describes the arrival of the sensor samples of an application. The first sample of an application can arrive at the system any time between time 0 and h, and every subsequent item arrives exactly h time units after the previous one. As is shown in the figure, initially the component is in the state initial, where it generates at most one item per time unit (modeled by the invariant [0, 1]). If no item is generated after h − 1 time units (modeled by the guard t = h − 1 and x = 0), the component will move to the state arriving. At arriving, the component generates the first data item in the next time unit (modeled by the invariant [1, 1] ) and then moves to the state waiting (captured by the guard x = 1). In contrast, if the first item is generated before h − 1 time units have passed, the component will move directly to the state waiting. In either case, the component will reset both x and t to zero upon entering waiting. It will then remain in waiting for exactly h − 1 time units (during which no item is generated, as captured by the guard [0, 0]) and will move to the state arriving. The component will then stay in arriving for exactly one time unit and generates exactly one data item before transitioning to waiting.
3) Semantics of the Application Component:
The semantics of the Application component is modeled by the finite automaton shown in Fig. 4(b) , whose guards are described in Table II . Initially, the component is in the idle state and the variable skip is set to zero, which indicates that the next incoming item will not be skipped. While the component is in this state, if the guard g 0 is true, i.e., a new item has arrived (x = 1) and this item will be skipped (skip = 1), then the component will perform the reset R 0 . Specifically, it will reset the value of skip to zero (so that the next data item will not be skipped) and update the status array to indicate that the most recent item is skipped (status 1 ← 1) and that the status of the existing items remains unchanged (status j ← status j−1 ). 4 If the guard g 1 is true, i.e., a new item has arrived (x = 1) and this item will not be skipped (skip = 0), then the component will move to the state busy while performing the reset R 1 . In particular, the index of the task processing this data item is reset to 1 (i ← 1), indicating that the item will be processed by the first task; the remaining execution time of this task is set to its worst-case execution demand (e ← E 1 ); the array status is updated to indicate that the the new item is not skipped or aborted (status 1 ← 0) and the status of the existing items remains unchanged. Once entering the busy state, the component will remain in this state as long as the current data item is not fully processed by all n tasks and its current delay is less than τ th2 , i.e., the guard g 2 holds. In addition, at each time unit while g 2 holds, the component will update the index of the task that will be processing the current item (i) in the next time unit and its remaining execution time (e) based on whether the service available (s i ) is sufficient to complete the task that is currently processing the item (see reset R 2 ). In contrast, if the current delay of the task reaches τ th2 (guard g 3 holds) or the item has been fully processed (guard g 4 holds) , the component will return to the idle state and wait for the next item to arrive. In the former case, the execution of the current item is aborted and thus, its status is changed to aborted (status 1 ← 2) and the next item will not be skipped (skip ← 0), which is reflected by the reset R 3 . In the latter case, the current item is successfully processed and thus, the next item will be skipped if the delay of the current item is greater than τ th1 and less than or equal to τ th2 , which is reflected by the reset R 4 . Fig. 4(c) shows the automaton that models the processing semantics of a PE that implements the fully-preemptive fixed-priority scheduling (FP) policy. As was discussed earlier, the PE executes m Application components; where, the current task of Application j is only executed by the PE when pid j = pID. Therefore, the service provided to Application j (denoted by s j ) is zero if pid j = pID. Otherwise, the service provided to Application j is the minimum of the execution demand e j of the application and the remaining service of the ECU after having processed all higherpriority Application components k with pid k = pID. This is reflected by the reset R fp shown in the automaton.
4) Semantics of the PE Component:

B. Computing the Skip and Abort Bounds
The maximum number of aborts (skips) in a sliding window of N can be established using verification technique. Recall that the processing status of the samples in the current window of an application is captured by the status array, where status l is equal to 0, 1, or 2 if the lth most recent data samples is processed successfully, skipped, or aborted, respectively, for all l = 1 : N . Therefore, the numbers of skipped and aborted items in the current window are given by numSkips = 1≤l≤N {status l | status l = 1} and numAborts = 1≤l≤N {status l | status l = 2}, respectively.
As a result, given any constant value U , we can verify whether U is a valid upper bound on the number of skips in any window of N (consecutive) samples by verifying the Linear Temporal Logic (LTL) formula
which states "Always, numSkips is less than or equal to U ." Thus, to determine the maximum number of skips in any window of length N , we perform a binary search on the value U , starting with the largest value N/2 . 5 The maximum number of skips over any window of length N , denoted by m sk0 , is then chosen as the smallest value of U for which (39) holds. The maximum number of aborts in a window of length N , denoted by m ab0 , can be obtained in a same manner, except that we initially start with N as the maximum value of U .
Discussions: The proposed automata-theoretic approach can easily be implemented using existing verification tools. For example, using the SAL toolset (http://sal.csl.sri.com), the automata model of a component can be implemented as a module, and the composition of these modules and verification of the LTL formula can be done automatically. In our experiments, we relied on the SAL toolset for the implementation of the automata models and their verification, and we implemented the binary search procedure as a C program that calls the SAL toolset to perform the verification of the LTL formula at each search step.
We note that the composition of the automata models can easily be constructed syntacally (and done automatically using the SAL toolset), and thus it is highly efficient. The complexity of our approach lies primarily in the verification of the LTL formula [34] . In general, automata verification is more expensive than purely analytical approaches, such as Real-Time Calculus or real-time scheduling theory. However, since all existing analytic approaches cannot capture the state semantics used by our overrun strategy, we have relied on an automata-theoretic method in this paper. Extending an analytical approach to capture and analyze systems with state-based semantics as ours is interesting but highly non-trivial, and we defer this investigation to future work. 5 Note that at most one sample is skipped for any two consecutive samples. 
VII. CO-DESIGN ALGORITHM
With the overrun framework and the corresponding control designs described in Sections IV and V, and the platform analysis for overruns in Section VI, we propose a co-design of control and platform in this section, using the two-parameter overrun strategy. The discussions with implementation platform in Section VI showed that the platform analysis starts with τ wc and h to compute m sk0 , m ab0 , and N associated with the pair (τ th1 , τ th2 ). The control design in Section V requires (τ th1 , τ th2 , m sk0 , m ab0 , N) and returns a decay rate α overall (see Fig. 5 ), with the overall control design becoming infeasible if α overall < 1. Together, the overall performance of the controller and the platform is then quantified by a J overall = ρ 1 J c + ρ 2 J p , where J c is the control performance cost, J p is the platform cost, and ρ 1 , ρ 2 ∈ R are constant parameters. J c is determined by (31) , which depends on the control parameters γ n , γ a , γ s , and the skip and abort rates r p skip , r p abort . J p is chosen so as to reflect tradeoff between resource utilization and control performance in a given application. The goal of the codesign algorithm is to find the optimal parameters τ th1 and τ th2 that minimize a cost J overall .
Suppose we choose J p = 1≤j≤n J k p , where J k p is the overall resource utilization of the application k, which can be approximated by
where wcet is worst-case execution demand. The insight of this approximation is that (i) whenever a sample is skipped, all the resource demanded by the sample is saved, and (ii) when a sample is aborted, the system may have executed a fraction of its demand, which can be as small as one execution time unit and as large as (wcet − 1) execution time units. J k p can therefore be viewed as a platform cost for application k using average values for delays between threshold values and the worst-case delay. 6 Our co-design algorithm proceeds in four steps, which correspond to 1) initialization, 2) determining thresholds for application C i , 3) updating worst case delays for application C j , j ≥ i, and 4) repeating steps 2 and 3 for i = 1 · · · n. If the above steps result in a feasible control design, then the fourth step of the codesign reduces the network bandwidth and returns to step 1.
All parameters related to the ith application are denoted with a superscript i. Details of these steps are as follows. 2.d. Expand the search area with adding more elements to the set S by exploring (τ 1 − δτ, τ 2 ), (τ 1 , τ 2 − δτ ), and (τ 1 − δτ, τ 2 − δτ ) for each (τ 1 , τ 2 ) ∈ S. In this step, the previously visited pairs and the pairs which violate the constraint τ 1 ≤ τ 2 are not considered. 2.e. Repeat steps 2.a-2.c until there are no more points to explore. 3. Exploration of lower priority applications. Use (τ th1 , τ th2 )
for ith application and update τ wc for lower priority applications (i = i+1), starting from 1.b. Note that the updated τ wc are smaller than previously computed values due to the overrun framework of the higher priority applications. 4. Reduce network Bandwidth. If feasible design achieved in step 3 for all applications, reduce the network bandwidth, return to step 1, otherwise return the previous bandwidth.
The end-result of this co-design returns optimal values (τ * th1 , τ * th2 ), and optimal network bandwidth which optimizes J overall for each application. Fig. 6 shows a typical evolution of the optimal thresholds for an application. In this example, τ wc = 14, and the overall control cost is defined by J overall = 0.5 J c +0.5J p . Each element at the row τ 1 and the column τ 2 of the table in the figure gives the overall control cost corresponding to the thresholds τ th1 = τ 1 and τ th2 = τ 2 , where 1 ≤ τ 1 ≤ τ 2 ≤ τ wc . Each highlighted row, from the bottom to the top, represents the expansion of the set S at each iteration step. As shown in the figure, the pair of thresholds (τ th1 , τ th2 ) is evolved from (14, 14) initially, then to (10, 10), and finally to (2, 14) , which is also the optimal value (corresponding to the smallest control cost). 
Remark 3: Since in
Step 2, we ensure that the control design is feasible and start with zero abort and skip rates, the above codesign is guaranteed to be stable for any output of the algorithm, i.e., (τ * th1 , τ * th2 ).
VIII. CASE STUDY
This section presents a case study of a network control system to demonstrate the utility and benefits of our co-design methods. For our evaluation, we compared the performance of the overrun co-design method with both abort and skip (based on two delay thresholds) against the nominal co-design with no overrun (similar to [21] ) and the co-design with abort only (with a single fixed delay threshold, i.e., τ th1 = τ th2 ) (similar to [4] , [5] , and [26] .
A. Experimental Setup
The system consists of n = 6 control applications, each of which corresponds to lane keeping of a vehicle, with an underlying computational architecture that consists of two ECUs connected via a CAN bus. Each application i consists of two control tasks, T In our evaluation, the sampling periods h i of the applications range between 5 ms and 35 ms. Both ECU1 and ECU2 employ the preemptive fixed-priority scheduling policy, whereas the CAN bus employs a non-preemptive fixed-priority scheduling policy, with application i having a higher priority than application i + 1 for all 1 ≤ i < n. We assumed a fixed frame length for every CAN frame in the system. The window size N under our overrun strategies was set to be 20 samples. We use the symbolic model checker in the SAL toolset for our experiments.
Objectives: Our evaluation focuses on three aspects of the two co-design methods: 1) the minimum speed that the ECUs and the CAN network can operate to guarantee the control quality of every application; 2) the feasibility design regions of the platform; and 3) the impact of the delay thresholds on the resource savings. Towards this, we performed the following three sets of experiments:
In the first experiment, we considered different processor frequencies of the ECUs and for each frequency value, we determined the minimum network speed such that the control performance of every application i is satisfied for some delay thresholds τ i th1 and τ i th2 within its valid range (i.e., 0 < τ
At the same time, we computed as a baseline the minimum network speed for which a feasible design exists under the nominal co-design method, where the delay threshold τ th of each application was set equal to its sampling period.
In the second experiment, we fixed the network bandwidth to be 400 Kbits/s and computed the minimum processor frequency of ECU2 required to find a feasible solution under different processor frequency values of ECU1. The computation is done in the same fashion as in the previous experiment. In addition to the overrun and nominal co-design methods, we also evaluate the feasible space of the co-design method with abort only, where we set τ
For the dynamical system, we consider the dynamic model of a vehicle for a lane-keeping application [35] , the numerical values of which can be found in [4] . The controllers were designed using LQR controller presented in Section III. Analysis time. The model checker took t = 0.88 seconds on average to verify whether a given bound U on the number of aborts or skips is satisfied [i.e., the LTL formula in (39)] in our experiments. As our algorithm determines the maximum number of skips (aborts) in any window of length N using binary search on the value U , with U ≤ N , it takes at most log 2 N verification steps (i.e., at most 5 steps when N = 20). Since the analysis is performed offline, the running time is reasonable in our experiments; however, we plan to investigate abstraction methods to enable more efficient analysis for more complex scenarios in future work.
B. Evaluation Results
Resource Savings: Fig. 7(a) shows the minimum network bandwidth required under the overrun and nominal co-design methods when varying the processor frequency of the ECUs. (Here, the frequency of ECU1 was always set equal to the frequency of ECU2.) We observe that the overrun codesign method consistently outperforms the nominal co-design method. Specifically, at the processor frequencies for which a feasible design exists for both methods, the overrun co-design method reduces the network resource bandwidth required by at least 2.4 × and up to more than 10.7 × compared to the nominal co-design method. We note that the nominal design is similar to other delay-aware optimal strategies with fixed delays reported in the literature such as [21] .
The results in Fig. 7 (a) also show that the smaller the processor frequency, the higher the resource savings. In fact, when the processor frequency is between 20 MHz and 100 MHz (the shaded area), no design solutions exist under the nominal co-design method even if the network bandwidth is arbitrarily large; in contrast, the overrun co-design method produces a feasible design using only a small network bandwidth, which is even smaller than the bandwidth that can be achieved by the nominal co-design method under an arbitrarily large processor frequency. For instance, under the overrun co-design method, a network bandwidth of 200 Kbits/s and 90 Kbits/s are sufficient to guarantee the control quality of all applications when each ECU operates at 20 MHz and 100 MHz, respectively. On the contrary, the nominal co-design method cannot find any feasible solution at the processor frequency within 20-100 MHz, and even when the processor frequency is arbitrary large, it requires a network bandwidth of at least 215 Kbits/s.
We also observe from Fig. 7 (a) that increasing the processor frequency beyond 100 MHz does not help reducing the network requirement. In other words, the portion of the overrun co-design curve at the processor frequency 20-100 MHz also forms the Pareto design curve for the overrun co-design method.
Feasibility Design Regions: Fig. 7(b) illustrates the feasibility design regions for the two ECUs obtained in the second experiment for the three co-design methods: nominal co-design, overrun co-design, and co-design with abort only. The network bandwidth was fixed at 400 Kbits/s. The areas above the three curves in the figure correspond to the regions for which a feasible frequency exists for the ECUs under the corresponding co-design methods. We observe that as the frequency of ECU1 increases, the feasible region is also widen for all three methods, enabling smaller processor frequency for ECU2. These feasible regions can be used to optimize the platform resource under a given resource constraint.
It can also be observed from Fig. 7(b) that the feasible region of the nominal co-design method falls strictly inside that of the co-design with abort method, which in turn falls strictly inside that of the overrun co-design method. For example, in contrast to the overrun co-design methods, no solution exists for the nominal co-design method and the co-design with abort only method when the frequency of ECU1 falls below 160 MHz and 67 MHz, respectively. Thus, the overrun co-design not only saves significant resources but also provides more flexibility for the platform design compared to both the nominal co-design and co-design with abort method. The results also show that while abort strategy does help reduce the resource requirements compared to the nominal co-design, our combination of abort and skip strategies further increases resource savings substantially.
In summary, our evaluation demonstrates that not only does the overrun co-design method save the resource requirement by an order of magnitude but it also has a much larger feasible design space compared to the nominal co-design method.
IX. CONCLUDING REMARKS
This paper addresses the problem of implementation of multiple control applications in a network control system where resources are limited and shared thereby resulting in varying delays in transmitted messages. Using a two-parameter model for these delays, a switching control strategy is proposed that varies between nominal, skip, and abort modes based on the magnitude of the delay. The underlying dynamic models in each of these cases are utilized in order to derive the stability of the switched system. An automata-theoretic approach is used for modeling the platform and for analyzing the maximum number of skip and abort samples under the proposed control strategy. Using both the platform and switched system analyses, a codesign algorithm is proposed that further optimizes the twoparameter delay thresholds to result in an efficient platform resource utilization as well as the desired control performance. A case study with six control applications implemented on a shared network with one bus and two ECUs is presented, which is shown to result in an order of magnitude reduction in the resource requirement and a much larger feasible design space.
Systematic design of cyber-physical systems is becoming increasingly important as the need for smart and efficient engineering applications in energy, transportation, and healthcare grows. An important component of this design is the implementation of advanced control algorithms using embedded system platforms. Traditionally, control design and hardware/software techniques for implementing these algorithms are undertaken by disjoint communities-control systems and embedded systems, respectively. The ANCS-based approach proposed in this paper seeks to disrupt this isolated development, and close the gap between stability and performance robustness guaranteed in control theory and actual performance realized during implementation, leading to reduced integration, testing, and debugging costs. The specific codesign proposed in this paper employs arbitration by way of introducing a delay aware component in the control design and estimating the upper-bound on delays experienced by control messages in the embedded system platform design. Together, the codesign and the overall ANCS approach was demonstrated to lead to a significant improvement in the design space of the platform while guaranteeing the desired control performance. While significant challenges remain, in expanding the scope of the estimation of the worst-case delay, in the assumptions made regarding the underlying dynamics of the control applications, and in the sampling period, we believe that this paper represents an important first step in developing a building block for CPS design.
APPENDIX A PROOF OF THEOREM 1
Proof: Inequalities (23) implies that the following inequalities are satisfied as well, with the Schur complement:
similarly, inequalities (24) and (25) (23)- (25), and it is decreasing with a decay rate of at least α for any interval N = 2m sk0 + m ab0 + n n0 , proving Theorem 1.
