Abstract-Controlling physical systems is a common task of embedded systems. The requirements for a control system are correctness, stability and control performance. This leads to realtime constraints which have to be hold by the implemented controller. We present an approach that supports the control engineer to get guaranteed bounds for the timing behavior of the controller at early design steps. This is done by connecting the Matlab/Simulink environment widely used for controller design to real-time analysis using a mapping between graphs.
I. INTRODUCTION
As the requirements of embedded systems are increasing, we can see more and more complex architectures consisting of a large number of inter-networked electronic control units (ECUs). Taking the automotive industry as an example, we can find up to seventy ECUs in a modern upper-class vehicle. Each ECU consists of various subcomponents like general and application-specific processing units, communication networks and memory architectures. A control unit can be a host for multiple tasks which brings the challenge of finding a suitable task schedule. All these degrees of freedom result in a large design space whereof the system engineer has to choose a solution which must fulfill all requirements that have been specified for the system.
Model driven development is one paradigm that supports the system engineer to handle this task, as it allows to simulate and to analyze the behavior of a system at an early design step.
One commonly required task in embedded systems is controlling a physical system. This results in real-time constraints, which, if violated, can not only have a negative impact on the control performance but may also let the system fail completely. In embedded systems it is not uncommon that the tasks of a controller like gathering sensors values, calculating the actuating signal and driving the actuator are distributed on more than one ECU. This is, for example, the case if one sensor value is needed for more than one technical process. It follows that it is necessary for the system designer to choose solutions of the design space by deciding on which ECU the tasks are mapped and what priority they get on the communication infrastructure. Figure 1 shows a general design flow. The system architecture is designed based on the specification. After then, it is verified regarding different design goals, and changes to the design are done accordingly to the results of the verification. These steps are repeated until the system fulfills its requirements. It is a common way that different verification aspects are explored independently. Consider, for example, the control performance verification. Normally, the controller is verified without any time delays, but this is necessary since the time delay has a direct impact on the control performance as we will see in section VI. Therefore a connection between the control performance and real-time verification is required.
In this paper we give an approach that enhances the model driven design of embedded systems to allow the developer to know in how far a chosen solution in the design space influences the control performance. Therefore the missing connections, depicted as the dashed line in the verification block in figure 1, will be established. To accomplish this, we present a mapping formalism of the compute and delay blocks in controller theory to tasks and communication busses used in real-time analysis. Thereby we show how the commonly used Matlab/Simulink can be connected to a real-time analysis which can be used to analyze the real-time behavior of a complex distributed system with up-to-date algorithms. SimEvents is used to get one model of both, the continuous world of the control plant and the the discrete event simulation in real-time systems.
The paper is structured as follows: In the next section, we state the problem and discuss related work. In the third section we show how continuous time-driven and event-driven components can be modeled in Matlab/Simulink using SimEvents. This is followed by the fourth section that describes the realtime analysis. After then we show how we connect controller model and real-time analysis. This is followed by an example.
II. PROBLEM FORMULATION AND RELATED WORK
In classical control theory a dynamic system is described by differential equations. To implement a controller on a computer system, the controller algorithm is performed periodically at discrete time steps. Delays in a control loop have always a destabilizing effect on the system dynamics. To minimize this effect, systems engineers make a strong effort in reducing transport lags. Jitterbug, a Matlab toolbox for real-time control performance analysis [1] simulates the effects of jitter and delays in a control loop and calculates the corresponding cost criteria, which gives a mathematical representation of the control performance.
In many embedded environments, especially in automotive applications, it is necessary to run different tasks on one resource and to transmit information over a bus system. This leads to a delay, caused by the execution times and the scheduling strategy on the resource. Therefore, the control engineer needs to know the amount of delay in the control loop and where it occurs to guarantee a desired control performance. There are approaches to solve this problem by simultions. For example, TrueTime [2] , which is implemented as a Matlab/Simulink toolbox, simulates the timely behavior of real-time kernels, executing controller tasks and network protocols to study the influence on networked control loops. In [3] Korte and Slomka present an approach which is based on examining C code by an external real-time simulator after it has been created by a Matlab/Simulink code generating toolbox. As both proposals rely on simulating the real-time behavior, they show the typical coverage problem of simulations, i.e. it cannot be ensured that the worst-case behavior has been observed during the simulation. However, we need to know these bounds to get a guaranteed performance for the control loop. Real-time analysis calculates an upper and a lower bound for the response time of tasks, the worst-case response time and the best-case response time. Those values, back-annotated in the control simulation, can be used to determine an assured control performance. If the performance is not sufficient, improvements in the structure of the controller or adjustments of control parameters can be handled in an early design step.
Aida [4] is a toolset that translates a Simulink model into a data flow diagram which is then used to do the response-time analysis. Compared to Aida, our approach describes a direct formal relation between the controller components and the task level view which makes the flow diagram representation obsolete in our case. To integrate both, the continuous-variable time-driven dynamic system (the plant to be controlled) and the discrete events (for transport and computation) into one model, the Aida toolset appends a layer on top of the simulation. This layer manages the execution time delays and triggers the standard blocks.
In [5] , Cassandras and Lafortune describe possible methods to achieve this in general. Digital controllers having a discrete state space can be described as a discrete event system. Systems that combine time-driven with event-driven dynamics are referred to as hybrid systems. One solution to model hybrid systems is the Matlab/Simulink toolbox SimEvents.
In [6] , Xu and Wang show how SimEvents can be used for simulating distributed control systems. While they focus on the influence of different routing algorithms on control performance, we will use SimEvents to establish the missing connection between the control simulation and real-time analysis. The usage of SimEvents for this purpose is presented in the next chapter.
III. CONTROLLER MODEL
Technical systems, like an embedded controller operating on discrete time steps are not suitable to be simulated in a continuous time environment. The usage of triggered subsystems is one possibility to solve this problem. The main challenge of modeling control loops is to combine the continuous time base with the discrete time base. Matlab/Simulink is the common standard in the industry to model controllers, that applies a numerical method to solve the set of differential equations represented by a model. The toolbox SimEvents [7] adds a library to the Simulink environment, providing blocks for discrete event simulation. This toolbox is normally used to simulate the behavior of networks, but, as we will show, it can also be used to model a discrete distributed embedded controller.
In SimEvents, entities represent a discrete item that can be transmitted over a network consisting of queues, servers, gates and switches. The information which has to be transported is added to an entity as an attribute of it. For a simple usage and for a better connection to the real-time analysis, we define our control loop on basis of graphs. First we define a distributed embedded controller. Definition 1. A distributed embedded control system is a tuple dec := (V, E) consisting of V := {sb 1 , .., sb n , ab 1 , .., ab n , spb 1 , .., spb n , db 1 , .., db n } and a relation E where E ⊆ V × V .
The element sb is the sensor block with a continuous input signal and an event stream of entities as output, the actuator block ab extracts the information from an entity, the signal processing block delays entities and modifies the information of the entities' attributes, delay blocks db specify the time delay of the messages between the elements in sb, ab and spb. Figure 2 shows a control loop, composed from the basic blocks (grey), control algorithms in the logic block and the plant. Entities are transmitted over signal connections with a doubled arrowhead. Time-continuous signals are transmitted over connections with a single arrowhead. In the next step, we have to define the building blocks of the distributed embedded controller in more detail.
A. Sensor Block
First we define the sensor block which is the entry point for the control loop.
Definition 2.
A sensor block is a tuple sb := (V, E) consisting of V := (eg, sa, db) and a relation E where E ⊆ V × V .
Consider figure 3 where an example of a sensor block is depicted. Basically, the sensor block has the same functionality as a sample-and-hold circuit.
The main component of the sensor block is the entity generator eg, which generates an entity on every sample time. The signal x, which is a physical value, is put as an attribute on the entity by the set attribute block sa. To model the delay of the sensor block, e.g. caused by the time needed to convert an analog value in a digital value, a delay block db is used.
In SimEvents a server with infinite capacity can be used to model the conversion time.
B. Actuator Block
The actuator block is the counterpart to the sensor block. An example for the actuator block is depicted in figure 5 . While the sensor block generates an entity stream and adds information on it, the actuator block extracts the information from the entities by the get attribute block ga. Finally, the entity stream is terminated in an entity sink block es. The time delay of the actuator is modeled by a delay block db. Based on this we can define the actuator block as follows: Definition 3. An actuator block is a tuple ab := (V, E) consisting of V := (db, ga, es) and a relation E where E ⊆ V × V .
C. Signal Processing Block
The signal processing block models the computation unit of the control system. In this basic block, the signal processing in general, for example, filtering and the control algorithm as in our example is realized. The basic block consists of a predefined part which models the time delay and an applicationspecific block bhb. This behavior block has to be filled by the system engineer. We define the signal processing block as follows:
Definition 4. A signal processing block is a two tuple spb := (V, E) consisting of V := (ga, db, sa, bhb) and a relation E where E ⊆ V × V .
In the predefined part, the information is separated from the entities with the get attribute block ga and forwarded to the behavior block bhb, represented by a discrete event subsystem block in SimEvents. While a new actuating signal is computed, the entity is hold in the delay block db which is a single server block in SimEvents. The service time of this block simulates the effect of the delay time of the information flow in the system and thus can hold only one entity. After the service time is elapsed, the new attribute is set and the entity is released by a set attribute block sa. Consider the example depicted in figure 4.
D. Delay Block
A delay block db is an atomic block and represents the time delay caused by the system architecture where the controller is mapped to. In the view of a control engineer, the different effects on transport component are reduced to a guaranteed delay interval. Hence, the delay blocks contain only an infinite server that holds a random number of entities for the service time, or single server components holding only one entity. For the mapping to the real-time analysis we define that V db := {db ∈ V dec ∪ V sb ∪ V ab ∪ V spb |db is a delay block} is the set of all delay blocks of the control loop.
IV. REAL-TIME ANALYSIS
As discussed in section II we need guaranteed bounds for the timing behavior of control systems to evaluate the performance of a control loop. A possibility to solve this is to use schedulability analysis approaches because these deliver for each task in a system a guaranteed bound for the best-case and worst-case response time. Many approaches have been developed in this domain. The base for the real-time analysis of distributed system was introduced by Tindell and Clark in [8] . Since then many improvements have been conducted to obtain more realistic response times of the tasks. Recently, Kollmann et al. proposed in [9] a holistic real-time analysis with an expressive event model. Based on this we will give here the main ideas of the real-time analysis. We start with the definition of a real-time task. The worst-case execution time describes the maximum execution demand of a task's job for a resource κ. The bestcase execution time is the corresponding counterpart. Due to space limitation we are not able to consider all possible schedulers and therefore we consider here only schedulers with fixed-priorities. Hence, each task must have an unique priority for the scheduler to determine the execution order of the tasks τ i ∈ Γ mapped on the same resource κ. The blocking time b τ determines the maximum delay for a task τ produced by tasks having a lower priority. The incoming stimulation describes the maximum number of events or jobs for a task τ which can be demanded in a specific time interval. The outgoing stimulation describes the maximum number of events which can be generated by a task τ in a specific time interval.
From this we can define two functions necessary for the real-time analysis of fixed-priority systems.
Definition 6. The event function η(∆t, Θ + ) denotes for an incoming stimulation Θ + the maximum number of events which can occur in an interval ∆t.
The pseudo-inverse function is defined as follows:
The interval function δ(n, Θ + ) denotes for an incoming stimulation Θ + the minimum interval in which n events can occur.
A detailed definition of these functions in conjunction with a concrete event model is given in [9] . From these definitions we can formulate how the worst-case response time of a task τ can be determined scheduled non-preemptively by fixedpriorities.
Lemma 1. The worst-case response time of a task is bounded by:
The proof is given in [10] . The idea of this analysis is the following. is always a bound. How the whole analysis for distributed systems works and how the outgoing stimulations of a task can be computed is described in [8] and [9] , for example. For the real-time analysis the tasks must be connected. This can be solved by defining a graph.
Definition 8. A real-time graph is a two tuple rtg := (V, E) consisting of V := {τ 1 , . . . , τ n } and a relation E where E ⊆ V × V .
V. INTERCONNECTION OF CONTROLLER MODEL AND
REAL-TIME ANALYSIS From the previous sections we know that the delay of the controller blocks and the messages between the controller blocks are modeled by delay blocks. The aim of the real-time analysis is to determine the best-case and worst-case delay of these delay blocks. This is equal to the best-case and worstcase response time of a task in a real-time system. Therefore 
both, the continuous-variable system (the plant to be controlled) and or transport and computation) into one lset appends a layer on top of the r contorols the execution time delays e standard blocks. In [5] , Cassandras be possible methods to achieve this in ollers having a discrete state space can rete event system. Systems that combine nt-driven dynamics are referred to as solution to model hybrid systems is the The element sb is the sensor block with a continuous input signal and an event stream of entities as output, the actuator e. Those values, back-annotated in the can be used to determine an assured e. If the performance is not sufficient, tructure of the controller or adjustments can be handled in an early design step. that translates a Simulink model into a ch is then used to do the response time Aida, our approach describes a direct en the controller components and the makes the flow diagram representation o integrate both, the continuous-variable ystem (the plant to be controlled) and r transport and computation) into one lset appends a layer on top of the r contorols the execution time delays e standard blocks. In [5] , Cassandras e possible methods to achieve this in llers having a discrete state space can ete event system. Systems that combine t-driven dynamics are referred to as solution to model hybrid systems is the The element sb is the sensor block with a continuous input signal and an event stream of entities as output, the actuator cts the information from an entity, the signal ck delays entities and modifies the information ' attributes, delay blocks db specify the time essages between the elements in sb, ab and spb. ows a control loop, composed from the basic control algorithms in the logic block and the are transmitted over signal connections with a head. Time continuous signals are transmitted ns with a single arrowhead. In the next step, we the building blocks of the distributed embedded ore detail. ck ne the sensor block which is the entry point for p.
A sensor block is a tuple sb := (V, E) consisting a, db) and a relation E where E ⊆ V × V .
ure 3 where an example of a sensor block is cally, the sensor block has the same functionality d-hold circuit. component of the sensor block is the entity hich generates an entity on every sample time. which is a physical value, is put as an attribute y the set attribute block sa. To model the delay lock, e.g. caused by the time needed to convert e in a digital value, a delay block db is used. an server with infinite capacity can be usedto vert time. 
B. Actuator Block
The actuator block is the counterpart to the sensor block. An example for the actuator block is depicted in figure 5 . While the sensor block generates an entity stream and adds information on it, the actuator block extracts the information from the entities by the get attribute block ga. Finally the entity stream is terminated in an entity sink block es. The time delay of the actuator is modeled by a delay block db. Based on this we can define the actuator block as follows.
Definition 3. An actuator block is a tuple ab := (V, E) consisting of V := (db, ga, es) and a relation E where E ⊆ V × V .
C. Signal Processing Block
The signal processing block models the behavior of a processor in the control system. Whenever an entity arrives at the signal processing block, a signal with the value of the entity's attribute is passed to the logic block, which contains the behavioral description. In this basic block, the signal processing in general and the control algorithm in the case of a controller is realized. In the signal processing block the flow of information is managed, and therefore acts as control unit for the entities.
Definition 4.
A signal processing block is a two tuple spb := (V, E) consisting of V := (ga, db, sa, bhb) and a relation E where
The information is separated from the entities with the get attribute block ga and forwarded to a discrete event subsystem block, where the controller is stored. While a new actuating signal is computed, the entity is hold in the delay block db which is a single server block in SimEvents. The service time of this block simulates the effect of the response time of the information flow in the system and thus can hold only one entity. After the service time is elapsed, the new attribute is set and the entity is released by a set attribute block sa. Consider the example depicted in figure 4.
D. Delay Block
A delay block is an atomic block and represents the time delay caused by the system architecture where the controller is mapped to. In the view of a control engineer, the different effects on transport component are reduced to a guaranteed delay interval. Hence, the delay blocks contain only an infinite server that holds a random number of entities for the service block ab extracts the information from an entity, the signal processing block delays entities and modifies the information of the entities' attributes, delay blocks db specify the time delay of the messages between the elements in sb, ab and spb. Figure 2 shows a control loop, composed from the basic blocks (grey), control algorithms in the logic block and the plant. Entities are transmitted over signal connections with a doubled arrowhead. Time continuous signals are transmitted over connections with a single arrowhead. In the next step, we have to define the building blocks of the distributed embedded controller in more detail.
A. Sensor Block
Definition 2.
The main component of the sensor block is the entity generator eg, which generates an entity on every sample time.
The signal x, which is a physical value, is put as an attribute on the entity by the set attribute block sa. To model the delay of the sensor block, e.g. caused by the time needed to convert an analog value in a digital value, a delay block db is used. In SimEvents an server with infinite capacity can be usedto model the convert time. 
B. Actuator Block
C. Signal Processing Block
Definition 4.
D. Delay Block
A delay block is an atomic block and represents the time delay caused by the system architecture where the controller is mapped to. In the view of a control engineer, the different effects on transport component are reduced to a guaranteed delay interval. Hence, the delay blocks contain only an infinite server that holds a random number of entities for the service as a sample-and-hold circuit.
The main component of the sensor block is the entity generator eg, which generates an entity on every sample time. The signal x, which is a physical value, is put as an attribute on the entity by the set attribute block sa. To model the delay of the sensor block, e.g. caused by the time needed to convert an analog value in a digital value, a delay block db is used. In SimEvents an server with infinite capacity can be usedto model the convert time. the behavioral description. In this basic block, the signal processing in general and the control algorithm in the case of a controller is realized. In the signal processing block the flow of information is managed, and therefore acts as control unit for the entities.
Definition 4. A signal processing block is a two tuple spb := (V, E) consisting of V := (ga, db, sa, bhb) and a relation E where
A delay block is an atomic block and represents the time delay caused by the system architecture where the controller is mapped to. In the view of a control engineer, the different effects on transport component are reduced to a guaranteed delay interval. Hence, the delay blocks contain only an infinite server that holds a random number of entities for the service the delay block can be mapped to a task in a real-time system. For this task the best-case and worst-case response time is determined and therefore the timing of the delay block.
Since both approaches are defined on graphs, we need only a bijective mapping between the graphs to interconnect the two approaches. Therefore we define:
is a bijective mapping, so that f (db) returns of real-time task and f −1 (τ ) returns the corresponding delay block.
In order to clarify our procedure, the controller loop in figure 2 is mapped to a real-time graph as depicted in figure 6 . With the methods of the graph theory it is quite easy to connect the two approaches without any transformation. To the best of our knowledge this is not considered by previous work. Via this mapping it is possible to exchange information between the control model and the real-time analysis. For example, the initial event streams can be directly derived from the Simulink model, because SimEvents works also on discrete events. The worst-case and best-case execution times depend on the hardware where the tasks are mapped to. To get these times it is possible to use the code generation of Simulink to get the source code which must be executed on the hardware. Via a worst-case execution time analysis as proposed in [12] it is possible to get bounds for the worst-case and best-case execution times.
VI. EXAMPLE
As a sample application, the system in figure 2 is regarded. The motivation is to control a oscillatory plant over the Controller Area Network (CAN) with an additional load. The system that needs to be controlled is a PT 2 plant with transfer function
and parameters T 2 = 0.1, T 1 = 0.05 and gain K = 10. The sample rate in the sensor block is chosen to T s = 0.01s and the controller algorithm in the logic block is constructed as an empirical determined discrete PID controller. Figure 7 shows the hardware architecture. Additional to the sensor, actuator and the controller, three ECUs are connected to the CAN bus. For simplicity, the sensor, actuator and controller tasks have a fixed best-case and worst-case response time of 50 µs. The CAN bus has a speed of 500 kBit/s and each message has a size of 8 bytes. Sensor and controller block transmit one message whereas the number of messages transmitted by ECU1, ECU2 and ECU3 are described in figure 7 by T x. Twenty messages in total are sent over the bus. All messages from ECU1 to ECU3 are sent strictly periodically. The smallest period is 20 ms and the greatest 100 ms. In this example we consider the performance of the control loop by shifting the priorities of the sensor message and the controller message. For this we explore the following cases: Assume, the CAN bus has twenty unique priorities. The sensor message starts with the highest priority and in each step the priority is decreased to the next lower priority up to the second lowest priority. The controller message has always one priority lower than the sensor message. The remaining priorities are distributed to the remaining messages. In each step the bestand worst-case response times are calculated and the influence on the control loop performance is computed. Table I gives an overview of the properties of the CAN messages. The bestcase and worst-case response times for the sensor message and the controller message are also described.
The knowledge about the worst-case response times feeds the delay blocks with the corresponding information. Since not only the bounds, defined by r + (τ ) and r − (τ ) have a destabilizing effect on the control performance, a varying response time between these bounds can lead to at least the same performance losses. In this example, the jitter is modeled as an equally distributed service time for the delay blocks.
The step response for a step from zero to one regarding the command variable at t = 1 s is drawn in figure 8 , which shows the transient response for different delays. The differences between the step response with best-case response time and no delay are negligible, whereas in a simulation with worstcase response time a distinct oscillating behavior is shown. In the case of a jitter between the best-case and the worst- CAN Fig. 8. Step response of the control loop case response time, the step response for the system has less overshoot, but leads to a longer oscillation. For further analysis, a quadratic cost criteria is defined, where a high cost results in a poor control performance. A common cost criteria is the integral of the squared error, defined as:
with x d (t) as control difference. Figure 9 plots the defined cost criteria over CAN priority for the previously described step response of the controlled system. As depicted in Figure 9 , the curves for the worst-case response time and in the case of a jitter show a disproportionate rise, whereas the slight curve at priority 18 is caused by the equivalent transport delay for priority 19 and 20 (see Table 1 ). Note that the choice of the jitter distribution function affects the resulting cost. At this point, the controller can be redesigned to reach a better performance for the new knowledge of the delay in the system. This leads to an iterative process in improving the overall performance of the system, as described above.
VII. CONCLUSION AND OUTLOOK
In this paper we presented an approach to connect a control model to real-time analysis by giving a formal mapping between the model components of a controller and tasks of a distributed real-time system. This helps the control engineer to simulate the control performance based on guaranteed timing bounds that are derived mathematically. In the example we have shown in how far control performance is dependant on the system's real-time behavior. Here, not only the the worst-and best-case response times are of interest, but also the amount of jitter of the reponse time.
In this paper we have shown how guaranteed bounds for the timing behavior can be derived and how these can be included in the control performance evaluation. Thereby an open question is how the worst-case performance of the controller can be constructed by these bounds.
The introduced method gives us the opportunity to consider also recently developed control strategies like the eventtriggered control.
