Using discrete controller synthesis for fault-tolerant distributed systems - PowerPoint PPT Presentation


SLIDE 1

Using discrete controller synthesis for fault-tolerant distributed systems

Alain Girault, Éric Rutten
POP ART, INRIA Rhône-Alpes
Alain.Girault@inrialpes.fr, Eric.Rutten@inrialpes.fr, www.inrialpes.fr/pop-art

Using discrete controller synthesis for fault-tolerant distributed systems – p.1/16

SLIDES 2-9

Motivations and context

Embedded systems (aeronautics, automotive, ...):
- automatic-control/discrete-event duality: sampled time iterations, mode switches;
- critical real-time: timing constraints;
- limited resources: computing, memory, power;
- distributed and heterogeneous architecture.

Intrinsically safety-critical systems, requiring:
- safe design using off-line validation
  → need for formal models, e.g., transition systems
- safe execution with on-line fault recovery
  → need for fault tolerance, e.g., recovery

SLIDES 10-16

Problem statement

Safe design for safe execution:
- fault tolerance: maintain correct functionality, whatever the faults;
- in a distributed system, upon processor failure: reconfigure the active tasks on the remaining processors;
- correctness of the reconfiguration to be validated w.r.t. the fault-tolerance properties.

We apply formal methods to ensure fault tolerance by:
- applying controller synthesis: advantages of correctness of the result and easy modifiability;
- automatically producing a controller enforcing fault tolerance for a distributed system.

SLIDES 17-24

Using controller synthesis for fault-tolerance

Model of the distributed system:
- architecture and environment: processors (fail-silent), fault model (patterns);
- application: configurations of tasks and their placement on the architecture.

Properties to be enforced:
- consistent execution: placement constraints;
- functionality fulfillment, e.g., reaching termination;
- optimization of costs (time, power) and qualities.

Using controller synthesis: find, if it exists, the controller of the model enforcing the properties
→ synthesis of the correct reconfiguration controller

SLIDES 25-28

Discrete control synthesis

Purpose: make a property hold in the controlled system!

- transition system: all possible behaviours (incl. bad ones)
  [figure: transition system with states 00, 01, 10, 11, transitions labelled i and d, and the set E]
- events: uncontrollable, and controllable (to be constrained), e.g., i controllable, d not
- objectives: properties, e.g., make the system invariant w.r.t. E s.t. not (s1 and s2)
- controller: {ctrl} = f(state, unctrl), e.g., inhibit event i from state 10
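The principle of the slides above, carried out on a small explicit transition system, as an added example that is not part of the presentation or of the authors' tools. The slide only shows states 00, 01, 10, 11 and the events i (controllable) and d (uncontrollable); the transition table below, the objective "not (s1 and s2)" read as "state 11 is forbidden", and the helper names `synthesize` and `inhibited` are assumptions made here. The fixpoint is the standard one: a state is kept only if it satisfies the property and no uncontrollable event can leave the safe set, since the controller cannot block those; controllable events leaving the safe set are inhibited and everything else stays enabled (maximal permissiveness).

```python
# Added example (not from the slides): maximally permissive safety controller
# for an explicit transition system. The transition table is an assumption.

# state = (s1, s2); keys are (state, event), values the successor state.
TRANSITIONS = {
    ((0, 0), "i"): (0, 1),   # i is controllable
    ((0, 0), "d"): (1, 0),   # d is uncontrollable
    ((0, 1), "d"): (0, 0),
    ((1, 0), "i"): (1, 1),   # would enter the forbidden state 11
    ((1, 0), "d"): (0, 0),
    ((1, 1), "d"): (0, 1),
}
CONTROLLABLE = {"i"}
UNCONTROLLABLE = {"d"}


def forbidden(state):
    """Objective from the slide: keep 'not (s1 and s2)' invariant."""
    s1, s2 = state
    return s1 == 1 and s2 == 1


def states_of(transitions):
    found = set()
    for (src, _), dst in transitions.items():
        found.add(src)
        found.add(dst)
    return found


def synthesize(transitions, forbidden, controllable, uncontrollable):
    """Greatest fixpoint of the safe states.

    A state stays safe only if it satisfies the property and every enabled
    uncontrollable event keeps the system inside the safe set. Returns
    (safe_states, controller) where controller[state] is the set of
    controllable events the controller allows from that state."""
    safe = {s for s in states_of(transitions) if not forbidden(s)}
    changed = True
    while changed:
        changed = False
        for s in sorted(safe):
            escapes = any(
                (s, u) in transitions and transitions[(s, u)] not in safe
                for u in uncontrollable
            )
            if escapes:
                safe.discard(s)
                changed = True
    controller = {
        s: {c for c in controllable
            if (s, c) in transitions and transitions[(s, c)] in safe}
        for s in sorted(safe)
    }
    return safe, controller


def inhibited(transitions, forbidden, controllable, uncontrollable):
    """(state, event) pairs enabled in the plant but blocked by the controller."""
    safe, controller = synthesize(transitions, forbidden, controllable, uncontrollable)
    return sorted(
        (s, c) for (s, c) in transitions
        if c in controllable and s in safe and c not in controller[s]
    )


if __name__ == "__main__":
    safe, ctrl = synthesize(TRANSITIONS, forbidden, CONTROLLABLE, UNCONTROLLABLE)
    print("safe states:", sorted(safe))
    print("controller:", ctrl)
    print("inhibited:", inhibited(TRANSITIONS, forbidden, CONTROLLABLE, UNCONTROLLABLE))
```

With the table above the result is exactly the slide's example: i is inhibited from state 10 and nothing else is constrained. Changing the single uncontrollable transition from 01 to lead to 11 instead of 00 shows why the fixpoint is needed: 01 can then no longer be kept safe, so i must also be inhibited from 00, even though 00 itself never violates the property.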

SLIDES 29-35

Property enforcing layers

Mixed imperative/declarative descriptions [ESOP03]:
- local constraints of components: set of automata;
- global constraints on interactions: properties;
- combination by control synthesis as compilation.

[figure: physical system under control, with sensors and actuators; the application program sends requests and receives acks through the property-enforcing layer]

Automatic generation of property enforcing layers:
- correct control, not just monitoring;
- efficient synthesis (relatively) on a prepared model.

SLIDES 36-37

Architecture model

Local processor:
- fail-silent, permanent failure: automaton OK_i → ERR_i on failure event f_i;
- multiple tasks, time-sharing; loads are additive;
- quantitative bounds b_i (e.g., power, CPU load).

Network model: heterogeneous; processor P0 dedicated to control, fail-less; fully connected network, no communication failure.
[figure: P0 connected to the processors of S = {P1, P2, P3}]

SLIDES 38-42

Environment or fault model

What failures can occur in the system?
- all processors can fail: no tolerance whatsoever;
- (a) only one failure;
- (b) two failures, possibly simultaneously;
- (c) other patterns, e.g., not 1 and 3 together.

[figures: fault automata with initial state B (no failure), states F1, F2, F3 (one processor failed) and, in (b), F1,2, F1,3, F2,3 (two failed); transitions on environment events e_i (possibly simultaneous, e.g., e1e2) emit the failure signals f_i; pattern (c) has no state F1,3 and no transition on e1 together with e3]

SLIDES 43-45

Task model (i)

Basic control structure pattern: task j, executable on 3 processors:
- initially idle in I_j; upon request r_j: ready R_j;
- A^j_i: cyclically executed on P_i, entered on the controllable event a^j_i;
- upon termination t_j: ended T_j;
- re-configuration: transition (controllable) from A^j_i to A^j_k.

[figure: automaton of task j with states I_j, R_j, A^j_1, A^j_2, A^j_3, T_j; transitions r_j from I_j to R_j, a^j_1, a^j_2, a^j_3 from R_j to the A^j_i and between the A^j_i, and t_j from each A^j_i to T_j]

SLIDES 46-49

Task model (ii)

Quantitative characteristics: weights associated with states:
- execution time or CPU load required by each task;
- power consumption on a given processor;
- quality of the functionality (accuracy, depth of search, algorithm versions, ...).

Power consumption of each task on each processor, and the bound of each processor:

            P1   P2   P3
  T1         4    4    2
  T2         2    2    3
  T3         2    3    4
  bound      5    3    6

Quality of each task on each processor:

            P1   P2   P3
  T1         3    5    3
  T2         2    2    5
  T3         2    2    5

SLIDES 50-54

Application model

Tasks server: n tasks in parallel:
- synchronous composition of behaviours;
- composition of costs, e.g., addition:
  for CPU loads or power, on each P_i: C_i = Σ_j C^j_i
  for quality: means, or actually sum: Q = Σ_i Σ_j Q^j_i

Program or scheduler (not handling distribution): emitting requests in sequence according to the precedence graph
[figure: precedence graph over T1, T3, T2, T1]

SLIDE 55

System model

[figure: synchronous composition of the processor automata (OK_i → ERR_i on f_i), the three task automata (T1, T2, T3), the fault automaton (B, F1, F2, F3 on e_i / f_i), the SCHEDULER and the CONTROLLER]

composition of all that → the system to be controlled

SLIDES 56-63

Properties and objectives for fault-tolerance

Ensuring consistent execution: make it invariantly true that
- no task is active on a failed processor: ¬ ⋁_j ⋁_i (A^j_i ∧ Err_i);
- tasks active on a processor are within its capacity: ∀i, C_i ≤ b_i.

Ensuring functionality: make that, from all reachable states, the terminal configurations such that ⋀_i T_i are reachable.

Optimizing costs and qualities among the remaining behaviours:
- maximize global quality, varying according to P_i (also giving some progress);
- minimize global consumption in time or power.

Order of synthesis operations essential: not commutative.

SLIDES 64-68

Illustrative scenarios

Ensuring consistent execution:
- no task is active on a failed processor: if P1 goes to ERR1, any task on P1 is reconfigured;
- tasks active on a processor are within its capacity: when T1 is on P1, T2 on P2 and T3 on P3, if P2 goes to ERR2, T2 is forced to migrate to P1 or P3, but then overload? Hence forcing the migration of both T1 to P3 and T2 to P1.

Ensuring functionality avoids staying in R_j, keeping only paths clear and wide enough down to the end:
one failure: ok; two failures: no; (c) pattern: ok.

Optimizing costs and qualities: different solutions when minimizing cost first, then maximizing quality.
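The placement constraints of the architecture and task models, the additive cost composition C_i = Σ_j C^j_i of the application model, the two invariants of the "Properties and objectives" slides and the reconfiguration scenario above, checked by enumeration, as an added example that is not part of the presentation or of the authors' Sigali/Mode Automata implementation. The power table and the bounds are the ones on the "Task model (ii)" slide and the fault patterns are those of the fault-model slide; the helper names, the choice of "fewest migrations" as the tie-breaker among consistent placements, and the sequential reading used in `tolerates` (one task active at a time, as requested in sequence by the scheduler) are assumptions made here.

```python
# Added example (not from the slides): placement invariants, reconfiguration
# after a processor failure, and tolerance of a fault pattern, by enumeration.
from itertools import product

PROCS = ("P1", "P2", "P3")
TASKS = ("T1", "T2", "T3")
# power consumption of each task (row) on each processor (column), from the slide
POWER = {
    "T1": {"P1": 4, "P2": 4, "P3": 2},
    "T2": {"P1": 2, "P2": 2, "P3": 3},
    "T3": {"P1": 2, "P2": 3, "P3": 4},
}
BOUND = {"P1": 5, "P2": 3, "P3": 6}   # b_i of each processor, from the slide


def loads(placement):
    """C_i = sum over the tasks j placed on P_i of C^j_i (loads are additive)."""
    c = {p: 0 for p in PROCS}
    for task, proc in placement.items():
        c[proc] += POWER[task][proc]
    return c


def consistent(placement, failed):
    """The two invariants: no task active on a failed processor, and
    for all i, C_i <= b_i."""
    if any(proc in failed for proc in placement.values()):
        return False
    c = loads(placement)
    return all(c[p] <= BOUND[p] for p in PROCS)


def valid_placements(active, failed):
    """All placements of the active tasks that satisfy both invariants."""
    result = []
    for choice in product(PROCS, repeat=len(active)):
        placement = dict(zip(active, choice))
        if consistent(placement, failed):
            result.append(placement)
    return result


def reconfigure(current, failed):
    """Controller reaction once `failed` are in ERR: among the consistent
    placements of the currently active tasks, pick the one moving the fewest
    tasks (assumed tie-breaker). Returns None when no consistent placement
    exists, i.e. the failure cannot be tolerated with these tasks active."""
    candidates = valid_placements(tuple(current), failed)
    if not candidates:
        return None

    def migrations(p):
        return sum(1 for t in current if p[t] != current[t])

    return min(candidates, key=lambda p: (migrations(p), sorted(p.items())))


def tolerates(pattern, active_sets):
    """True if every failure set allowed by the fault pattern leaves a
    consistent placement for every set of simultaneously active tasks."""
    return all(
        valid_placements(active, failed)
        for failed in pattern
        for active in active_sets
    )


# fault patterns of the "Environment or fault model" slide
ONE_FAILURE = [frozenset({p}) for p in PROCS]
TWO_FAILURES = ONE_FAILURE + [
    frozenset(s) for s in (("P1", "P2"), ("P1", "P3"), ("P2", "P3"))
]
PATTERN_C = [s for s in TWO_FAILURES if s != frozenset({"P1", "P3"})]  # not 1 and 3 together
SEQUENTIAL = [(t,) for t in TASKS]   # assumed: one task active at a time

if __name__ == "__main__":
    initial = {"T1": "P1", "T2": "P2", "T3": "P3"}
    print("P2 fails, reconfigure to:", reconfigure(initial, {"P2"}))
    for name, pattern in (("one failure", ONE_FAILURE),
                          ("two failures", TWO_FAILURES),
                          ("pattern (c)", PATTERN_C)):
        print(name + ":", "ok" if tolerates(pattern, SEQUENTIAL) else "no")
```

With P2 failed, only three of the eight placements on P1 and P3 respect the bounds, and the one with the fewest migrations is T1 on P3, T2 on P1, T3 on P3, the reconfiguration the scenario describes. The sequential reading reproduces the slide's verdicts: one failure is tolerated, two arbitrary failures are not (with P1 and P3 down, T1 cannot fit on P2), and pattern (c) is tolerated. Under the stronger assumption that all three tasks are active at once, even a single failure of P3 leaves no consistent placement, which is why the functionality objective has to restrict which paths through the R_j and A^j_i states are kept.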

SLIDES 69-72

Implementation

Using synchronous tools:
- behaviour specification in Mode Automata (Verimag);
- objectives and synthesis with Sigali (IRISA);
- co-simulation with SigalSimu.

[figure: tool chain: components and weights in Mode Automata → system model → z3z encoding → Sigali, with the properties → controller → interactive simulation in SigalSimu]

SLIDES 73-79

Conclusion and perspectives

Results:
- a formal model of a real-time distributed system: processors, faults, tasks, and reconfigurations;
- automatic production of a controller enforcing fault-tolerance by reconfiguration.

Perspectives:
- model of tasks with modes, other architectures, ...
- properties: exclusions on resources, observers, ...
- platform-based design: the same system used under different control objectives.