PLEASE SCROLL DOWN FOR ARTICLEsbie.kaist.ac.kr/ftp/Supervisory control for fault... · 2009-01-28 · (Received 19 July 2007; final version received 11 March 2008) Supervisory control

PLEASE SCROLL DOWN FOR ARTICLE

This article was downloaded by: [2007-2008-2009 Ajou University]On: 23 January 2009Access details: Access Details: [subscription number 907428303]Publisher Taylor & FrancisInforma Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House,37-41 Mortimer Street, London W1T 3JH, UK

International Journal of ControlPublication details, including instructions for authors and subscription information:http://www.informaworld.com/smpp/title~content=t713393989

Supervisory control for fault-tolerant scheduling of real-time multiprocessorsystems with aperiodic tasksSeong-Jin Park a; Kwang-Hyun Cho b

a Department of Electrical and Computer Engineering, Ajou University, Suwon, 443-749, Korea b Departmentof Bio and Brain Engineering and KI for the BioCentury, Korea Advanced Institute of Science and Technology(KAIST), Daejeon, 305-701, Korea

First Published:February2009

To cite this Article Park, Seong-Jin and Cho, Kwang-Hyun(2009)'Supervisory control for fault-tolerant scheduling of real-timemultiprocessor systems with aperiodic tasks',International Journal of Control,82:2,217 — 227

To link to this Article: DOI: 10.1080/00207170802047425

URL: http://dx.doi.org/10.1080/00207170802047425

Full terms and conditions of use: http://www.informaworld.com/terms-and-conditions-of-access.pdf

This article may be used for research, teaching and private study purposes. Any substantial orsystematic reproduction, re-distribution, re-selling, loan or sub-licensing, systematic supply ordistribution in any form to anyone is expressly forbidden.

The publisher does not give any warranty express or implied or make any representation that the contentswill be complete or accurate or up to date. The accuracy of any instructions, formulae and drug dosesshould be independently verified with primary sources. The publisher shall not be liable for any loss,actions, claims, proceedings, demand or costs or damages whatsoever or howsoever caused arising directlyor indirectly in connection with or arising out of the use of this material.

http://www.informaworld.com/smpp/title~content=t713393989

http://dx.doi.org/10.1080/00207170802047425

http://www.informaworld.com/terms-and-conditions-of-access.pdf

International Journal of ControlVol. 82, No. 2, February 2009, 217–227

Supervisory control for fault-tolerant scheduling of real-time multiprocessor

systems with aperiodic tasks

Seong-Jin Parka and Kwang-Hyun Chob*

aDepartment of Electrical and Computer Engineering, Ajou University, Suwon,443-749, Korea; bDepartment of Bio and Brain Engineering and KI for the BioCentury,Korea Advanced Institute of Science and Technology (KAIST), Daejeon, 305-701, Korea

(Received 19 July 2007; final version received 11 March 2008)

Supervisory control theory is a well-established theoretical framework for feedback control of discrete eventsystems whose behaviours are described by automata and formal languages. In this article, we propose a formalconstructive method for optimal fault-tolerant scheduling of real-time multiprocessor systems based onsupervisory control theory. In particular, we consider a fault-tolerant and schedulable language which is anachievable set of event sequences meeting given deadlines of accepted aperiodic tasks in the presence of processorfaults. Such a language eventually provides information on whether a scheduler (i.e., supervisor) should accept orreject a newly arrived aperiodic task. Moreover, we present a systematic way of computing a largest fault-tolerantand schedulable language which is optimal in that it contains all achievable deadline-meeting sequences.

Keywords: supervisory control; discrete event systems; fault-tolerant scheduling; multiprocessors; real-timesystems

1. Introduction

A fault-tolerant scheduler of a real-time multiprocessorsystem should allocate periodic or aperiodic tasks toavailable processors such that given deadlines of thetasks are met in the presence of processor faults. Inmost previous studies of real-time multiprocessorsystems including Ghosh, Melhem, and Mosse (1997),Manimaran and Murthy (1998), Girault, Lavarenne,Sighireanu, and Sorel (2001) and Yang, Deconinck,and Gui (2004), fault-tolerance was achieved byscheduling multiple copies of tasks on differentprocessors. In Ghosh et al. (1997), a primary/backupapproach for aperiodic and non-preemptive tasks wasproposed with the deallocation and overloading schemeto achieve a high acceptance ratio of arriving tasks.In Manimaran and Murthy (1998), a dynamic schedul-ing algorithm for aperiodic and non-preemptive taskswas proposed in consideration of resource and fault-tolerance requirements based on the primary/backupapproach. In Girault et al. (2001), a static fault-tolerantscheduling algorithm for periodic tasks was proposedby taking account of inter-processor communications.In Yang et al. (2004), a fault-tolerant schedulingscheme for aperiodic tasks was proposed by makinguse of the processor time unused by periodic tasksbased on the primary/backup approach. However,most of the previous results including Ghosh et al.(1997), Manimaran and Murthy (1998) and

Girault et al. (2001) are based on heuristic algorithms

without presenting an optimal scheduling solution.

Although the necessary and sufficient conditions for

schedulability were presented in Yang et al. (2004), the

conditions were built on a particular scheduling

algorithm called an earliest-deadline-first (EDF)

algorithm.Recently, some formal methods based on feedback

control theory have been applied to the systematicdesign of optimal real-time schedulers (Altisen,Goessler, and Sifakis 2002; Lu, Stankovic, Son, andTao 2002; Chen and Wonham 2002; Girault andRutten 2005; Janarthanan, Gohari, and Saffar 2006).In these cases, the scheduler was considered asa controller of a real-time system that restricts theprocessing of tasks to ensure given scheduling require-ments. In particular, optimal scheduling methodsbased on supervisory control theory of discrete eventsystems (DESs) were proposed in Altisen et al. (2002),Chen and Wonham (2002), Girault and Rutten (2005)and Janarthanan et al. (2006). DESs are dynamicsystems whose state transitions are caused by irregu-larly occurring events, and their behaviours aremodelled by automata and formal languages. Asupervisor is a controller that can achieve a givensystem requirement through enabling/disabling con-trollable events based on the observation of events orstates. Specifically, real-time optimal scheduling

*Corresponding author. Email: [email protected]

ISSN 0020–7179 print/ISSN 1366–5820 online

� 2009 Taylor & Francis

DOI: 10.1080/00207170802047425

http://www.informaworld.com

Downloaded By: [2007-2008-2009 Ajou University] At: 00:57 23 January 2009

schemes for periodic tasks were proposed within theevent-based supervisory control framework in whichtiming constraints are represented by formal languagesand supervisory control is used upon event observa-tions in Chen and Wonham (2002) and Janarthanan etal. (2006). In Altisen et al. (2002), a state-basedsupervisor synthesis method was used to design real-time schedulers under timing and resource constraints.Moreover, a fault-tolerant design scheme fornon-real-time distributed systems was presented inGirault and Rutten (2005) based on the state-basedcontroller synthesis scheme. However, there has beenno study on optimal fault-tolerant scheduling of real-time multiprocessor systems which process aperiodicand non-preemptive tasks with deadlines.

In this article, we present a formal method ofdesigning an optimal fault-tolerant scheduler for real-time multiprocessor systems with non-preemptive andaperiodic tasks based on supervisory control theory oftimed DESs (Brandin and Wonham 2004). We assumethat the arrival time of a task is unknown while theexecution time and (relative) deadline of the task areknown a priori. With this assumption, a task ismodelled by a finite state automaton in which tick ofthe global clock represents the passage of unit time, andits behaviour is described by the language generated bythat automaton. In consideration of processor faults,we present a notion of a fault-tolerant and schedulablelanguage which is an achievable set of event sequencesmeeting given deadlines of accepted tasks. We alsopresent a systematic way of computing the largest fault-tolerant and schedulable language which is the optimalsolution in that all achievable deadline-meetingsequences for given aperiodic tasks are included.Then, a supervisor that can achieve this languagebecomes the optimal scheduler. We also show that thefault-tolerant and schedulable language includes thedecision information on whether a scheduler accepts orrejects a newly arrived aperiodic task. While mostexisting scheduling algorithms such as those in Ghoshet al. (1997), Manimaran andMurthy (1998), Girault etal. (2001) and Yang et al. (2004) operate in an on-linemanner, the proposed algorithm predetermines theacceptance of newly arrived tasks and the allocation toprocessors in an off-line manner through computationof a fault-tolerant and schedulable language.A scheduler (i.e., supervisor) designed based on thislanguage can achieve the requirements onfault-tolerance and timing constraint through on-linefeedback control composed of event observations andenabling/disabling of some controllable events.

The paper is organised as follows: Section 2introduces preliminary concepts on the supervisorycontrol theory of timed DESs; in Section 3, we presentthe TDES model of a real-time multiprocessor system

processing n aperiodic tasks subject to processor faults;in Section 4, we present an optimal scheduler based onthe computation of all achievable deadline-meetingsequences; in Section 5, two examples are provided toillustrate our main results; finally, conclusions are madein Section 6.

2. Supervisory control of timed DESs

To investigate the problem of schedulinga multiprocessor for aperiodic and non-preemptivetasks, we adopt the supervisory control framework oftimed DESs (TDESs) (Brandin and Wonham 2004).A TDES G is represented by the following finite stateautomaton

G ¼ ðQ,�, q0, �,QmÞ,

where Q is the finite set of states, � is the set of events,q0 is the initial state, �: Q��!Q is the statetransition (partial) function, and Qm�Q is the set ofmarked states representing the completion of tasks.The event set � is composed of two subsets

� ¼ �act _[ftg,

where �act is the set of activity (or logical) events andthe event t denotes the passage of one unit time,or one tick of the global clock. The event set �act iscategorized by three subsets: the controllable eventsset �c, the uncontrollable events set �uc, and theforcible events set �for. The occurrence of controllableevents can be controlled by disabling commands ofa supervisor, but the uncontrollable events areinherently non-preventable (e.g., a fault event). Onthe other hand, the forcible events can preempt theevent t by forcing action of a supervisor and a forcibleevent itself can be either controllable or uncontrollable.

For an event set A��, let A* denote the set of allfinite sequences (or strings) over A, including theempty string �. Then, any subset of �* is calleda language over �. The transition function � can beextended to �* by defining �(q, �) :¼ q and�(q, s�) :¼ �(�(q, s), �) for all s2�* and � 2�. Fors2�*, pr(s) denotes the set of all strings that areprefixes of s, i.e., pr(s) :¼ {t2�*j tu¼ s for someu2�*}. The prefix closure pr(L) of a language L��*is the set of prefixes of all the strings in L.

The behaviour of a TDES G is described by thefollowing two languages:

LðGÞ :¼ fs 2 �� j �ðq0, sÞ! ðis definedÞg,

LmðGÞ :¼ fs 2 �� j �ðq0, sÞ 2 Qmg:

L(G) includes all possible sequences occurring in thesystem, and Lm(G) includes the sequences of L(G)that lead to the marked states. A state x of G is said

218 S.-J. Park and K.-H. Cho


to be coaccessible if there is a path from the state x to

a marked state in the state transition diagram of G.

Otherwise, the state is called non-coaccessible. G is

non-blocking if L(G)¼ pr(Lm(G)), otherwise it is

blocking. Note that if G is non-blocking, then every

reachable state of G is coaccessible.To construct an execution model of a composite

task describing the concurrent behaviour of individual

tasks, we employ the synchronous product operation

(Wonham 2004). Given two TDESs Gi¼ (Qi, �, q0, i, �i,Qm,i) for i¼ 1, 2, the synchronous product of G1 and G2

is defined as follows:

G1kG2 :¼ ðQ1 �Q2,�, ðq0, 1, q0, 2Þ, �,Qm, 1 �Qm, 2Þ,

where the operator�denotes a product between two

state sets and

�ððq1, q2Þ, �Þ

:¼ð�1ðq1, �Þ, �2ðq2, �ÞÞ if �1ðq1, �Þ! and �2ðq2, �Þ!

undefined otherwise.

�

Then, it holds that L(G1jjG2)¼L(G1)\L(G2) and

Lm(G1jjG2)¼Lm(G1)\Lm(G2) (Wonham 2004).A supervisor controls a TDES by dynamically

enabling and forcing events based on observation of

a sequence of events. Formally, a supervisor S is

defined as a function from the language generated by G

to the power set of �

S: LðGÞ ! 2�

such that �uc�S(s) for any s2L(G). For each s2L(G)

generated so far by G (under the control of S ), S(s)

denotes a set of events to be enabled or forced for

occurrence. The constraint �uc�S(s) implies that

a supervisor is not allowed to ever disable uncontrol-

lable events. A supervised (or controlled) system is then

denoted by S/G and its closed-loop behaviour L(S/G)

becomes a language defined as follows:

(1) �2L(S/G);(2) if s2L(S/G), � 2S(s), and s� 2L(G), then

s� 2L(S/G);(3) no other strings belong to L(S/G).

Given a language specification K�Lm(G) representing

a control objective or system requirement,

a fundamental supervisory control problem is to find

the existence conditions of a supervisor S satisfying

L(S/G)¼ pr(K) and to design such a supervisor. We

note that since the control objective presented in this

article is to complete accepted tasks within their

deadlines, a language specification K is given as

a sublanguage of Lm(G). To solve this problem, the

following language property of K called controllability

is required (Brandin and Wonham 2004). For s2�*,

let �K(s) :¼ {� 2�j s� 2 pr(K)}. Then, K is controllable

with respect to (w.r.t.) L(G) if, for any s2 pr(K),

�KðsÞ ��LðGÞðsÞ \ ð�uc [ ftgÞ if �KðsÞ \�for ¼ ;,

�LðGÞðsÞ \�uc if �KðsÞ \�for 6¼ ;:

�

Intuitively, this condition implies that if we cannot

prevent a certain event (uncontrollable event or t) then

it should be legal, i.e., included in �K(s). It has been

known that there exists a supervisor S satisfying

L(S/G)¼ pr(K) if and only if K is controllable w.r.t.

L(G) (Brandin and Wonham 2004). Then, the super-

visor can be designed as follows: For any event

sequence s2 pr(K),

SðsÞ ¼ f� 2 � n�uc j s� 2 prðKÞg [�uc:

It states that if the sequence s is observed then the

supervisor enables or forces the events of S(s) such that

extensions of the sequence still remain within K.In the next sections, we present a TDES model of

processing tasks in a real-time multiprocessor

system, and a specification language representing

a requirement of fault-tolerance and timing con-

straint. Based on this model, we develop a detailed

algorithm to compute a largest controllable sublan-

guage of the specification. In addition, we show that

a supervisor achieving such a largest sublanguage

corresponds to an optimal scheduler that guarantees

all achievable sequences meeting given deadlines

of tasks.

3. A task processing model

We consider a real-time multiprocessor system

processing n aperiodic tasks, and composed of m

identical processors and one central scheduling

processor (scheduler or supervisor). All arrived

tasks are reported to the scheduler and then it

distributes those to each processor for execution

according to the off-line computed scheduling policy.

In addition, the scheduling processor monitors

processor faults. When it observes a fault of some

processor, it reassigns the task under execution at the

faulty processor to another processor according to

the scheduling policy. Since the scheduler has such

non-negligible computational burdens, we need to

dedicate one processor for scheduling in order to

ensure the meeting deadlines of tasks in the m

processors.For i2 I :¼ {1, 2, . . . , n}, the TDES model of

executing an aperiodic task i with an execution time

Ei and a (relative) deadline Di is as follows:

Ti ¼ ðQi,�, q0, i, �i,Qm, iÞ,

International Journal of Control 219


where

� ¼ [i2I�i [�fau [ ftg,

�fau ¼ f f1, . . . , fmg,

�i ¼ fai, pi, ri, ei, 1, . . . , ei,m, ci, 1, . . . , ci,mg:

The events are described in Table 1 and these are

categorised as follows:

�uc ¼ [i2Ifaig [�fau, �c ¼� n ð�uc [ ftgÞ, �for ¼�c:

The state transition diagram of Ti is shown in Figure 1

where the initial state is indicated by an entering arrow

and the marked state is denoted by double circles. In

this case, both the initial state and the marked state are

identical, i.e., Qm,i¼ {q0, i}.In this article, we assume that the execution times

and deadlines of all aperiodic tasks are known a priori

as constant values, and the tasks are independent

(i.e., no precedence constraints). The processing of an

aperiodic task requires executing Ei segments and each

segment takes one unit time (one t), which is

represented by the event t followed by the event ei,jas shown in Figure 1. We further assume that (i) the

acceptance decisions on arrived tasks and (ii) the

preparation for executing a task after a processor fault

do not take any processing time. This is just to simplify

our developments without loss of generality and the

result presented can easily be extended to the case of

non-zero processing time. In addition, we assume that

if a fault occurs in one processor then no more faults

occur in the other processors until all accepted tasks

complete their operations. This is illustrated in

Figure 1 where no additional fault event is defined

after the occurrence of an event fj ( j¼ 1, . . . ,m). In

Figure 1, we further find that if a fault occurs in one

processor in the middle of executing a task then the

task restarts its execution from the beginning in

another processor. This model can also be extended

to the case of restarting from the interrupted point.

Note that, although we do not take account of the

faults of a scheduler in this article, there are some ways

of handling this, e.g., by duplicating the scheduler

itself.Since Ti in Figure 1 is a model for an aperiodic

task, the release time of a task i can be arbitrary, e.g.,ai, tai, ttai, tttai, . . .2L(Ti). Moreover, Ti in Figure 1describes a non-preemptive scheduling scheme sincea task is not preempted by another task during its

execution in a processor. This is illustrated in Figure 1where the self-loop transitions by *k at the statesreachable through the event ei,k and t exclude theoccurrence of ej,k (i 6¼ j) which represents the executionof a task j in a processor k.

Let us now construct a composite model for

concurrent executions of n aperiodic tasks as follows:

T ¼ ki2ITi:

This model includes all possible execution sequences ofn aperiodic tasks where an accepted aperiodic taskmight complete its last task segment before its deadlineor the task might miss its deadline due to processorfaults or execution of other tasks.

4. Design of a scheduler

To address the scheduler design problem in a formalway, we define the following notions.

Definition 1: A sequence s2Lm(T ) is deadline-meeting if for all s1, s3 2 �� and s22 (�n{ci,j})*, s¼ s1ai pi s2 ci,j s3 implies that tickcount (s2)�Di� 1 wheretickcount (s2) denotes the number of unit time passageevents in the sequence s2. Otherwise, the sequence s isdeadline-missing.

Note that the string s2 does not contain events ai and riaccording to the definition of T, i.e., s1 ai pi s4 ai ri s5 ci,js3 =2L(T ) for any s4, s52 (�n{ci,j})* where s2¼ s4 airi s5. In other words, the definition of deadline-meetingsequences implicitly imposes a restriction on therejection events ri’s.

Definition 2: A language K�Lm(T ) is fault-tolerantand schedulable if K includes only deadline-meetingsequences and it is controllable w.r.t. L(T ).

Then, we consider the following problem in this article:

Find a largest fault-tolerant and schedulable languagein that it contains all achievable deadline-meetingsequences in T.

If we find such a language K, then we candesign a scheduler S such that L(S/T )¼ pr(K) sinceK is controllable w.r.t. L(T ) (Brandin and Wonham

2004).Let us find all deadline-meeting sequences of

Lm(T ). To this end, we first construct a deadline

Table 1. Description of events.

Event Description

ai Arrival (or release) of a task ipi Acceptance of a task iri Rejection of a task ifi Fault of a processor iei,j Executing a segment of a task

i in a processor jci,j Executing the last segment of a

task i in a processor j



specification model for each task as illustrated

in Figure 2. The model Hi for a task i

includes all possible sequences meeting the deadline

Di of the task when it is accepted by the scheduler.

Based on these individual models, we construct

the composite deadline specification model as

follows:

H ¼ ki2IHi:

This overall specification model includes all sequences

that concurrently meet the deadlines of accepted

aperiodic tasks.In general, the behaviour of the composite deadline

specification model H does not belong to that of the

composite task model T, i.e., L(H ) =�L(T ). Hence, we

need to find all sequences that meet the deadlines of

accepted tasks from the sequences of L(T ). For this

purpose, we construct the following finite state

automaton M:

M ¼ TkH:

Figure 1. The execution model Ti for a task i.

Figure 2. A deadline specification model Hi for a task i.



We note that L(M) 6¼ pr(Lm(M)) and therefore there

can be some sequences in L(M) leading to deadlock

states of M. In other words, there may exist some

sequences in L(M) after which there is no more

continuation of events leading to the marked states

of M.Based on the construction of M, we obtain the

following result.

Proposition 1: Lm(M) contains all deadline-meeting

sequences of Lm(T ).

Proof: Let us prove this by contradiction. Suppose

that there exists a deadline-meeting sequence s2Lm(T )

satisfying s =2Lm(M). According to the definition of

deadline-meeting sequences, for any task i with s¼ s1 aipi s2 ci,j s3 where s1, s32�* and s22 (�n{ci,j})*, the

number of unit time passage event t in the string s2should be less than or equal to Di� 1. So, this implies

that s2L(Hi). In addition, from Figure 1, it is clear

that s2Lm(T ) implies s¼ s1 ai pi s2 ci,j s3¼ s1 ai pi s2 ci,js4 t s5 ck,l t for some task k and processor l where

s42 (�n{t})* and s52�*. Then, this implies that

s2Lm(Hi) from Figure 2. As this must be satisfied

for any task i, it holds that s2\i2ILm(Hi) implying

s2Lm(H ). From s2Lm(T ) and s2Lm(H ), s2Lm(M)

following the definition of M(¼TjjH ). This contra-

dicts the assumption. Therefore, we conclude that

Lm(M) contains all deadline-meeting sequences

of Lm(T ). œ

To meet all the deadlines of accepted tasks, a scheduler

should be designed to achieve Lm(M). For this, Lm(M)

needs to be controllable w.r.t. L(T ). In general, Lm(M)

can be, however, uncontrollable w.r.t. L(T ). This

implies that Lm(M) might not always be an achievable

language. Hence, we need to compute a controllable

language associated with Lm(M). To this end, we first

construct a finite state automaton M0 from M

according to the following procedure. Let �M and �M0

be the state transition functions of M and M0,

respectively. Let all other components of M and M0

be identical except the transition functions. For s2�*,

let le(s) denote the last event of the string s, e.g.

le(��)¼ � for �,�, � 2�. Then, we construct �M0

based on �M as follows. For every coaccessible state q

of M, we compute the following:

(1) Let s2 {a1, . . . , an}*n{�}.(2) For any s0 2 pr(s)n{�}, let �M(q, s0) be non-

coaccessible in M.(3) For some s0 2 pr(s)n{�}, let �M(q, s0)¼ q0. Then,

we can let �M0(q0, ri) :¼ q and le(s0)¼ ai, and

eliminate pi transition (and its subsequent

transitions) from M. For all s0 2 pr(s)n{�},repeat Step 3.

Note that M0 is constructed from M by adding the

rejection transition (ri) from a non-coaccessible state q0

to a coaccessible state q.

Remark 1: In the above procedure, if we let

�MðqM0 , uÞ ¼ q for some u2 pr(Lm(M)) then us0 =2

pr(Lm(M)), but us0, us0ri2 pr(Lm(M0)).

Let K :¼Lm(M0), then the language K is, however,

not controllable w.r.t. L(T ). To find a largest

controllable sublanguage of K, we consider the set of

all sublanguages of K that are controllable w.r.t. L(T )

as in Ramadge and Wonham (1987)

CðKÞ :¼ fK0 � K j K0 is controllable w.r.t. LðT Þ g:

Then, as in Ramadge and Wonham (1987), we

assert the existence of a unique supremal element

supC(K) in C(K), called a supremal controllable

sublanguage of K. Then, the main result of this article

is as follows.

Proposition 2: The language supC(K) is fault-tolerant

and schedulable.

Proof: First, let us show that K contains only

deadline-meeting sequences. For a sequence s2K,

from K¼Lm(M0)�Lm(M), we consider the following

two cases: Case 1. s2Lm(M); Case 2. s2Lm(M0)n

Lm(M). For Case 1, according to Proposition 1, the

sequence s is deadline-meeting. For Case 2, according

to the procedure of constructing M0, it follows that

s¼ s1 sa ri s2 for some s1, s22�* and sa2 {a1, . . . , an}*

satisfying le(sa)¼ ai and s1 s22Lm(M). Then, since the

sequence sari does not include the unit time passage

event t and the sequence s1s2 is deadline-meeting, it

turns out that s is also deadline-meeting. Furthermore,

supC(K)�K since the language supC(K) is a supremal

element in C(K), and therefore supC(K) also

contains only deadline-meeting sequences. In addition,

it follows from supC(K)2C(K) that supC(K) is

controllable w.r.t. L(T ). œ

Theorem 1: The language supC(K) is the largest fault-

tolerant and schedulable language.

Proof: Since K¼Lm(M0)�Lm(M) and Lm(M)

contains all deadline-meeting sequences of T,K

includes all deadline-meeting sequences of T.

Moreover, supC(K) is a unique supremal controllable

sublanguage of K w.r.t. L(T ). Therefore, we conclude

that supC(K) is the largest fault-tolerant and schedul-

able language. œ

A supervisor S achieving the language supC(K)

corresponds to the optimal scheduler in the sense that

the language includes all achievable deadline-meetingsequences of the real-time multiprocessor system.



So, the optimal scheduler can be designed as follows:

For any s2 pr(supC(K)),

SðsÞ :¼ f� 2 � n�uc j s� 2 prðsupCðKÞÞg [�uc

which is the set of events to be enabled or forced afterobservation of the string s. As a result of thesupervision, we obtain L(S/T )¼ pr(supC(K)), i.e., the

task executions controlled by the scheduler remainwithin the largest fault-tolerant and schedulablelanguage.

Most previous studies on fault-tolerant schedulingof real-time multiprocessor systems including Ghoshet al. (1997), Manimaran and Murthy (1998), Girault

et al. (2001) and Yang et al. (2004) did not propose anoptimal solution in that an aperiodic task might berejected according to the previous algorithms even if itis schedulable. This is mainly because the previousalgorithms provided only sufficient conditions for

schedulability tests but not necessary conditions aswell. We also note that the previous algorithms operatein an on-line manner. So, whenever aperiodic tasksarrive, a scheduler should do computations accordingto these algorithms. This can incur significant compu-

tational burdens. In the approach proposed in thisarticle, the acceptance decision for each newly arrivedtask can be predetermined in an off-line mannerthrough computation of a fault-tolerant and schedul-able language supC(K). Upon the observation of

a sequence, a scheduler accepts a task if the acceptanceevent of the task still leaves the observed string withinthe path of supC(K), otherwise, it rejects the task.Hence, comparing with the previous algorithms inGhosh et al. (1997), Manimaran and Murthy (1998),

Girault et al. (2001) and Yang et al. (2004), theproposed method certainly reduces the on-line compu-tational burden accompanied with the decision onacceptance and the task allocation to processors.Moreover, as presented in Theorem 1, the fault-

tolerant and schedulable language supC(K) containsall achievable deadline-meeting sequences. This impliesthat if the proposed scheduler decides to reject a newlyarrived task then there is no other way of accepting thistask while meeting all the deadlines of the newly

arrived task and already accepted tasks.One important drawback of the presented

approach is the computational complexity involvedwhen we compute a schedulable language. Here thecomputational burden is primarily caused by composi-tion of component TDES models since the size of the

composite model exponentially increases along withthe number of components. This is even more seriousin a TDES framework since the TDES models furtherinclude the unit time passage as a distinct event. So,overcoming the computational complexity is actually

a challenging issue to realise the proposed scheme.Modular synthesis can be one way of dealing with thisproblem. In addition, the constant development of newtechnologies increasing the computational power whilereducing the memory size adds the value of theproposed scheme by effectively resolving sucha computational burden.

Another limitation is that the proposed approach isless flexible than on-line approaches since the proposedoff-line method cannot properly adapt to a prioriunknown tasks unlike the on-line methods. This is aninevitable cost paid for optimal schedules.

5. Examples

5.1 Example 1

Let us consider a real-time system composed of twoprocessors that process two aperiodic tasks, task 1 andtask 2. TDES models of executing these two tasks areT1 and T2, respectively. Suppose that the executiontimes and deadlines of the tasks are given as follows:E1¼ 2 and D1¼ 3 for task 1; E2¼ 1 and D2¼ 3 fortask 2. The event sets are defined as follows: �1¼ {a1,p1, r1, e1,1, e1,2, c1,1, c1,2}, �2¼ {a2, p2, r2, c2,1, c2,2}, and�fau¼ { f1, f2}. The state transition diagrams for T1 andT2 are shown in Figure 3. From these models, weconstruct a composite task execution model T¼T1jjT2.A partial diagram of T is illustrated in Figure 4(self-loop transitions at each state are not described forsimplicity). This composite model includes all possiblesequences composed of both deadline-meeting anddeadline-missing sequences that can occur duringconcurrent execution of the two tasks. For instance,let us consider the following two sequencess1, s22Lm(T ):

s1 ¼ a1p1e1,1a2p2c2, 2tc1,1t,

s2 ¼ a1p1e1,1a2p2tf1e1,2tc1,2tc2, 2t:

Note that s1 is deadline-meeting, but s2 is deadline-missing since the number of t in the substringa2p2tf1e1,2tc1,2tc2,2 of the string s2 is 3 which is greaterthan D2� 1¼ 3� 1¼ 2.

All the composite models presented in this exampleincluding the composite task model T in Figure 4 arepartially shown in the figures owing to space limita-tions. Note, however, that they were all verified usingDESUMA software (DESUMA Software 2006)which is a DES software providing various functionalmanipulations of DESs based on a graphicalenvironment. We have executed DESUMA in theenvironment of Microsoft Windows XP andJava Platform JDKTM 6.

To find all deadline-meeting sequences in Lm(T ),we construct deadline specification models as shown in



Figure 5 where self-loop transitions at each state of H

are not described to avoid unnecessary complication.

From these models, we construct a finite state

automaton M¼T jjH. A partial diagram of M is

illustrated in Figure 6. In Figure 6, all the sequences

leading to deadlock states are deadline-missing

sequences. For instance, let us consider a1p1e1,1t-

f1a2p2c2,2te1,2. After the task 1 is executed at one t in

the processor 1 (a1p1e1,1t), if a fault occurs in the

processor 1 ( f1) and thereafter the task 2 is accepted

(a2p2), then the execution of task 2 (c2,2) prior to task 1

in the processor 2 cannot meet the deadline of the task

1. However, the execution of task 1 (e1,2) prior to task 2

can meet both deadlines of task 1 and task 2 as shown

in Figure 6. To find a largest fault-tolerant and

schedulable language, we compute M0 from M and

then compute supC(K) (recall K¼Lm(M0)) as described

in the previous section. A partial supC(K) is indicated

by thick lines in Figure 6. Finally, we find that there

exists a scheduler S satisfying L(S/T )¼ pr(supC(K))

and therefore the scheduler can be designed as follows:

For any s2 pr(supC(K)),

SðsÞ ¼ f� 2 � n�uc j s� 2 prðsupCðKÞÞg [�uc:

Figure 3. Task execution models T1 and T2.

Figure 5. Deadline specification models in Example 1.

Figure 4. A composite model T¼T1kT2.



This means that, if the scheduler observes thesequence s, it enables or forces the events in S(s). Inother words, the scheduler disables all controllableevents not belonging to S(s). For instance, ifa sequence s¼ a1p1e1,1tf1a2p2 is observed, the decisionof the scheduler is

SðsÞ ¼ fe1,2g [�uc:

This implies that, after the elapse of one unit time oftask 1, if a fault occurs in the processor 1 and the task 2is accepted, then the scheduler commands such thatthe task 1 should be first executed in the processor 2.If the occurrence of another string s¼ a1p1e1,1a2p2is observed, the decision of the scheduler isS(s)¼ {c2,2}[�uc, and then the scheduler forces theevent c2,2 to preempt the illegal event t.

5.2 Example 2

Let us consider a second example with two processorsand two tasks where task 1 and task 2 have thefollowing execution times and deadlines: E1¼ 2,D1¼ 3, E2¼ 1, and D2¼ 2. The task executionmodels are the same as those in Figure 3.The deadline specification model H is shown inFigure 7 where self-loop transitions at each state arenot described for simplicity. The model M¼T jjH ispartially illustrated in Figure 8. When a deadline-meeting sequence a1p1e1,1a2p2c2,2tc1,1t is executed, thetask 2 is completed prior to the task 1. Then, it ispossible that a new task 2 arrives before executing thelast segment of the current task 1. In other words, theevent a2 can occur after the string a1p1e1,1a2p2c2,2t.

Figure 6. M and supC(K) in Example 1.

Figure 8. M in Example 2.

Figure 7. Deadline specification model H in Example 2.



This is not illustrated in Figure 8 owing to the spacelimitation. Also, we note that the state reached by thestring a1p1e1,1tf1a2p2 in Figure 8 is non-coaccessible.This means that there is no way to meet the deadlinesof the task 1 and task 2 after the state. Hence, for thiscase, if the arrival event of the task 2 (a2) is observedafter the string a1p1e1,1tf1 then the scheduler must rejectthe task (r2).

To find a largest fault-tolerant and schedulablelanguage, we first construct an automaton M0 in whichthe rejection event r2 is specified after the stringa1p1e1,1tf1a2 and the transition of p2 together with itsfollowing transitions are eliminated as shown inFigure 9. Based on the automaton M0, we finallycompute the supremal controllable sublanguagesupC(K) as partially illustrated in Figure 9.

The scheduler S satisfying L(S/T )¼ pr(supC(K))for supC(K) shown in Figure 9 can be designedfollowing the same procedures as in the first example.For this scheduler, if the sequence s1¼ a1p1e1,1tf1a2 isobserved, the decision of the scheduler is

Sðs1Þ ¼ fr2g [�uc:

This states that a unique way of meeting the deadlineof the accepted task 1 after the string s1 is to rejectthe arrived task 2. If the occurrence of another strings2¼ a1p1f1a2p2 is observed, the scheduler enables theevent c2,2 and disables the event e1,2, i.e.,S(s2)¼ {c2,2}[�uc. This implies that, if a faultoccurs in the processor 1 before the execution ofthe task 1 then the scheduler accepts the arrivedtask 2 and executes it in the processor 2 prior to thetask 1.

6. Conclusions

In this article, we have presented a formal method forfault-tolerant scheduling of real-time multiprocessorsystems based on supervisory control theory.The method employs an off-line analysis to computea largest fault-tolerant and schedulable language

including all achievable sequences that meet thedeadlines of accepted aperiodic tasks in the presenceof processor faults. The language also containsinformation on whether a scheduler accepts or rejectsnewly arrived tasks. Note that the schedulablelanguage presented in this article is optimal as itguarantees achieving all achievable deadline-meetingsequences while most of the previous fault-tolerantscheduling of real-time multiprocessor systems has notprovided an optimal solution.

Acknowledgements

This work was supported by the Korea Research FoundationGrant funded by the Korean Government (MOEHRD)(KRF-2005-041-D00492). This work was also supported bythe Korea Science and Engineering Foundation (KOSEF)grant funded by the Korea government (MOST)(M10503010001-07N030100112), and by the KoreaMinistry of Science and Technology through the NuclearResearch Grant (M20708000001-07B0800-00110) and the21C Frontier Microbial Genomics and Application CenterProgram.

References

Altisen, K., Goessler, G., and Sifakis, J. (2002), ‘Scheduler

Modeling Based on the Controller Synthesis Paradigm’,

Journal of Real-Time Systems, 23, 55–84.Brandin, B.A., and Wonham, W.M. (1994), ‘Supervisory

Control of Timed Discrete Event Systems’, IEEE

Transactions on Automatic Control, 39, 329–342.Chen, P.C.Y., and Wonham, W.M. (2002), ‘Real-Time

Supervisory Control of a Processor for Non-preemptive

Execution of Periodic Tasks’, Journal of Real-Time

Systems, 23, 183–208.DESUMA Software (2006). Available online at: http://

www.eecs.umich.edu/umdes/toolboxes.html

Ghosh, S., Melhem, R., and Mosse, D. (1997),

‘Fault-Tolerance Through Scheduling of Aperiodic Tasks

in Hard Real-Time Multiprocessor Systems’, IEEE

Transactions on Parallel and Distributed Systems, 8,

272–284.

Girault, A., Lavarenne, C., Sighireanu, M., and Sorel, Y.

(2001), ‘Generation of Fault-Tolerant Static Scheduling for

Real-Time Distributed Embedded Systems with Multi-

Point Links’, Proceedings of 15th Parallel and Distributed

Processing Symposium, 1265–1272.

Girault, A., and Rutten, E. (2005), ‘Modeling Fault-Tolerant

Distributed Systems for Discrete Controller Synthesis’,

Electronic Notes in Theoretical Computer Science, 133,

81–100.Janarthanan, V., Gohari, P., and Saffar, A (2006),

‘Formalising Real-Time Scheduling Using Priority-based

Supervisory Control of Discrete-event Systems’, IEEE

Transactions on Automatic Control, 51, 1053–1058.Lu, C., Stankovic, J.A., Son, S.H., and Tao, G. (2002),

‘Feedback Control Real-Time Scheduling: Framework,

Figure 9. supC(K) in Example 2.



Modeling, and Algorithms’, Journal of Real-Time Systems,23, 85–126.

Manimaran, G., and Murthy, C.S.R. (1998), ‘A Fault-Tolerant Dynamic Scheduling Algorithm forMultiprocessor Real-Time Systems and Its Analysis’,IEEE Transactions on Parallel and Distributed Systems, 9,

1137–1152.Ramadge, P.J., and Wonham, W.M. (1987),‘Supervisory Control of a Class of Discrete Event

Processes’, SIAM Journal of Control Optimisation, 25,206–230.

Wonham, W.M. (2004), Supervisory Controlof Discrete-Event Systems, Toronto ON, Canada:University of Toronto.

Yang, C., Deconinck, G., and Gui, W. (2004), ‘Fault-

Tolerant Scheduling for Real-Time Embedded ControlSystems’, Journal of Computer Science and Technology, 19,191–202.



Documents

PLEASE SCROLL DOWN FOR ARTICLEsbie.kaist.ac.kr/ftp/Supervisory control for fault... · 2009-01-28 · (Received 19 July 2007; final version received 11 March 2008) Supervisory control