# Hardware Implementation of an Invariant Observer



### **Marko Stanisic**

Department of Informatics
Technical University of Vienna

This dissertation is submitted for the degree of Bachelor of Science

# **Declaration**

I hereby declare that except where specific reference is made to the work of others, the contents of this thesis are original and have not been submitted in whole or in part for consideration for any other degree or qualification in this, or any other University. This thesis is the result of my own work and includes nothing which is the outcome of work done in collaboration, except where specifically indicated in the text.

Marko Stanisic 2014

#### **Abstract**

The Invariant Observer is a Runtime Verification Unit monitoring a signal  $\phi$  from a System under Test in real time and determining whether the signal was in an active state and had been active up to  $\tau$  clock cycles before. If this is the case then signal  $\phi$  is observed as being invariant in the past within the time interval  $[0,\tau]$ .

In their paper "Runtime Verification of Embedded Real Time Systems", Reinbacher et al. [4] presented a hardware implementation of an Invariant Observer. In this thesis a different hardware implementation is shown, that allows for parallel execution of several instances, leading to significant performance improvements if the time required for determining whether  $\phi$  holds, is not neglectable.

# **Contents**

| Co | onten   | ts        |                                                    | vii |  |  |  |  |
|----|---------|-----------|----------------------------------------------------|-----|--|--|--|--|
| Li | st of l | Figures   |                                                    | ix  |  |  |  |  |
| 1  | Intr    | roduction |                                                    |     |  |  |  |  |
|    | 1.1     | Overv     | iew of the Bachelor Thesis                         | 1   |  |  |  |  |
|    | 1.2     | The In    | nvariant Observer                                  | 3   |  |  |  |  |
|    |         | 1.2.1     | Arbitrary calculation time of logical propositions | 4   |  |  |  |  |
|    |         | 1.2.2     | Pipelined Observer Stages                          | 4   |  |  |  |  |
|    |         | 1.2.3     | System Settings of the Invariant Observer Stages   | 6   |  |  |  |  |
| 2  | Soft    | ware In   | mplementation and Algorithm                        | 7   |  |  |  |  |
|    | 2.1     | Algori    | ithm of the Invariant Observer Stages              | 7   |  |  |  |  |
|    | 2.2     | VHDI      | Implementation of the Algorithm                    | 8   |  |  |  |  |
| 3  | Har     | dware l   | Implementation                                     | 13  |  |  |  |  |
|    | 3.1     | Hardw     | vare Platform for a Prototype                      | 13  |  |  |  |  |
|    | 3.2     | Synthe    | esis and Design                                    | 14  |  |  |  |  |
|    |         | 3.2.1     | Design View of the Register Transfer Level         | 14  |  |  |  |  |
|    |         | 3.2.2     | Timing Model of the Design                         | 14  |  |  |  |  |
|    |         | 3.2.3     | Design Decisions based on Register Transfer level  | 15  |  |  |  |  |
|    | 3.3     | Design    | n problems in the development                      | 20  |  |  |  |  |
| 4  | Exp     | erimen    | ts and Testing                                     | 21  |  |  |  |  |
|    | 4.1     | Reaso     | ning and Environment of the Experiments            | 21  |  |  |  |  |
|    |         | 4.1.1     | Reasoning and Meaning                              | 21  |  |  |  |  |
|    |         | 4.1.2     | Build-up of Experiments                            | 22  |  |  |  |  |
|    | 12      | Simul     | ations                                             | 23  |  |  |  |  |

| viii | Contents |
|------|----------|
|      |          |

|    | 4.3         | Experi | iments                              | <br>26 |
|----|-------------|--------|-------------------------------------|--------|
|    |             | 4.3.1  | Testing the Behaviour               | <br>26 |
|    |             | 4.3.2  | Maximum Performance                 | <br>29 |
| 5  | Sum         | mary   |                                     | 31     |
| Re | eferen      | ces    |                                     | 33     |
| Αŗ | pend        | ix A S | Source Implementation in VHDL       | 35     |
|    | <b>A.</b> 1 | Observ | ver Stage                           | <br>35 |
|    | A.2         | TOP F  | File                                | <br>38 |
| Αŗ | pend        | ix B M | Modelsim Simulations                | 41     |
|    | B.1         | Simula | ations with 10 Observer             | <br>41 |
| Αŗ | pend        | ix C R | Register Transfer Level Design View | 45     |
|    | C.1         | Design | n of the First Version              | <br>45 |
|    | C.2         | Design | n of the most performant Version    | <br>49 |
| Αŗ | pend        | ix D D | Datasheets and Descriptions         | 55     |

# **List of Figures**

| 1.1         | Invariant Observer with $\tau = 3$                                      | 3  |
|-------------|-------------------------------------------------------------------------|----|
| 1.2         | Invariant Observer with $\tau = 2$                                      | 3  |
| 1.3         | 3 Observer Stages with monitoring range $\tau = 2 \ldots \ldots \ldots$ | 5  |
| 2.1         | Invariant Observer stages in cascade, m=4                               | 9  |
| 3.1         | RTL View of Observer 0 with clock 50Mhz                                 | 18 |
| 3.2         | RTL View of Observer 0 with clock 150Mhz                                | 19 |
| 4.1         | Modelsim Simulation of 5 Observer                                       | 25 |
| 4.2         | Logicanalyzer m=1, $\tau$ = 1                                           | 27 |
| 4.3         | Logicanalyzer m=5, $\tau$ = 10                                          | 27 |
| 4.4         | Logicanalyzer m=10, $\tau$ = 1                                          | 28 |
| 4.5         | Logicanalyzer m=10, $\tau$ = 1                                          | 28 |
| A.1         | Entity Design of Invariant Observer                                     | 36 |
| A.2         | Behavioural Design of Invariant Observer                                | 37 |
| A.3         | TOP File Example-p1                                                     | 39 |
| A.4         | TOP File Example-p1                                                     | 40 |
| B.1         | Modelsim Simulation of 10 Observer - 1                                  | 42 |
| B.2         | Modelsim Simulation of 10 Observer - 2                                  | 43 |
| B.3         | Modelsim Simulation of 10 Observer - 3                                  | 44 |
| <b>C</b> .1 | TOP Design of the First Version                                         | 46 |
| C.2         | Observer Design of the First Version                                    | 47 |
| C.3         | Signalgenerator of the First Version                                    | 48 |
| C.4         | TOP Design of the Final Version                                         | 50 |
| C.5         | Observer 0 of the Final Version                                         | 51 |

| X | List of Figures |
|---|-----------------|
|   |                 |

| C.6 | Observer 5 of the Final Version | 52 |
|-----|---------------------------------|----|
| C.7 | Observer 9 of the Final Version | 53 |

# Chapter 1

# Introduction

#### 1.1 Overview of the Bachelor Thesis

In embedded real time systems it is necessary to make efforts to verify a system design. A system design can be formalized by a mathematical specification within a properly chosen dynamic system model. One approach to system design verification is a deduction, which shows that the design implies the requirements.

In critical Real Time Systems (RTS) timing constraints have to be considered in the requirement engineering. Such Real Time Systems are modelled by states changing over time. Time constraints can be formulated as constraints on the duration of critical states. A real time logic should be able to specify that real time constraints. Generally it seems that two main classes of real time logic are present, explicit or implicit temporal logic.[3]

Explicit temporal logic makes use of explicit expressions of time variables. The time variable can be the representation of a time interval or a variable in temporal logic. Implicit temporal logic (for example MTL - Metric Temporal Logic) is using temporal operators that constrain the extent of a state. It is based on interval temporal logic and the duration concept. Implicit temporal logic can be very useful to express before/after relations between concurrent actions. For further details [3] can be a good source of information. In runtime verification a monitor evaluates executions of a **System under Test (SUT)** [4]. The evaluation is formalised from a formal specification described in temporal logic.

2 Introduction

For ultra critical systems it is important to meet four major requirements:

- 1. Functionality: cannot change target's behaviour
- 2. Certifiability: must avoid re-certification
- 3. Timing:must not interfere with the target's timing
- 4. Swap:must not exhaust size, weight and power tolerance

A **Runtime Verification Unit (RVU)** is a verification monitor that meets these four major requirements. As part of this requirements, the RVU must be separated from SUT. In fact it is a synthesized hardware that monitors the execution of a SUT.

The topic of my thesis "Hardware Implementation of an Invariant Observer" can also be considered as a RVU, it evaluates the execution of a SUT and checks it for invariance conditions. My observer is an alternative implementation of the invariant observer INVARIANT-SYMBOL published in [4], that bypasses the problem of resource limitation and makes use of the significant advantages of a highly parallel **Field Programmable Gate Array(FPGA)** hardware implementation. The most important difference is that my observer is not bounded to a specific  $\tau$ , but the observers in [4] are bounded. This feature will be explained in the next section.

In the publication "**Real-Time Runtime Verification on Chip**" [4] the concept of a RVU and the principles of that Verification Framework are described in greater detail.

A survey about the functionality of the invariant observer is given in the following sections.

#### 1.2 The Invariant Observer

This section is a survey about the invariant observer and how it works. More details about the observer algorithm are presented in the next chapter.

The Invariant Observer acts like the temporal (invariant previously) operator  $\Box_{\tau}\phi$  of the Metric Temporal Logic (MTL) and is certainly restricted to the past (ptMTL). Such a temporal operator takes an input  $\phi$ , the calculation of a propositional formula, and evaluates if  $\phi$  holds for the past  $\tau$  execution times, including the current execution time in a discrete time setting. For example the logical consequence  $e^n \models \Box_3 \phi$  expresses that the operator  $\Box_3 \phi$  is true at current time n iff (if and only if) the evaluation of  $\phi$  is true now and was also true the last  $\tau = 3$  execution times. In fact the  $\Box_{\tau} \phi$  is a specialization of the  $\Box_{[0,\tau]} \phi$  ptMTL operator which restricts the range of the invariance qualification.

Figure 1.1 and Figure 1.2 show an example for such a temporal operator.



Fig. 1.1 Example for Invariant Operator  $\Box_{\tau}\phi$  with  $\tau=3$ 



Fig. 1.2 Example for Invariant Operator  $\Box_{\tau}\phi$  with  $\tau$ =2

My approach of the invariant observer is based on some certain requirements. The following subsections will discuss these requirements.

4 Introduction

### 1.2.1 Arbitrary calculation time of logical propositions

To introduce the first requirement we begin with the discussion of the problem that the calculation of a propositional formula  $\phi$  could take several clock cycles (execution times). This means that an observer has to wait until the calculation of the proposition is finished. In [4] the observer needs to guarantee that it finishes evaluation of atomic propositions within a tight time bound. In our case, if we start calculation of a propositional formula  $\phi$  at every clock cycle and the calculation itself needs y clock cycles, than we need at least y observer stages to cover finished calculations at every clock cycle. These observer stages are part of the whole observer. After y clock cycles, at every following clock cycle, a calculation of  $\phi$  will be available. At least one observer stage will be ready, too, to evaluate a calculation  $\phi$  at any time. In other words, we are implementing temporal pipeline stages that represent components of the invariant operator and these components together are evaluating the invariance qualification of the proposition  $\phi$ . We don't have one observer, in fact the observer is composed from several observer stages. As a matter of fact, this solution only requires the calculation time of a proposition  $\phi$  to be bounded by some previously known time y.

Propositional formulas can be composed from several other complex propositional subformulas or atomic propositions. In some cases a subformula is waiting for the resolution of an another subformula. In [4] this balance is achieved by the restriction of the atomic proposition class in sense of the abstract domain of logahedron.

## 1.2.2 Pipelined Observer Stages

Consider every finished calculation of a propositional formula  $\phi$  as a signal value of the signal W( $\phi$ ), every value in that signal is timely ordered just in the order it was calculated. Obviously, every represented execution time of W( $\phi$ ) is the same as the execution time of the Observer. This means, at every execution time (clock cycle) an observer stage is evaluating a signal W( $\phi$ ) at that time. In our case, signal W( $\phi$ ) is apparently shifted by y clock cycles to the right. This view is encouraged by the fact, that at the beginning of the monitoring, the observer stages have to wait, until the first valid value of the signal W( $\phi$ ) is available for evaluation of any observer stage which is duly put at disposal. The following observer stage evaluates, at execution time n = y + 1, the second valid value of W( $\phi$ ), and so on and so forth. It should be considered, that the evaluation of a signal value from W( $\phi$ ) relates to a propositional formula  $\phi$ , which was relevant y clock cycles before. But it should also be mentioned that the signal values between execution time n = 0 and n = y - 1 are evaluated

as well, but obviously with a negative result, because no calculation can be started before any input is available.



Fig. 1.3 Example for m=3 observer stages monitoring a signal W( $\phi$ ),  $\tau$ =2

The example in Figure 1.3 shows that the calculation of the first value from  $W(\phi)$  needs y execution times. So no value is defined in the cycles before. If we take the view only from the proposition  $\phi$  as a signal, then we calculate at every execution time n, from the latest inputs and subformulas at that time, exactly the proposition  $\phi$  at that moment. But this holds under the assumption that the result of such a calculation is available immediately. The signal  $W(\phi)$  shows us, what happens if calculations of proposition  $\phi$  need some time, here we assume y=3 clock cycles. As mentioned,  $W(\phi)$  is like signal  $\phi$  shifted to the right. In Figure 1.3 we also see at which execution time the observer stages evaluate the signal  $W(\phi)$ . But this is only a preview about these observer stages. The algorithm about their real behaviour will be explained in the next chapter. The most important thing here is that these observers are working delayed. Every new observer stage starts its work after the observer stage before. This is important, because every clock cycle must be covered as long as the calculation of  $W(\phi)$  takes. The last signal shows us the invariance qualification  $e^{n-m} \models \boxdot_{\tau} \phi$  for  $\tau=2$ , which holds at execution time n=15 and n=22, but either for one cycle only.

The invariance qualification will be resolved if we connect every observer stage in a binary "and" operation. In Figure 1.3 the result is simply calculated with:

6 Introduction

Summarized, every observer stage is included in a binary "and" operation and all these observer stages together are computing at every execution time n, if the logical consequence  $e^{n-m} \models \boxdot_{\tau} \phi$  holds. If we consider all these observer stages together as one temporal (invariance before) operator, than this operator checks at every execution time n, the invariance qualification of the proposition  $\phi$ , m clock cycles before. Regarding Figure 1.3, it is true now if the proposition  $\phi$ , m clock cycles before, was invariant with  $\tau$ =2.

#### 1.2.3 System Settings of the Invariant Observer Stages

This was a brief introduction about the specific behaviour of the invariant observer as a whole. We will next detail on the parameter settings. It starts with the question of how many observer stages do we actually need? We already know that at least y are necessary. If we have to define a number of observer stages with variable "m" then the following condition must be hold:  $m \ge y$ . Depending on how long the calculation of a proposition  $\phi$  needs, a minimum of y observer stages are necessary, but upwards can be chosen arbitrarily. This shows us also the possibility to apply the Observer with his observer stages on different evaluations of system inputs despite the time they need and it works in real time. If we use only one observer stage (means immediate evaluation of  $\phi$ ), then it works as a native invariant operator.

The next interesting aspect, and maybe the most powerful argument of this design way, is the invariance parameter  $\tau$ . The number of observer stages "m" stays in no relation to the invariance parameter  $\tau$ . Following conditions are possible:  $m \ge \tau$  or  $m < \tau$ . As long as the observer is configured to cover the computation time of  $W(\phi)$ , it can be used for every arbitrary choice of  $\tau$ . In [4] this setting is fixed. My implementation of an invariant observer is able to change that parameter during run-time, but this feature is not specified in the requirements, and should be treated as such.

The next chapter shows the algorithm of the observer stages and how every observer stage works. Also a representation of the software implementation will be explained in great detail.

# Chapter 2

# **Software Implementation and Algorithm**

# 2.1 Algorithm of the Invariant Observer Stages

The following algorithm shows the proper behaviour of an observer stage.

#### Algorithm 1 Pseudo Code of an Observer Stage

```
Require: Precondition: m \ge y
 1: Initialize: count = 0
 2: if (clock mod m) = 0 then
      if W(\phi) = 0 then
         /*evaluates finished calculation of \phi after m clock cycles*/
 4:
         count = 0
 5:
      else
 6:
 7:
         /*do nothing*/
      end if
 8:
 9: end if
10: /*Following code executes every clock cycle*/
11: if count = \tau + 1 then
12:
      output = 1
13: else
14:
      output = 0
15: end if
16: count = min(count + 1,\tau + 1)
17: return output
```

As shown in Algorithm 1 the algorithm is split in two main parts. From the start of the observer stage, and periodically every m clock cycles, the upper part checks the status of the current signal value  $W(\phi)$ . If  $W(\phi)$  has an active state (e.g.  $W(\phi)=1$ ), the counter keeps his

old value, otherwise it will be set to zero. It is important that one observer stage recognizes, that the invariance qualification was not satisfied at this time. When the conjunction of all observer stages is computed, at any arbitrary execution time n, and at least one stage does not have an active output, then the result is false. This means, that at the execution time n, the invariance qualification is not fulfilled. The bottom part is executed at every clock cycle and increments the counter value up to the maximum value of the invariance qualification's range. If the counter reaches the maximum value, the respective observer stage activates its output to an active state. In fact, the counter represents the invariance qualification of length ' $\tau$ '. The term ' $\tau + 1$ ' indicates that the present value must also be involved in the invariance qualification. The counter value will be initialized with zero at the beginning of the algorithm. Hypothetically, if the counter is initialized with ' $\tau + 1$ ' the output is activated immediately, because of the bottom algorithm. But this is a contradiction to the assumption that W( $\phi$ )=0 for all execution times n before zero.

It should be mentioned that this current design does not implement or handle the calculations of the truth value of propositions  $\phi$ , which is indicated with W( $\phi$ ). On the other hand, the observers from [4] are responsible for taking the necessary inputs, calculate the atomic propositions (with ATCheckers) and immediately evaluate the ptMTL-operator qualifications. These steps have to be done in a tight time bound. In our case, W( $\phi$ ) must be updated from another entity in such a way, that at every clock cycle an observer stage must have a consistent value for evaluation. The following subsection is an overview about the implementation of the Algorithm 1 in VHDL.

# 2.2 VHDL Implementation of the Algorithm

In Appendix A.2, there is an implementation in VHDL which follows the meaning of Algorithm 1. We will discuss the different process entities and the relations with Algorithm 1. Finally, we get an overview about the improvements which are significant for a faster design. This VHDL design of an observer stage has got the following inputs and outputs:

#### (a) inputs:

- invariance\_tau is a signal variable which gets the value for  $\tau$
- enable\_in signal activates the observer stage
- **signal\_phi** is the signal state of  $W(\phi)$

#### (b) output:

- **enable\_out** is a signal whose state is set to active after the activation of the current observer stage, but delayed for exact one clock cycle.
- **output signal** is simply the output state of the observer stage.

The Observer Stage is split in a synchronous and an asynchronous design, in terms of a Moore State Machine. The process labelled "sync" (at line 83 of the VDHL-Code A.2) represents the synchronous part of that design where the register states are changed at every clock cycle. The synchronous process is only executed if the combined signal **enable\_logic** has been activated, indicating a specific behaviour of the observer stages. (VDHL-Code A.2, line 22) The observer stages are linked to each other through cascade connections. The first stage activates the next observer stage through the signal **enable\_out** after being activated through **enable\_input**. If the signal **enable\_input** of an observer stage is being activated,in a clock cycle, then the signal **enable\_out** will be activated in the clock cycle afterwards.



Fig. 2.1 Example for m=4 Invariant Observer Stages concatenated in cascade.

This ensures, that these observers are starting delayed, each 1 clock cycle after its predecessor.

Signal  $inc_tau(VDHL-Code\ A.2$ , line 21) increments the input signal  $invariance_tau$ , which represents  $\tau+1$  at every execution time. The asynchronous part works immediately after every change of the system state. (VDHL-Code A.2, line 25 and line 51) In the following descriptions of the asynchronous parts, only temporary signals are changed, but these signals transfer their values inside the synchronous part at every clock cycle, except

**inc\_tau** and **enable\_logic**. Every of these signals are indicated with "\_next" at the end of their names, but in the following descriptions only their register counterparts will be mentioned.

The process entity  $\mathbf{comb\_cycle}(VDHL\text{-}Code\ A.2,\ line\ 25)$  is the description of an internal clock counter which only counts up and down between values 0 and m. The signal  $\mathbf{cycle}$  is significant for checking the condition "(clock mod m) = 0" from Algorithm 1.

The process entity **comb\_logic** implements the main part of the algorithm. Signal **count\_p** will be incremented in each clock cycle until it reaches  $\tau+1$ . The counter should be initialised to zero (as indicated in the algorithm), but is incremented immediately at every clock cycle. (VDHL-Code A.2, line 55) Or in other words, if **count\_p** is reset to zero in a clock cycle, it will be incremented immediately in the "same" clock cycle. To demonstrate this fact we have an additional signal **count**, initialised with 1. But this signal is only for reasoning and will be reduced by the syntheses tool. The synchronous design is cumbersome in a way, which is due to the way of how the states change. If the counter is supposed to be incremented after evaluating some conditions, this does not imply an immediate change of the counter. To overcome this handicap the counter **count\_p** is initialised to 2(VDHL-Code A.2, line 56) which means, that at every clock cycle we check if the counter count\_p will reach a maximum at the next clock cycle. This enables us to change things on time. According to the Algorithm 1 at line 5, **count\_p** will only be reset if signal  $W(\phi)$  has been evaluated as being not active in **comb\_cycle**. (VDHL-Code A.2, line 56)

The first if-branch at line 53 of the VDHL-Code A.2 checks two cases. At first it will be checked if the clock passed m cycles or not and second if the signal **enable\_logic** is supposed to be active. The first question is in term of Algorithm 1, line 2. The second question concerns the signal **enable\_logic**. This signal combines **enable\_in** and **reset** in one signal. If signal **enable\_logic** is active, means that the observer stage is active and no reset condition happens. The else-branch of the first if-branch at line 67 of the VDHL-Code A.2 checks the condition in terms of Algorithm 1, line 11. The content of the if-branch (line 53) and the else-branch (67) are nearly the same, but there are two exceptions. Inside the if-branch, beginning at line 54, the status of signal  $W(\phi)$  will be checked, according to Algorithm 1, line 3. And inside the else-branch at line 75, if m cycles are no yet passed and signal **count\_p** is already at the maximum, then signals **count\_p**, **count** and **output** keep their old values. The other parts of **comb\_cycle** are straightforward, if you compare it with the algorithm. In case

the counter **count\_p** reaches the maximum, the **output** of the observer stage is activated.

The current design has been made optimizing for throughput. Besides from design decisions like using count\_p instead of count, this led to the following general design rules:

It is very important that no Latches are built by the syntheses tool, so every if-branch must contain the same changes on the same signals. A further point is to reduce the number of if-branches to a minimum. If-branches inside of an If branch extends signal paths and reduce the maximum clock design of the whole design. In the next chapter we get an overview of the hardware realisation of the current design, which shows us a more visual view on that.

# Chapter 3

# **Hardware Implementation**

The following sections give an overview on the hardware implementation of the Invariant Observer Design. The section starts with a description about the hardware platform on which the observer runs and some details about the synthesis tools. At the end of this chapter, there comes a design view about the synthesized hardware and a discussion about the design steps.

# 3.1 Hardware Platform for a Prototype

The Invariant Observer is synthesized on a Field Programmable Gate Array(FPGA). On this platform it is possible to gain insights about the observer's runtime behaviour and to perform extensive testing on a real circuit hardware implementation. The FPGA board, that was used for the simulations, is a **DE2-115** modell from ALTERA[1]. That board is ideal to illustrate fundamental concepts and advanced designs, and it gives a possibility to meet necessary real-time requirements. The DE2-115 is equipped with a **Cyclone IV EP4CE115F29** FPGA Chip and it is powerful enough to emulate a CPU(e.g. the Nios from Altera). In [4] this FPGA board was used for performance studies, besides other FPGAs, so it was natural to use a similar environment. The **DE2-115** has an on-board oscillator of 50 Mhz and in combination with a Phase Locked Loop(PLL) it is possible to increase the operating frequency for advanced tests. In the following section it will be shown, how enhanced frequencies can change the design on the Register Transfer level(RTL) and why bad design decisions can influence the maximal speed of a design. In Appendix D there is a schema illustration about the components of the **DE2-115** FPGA board.

## 3.2 Synthesis and Design

This section gives an overview on the synthesis tool and details about the Register Transfer Level design view. An interesting part in this section is to see how the synthesis tool creates hardware structures based on the code of the Observer VHDL implementation.

For synthesis and compilation of the observer VHDL code, the **Altera Quartus II Version 12.1 Build 177 Full Version** was used.

#### 3.2.1 Design View of the Register Transfer Level

In Quartus II, after compilation of the design and after creation of the netlists, you can use a tool named **RTL Viewer**, which shows how the components of the design will be created on a Hardware Platform. It is an abstract view on the **Register Transfer Level**. This tool can be very handy if someone wants to see how the hardware should look like. Based on the illustration of the hardware, some decisions can be reconsidered in terms of the performance.

Figure 3.1 is the hardware schematic view of a single observer stage (m=1), which is modelled as a single observer with input frequency equal to 50Mhz. The way the test cases were modeled, will be discussed in the next chapter. The next Figure 3.2 shows exactly the same design case like Figure 3.1 but with the difference that the operating frequency is 150Mhz. In Figure 3.2, it is illustrated how the syntheses tool reorientates the hardware design, to meet the requirements of that clock speed. The worst case path determines the maximum frequency, which is allowed for that design. A more detailed description about the timing model is given in the next subsection.

### 3.2.2 Timing Model of the Design

One important thing that has to be considered is that the signal path from the beginning of the observer entity to the end should be as short as possible, this concludes to some important design facts. The maximum frequency of the whole system is limited by the longest path of the design, which means that the performance of a system is expressed by the maximum frequency at which it may be operated. So it should be the major goal for every entity in the netlist, to keep the signal path as short as possible. The performance maximum can be computed by the Quartus Tool named **TimeQuest Timing Analyzer**, which gives estimations about the maximum frequency of the design. The longest signal path of a design is indicated by the **worst case path** in the tool.

The first version of the observer stage had a low performance level. An illustration of this version is shown in the Appendix C.2. The TimeQuest Timing Analyzer consider several predefined uncertainties for the performance estimations. From [2] it is known how the Quartus Tool creates timing models. These are created in the TimeQuest Timing Analyzer after building the netlist, as part of the compilation process of a design. A FPGA has to operate in a continuum of conditions. These conditions include the die junction temperature which can vary among specific ranges, for example commercial parts have a range of 0°C to 85°C and industrials a bigger range. A further condition is the voltage supply level with regard to critical voltages for maintaining FPGA performance(Vcc and the various I/O supplies).

The timing analyzer shows estimations for three cases

- 1. Slow 1200mv 85°C model
- 2. Slow 1200mv 0°C model
- 3. Fast 1200mv 0°C model

These are operating-condition corners which are usually end point combinations of the ranges in temperature, voltage and manufacturing processes. Each operating-condition is used to model the timing delays under specific end points of temperature, voltage, and manufacturing process conditions. The first case with "Slow 1200mv 85°C model" seems natural and was most of the time considered for test cases, because it shows frequencies under long term operating conditions. A lot of the tests about estimations of the maximum frequency of different design cases have been exercised(shown in the next chapter), and only the estimations from "Slow 1200mv 85°C model" were significant for further discussions. In the next chapter there is a summary of these tests.

### 3.2.3 Design Decisions based on Register Transfer level

At the first time, the VHDL Code of the observer stage was behaviourally correct, some performance and optimization decisions had to be reconsidered. The most important thing is to separate synchronous and asynchronous design. So, it was necessary to split the first version of a completely synchronous design, where every action is only triggered after every clock cycle.

A more parallel approach was necessary to increase the possible operating frequency. The redesign was done in a way such that only state changes are done synchronously, but

other actions are triggered immediately after any change of the state. This, so called, asynchronous system part can be separated into several independent asynchronous components, thus achieving more system parallelism and a better performance. As already mentioned in chapter 2, this system design is similar to a Moore State Machine, where the logic is separated in a transition logic, an output logic and a state memory. Only the state memory should be changed on every clock cycle. The design approach of the invariant observer is similar, but with the difference that the output logic and transition logic components are merged together. The hardware schemas from the Register Transfer Level illustrations were beneficial, because they showed how the components where created with its VHDL background. For example If-statements should be created in a way, that allow no Latches. This means that every else-branch should contain the same components like the if-branch. Following that rule, multiplexer will be created. See Figure 3.1 for example. Every multiplexer has two inputs(according to if, else), which are selected depending on the third input(MUX21). At the beginning of the entity there are several adders and these are representations for the different addition operations which has to be done according to the behaviour of the observer. **Add2** emulates " $cycle\_next = cycle + 1$ ", **Add1** emulates " $cycle\_next = cycle - 1$ " and **Add3** emulates " $count_p = count_p + 1$ " according to the sourcecode of the Observer Stages in Appendix A.2. In Figure 3.1, the MUX 21 multiplexer at the beginning, indicated by cycle\_next[15..0], is the if-branch, according to the sourcecode in Appendix A.2, which decides if "cycle = 0" or not. The MUX21[cycle\_next[31..16]] below stands for the branch "if cycle = observernumber". MUX21[cycle\_next[15..0]] decrements cycle\_next in normal case, but increments it only once if the value of cycle\_next reaches the bottom limit. MUX21[cycle\_next[31..16]] works the opposite way. As you can see, the tool enhanced cycle\_next up to 48bit to reserve memory for intermediate results. In the middle of the hardware scheme, there are two MUX21[cycle\_next[15..0]], the first(left to right) decides between " $cycle\_next = cycle + 1$ " or " $cycle\_next = cycle - 1$ " and the second between the result from first multiplexer before and the reset value. MUX21[cycle\_next[47..32]] decides between keeping the old value " $cycle\_next = cycle$ " or taking over the value from MUX21[cycle\_next[31..16]]. The overview regarding count\_p is similar, but a deeper insight about that Quartus translation behaviour would exceed that subsection. As you can see in the hardware schema, there are 5 registers (cycle, count\_p, direction, output, enable\_out) whose values represent the state of the Invariant Observer and which may only change their values at every clock\_cycle.

The dimensions of the registers are conform to the dimensions of the input conditions. For example if inc\_tau has a value with only 5 bits, then count\_p is accordingly large-

**17** 

dimensioned to 6 bits. This is only a cut-out, about how the Quartus II translates VHDL Code. A lot of other hardware representations are shown in Appendix C, actually they have the same components but another orientations. The next subsection summarize problems that were faced during the progress of that development.



Fig. 3.1 RTL View of a single observer stage with input clock of 50Mhz



Fig. 3.2 RTL View of a single observer stage with input clock of 150Mhz

# 3.3 Design problems in the development

This subsection is only written in a protocoll style, summarizing problems during the development.

- 1. The starting condition of Algorithm 1 was uncertain. The question was, whether variable count should be initialised with 0 or with (τ + 1). If count=(τ + 1) then the output is immediately switched on, which correspond to an invariance qualification. From the specification of an observer in [4], it is known from the proof of Theorem 1(in [4]) that ∀i: (i ∈ [max(0,n-τ),n] → e<sup>i</sup> ⊨ φ) from which follows that at the beginning of an execution if n − τ exceeds th bottom border, but the signal φ is true, the invariance qualification is fulfilled by that specification. This condition only holds if signal φ is known at that time. In our case the status of signal φ is always(if m ≥ 1) taken from the past. So it is not known which status signal φ has in execution e<sup>n</sup> before time 0. The Algorithm 1 is initialised in a way, that assume that W(φ) has always value 0 for all time before 0, because no assumptions can be made for a proposition φ before the observers are started.
- 2. The Invariance Observer was tested with a self-made signalgenerator which imitates input  $\phi$ . As a result, two clock domains were created, although the clock signals came from the same PLL(Phase Locked Loop). If the observers clock is an "even" multiple of the second clock frequency(signalgenerator), there was no problem, but if the clock frequencies are chosen in a different way, then it comes to clock drifts.
- 3. The file (\*.sdc file)for timings has to be adjusted every time, if there are changes in one of the clock domains. The PLL output timings have to be analyzed separately by the TimeQuest Timing Analyzer. If this does not happen, false estimations are created for "Slow 1200mv 85°C model" maximum frequencies and worst case paths.
- 4. The first download of the compiled design to the FPGA was not successfull, because the Quartus Tool was not correctly adjusted to that plattfom. The following points had to be changed:
  - The correct architecture must be set
  - the voltage level must be set for all inputs and outputs
- 5. It should be always considered what is the active state of an input component or output component, for example input KEY is low active and it was used to reset the FPGA board.

# Chapter 4

# **Experiments and Testing**

This Chapter contains a detailed description of the simulations and experiments carried out on the Invariant Observer. The first section is a survey about the environment of the experiments and their semantic property. Afterwards the author gives an overview on the simulations with ModelSim. In the final section there is a detailed description about the test cases and experiments, including results of the performance studies which were mentioned in subsection 3.2.3 of Chapter 3 before.

# 4.1 Reasoning and Environment of the Experiments

This section should be considered as an answer for the following questions "Which results do we gain from these experiments?" and "How are the experiments done?".

### 4.1.1 Reasoning and Meaning

The Invariant Observer will interact with an environment in which at least soft real-time, but most likely hard real-time conditions will exist. Therefore, the correct behaviour has to be shown with regard to the algorithm and the resulting VHDL Implementations. A good start to show a correct behaviour are simulations, but it should be mentioned that no clear assertions can be made about correct timings of the underlying Design. This question will be examined in section "Experiments". How the simulations and experiments were executed, and which insights they produced, will be discussed in the next subsection. After the simulations, to present a first proof about the correct principle of the Invariant Observer, the VHDL Design had to be synthesized into a Hardware. A FPGA Board was the best

solution, besides other possibilities like ASICs (Application-specific integrated circuits) or microcontrollers. An ASIC is the most performant solution, but that solution is hard-wired and any change of the design is very expensive. However, an ASIC is typically the final product implementation.

A Microcontroller would never reach the performance of a FPGA Board and FPGAs are more cost effective and nearly as performant like as hard-wired solutions. Any change of the design can be easily downloaded on a FPGA Board, so it seems natural to use a FPGA as the prototyping platform. One important part of the experiments was to show the timing boundaries of the Observer Design (e.g. the maximum performance on a FPGA board like the DE2-115, which was used for the experiments). But other FPGAs with stronger capabilities could reach better performance goals. In [4] for example, several FPGA models were used to reach a more expressive experiment. Another part of the experiments was to show the ability of handling any propositional formula  $\phi$ , which is a temporal description of ongoing operations from an observed system. The evaluation of  $\phi$  takes time, maybe several clock cycles, until the final computation  $W(\phi)$  is finished. That circumstance was not exactly tested, but a different approach was introduced to emulate that behaviour. More detailed experiments also focusing on this aspect are required before in-field use.

The next subsection will explain the detailed investigations of the Invariant Observer through the experiments.

### **4.1.2** Build-up of Experiments

At the beginning some facts about the Invariant Observer will be repeated, to give a better understanding about the tests that were made. The Invariant Observer consist of several Observer Stages. To cover every clock cycle n, where a finished computation of a proposition  $W(\phi)$  is evaluated, we need at least as many Observer Stages ( $m \ge y$ ), as the computation (y clock cycles) needs. As a reminder, the Observer Stages are not responsible for the computation of the propositions (in contrast to [4]), but for the final evaluation of the status of the computation. So it seems logical to create a signal  $W(\phi)$  which gives, at every clock cycle, a pseudo computation of a proposition  $\phi$ . With that approach, it was easy to carry out experiments that strengthen the confidence in the correct behaviour of the Invariant Observer.

For example we have m=3 Observer Stages (means theoretically that the computation of  $\phi$  needs less than 3 clock cycles), and we want to show the invariance of signal W( $\phi$ ), actually the finished computation  $W(\phi)$  at every clock cycle, with  $\tau=10$ . That 3 Observer Stages show whether the signal  $W(\phi)$  was invariant 11 clock cycles, the current clock cycle

4.2 Simulations 23

included. The experiments have been exercised with a plain implementation of a signal  $W(\phi)$  and with a more complex implementation of  $W(\phi)$ , which gives a stronger argument of the correct behaviour. More about that in the sections "Experiments" and "Simulations". These two versions of a simulated input signal for the Observer Stages are justified with the fact, that the Quartus synthesis tool could create distinct implementations of the Observer Design, because it must match the correct timing behaviours in both cases. As a result, the experiments are separated in two parts, as already mentioned in the subsection 4.1.1 before, but this will be discussed in the section "Experiments". The next section details on the simulations.

#### 4.2 Simulations

To simulate the VHDL Design of the Observer Stages the simulation tool **ModelSim** (**Version 10.1d**) from **MentorGraphics** was used. A testbench, created for simulations in Modelsim, gives a good overview about the intended behaviour of the implemented algorithm and it is useful for debugging and error detection. At the beginning, only one Observer Stage was simulated, because it demonstrates the simplest case. After error corrections and successful simulations of one Observer Stage, further simulations were proceeded with more Observer Stages.

Figure 4.1 illustrates a simulation with m=5 Observers, where every Observer Stage monitors the yellow coloured input signal  $W(\phi)$  for Invariance  $\tau=3$ . The leftmost column shows the names of the illustrated signals. For every Observer (OBS1 to OBS5), signals cycle,  $count_p$  and their corresponding outputs (add1 to add5) are shown to overlook their behaviour on the yellow coloured input signal  $phi_s$  (=W( $\phi$ )). Signals cycle and  $count_p$  are already described in 2.2 and 3.2.3, so there is nothing additional. Signals add1 to add5 (grey coloured) are the outputs of the different Observer Stages, which are linked together in a binary add operation. The result of that operation is illustrated as the red coloured signal  $coutput_s$  which shows the final result of the Invariance Observer.

Signal  $phi\_s$  is generated by a complex signalgenerator to get a nearly universal test signal. The green coloured signal at the top indicates the system clock which drives the signalgenerator and all the Observer Stages at the same time. While the signalgenerator is driven on the rising edge, the Oberver Stages are driven on the falling edge. This fact is important to understand one further explanation of the simulation. The most important thing that is shown in that illustration is that the Observer Stages activate together the final  $output\_s$  exactly tau + 1 (with  $\tau = 3$ ) clock cycles after signal phi\\_s still holds its active state. This

case is indicated between these two big vertical lines. It shows that the Invariance Observer monitored an Invariance Situation of signal *phi\_s*, according to the behaviour described in Chapter 2. That Invariance Situation continues three clock cycles until signal phi\_s goes into a non active state and therefore output\_s, too.

As mentioned before, signal phi\_s changes its state on a rising edge, whereas an Observer Stage checks the state of signal phi\_s on a falling edge. This also explains the delayed reaction of the Observer Stages on changes of the input signal as can be seen in Figure 4.1. However, this handicap could be enhanced by driving the Observers clock a multiple faster. The output of the signalgenerator phi\_s is designed in a way to increase the invariance of its active state continuously, so it was reasonable to see how the final red coloured output behaves in comparison with phi\_s. To make it clear, signal phi\_s which is created by the signalgenerator only delivers a pseudo input for the Observer Stages which can be understood as: "at every clock cycle, a computation of  $\phi$  is finished and the result of that computation  $W(\phi)$  is illustrated as true (active state) or false (low state)". In the simulations and experiments, which are carried out with the pseudo signal  $W(\phi)$ , the number of Observer Stages was not choosen by a specific computation time y, but rather choosen arbitrarily. That circumstance also applies to Figure 4.1. There could be less or more than five Observer Stages, the simulation would behave the same.

Finally, it should be discussed how the Observer Stages are initialised. The fourth signal from the top enable\_s activates the first Observer Stage which is located at the beginning of an Observer Cascade Chain. This principle was already shown in Figure 2.1. After one clock cycle the following Observer Stage will be activated by signal en\_1 from the Stage before, and after one clock cycle again signal en\_2 activates the next Observer Stage and so on. In Figure 4.1 this behaviour is illustrated at the beginning by signal enable\_s, signals en\_1 till en\_4 and the last output in the cascade by signal next\_obs.

A further illustration from another simulation is shown in Appendix B with m=10 Observers. A lot of simulations with different configurations were made, with different numbers of Observer Stages and different Invariance Qualifications. Automated Testing was necessary to have a stronger error check in case of changes in the design. Assertions as part of the VHDL language were inserted into the Code to have a possibility to check if the behaviour of the Observer Stages is still the same. Modelsim gives also the possibility of scripting, which is very helpful when a lot of simulation parameters have to be handled.

The following final section introduces the experiments with a FPGA Board.

4.2 Simulations 25



Fig. 4.1 Illustration of a Simulation with m=5 Observers and Invariance  $\tau=3$ 

## 4.3 Experiments

This section treats the experiments done for the Invariance Observer Design. The main part of the experiments were dedicated for testing the behaviour of the Invariant Observer. Other experiments were justified by the reason to figure out the maximum performance of the Observer Design. It is decent to present only the edge cases of the experiments, which have reasonable arguments. However, several further experiments have been exercised to stress the correctness of the circuit unter test. For the first, it was important that the correct behaviour of the Invariant Observer was tested and demonstrated on the FPGA Board. The correct behaviour of the Invariant Observer Design, synthesized on a DE2-115 FPGA board, will be shown by the following pictures made with the logic analyzer (Agilent 16803A). The logic analyzer was used to monitor the output pins GPIO(0) to GPIO(34) from the FPGA Board. An example of a TOP VHDL file which embeds the Invariant Observer Design inside a Test Environment is shown in Appendix A.2. A lot of TOP files with different configurations where created, but this one example (A.3 and A.4) should only show how the experiments work. The output of every Observer Stage is connected to a GPIO output pin, and every of these GPIO pins can be measured and displayed on the logic analyzer. The pictures shown for up to 5 Observers (Figure 4.3 and Figure 4.2) show only the ouputs from GPIO(0) to GPIO(14) in the left side of every these pictures. For 10 Observers, the examples in Figure 4.4 and Figure 4.4 illustrate the output pins from **GPIO(0)** to **GPIO(31)**. For example the first signal **GPIO(0)** is always the **reset\_s** signal similar to the arrangement in Figure 4.1. The names of the signals in the following picture are also the same like in the simulation, so it should be clear what the signals in the appropriate line means.

## 4.3.1 Testing the Behaviour

The experiments in this subsection are realized with a signalgenerator which was built individually to simulate an invariance signal that is step-wise increased in length. This is only the case, because we want to see the correct behaviour of the Observer Stages indicated by **add0** to **addn** and **final\_output**. The signalgenerator and the observer stages are driven with the same input clock of 50MHz, only for demonstrations. An indicated  $f_{max}$  means the maximum frequency estimation from the Quartus Tool for the whole design according to the Slow 1200mv 85°C model, which was described in subsection 3.2.2. But that will be more considered in the next subsection regarding the performance, whereas this section has no significant arguments regarding the performance of the Observer Stages, because  $f_{max}$  also depends on the included signalgenerator. The pictures in that subsection are very similar to

4.3 Experiments



Fig. 4.2 Illustration from the Logic analyzer which shows the case  $m=1, \tau=1$ 



Fig. 4.3 Illustration from the Logic analyzer which shows the case  $m=5, \tau=10$ 

the explanations in Section 4.2 regarding simulations, so only some few informations will be added. Every picture contains two clock signals, one for the signalgenerator and one for the Observer Stages, this was introduced only for the possibility that the frequency of **CLK\_OBSERVER** is a multiple of **CLK\_Generator**, but that idea was declined because of some irregular behaviours which will be discussed in the Summary of Chapter 5. In principle **CLK\_Generator** and **CLK\_OBSERVER** should be the same.

The simplest case, shown in the first picture Figure 4.2, is one Observer m=1 and  $\tau=1$ . Recall that the vertical lines indicate the start of an active signal phi\_s and the start of it's Invariance Condition.

- $\tau = 1$  with  $f_{max} = 91,41$  MHz (shown in Figure 4.2)
- $\tau = 10 \text{ with } f_{max} = 87,61 \text{ MHz}$

Figure 4.3 shows 5 Observer (m=5) with observing an Invariance of 10 clock cycles Signal **final\_OUTPUT** is the binary conjunction from **add0** to **add4**. The vertical lines



Fig. 4.4 Illustration from the Logic analyzer which shows the case  $m=10, \tau=1$ 



Fig. 4.5 Illustration from the Logic analyzer which shows the case  $m=10, \tau=1$ 

indicate the beginning of the observation by the Observer Stages (phi\_s in active state) and the Invariance Condition  $\tau = 10$  fullfilled at the right vertical line. If every falling edge of signal **CLK\_OBSERVER** is counted between both vertical lines, it should be equal to  $\tau + 1 = 11$ . The same principle should hold for further pictures.

Figure 4.4 and Figure 4.5 show the same experiment (illustration from logic analyzer separated in two pictures) with 10 Observers (m=10) which are observing Invariance of  $\tau=1$  on signal phi\_s. Figure 4.5 illustrates the same behaviour like the pictures before. Figure 4.5 also shows how the Observer Stages are activated, one by one. Signal enable\_start shows the start of that start-up sequence, which illustrates the behaviour according to the Algorithm 1 that every Observer Stage turns on the next following Observer Stage after one clock cycle as illustrated by Figure 2.1.

The next subsection shows a chain of experiments with the aim to answer the question: "What is the maximum possible clock frequency that can drive the Observer Stages?"

4.3 Experiments

#### 4.3.2 Maximum Performance

This subsection discusses the maximum possible performance of the Observer Stage Design under involvement of the limitation by the DE2-115 FPGA Board. The following testchain comprise the Invariant Observer Design and a plain Signalgenerator, which only changes the signalvalue of his output at every clock cycle. For this experiment it was important that the Quartus II tool takes its focus on the Observer circuit, and estimations of the Slow 1200mv 85°C model depends only on the Observer Design. Another modification is that the Phase-Locked Loop (PLL) is used actively, which means that the clock frequency of the Observer Design will be increased in several steps, depending on the experiment case. At every increase of the input clock frequency, the timing model file (\*.sdc) must be updated with the Time Quest Analyzer tool. Then depending on the current clock, the number of Observer Stages will be increased, to see the maximum performance for that configuration. The maximum range of Invariance  $\tau = 255$  is always used, but some experiment cases may have additional tests with another Invariance  $\tau$  where the differences in the performance can be seen. Similar to the previous subsection,  $f_{max}$  means the maximum frequency according to the Slow 1200mv 85°C model as a result of the Quartus Timing Model estimation.

#### Legend:

(LE is the number of Logic Elements used on the FPGA Board from available 114480LE)

- (1) Inputfrequency for all Observer Stages: 50MHz with plain Signalgenerator
  - a) 1 Observer,  $\tau = 255$  and  $f_{max} = 86,4MHz$
  - b) 10 Observer,  $\tau = 255$  and  $f_{max} = 101,83MHz$
  - c) 100 Observer,  $\tau = 10$  and  $f_{max} = 83,81 MHz$  (6718 LE $\sim$ 6%)  $\tau = 255$  and  $f_{max} = 79,88 MHz$
  - d) 300 Observer,  $\tau = 255$  and  $f_{max} = 74,01MHz$
  - e) 1000 Observer,  $\tau = 255$  and  $f_{max} = 66,00MHz$  (72514 LE $\sim$ 63%)

- (2) Inputfrequency for all Observer Stages: 100MHz with plain Signalgenerator
  - a) 1 Observer,  $\tau = 255$  and  $f_{max} = 96,82MHz$

- b) 10 Observer,  $\tau = 255$  and  $f_{max} = 134,99MHz$
- c) 100 Observer,  $\tau = 255$  and  $f_{max} = 116,44MHz$
- d) 1000 Observer,  $\tau = 1$  and  $f_{max} = 106,09MHz$  $\tau = 255$  and  $f_{max} = 95,27MHz$  (72755 LE $\sim$ 64%)
- (3) Inputfrequency for all Observer Stages: 200MHz with plain Signalgenerator
  - a) 1 Observer,  $\tau = 255$  and  $f_{max} = 90,82MHz$
  - b) 10 Observer,  $\tau = 255$  and  $f_{max} = 139,30MHz$  (possible **MAXIMUM**)
  - c) 100 Observer,  $\tau = 255$  and  $f_{max} = 114,57MHz$
  - d) 1000 Observer,  $\tau = 255$  and  $f_{max} = 103,46MHz$

In the experiment from (3) case b) the synthesis with the maximum possible performance of the Invariant Observer Design was created by the Quartus Tool. In Appendix C.2 there is an illustration of the RTL View of that design case. As high the performed input clock is, as well must Quartus sythesize the design to meet the requirements for that frequency. This results in the fact that the worst case path time must stay inside the time needed for a clock cycle. In all three experiments from (1) to (3) it can be seen that it is not always possible to meet these requirements for an input clock. Especially, in the experiments with 200MHz input clock there is no single case that meets that requirement.

One interesting thing that can be seen in all three experiments (1),(2),(3) is that for case b) with 10 Observers, the Quartus tool always reaches the maximum performance out of these cases. 1000 Observers occupy nearly 64% of the capacity of the Logic Elements that a FPGA Board possesses. Thus the upper bound on the number of possible Observers is close to 1500. Other boards with higher capacity are obviously capable to contain more Observers. (e.g. DE4 model series with Stratix IV FPGA cores with up to 820K LE) Finally, the differences between different values of  $\tau$  are not significant as we can see in 1c), 2d), hence the variance keeps inside 10MHz.

### Chapter 5

#### **Summary**

In this work, an alternative version of an Invariant Observer from [4] which circumvents specific design restrictions from [4] was introduced. For example, propositions  $\phi$  are not restricted by the logahedron class of atomic proposition like in [4], so there is not a tight time bound to fulfil. With the possibility of a massively parallel constuction of the Observer Stages as parts of a complete Invariant Observer which allows evaluating a proposition  $\phi$ at every clock cycle, the proposed design can result in a significant performance increase. The Observer Stages are in way more flexible than in [4], besides the possibility to change the Invariant  $\tau$  during runtime. But these agile advantages should be tested in a more detailed experiment and under real-time conditions. Another point to mention is, that the experiments considered only the case that the Observer Stages are running in the same time domain as the system that evaluates the proposition  $\phi$  to W( $\phi$ ). For example three clock cycles which passes for  $W(\phi)$  are also the same three clock cycles for the Observer Stages. It came out, that a better resolution could be performed if the frequency that drives the Observer Stages is a multiple of the frequency of the system that evaluates  $W(\phi)$ . For example if the evaluation system for  $W(\phi)$  is driven with 10KHz and the Observer Stages with 20KHz and an Invariance of  $\tau = 2$  on W( $\phi$ ) should be monitored, then the Observer Stages must observe an invariance of  $\tau = 4$  to meet the same time domain. That aspect should be considered in further real-time experiments. In [4] these two systems are acting together. The Invariant Observer should be considered as a temporal operator which follows the specifications of ptMTL  $\boxdot_{[y,y+\tau]}$  but with the restriction that it cannot perform the observation of the invariance inside intervall [0,y]. That means, that the computation time for a proposition  $\phi$  cannot be less than y (maybe the only disadvantage). Finally, the design approach of the Invariant Observer presented in this work also hints at potential approaches to derive other parallel performant temporal operators from the Metric Temporal Logic like

32 Summary

<sup>&</sup>quot;Exists-Operator within Intervals".

#### References

- [1] Altera de2-115 fpga-board description. http://www.altera.com/education/univ/materials/boards/de2-115/unv-de2-115-board.html, . Accessed: 2014-04-24.
- [2] Altera timing model. ttp://www.altera.com/literature/wp/wp-01139-timing-model.pdf,. Accessed: 2014-04-24.
- [3] A.P. Ravn, H. Rischel, and K.M. Hansen. Specifying and verifying requirements of real-time systems. *Software Engineering, IEEE Transactions on*, 19(1):41–55, Jan 1993. ISSN 0098-5589. doi: 10.1109/32.210306.
- [4] Thomas Reinbacher, Matthias Függer, and Jörg Brauer. Real-time runtime verification on chip. In Shaz Qadeer and Serdar Tasiran, editors, *Runtime Verification*, volume 7687 of *Lecture Notes in Computer Science*, pages 110–125. Springer Berlin Heidelberg, 2013.

## Appendix A

# **Source Implementation in VHDL**

A.1 Observer Stage

```
LIBRARY ieee;
     USE ieee.std_logic_1164.all;
use IEEE.NUMERIC_STD.ALL;
     entity observer is generic (
          observernumber:unsigned(15 downto 0):=x"0001" -- how many observer are instan
tiated
9 );
10 port (
        clk :in std_logic;
reset :in std_logic;
enable_in :in std_logic;
invariance_tau :in std_logic_vector(7 downto 0);
signal_phi :in std_logic;
output :out std_logic;
enable_out :out std_logic
);
13
15
16
18
19
     end entity;
```

Fig. A.1 Code of Observer Entity Design

```
## **count_park (= count.)

##
```

```
: unsigned(18 downto 0):= "000000000";
: unsigned(15 downto 0):= x"0001";
: unsigned(15 downto 0):= x"0002";
: unsigned(15 downto 0):= x"0000";
: std_logic := 'l';
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          -- main logic of the observer
comb_logic: process(inc_tau,count,count_p,cycle,signal_phi,enable_logic)
begin
                                                                                                                                                                                                                                                                                                                                                                                     std_logic := '0';
: std_logic := '0';
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              to 0
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          comb_cycle: process(cycle.direction,enable_logic)

begin — changes cycle.direction,enable_logic)

begin — changes cycle.maxt, direction, changeDirection

if(direction = '0' and enable_logic = '1') then

if(direction maxt <= '1';

cycle_next <= cycle + 1;

direction_next <= '0';

cycle_next <= cycle + 1;

direction_next <= '0';

elsif(direction = '1' and enable_logic = '1') then

if(cycle = observernumber) then

direction_next <= '0';

cycle_next <= cycle - 1;

direction_next <= '0';

cycle_next <= cycle - 1;

direction_next <= '0';

cycle_next <= cycle - 1;

direction_next <= '1';

direction_next <= '1';

ensite of the cycle = '1';

direction_next <= '1';

ensite of the cycle = '1';

direction_next <= '1';

ensite of the cycle = '1';

ensite of the cycle of '1';

ensite o
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               count_next <= count;

count_pack <= count;

count_plack <= count_p;

end if;

end if;

end if count_p <= inc_tau and enable_logic = 'l') then

count_next <= count_p + 1; --every clock cycle

count_plext <= count_p + 1; --every clock cycle
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       -- parallel logic
inc_tau <= unsigned(invariance_tau) + to_unsigned(1,9)
enable_logic <= enable_in and not reset;</pre>
                                                                                                                                        architecture Behavioural of observer is
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    direction_next <= direction;
cycle_next <= cycle;
end if;</pre>
                                                                                                                                                                                          signal inc_tau
signal count,count_next
signal count_p.count_p.next
signal count_p.count_p.next
signal cycle,cycle.next
signal direction,direction_next
LIBRARY ieee;
USE ieee.std_logic_1164.all;
use IEEE.NUMERIC_STD.ALL;
                                                                                                                                                                                                                                                                                                                                                                                  signal enable_logic
signal output_next
begin --BEGIN ARCHITECTURE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           process comb_cycle;
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   parallel logic
```

Fig. A.2 Code of the Behavioural Design of an Invariant Observer

#### A.2 TOP File

A.2 TOP File 39





Fig. A.3 Example Code of a TOP file for experiments



Fig. A.4 Example Code of a TOP file for experiments

## **Appendix B**

## **Modelsim Simulations**

**B.1** Simulations with 10 Observer



Fig. B.1 m=10 Observer and  $\tau = 3$  with view about cascade activation of the observer



Fig. B.2 m=10 Observer and  $\tau=3$  with view about the output of the Observer Stages and final red-colored output



Fig. B.3 m=10 Observer and  $\tau = 3$  with an overall view

## **Appendix C**

## Register Transfer Level Design View

**C.1** Design of the First Version



Fig. C.1 Illustration of the TOP Design of the first correct version, but without improvements



Fig. C.2 Illustration of the Observer Design of the first correct version,but without improvements



Fig. C.3 Illustration of the Signalgenerator of the first correct version, but without improvements

### **C.2** Design of the most performant Version



Fig. C.4 Illustration of the TOP Design with the best performance



Fig. C.5 Illustration of the Observer 0 from 9



Fig. C.6 Illustration of the Observer 0 from 9



Fig. C.7 Illustration of the Observer 5 from 9

# **Appendix D**

# **Datasheets and Descriptions**

