Selfadaptive systems need to monitor themselves, to check their internal behaviour and design assumptions about runtime inputs and conditions. This kind of monitoring for selfadaptive systems can include collecting statistics about such systems themselves which can be computationally intensive (for detailed statistics) and hence time consuming, with possible negative impact on selfadaptive response time. To mitigate this limitation, we extend the technique of incircuit runtime assertions to cover statistical assertions in hardware. The presented designs implement several statistical operators that can be exploited by selfadaptive systems; a novel optimization is developed for reducing the number of pairwise operators from
Selfadaptive systems can configure themselves to flexibly deal with changing environments after they are deployed. The configuration itself is systematically guided by means of system selfmonitoring to aid decisions about changing modes or to check design assumptions about runtime data and conditions or their internal operation. Such monitoring could check elementary Boolean conditions or, more generally, could process collected runtime system data, feeding a process of deciding whether or how the system can be adapted. The response time to adaptation is a fundamental feature characterizing selfadaptive systems. For the class of applications from the avionics domain we investigate, a fast response time to adaptation is crucial and motivates our advocated approach, presented in the rest of the paper. Gathered system data can be used for many purposes; for example, design assumptions about ranges of input values, used to optimize operator bitwidths, can be checked by assertions about the standard deviation of the input.
In this paper, we propose
Figure
Our approach: hardware datapath augmented with incircuit statistical assertions feeding an engine running a selfadaptive algorithm in software.
This paper makes the following contributions:
the design and optimized implementation of incircuit statistical assertions, which can be used by selfadaptive systems to monitor themselves and control system adaptation;
a case study on avionics systems, showing the potential of incircuit statistical assertions;
evaluation of tradeoffs between assertion implementations in software and in hardware, showing the advantages of our proposed incircuit assertions.
Compared to our previous work [
The rest of the paper is organized as follows. Section
Statistical assertions have been proposed by Dinh et al. [
This section presents our approach to incircuit statistical assertions and their implementation.
Our assertion language comprises C language style Boolean operators, augmented by statistical primitives. We choose the C language as it is familiar to many designers. The set of statistical primitives is as follows:
We choose these primitives as a useful set for expressing statistical conditions; future work could add further statistical operators such as covariance, skewness, and kurtosis or limit the number of cycles over which the statistics are calculated, potentially reducing hardware resources.
The following shows the grammar of our statistical assertions language in extended BackusNaur form:
We propose four architectures suitable for streaming systems: both
Online algorithms for calculation of statistical metrics such as mean, variance, and standard deviation are known [
Online algorithms can be expressed as a set of recurrence equations calculating the sum, mean, and sum of square differences in terms of the current input
We design both feedforward and feedback architectures for the online algorithms. Figure
Partial calculation of statistics using feedforward online operators. There are
Figure
Partial calculation of statistics using feedback online operators.
Chan et al. developed pairwise algorithms for sum, mean, and variance [
Partial calculation of statistics using feedforward pairwise operators: naive implementation of Chan et al.’s algorithm [
Figure
We optimize the feedforward pairwise design using the observation that, in a streaming system, iterating through the input data in order, sums of neighbouring elements can be accessed by stream offsets, which are mathematically equivalent to
In Figure
Partial calculation of statistics using feedforward pairwise operators, optimized for streaming systems. Compared to Figure
Note that the above only calculates part of the variance, specifically the local variance around each sample; however, it greatly reduces the amount of data sent back to software. The design consists of repeating units of the pairwise operator and stream offsets to delay the input. Each repeating unit reduces by half both the output data and the remaining calculations to be done in software, so
In addition, we extend the optimized pairwise algorithm to a feedback architecture (Figure
Partial calculation of statistics using feedback pairwise operators. The two multiplexors share a control input; stream offsets labelled
Table
Summary of different operator properties.
Architecture  Algorithm  Storage  Compute  Outputs 

Feedback  Online 



Feedback  Pairwise 



Feedforward  Online 



Feedforward  Pairwise 



We choose Maxeler streaming systems to implement our designs, though the approach is not Maxeler specific and can be ported to other design descriptions such as Verilog and VHDL. We focus on a systematic approach to translating assertions into Maxeler designs; future work includes developing a tool for compiling Maxeler designs extended with statistical assertions into the current base language.
The Maxeler system generates
Maxeler tools compile designs into hardware description languages and control FPGA vendor tools to build the corresponding bitstream for a specific FPGA device. Software can interact with the generated hardware using a Maxeler application programming interface to configure the FPGA device with the bitstream and run on user data stored in C arrays. The Maxeler tools automatically pipeline the datapath, resulting in deeply pipelined operators at a high clock rate. This works well for feedforward designs, but feedback requires some manual intervention and reordering or duplicating of input data.
Avionics systems are electronic systems used for control or information in the aviation or aerospace industries [
Selfadaptive systems with a fast response to adaptation (where fast means quicker than
autonomous flying systems,
special satellites,
deepspace mission systems,
exploratory space mission systems.
All these systems operate in environments that cannot be fully described at design time and hence such systems cannot be statically designed to cover and handle all environmental settings. Furthermore, these systems have strong constraints on power consumption, weight, and packaging volume. Additionally, these systems may never be physically reachable after deployment.
We choose a
We analyze the processing structure of these systems for the functionality of guidance, navigation, and orientation, revealing that the processing is commonly composed of different blocks/kernels with inputs and outputs. Determining the adequate bit widths and hence precision for the inputs and outputs is difficult and is often based on worst case assumptions involving unnecessary resources. An alternative is to start with an initial, more optimistic design assumption about the input/output value range, used to optimize operator bit widths. Such assumptions can be checked by assertions about the standard deviation of the input and adapted by another kernel version accordingly if required. Obviously, fast response time to adaptation is to avoid compromising system functionality, while simultaneously optimizing the system at runtime with respect to performance, energy efficiency, and environmental adaptability.
Our case study involves true airspeed calculation. Calculating the true airspeed from external sensor signals (Pitot tubes) and continuously providing a correct value of the true airspeed to the avionic computers is of critical importance for safe flying, navigation, and airtraffic operation. This calculation affects aircraft and helicopters operated manually as well as autonomous unmanned aerial vehicles (UAVs). Due to the safety relevance of this particular calculation and the overall unalterable structure of today’s avionic systems, it is common practice to redundantly (triple) realize the calculation of the true airspeed, including the sensors. With respect to the sensors, the redundant approach is obvious and well justified, but for the calculation of the true airspeed a redundant approach is, in most flight phases, an overdesign and consequently a waste of computing resources. For civilian and military aircraft and helicopters, this approach can currently be tolerated and technically realized. However, for UAVs with envisaged long operation times, a predefined and fixed architecture wastes computing resources, directly impacts on weight and fuel consumption, and consequently negatively influences operation time.
Our proposed approach offers a twofold strategy and technical solution to systematically address the calculation, with respect to the true airspeed, especially providing a technically attractive solution for UAVs. In detail, hardware assertions will allow for single realisation of the true airspeed calculation in flight phases with stable and predictable weather conditions. Possible failures in the calculation can be identified by the assertions with counteractions of using the old value or starting reconfiguration actions if the failure remains permanent. Statistical assertions evaluation can be utilized to predict upcoming problems and to start counteractions before the failure appears and affects the system. Reconfiguration itself, within our defined timeframe of 500 ms, enables flexible adjustment of system to adapt to identified failures or simply to different flight phases, where, for instance, failures of the true airspeed are not acceptable and double or triple modular redundancy is, for that situation in time, the best solution. Consequently, our proposed approach can adjust our calculation of the true airspeed to suit different flight situations and can utilize the computing resources efficiently.
For example, given inputs of static and impact pressures, the formula for calculating true airspeed
Note the units of measurement are governed by the units of
Figure
Datapath of streaming implementation of true airspeed. Each connector is a potential point to add statistical assertions.
We evaluate our implementations of onchip statistical assertions showing the tradeoff between hardware and software implementations. We compare
scalability: operator size versus hardware size;
software versus hardwareassisted results: speed, bandwidth.
Figure
Area usage and output reduction versus unroll factor for the feedforward pairwise variance operator.
The feedforward online operator performs less well than the feedforward pairwise operator, as shown in Figure
Area usage versus unroll factor for feedforward online variance operator.
Figure
Area usage versus number of variance assertions for feedback online variance operator.
Avionics case study: estimated time taken by software and feedback hardware variance assertions versus number of assertions.
Avionics case study: resources used by the true airspeed datapath (Figure
To enable efficient monitoring for selfadaptive systems, we design and implement incircuit statistical assertions, allowing designs to use several frequently occurring statistical operators to capture desired runtime properties of design inputs, outputs, and internal signals. Results show that response time can be greatly reduced at a modest cost in hardware area per exception.
Current and future work includes enlarging the set of statistical primitives to allow more general assertions on the state of the design. We would also like to explore the interaction of the statistical operators with runtime reconfiguration, since statistical conditions can be used to decide when to reconfigure. More generally, the statistics operators themselves can be reconfigured, allowing the system to alter the balance of configurable hardware between assertions and computation depending on runtime conditions. Furthermore, runtime statistics for large datapath operators can provide information about their adequacy, enabling continuous runtime optimization of system performance and energy efficiency.
The authors declare that there is no conflict of interests regarding the publication of this paper.
This work was supported in part by the UK EPSRC, by the European Union Seventh Framework Programme under Grant agreement nos. 257906 and 318521, by the HiPEAC NoE, by the Maxeler University Program, and by Xilinx.