
Real-time Systems

STUDY GUIDE

HAN University of Applied Sciences


Master Engineering Systems | Real-time Systems
Revision history

Revision  When        What
1.0       26/01/2023  Initial revision for the 2023/2024 academic year

Page 1 | 66
Table of contents

Revision history ........ 1
Table of contents ........ 2
Learning unit 01: The real-time environment ........ 4
Learning unit 02: Simplicity ........ 5
Learning unit 03: Global time ........ 6
Learning unit 04: Temporal relations ........ 7
Learning unit 05: Dependability ........ 9
Learning unit 06: Real-time communication ........ 11
Learning unit 07: Real-time operating systems ........ 13
Learning unit 08: Digital Twinning ........ 17
Learning unit 09: System design ........ 18
Learning unit 10: Validation ........ 21
References ........ 24

Learning unit 01: The real-time environment
Before class activities
Reading: Preface (Kopetz, 2023)

Reading: Chapter 1 The Real-Time Environment (Kopetz, 2023)

• Carefully read Sections 1.1 – 1.5.
• Skim Sections 1.6 and 1.7.
• System Workbench for STM32 (SW4STM32) is an Eclipse-based integrated development
environment (IDE) for STM32 microcontrollers. Download and install SW4STM32 [1].

In class activities
Warming up: discussion of prior knowledge

Presentation: Learning unit 01.pptx

Lab exercise
• CMSIS-Core is a vendor-independent hardware abstraction layer for the Cortex-M processor
series. CMSIS-Core provides consistent and simple software interfaces to the processor
and the peripherals, simplifying software re-use, reducing the learning curve for new
microcontroller developers and reducing the time to market for new devices (CMSIS, 2018).
This website [2] provides an overview of how CMSIS is used in embedded applications.

With respect to CMSIS remember that:

o a register is accessed by addressing a memory location;
o structs are used to define the memory layout of all the registers for a single
peripheral;
o the CMSIS header files provided by STMicroelectronics define the structs for all the
peripherals;
o the CMSIS header files provided by STMicroelectronics define the memory location for
each of the structs.

• Create, test and discuss a Hello World! application.

[1] http://www.openstm32.org
[2] http://arm-software.github.io/CMSIS_5/Core/html/using_pg.html
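The four CMSIS points above (a register is a memory location; a struct fixes the layout of one peripheral; the vendor header supplies both the struct and its address) can be shown on a host without a board. The example below is added here and is not code from this guide, the course project or the STMicroelectronics CMSIS headers: it declares a hypothetical three-register GPIO struct in the CMSIS style, points it at a block of ordinary memory the same way the ST header points GPIO_TypeDef at GPIOA_BASE, and then shows that writing a struct member is a plain word write at a fixed offset. The struct layout, the name FAKE_GPIOA and the choice of PA5 as the LED pin are assumptions made for the example; the real STM32F0 GPIO_TypeDef has more registers, and the hardware, not software, turns a BSRR write into an ODR change.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical GPIO register layout in the CMSIS style: one struct member
 * per 32-bit register, in address order. Constructed for this example; the
 * real STM32F0 GPIO_TypeDef in the ST header has more registers. */
typedef struct {
    volatile uint32_t MODER;  /* offset 0x00: mode, 2 bits per pin (01 = output) */
    volatile uint32_t ODR;    /* offset 0x04: output data, 1 bit per pin */
    volatile uint32_t BSRR;   /* offset 0x08: bit set (low half) / reset (high half) */
} FakeGPIO_TypeDef;

/* The ST CMSIS header fixes the base address of each peripheral struct,
 * in the style of  #define GPIOA ((GPIO_TypeDef *) GPIOA_BASE).
 * To run on a host, this example backs the "peripheral" with ordinary
 * memory and points the struct at it in exactly the same way. */
static uint32_t fake_peripheral_memory[3];
#define FAKE_GPIOA ((FakeGPIO_TypeDef *) fake_peripheral_memory)

#define LED_PIN 5u   /* assumption: PA5 drives the green LED */

void fake_gpio_reset(void)
{
    memset(fake_peripheral_memory, 0, sizeof fake_peripheral_memory);
}

/* Configure one pin as a general-purpose output: mode bits = 01. */
void gpio_set_output(FakeGPIO_TypeDef *port, unsigned pin)
{
    port->MODER &= ~(3u << (2u * pin));   /* clear both mode bits first */
    port->MODER |=  (1u << (2u * pin));   /* then set 01 = output */
}

/* Write BSRR and emulate what the hardware does with it: a 1 in bit n sets
 * ODR bit n, a 1 in bit n+16 resets it. On the real part the write alone is
 * enough; the ODR update below only exists so the host emulation behaves. */
void gpio_write_bsrr(FakeGPIO_TypeDef *port, uint32_t value)
{
    port->BSRR = value;                          /* memory-mapped register write */
    port->ODR |=  (value & 0x0000FFFFu);         /* set requests */
    port->ODR &= ~((value >> 16) & 0x0000FFFFu); /* reset requests */
}

/* Accessors that show the struct members really are the words of the
 * underlying memory block. */
size_t   fake_gpio_odr_offset(void)        { return offsetof(FakeGPIO_TypeDef, ODR); }
uint32_t fake_gpio_raw_word(unsigned index) { return fake_peripheral_memory[index]; }

int main(void)
{
    fake_gpio_reset();
    gpio_set_output(FAKE_GPIOA, LED_PIN);
    gpio_write_bsrr(FAKE_GPIOA, 1u << LED_PIN);          /* LED on */
    printf("MODER=0x%08lX ODR=0x%08lX (raw word 1 = 0x%08lX)\n",
           (unsigned long)FAKE_GPIOA->MODER, (unsigned long)FAKE_GPIOA->ODR,
           (unsigned long)fake_gpio_raw_word(1));
    gpio_write_bsrr(FAKE_GPIOA, 1u << (LED_PIN + 16));   /* LED off */
    printf("ODR=0x%08lX\n", (unsigned long)FAKE_GPIOA->ODR);
    return 0;
}
```

The raw-word accessor is the point of the exercise: after `gpio_set_output` the first word of the memory block holds 0x400 (bits 11:10 = 01), and after the BSRR write the second word holds bit 5. On the target those words are the peripheral's registers at GPIOA_BASE + 0x00 and + 0x04, which is why a wrong struct layout or a wrong base address silently programs the wrong register.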

Learning unit 02: Simplicity
Before class activities
Reading: Chapter 2 Simplicity (Kopetz, 2023)

• Quickly read Section 2.1.
• Skip paragraphs 2.2.1 and 2.2.2.
• Carefully read paragraphs 2.2.3 – 2.2.4.
• Quickly read Sections 2.3 – 2.4.
• Carefully read Section 2.5.

• Tera Term is a terminal emulator for Microsoft Windows that supports serial port, telnet and
SSH connections. Install Tera Term [3].
In class activities

Warming up: discussion of prior knowledge

Presentation: Learning unit 02.pptx

Lab exercise
• Run Learning unit 02 and verify that data is received and transmitted by using Tera Term.
• Study the source code. Refer to the following sections of the
STM32F0x1/STM32F0x2/STM32F0x8 microcontroller reference manual (RM0091, 2017) for
a detailed explanation of the peripherals that are used in the project:
o General-purpose I/Os (GPIO)
o Interrupts and events
o Universal synchronous asynchronous receiver transmitter (USART)
o General-purpose timers (TIM2 and TIM3)
• Extend the project with one or more of the following functionalities:
o The time between two blinks of the green LED can be adjusted in steps of 100 ms,
with a maximum of 1000 ms and a minimum of 100 ms. Make the blink rate of the
green LED adjustable in 20 ms steps (without changing the maximum and minimum
value).
o When an ‘r’ is received by the microcontroller, the blink rate is reset to 1000 ms
between two blinks of the green LED. The string ‘reset’ is displayed in Tera Term.
o After the string ‘fastest’ has been received by the microcontroller, the blink rate is set
to its maximum.
After the string ‘slowest’ has been received by the microcontroller, the blink rate is set
to its minimum.
Tip: use the strcmp() function.
o When button B1 is clicked, blinking stops. When B1 is clicked again, blinking
resumes.
Tip: introduce a global variable that is set in the external interrupt handler and read in
the main loop.

[3] https://ttssh2.osdn.jp/index.html.en
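The command handling asked for in the lab exercise (‘r’, ‘fastest’, ‘slowest’ and a 20 ms step with a 100 ms floor and a 1000 ms ceiling) is a small input-validation problem, and the interesting part is what happens at the limits and on bad input. The host-runnable example below is added here and is not the course project's code: it keeps the blink period in a volatile global as the exercise suggests, dispatches complete lines with strcmp(), saturates the step at the limits instead of wrapping, and discards any line that would overflow its bounded buffer so a truncated prefix is never mistaken for a valid command. The ‘+’ and ‘-’ keys for stepping, the line terminator (CR or LF) and the 16-byte line buffer are assumptions for the example; the page does not name them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLINK_MIN_MS   100u    /* fastest blink: 100 ms between blinks */
#define BLINK_MAX_MS   1000u   /* slowest blink: 1000 ms between blinks */
#define BLINK_STEP_MS  20u     /* adjustment step asked for in the exercise */
#define BLINK_RESET_MS 1000u   /* value after 'r' */

/* Period shared between the UART receive path and the main loop. On the
 * target it is written from the USART interrupt handler, hence volatile. */
static volatile uint32_t blink_period_ms = BLINK_RESET_MS;

uint32_t blink_get_period(void) { return blink_period_ms; }
void     blink_reset(void)      { blink_period_ms = BLINK_RESET_MS; }

/* One step faster or slower, saturating at the limits (never wraps). */
static void blink_step(bool faster)
{
    uint32_t p = blink_period_ms;
    if (faster)
        p = (p > BLINK_MIN_MS + BLINK_STEP_MS) ? p - BLINK_STEP_MS : BLINK_MIN_MS;
    else
        p = (p + BLINK_STEP_MS < BLINK_MAX_MS) ? p + BLINK_STEP_MS : BLINK_MAX_MS;
    blink_period_ms = p;
}

/* Dispatch one complete, NUL-terminated command. Returns the string to echo
 * to Tera Term, or NULL when the command is unknown and was ignored.
 * '+' and '-' for stepping are an assumption; the exercise does not name them. */
const char *blink_handle_command(const char *cmd)
{
    if (strcmp(cmd, "r") == 0)       { blink_reset();                  return "reset";   }
    if (strcmp(cmd, "fastest") == 0) { blink_period_ms = BLINK_MIN_MS; return "fastest"; }
    if (strcmp(cmd, "slowest") == 0) { blink_period_ms = BLINK_MAX_MS; return "slowest"; }
    if (strcmp(cmd, "+") == 0)       { blink_step(true);               return "faster";  }
    if (strcmp(cmd, "-") == 0)       { blink_step(false);              return "slower";  }
    return NULL;
}

/* Line assembler fed one byte at a time from the receive interrupt. The
 * buffer is bounded; a line that would overflow it is discarded as a whole,
 * so a truncated prefix can never be mistaken for a valid command. */
#define LINE_MAX 16
static char   line[LINE_MAX];
static size_t line_len  = 0;
static bool   line_over = false;

const char *blink_feed_byte(char c)
{
    if (c == '\r' || c == '\n') {
        const char *reply = NULL;
        if (!line_over) {
            line[line_len] = '\0';
            reply = blink_handle_command(line);
        }
        line_len  = 0;
        line_over = false;
        return reply;
    }
    if (line_len < LINE_MAX - 1) line[line_len++] = c;
    else                         line_over = true;
    return NULL;
}

/* Host-side helper: feed a whole string as if it arrived byte by byte and
 * return the last reply produced. */
const char *blink_feed_string(const char *s)
{
    const char *last = NULL;
    for (; *s != '\0'; ++s) {
        const char *r = blink_feed_byte(*s);
        if (r != NULL) last = r;
    }
    return last;
}

int main(void)
{
    const char *script[] = { "fastest\n", "+\n", "-\n", "r\n", "bogus\n" };
    for (size_t i = 0; i < sizeof script / sizeof script[0]; ++i) {
        const char *reply = blink_feed_string(script[i]);
        printf("reply %-9s period = %4lu ms\n", reply ? reply : "(ignored)",
               (unsigned long)blink_get_period());
    }
    return 0;
}
```

On the target, `blink_feed_byte` is what the USART receive interrupt would call with each received byte, and the main loop reads `blink_get_period()` between blinks; the reply string is what gets transmitted back so Tera Term shows ‘reset’ and friends.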

Learning unit 03: Global time
Before class activities
Reading: Chapter 3 Global Time (Kopetz, 2023)

• Carefully read Sections 3.1 – 3.2.
• Quickly read Section 3.3.
• Carefully read Sections 3.4 – 3.5.

In class activities
Warming up: discussion of prior knowledge

Presentation: Learning unit 03.pptx

Lab exercise

• Look up the drift rate of the microcontroller’s system core clock in the datasheet. What is used
as the reference clock?
• You will measure the microcontroller’s drift over a period of (approximately) one hour. Your
laptop’s system clock will be used as the reference clock z.
Set up the microcontroller’s system tick timer to generate a system tick interrupt every
minute. Use the system tick’s interrupt handler to trigger the transmission of the number of
minutes that have passed via the UART. Repeat this for sixty minutes. Tera Term should show the
following output:

00
01
02
..
..
..
13
14
15

Enable the logging option in Tera Term (File → Log…). Make sure to enable timestamps.
Tera Term provides timestamps with millisecond granularity. What is the expected number of
microticks for the duration of one minute (n_k)?
Copy and paste the log data into the Excel sheet. Repeat the measurement at three different
physical locations. Discuss the results. Also discuss the latency jitter in this measurement and
how it influences the measured results.
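The Excel sheet is one way to evaluate the log; the same evaluation in code makes the two quantities the exercise asks about explicit. The example below is added here and is not part of the guide or the course materials: it parses constructed Tera Term-style log lines (the bracketed timestamp layout is an assumption about the log format), computes the drift rate rho of the node clock against the reference clock z from the first and last line as |elapsed_reference / (n - 1) * 60000 ms) - 1|, and separately reports the largest deviation of any single one-minute interval from its nominal length. The second figure is what the latency jitter of the UART, USB and logging path contributes; comparing it with the first shows why one interval is a poor basis for the drift rate while a full hour averages the jitter out.

```c
#include <stddef.h>
#include <stdio.h>

#define TICK_NOMINAL_MS 60000.0   /* the node sends one line per minute of its own clock */

/* Parse a log line of the form "[YYYY-MM-DD HH:MM:SS.mmm] NN" (assumed
 * Tera Term log layout) into milliseconds since midnight.
 * Returns -1 for a line that does not parse or carries an impossible time. */
long log_line_ms(const char *line)
{
    int h, m, s, ms;
    if (sscanf(line, "[%*4d-%*2d-%*2d %2d:%2d:%2d.%3d]", &h, &m, &s, &ms) != 4)
        return -1;
    if (h < 0 || h > 23 || m < 0 || m > 59 || s < 0 || s > 59 || ms < 0 || ms > 999)
        return -1;
    return ((h * 60L + m) * 60L + s) * 1000L + ms;
}

/* A measurement that crosses midnight gives a negative difference; unwrap it. */
static long wrap_day(long delta_ms)
{
    return delta_ms < 0 ? delta_ms + 24L * 3600L * 1000L : delta_ms;
}

/* Drift rate rho of the node clock measured against the reference clock z
 * (the laptop), from the first and last lines of the log:
 *   rho = | (z_last - z_first) / ((n - 1) * 60000 ms) - 1 |
 * Returns -1.0 if fewer than two valid lines are available. */
double drift_rate_from_log(const char *const lines[], size_t n)
{
    if (n < 2) return -1.0;
    long t0 = log_line_ms(lines[0]);
    long t1 = log_line_ms(lines[n - 1]);
    if (t0 < 0 || t1 < 0) return -1.0;
    double ratio = (double) wrap_day(t1 - t0) / ((double)(n - 1) * TICK_NOMINAL_MS);
    double rho = ratio - 1.0;
    return rho < 0 ? -rho : rho;
}

/* Largest deviation of any single one-minute interval from its nominal
 * length, in ms. With an accurate node clock this figure is dominated by
 * the latency jitter of the transmission and logging path. Returns -1 on
 * a malformed line. */
long max_interval_deviation_ms(const char *const lines[], size_t n)
{
    long worst = 0;
    for (size_t i = 1; i < n; ++i) {
        long a = log_line_ms(lines[i - 1]);
        long b = log_line_ms(lines[i]);
        if (a < 0 || b < 0) return -1;
        long dev = wrap_day(b - a) - (long) TICK_NOMINAL_MS;
        if (dev < 0) dev = -dev;
        if (dev > worst) worst = dev;
    }
    return worst;
}

/* Constructed sample log: four lines, the node running slightly slow. */
static const char *const sample_log[] = {
    "[2023-01-26 10:00:00.000] 00",
    "[2023-01-26 10:01:00.012] 01",
    "[2023-01-26 10:02:00.025] 02",
    "[2023-01-26 10:03:00.036] 03",
};
#define SAMPLE_LOG_LINES (sizeof sample_log / sizeof sample_log[0])

int main(void)
{
    printf("drift rate rho = %.2e\n", drift_rate_from_log(sample_log, SAMPLE_LOG_LINES));
    printf("worst interval deviation = %ld ms\n",
           max_interval_deviation_ms(sample_log, SAMPLE_LOG_LINES));
    return 0;
}
```

For the constructed log the node's three minutes took 180036 ms of reference time, so rho is 2.0e-4 (200 ppm), while the worst single interval is off by 13 ms; with a real hour-long log the first number converges while the second stays at the jitter level.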

Learning unit 04: Temporal relations
Before class activities
Reading: Chapter 5 Temporal relations (Kopetz, 2023)

• Quickly read Sections 5.1 – 5.3.
These first three sections refine the subjects RT entity, RT image, RT object and
observation, which were introduced in Chapter 1.
• Carefully read Sections 5.4 – 5.6.

In class activities
Warming up: discussion of prior knowledge

Presentation: Learning unit 04.pptx

Lab exercise

• The code example shows internal clock synchronisation by means of a central
master synchronisation system. A simple UART (USART1 9600,8,n,1) is used
for communication.
Connect two boards as follows by using connector CN10:
- Board 1 pin 21 (PA9, USART1_TX) to board 2 pin 33 (PA10, USART1_RX)
- Board 1 pin 33 (PA10, USART1_RX) to board 2 pin 21 (PA9, USART1_TX)
- Board 1 pin 20 (GND) to board 2 pin 20 (GND)
• Verify the operation: as soon as the button B1 is pressed on one of the
boards, this board will become the master. The master periodically transmits a
message that contains the value of the global clock.

Provide answers to the following questions:

• What are the RT entities?
• What are the RT images?
• Does the example implement state or event observation?
• What is the time between updates of the RT image global_clock?
• What is d_acc without state estimation?
What is d_acc with state estimation?
• Why can WCET_send and WCET_rec be discarded?
• Why is WCCOM equal to 25 ms?
• Show that the RT image global_clock is phase-sensitive.
• What should the time between updates be to make the RT image global_clock parametric
(including the already implemented state estimation)?
• What can be said with respect to the precision of the clock synchronisation algorithm?
• Is global time reasonable?
• Does the example implement state correction or rate correction?
• The master also has a fake sensor. This fake sensor is toggled (1 → 0 or 0 → 1) each time the
master’s button B1 is clicked.

o In main.c: Transmit the value of the fake sensor in an observation message from the
master to the node.
o In cni.c: Receive the value of the fake sensor in the node and write it to the
fake_sensor RT image. On correct reception by the node, a message is printed in
TeraTerm as long as the value of the fake sensor is equal to 1.
o Why is state estimation not possible for this fake sensor?

Learning unit 05: Dependability
Before class activities
Reading: Chapter 6 Dependability (Kopetz, 2023)

• Read Sections 6.1 – 6.2.
• Carefully read Sections 6.3 – 6.4.

In class activities
Warming up: discussion of prior knowledge

Presentation: Learning unit 05.pptx

Lab exercise

• The code example shows internal clock synchronisation by means of a central
master synchronisation system. A simple UART (USART1 9600,8,n,1) is used
for communication.
Connect two boards as follows by using connector CN10:
- Board 1 pin 21 (PA9, USART1_TX) to board 2 pin 33 (PA10, USART1_RX)
- Board 1 pin 33 (PA10, USART1_RX) to board 2 pin 21 (PA9, USART1_TX)
- Board 1 pin 20 (GND) to board 2 pin 20 (GND)
• This project introduces the notion of an operational component and a
monitoring component. By default, a board will function as an operational
component.
If the blue user button is pressed immediately after reset, the board will act as
the monitoring component (press both buttons and release the reset button
first). A board with the green LED on is a monitoring component.
• The desired behaviour of the operational component is a simple 0 to 9 counter, which is
incremented (approximately) every second. The counter value is visualized via the TII
interface.
The component will fail by introducing a fake transient error. By clicking the blue user button,
the counter is set to the value three.

Provide answers to the following questions:

• In this example project: what is the fault, what is the error, and what is the failure?
• Give the specification of the g-state. Does this specification adhere to the description in
paragraph 6.6.2?
• Describe the structure of a message (header, data, trailer).
• Describe the messages that are being transmitted in a scenario without a fault.
• When faking a transient error by pressing the blue button of the operational component, the
user still sees an erroneous ‘3’ being displayed. The operational component, however,
continues counting after the erroneous ‘3’ was displayed. Explain how this is possible by
describing the program flow and the sequence of messages.
• Why is such behaviour, an erroneous ‘3’ still being displayed, not a major problem in most
control applications?

• The example project does not implement a self-test. Where in the code should a self-test be
implemented?
• Paragraph 6.4.3 describes two sorts of architectures. Which one is implemented in the
example project?
• What are pros and cons of using the AES256 library in the transmit and receive functions of
the CNI?
• What is the content and meaning of the following message?

  header   0x01
  data     0xDC, 0xFA, 0xF1, 0xF1, 0xA6, 0x35, 0x89, 0x2D, 0x4C, 0x4B, 0xC9, 0x23,
           0xC5, 0xA3, 0xCB, 0xF6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  trailer

The 32-byte key used for encryption is:

0x3A, 0xBA, 0x59, 0xB0, 0x39, 0x85, 0x7F, 0x52, 0x07, 0x87, 0x89, 0x9A, 0x76, 0x4A,
0x05, 0x44, 0x53, 0x94, 0x84, 0xC9, 0xF7, 0xC5, 0xD1, 0x48, 0x68, 0x76, 0x96, 0x33,
0x6E, 0x6E, 0xCE, 0x13,

Tip: use the debugger to find the answer to this question.

Extra (hard)

The monitoring component implements value verification and does not implement temporal
verification. Implement temporal verification with a window of 0.2 seconds. In order to do so, you
should:

• Add global time to the project (refer to Learning unit 04).
• Set the global timestamps in the observation message during phase D: Produce new g-state
and transmission of output data.
• Use the timestamp for verification in the monitoring component.
• Implement a test scenario.

Learning unit 06: Real-time communication
Before class activities
Reading: Chapter 7 Real-time communication (Kopetz, 2023)

• Carefully read Sections 7.1 – 7.5.

In class activities
Warming up: discussion of prior knowledge

Presentation: Learning unit 06.pptx

Lab exercise

• Attach an RS485 CAN shield to each board. Connect the three boards as depicted in the
image below. Refer to the board’s User Manual (UM1724, 2017) to find the pin locations of
PC6, PC8, 3V3 and GND on connectors CN7 and CN10.

[Figure: wiring diagram. Three NUCLEO-F072RB boards (Monitor, Node A, Node B), each with an
RS485 CAN shield, share the CANH and CANL lines and the 3V3 and GND lines. On the Monitor
PC8 is connected to GND; on Node A PC6 is connected to GND.]

This hardware setup allows us to connect a single board via USB to the computer and power
all the boards. Programming the boards must be done by connecting each board separately to
the computer. By connecting PC6 or PC8 to GND, the board knows its role in the ensemble.
• Test the project. The green LED on Node B will be lit as long as the blue button on Node A is
pressed. By connecting the Monitor to a terminal program, messages on the CAN bus can be
observed.
• Study section Controller Area Network (bxCAN) in the reference manual (RM0091, 2017).
Answer the following questions.
o What baud rate is implemented?
o What is the size of the sender queue? What happens if the queue is full?
o What is the size of the receiver queue? What happens if the queue is full?
o What is the content of a mailbox?
o What are acceptance filters used for?
o What is the difference between loopback mode and silent mode?
• Explain why/how this project implements event-triggered communication.
• Explain how CAN implements back-pressure flow control. Why can this not be used in a
real-time communication system?
• Why is the latency jitter for media access higher for messages with lower priority?
• What is (approximately) the limit of the data efficiency that can be achieved?
• In event-triggered communication, it is impossible to provide temporal guarantees. Implement
a scenario that shows this. Test the implementation and prove your scenario by analysing the
observed CAN messages from the Monitor.
• Reflect on the project by discussing the following architectural requirements of a
communication infrastructure: timeliness, dependability, flexibility, and physical structure.

Extra

• Implement a membership service.
• Each node in the project has its own global clock. Implement synchronisation of the global
clock. Use the Monitor as the global clock master and have it send messages to the nodes
periodically.

Learning unit 07: Real-time operating systems
Before class activities
Reading: Chapter 9 Real-Time Operating Systems (Kopetz, 2011)

• Carefully read Sections 9.1 – 9.7.

In class activities
Warming up: discussion of prior knowledge

Presentation: Learning unit 07.pptx

Lab exercise

• This project runs on a single NUCLEO-F072RB board without an RS485 CAN shield mounted.
• The project shows how the FreeRTOS real-time operating system is ported to the NUCLEO-
F072RB board and how three tasks interact.
• The scheduler follows the following scheme:

[Figure: timeline with rows Task 1, Task 2, Task 3 and Idle plotted against time; the switching
instants t2, t5 and t6 are marked.]

t1 = 0 ms: Start of task 1. The maximum duration of this task is 100 ms. If the task finishes
earlier, the idle task is executed.
t2 = 100 ms: Start of task 2. The maximum duration of this task is 40 ms. The example
shows that this time is not needed, so the idle task is executed.
t3 = 140 ms: Start of task 3. The maximum duration of this task is 860 ms. The example
shows that this time is not needed, so the idle task is executed.
t4 = 1000 ms: The cycle repeats by the execution of task 1.

• The project shows two means of inter-task interaction. The first is exchange of messages by
means of a queue:

[Figure: Task 1 sends an Observation_t into a Queue; Task 2 receives it.]

The second is exchange of data by means of shared data structures:

[Figure: shared memory "tx ring buffer": Task 1 and Task 2 each transmit a byte into it and
Task 3 reads a byte from it. Shared memory "button observation": Task 2 writes an
Observation_t to it.]

Notice that task 2 is writing to a shared data structure, but in the example project, this shared
data structure is never read.

• Study the source code of the project. Documentation related to the FreeRTOS functions is
provided in (Barry, 2016) and on the FreeRTOS website [5].
o For each of the three tasks: is it an S-task or a C-task?
o What mechanism is used to ensure data integrity for the shared data structures?
o What is the role of time in this project?
o Does the project implement any interrupts?

[5] https://www.freertos.org
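The "tx ring buffer" in the figure is shared by two writers (tasks 1 and 2) and one reader (task 3), which is exactly the situation the data-integrity question above is about. The example below is added here and is not the course project's implementation: it is a host-runnable ring buffer with the two properties a shared structure needs in a cyclic system. First, every update of the indices happens inside a critical-section hook (on the target these would be the FreeRTOS taskENTER_CRITICAL() / taskEXIT_CRITICAL() macros; here they expand to nothing), so two producers cannot interleave their writes. Second, a full buffer refuses the byte and counts the drop instead of blocking, so a producing task's execution time never depends on how fast the consumer drains. The names, the 8-byte size and the hook macros are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mutual-exclusion hooks. Under FreeRTOS on the target these would be
 * taskENTER_CRITICAL() / taskEXIT_CRITICAL(); on the host they are empty.
 * Keeping them as macros means the buffer code is identical in both builds. */
#ifndef RB_ENTER_CRITICAL
#define RB_ENTER_CRITICAL() ((void)0)
#define RB_EXIT_CRITICAL()  ((void)0)
#endif

#define TX_RB_SIZE 8u   /* power of two, so masking wraps the indices */

typedef struct {
    volatile uint8_t  data[TX_RB_SIZE];
    volatile uint32_t head;     /* next write position (monotonic, masked on use) */
    volatile uint32_t tail;     /* next read position */
    volatile uint32_t dropped;  /* bytes refused because the buffer was full */
} tx_ring_t;

static tx_ring_t tx_rb;

void tx_rb_init(void) { tx_rb.head = tx_rb.tail = tx_rb.dropped = 0; }

uint32_t tx_rb_count(void)   { return tx_rb.head - tx_rb.tail; }  /* unsigned wrap keeps this right */
uint32_t tx_rb_dropped(void) { return tx_rb.dropped; }

/* Producer side (tasks 1 and 2, "transmit byte"). Two producers share head,
 * so the test-and-update must not interleave with the other producer or with
 * the consumer. Refusing a byte when full is the bounded, predictable choice:
 * blocking here would make the producing task's duration data-dependent. */
bool tx_rb_put(uint8_t b)
{
    bool ok;
    RB_ENTER_CRITICAL();
    if (tx_rb.head - tx_rb.tail >= TX_RB_SIZE) {
        tx_rb.dropped++;
        ok = false;
    } else {
        tx_rb.data[tx_rb.head & (TX_RB_SIZE - 1)] = b;
        tx_rb.head++;
        ok = true;
    }
    RB_EXIT_CRITICAL();
    return ok;
}

/* Consumer side (task 3, "read byte", which then hands it to the UART). */
bool tx_rb_get(uint8_t *out)
{
    bool ok;
    RB_ENTER_CRITICAL();
    if (tx_rb.head == tx_rb.tail) {
        ok = false;
    } else {
        *out = tx_rb.data[tx_rb.tail & (TX_RB_SIZE - 1)];
        tx_rb.tail++;
        ok = true;
    }
    RB_EXIT_CRITICAL();
    return ok;
}

/* Offer n bytes in order; returns how many were accepted. */
uint32_t tx_rb_fill(const uint8_t *src, size_t n)
{
    uint32_t accepted = 0;
    for (size_t i = 0; i < n; ++i)
        if (tx_rb_put(src[i])) accepted++;
    return accepted;
}

/* Drain into a caller-supplied array, as task 3 would drain into the UART
 * within its time slot. Returns the number of bytes moved. */
size_t tx_rb_drain(uint8_t *dst, size_t max)
{
    size_t n = 0;
    while (n < max && tx_rb_get(&dst[n])) n++;
    return n;
}

int main(void)
{
    uint8_t out[TX_RB_SIZE];
    tx_rb_init();
    uint32_t ok = tx_rb_fill((const uint8_t *)"ABCDEFGHIJ", 10);   /* 10 bytes, 8 fit */
    size_t   n  = tx_rb_drain(out, sizeof out);
    printf("accepted %lu, dropped %lu, drained %zu: %.*s\n",
           (unsigned long)ok, (unsigned long)tx_rb_dropped(), n, (int)n, out);
    return 0;
}
```

The drop counter is worth exposing on the TII in a real build: a non-zero value tells you the consumer's slot in the cyclic schedule is too short for what the producers generate, which is a design-time problem to fix in the schedule, not something to paper over with a bigger buffer.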

• Update the project and implement a component. The component must realize the following
high-level software structure and tasks:

[Figure: layered structure. Application software: Task 5, above an API. Middleware: Task 4a
and Task 3a (labelled LIF and TII), above Task 4b and Task 3b. Local OS: Task 2 (LED) and
Task 1 (Button).]

o Task 1: Observes the button input and writes it to a button observation.
o Task 2: Output operation at the LED. Reads an LED observation.
o Task 3a: Receives information from the TII. If a ‘1’ is received, the LED is always on.
On the reception of any other character, the LED follows the state in the LED
observation.
o Task 3b: Receives characters from any state and outputs the characters through the
TII.
o Task 4a: Transmits data in CAN messages (in loopback mode). The transmitted data
is a cycle counter value which is provided by task 5.
o Task 4b: Receives data in CAN messages (in loopback mode). If the received counter
value is odd, a message is displayed via the TII.
o Task 5: Implements the processing algorithm: reads the button observation and
writes the LED observation accordingly. It also maintains a cycle counter that is
incremented each cycle.

• Create S-tasks only.
• The tasks are scheduled in the correct phase according to the cyclic model of time presented in
section 3.3.4 (Kopetz, 2023):

• Give a description and rationale for the duration of each task.
• Give a description and rationale for the inter-task interactions.

Learning unit 08: Digital Twinning
Before class activities
Reading: Chapter 14 Cloud and Fog Computing (Kopetz, 2023)

• Carefully read Section 14.5.1.

In class activities
Warming up: discussion of prior knowledge

Presentation: Learning unit 08.pptx

Lab exercise

Develop a simple digital twin. Details to be determined in class.

Learning unit 09: System design
Before class activities
Reading: Chapter 11 System Design (Kopetz, 2023)

• Carefully read Sections 11.1 – 11.3.
• Carefully read paragraph 11.4.1.
• Read paragraphs 11.4.2 – 11.4.4.
• Carefully read Sections 11.4.5 – 11.4.6.

In class activities
Warming up: discussion of prior knowledge

Presentation: Learning unit 09.pptx

Lab exercise

• Attach an RS485 CAN shield to each of the three boards. Connect the three boards as
depicted in the image below. Refer to the board’s User Manual (UM1724, 2017) to find the
pin locations of PC6, PC8, 3V3 and GND on connectors CN7 and CN10.

[Figure: wiring diagram. Three NUCLEO-F072RB boards (Monitor, Node A, Node B), each with an
RS485 CAN shield, share the RS485A and RS485B lines, the CANH and CANL lines, and the 3V3
and GND lines. On the Monitor PC8 is connected to GND; on Node A PC6 is connected to GND.
Nodes A and B together form one FTU.]

This hardware setup allows us to connect a single board via USB to the computer and power
all the boards. Programming the boards must be done by connecting each board separately to
the computer. By connecting PC6 or PC8 to GND, the board knows its role in the ensemble.

The jumpers of the RS485 CAN shield should be set to their default positions as depicted in the
adjacent image.

The provided example project demonstrates how to transmit a byte via RS485 in a single master
(Monitor) and multiple slave (Nodes A and B) configuration.

• Test the example project. On correct operation, the green LEDs on all nodes will blink
simultaneously and status messages are displayed via the TII interfaces of each node.
• Study the following table, which shows the differences between RS485 and CAN
communication [10].

Feature                          RS485                        CAN
Required interface               UART                         CAN controller
Supported ISO model layers       Physical layer               Physical layer and data link layer
Detection of data collisions     Not implemented              Yes, CSMA/CR
Maximum transmission rate        10 Mbit/s (up to 12 m)       1 Mbit/s (up to 50 m)
Maximum bus length               1200 m (at 100 kbit/s)       1600 m (at 50 kbit/s)
Supported bus arbitration        Master/slave or token ring   Multimaster and all principles that
principles                                                    can be derived from it, such as
                                                              master/slave or token ring
Maximum data amount per frame    Unlimited                    8 bytes
Examples of popular protocols    Modbus RS485, Profibus       CANopen, DeviceNet, J1939

It is very important that safety-critical functions do not use a single channel system. An example of
a safety-critical function is the synchronisation message of the global clock.
The goal of this assignment is to implement a fail-silent architecture (refer to paragraph 6.4.2 in
(Kopetz, 2023)) for two types of functions:
1. Transmitting global clock synchronisation messages from the monitoring node to Nodes A and B.
2. Transmitting blue button pressed messages from Nodes A and B to the monitoring node.
Nodes A and B are a single FTU: as long as one or both blue buttons are pressed, the
monitoring node turns on the green LED.

Implement the following behaviour for the nodes:

• Monitor
o Generates the global clock and transmits clock synchronisation messages. These
messages are transmitted via CAN and via RS485 and are fail-silent: messages are
either correct in both the time and the value domain, or the message is not transmitted at all.

[10] https://www.ixxat.com/technologies/all4can/can-news-blog/can-news-blog/2017/09/22/rs485-vs.-can

o Receives messages via CAN indicating the state of a blue button. The green LED is set
according to this state. Redundant incoming messages are removed. For each node
that has not produced a message, an appropriate message is displayed via the TII
interface.
• Node A
o Receives global clock synchronisation messages and synchronises its local clock to the
content of this message. Redundant incoming messages are removed.
For each interface that has not produced a message, an appropriate message is
displayed via the TII interface.
o Transmits a message via CAN indicating the state of the blue user button.
• Node B
Identical to node A.

Test your implementation by removing the jumper wires from the CAN and/or RS485 interface and
show by utilizing several different scenarios that it is fail-silent.

Discuss the following aspects of your implementation:

• What basic cycle is implemented?
• How long is the duration for each phase of the basic cycle?
• Are the basic cycles phase aligned?
• What can be said with respect to the precision and accuracy of global clock synchronisation?
• What happens exactly at start-up of the ensemble, before any global clock synchronisation
message has been transmitted?
• How exactly do nodes A and B discard redundant messages? What are alternatives?
• Are global clock synchronisation messages via CAN and RS485 idempotent?
• Describe the content of a single message frame for CAN and for RS485.
• Paragraph 11.3.4 in (Kopetz, 2023) provides example questions for testing a decomposition.
Give an answer to these questions with respect to your implementation for the following
subjects:
o Functional coherence
o Testability
o Dependability
o Physical characteristics

Extra

• Make your implementation more diverse by implementing an RTOS in node A and by not
implementing an RTOS in node B.

Learning unit 10: Validation
Before class activities
Reading: Chapter 12 Validation (Kopetz, 2023)

• Carefully read Sections 12.1 – 12.3.
• Read Section 12.4.
• Carefully read Section 12.5.

In class activities
Warming up: discussion of selected assignments

Presentation: Learning unit 10.pptx

Lab exercise

• Attach an RS485 CAN shield to each of the three boards. Connect the three boards as
depicted in the image below. Refer to the board’s User Manual (UM1724, 2017) to find the
pin locations of PC6, PC8, 3V3 and GND on connectors CN7 and CN10.

[Figure: wiring diagram. Three NUCLEO-F072RB boards (Monitor, Node A, Node B), each with an
RS485 CAN shield, share the CANH and CANL lines and the 3V3 and GND lines. On the Monitor
PC8 is connected to GND; on Node A PC6 is connected to GND.]

This hardware setup allows us to connect a single board via USB to the computer and power
all the boards. Programming the boards must be done by connecting each board separately to
the computer. By connecting PC6 or PC8 to GND, the board knows its role in the ensemble.
• The implementation of the Monitor and Node A is given and tested by the supplier. It is your
task to test node A as a component provider and as a component user.

The given specification of node A is as follows:

1 The node implements an LFI interface
1.1 The communication protocol is CAN
1.2 CAN communication speed is 1 Mbit/s
1.3 An 8-byte data field is used
1.3.1 Byte 7 and 6: 16-bit timestamp
1.3.2 Byte 5 and 4: unused
1.3.3 Byte 3 to 0: 32-bit value
1.4 The CAN id is also used as a message identifier
1.5 No message will be sent before the node is synchronized to the global clock

2 The node synchronizes to the global clock
2.1 Global time is a 16-bit unsigned counter incremented every 1 ms
2.2 The LIF is used to receive time reference messages from a time master
2.2.1 The message id is 0x0110
2.2.2 The message is of type observation_t

3 The node implements a TII
3.1 Changes of the node’s internal state are transmitted via TII
3.2 The TII is a standard serial interface: 9600, 8, n, 1

4 The node detects blue user button clicks
4.1 A counter is incremented at each button click
4.2 The counter is reset to zero
4.2.1 At node reset
4.2.2 After 9 counts (the counter never reaches the value 10)
4.3 Each time the counter is updated, a single message is transmitted
4.3.1 Via the LFI interface
4.3.2 The message id is 0x0210
4.3.3 The message is of type observation_t
4.4 The LFI is used to receive messages for setting the counter value
4.4.1 The message id is 0x0220
4.4.2 The message is of type observation_t

5 The node supports the observation_t type
5.1 The id field holds the message id
5.2 The value field holds the 32-bit value
5.3 The timestamp field holds the 16-bit timestamp at time of the observation

6 The node fails silent
6.1 Input assertions
6.1.1 Excludes data that the component is not designed to handle
6.1.2 When detected, a message is transmitted via TII
6.2 Output assertions
6.2.1 Prohibits invalid messages from being sent over the LIF
6.2.2 When detected, a message is transmitted via TII

7 The node establishes a static temporal control structure, as described in section 3.3.4
(Kopetz, 2011):
7.1 The duration of one cycle is 200 ms
7.1.1 The duration of phase A is 30 ms
7.1.2 The duration of phase B is 20 ms
7.1.3 The duration of phase C is 30 ms
7.1.4 The duration of phase D is 20 ms
7.1.5 The duration of phase E is 30 ms
7.2 The cycle is phase aligned with all other nodes
7.3 At the start of the cycle, the green LED toggles
7.4 The control structure is independent of the input data (blue button clicks)

The implementation of the node does not comply with all specifications. It is your task to find out
which specifications are not met by testing the component (and not by reviewing the code in
node_a.c). Use the following approach:

• Validate the properties of the node by observing its behaviour.
o Does the node function according to the specification when integrated?
o Is there any unexpected emergent behaviour due to the integration of the
component?
• Validate the message exchange by implementing test cases in node B.
o Does the node comply with the transport level specifications of the LIF?
o Does the node comply with the operational level specifications of the LIF?
o Does the node comply with the semantic level specifications of the LIF?
o What is the rationale for your test data selection (see section 12.2.2 (Kopetz, 2023))?
o To what extent is the node capable of handling ‘babbling idiots’? How is this realized?
• Software fault injection
o Use the debugger to make changes to variables in node A. What scenarios are tested?
Is it OK to use the debugger in that scenario (in other words, does it affect the
temporal behaviour)?

TIP: Four specifications are not met.
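Test cases in node B need a reference implementation of the message format to check node A against, and the specification above gives enough to write one: the 8-byte data field of item 1.3, the 16-bit millisecond global time of item 2.1, the message ids of 2.2.1, 4.3.2 and 4.4.1, the 0 to 9 counter range of 4.2.2, and the input and output assertions of item 6. The example below is added here and is not node A's code nor the course project's: it packs and unpacks observation_t into the CAN data field, implements an input assertion that refuses wrong DLC, unknown ids, non-zero reserved bytes, out-of-range counter values and stale timestamps, and an output assertion that refuses to send before synchronisation or with an invalid value. The stale check is the temporal verification with a 0.2 second window from the Learning unit 05 extra, computed modulo 2^16 so it stays correct across the counter wrap. Assumptions made for the example: within each field the higher-numbered byte carries the more significant bits, bytes 5 and 4 are sent as zero, the struct member names, and that a time reference message is not checked against the receiver's own (possibly unsynchronised) time.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Message ids from the node A specification (items 2.2.1, 4.3.2, 4.4.1). */
#define MSG_ID_TIME_REF     0x0110u
#define MSG_ID_BUTTON_COUNT 0x0210u
#define MSG_ID_SET_COUNTER  0x0220u

#define COUNTER_MAX 9u     /* spec 4.2.2: the counter never reaches 10 */
#define WINDOW_MS   200u   /* temporal verification window (0.2 s), assumed from the LU05 extra */

/* observation_t with the fields of spec item 5; member names are assumed. */
typedef struct {
    uint16_t id;
    uint16_t timestamp;   /* global time, 1 ms ticks, wraps at 65536 (spec 2.1) */
    uint32_t value;
} observation_t;

/* Spec 1.3 data field layout. Assumption: within each field the higher byte
 * number carries the more significant bits; bytes 5 and 4 are sent as zero. */
void observation_pack(const observation_t *o, uint8_t data[8])
{
    data[7] = (uint8_t)(o->timestamp >> 8);
    data[6] = (uint8_t)(o->timestamp);
    data[5] = 0;
    data[4] = 0;
    data[3] = (uint8_t)(o->value >> 24);
    data[2] = (uint8_t)(o->value >> 16);
    data[1] = (uint8_t)(o->value >> 8);
    data[0] = (uint8_t)(o->value);
}

void observation_unpack(uint16_t can_id, const uint8_t data[8], observation_t *o)
{
    o->id        = can_id;                                   /* spec 1.4 */
    o->timestamp = (uint16_t)(((uint16_t)data[7] << 8) | data[6]);
    o->value     = ((uint32_t)data[3] << 24) | ((uint32_t)data[2] << 16)
                 | ((uint32_t)data[1] << 8)  |  (uint32_t)data[0];
}

typedef enum {
    ACCEPT = 0,
    REJ_DLC,          /* not the 8-byte data field of spec 1.3 */
    REJ_UNKNOWN_ID,   /* not an id this node consumes */
    REJ_RESERVED,     /* unused bytes carry data */
    REJ_VALUE_RANGE,  /* counter value outside 0..9 */
    REJ_STALE         /* timestamp outside the verification window */
} verdict_t;

/* Input assertion (spec 6.1): everything the node is not designed to handle
 * is refused before it reaches the application. `now` is the node's global
 * time; the age is computed modulo 2^16 so it is right across the wrap.
 * A time reference carries the time the node will adopt, so it is not
 * compared against `now` (assumption). */
verdict_t input_assert(uint16_t can_id, uint8_t dlc, const uint8_t data[8],
                       uint16_t now, observation_t *out)
{
    if (dlc != 8) return REJ_DLC;
    if (can_id != MSG_ID_TIME_REF && can_id != MSG_ID_SET_COUNTER) return REJ_UNKNOWN_ID;
    if (data[5] != 0 || data[4] != 0) return REJ_RESERVED;
    observation_unpack(can_id, data, out);
    if (can_id == MSG_ID_SET_COUNTER) {
        if (out->value > COUNTER_MAX) return REJ_VALUE_RANGE;
        if ((uint16_t)(now - out->timestamp) > WINDOW_MS) return REJ_STALE;
    }
    return ACCEPT;
}

/* Output assertion (spec 6.2 together with 1.5 and 4.3): nothing goes on the
 * bus unless it is a well-formed button-count observation from a node that
 * is synchronised to the global clock. */
bool output_assert(const observation_t *o, bool synchronised)
{
    return synchronised && o->id == MSG_ID_BUTTON_COUNT && o->value <= COUNTER_MAX;
}

/* Host-side helper: build a frame from the given fields and push it through
 * the input assertion, the way a test case in node B would. */
verdict_t roundtrip_verdict(uint16_t can_id, uint16_t ts, uint32_t value, uint16_t now)
{
    uint8_t frame[8];
    observation_t o = { can_id, ts, value }, back;
    observation_pack(&o, frame);
    return input_assert(can_id, 8, frame, now, &back);
}

int main(void)
{
    uint8_t frame[8];
    observation_t tx = { MSG_ID_SET_COUNTER, 0xFFF0u, 7u };   /* constructed sample */
    observation_pack(&tx, frame);
    printf("packed (byte 7..0):");
    for (int i = 7; i >= 0; --i) printf(" %02X", frame[i]);
    printf("\nverdict at now=0x0010: %d, at now=0x0300: %d\n",
           roundtrip_verdict(MSG_ID_SET_COUNTER, 0xFFF0u, 7u, 0x0010u),
           roundtrip_verdict(MSG_ID_SET_COUNTER, 0xFFF0u, 7u, 0x0300u));
    return 0;
}
```

The two verdicts printed by main are the edge case worth testing explicitly: a message stamped 0xFFF0 received at 0x0010 is 32 ms old and accepted even though a naive `now - timestamp` comparison would call it far in the future, while the same message at 0x0300 is 784 ms old and refused. Each rejection reason maps onto a TII message as spec 6.1.2 requires, and the same table of reasons is what a node B test case compares against when it deliberately sends malformed frames.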

References

Barry, R. (2016). Mastering the FreeRTOS™ Real Time Kernel - A Hands-On Tutorial Guide. Retrieved
from FreeRTOS Documentation:
https://www.freertos.org/Documentation/161204_Mastering_the_FreeRTOS_Real_Time_Kernel-A_Hands-On_Tutorial_Guide.pdf

CMSIS. (2018, June). Cortex Microcontroller Software Interface Standard.

Kopetz, H. (2023, September). Real-time systems: design principles for distributed embedded applications.
Springer Cham.

RM0091. (2017, January). STM32F0x1/STM32F0x2/STM32F0x8 advanced ARM®-based 32-bit MCUs.

UM1724. (2017, December). User manual - STM32 Nucleo-64 boards.
