\section{Design Guidelines}
\label{sec:design_guidelines}
Based on the insights from our model, we propose design guidelines for efficient and safe intermittent systems. The effectiveness of the guidelines is evaluated with seven benchmarks on the reference system used in Sec.~\ref{sec:detailed_execution_model}. We ported five benchmarks from the MiBench~\cite{guthausMiBench2001} benchmark suite and implemented two computation kernels (\emph{matmul} and \emph{conv2d}) commonly used for evaluating intermittent systems in the literature~\cite{kimLACT2024,maengSupporting2019,bhattacharyyaNvMR2022,ganesanWhat2019,akhunovEnabling2023}. We evaluate two popular existing checkpointing schemes: \emph{static} and \emph{dynamic}. The static scheme~\cite{} inserts checkpoint triggers at every loop latch in the program during compilation. At runtime, the checkpoint triggers check the capacitor voltage and execute a checkpoint only when it is below a predefined threshold. In contrast, the dynamic scheme~\cite{} does not modify the original program code. Instead, it executes checkpoints via interrupts from the power management system, generated when the power-off threshold is reached. All evaluations are conducted with 470uF of energy storage and 1mA of input current unless otherwise stated.

\subsection{Delay Checkpoint Execution}
Delaying checkpoint execution until the last possible moment is generally regarded as desirable in existing works~\cite{bhattiHarvOS2017}. However, this has not been considered a critical property, since early checkpoint execution makes the system wake up sooner, incurring only a small cost of initialization and recovery. For example, some static checkpoint approaches have explored proactive power-offs based on the program's worst-case execution time~\cite{choiCompilerDirected2022,reymondSCHEMATIC2024}, which can be overly pessimistic~\cite{raffeckWoCA2024}.
On the other hand, our model reveals that significant energy is wasted each time the system powers off (Sec.~\ref{sec:power_efficiency}). As a result, the importance of delaying checkpoint execution is greater than previously assumed.

\begin{figure}
\centering
\includegraphics[width=\linewidth]{figs/plot_expr_7_cropped.pdf}
\caption{Execution times across various checkpoint voltages, normalized to the 3.4V case.}
\label{fig:expr_checkpoint_voltages}
\end{figure}

Fig.~\ref{fig:expr_checkpoint_voltages} shows the benchmark execution times in the dynamic checkpoint scheme across various checkpoint execution voltages. A 1100uF capacitor is used and the execution times are normalized to the 3.4V case. The figure shows that executing checkpoints earlier is considerably less efficient: the normalized execution time is 1.38x and 2.45x with the 3.7V and 4.0V configurations, respectively. Consequently, it is important to execute as long as possible whenever the system wakes up. In the next section, we discuss how this can be implemented in existing intermittent systems.

\subsection{Use Vdd and Known Voltage for Checkpoint Execution}
\label{sec:use_vdd}
Sec.~\ref{sec:predicting_power_failures} demonstrates that capacitor voltage is not a good estimate of the system's remaining execution time. Instead, we propose using Vdd to accurately estimate the imminent power-off, as in works that do not have power management systems (Sec.~\ref{sec:related_work}). Also, when dealing with Vdd, it is important to consider the operation of ADCs at sub-normal voltage (Sec.~\ref{sec:sub_normal_execution}). For consistent operation of ADCs, the computing system needs a voltage source with a known value. STM32L5 and MSP430 provide an internal reference voltage source of 1.2V; otherwise, an external voltage reference (e.g., TI LMV431~\cite{texasinstrumentsLMV431}) can be considered.
% Note that the reference voltage should be lower than the minimal operating voltage of MCU as it is regulated from Vdd.
We propose two efficient implementations, one each for the dynamic and static checkpoint schemes. $T_{sta}$ is a setup for static checkpoint techniques, which poll the capacitor voltage and execute a checkpoint only when the voltage is below a threshold. Instead of reading the energy storage voltage, $T_{sta}$ reads the known voltage $V_{ref}$, which results in the same value of $\lfloor V_{ref}/V_{dd} \cdot 2^n \rfloor$ when operating at normal voltage. During sub-normal voltage execution, this value increases as $V_{dd}$ decreases. Given that the target threshold voltage for checkpoint execution is $V_{th}$, software designers can compare the ADC value with $\lfloor V_{ref}/V_{th} \cdot 2^n \rfloor$ to determine whether to execute a checkpoint. On the other hand, $T_{dyn}$ utilizes an on-chip comparator, which is available in most modern MCUs including STM32L5 and MSP430. As $V_{ref}$ is always lower than $V_{dd}$, we use a voltage divider with two resistors, $R1$ and $R2$, to reduce $V_{dd}$ and compare it with $V_{ref}$. Specifically, we set $R1$ and $R2$ to satisfy $\frac{R2}{R1+R2} \cdot V_{th} = V_{ref}$ so that the comparator generates an interrupt when $V_{dd}$ reaches the threshold voltage $V_{th}$.
% T2 is setup for static checkpoint techniques, which poll the capacitor voltage to determine whether execute checkpoint or not.
% Instead of reading the capacitor voltage, it reads the reference voltage.
% As we discussed in Sec.~\ref{sec:sub_normal_execution}, the voltage remains same while the system executes at normal voltage but the value increases during sub-normal voltage execution.
% \begin{itemize}
% \item T1 utilizes a on-chip comparator (available both in STM32L5 and MSP430) with a reference voltage.
% \item T2.
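
The two setups above, worked through in integer millivolt arithmetic as an added example (not code from the paper or its artifact). Only $V_{ref}$ = 1.2V comes from the text; the 12-bit ADC resolution, $V_{th}$ = 2.0V, $R2$ = 120k$\Omega$, the voltage sweep and all function names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define VREF_MV  1200u  /* internal reference named in the text (1.2V) */
#define ADC_BITS 12u    /* assumed ADC resolution n */
#define VTH_MV   2000u  /* assumed checkpoint threshold V_th on Vdd */

/* Code the ADC returns when sampling V_ref with V_dd as full scale:
 * floor(V_ref / V_dd * 2^n), saturating once V_dd <= V_ref. */
static uint32_t adc_code_for_vdd(uint32_t vdd_mv)
{
    if (vdd_mv <= VREF_MV) return (1u << ADC_BITS) - 1u;
    return (VREF_MV << ADC_BITS) / vdd_mv;
}

/* T_sta: the constant floor(V_ref / V_th * 2^n) the trigger compares against. */
static uint32_t tsta_threshold(void) { return adc_code_for_vdd(VTH_MV); }

/* The code rises as V_dd falls, so checkpoint once it reaches the threshold.
 * Every V_dd <= V_th is caught; the floor can fire up to one LSB early. */
static int tsta_should_checkpoint(uint32_t adc_code)
{
    return adc_code >= tsta_threshold();
}

/* T_dyn: for a chosen R2, the R1 that satisfies R2/(R1+R2) * V_th = V_ref. */
static uint32_t tdyn_r1_ohm(uint32_t r2_ohm)
{
    return (uint32_t)((uint64_t)r2_ohm * (VTH_MV - VREF_MV) / VREF_MV);
}

/* Comparator model: fires when the divided V_dd drops to V_ref or below. */
static int tdyn_comparator_fires(uint32_t vdd_mv, uint32_t r1, uint32_t r2)
{
    uint64_t divided_mv = (uint64_t)vdd_mv * r2 / ((uint64_t)r1 + r2);
    return divided_mv <= VREF_MV;
}

int main(void)
{
    uint32_t r2 = 120000u, r1 = tdyn_r1_ohm(r2);  /* constructed R2 value */
    printf("T_sta threshold=%u, T_dyn R1=%u ohm\n",
           (unsigned)tsta_threshold(), (unsigned)r1);
    for (uint32_t vdd = 3300; vdd >= 1800; vdd -= 300)  /* constructed sweep */
        printf("Vdd=%umV code=%u sta=%d dyn=%d\n", (unsigned)vdd,
               (unsigned)adc_code_for_vdd(vdd),
               tsta_should_checkpoint(adc_code_for_vdd(vdd)),
               tdyn_comparator_fires(vdd, r1, r2));
    return 0;
}
```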
% \end{itemize}

\begin{figure}
\centering
\begin{subfigure}{\linewidth}
\includegraphics[width=\textwidth]{figs/plot_expr_11_cropped.pdf}
\caption{Static checkpointing with $T_{sta}$.}
\label{fig:expr_precise_checkpoint_timings_static}
\vspace{7pt}
\end{subfigure}
\begin{subfigure}{\linewidth}
\includegraphics[width=\textwidth]{figs/plot_expr_10_cropped.pdf}
\caption{Dynamic checkpointing with $T_{dyn}$.}
\label{fig:expr_precise_checkpoint_timings_dynamic}
\end{subfigure}
\caption{Impact of precise checkpoint timings on the end-to-end execution times.}
\label{fig:expr_precise_checkpoint_timings}
\end{figure}

Fig.~\ref{fig:expr_precise_checkpoint_timings} shows

\subsection{Checkpoint Techniques and Evaluation Methods}
% \subsection{Design Checkpoint Techniques for Sufficient Power Duration}
Power failure injection (soft reset)~\cite{wuIntOS2024,yildizEfficient2023}.