Abstract
Introduction
It is well admitted, embedded systems affect most aspects of our everyday lives. New development frameworks that allow designers to perform efficient exploration of design alternatives and analyze system properties early in the design cycle are commonly needed. Several proposals for Model-driven development of embedded systems have been defined, see [1, 2] . However, these modeling principles for architectural modeling of large embedded systems do not have a universal recognition. An important recent development in this respect is the emergence of AADL.
Architecture Analysis and Design Language (AADL [3] ) is a standard for providing formal modeling concepts for the description and analysis of application system architecture in terms of distinct components and their interactions. It provides support to hierarchically describe how software components are mapped onto computational hardware elements of the execution platform. The modeling aspect of * This work is partially supported by the ANR project TopCased. system design activity is becoming increasingly essential, since it allows prototyping and experiments without necessarily having a physical implementation of the system at hands. Meanwhile, component-based approaches provide a way to significantly reduce overall development costs through modularity and re-usability.
The synchronous paradigm has proved well-suited for the design of embedded systems to significantly ease the modeling and validation of software components. For the early validation and testing, some methods for the modeling and automated translation of those complex architectures into synchronous languages [4] have been proposed. For instance, the paradigm of "Globally asynchronous locally synchronous system" (GALS [5] ) has been proposed to describe general asynchronous systems, while keeping as much as possible the advantages of synchronous components. Other approaches are proposed to program separately software components using synchronous languages, and deploy them to the target architecture using classical design methods for asynchronous systems.
In such cases, developing separately software components using synchronous languages, and deploying them on the target architecture using classical design methods for asynchronous systems, it is difficult to validate the integrated system, the problem of validating the whole system is crucial: the execution of the software on the target architecture is generally asychronous, and as a consequence, this phase of the design is the most error-phone. The validation can be performed by testing the implementation, however, this will result in later error detection. Furthermore, testing an asynchronous implementation is difficult.
In order to support the virtual prototyping, simulation and formal validation of early, component-based, embedded architectures, we define a model of the AADL into the polychronous model of computation of the SIGNAL programming language [6] . Typical synchronous languages are ESTEREL, LUSTRE and SIGNAL. They mainly differ from each other by their programming style. Esterel is controloriented state-based formalisms, and Lustre and Signal are declarative data-flow based formalisms. The polychronous (i.e. multi-clocked) model of the SIGNAL design language offers formal support for the capture of behavioral abstractions for both very high-level system descriptions (e.g. SystemC/SPECC) and behavioral-level IP components (e.g. VHDL). Its platform POLYCHRONYprovides models and methods for a rapid, refinement-based, integration and a formal conformance-checking of GALS hardware/software architectures. While AADL combines various formalisms and tools for the design of embedded real-time system, our approach relies on the single semantic model of the SIG-NAL language. This favors a uniform framework, which facilitates system validation. Other simultaneous languages, such as VHDL/Verilog/SystemC, which are high level hardware description languages, restrict the set of verification back-ends that can be applied. That's why we choose SIG-NAL for the translation.
TopCased [7] is a large open-source project devoted to the design of critical embedded systems. In the TopCased process, several meta-models are proposed, including those for describing architectures in AADL and those for modeling synchronous components. In this framework, we propose a methodology to describe asynchrony using a synchronous multi-clocked formalism.
The main difficulty in this translation is to model intrinsically non-deterministic and asynchronous AADL descriptions into a polychronous model. We challenge this difficulty by using existing techniques and library of the SIGNAL environment, consisting of a model of the APEX-ARINC-653 real-time operating system services. It proves a suitable and adequate library to model embedded architectures in the specific case of Integrated Modular Avionics (IMA [8] ) considered in the TopCased project.
General principles
In this article, we describe the general principles of the translation for each AADL component. The main one is to use APEX-ARINC services. AR-INC 653 (Avionics Application Standard Software Interface [10] ) is a standard that specifies an API for software of avionics, following the architecutre of Integrated Modular Avionics. It defines an APplication EXecutive (APEX) for space and time partitioning. An ARINC PARTITION is a logical allocation unit resulting from a functional decomposition of the system. PARTITIONs are composed of PROCESSes (to distinguish from the AADL process and SIGNAL process) that represent the executive units. AADL components are mapped onto ARINC PARTITIONs. Each component corresponds to some instances of APEX services ( Figure 1 ). The scheduler and communication of the AADL components are also translated to SIGNAL processes using some improved APEX services. Plan The paper is organized as follows. Sections 2-4 review the AADL, IMA architecture and SIGNAL. Section 2 presents an AADL example. Section 5 explains the general principles of the translation for each AADL component. It is illustrated with the translation in SIGNAL of components used in our example, using the SIGNAL library of APEX services. Section 6 discusses related work. Finally, we summarize the extent of our contribution to virtual prototyping AADL, as well as the current limitations of our approach, and draw conclusions in section 7.
A Summary of AADL
The Architecture Analysis and Design Language (AADL) is a SAE standard aimed at the high level design and evaluation of the architecture of embedded systems. The language is used to describe the structure of such systems as an assembly of software components that are mapped to an execution platform. The purpose of a model in AADL is to describe the execution characteristics of the system. Because such characteristics depend on the hardware executing the software, an AADL model includes the description of both software and hardware.
AADL focuses on the description of systems using the component-based paradigm. A sample client-server AADL system is presented in Figure 2 . The client sends a signal to the server, which in turn sends a message containing data. The server is made up of two sensors linked to a processor, which performs a certain number of calculations and sends the result to the client when it demands. In this graphical representation, all the basic components are depicted. Component categories AADL components are separated into three categories: composite components, application software components and execution platform components.
Composite components model components consisting of both hardware and software. A system component models a component containing execution platform, application software and other composite components. The Global system in Figure 2 contains two subsystems: Client and Server.
Application software components include process, thread, thread group, subprogram, and data components. A process component models a protected virtual address space, and it contains at least one thread. A thread component is an abstraction of a schedulable unit of concurrent execution. A subprogram component models a procedure call as in imperative programming languages. The A sensor server process of Server subsystem in Figure 2 contains a thread A sensor server thread, and this thread calls three subprograms for computation: Compute t, Compute p and Agregate.
Execution platform components model the hardware part of the system, and it includes the processor, memory, device, and bus components. A processor component is an abstraction of hardware and possibly embedded software that schedules and executes threads. It may contain memory, and can access memory or device components through a bus component. A device component is an abstraction for a component with complex behavior that interfaces with and represents a part of the external environment. A bus component is an abstraction for an execution platform component which provides communication of data and event messages between processor, memory and device components. In Figure 2 , Sensor processor is a processor, and it represents Component type and implementation Each component is described in AADL with two parts. The first one, the type, represents the functional interface of the component and externally observable attributes, what is visible by other components. The second one, the implementation, describes the contents of the component, as well as the connections between them [9] . Each type may be associated with zero, one or more implementation(s).
Properties A property provides information about component types, implementations, subcomponents, features, connections, flows, and subprogram calls.
Connections
Components can be connected and bound to each other in a number of manners. A connection is a linkage between component features that represents the communication of data and control between components.
IMA Architecture
The APEX interface, defined in the ARINC standard [10] , provides an avionics application software with the set of basic services to access the operating-system and other system-specific resources. Its definition relies on the Integrated Modular Avionics (IMA) architecture. A main feature in an IMA architecture is that several avionics applications can be hosted on a single, shared computer system. This is addressed through a functional partitioning of the applications with respect to available time and memory resources [11] . The allocation unit that results from this decomposition is the PARTITION.
A processor is allocated to each PARTITION for a fixed time window within a major time frame maintained by the module-level OS. A PARTITION is composed of PROCESSes which represent the executive units. When a PAR-TITION is activated, its owned PROCESSes run concurrently to perform the functions associated with the PAR-TITION. Each ARINC PROCESS is uniquely characterized by information useful to the partition-level OS, which is responsible for the correct execution of PROCESSes within a PARTITION. Suitable mechanisms and devices are provided for communication and synchronization between PROCESSes (e.g. buffer, event, semaphore) and PARTITIONs (e.g. ports and channels).
The APEX interface allows IMA applications to access the underlying OS functionalities. The interface includes both services to achieve communications and synchronizations, and services for the management of PROCESSes and PARTITIONs.
The SIGNAL Language
SIGNAL is a dataflow relational language that relies on the polychronous model [12] . It handles unbounded series of typed values (x t ) t∈N , called signals, denoted as x and implicitly indexed by discrete time. At any instant, a signal may be present, at which point it holds a value; or absent and denoted by ⊥ in the semantic notation. The set of instants where a signal x is present represents its clock, noted x. A SIGNAL process (to distinguish from the AADL process and ARINC PROCESS) is a system of equations over signals that specifies relations between values and clocks of the signals. A program is a process. SIGNAL relies on six primitive constructs that define elementary processes:
• Undersampling. y:= x when b where b is Boolean ≡ def y t = x t if b t = true, else y t =⊥. The expression y:= when b is equivalent to y:= b when b.
• Deterministic merging. z:= x default y ≡ def z t = x t if x t 6 =⊥, else z t = y t .
• Composition. P1|P2 ≡ def conjunction of equations of P1 and P2.
• Hiding. P where x ≡ def x is local to the process P.
SIGNAL offers a process frame that enables the definition of sub-processes (declared in the where scope). Subprocesses that are only specified by an interface without internal behavior are considered as external (e.g. C++ / JAVA functions), and may be separately compiled processes or physical components. Any process can be abstracted by an interface which specifies properties on its input-output signals. These properties essentially concern clock relations and dependencies between signals. All these features favor modularity and reusability.
Example (counter)
We consider the definition of a counter: Count. It accepts an input reset signal and delivers the integer output signal val. The local variable counter is initialized to 0 and stores the previous value of the signal val (equation counter := val$ init 0). When an input reset occurs, the signal val is reset to 0 (expression (0 when reset)). Otherwise, the signal val takes an increment of the variable counter (expression (counter+1)). The activity of Count is governed by the clock of its output val which has higher frequency than its input reset.
SIGNAL is associated with a design environment, called POLYCHRONY [12] , which offers a graphical user interface, a compiler and a model-checker that support the trustworthy design of systems.
Modeling ARINC concepts in SIGNAL
The POLYCHRONY design environment includes a library in SIGNAL containing real-time executive services defined by ARINC [10] . It relies on a few basic blocks [13] , which allow to model PARTITIONS: APEX-ARINC 653 services, an RTOS model and executive entities.
APEX services
The APEX services modeled in SIG-NAL include communication and synchronization services used by PROCESSes (e.g. SEND BUFFER, WAIT EVENT, READ BLACKBOARD), PROCESS management services (e.g. START, RESUME), PARTITION management services (e.g. SET PARTITION MODE), and time management services (e.g. PERIODIC WAIT). Figure 3 , the input Active_partition_ID represents the identifier of the running PARTITION selected by the module-level OS, and it denotes an execution order when it identifies the current PARTITION. Whenever the PARTITION executes, the PARTITION_LEVEL_OS selects an active PROCESS within the PARTITION. The PROCESS is identified by the value carried by the output signal Active_process_ID, which is sent to each PROCESS. The other input/output signals can be referenced in [14] .
PARTITION-level OS

ARINC PROCESSES
The definition of an ARINC PROCESS model basically takes into account its computation and control parts. This is depicted in Figure 4 . Two sub-components are clearly distinguished within the model: CONTROL and COMPUTE. Any PROCESS is seen as a reactive component, which reacts whenever an execution order (denoted by the input Active_process_ID) is received. The input timedout notifies PROCESSes of timeout expiration. In addition, there are other inputs (resp. outputs) needed for (resp. produced by) the PROCESS computations. The CONTROL and COMPUTE sub-components cooperate to achieve the correct execution of the PROCESS model.
The CONTROL sub-component specifies the control part of the PROCESS. Basically, it is a transition system that indicates which statements should be executed when the PROCESS model reacts. Whenever the input Active_process_ID identifies the ARINC PROCESS, this PROCESS "executes". Depending on the current state of the transition system representing the execution flow of the PROCESS, a block of actions in the COMPUTE subcomponent is selected to be executed instantaneously. 
From AADL models to SIGNAL processes
Here we present general rules to translate AADL systems into the SIGNAL programming language. We put our translation to work by studying the similarity relationship between AADL and APEX-ARINC services.
An AADL system model describes the architecture and runtime environment of an application system in terms of its constituent software and execution platform components and their interactions. In the following, we present the translation rules from four main categories: system, software components, hardware components and component interactions. For each category, we select some classical components. And for each component, we present a general mapping rule, show how its corresponding SIGNAL process is, then describe some details of the translation, and an example translation for the system presented in Figure 2 is given.
System
The system is the top-level component of the AADL model, It can be mapped into a top-level SIGNAL process.
General rules: 1. Each system can correspond to an ARINC PARTI-TION. 2. Each input (output) port of the system is mapped into an input(output) of the PARTITION. 3. For system implementations, each sub-component is mapped into a SIGNAL process, for example, an AADL process can be mapped as an ARINC PRO-CESS, a thread can be a block, and all the PROCESS and block can be modeled in SIGNAL as described in section 4.2. 4. The SIGNAL process calls result straightforwardly from their inner connections. 5. The connections between systems are implemented as the communications between the PARTITIONs, that are the ports and channels in APEX. • The addtional two other inputs: initialize and active partition ID are generated by the PARTITION scheduler.
• The SHARED RESOURCE includes buff and sema, used for the ARINC PROCESS communication.
Here an AADL system can only contain one processor, the case in which one system contains several processors is not considered yet. So that one AADL system can be mapped into one PARTITION.
Software components
Each software component (except data and thread group) is mapped into a SIGNAL process whose inputs/outputs are made of the component input/output ports. For component implementations, the SIGNAL process calls result from their inner connections.
Process
The AADL process component represents a protected address space, a space partitioning where protection is provided from other components accessing anything inside the process.
Here we consider that the AADL processes executed on the same processor constitute a PARTITION (on the assumption that a system only has one processor), in other words, the processes in one system are mapped into one PARTITION.
General rules: 1. Each AADL process represents an ARINC PROCESS. 2. The input (output) ports of the AADL process become the inputs (outputs) of the PROCESS. 3. The AADL process is responsible for scheduling and for executing threads, while the CONTROL process schedules the blocks which are translated from the threads and sub-programs. 4. An AADL process must contain a thread, so the corresponding ARINC PROCESS has to contain a block in the COMPUTE sub-program. Figure 6 is a simple example of AADL process mapping (the same example as described in section 2):
• The ARINC PROCESS attribute (process property in AADL) must be recorded in the PARTITION LEVEL OS which is the scheduler for the PROCESSes in the PARTI-TION.
• The CONTROL input timedout notifies PROCESSes of time-out expiration, and the other input active process ID notifies current active PROCESS which is scheduled by PARTITION LEVEL OS. The output end processing is emitted by the PROCESS after completion, and active block is transfered to the COMPUTE part to activate the corresponding block.
• There are other inputs needed for the ARINC PRO-CESS computations in actual programming.
• The input (output) ports of the AADL process component which correspond to the parent system inputs/outputs are translated as the ARINC PROCESS inputs (outputs); the other ports which are used for communication between AADL processes are not translated directly as PROCESS inputs (outputs), they can be translated as buffer or blackboard for the PROCESS communication, that will be represented in detail in component interaction section. 
Thread
Thread component is an abstraction of software responsible for scheduling and for executing sub-programs.
When several threads run under the same AADL process, the sharing of the process is managed by a runtime scheduler. Threads are responsible for the subprogram execution, so the thread component can be translated as the execution of the ARINC PROCESS, that is the COMPUTE part of the PROCESS.
General rules: 1. The threads that belong to the same AADL process constitute the COMPUTE process. 2. Each thread can be a block or several blocks according to the subprograms it contains. 3. The inputs/outputs of COMPUTE correspond to the inputs/outputs of the parent PROCESS. 4. One more important input is needed: active block, for activating the selected block. 5. Some communication services may be needed, in such case, more inputs will be added, like port and buffer names for identifying the communication scheme.
A generic interface of the SIGNAL process that specifies the COMPUTE sub-component mapping is given in Figure 7 . Two blocks are made from the two subprograms. The blocks are scheduled by the CONTROL part.
The dispatch protocol property is used to specify the activation of a thread, it can be periodic/ aperiodic/ sporadic/ background. This must be recorded in the PARTI-TION LEVEL OS as an attribute of the parent process. 
Subprogram
The subprogram is a callable component with or without parameters that operates on data or provides functions to components that call it. Subprogram components represent elementary pieces of code that processes inputs to produce outputs. Calls to subprograms are declared in call sequences in threads and subprogram implementations. Only their interfaces are given in the AADL model; subprogram implementations ought to be provided in some host language (such as C or Java).
The ARINC block represents elementary pieces of code to be executed without interruption. The statements associated with a block are assumed to complete within a bounded amount of time. The subprogram component can be mapped into a block, the code should be executed without interruption. The detailed implementation of the function can be programmed in C/JAVA language. The block is part of the COMPUTE process. 2. Each block is identitied by a BLOCK ID. Only when the current active block equals to its BLOCK ID, this block is executed. 3. Some subprocess may be needed for detailed computation of the execution of the subprogram.
The same small example is used for subprogram translation (see Figure 8 ). For this example block, the BLOCK ID is 0, so when the active block equals to 0, it is activated. Here COMPUTE T processes the incoming data T data when this block is triggered to produce some output data, the detailed output data producing is programmed in another SIGNAL process, which can be provided by a SIGNAL program or some C program.
When a thread is made of several subprograms, the call sequence is determined by the subprogram calls declaration order. In other words, the calls order is static and linear. In the SIGNAL library of ARINC services, the blocks can be controlled to be activated in sequence. This is implemented by the PROCESS CONTROL part. The block is activated only when the active block equals to its BLOCK ID. Depending on the current state of the transition system representing the execution flow of the PROCESS, a block of actions in the COMPUTE sub-component is selected to be executed instantaneously. The active block is computed in CONTROL,the ID value is increased each time the previous one is terminated, so that each block is executed in turn (see Figure 9 ). The block sequence can be arranged according to the call sequence order, so that the blocks are computed sequentially from top to bottom. 
Hardware components
Hardware components represent computational and interfacing resources within a system. Each hardware component can be mapped into a SIGNAL process, the translation is more intricate than software components. Here we consider some basic components for the translation. The device component is translated as an external interface, the processor as a scheduler, and the bus as a communication component.
Device
Device components are used to interface the AADL model with its environment. Devices are not translated as the other components, they are modeled outside the PARTITION, the implementation can be provided in some host language.
General rules: 1. The device can be a SIGNAL process outside the PAR-TITION. 2. The process inputs/outputs are mapped from the component input/output ports. The inputs are considered as PARTITION outputs, and the outputs as PARTITION inputs. Figure 10 is a device example which has one output data port temperature output, in SIGNAL it becomes a process with an output temperature, and this output is transfered to the corresponding PARTITION as one input.
Figure 10. Mapping an AADL device
Processor
Processor component is an abstraction of hardware and software responsible for executing and scheduling threads. Basically, each processor has its own clock, which is the base time of the components running on the processor. Several processes or threads that run on the same processor have to share the resources such as CPU. The sharing is managed by a runtime scheduler.
The processor property Scheduling Procotol defines the way the processor will be shared between the threads of the application. The possible scheduling protocols include: Rate Monotonic, Earliest Deadline First, Deadline Monotonic, Least Laxity First, and Highiest Priority First. we consider the most commonly used scheduler Rate Monotonic for ouw translation, with which the task with the lowest period is the task with the highest periority.
In ARINC services, PROCESSES run concurrently and execute functions associated with the PARTITION in which they are contained. The PARTITION LEVEL OS selects an active PROCESS within the PARTITION whenever the PARTITION executes, that is to say, at any time, there is only one PROCESS that is activated. The scheduling policy for PROCESSES is priority preemptive. The processor can be translated as the scheduler of the AADL processes/threads which are bounded to the processor, corresponding to the PARTITION LEVEL OS in SIGNAL. For the Rate Monotonic scheduler, we can set the ARINC PRO-CESS priorities according to the thread period, then the priority preemptive scheduler can be used.
The subclauses of PARTITION LEVEL OS declaration can be summarized as follows:
The priority of the ARINC PROCESS must be considered carefully. The PROCESS with the lowest period is set to be the highest priority. The PROCESS period attribute is set to -1.0 when it's aperiodic.
Bus
A bus component represents hardware and associated communication protocols that enable interactions among other execution platform components (ie., memory, processor and device). For example, a connection between two threads, each executing on a separate processor, is through a bus between those processors. This communication is specified in AADL using access and binding declarations to a bus. Because memory is ignored in this article, we only discuss the bus interaction between processor and device components.
Bus between two processors
In this case, it means that the bus connects two different sub-systems. The bus is used for exchange of communication data. As mentioned, each sub-system is mapped as an ARINC PARTITION, the communication between PARTITIONs in ARINC services is via ports and channels (Figure 11 ). There are two transfer modes in which channels may be configured: sampling mode and queuing mode. In the former, no message queuing is allowed. A message remains in the source port until it is transmitted by the channel or it is overwritten by a new occurrence of the message. During transmissions, channels ensure that messages leave source ports and reach destination ports in the same order. A received message remains in the destination port, until it is also overwritten. In the queuing mode, ports are allowed to store messages from a source PARTITION in queues, until they are received by the destination PARTITION.
A simple way to implement bus access in SIGNAL is to use the port mechanism.
General rules: 1. The APEX SAMPLING PORT mechanism can be used for AADL bus.
2. Some property checking must be added. 3. The source and destination PARTITIONs need to declare the use of SAMPLING PORT, and identify the direction: source or destination.
Figure 11. ARINC port mechanism
Following is an example for the CRE-ATE SAMPLING PORT interface.
Here three new inputs (it maybe that more than three properties need to be checked) are added: transmission time, message Size, access protocol, which correspond separately to Transmission Time, Allowed Message Size, Allowed Access Protocol property in AADL. For the other APEX SAMPLING PORT interfaces, similar property checking must be added. Bus between a processor and a device In this case, the processor and device are in the same sub-system, it is the communication between a PARTITION and a device process in SIGNAL. A set of new BUS SIGNAL processes is provided:
• CREATE BUS: create a new bus, record the predeclared properties.
• WRITE BUS: input some messages to the bus, make property checking.
• READ BUS: read the current message from the bus. The detailed programming can be implemented in C code. In the programming, two things must be done: check the property whether the message is available for transfer, and if available then record the message in the bus, otherwise ignore it.
Component Interactions
An AADL port represents a communication interface for the directional exchange of data, events, or both between components. Ports are classified as:
• data port: interfaces for typed state data transmission among components without queuing. Connections between data ports are either immediate or delayed.
• event port: interfaces for the communication of events raised by subprograms, threads, processors, or devices that may be queued.
• event data port: interfaces for message transmission with queuing. These interfaces enable the queuing of the data associated with an event.
A port connection instance represents the actual flow of data and control between components of a system instance model. In case of a fully specified system, this flow is a transfer between two thread instances, a thread instance and a processor instance, or a thread instance and a device instance, at least one thread must be included. Each input port has a fresh variable to define the state of the port, if a port has not received anything between two thread dispatches, this variable is set to false. A buffer (to distinguish from the ARINC buffer mechanism) is also associated with each input port, when an output port sends a data or an event it modifies these buffers. On the dispatch of a thread, these buffers are copied into the local memory of the thread.
For the AADL port connection translation, we define a thread and its parent process parent sub-system as an enclosing set. The port connection can be divided into two types:
• Type A: the sequence of data connection is within an enclosing set, for example from a thread to its parent process, or from process to thread (within the same enclosing set) (see Figure 12 left).
• Type B: the sequence of data connection is between two enclosing sets, for example, the sequence of data connection from a thread to its parent process, to the second process, and to the thread contained in the second process (see Figure 12 right ).
Figure 12. Port connection
For type A, we just consider it as usual connection, like parameter transfering.
For type B, it can be translated as blackboard or buffer, according to the communication scheme. If it is queuing, then it can be mapped into buffer; if queuing is not allowed, then blackboard can be used. A more detailed description of type B mapping in the following:
1. For data port, queuing is not allowed, and the connection can be either immediate or delayed. APEX blackboard is used to display and read messages: no message queues are allowed, and any message written on a blackboard remains there until the message is either cleared or overwritten by a new instance of the message [14] . That is to say, the output message is either synchronous with the input or delayed of several ticks. So data port connection communication can be mapped as read/write blackboard. 2. For event data port, queuing is allowed. APEX buffer allows to send and receive messages following a FIFO policy. So buffer can be used for event data port connection. 3. For event port, it may be queued. For simple, we image it is queued, and consider it the same as event data port.
Related work
A number of related approaches have been proposed. Dissaux [15] presents an approach for AADL model transformations. This approach concentrates on the analysis of components from legacy code aimed specifically towards use with the HOOD Stood tool [15] . Bertolino and Mirandola [16] propose an approach for the specification and analysis of performance related properties of AADL components using the RT-UML profile. Although the approach also uses a UML profile, it is not targeted towards model driven development.
Also, a number of tools are available that address the issues discussed in this paper. CHEDDAR [17] is a free realtime scheduling tool. It is designed for checking task temporal constraints of a real time application/system which is described with AADL or a CHEDDAR specific language. CHEDDAR provides a number of features to ease the development of specific schedulers and task models, and it relies on OCARINA [18] to provide schedulability analysis of AADL models. OCARINA allows model manipulation, generation of formal models, to perform scheduling analysis and generate distributed applications. OCA-RINA allows code generation from AADL descriptions to Ada. GME [19] is engaged in work on a DARPA-sponsored metamodeling framework, AADL capture and role-based system security analysis, model transformation and integration.
Some related approaches are proposed to modeling nonsynchronous systems using synchronous languages and developing system level design methodology. For instance, AADL2SYNC [20] tool is an AADL to synchronous programs translator, which is extended in the framework of the European project ASSERT, resulting in the system-level tool box translating AADL to LUSTRE. Although the approach also translates AADL to a synchronous language, it considers a purely synchronous model of computation (that of LUSTRE) in which clocks need to be totally ordered (by contrast to the relational, multi-clocked MoC considered here). This limitation requires the emulation of asynchrony
