Timing Analysis using the MARTE Profile in the Design of Rail Automation Systems by Hagner, M et al.
HAL Id: hal-02270283
https://hal.archives-ouvertes.fr/hal-02270283
Submitted on 24 Aug 2019
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destinée au dépôt et à la diffusion de documents
scientifiques de niveau recherche, publiés ou non,
émanant des établissements d’enseignement et de
recherche français ou étrangers, des laboratoires
publics ou privés.
Timing Analysis using the MARTE Profile in the Design
of Rail Automation Systems
M Hagner, M Huhn, A Zechner
To cite this version:
M Hagner, M Huhn, A Zechner. Timing Analysis using the MARTE Profile in the Design of Rail
Automation Systems. Embedded Real Time Software and Systems (ERTS2008), Jan 2008, Toulouse,
France. ￿hal-02270283￿
Timing Analysis using the MARTE Profile in the Design of Rail Automation Systems
M. Hagner, M. Huhn, A. Zechner
Technische Universita¨t Braunschweig
Institute for Programming and Reactive Systems
Muehlenpfordtstr. 23, D-38106 Braunschweig, Germany
{hagner,huhn,zechner}@ips.cs.tu-bs.de
Abstract: For dependable systems as in the railway domain
the timing behaviour is considered part of the functional cor-
rectness. Thus timing requirements have to be traced and
refined through the system and software development phases
and validation and verification efforts have to address the tim-
ing as well as the pure input/output behaviour.
We show how timing can be handled in a UML or SysML based
approach to the development of software-intensive railway sys-
tems by using the new MARTE profile. Thereby timing be-
comes fully integrated in the chain of system and software mod-
els and may benefit from tool support. Moreover, automated
timing analysis may be employed via model transformations
which enables the exploration of timing-related issues in var-
ious design phases.
Keywords: MARTE, Timing Analysis, Rail Automation Sys-
tems, CENELEC
1. Introduction
Dependable systems are in many cases hard real-time system
i.e. if the timing behaviour violates the requirements, the sys-
tem reaction has to be considered as faulty because of po-
tential severe consequences. Therefore, timing requirements
as other runtime properties, which are in non-dependable soft-
ware design considered as extra-functional like availability, are
taken into account from the very beginning of the development
process. Within each design phase a catalogue of measures is
employed to assure predictable behaviour.
However, nowadays standardised tool-supported model dri-
ven development for the application logic on the basis of UML
or SysML is on the rise in the railway domain. Moreover, to-
days rail automation systems are composed out of a set of
configurable components to improve reuse. On the other hand,
COTS products for hardware components and lower middle-
ware layers find their way into this segment dependable sys-
tems. All these require a new treatment of real-time require-
ments that supports tracing through the model driven design
and automated timing analysis for verification. An answer is
MARTE (A UML Profile for Modelling and Analysis of Real-Time
and Embedded systems) [5], a new UML profile extension for
embedded and real-time systems. It is proposed by the “Pro-
Marte” consortium1 consisting of academics, tool providers, and
OMG end-users. The goal of the consortium was to define a
concept, in terms of UML extensions, to model real-time and
embedded systems. The MARTE Profile is a successor of the
Profile for Schedulability, Performance, and Time (SPT Profile)
1http://www.promarte.org
[6] and the QoS Profile (Profile for modeling quality of service
and fault tolerance characteristics and mechanisms) [7].
Figure 1: MARTE architecture model
The profile consists of three main packages (see Figure 1).
The MARTE foundations package defines the basic concepts
to design and analyze an embedded, real-time system. The
MARTE Design Model offers elements for requirements cap-
turing, the specification, the design, and the implementation.
Therefore, it provides a concept for high-level modeling and
a concept for detailed hard- and software description. The
MARTE Analysis Model defines specific model abstractions and
annotations that could be used by external tools to analyze the
described system. Therefore, the analysis package is divided
into three parts, according to the kind of analysis. The first part
defines a general concept for quantitative analysis techniques;
the second and third parts are focused on schedulability and
performance analysis. The analysis package was designed
with reference to a number of tools that are specialized to ana-
lyze the scheduling behaviour of systems (SymTA/S [2], TIMES
[3], or MAST [4] ).
2. Standards for Functional Safety in Railway
Applications
The railway is one of the safest means of transport, compa-
rable to civil aviation. However, as with other complex sys-
tems, despite all efforts to avoid them, accidents do occur again
and again, since railway is transport of big masses, some of
them even with catastrophic consequences. Therefore stan-
dards are of central importance when developing electronic
and programmable systems for safety critical functions. The
Page 1/9
CENELEC2 standards EN50126, EN50128 and EN50129 give
recommendations to railway companies, industry and suppliers
for consequently applying quality management (RAMS3). Appli-
cation of those standards has to be carried out systematically
during all phases of a product’s life cycle.
2.1 Quality Management
Due to the fact that failure in safety relevant functions of railway
systems may have dramatic consequences, the main focus in
RAMS management lies on the safety aspect. CENELEC stan-
dards call for an assurrance that the risk of severe hazards is
minimized to an acceptable risk [8] which is usually expressed
as Tolerable Hazard Rate (THR). System failures may origin
from two different kinds of reasons:
• random or aging effects on the material
• systematic errors from incorrect design
For the first probabilistic methods can be applied, but the sec-
ond kind needs another treatment since systematic errors can-
not be quantified with mathematical means. In order to prevent
systematic errors and random failures, the concept of Safety
Integrity Level (SIL) is applied. SIL is a classification related
to ranges of THRs. As a SIL comes along with a catalogue of
measures to be applied in the different phases of a product’s
life cycle, SIL addresses in particular systematic errors in the
design by recommending methods and practices for the devel-
opment process.
2.2 Development Processes
According to EN50126 [1] the system development process
comprises several phases: concept, system definition, risk anal-
ysis, system requirements, apportionment of system require-
ments, design, and implementation. Further refinement of the
process leads to the loosely coupled development processes
for hardware and software. When designing and assembling
hardware made of COTS4 and rather simple electric circuitry
most of the RAMS qualities can be addressed directly because
of the physical and probabilistic properties of the single parts
from resistors to complete electric circuits. Software is im-
material and does not suffer from statistic errors that is why
EN50128 [9] introduces Software SIL. As a consequence the
standard makes recommendations for tracing requirements, us-
ing formal or semi-formal methods for design and verification
and execution of certain test procedures according to the SSIL
that is assigned to the function or subcomponent under devel-
opment. Furthermore EN50128 proposes phases and artefacts
for a software development process (see Figure 2).
The development process for software starts with the soft-
ware requirements specification phase. As inputs serve doc-
uments from system requirements specification, system safety
requirements, system architecture specification, and software
2European Committee for Electrotechnical Standardization
3Reliability, Availability, Maintainability, and Safety
4Components Off The Shelf
quality assurance plan; outputs are requirements and test re-
quirements. Recommendations for this phase include formal,
semi formal, and structured methods like CCS, temporal logic,
function block and sequence diagrams, SDL, Yourdan, etc.
Software requirements specification, system safety require-
ments, system architecture specification, and software qual-
ity assurance plan form the basis of the software architecture
phase. The software architecture specification has to identify
all software components and subsystems, document and anal-
yse interactions between software and hardware, and provide
traceability of requirements. The standard proposes fault tree
analysis, software error effect analysis, and several program-
ming techniques and best practice architecture fragments.
A design and implementation phase basically ends the con-
structive part of the software development process. The de-
sign has to give detailed information on interfaces of all soft-
ware components and modules. Every kind of module has
to be specified exactly regarding data structures, diagrams of
data and control flows, and algorithms. Software module spec-
ifications shall be sufficiently detailed for further implementa-
tion and coding of a module. Here again recommendations for
formal, semi formal, and structured methods can be applied.
Object-oriented or module-oriented approaches, coding guide-
lines, programming languages with certain properties, restric-
tion to a subset of a programming language, utilisation of ap-
proved or certified software libraries, and other programming
related issues extend the list of recommendations.
Figure 2: Software development process [8]
Model checking and the like are methods for proving pure
functional correctness in the meaning of reactive, computa-
tional behaviour. Besides timed Petri nets or temporal logic
the CENELEC standards give only marginal recommendations
for checking, tracing, and proving correct temporal behaviour.
In particular this applies to the architecture and design phases.
However, this does not reflect the state of the art in real-time
modeling and analysis and in particular for complex depend-
able systems it is mandatory to assure timing correctness as
that timing is a safety relevant matter whether for the functional
behaviour or for the prevention of hazards to minimize detection
time of failures and to initiate fail safe reactions.
Page 2/9
3. Case Study
The German railroad network comprises about 50,000 level
crossings. According to the laws and regulations of Germany
and Switzerland railway lines may be equipped with crossings
where trains travel with up to 160 km/h. Due to this european
railway standards [1] demand high requirements for automatic
protection systems concerning reliability, availability, maintain-
ability and safety.
In this case study we will examine the development of an
automatic train level crossing system with supervision signal.
The purpose of such a system is to prevent street traffic from
entering the crossing while trains are approaching it or pass
through the crossing. A level crossing system with supervision
signal works as an autonomous system; interaction with a rail-
way control centre or interlocking is not necessary.
3.1 Basic Execution of Protection
When railway vehicles are approaching a level crossing, road
users have to be signalised. On technically safeguarded level
crossings this is realised indirectly via the train activating the
protection process. The interval of time between announcing
the approaching train to its arrival on the crossing must be suf-
ficiently long for road users to either come to a halt before the
rails or to enter the area and to safely clear before the train ar-
rives at the level crossing. Not until successful safeguarding
the train may pass the level crossing. When the complete train
has depleted the level crossing, road users may be given way
to cross the rails.
3.2 System Boundaries
A protection system for level crossings obviously has bound-
aries towards its environment: the railway system (train, rails,
etc.) and road traffic. Laws and regulations prescribe more de-
tailed restrictions on the concrete interfaces. The level cross-
ing protection system has to warn road traffic by a set of lights
comprised of a yellow and a red light with conventional mean-
ing. Additionally the level crossing can also have gates faced
toward the street. A railway signal, namely the supervision sig-
nal, shall inform the train driver of the state of the level cross-
ing. Besides those prescribed interfaces a protection system
also needs an interface component for detecting trains.
Regarding the fact that we will focus on software develop-
ment - ignoring the true physical boundaries to the environment
like climate conditions, electrical interfaces, etc. - our list of in-
terfaces is sufficient.
3.3 Variants of Automatic Level Crossing Protection
Protection systems for level crossing are conceived for differ-
ent operational purposes. Besides the design with supervi-
sion signal other systems exist which are remotely controlled
by interlockings from railway control centres or manually oper-
ated from station personnel. As initially mentioned a protection
system with supervision signal works independently from other
train operating or control systems which could influence train
movement and prevent a train from entering when the crossing
is not guarded against road traffic. In this variant the maximum
speed of trains is limited to 120 km/h. The supervision signal is
faced towards approaching trains and shows whether the pro-
tection system works and the area can be entered safely or
not. Its placement is in a safe stopping distance from the grade
crossing; so the train driver can react and initiate braking. The
signal can show two signal aspects LC1, a blinking white light
indicating that the facility is safe, or LC0 otherwise. Its activa-
tion takes place as soon as the set of lights is showing red.
3.4 Parameters and Constraints
Regarding the operation of protection described earlier we get
several constraints and parameters which have to be taken into
account when developing a protection system:
• Maximum allowed speed of trains
• Diameter of level crossing
• Maximum expected length of road vehicles
• Minimum expected depletion time of road vehicles
• Stopping distance of road vehicles including time to react
• Train deceleration at emergency brake
• Reaction time of the train driver
Most of those parameters and constraints result in requirements
as we will see later.
4. The Development Process
Here we show how to integrate the MARTE profile for specify-
ing real-time properties in a model based development process
conforming to CENELEC. Our focus lies on software develop-
ment but MARTE can be used from early phases of require-
ment specification on the system level till implementation. We
will go through all development phases but after the system
architecture phase we concentrate on software development5
and will introduce artefacts of the hardware parts only when
required for understanding.
4.1 Phase 0 - User Requirements Specification
In the railway domain user requirements are stated by railway
companies, which typically have a long history. Alike is the form
of user requirements in this domain. Some come from descrip-
tions of operating procedures for railways - mostly written for
railway personnel -, sometimes involving descriptions of exist-
ing technology. The operation procedures contain explicit time
constants for end-to-end paths for functions such as safeguard-
ing the level crossing. Furthermore legal constraints also have
to be considered as a source of requirements, next to the tacit
knowledge of domain experts. However, in this paper we refer
to the more or less formal description of the case study as the
user requirements specification in our development process.
5HW development will ideally take place in parallel.
Page 3/9
4.2 Phase 1 - System Requirements Specification and System
Architecture
Unlike all other phases this phase is twofold, it contains all sys-
tem level activities of the development reflecting our concentra-
tion on software development. System requirements capture
the user requirements and enrich them with goals and require-
ments of the developing manufacturer like for instance product
line development. Furthermore requirements are usually con-
ditioned for further engineering use thus they are getting more
technical.
Thereafter follows system architecture. Major system suppli-
ers for railways typically have existing solutions and platforms
which fulfil typical requirements of railway standards; especially
some generic documents for certification purposes already ex-
ist. A system architecture specification collects solution ideas
to address functional and extra-functional requirements mak-
ing use of generic components, COTS, and deciding where
new subsystems either hard- or software have to be designed.
Using MARTE can help to improve the architectural decision
process by making inherited and derived requirements more
explicit.
4.2.1 System Requirements Specification
The level crossing system consists of gates, a set of lights, a
supervision signal, and activation and deactivation sensors to
detect approaching or leaving trains. The arrangement of these
elements is depicted in Figure 3.
Set of lights
Supervision 
signal
Gate
Activation 
sensor
Deactivation 
sensor
Figure 3: Schematic view on the level crossing system
If a train approaches to pass a level crossing, it first passes
the activation sensor (e.g. an axle counter). Hence, the level
crossing system recognizes a train coming and starts to pre-
vent the road traffic from crossing the rails. Therefore, it switch-
es the traffic lights yellow. It is well-defined, how long the lights
have to stay yellow. If the level crossing is constructed for traffic
speeds up to 70 km/h, the set of lights have to stay yellow for
three to five seconds. Next the lights are switched to red. The
level crossing system has to monitor whether turning the red
light on was successful, i.e. the status from the set of lights has
to be read. Only afterwards the supervision signal is switched
on (showing signal aspect LC1). About 7 seconds later the
gates start to close. The time required for closing the gates de-
pends on the length of the gate’s bar. If the bars are longer then
6 meters, it can take up to 10 seconds and if they are shorter,
6 seconds.
Right beyond the level crossing is the deactivation sensor.
This sensor detects the leaving train; following the gates can
be opened, the traffic lights are turned off, and the supervision
signal shows LC0 again.
One requirement of the level crossing system is that the ac-
tions to protect the level crossing have to be executed fast
enough. The supervision signal has to be in LC1 mode 7 sec-
onds before the train passes the signal. These 7 seconds are
necessary for the engine driver to recognize the signal and are
defined in the engineering standards. If the supervision signal
is not in LC1 mode, the engine driver has to stop the train.
The time that remains to switch the supervision signal to LC1
depends on the distance between the activation sensor and the
supervision signal. If the distance is longer, the train will take
longer to reach the point where the driver has to recognize the
supervision signal, thus the system has more time for its inter-
actions. Because of cable costs and costs for the installation
and maintainance it is an effort to keep the distance between
the sensor and the supervision signal as short as possible.
However, the switching order and time intervals inbetween, a
minimal distance between the activation sensor and the super-
vision signal can also be calculated. The distance between the
supervision signal and the level crossing is fixed, because it di-
rectly depends on the braking distance of the train at maximum
speed. In our case study the distance between the activation
sensor and the supervision signal is defined to 450 m, which
implies that the supervision signal should be in LC1 mode 6.5
seconds after the train passes the sensor (7 seconds before the
train passes the supervision signal). Then, the red traffic light is
on and 7 seconds later, the closing of the gates should begin.
It takes up to 6 seconds afterwards to close the gates. As a
result of these constraints, the complete protection of the level
crossing has to be finished after 20 seconds (time to switch the
supervision signal + red light phase + time to close the gates +
processing and communication time). This is one of the main
requirements.
4.2.2 System Architecture
In this phase, there is no detailed resource modelling. A frag-
mentary choice about the hardware architecture is done, mainly
influenced by experiences made in previous projects or by ap-
plicable COTS. However, there is no final decision about e.g. a
specific CPU. Tasks are not described in this phase, because
tasks are not yet identified. Hence, no detailed scheduling
analysis is possible. A more considerable method at this point
of the development is to refine and capture the requirements
in the UML model (like execution path deadlines of function-
alities etc.) and define the interfaces (which components are
connected with each other). Therefore, UML diagrams are ex-
tended using the MARTE profile.
Figure 4 shows a component diagram of the level cross-
ing system. The levelCrossingSystem offers two services
(represented as methods): one service to prevent the traffic
Page 4/9
Figure 4: Component diagram of a level crossing system
from crossing the rails and switch the supervision signal in LC1
mode (protectLevelCrossing) and one service to open the level
crossing again for the traffic and to switch the supervision sig-
nal to LC0 mode (unprotectLevelCrossing). These two services
represent the main functionality of the system. The train com-
ponent represents an approaching train that triggers the pro-
tection of the level crossing (the service protoctLevelCrossing).
Afterwards the level crossing system sets the lights, switches
the supervision signal, and closes the gates. The execution
flow of these actions is depicted in Figure 5. There is a simi-
lar diagram for the unprotectLevelCrossing service of the level
crossing system.
The stereotypes used for this diagram are defined in the
MARTE specification for a MARTE Design Model:
rtUnit - “rtUnit” marks the component as a realt-time unit.
rtService - This stereotype implies that this function is a real-
time service.
rtf - This stereotype gives the developer the possibility to use
the tagged value “absDl” and “occKind”.
In Figure 4 the LevelCrossingSystem is represented as a
component using the stereotype “rtUnit”. The methods of this
component (the services) are marked with the stereotypes “rt-
Service” and “rtf”. With the “absDl” and “occKind” tagged val-
ues a deadline and the arrival pattern of the initiating event can
be defined for the corresponding functionality. The values are
directly derived from the requirement specification. One re-
quirements is that the protection of the level crossing has to
be finished after 20 seconds. This is now captured in the com-
ponent diagram with the deadline of the protectLevelCrossing
service.
A refinement of the requirements is already done in this phase.
The user requirements specification defines that the protect-
LevelCrossing service has a deadline of 20 seconds. Another
requirement is that the supervision signal has to be in LC1
mode after 6.5 seconds. The following equation shows, how
the requirements are distributed:
6.5 s = tyellow + tcommunication + tprocessing
Derived from maximum car length, stopping distance of road
vehicles, and their minimum depletion speed of the crossing,
follows that the lights have to be yellow for 5 seconds (tyellow =
5 s). Hence, it is easy to calculate that there are 1.5 second left
for the communication between the elements of the level cross-
ing (tcommunication) and for the processing of the commands
(tprocessing). This is possible for this case study, because of the
low complexity of the interactions of the level crossing system
(i.e. there are no backward loops or data dependencies thus
simple addition of numbers or intervals suffices).
The execution flow of the actions can be defined in sequence
diagrams or activity charts. Figure 5 represents the actions of
the safeguarding process. In this diagram, it is possible to give
a more detailed description about runtime of actions or require-
ments. Therefore, the Value Specification Language (VSL) can
be used. In Figure 5, two variables are defined. The first t0
is the mark, where the service levelCrossingSystem is trig-
gered. Later the set of lights should switch to red. Afterwards
the supervision signal should be set to LC0 (the light blinks
soon enough for the engine driver that the train does not need
to be stopped). This has to happen 6.5 seconds after the ap-
proaching train triggered the level crossing system. From 12
to 14 seconds after the train triggered the level crossing sys-
tem, the system starts to close the gates. The last requirement
for this service is that the gates have to close within 6 sec-
onds. Again, all values are directly derived from the require-
ments specification.
4.3 Phase 2 - Software Requirements Specification
At this stage of development as a result of the system archi-
tecture phase apportionment of functions and assignment to
COTS, pure hardware and software has already been accom-
plished on a level of coarse subsystems. Requirements regard-
ing functions assigned to software have to be collected and
refined. In an iterative execution of the process the bound-
aries of the software system will get clearer over time due to
results and choices from the concurrent hardware architecture
process. Thus, high-level functions assigned to software reali-
sation have to be split to meet the new boundaries.
In our case study, functional integration and control of all
hardware and COTS systems shall be performed in software.
The software has to read and interpret values from axle coun-
ters and simple I/O- hardware. On the other hand it controls
and sends data in given telegram message formats to those el-
ements. Some parameters e.g. bar length type and a lot more
have to be configurable.
Page 5/9
Figure 5: Sequence chart representing the protection of the level crossing
Although software or software architecture itself cannot ful-
fil timing requirements on its own it is inevitable to inherit and
track such requirements for later phases. Nevertheless, archi-
tectural decisions on the software level may influence satisfia-
bility of requirements positively, e.g. in separating timing critical
from other functions [10], or negatively. In addition choosing ar-
chitectural styles or best practice methods and solutions for the
software infrastructure, can ease predictive validation of timing
requirements.
4.4 Phase 3 - Software Architecture and Design
As in this phase the software structure is developed, the archi-
tecture and the behaviour of the system is described in more
detail. Hence, it is possible to give more precise predictions
about the timing requirements of the system. These predictions
can be made using scheduling analysis tools (e.g. SymTA/S
[2] or MAST [4]). The metamodels of (UML or SysML based)
CASE tools and timing analysis tools differ and thus, an anal-
ysis on the basis of UML models is only possible after a trans-
formation from the UML metamodel into the metamodel of the
chosen scheduling analysis tool. Moreover, the UML model has
to be completed with respect to timing analysis: It is necessary
to add priorities, scheduling algorithms, task execution times
etc. To keep this information added for timing exploration sep-
arated from requirements and design decisions, one possibility
is to create a scheduling analysis view [11]. This view should
contain all necessary information for a scheduling analysis.
The scheduling analysis view uses the following stereotypes:
SaExecHost - This stereotype describes a CPU or other de-
vice which executes functional steps.
SaCommHost - This stereotype marks a component as a com-
munication channel.
Scheduler - If necessary, it is possible to use this stereotpye
to define an explicite scheduler. Otherwise, this can be
done with a tagged value of the “SaExecHost” or “Sa-
CommHost ” stereotype.
SchedulableResource - A SchedulableResource is defined
as a kind of concurrency resource with logical concur-
rency.
SaExecStep - A “SaExecStep” is a kind of step that represents
a usage of a resource, like a CPU.
SaCommStep - A “SaCommStep” is a kind of step that repre-
sents a usage of a communication media.
SaEnd2EndFlow - End-to-end flows describe a unit of pro-
cessing work in the analyzed system, which contend for
use of the processing resources.
GaWorkloadEvent - Defines a stream of events that make up
a workload which drives the system.
allocated - This stereotype maps a “SchedulableResource” on
a “SaExecHost” or “SaCommHost ”.
SharedResource - Resources like memory or I/O devices are
described with the “SharedResource” stereotype.
Most of the introduced stereotypes are defined in the MARTE
specification of a scheduling analysis model (MARTE Analysis
Model). Our collection of stereotypes is based on the meta-
model of scheduling analysis tools like SymTA/S.
Figure 6 shows a class diagram of the scheduling analysis
view that describes the structure of the level crossing system.
The functionalities/the tasks are represented by methods of the
“SchedulableResource” marked classes. The “SchedulableRe-
sources” are mapped on resources (like processors or busses).
This is done using the “allocate” stereotype. The tasks are de-
scribed using the “SaExecStep” stereotype. All components
communicate with each other over a bus. The methods that
represent the communication are extended with the “SaComm-
Step” stereotype.
Figure 6 depicts the entire level crossing system. Beside
other things, it consists of a component ControlUnit. This
component is refined in the class diagram presented in Fig-
ure 7 which lists all tasks of the ControlUnit. Part of this list
are tasks to check the behaviour of the unit (systemIntegrity-
Check, cycleTimeMonitoring), tasks to control the set of lights
(sendSetYellow, checkRedStatus . . . ), tasks to initiate the clos-
ing and opening of the gates (closeGates, openGates), etc.
Details about tasks and scheduling parameters are exam-
ined during this phase. These details can now be added to
the model using tagged values (see Figure 8). Thus, it is pos-
sible to define deadlines, execution times, priorities, etc.. For
Page 6/9
Figure 6: Sequence chart representing the protection of the level crossing
Figure 7: A more detailed representation of the ControlUnit
component
Figure 8: Tagged Values
a scheduling analysis, it is necessary that all time/scheduling
concerning information are added to the model. The execution
times can be estimated from experts or measured from pre-
vious projects. The response times are calculated using the
analysis tools, and afterwards transferred back into the model
(where the variable r1 is defined in Figure 8).
The dependencies of tasks and the execution order can be
illustrated using activity or sequence diagrams. The diagrams
are used to show the workload behaviours. This is done us-
ing the “GaWorkloadEvent” and the “SaEnd2EndFlow” stereo-
types. The corresponding tagged values offer enough opportu-
nities to describe the situations (e.g. the arrival pattern of the
approaching train or the deadline of an execution path).
One important requirement for the level crossing system is
that the supervision signal is in LC1 mode soon enough for the
engine driver to recognize it, so the train does not need to be
stopped. The order of the actions, that are executed when a
train approaches, has been described in the system require-
ments specification (section 4.2). This workload situation is de-
scribed using sequence or activity diagrams.
It is possible and one of the main purposes of the schedul-
ing analysis view, to transform a model into the format of a
scheduling analysis tool. The analysis results show whether
deadlines are met, execution paths are executed fast enough,
etc. The results of the analysis can be transferred back into
the UML model. In Figure 9 a part of the level crossing system
is depicted in SymTA/S. The tasks are mapped on resources
and connected using event streams. On the SymTA/S model
an analysis can be executed automatically.
The hardware is developed in parallel and so the scheduling
analysis view may change iteratively. New hardware decisions
may have great impact on the timing behaviour of the system,
because of their influence on execution times, blocking times
etc. For the hardware development, the MARTE profile can
also be used. Elements for detailed hardware modeling are
part of the MARTE design model. Nevertheless, the focus of
this document lies on the software modelling. The analysis re-
sults of the scheduling analysis view may also have influence
on the hardware development. If a result of the analysis is that
a utilization of a resource is too high or a deadline is missed, it
may be a solution to employ faster hardware.
Page 7/9
Figure 9: A workload situation in SymTA/S
4.5 Phase 4 - Model-Coding
In this phase, the design, implementation, and calibration is
done. It is still recommended to use scheduling analysis dur-
ing the implementation and calibration phase. As the structure
of the system developed in phase 3 is fixed, the model (espe-
cially the scheduling analysis view) can still be used for further
analyses. The task execution times now can either be calcu-
lated or measured times. Therefore tools like aiT [12] or RTA
Trace6. As now code exists the realised hardware/software sys-
tem can be validated for the first time. However, using formally
founded worst case execution time calculations like done by aiT
and scheduling analysis is of additional value, because then the
anaylsis result is a verification and not only a simulation based
and thus incomplete statement.
5. Lessons Learned
MARTE offers manifold possibilities for modeling embedded
systems. Because of the broad scope of the profile, it is non-
trivial to select an appropriate set of elements for a specific
modeling purpose that also meets to the needs of a depend-
able system design process as a whole like seamless trac-
ing or completeness for automated analysis. This is true even
more, because in the manufacturing of complex software sys-
tems many developers only have a partial view on the design.
In discussions with practioneers it turned out that a restricted
6http://www.etas.com/de/products/rta trace.php
set of MARTE profile elements and guidelines for their use in
a certain development phase is preliminary for a successful
transfer into practise. Modeling rules and guidelines releave
the developer from the complexity of UML and the MARTE pro-
file and therefore increase productivity because the developer
can concentrate on the modeling but integrate the timing eas-
ily. As a step in that direction we defined a scheduling analysis
view [11] with guidelines to assure the extension of a design
with timing and resource information leads to a model that is
complete w.r.t. a scheduling analysis. Moreover, the timing re-
lated information, that is exclusively required for analysis pur-
poses, is added in a separated view to the model to avoid the
overloading of the design model in particular with temporary in-
formation that is only of use to explore and evaulate a number
of design alternatives.
A major benefit of modeling guidelines is that transforma-
tions to analysis tools can be easier automated. This is due
to the fact that the automatic transformations can be kept sim-
pler if the structure of the MARTE extended UML model is re-
stricted. This is especially helpful for the scheduling analysis
views, used in phase 3 (see section 4.4).
On the OMG MARTE homepage7 the Papyrus for UML tool8
is proposed. The Papyrus for UML project offers an add-on for
their modeling tool that includes all MARTE elements. With this
tool and the add-on, it is possible to create models conforming
to MARTE. Papyrus for UML is still under development. Thus,
there are some features, which do not work properly (e.g. using
7http://www.omgmarte.org
8http://www.papyrusuml.org
Page 8/9
activity charts) until now.
6. Conclusion
We have presented how to use the MARTE profile within sys-
tem and software development process conforming to domain
specific standards for safety critical systems. In the early phas-
es, it helps to capture and visualise the timing requirements
with UML conforming notations. In the later phases, MARTE
annotations can be used for scheduling analysis before any
implementation takes place. As a case study we have shown
how to enrich a model of a level crossing protection system for
scheduling analysis. The extended model can be used as an
input for automatic scheduling analysis tools. The CENELEC
standards give only marginal recommendations for checking,
tracing and proving correct temporal behaviour. As we have
shown, the integration of timing requirements into a model bas-
ed, tool supported design methodology is useful and neces-
sary. The future versions of the standards should be extended
by recommendations for acquisition and refinement of timing
requirements during the development of safety critical and pro-
grammable systems.
7. Acknowledgements
We are grateful to Stefan Gerken from Siemens Transprotation
Systems for fruitful discussions on a subprofile applicable in
practise as well as the Symtavision GmbH for the grant of free
software licenses.
8. References
[1] CENELEC. EN 50126 – Railway Applications – The
Specification and Demonstration of Reliability, Availability,
Maintainability, and Safety (RAMS). European Standard.,
1999.
[2] Rafik Henia, Arne Hamann, Marek Jersak, Razvan Racu,
Kai Richter, and Rolf Ernst. System level performance
analysis - the symta/s approach. IEEE Proceedings Com-
puters and Digital Techniques, 152(2):148–166, March
2005.
[3] Elena Fersman and Wang Yi. A generic approach to
schedulability analysis of real-time tasks. Nordic J. of
Computing, 11(2):129–147, 2004.
[4] M. Gonza´lez Harbour, J. J. Gutie´rrez Garcı´a, J. C. Palen-
cia Gutie´rrez, and J. M. Drake Moyano. Mast: Modeling
and analysis suite for real time applications. In ECRTS ’01:
Proceedings of the 13th Euromicro Conference on Real-
Time Systems, page 125, Washington, DC, USA, 2001.
IEEE Computer Society.
[5] OMG Object Management Group. UML Profile for Mod-
eling and Analysis of Real-Time and Embedded systems
(MARTE) RFP, 2006.
[6] OMG Object Management Group. UML profile for schedu-
lability, performance and time, 2002.
[7] OMG Object Management Group. UML profile for mod-
eling quality of service and fault tolerance characteristics
and mechanisms, 2004.
[8] Jens Braband, Bernd-E. Brehmke, Stephan Griebel, Har-
ald Peters, and Karl-Heinz Suwe. The CENELEC-
Standards regarding Functional Safety. Eurail Press, sig-
nal + draht edition, 2006.
[9] CENELEC. EN 50128 – Railway Applications – Software
for Railway Control and Protection Systems. European
Standard., 2001.
[10] Len Bass, Paul Clements, and Rick Kazman. Software
Architecture in Practice. Addison-Wesley, second edition
edition, 2003.
[11] M. Hagner and M. Huhn. Tool support for a scheduling
analysis view. In MARTE workshop at DATE’08, 2008.
[12] Christian Ferdinand, Reinhold Heckmann, Marc Langen-
bach, Florian Martin, Michael Schmidt, Henrik Theiling,
Stephan Thesing, and Reinhard Wilhelm. Reliable and
precise wcet determination for a real-life processor. In
EMSOFT ’01: Proceedings of the First International Work-
shop on Embedded Software, pages 469–485, London,
UK, 2001. Springer-Verlag.
Page 9/9
