The embedded software of an electricity meter: An experience in using formal methods in an industrial project  by Arnold, André et al.
I 
LSEVIER Science of Computer Programming 28 (1997) 93-110 
Science of 
Computer 
Programming 
The embedded software of an electricity meter: An 
experience in using formal methods in an industrial project 
Andrk Arnold a**, Didier Btgay a, Jean-Pierre Radoux b 
a LaBRI-CNRS, 351, tours de la Libhtion, F-33405 Talence, France 
b SERLI-Informatique, avenue du T&l&port F-86960 Futuroscope, France 
Abstract 
This article presents how various forma1 methods have been involved, first on their own, 
then coupled, in the different steps of the industrial development of an embedded software for 
an electricity meter. Synchronized transition systems have been used to conceive and implement 
some rendezvous mechanisms for the distributed kernel, and the physical link protocol supporting 
communication between processors. The rate monotonic analysis mode1 has been completed to 
suit some features of the product; however it appeared too rough to reach a positive issue. So 
we coupled both (synchronized transition systems and rate monotonic analysis) to achieve a fine 
analysis of the temporal properties of the system under development. This can be considered a 
first step towards formal methods engineering. 0 1997 Elsevier Science B.V. 
Keywords: Transition systems; Model-checking; Embedded systems; Industrial use of formal 
methods; Scheduling; Critical software 
1. Introduction 
The aim of this article is to report on an experience of using formal methods in 
a real industrial project. Due to the lack of space we shall not enter into the de- 
tails of all modelling and checking that we have done during this project. Instead 
we present an overall survey of all the aspects of this project where formal methods 
have been used, with their impact on the development of this project. We wish to 
advocate that formal methods can be really and profitably applied in a lot of various 
situations. 
1.1. The Eurotri project 
The Eurotri project was aimed by Schlumberger-Industries to define, conceive, design 
and develop a static electricity meter with large abilities of tariff programming and 
* Corresponding author. E-mail: Didier.Begay@labri.u-bordeaux.fr. 
0167~6423/97/$17.00 @ 1997 Elsevier Science B.V. All rights reserved. 
PIISO167-6423(96)00018-4 
94 A. Arnold et al. IScience of Computer Proyramming 28 (1997) 93-110 
distant measuring. As short time of development and low cost of production (i.e. 
use of components at frontier of their technical limits) were the challenges, it has 
been decided at the very beginning of the project to use formal methods in most 
steps of it, from feasability study to reception testing. The first contacts date back 
to the beginning of 1992, and the meter passed (in a straight way) the final tests 
mid 1994. This time to market delay has been considered as very short, and related 
to the use of formal methods all along the project. 1995 has been dedicated to the 
evaluation by the industrial party of the integration of this process in an industrial 
environment. 
The team in charge of the project was Smantique du parall2lisme (Concurrency 
semantics), headed by Prof. A. Arnold. Although the whole team was involved in 
the cooperation, a hard core was composed of A. Arnold, P. Crubille, A. Dicky, P. 
Felix, A. Griffault, A. Rauzy and coordinated by D. Btgay, who was supervisor for 
J.-P. Radoux’s thesis [lo]. Detailed studies of points of interest have been released in 
[1,4,51. 
In this paper, we present how the research team joined the industrial project and 
played its part; then how formal methods have been used at different levels, different 
times and in different ways; and finally, as a conclusion, the results of this process for 
every party. 
1.2. Why using formal methods? 
This question relates to two important issues: what benefit is awaited from using 
formal methods, and why the choice of these peculiar ones? 
Awaited benejit. Formal methods have been used in the main aim of avoiding back- 
ward steps in the development: as every step is mathematically verified there is no need 
to loop back to some erroneous previous step, and even to iterate. This ideal straight- 
forward development is the big issue of formal methods, provided they are efficiently 
applied. 
Behaoioural study. Concurrent behaviour was at the heart of the project: from im- 
plementation (study of the protocol of the physical link handling signals between both 
processors) to design step (design of the rendezvous mechanism) and consistency of 
the call graph of the set of tasks shaping the application layer. The synchronized tran- 
sition systems model uses labelled transition systems to describe individual behaviours 
and synchronization systems, i.e. sets of firable labels configurations, to express inter- 
actions between the individual behaviours. Then the product of the labelled transition 
systems with respect to the synchronization system is built; it figures out the behaviour 
of the whole of the interacting system. Boolean properties can then be computed on the 
states and transitions of this graph [2]. The availability of a powerful model-checker, 
the MEC tool [3] settled it. 
Temporal study. The formal approach to temporal aspects of the system, more 
precisely the respect of every deadline, has been since the beginning considered 
A. Arnold et al. IScience of Computer Progrummimg 28 (1997) 93-110 95 
out of reach of the automata approach, as time could be in no way unfolded in 
a so wide range of periods : some tasks have a frequency of 5OkBz, some oth- 
ers a period of 6 months. A rate monotonic analysis [12] had been successfully 
used in a previous development, and it has been considered suitable to ensure de- 
sired timing properties. Unfortunately the rate monotonic scheduling hypotheses (per- 
fect scheduler, instantaneous preemption, periodic and independant tasks, etc.) were 
not met, and the load of both processors was too high to allow such a rough ap- 
proach. As it happened during the development, a coupling of both formal meth- 
ods has been successfully studied and used to achieve a fine study of the loaded 
system. 
Who uses 1 Formal methods are just another tool to use in a development, and that 
means they have to be practicable by the engineers in charge of the project, who have 
already a lot of tools to control. In the case we present here, the basic common culture 
of them was electronics, and the readability of automata by electronic engineers, as 
well as the fundamentally synchronous approach of the model. On the other hand, the 
rate monotonic analysis had been used in a previous (and much lighter) project the 
year before. 
2. Formal methods at work 
Traditionally at Schlumberger’s the families of trades involved in such a project were 
marketing, industrialization and technics. In this case, the technical part was composed 
of three teams: mechanics, electronics, software. 
As validation had to deal with electronics as well as software, and was directly 
involved in the reliability of the product, we decided to propose another team dedi- 
cated to validation, based on the Skmantique du paralklisme team, with a frequent 
go between; this team has been known in the project as “Bordeaux team”, making the 
formal methods used out of the software team. 
The strong point of the Bordeaux team was its expertise on the MEC system al- 
ready used in various domains, and its ability to tailor adhoc versions if necessary; 
the weak point was it consisted of part-time researchers, in a limited number. So all 
aspects of the projects would not be covered at the same time. Instead of scatter- 
ing the forces, we proposed to focus on the kernel design and development with the 
dedicated team while another development team would do with the application, that 
was more classical matter for the people involved, and supposed to be more easily 
contained. 
In order to spare time, two sub-teams of the software team developed simultane- 
ously in a layer approach: one subteam had to deal with underlying electronics to 
provide some services used by the other team to achieve functionalities of the soft- 
ware as defined by the marketing team, and compatible with industrialization require- 
ments. 
96 A. Arnold et al. /Science of’ Computer Programming 28 (1997) 93-110 
2.1. The embedded system 
The new concept of electricity meter and its advanced functionalities implied the 
massive use of software, unlike previous generations which could be developped on 
an electromechanical or electronic basis. 
Basic features of the meter were obvious: sampling signals (either power character- 
istics or signaling elements) and signal processing, keeping a database of tariffs and 
counters, managing protocols. Some other features are less obvious: safety of measure 
(whatever could happen on the metered lines, even drops of power), integrity of the 
system (protection against fraud), or low energy consumption of the meter itself. An- 
other need was to design a family of products, and the different variants had to be 
derived afterwards in an easy and safe way. 
2.2. Preliminary study 
It appeared that a single processor of the Texas Instruments 32OC30 class (for exam- 
ple) could be a good candidate to support the features, excepted for the consumption 
of the meter. A low consumption could be achieved only with very lowlevel proces- 
sors, and no single one could achieve all the features. The idea then was to use “more 
than one” low-level-low-consumption-low-price processor (such as the ones used in 
domestic applications), in order to meet the requirements. 
To cover all features, two different processors have been chosen, one more dedicated 
to signal processing, and the other on controlling. But nearly every feature had to use 
both of them to be achieved. It was then necessary to conceive a system with a large 
use of communication between the processors, and that raised the question of reliability, 
leading to a need of a reliable software architecture, and thus to the use of some formal 
technics. 
It was then decided to conceive in a layer approach a distributed kernel implementing 
a rendezvous scheduler, offering services to a distributed application, and to verify this 
architecture using formal technics. 
It has been part of the preliminary study to propose both the architecture and the 
ways to develop and verify it. So the formal methods have been considered as a 
companion for the project since the beginning of the design phase. 
2.3. Formal technics at hand 
The kernel had to offer such elaborated mechanisms as scheduling services, based 
on a very low level hardware. This gap made the software difficult to conceive with a 
high level of confidence. 
On the other hand, it meant that a verified description at some abstract level would 
be available for the engineers who had to implement the software system. Furthermore, 
the readability of the description would be part of the reliability of the implementation. 
A. Arnold et al. IScience of Computer Programming 28 (1997) 93-110 97 
Synchronized transition systems are very handy for expressing rendezvous tech- 
niques, and this would allow an abstraction of the kernel, and thus a test of the 
rendezvous architecture of the application layer. A description explicitely using au- 
tomata happened to cover widely the different cultures of the people involved in the 
project, on software part, on hardware part (closely interfaced with the software) and 
on the validation part. Even if such systems as MEC can model up to millions of states 
systems, it was stated it would be out of reach to model in one time all aspects (from 
signals on interruption lines to a succession of nested rendezvous calls); actually we 
stated this would be the wrong way to do. The validation of the kernel would be made 
layer by layer, abstracting lower and upper layers. 
Explicit time expression is not easily done using transition systems, even if some 
academic experiments are very promising [ 131. To model explicit time aspects, and 
more peculiarly deadlines meetings, we decided to use the rate monotonic analysis 
model, that was well suited for the type of system to express whether or not the 
deadlines could be met for concurrent tasks scheduled by a rate monotonic sheduler. 
The applicability hypotheses for the rate monotonic analysis are: perfect scheduler (e.g. 
context switching of zero time); instantaneous preemption of tasks; merely periodic and 
independant tasks; non-overlapping executions of tasks; priorities static and strongly 
related to frequencies. Unfortunately the tasks are not scheduled using a rate monotonic 
scheduler, and the applicability hypotheses are not fulfilled. 
A strong effort has been made to stay as near as possible to the rate monotonic 
scheduling algorithm, but some verifications had to be made, and the applicability 
of the rate monotonic analysis to be checked on all reachable configurations of this 
distributed system. 
So this model has been coupled with the synchronized transition system one to 
perform these verifications and checks and validate control and call structures. 
As it happened later, the formal methods approach with the MEC tool was of some 
profit for both aspects of the project: ab initio for the kernel, and a posteriori for the 
application, leading to a good quality production, revealed by a surprisingly short time 
for industrial validation tests. 
Even more surprisingly, this approach could be used to diagnose faulty behaviours 
observed at testing time, whose very low rate of appearance made the diagnostic te- 
dious. 
In the following we present these different aspects of the use of formal methods in 
this development project. 
3. Development of the kernel 
The aim of the layer was to provide a cooperation mechanism between tasks as near 
as possible of the ADA concept of rendezvous. For economical reasons, the hardware 
is of very low level and is composed of two processors communicating through a 
limited number of signals, without shared memory. 
98 A. Arnold et al. IScience of Computer Proyramminy 28 (1997) 93-110 
The challenge of the development of the kernel is to fill the gap between the hardware 
constraints and the highlevel, implementation independant features of the kernel. 
In order to divide and conquer difficulties, we adopted a layer-oriented architecture. 
3.1. Hardware description and provided services 
The hardware is composed of two processors, a micro-controller (uc) and a digital 
signal processor (DSP). DSP are processors specialized in signal processing and are 
rather poor on the control aspects such as stacks or instructions sets. The DSP sizes up 
to 2 K instructions and 256 words of RAM, and the micro-controller goes up to 32 K 
instructions and 1 K bytes RAM, including registers. They are linked to some physical 
devices for measure and control, and connected in both ways through two serial lines 
and some signal lines (see Fig. 1). These serial lines bear bytes; signals, including a 
clock common to both serial lines and driven by the uc are also present on the other 
lines. 
The DSP is badly suited for running a kernel: no interruption is associated with the 
line; moreover, the line is sensitive to noise altering messages and clock. 
The kernel is designed to provide a distributed application with task calls and com- 
munication, either locally (same processor) or remotely, in a way analogous to ADA 
rendezvous, in a severely restricted environment. 
The principles of the rendezvous have been retained as a unified concept for task 
synchronization and communication. We call local a rendezvous whose caller and callee 
tasks run on same processor, and distant the other ones. We call strong a rendezvous 
where both task have to exchange a message (and first arrived waits for the other) 
to allow the rendezvous to proceed (in callee’s code), and weak rendezvous where 
caller leaves a message, notwithstanding the previous message has been delivered or 
three physical devices 
MC DSP 
Fig. 1. Physical architecture of the system. 
A. Arnold et al. IScience of Computer Programming 28 (1997) 93-I IO 99 
not. This terminology is the one used in the project; only strong rendezvous are real 
ones; others are message passings. 
The semantics of the rendezvous have to be independant of the local-distant concept. 
3.2. Rendezvous scheduler 
Synchronization and communication between tasks are achieved through a rendezvous 
scheduler. This scheduler is responsible for implementing the rendezvous: it manages 
the rendezvous calls and accepts produced by the application layer. The structure of 
this scheduler is strongly related to the safety of the system (blocking freeness) and 
to its performances (too much control to avoid blockings would slow down a criti- 
cal system). To keep the balance between both constraints, we decided to use formal 
modelling at two levels: the first level was functional specification of the interfaces 
of the scheduler, and definition of essential properties to check, in the aim to build a 
validated scheduling structure (control and variables); the second level was operational 
and aimed to detect useless controls in order to remove corresponding structures from 
the specification, to save memory space and computation time. 
The functional description of this scheduler was made of transition systems: inter- 
faces to caller and callee (Figs. 2 and 3), mailbox for communication (Fig. 5) and 
e 
weaksdv 
rel-strg-rd instrg-rdv 
e 
Fig. 2. Caller’s interface. 
r el_ r d& call_rdv 
0 inl_rdv e 
end-rdwrun_rdv 
e 
Fig. 3. Callee’s interface. 
100 A. Arnold et al. IScience of Computer Programming 28 (1997) 93410 
e 
e 
inA 
e 
id3 
is-pp 
in-A 
in-B 
Fig. 4. Memory. 
e 
not-m 
0 
out-m 
4 
in-m 
1 
e 
ism 
in-m 
Fig. 5. A mailbox. 
memorization of the status of the rendezvous (Fig. 4), with respect to both parties. In 
the callee’s interface, the “endrdv” is a signal to the upper layer signaling the end of 
the rendezvous execution. So this transition is related to no-one in the synchronization 
constraints. 
To model our four types of rendezvous, we use different sets of those basic compo- 
nents, and different synchronization constraints between them. These synchronization 
constraints are expressed as vectors of labels, each label belonging to a given compo- 
nent, as shown in Figs. 6 and 7. 
Another part of the functional description consists in the list of properties the sys- 
tem had to satisfy to be considered correct; actually we defined a list for the weak 
rendezvous and another one for the strong rendezvous, including absence of deadlock, 
or control of memory, or consistency of mailboxes and registers. 
A. Arnold et al. IScience of Computer Programming 28 (1997) 93-110 101 
Caller (A) Memory Mailbox Callee (B) 
~1 
e I e I e 1 end_rdv 1 
Fig. 6. Synchronization constraints for strong rendezvous. 
1 Caller (A)1 Memory1 Mailbox1 Callee fB)l 
Fig. 7. Synchronization constraints for weak rendezvous. 
The main results of the study have been: obviously a validation of the functional 
architecture, but also quantitative gains, as only two bits were proven necessary per 
rendezvous and some controls could be removed, strongly lowering memory use. 
This work has been released in [8, lo]. 
3.3. Presentation layer 
This layer stores the messages from the scheduler and transmits them one-by-one to 
the link layer; the service provided by this layer is the transfer of frames from upper 
to lower layers, at a pace compatible with the flow between processors. A potential 
danger is the overflow of the local storage, or underflow due to a wrong management 
of this store. 
In case of repeated weak rendezvous calls, some information could be lost with- 
out any control. The link handles such situation in signaling the rendezvous status 
to the presentation layer. This latter propagates the status to the application layer, 
in order to substitute extra calls (that would lose not yet treated messages) with 
a global call relating to a result of a global value, depending on the implied 
rendezvous. 
Functional aspects. These are related to the underlying design principle, that is a 
critical section to protect a shared resource. 
So we model a scheduler, a status of frame, a number of messages, a service for 
the scheduler to request, an indication for the link to signal free, and the link. 
This leads to a synchronized transition system of 17 states and 29 transitions, which 
reveals that a deadlock occurs only if the stack of rendezvous overflows. 
102 A. Arnold et al. IScience of Computer Programming 28 (1997) 93-110 
Overjow of stack. It is a difficult point to guarantee not to happen in this tight 
context. 
A first point is that there is no queue for the rendezvous, for no rendezvous call is 
allowed in the body of the procedures of the kernel. So there is no need to handle more 
than a boolean for each rendezvous. The second point is that the maximal number of 
rendezvous is known at compilation time, excepted for weak rendezvous where several 
occurrences of same rendezvous can happen. 
So we can propose to implement this supposed dynamic structure as a static array 
of bits, indexed with the numbers of the rendezvous, and a message counter. 
A validation of this correct handling is driven adding to previous modelling two 
extra transitions systems keeping track of emitted and not yet treated weak rendezvous 
calls, and modelling the array of booleans. The number of booleans is set equal to 
three. 
This yields a synchronized transition system of 96 states and 236 transitions. Com- 
puted properties pointed out critical aspects in the design of stack handling. Actually, 
due to this early discovery, the implementation prevents the use of such faulty execu- 
tions. 
This work has been released in [lo]. 
3.4. Link layer 
The link layer guarantee services at the frame level (no-blocking, no-loss, no- 
duplication of bytes) provided lower layer ensures correct transport of bytes. 
The solution is based on the well-known alternated bit protocol, as presented 
in [6]. It consists in adding to the payload information (number of rendezvous, 
possible message) some extra structure information (an extra alternated bit, a 
byte count, and some redundancy through a CRC), working in a half-duplex 
way. 
To ensure against an erroneous reception of the structure information, we need 
some watchdogs on both ends of the link. Unfortunately, one of the processors is not 
equipped with suitable device. To remove this difficulty, fixed length frames are used 
in that direction, and watchdogs are set both for emission and reception on the other 
processor. 
An expected problem for this layer was the non-instantaneous transfer at the physical 
level, where the data are exchanged in a full-duplex way. To deal with that problem 
we decided to use Formal Methods; so we modeled both lignes in an abstracted way, 
and each link (left, right) also. 
The computations with MEC on the modelling aimed to four blocking states, as- 
signed to some uncontrolability of the events relating the link layer to the upper one; 
these states leaded to a loss of the beginning of some frame. This reflects the phys- 
ical asynchronism of both underlying processors: one is ready to send, the other one 
is not yet ready to receive. Then a solution was designed, where the link layer pre- 
pared the begin of next frame (to be ready to receive) immediately before sending 
A. Arnold et al. IScience of Computer Programming 28 (1997) 93-110 103 
the previous one (and thus passing hand over). The MEC computations validated this 
solution. 
3.5. Hardware protocol 
An interesting point of the project is the study of the hardware protocol between 
both processors, as it relies on both software and hardware aspects of the system. 
It happened to be one of the first studied points, and the way it worked with engi- 
neers of both cultures was a great help to a better mutual understanding. The way 
formal methods happened to allow to remove a diode from the wiring impressed peo- 
ple involved in the project and made these methodological tools suddenly and strongly 
credible. 
The aim of this protocol is to forward bytes from DSP to uc and vice versa. The 
protocol must meet the following property: no byte is lost on a hypothetical perfect 
line. 
It is important in this matter to keep in view the physical architecture, and the 
abilities of the different “wires” to handle information. A representation of the physical 
structure can be found in Fig. 8. 
Data are exchanged along two serial lines sharing a common clock. The byte is 
the unit of information during the transfer. One line links the output register of the 
microcontroller (ROmc) to the input register of the DSP (RIdsp), the other one the 
output register of the DSP (ROdsp) to the input register of the microcontroller (RImc). 
Only the microcontroller is in charge of the clock signal. An extra signal, SORQ (signal 
output request) can be set by the DSP to ask for the clock and the microcontroller 
sets a SOEN (signal output enable) signal to trigger the output by the DSP. An extra 
PC DSP 
clock 
ROmc ) Rldsp 
serial lines 
RImc . ROdsp 
SOEN _ 
Fig. 8. Physical structure of the serial link. 
104 A. Arnold et al. IScience of Computer Programming 28 (1997) 93-110 
signal, SIEN (signal input enable), set by the uc, allows RIdsp to receive data from line. 
Transfers of data to and from the registers of the microcontroller are controlled through 
interrupts, and special attention must be paid to the fact that the DSP supports no 
interrupt mechanism: data entering the input register must be polled regularly. Another 
feature of DSP registers is their structure; they are double sized shift-registers. The uc 
registers are one byte large. 
Loss of data due to polling rate are definitely difficult to detect by statistical simu- 
lation. The only solution consists of a protocol that absolutely avoids this risk. 
Loss or spontaneous creation of data on the line embodies the perturbation of line 
by interference, namely, interference losing or creating tops on the clock of the syn- 
chronous serial lines by spikes. This will imply a desynchronization in the flow of 
bytes. The only solution is a hardware reset on a time-out condition after communica- 
tion has been erroneous for a too-large number of bits. Nevertheless, the physical layer 
protocol is founded on the use of a special character, denoted “b”; alteration implying 
such a character is a potential occasion of lock of data flow or of misinterpretation 
of frames. So to prove anything in that direction we have to be able to distinguish 
unambiguously the emitted, transferred and received bytes. Actually, all bytes are dealt 
with in the same way in the modelling - as in real life - and we have to take care of 
one byte. On the other hand, we have to deal with a common clock on both lines; this 
implies a signal must be considered on each line, providing the link with false bytes. 
So we consider only three different values of data to be transmitted through the link, 
“b”, “X”, “Y”. We are then able to distinguish one of them from all of them. This 
transition system in the generic representation, where “a” stands for each of “b”, “X”, 
“Y”, is displayed in Fig. 9. 
The physical objects we model are: the serial lines; the signals SORQ, SOEN and 
the clock; and the four registers. As stated before, register management is a central 
point in the study. This is achieved using a protocol defined on each processor in the 
way shown in Figs. 10 and 11. This protocol has been designed in an experimental 
way, every attempt being validated or not using the modelling. 
In order to make sure every byte is correctly routed whatever has gone or is go- 
ing on, the modelling has been completed by various sets of two testers generating 
arbitrary sequences of bytes, on one way or on both. In the most general case, both 
emitted a sequence of X*.Y.X*, and on the other side the Y neither lost nor du- 
plicated. In that precise case, the modelling amounted to 60737 states and 112654 
transitions. 
This work is released in [5, lo]. 
Fig. 9. Line. 
A. Arnold et al. I Science of Computer Programming 28 (1997) 93-110 105 
Fig. 10. Micro-controller part of the protocol. 
r-b 
Ride Ride 
Fig. Il. DSP part of the protocol. 
4. Development of the application 
In a way very different from what had happened for the kernel, the application part of 
the software has not been developped using formal methods from the very beginning; 
this does not reflect a methodological position: the main reason for that is that human 
(academic) power was not available, and that we needed a sane and efficient kernel, 
at the border of electronics and software. 
Unfortunately some difficulties arose in this part (application) of the project, and we 
had to step in at a detailed design phase of the development. 
106 A. Arnold et al. IScience of Computer Programming 28 (1997) 93-110 
Formal methods have then been used in two ways: the first consisted to check the 
consistency of the calls of rendezvous among tasks, specially in critical phases of 
the application, such as turning on or off, most of it when the power is cut while in 
the starting-up phase or comes back in the stoping phase; the second was related to 
the validation of respect of deadlines for every task, whatever could happen. This last 
point is a priori out of reach of the model used, but combined with rate monotonic 
analysis technics it revealed efficient in handling this kind of temporal aspects. 
4.1. Validating the call graph 
In order to verify the mutual interlocking of the various tasks, those have been 
abstracted to their call structure as shown in Fig. 12, and the behaviour of each of 
them has been reduced to the control related to rendezvous calls depicted in Fig. 13. 
The rendezvous semantics has been expressed as a set of synchronization constraints. 
Unfortunately it appeared that the synchronized product of these 36 tasks could not 
be built in a reasonable time (a couple of days) using a server as a workstation: the 
modelling amounted to too many states (more than 4 millions). Actually the modelling 
of the behaviour of starting-up phase was not fully built! So we decided to study the call 
graph using a partial and progressive approach: the initial states sets have been modi- 
fied to model from this new point of the system, up to what was physically buildable. 
This way of doing left uncertain the fact that the whole modelling had been 
studied. 
task body MlKEeprom is 
. 
procedure X is 
begin 
delay0 ; 
end 
begin 
accept M18M20_Begin do 
. 
end accept 
loop 
select 
accept M18M14_Lire() do end accept ; 
or 
accept MHM14_Ecrire() do end accept ; 
Or 
accept M18M14_Checksum() do end accept ; 
end select ; 
loop ; X ; end loop ; 
end loop ; 
end Ml&Eeprom ; 
Fig. 12. Ada modelling of Task Ml 8 
A. Arnold et al. IScience of Computer Programming 28 (1997) 93-110 107 
Fig. 13. Transition system modelling of Task Ml% 
This process allowed detection of interlocking situation among rendezvous calls, and 
thus early modification of the call architecture; it allowed as well detection of controls 
on some rendezvous that were actually of no use, and thus could be suppressed. These 
bugs would not have happened if formal methods had been applied earlier in the 
conception stage. A minor default has been revealed after tests, in a part that had not 
been studied. In a way, this confirms that formal studies are both less practicable and 
less efficient when applied at then end of the project. 
This work is released in [lo]. 
4.2. Dealing with deadlines 
The model used did not basically handle quantitative temporal aspects, and the tools 
available at this time revealed to be unefficient to deal with so many tasks and a so 
large scale of time: some of the tasks had to be performed at a 5OKHz rate, and 
another one had a period of more than 6 months! 
On the other hand, the temporal properties we intended to verify had more to do 
with respect of deadlines than with exact timing validation for each instruction to be 
performed. So we moved to a study following the rate monotonic analysis approach, 
as the prerequisites for its application were fulfilled (static tasks, static priorities, . ..) 
even if there was no proper theoretical scheduler in the system, but a rendezvous 
manager. Let us recall that in this approach the static priority order is the period 
order. 
The model as presented in [9, 1 l] has been extended to take into account switching 
durations and real run-time priorities. The temporal characteristics of the circuits have 
been measured on the bench and the algorithm applied. It appeared that the deadlines 
were not met at all. 
108 A. Arnold et al. IScience of‘ Computer Programming 28 (1997) 93-110 
The first idea was then to modify the too long tasks, to artificially cut them into 
shorter ones, thus modifying the priority order. Then after some attempts, the algorithm 
could be run again on this new task organization. 
The second idea was that this new set of tasks could be obtained with no code change 
(very few actually), and that this modification could not put the previous validation in 
danger. This has been made possible because the synchronized transition systems were 
a unifying tool between both models. 
The actual computation of RMA values has been achieved using Excel 5.0 in its 
iterative mode. 
This work is released in [ 1, lo]. 
5. Testing and debugging 
Formal methods are usually thought as code validation tools after detailed conception, 
or less often as an architecture validation tool at conception time, but their investigative 
power is supposed to be irrelevant with the testing step of the development: they are 
argued as shorting down this last step, but without any direct involvement in it, 
The experiment we present here is a counterexample of this narrow way of seeing, 
as it emphazises the role of the investigative power of formal methods even in the 
testing phase. 
This case refers to some lowlevel rare mechanism driving a signal multiplexer. At a 
given time t, one among N analog signals is input in the measuring software, by the 
mean of a l-in-n multiplexer, driven by an external (external to the software) counter. 
So we have two counters referring to the same value: an external (hardware) counter, 
selecting the input signal, an internal (software) counter, processing the input signal, 
both of them being controlled by the same clock. The first problem we have to deal with 
is that parasites can impact the links between the common clock and both devices, and 
thus desynchronize both counters, making the software process erroneously input values. 
This can be handled either by identifying each sample transmitted to the software 
or by periodically synchronizing both counters. The first solution was not relevant for 
technical reasons, and it has been designed that an output port would be used by the 
software counter to reset the hardware counter. 
In such an embedded system as the electricity meter, various processes have to 
be activated to ensure the fiability of the apparatus. One of them is the OUCABO 
system. This system requires a device to be periodically activated and tested. The 
second problem is that the solution to the first problem left no output port available to 
activate a secondary device required for reliability reasons, nor any input port to test 
it. This situation has been handled using the leftmost carry bit of the hardware counter 
to activate the device: if the software counter does not reset the hardware counter in 
due time, an arithmetic overflow occurs and the device is activated; this had been 
conceived and implemented ignoring formal methods, as an electronic hack to answer 
a very simple, low-level problem. 
A. Arnold et al. IScience of’ Computer Programming 28 (1997) 93-110 109 
This part of the system had been developped and implemented, and tested using 
laboratory testing devices to simultaneously measure same signals. Unfortunately, it 
happened that a very seldom measure difference occurred between testing and tested 
devices; at first glance, the origin could be hardware, software or a testing protocol 
error. 
Testing such rare behaviours may last a long time, and in order to save time, a 
model-checking approach was suggested. Then the system has been modelled using 
synchronized transition systems. The error and the error rate could be confirmed on 
a study of synchronized transitions, thus identifying the source of the erroneous be- 
haviour. The bug was fixed in the model and after validation, the system could be 
efficiently and safely corrected. 
Notice, however, that we did not intend to model and verify an implementation: we 
specified a posteriori the system by abstracting relevant elements with respect to the 
misbehaviour. 
This work is released in [4, lo]. 
6. Conclusions 
This study has been an opportunity to test several cases of use of formal methods in a 
real industrial project, all along the project. From design to test, through detailed design 
and architecture, the synchronized transition systems, standing for a formal algebraic 
framework, played an active and efficient role in the development of the product. 
In such a matter figures are not easy to exhibit, for confidence reasons; we estimate 
the extra manpower effort at Schlumberger dedicated to formal methods to about two 
percent of the global (hardware and software) development load. The academic com- 
panion effort is about a permanent half-time, strengthened for several defined periods 
by up to five searchers. 
The return on this extra effort is manifold: first, the cost has been kept in the original 
figure; second, the development has been more fully under control, and the integration 
and metrologic testings have been passed throughout; third, the quality of the product 
(the systems components, not the meter) allowed easy reuse in several variants by 
different teams. 
For the LaBRl this project was an illustration of the benefit of a formal approach 
for software engineering, and an opportunity to join two formal methods (synchronized 
transition systems and rate monotonic analysis) to cover, in some cases, temporal 
validation. 
References 
[l] M. Alabau, D. B&gay and J.-P. Radoux, Formal methods and real-time: Design and validation of a 
real-time embedded system, RTS’96, Paris, 1996. 
[2] A. Arnold, Finite Transition Systems (Prentice-Hall, Englewood Cliffs, NJ, 1994). 
110 A. Arnold et al. IScience of Computer Programming 28 (1997) 93-110 
[3] A. Arnold, D. B&gay, P. Crubille, Construction and Analysis of Transition Systems with MEC (World 
Scientific, Singapore, 1994). 
[4] A. Arnold, D. Begay and J.-P. Radoux, An example of use of Formal Methods to debug an embedded 
software, FME’96, Oxford, UK, 1996. 
[5] D. B&gay, J. Dormoy and P. Felix, An experiment in developing real-time systems using Met, in: 
T. Rus and C. Rattray, eds., Theories and Experiences for Real-time System Development, Vol. 2, 
AMAST Series in Computing (World Scientific, Singapore, 1994) chapter 14. 363-388. 
[6] P. Crubillt, Realisation de I’outil Met : specification fonctionnelle et architecture, PhD thesis, Universitt 
de Bordeaux I, November 1989. 
[7] A. Dicky, Une approche algebrique et algorithmique de l’analyse des systemes de transition, PhD thesis, 
Universitt de Bordeaux I, February 1985. 
[8] A. Griffault and A. Ressouche, Synthesis of a rendezvous based scheduler, in: D. Begay and M.-M. 
Corsini, eds., Models and Proofs, Bordeaux, 14-16 june ‘95, LaBRl Universite Bordeaux I, 1995. 
[9] CL. Liu and J.W. Layland, Scheduling algorithms for multiprogramming in a hard real-time en- 
vironment, J. ACM 20 (1) (1973) 4661. 
[IO] J.-P. Radoux, Utilisation de systemes de transitions finis pour la conception et le developpement d’un 
systeme embarque, PhD thesis, Universite de Bordeaux I, March 1995. 
[ll] L. Sha, J.B. Goodenough and J.P. Lehoczky, Priority inheritance protocols: an approach to real-time 
synchronization, IEEE Trans. Cornput., C-39 (9) (1990) 1175-I 185. 
[12] L. Sha, M.H. Klein and J.B. Goodenough, Rate monotonic analysis for real-time systems, Technical 
report, CMU/SEI 91_TR_6, March 1991. 
[ 131 T. Henzinger, X. Nicollin, J. Sifakis and S. Yovine, Symbolic model checking for real-time systems, 
Inform. Comput. 111 (2) (1994) 193-244. 
