High-level modelling languages and standards, such as Simulink, UML, SysML, MARTE and AADL (Architecture Analysis & Design Language), meet increasing adoption in the design of embedded systems in order to carry out system-level analysis, verification and validation (V&V) and architecture exploration, as early as possible. These analysis, V&V, architecture exploration techniques rely on mathematical foundations and formal methods in order to avoid semantics ambiguities in the design of safety-critical systems.
Introduction
Modern design of embedded systems consists of the integration of hardware and software concurrently engineered by engineering teams with of different skills, with specific tasks, using heterogeneous tools. To design the sole software functions of an aircraft, for instance, they may for instance use a variety of tools as heterogeneous as Scade [1] , Matlab [2] , Ptolemy [3] or Rhapsody [4] .
In an embedded system design flow, from top to bottom of Figure 1 , the same heterogeneity characterises design objectives (bottom). It may range from that of mapping the functional design on specific hardware architectures to that of virtual prototyping, simulation, checking hardware/software compatibility, performance evaluation, or energy footprint estimation. Comodelling encompasses a variety of engineering activ- ities at the crossing between functional and physical views of system design. It is typically the system archi-tect, for instance, who explores possible ways to map software functions on a target hardware, in order to evaluate it according to different metrics such as speed, throughput, consumption.
Still, system validation does not stop with the formal verification and automated synthesis of the system's software from a high-level model. Code automatically generated by synthesis tools is usually integrated to middleware which has not. It is usually interfaced to hardware through drivers, third-party APIs, external libraries, and runs on an uncertified operating system.
Integration poses numerous problems, from ill-typed usage of libraries to insufficient performances, etc. It is hence necessary to verify conformance between expected properties that were formally demonstrated at the model-level with respect to these offered by the execution platform to form the actual application software.
Some of the performance issues discovered during validation may require architectural changes as drastic as actually implementing part of the software in hardware (e.g. using an FPGA). More generally, it is sometimes necessary to optimise architecture choices made at the modelling level and reiterate design validation.
In order to support integration validation, it is essential to define a virtual prototyping framework that makes it possible to integrate, verify, exercise and analyse the application code generated by modelling tools and integrated with third-party middleware. Such a virtual prototyping platform makes it possible to validate the expected behaviour of the final application software and check that the resulting system indeed meets the specified performance requirements.
Goals
Our contribution in this aim of virtual prototyping embedded architectures is illustrated, Figure 2 , by a case-study we conducted with Airbus in [5] . We comodelled the doors management system (DMS) of the Airbus A350 aircraft by using the AADL standard [6] to describe its architecture and by using Simulink ?? to specify its embedded software. The aim of the case study was to demonstrate how to perform simulation, scheduling analysis, verification and code-generation, by solely considering the information provided by these combined, system-level, AADL and Simulink specifications.
To this end, we implemented a systematic translations of the AADL standard and of Simulink diagrams in the multi-clocked synchronous semantics of the Signal data-flow language [7] . We use its Eclipse environment, Polychrony on Polarsys [8] , as a pivot semantic model, in order to synthesise simulation code from imported Simulink and AADL models.
The aim of the present article is, first, to summarise all the effort conducted in this case study. In conclusion, or as a lesson learned from that experimental work, the article proposes, second, a reworked semantic model of Polychrony in terms of constrained automata, section 4, and a formal definition of the scheduling theory framework [9, 10, 11] , section 7, that we elaborated to best suit our experimental framework. After review of the related works, Section 2, and to this end, Sections 5, 3 and 4 give a brief overview of the AADL core concepts, of the data-flow language Signal and of the model of constrained automata which we use to represent timed behaviours in the AADL.
The principle of our compositional semantic translation of the AADL specification into the polychronous model of computation and communication is then outlined in Section 6. In Section 7, we address our core issue to define a proper scheduling policy of AADL threads in our framework using a model of affine clocks.
Section 8 presents one of the case studies we performed to validate and experiment with our approach. Section 9 concludes our presentation by offering perspectives toward a formal specification of the AADL.
Related Approaches
The formal analysis, verification, architecture exploration techniques available in the AADL rely on formal models to avoid semantics ambiguities for the design of safety-critical systems [12, 13, 14, 15, 16, 7] . As a result, many related approaches have contributed to allowing the formal specification, analysis and verification of AADL models and its annexes, hence implicitly or explicitly proposing a formal semantics or a model of computation and communication for the AADL.
The analysis language REAL [17] allows to define structural properties of AADL models that can be inductively checked by visiting the objects of a model under verification. Authors in [18] present an extension of this language, called LUTE, which further uses PSL (Property Specification Language) to check behavioural properties of AADL models, as well as a framework for assume-guarantee reasoning between composed AADL models.
The COMPASS project has also proposed a framework for formal verification and validation of AADL models and its error annex [13] . It puts the emphasis on capturing multiple aspects of nominal and faulty, timed and hybrid behaviours of models. Formal verification is supported by the nuSMV tool. Similarly, the FIACRE framework [19] uses executable specifications and the TINA model checker to check structural and behavioural properties of AADL models.
RAMSES [20] , on the other hand, presents the implementation of the AADL behavioural annex. The behavioural annex supports the specification of automata and sequences of actions to model the behaviour of AADL programs and threads. Its OSATE implementation proceeds by model refinement and can be plugged in with Eclipse-compliant backend tools for analysis or verification. For instance, the RAMSES tools uses OS-ATE and Ocarina to generate C code for OSs complying the ARINC-653 standard.
Synchronous modelling is central in [16] , which presents a formal real-time rewriting logic semantics for a behavioural subset of the AADL. This semantics can be directly executed in Real-Time Maude and provides a synchronous AADL simulator. It also allows to modelcheck LTL properties in that framework.
Similarly, Yang et al. [21] define a formal semantics for an implicitly synchronous subset of the AADL, which includes periodic threads and data port communications. Its operational semantics is formalised as a timed transition system. This framework is used to prove semantics preservation through model transformations from AADL models to the target verification formalism of timed abstract state machine (TASM).
Our proposal carries along the same goal and fundamental framework of the related work: to annex the core AADL with formal semantics frameworks to express executable behaviours and temporal properties, by taking advantage of model reduction possibilities offered thanks to a synchronous hypothesis, of close correspondence with the actual semantics of the AADL.
Yet, we endeavour in an effort of structuring and using them together within the framework of a more expressive multi-rate or multi-clocked, synchronous, model of computation and communication: polychrony. Polychrony would allow us to gain abstraction from the direct specification of executable, synchronous, specification in the AADL, yet offer services to automate the synthesis of such, locally synchronous, executable specification, together with global asynchrony, when or where ever needed.
CCSL [22] , the clock constraint specification language of the UML profile MARTE [23] , relates very much to the effort carried out in the present document. CCSL is an annotation framework to making explicit timing annotation to MARTE objects in an effort to disambiguate its semantics and possible variations. CCSL actually provides a clock calculus of greater expressivity than polychrony, allowing for unbounded, asynchronous, causal properties between clocks to be expressed such as the inf and sup clock operations.
While CCSL is essentially isolated as an annex of the MARTE standard for specifying annotations, our approach is instead to build upon the semantics of the behaviour and constraint annexes in order to implement a synchronous design methodology in the AADL, and specify it within a polychronous model of computation and communication.
An overview of Polychrony
The Polychrony toolset [24, 25] is an open-source modelling framework, DO-330 qualified (as verification tool) and integrated in the Eclipse Industrial Working Group Polarsys [26] . It is based on the Signal language [27] , dedicated to multiclock synchronous program transformation and verification.
Signal is a polychronous data-flow language that allows the specification of multi-clocked systems. Signal handles unbounded series of typed values (x t ) t∈N , called signals, denoted as x. Each signal is implicitly indexed by a logical clock indicating the set of instants when the signal is present, notedx. At a given instant, a signal may be present where it holds a value, or absent (denoted by #). In Signal, a process (written P or Q) consists of the synchronous composition (noted P|Q) of equations over signals x, y, z, written x := y f z or x := f (y, z). The process P/x restricts the lexical scope of the signal x to the process P. An equation x := y f z defines the output signal x by the result of the application of operator f to its input signals y and z. P, Q :: [28] (wrt prefix order) that satisfy the following general rules:
•
.., s n ) = when for some i s i = A function is synchronous iff it satisfies:
• f (x 1 .s 1 , ..., x n .s n ) = when x i = # and x j # for some i, j Stepwise extension. Given n > 0 and an n-ary total function f :
the stepwise extension of f denoted F is the synchronous function that satisfies:
A network of strict, continuous signal functions that satisfies the Kahn conditions is a strict, continuous signal function or Kahn Process Network [29] . Non-deterministic processes. A process with feedback or local variables may be (asynchronously) nondeterministic. One typical example is the var operator in Listing 1 (the notationˆreturns true when its argument is present). The semantics of non-deterministic processes can be defined using Plotkin's power-domain construction [30] . 
A model of constrained automata in Polychrony
To support a semantic translation of AADL behavioural annexes (see Section 5) in a polychronous model of computation, we consider a model of automata that comprises transition systems to express explicit reactions together with constraints in the form of boolean formula over time to represent implicit or expected timing requirements.
The implementation of such an automaton amounts to composing its explicit transition system with that of the controller synthesised from its specified constraints. It is supported by the Polychrony toolset and offers an expressive capability similar to those of the Esterel [31] and Signal [27] synchronous programming languages.
The fundamental difference between synchronous automata and the asynchronous style of the current AADL behavioural annex [20] is that, in a synchronous automaton, transitions can be labelled by guards defined by a conjunction of events. To simply overcome this limitation, we will write aˆ * b for the conjunction of occurrences of events a and b.
Constrained automata are reactive synchronous automata which manipulate timing events and are subject to constraints. These constraints formulate safety or temporal requirements. Would a transition of an automaton possibly violate such constraints during runtime, then its possible state transition should be inhibited and instead stutter or raise an error. Figure 3 depicts a constrained automaton manipulating events a and b. The automaton specifies the alternation of two input event streams a and b, depicted by the trace on the topright of the figure. Its reactive behaviour, depicted by the top-left automaton, keeps track of alternation between a and b by switching between states s 1 and s 2 .
It is yet a partial specification of possible synchronous transitions over the vocabulary of events {a, b}: it does not yet make the cases of a, b in s 1 or s 2 explicit. This is done by superimposing it with the requirement that aˆ * b = 0, which imposes a and b to never occur simultaneously (literally, a and b occur 0 time) during a transition. With that constraint in place, the automaton behaves as an asynchronous one. Finally, the absence of reflexive transitions specify that b (respectively a) cannot occur alone in state s 1 (respectively s 2 ). A reactive extension of this automaton allows b (respectively a) to occur in state s 1 (respectively s 2 ). But the reflexive transition must be fired only when b (respectively a) occurs alone. This is denoted by the event expression bˆ− a (respectively aˆ− b ).
The combination of a synchronous automaton and of a temporal constraint yields the hybrid structure of timed automata depicted in Listing 2. It supports an algebraic definition, presented next. Using the Polychrony toolset, we are currently implementing transformation and synthesis techniques which allow to synthesise an imperative program (or, equivalently, a complete synchronous automaton) that is able to both satisfy the intended semantics of the event automaton, but also enforces the expressed constraint formulas. In addition, these formula can themselves be expressed as automata abstracted by regular expressions on events (event formula), e.g., (a; b)
* to mean "always a followed by b".
t h r e a d a l t e r n a t e f e a t u r e s a , b : i n e v e n t p o r t ; c : o u t e v e n t p o r t ; end a l t e r n a t e ; t h r e a d i m p l e m e n t a t i o n a l t e r n a t e annex b e h a v i o u r s p e c i f i c a t i o n { * * s t a t e s s 1 : i n i t i a l s t a t e ; s 2 : s t a t e ; t r a n s i t i o n s 
Constrained automata
We first consider a countable set of Boolean signal variables of which V denotes a possibly empty finite subset. S is a non empty finite set of states; states and signal variables are disjoint sets. In the reminder, the symbolˆprefixes the so called clock of a variable (e.g. x), of a state, of an operator. The term variable is used for signal variable. We first consider a Boolean algebra φ(V, S ) = (F V,S ,ˆ * ,ˆ+,ˆ¬ V ,ˆ0,ˆ1 V ) consisting of
• infimumˆ+, supremumˆ * , complementˆ¬ V , minimumˆ0 and maximumˆ1 V
• Expressions ∀ f, g ∈ F V,S , fˆ * g, fˆ+ g,ˆ¬ V f ∈ F V,S built from constants:ˆ0,ˆ1 V ∈ F V,S and atoms:
Parentheses and affix notation are used. Our Boolean algebra supports the following formal properties.
Then, a constrained automaton A = (S A , s 0 , → A , V A , T A , C A ) defined on such formulas is, up to isomorphism, composed of
• S A a non empty set of states and s 0 the initial state 
Regular expressions
We define the algebra of regular expressions which will be used to abstract constrained automata or represent there null formula [32] . We consider a Kleene algebra (A, +, ., * , 0, 1), i.e., an idempotent semiring (A, +, ., 0, 1), an idempotent commutative monoid and star definition satisfying 1+aa * ≤ a * , 1+a * a ≤ a * , b + ax ≤ x ⇒ a * b ≤ x and b + xa ≤ x ⇒ ba * ≤ x. Our objective is to represent events and event formulas as regular expressions (extended) with counting. We compare with the related property specification language PSL [33] .
The words S ∈ W A of an automaton A are generated from values, operators and formula. Values h are event formula (in place of {h}) and neither the empty set 0 nor 1 = { } have PSL representation. Both 0 and 1 should remain implicit, as part of the event algebra, with no explicit syntax. Operators of concatenation S 1 .S 2 , or S 1 ; S 2 in PSL; union S 1 + S 2 , S 1 |S 2 in PSL; star S * ; positive S + = S ; S * ; option S ? = 1 + S ; fusion S : T , synchronous product S |T , interleaving and subsets as well as the usual reduction rules. Finally, counters [34] of the form S [n] are inductively defined by 5. An overview of the AADL AADL [6] is a Society of Automotive Engineers (SAE) standard dedicated to modelling embedded real-time system architectures. As an architecture description language, based on a component modelling approach, AADL describes the structure of systems as an assembly of software components allocated on execution platform components together with timing constraints.
Architecture
In AADL, three distinct families of components are provided: 1) software application components which include process, thread, thread group, subprogram, and data components, 2) execution platform components that model the hardware part of a system including (virtual) processor, memory, device, and (virtual) bus components, and 3) composite component such as execution platforms, application softwares.
We illustrate the AADL structure by using a generic producer-consumer design pattern Producer-Consumer of common use for avionic systems. The system diagram, Figure 6 , is in charge of producing and consuming data which is communicated through a shared data resource. The AADL components communicate via data, event, and event data ports. It contains several functions allowing the producer and consumer to communicate and to access data:
-sysEnv system models the environment raising events to start/stop the process prProdCons. -sysOperatorDisplay system signals when a timeout occurred on data production or consumption. -prProdCons process communicates with the previous two systems. It contains four threads: thProducer, thConsumer, thProdTimer and thConsTimer ( Figure 7 ). A data Queue is shared by threads thProducer and thConsumer: thProducer produces data in it, which in turn are consumed by thConsumer. The timer thProdTimer (resp. thConsTimer) manages timer services for thProducer (resp. thConsumer). It permits to start, stop the timer and send a timeout event (pTimeOut) when the timer has expired. -Processor Processor1 is responsible for executing threads of the process prProdCons.
Each component has a type, which represents the functional interface of the component and externally observable attributes. Each type may be associated with zero, one or more implementation(s) that describe the contents of the component, as well as the connections between components.
Properties
AADL properties provide various information about model elements of an AADL specification. For example, a property Dispatch Protocol is used to provide the dispatch type of a thread. Property associations in component declarations assign a particular property value, e.g., Periodic, to a particular property, e.g., Dispatch Protocol, for a particular component, e.g., thProducer thread. In this paper, we are interested in two types of properties: -Timing properties, such as Input Time (resp.
Output Time) of ports, that assure an inputcompute-output model of thread execution. For example, the following timing properties are assigned to the thread thProducer: -The binding properties assign hardware platforms to the execution of application components. For example, the property Actual Processor Binding specifies that process prProdCons is bound to processor Processor1.
r e a d t h P r o d u c e r p r o p e r t i e s D i s p a t c h P r o t o c o l =>
In general, a thread is dispatched either periodically, or by the arrival of data or events on ports, or by the arrival of subprogram calls, depending on the thread type. Three event ports are predeclared: dispatch, complete and error (Figure 8) . A thread is activated to perform the computation at start event, and has to be finished before deadline. A complete event is sent at the end of the execution. The received inputs are frozen at a specified point (Input Time), by default the dispatch time, which means that the content of the port that is accessible to the recipient does not change during the execution of a dispatch even though the sender may send new values. For example, the two data values 2 and 3 (in Figure 8 ) arriving after the first Input Time will not be processed until the next Input Time. As a result, the performed computation is not affected by a new arrival input until an explicit request for input. Similarly, the output is made available to other components at a specified Output Time, by default at complete (resp. deadline) time for out port if the associated port connection is immediate (resp. delayed) communication. 
Behaviour
The behaviour annex provides an extension to AADL so that complementary behaviour specifications can be attached to AADL components. The behaviour is described with a state transition system equipped with guards and actions. We take the thProducer thread as an example. Three states, stopped, running, and blocked, are specified together with the transitions between them (Figure 9 ). From the initial state stopped, when a pProdStart event is received, the shared data Queue is emptied, and the transition enters into the running state. Priorities are assigned to determine the transition to be taken, if more than one transition out of a state evaluates its condition to true. The higher the priority number is, the higher the priority of the transition is.
Semantic model of the AADL in Polychrony
The key idea for modelling computing latency and communication delay in Signal is to keep the ideal view of instantaneous computations and communications of synchrony while delegating computing or simulation of latency and delays to specific "memory" processes, that introduce delay with well-suited synchronisations to timed signals.
Input freezing. For an in event data (or event) port, the items are frozen at Input Time. Two FIFOs are used: the first one, in fifo, that stores the in event data, and another one, frozen fifo (limited to one place in the current implementation). At the frozen time, the items of the in fifo are frozen and some items (one in the current implementation) are popped up from the in fifo to the frozen fifo and made available at the execution.
Thread activation (Figure 10 ). An activation condition "Start" is introduced into the process P which models a thread. With the process IM(), the input i is resynchronised with Start before entering the synchronous program P. Output sending (Figure 11 ). To the process P modelling a thread behaviour, we associate a process P o, the output o of which is the value of the output o of P delayed until its output time occurs, represented by the input event signal OutEvent. An additional output memory process OM() is introduced to hold the values, which includes a delay process AT() for each output. The semantic transformation from the AADL to Signal is recursive. A package, which represents the root of an AADL specification, is transformed into a Signal module, the root of a Signal program, allowing to describe an application in a modular way. An AADL component implementation consists of:
• an identifier of the component implementation, • a set of features (such as ports) of the component type that define a functional interface, • subcomponents, subprogram call sequences, • port connections, which are an explicit relation between features (ports) that enables the directional exchange of data or event among its features (ports) and subcomponents,
• properties and a transition system specifying the functional behaviour. The rest of the transformation proceeds modularly by an inductive translation of the AADL concepts of a given model or source text. Each component implementation is translated into a Signal process composed of the following subprocesses:
• an interface consisting of input/output signals translated from the features (ports) provided by the component type, • additional control signals, that may also be added depending on the component category (Dispatch and Deadline for a thread), • a body, itself composed of subcomponents, subprogram call sequences, connections, component properties and a transition system.
Threads
Threads are the main executable and schedulable AADL components. An AADL thread encapsulates a functionality that contains an interface (a set of ports), a set of connections and a set of timing properties. The behavioural specification of the thread consists of subcomponents that may contain subprograms and data and is functionally represented by an annex that defines its transition system over a set of local states. The semantic translation of a thread in Signal has the data-flow structure depicted in Figure 12 and consists of the following steps.
• An AADL thread th is translated to a Signal process SP, which contains a representation of its transition system and of the associated subcomponents Su and connections C. Process SP has the same input/output flows as thread th, plus an additional tick to interface it with the scheduler (Figure 12 ) and receive dispatch. Each input (resp. output) port p i ∈ P corresponds to an input (resp. output) signal.
8
• The AADL standard specifies that the input signals of a thread are transmitted from the sending threads at the output time of the ports. They are consequently translated by a Signal process SPT which plays the role of timing semantics interface between the AADL environment and the synchronous model of the thread's behaviour. In SPT, two memory components IM() and OM() are added. The main functions of SPT are to memorise signals and activate threads.
• The execution of a thread is characterised by realtime features such as dispatch time and completion time. To model them, a template process SPS is added to records all the temporal properties associated with the thread, and when it receives the scheduling signals (e.g., dispatch) from the thread scheduler, it starts to calculate the timing signals (Start, Completion, Deadline. . . ) for activating and completing the SPT process.
Processor and Scheduling
In the AADL, a processor is an abstraction of a hardware execution unit and the software or middleware responsible for executing and scheduling threads. The property Scheduling Protocol defines the way the processor will be shared between the threads of the application. Possible scheduling protocols include: Rate Monotonic, Deadline Monotonic, Earliest Deadline First, Least Laxity First, Highest Priority First or user defined scheduling policies. An AADL processor is represented as a Signal process ( Figure 13 ). The interface contains the inputs/outputs of the AADL processes bound to this processor. The body is composed of the Signal processes representing these AADL processes (p1 process), and subprocesses representing processor behavior and processor property. The processor behavior subprocess implements a scheduler (or the interface to a scheduler), that provides scheduling information to the threads, in accordance with the recorded timing constraints and the scheduling policy.
Connections
Port connections are explicitly declared relations between ports (groups) that enable directional exchange of data and events between components. There are several combinations of event/data port connections. In this section, we focus on modelling data port connections. The AADL provides three types of data port communication mechanisms between threads: immediate, delayed and sampled connections. For an immediate or delayed data port connection, both communicating periodic threads must be synchronised and dispatched simultaneously. The transmission time of a connection is specified by a Latency property. The rest of the transformation proceeds modularly by an inductive translation of AADL concepts by corresponding source code patterns.
Sampled (Figure 14) . A Connection process receives values from an output port when OutEvent is present. Since the communication takes a duration represented by Latency, an event LatencyEvent is introduced to specify the time at which the value has been sent to the destination. The received values cannot be used immediately: they are not available until input time, specified by Input Time property and represented by an event InEvent in Signal. Hence, another memory AT() process is added. Delayed (Figure 15 ). The value from the sending thread is transmitted at its deadline (OutEvent = Deadline), and is available to the receiving thread at its next dispatch (InEvent = Dispatch).
Immediate ( Figure 16 ). Data transmission is initiated when the source thread completes and enters the suspended state. The output is transmitted to the receiving thread at the complete time of the sending thread (OutEvent = Completion) and available on the receiver side when InEvent = Start. The scheduler will dispatch the sender thread first, and ensure the receiver starts after the completion of the sender. 
Binding
A complete AADL system specification includes both software application and execution platform. The allocation of functionality onto architecture is specified, for example, the property Actual processor binding declares the processor binding property along with the AADL components and functionality to which it applies. In the corresponding Signal programs, the threads (Signal processes) bound to the same processor are placed in a same process M, and they are controlled by the scheduler MS generated for the processor. The generated Signal programs are annotated with allocation information. The function Binding(th) provides the processor to which a thread th is bound.
In [35] , we describe a distributed simulation technique using MPI [36] as runtime environment and the distributed code generator of the Polychrony toolset [24] in order to generate a concurrent executive in which every individual Signal process corresponding to an AADL processor will be assigned to a given runtime thread. In the future, we plan to use similar multi-processor real-time scheduler synthesis technique as these available in SynDEx [37] .
System
The system is the top-level component of an AADL model. A system is organised into a hierarchy that represents the integrated software and hardware of a dedicated application. A system specifies the runtime architecture of an operational physical system. It consists of ports declaring its interface, port connections among components, properties among which additional allocation directives are provided, and a set of threads.
An AADL system is transformed into a Signal process which consists of the composition of containers including the executable thread processes, their connections and related properties, as well as a global scheduler to activate each processor scheduler and ports.
AADL scheduling
Each thread translated from AADL is associated with a timing environment (Figure 17 ), which records timing constraints associated with the thread and computes the timing control signals (i.e., Start, OutEvent, etc.), once it is activated (by dispatch event) by the scheduler. Figure 17 shows a composition of two threads P and Q presented in Signal. Each component is activated by its corresponding activation event Start. Once SPS is triggered by the signal dispatch, it generates activation clock Start to activate the component, and computes the output available clock OutEvent that satisfies the specified clock properties. The following section shows how the timing environment SPS can be generated from an affine analysis proposed in [38, 9, 10] . Once the different timing semantics are bridged, now we can model the AADL threads and other components in Polychrony. An AADL specification generally consists of a set of threads with various dispatch protocols and timing requirements that must execute on a given architecture according to some scheduling policy. Schedulability analysis is a critical step in the design of any real-time system. It predicts whether the timing requirements will be satisfied by the system or not. This section does not present a standard schedulability analysis but a parametric one; i.e. timing and scheduling parameters (e.g. periods, deadlines, priorities) that ensure schedulability and optimize the system's performance are rather synthesised in accordance with the AADL specification. Furthermore, buffering parameters (i.e. capacities of connections) are also computed to ensure overflow and underflow-free communications. In this section, we will hence try to adapt well-known standard (EDF and fixedpriority) schedulability tests to our needs to synthesise the timing environment of each thread.
In the following, we present the parametric schedulability analysis of a restricted but yet expressive task model that corresponds to a subset of AADL specifications. But, we will first present the modelling of threads and communications between them.
System model
Systems considered in this section consist of a set P of N threads to be scheduled on M ≥ 1 homogeneous processors according to either the (partitioned) earliest-deadline first (EDF) policy or the (partitioned) fixed-priority policy. Each thread p i has the following timing properties: a periodic Dispatch Protocol with a Period π i , a First Dispatch Time r i , a Compute Execution Time property C i , and a hard Compute Deadline d i which can be equal to the period (i.e. implicit deadline) or a fraction of it; d i = β i π i (i.e. a constrained deadline).
In case of fixed-priority scheduling, each thread p i has a distinguished Priority ω i with 1 being the highest priority. In case of partitioned multiprocessor scheduling, each thread p i is permanently allocated to processor number ψ i (AADL property Actual Processor Binding). Apart from the worstcase execution times, the designer is free to not specify values of the other timing and scheduling parameters; and hence lets the parametric schedulability analysis compute the appropriate parameters. Many optimization problems can be considered such as throughput maximisation or buffer storage capacities minimisation.
Interactions among threads are restricted to one-toone port connections which are feature connections whose source and destination are limited to ports and data access. There are two kinds of port connections: message queuing and data port connections.
Message queuing connections. They are connections whose destination ports are either event ports or event data ports. They can be modelled as flow-preserving FIFO queues; i.e. all sent messages are consumed, without loss or duplication, in the same order of arrival. These connections establish some scheduling precedences between communicating threads.
A thread will block (or raise an underflow exception) if frozen inputs do not contain the necessary number of messages for its execution. Similarly, a thread will block (or raise an overflow exception) when it attempts to send messages on saturated connections. The AADL standard supports Overflow Handling Protocol to handle overloaded queues; our scheduling approach will however statically check and ensure that overflow and underflow exceptions will not occur at run-time.
Besides Input Time and Output Time properties of ports, Input Rate and Output Rate properties allow specifying the number per dispatch at which input and output are expected to occur at the port; they describe therefore the production and consumption rates. We will only consider an analysable class of rates called ultimately periodic rates. Furthermore, the (possibly unspecified) number of initial messages on the connection e is denoted by θ(e); while the (possibly unspecified) Queue Size is denoted by δ(e).
Data port connections. They are connections whose destination ports are data ports. They have a special non-flow-preserving semantics. They can be either sampled, immediate, or delayed. In a sampled connection, the receiver samples the output of the sender at time specified by the Input Time property. Hence, the sampling occurs non-deterministically due to concurrency and preemption. Sampled connections do not hence impose scheduling precedences.
For delayed connections, the Input Time is assumed to be the dispatch time and Output Time is assumed to be the deadline. Delayed connections do not also impose any scheduling constraint. For immediate connections, the Input Time is assumed to be the start time; they however impose scheduling precedences since the receiving thread must be delayed if its dispatch occurs at the same time or after the dispatch of the sending thread and before execution completion of the sending thread.
Scheduling approach
Scheduling of such systems consists of two (not necessarily separated) steps: the construction of an abstract periodic schedule and its concretisation.
Abstract schedules. An abstract schedule consists of all the scheduling constraints deduced from the userprovided scheduling parameters or from the interactions between threads. Scheduling constraints are mainly affine relations that relate dispatch clocks of threads, precedences between dispatches (i.e. jobs) of threads, priority assignments (in case of fixed-priority scheduling), and partitions (in case of multiprocessor scheduling). An abstract schedule must be checked to detect inconsistency and must be appropriately refined to complete absent information.
Symbolic schedulability analysis. It is the process of computing the timing and scheduling properties of each thread so that all threads meet their deadlines when scheduled using a specific scheduling policy on a given architecture. Of course, the computed parameters must respect the abstract schedule.
If all the timing and scheduling parameters are userprovided, then the symbolic schedulability analysis problem reduces to the standard real-time schedulability analysis. Two priority-driven scheduling policies are considered in this section: EDF and fixed-priority scheduling.
Abstract schedules
Many scheduling constraints must be satisfied to produce an overflow/underflow-free schedule that conforms to the AADL specification.
Precedences
An immediate data port connection may cause the receiver to be delayed until the completion of the sender. The AADL standard suggests using synchronisation protocols to implement such scheduling precedences. However, synchronisation and resource sharing protocols result in a much complicated and pessimistic schedulability analysis. We adopt a different strategy to implement precedence constraints by exploiting the priority-driven scheduling policy.
Let us assume that there is an immediate data port connection between threads p i and p k . The j th dispatch of a thread p is denoted by p[ j]. If job p k [ j ] of the receiver thread is dispatched at the same time as job p i [ j] or after the dispatch of p i [ j] and before its completion, then we add a scheduling constraint saying that job
This scheduling constraint is encoded as follows. For EDF, the absolute deadline of job p i [ j] (denoted by D i [ j]) will be adjusted to be less than the deadline of job p k [ j ] and the two threads are allocated to the same processor (i.e. ψ i = ψ k ); hence, job p k [ j ] will never preempt or execute in parallel with job p i [ j] . For the fixed-priority scheduling policy, thread p i must have a higher priority than thread p k (i.e. ω i < ω k ) and the two threads must be allocated to the same processor.
Adjusting deadlines and priorities to impose precedences is not a new idea. It has been first introduced by Chetto and Blazewicz [39, 40] and used in [41] to encode more general AADL communication patterns. We use this technique in a parametric context where timing properties are not known a priori.
Affine relations
Affine relations relate the dispatch clocks of threads. Letp i be the dispatch clock of thread p i . The relative positioning of ticks of two periodic dispatch clocksp i andp k can be described by an affine relation [42] which has three parameters n, d ∈ N >0 and ϕ ∈ Z (Figure 18 ).
We say then that threads p i and p k are (n, ϕ, d)-affinerelated. In case ϕ is positive (resp. negative), clockp i is obtained by counting each n th instant on a referential abstract clockĉ starting from the first (resp. (−ϕ + 1) th ) instant; while clockp k is obtained by counting each d th instant onĉ starting from the (ϕ+1) th (resp. first) instant. Affine relations are obtained as follows:
• If p i and p k have known periods and first dispatch times, then they are (n, ϕ, d)-affine related such that
• If p i and p k communicate with each other through a message queuing connection, then the affine relation between them must exclude (without using synchronisation protocols) potential overflow and underflow exceptions as described in the sequel. Overflow and underflow analysis. Let e be a message queuing connection between the sender p i and the receiver p k . Rate functions x, y : N >0 −→ N denote the production and consumption rates, respectively. For instance, x( j) represents the number of messages produced by p i [ j] . The cumulative function of a rate function x is the function X : N −→ N such that X( j) = j l=1 x(l). Function x is ultimately periodic if and only if ∃ j 0 , π ∈ N >0 : ∀ j ≥ j 0 : x( j + π) = x( j). One important property of such class of functions is that lim j→∞ X( j) j is a constantx ∈ Q >0 . Ultimately periodic rates are more expressive than the constant rates of the SDF model [43] and the periodic rates of the CSDF model [44] .
By the Input Time of job p k [ j ], the number of accumulated messages on the input port must be greater or equal to y( j ) in order to exclude underflow exceptions. Therefore, if X * ( j ) denotes the total number of produced messages before the Input Time of p k [ j ], we must have that
By the Output Time of p i [ j], there must be at least x( j) empty entries in the queue in order to avoid overflow exceptions. Therefore, if Y * ( j) denotes the total number of consumed messages before the Output Time, we must have that
The values of X * ( j ) and Y * ( j) depend on the affine relation between p i and p k , Input Time and Output Time properties, and the scheduling policy. If they cannot be exactly predicted due to, for example, potential preemption, then safe bounds are required. Figure 19 gives an intuition on how these values are computed. In the four cases, deadlines are equal to periods and the Output Time is equal to the completion time. The Input Time is equal to the dispatch time except in case (d) where it is equal to the start time. Thread p i and p k are allocated to the same processors except in case (d). • Case (a)-EDF scheduling:
and end before the start of
has completed or not; hence a safe bound of
• Case (d)-Fixed-priority scheduling with ω i < ω k and ψ i ψ k : Even if p i has a higher priority than p k , job p i [ j + 1] can run in parallel with job p k [ j ]. Hence, a safe bound of X * ( j ) is X( j). In case of ultimately periodic rates, Equations 2 and 3 can have solutions only if (boundedness criterion)
Consistency analysis. The previous analysis constructs each affine relation independently of the others. However, the obtained set of affine relations may be inconsistent. Let the graph of affine relations be the undirected graph where nodes represent threads and edges represent affine relations. An affine relation can be reversed; i.e. saying that p i and p k are (n, ϕ, d)-affine-related is equivalent to saying that p k and p i are (d, −ϕ, n)-affinerelated. Proposition 1 [38] ensures consistency.
Proposition 1. The set of affine relations is consistent if for every fundamental cycle p 1
−→ p 1 in the graph of affine relations, we have
Equations 1 to 6 are used to compute all the necessary affine relations. In [38] , we have presented an integer linear formulation of the problem by considering safe linear approximations of Equations 2 and 3. In the rest of this section, we will consider the case where the graph of affine relations is weakly connected. Hence, according to Equation 1, all periods and deadlines of threads can be expressed as ∀p i ∈ P : π i = α i T, d i = β i T . Furthermore, T must be a multiple of some integer B so that the equation may have integer solutions.
symbolic schedulability analysis
This step concerns the process of synthesizing timing and scheduling parameters of threads that respect the abstract schedule, ensure schedulability, and optimise the system's performance.
Priority assignments
In case of fixed-priority scheduling, priorities must be assigned to threads so that constraints resulted from the precedences encoding are respected together with the user-provided priorities. The deadline-monotonic (DM) priority ordering policy [45] is popular. It assigns the highest priority to the task with the shortest deadline. When deadlines are equal to periods, DM priority ordering is equivalent to rate-monotonic (RM) priority ordering. The DM priority assignment policy aims at maximising the processor utilisation (U = p i ∈P C i π i ) and hence the throughput. However, if minimising queue sizes is a more important requirement, then other policies (see [11] for examples) could achieve better buffer storage capacities than the DM priority assignment since priorities affect queue size computation.
Multiprocessor partitioning
The major advantage of partitioned scheduling techniques is that, once an allocation of threads to processors has been achieved, it is possible to apply real-time symbolic schedulability analyses for uniprocessor systems (described in the next section).
Partitioning the hard tasks on M identical processors to optimise some criterion is somehow equivalent to the bin-packing problem and hence NP-hard. Therefore, heuristics are attractive solutions. They consist in sorting tasks by some criteria (e.g. according to their priorities or deadlines) and then assigning each task to a processor according to some conditions [46] .
Let (V i ) i=1,M be the set of initially empty M partitions. Threads are allocated one by one according to the chosen order. Let U i be the processor utilisation obtained by the symbolic schedulability analysis when thread p k is assigned to partition V i .
One allocation strategy is to assign thread p k to the partition that gives the maximum U i . This best fit strategy aims at maximising the throughput. Strategies that minimise buffering requirements can be designed since the allocation of threads affects the queue sizes computation.
Parametric schedulability analysis
Assuming that the graph of affine relations is connected, we can put ∀p i ∈ P : π i = α i T, d i = β i T , and U = σ T such that T l ≤ T = kB ≤ T u . The bounds on T (i.e. T l and T u ) are deduced either from the userprovided bounds on the frequencies of threads or from the constraint C i ≤ d i . Regardless of the scheduling policy, a periodic task set is infeasible on one processor if its utilisation U is greater than one.
Hence, a necessary but not sufficient condition for schedule feasibility is that T ≥ σ. Taking T l = max{T l , σ}, we have that T = T l B B + kB for k ∈ N. The enumerative solution for throughput maximisation consists in checking the schedulability of the task system for each T in an increasing order, starting from the minimum value (i.e. k = 0) and until reaching an appropriate value or exceeding the upper bound T u . However, this time consuming approach can be improved, as we show next.
Fixed-priority scheduling. A sufficient schedulability test of DM scheduling of constrained-deadline periodic task systems is that p i ∈P
. The value of the appropriate T can be easily deduced from that equation. The most accurate analysis of the fixed-priority scheduling policy (regardless of the priority assignment policy) is based on worst-case response times [47] . The worst-case response time R i of a periodic task p i ∈ P is given by
Equation 7 can be solved with a recurrence approach starting with R 0 i = C i and until R n+1 i = R n i . If R i ≤ d i for all hard periodic tasks then all these tasks will meet their deadlines. Searching for the minimum value of T ∈ [T l , T u ] that satisfies ∀p i ∈ P : R i ≤ d i can be speedup by noting that:
2) Reducing the search space: We have that
Hence, if ∃p i ∈ P : R l i > d i , then the task system is infeasible. Dually, if ∀p i ∈ P : R u i ≤ d i , then the task set is schedulable. Solving these linear second degree inequalities should reduce enormously the search space.
3) In the case of multiprocessor scheduling, threads are ordered according to their priorities. Assigning task p k to a partition V i will not affect the worst-case response time of the threads already assigned to V i . Hence, it is sufficient to satisfy the new condition R k ≤ d k .
EDF scheduling. A sufficient EDF schedulability test of constrained-deadline periodic task systems is that
The most accurate analysis is based on the notion of processor demand [48] . A periodic task set is schedulable if U ≤ 1 and ∀l ≤ L : h(l) ≤ l. The feasibility bound L is equal to the length of the synchronous busy period given by the solution of the following recurrence:
The processor demand function h(l) calculates the maximum processor demand of all jobs which have their arrival times and deadlines in a contiguous interval of length l. So, h(l) is given by
It is necessary to check condition h(l) ≤ l only for the set of absolute deadlines which are less than L. This set can be large and a technique like the Quick convergence Processor demand analysis (QPA) [49] is needed.
Searching for the minimum value of T ∈ [T l , T u ] that satisfies the EDF schedulability can be speedup by incorporating the search for the minimum T in the QPA algorithm. Algorithm 1 represents our symbolic QPA algorithm. Let L(T ) denote the value of L for a given T . Starting from T = T min , SQPA checks points in the interval [0, L(T min )] in a backward manner. This first iteration leads to either h(l) ≤ min{d} or a deadline miss, i.e. h(l) > l. In the first case, the task system is schedulable and the algorithm returns T min . In the second case, T is increased and the verification continues without rechecking the previous points thanks to the following observations: 1) If h(l) ≤ l holds for a given T , then it holds for any
The performance evaluation of these two symbolic schedulability tests together with many other tests can be found in [11] . The objective of this section was to show that standard schedulability tests can be adapted to synthesise the timing and scheduling characteristics of AADL threads. However, we have only yet analysed a small subset of AADL specifications and much more properties should be considered in futur work (e.g. jitters, offsets, aperiodic dispatches, etc.).
Case studies
In the frame of the collaborative projects Topcased [50], OpenEmbeDD [51], Cesar [52], Opees [53] , we performed a series of case studies whose results are reported in earlier publications [7, 54, 5, 35] . In this section, we will focus on the probably most representative of the type of application under consideration: a simplified design of a slides and doors control system (SDSCS). The SDSCS is a generic simplified version of the system that allows managing slides and doors on the Airbus 350 series aircrafts chosen for the demonstration of capabilities developed in the CESAR project [52] .
Architecture
The Figure 21 gives an overview of the SDSCS system model in the AADL. The two doors, modelled as subsystems, are controlled by two processes doors process1 and doors process2. Each process contains three threads to perform the management of doors. All the threads and devices are periodic and share the same period. The process doors process1 (resp. doors process2) is executed on a processor CPIOM1 (resp. CPIOM2). The bus AFDX connects the processors, CPIOM1 and CPIOM2, and devices that model the sensors and actuators, such as DPS, OCU, etc. 
15
The embedded software driver of the SDSCS is responsible for the following tasks:
• monitor door status via door sensors;
• control flight lock actuators;
• manage the residual pressure of the cabin;
• inhibit cabin pressurisation if any external door is not closed, latched and locked.
Functions
The behaviour of the AADL components is specified using Simulink/Stateflow [55] . The latter is based on data-flow models and state machines, which are common models of computation adopted in the system design of avionic or automotive applications. A typical Simulink model is defined by a set of interconnected blocks, which model entities in a system, such as sensors, actuators, and logical operations. The library of Simulink includes function blocks that can be linked and edited in order to model the dynamics of the system. Gene-Auto [56] is a framework for code generation from a safe subset of Simulink and Stateflow models for safety critical embedded systems. This safe subset was adopted in our work and we used GeneAuto to filter the original Simulink models of the SDSCS into a safe Gene-Auto model that would be easy to interpret in the data-flow model language Signal. The behavioural aspects of SDSCS are modelled in Simulink and Stateflow (Figure 22) . Sensors, such as flight status, dps, and door io in, are connected to four Simulink blocks, each of which implements an SDSCS task. Three blocks, slide warn ctrl, pres warn ctrl, and closed locked and latched, are associated with simple logic to determine actuators status from sensors readings. The fourth block, flight lock ctrl, is associated with a state machine (specified in Stateflow), which decides the status of flight lock actuators. Each Simulink block is associated with a specific activation clock. At each tick of this clock, the block produces new outputs from available inputs. A global activation clock synchronises that of Simulink blocks. From this point of view, our Simulink model is synchronous, and each of its blocks is thus modelled as a synchronous Signal process after pre-processing using GeneAuto.
Integration
The integration of the SDSCS system, specified in the AADL, with its functional specifications, implemented using Simulink, requires further the specification of a few more components in order to perform simulation, as well as analysis and synthesis from the original models to, e.g., generate a scheduler or allocate the generated code onto the simulated architecture, as well as a model of the system's environment.
The synthesis of an AADL thread-level scheduler is required to integrate threads onto virtual processors. It must be generated from the timing properties specified with the AADL thread models. The allocation of threads onto virtual processors is specified in the AADL model. It is translated into Signal compilation directives (called pragmas) to perform distributed code generation from allocation directives so as to synthesise one executable program for each (virtual) processing unit. Finally, sensors and actuators interface the SDSCS with its environment. Therefore, a hand-written environment model is responsible for providing sensor readings to the SDSCS according to (an abstraction of) the aircraft status.
Once these models are obtained, they can be composed with those generated from the AADL and Simulink models in order to build a simulator. In the process, the clock calculus of the Polychrony toolset is of great help to synthesise the hierarchical control over the activation condition and dispatch of all functional blocks that are composed, and in a manner most generally transparent to the user. All the models, such as system behaviour, hardware architecture, environment, and schedulers, expressed by Signal processes, are composed together to build the complete system. The integrated system is then used for C or Java code generation via the Signal compiler for simulation purpose.
Simulation
The simplest form of simulation can easily be performed by visualising value changes during the execution of programs via VCD. VCD files are generally generated by EDA (Electronic Design Automation) logic simulation tools, and they adopt an ASCII-based file format, whose simplicity and compact structure allows a wide spread in application simulation. The simple and yet compact structure of the VCD format has allowed its use to become ubiquitous and to spread into non-Verilog tools such as the VHDL simulator GHDL and various kernel tracers. In our simulation, traces are recorded in VCD format. The VCD files are then used for the visualisation of simulation results through graphical VCD viewers, such as GTKWave. Figure 23 shows the result of a simulation. In this figure, the change of signal values with regard to the fastest clock is shown.
Step by step, interactive simulation through the generated VCD interface code is also possible, allowing for the user to interact with the simulator directly and inject particular usage scenarios.
Profiling
In addition to heterogeneous system specification, another advantage of our approach, compared to similar projects, is to benefit from simulation and validation tools associated with Polychrony in the same framework. The Polychrony toolset adopts various analysis and validation techniques: static analysis, simulation, model-checking, and co-simulation or profiling [57] . Figure 24 illustrates the co-simulation of the SDSCS. T(SDSCS) is the temporal homomorphism of SDSCS with regard to specified Temporal properties and a parameterisation of Library of cost functions. Date provides date signals to T(SDSCS) according to inputs I. The input signals are synchronised to their corresponding date signals. Control values of SDSCS, which decide specific traces of execution, are sent to T(SDSCS) so that they have the same execution traces. Inputsoutputs of T(SDSCS) are finally sent to Observer in order to obtain the simulation results V.
Distributed real-time scheduling
As well as other formats used for model checking and controller synthesis, the Signal code can be transformed into SynDEx code (.sdx file) for real-time scheduler synthesis. From the SynDEx tool, the .sdx file is read, and the "adequation" can be carried out. Figure 25 illustrates the SynDEx algorithm graph describing a partial order on the execution of the functions. Figure 26 shows the SynDEx architecture graph, which is translated from the AADL architectural part of SDSCS. The two processing units (CPIOM1 and CPIOM2), two concentrators (RDC1 and RDC2) and the communication media (AFDX1) can be easily found in the figure. In this case study, the algorithm had more than 150 nodes and the architecture had 5 nodes in SynDEx, so that the adequation algorithm took about 15 minutes 35 seconds in average. With this toolchain, it is easy to change the configuration of the execution platform and binding. For example, the number of processing units can be changed, the type of processing units and communication media can be changed. The names of AADL components are always kept in all the transformations in order to enable traceability. Hence, our approach provides a fast yet efficient architecture exploration for the design of distributed real-time and embedded systems.
Conclusion
In this paper, we have presented the definition, development and case-study validation of a comprehensive framework for the analysis, verification, validation of the AADL and its behavioural annex, allowing for both simulation and real-time code generation. Our framework is based on the synchronous paradigm and the polychronous model of computation and communication and its supportive open-source toolset: Polychrony. A longer-term aim of our work is to equip the AADL standard with a framework allowing for synchronous modelling, verification and synthesis of architecturefocused embedded software.
Based on the formal timing modelling of AADL presented in this paper, logical clock constraints are also considered to be associated with AADL core, behaviour annex, mode, etc. These timing constraints are, for the logical ones, resolved by using the controller synthesis framework of the Polychrony toolset. They are, for the numerical ones, solved by using efficient affine scheduling techniques we have developed.
Our approach, based on controller and scheduler synthesis, very much differs from those based on direct code generation techniques available from synchronous languages as well as interpretation and nondeterministic constraint resolution techniques implemented in CCSL [58] , the timing annex of MARTE. We have shown that logical clock constraints could be considered as the control objectives of a system design and they could be enforced by the synthesised controller. We have developed efficient algorithms to abstract and manipulate numerical timing constraints through affine equations to perform thread-level scheduler synthesis. Polychronous controller synthesis further offers the additional advantage to enable the simulation of sporadic or asynchronous clocks.
We believe that the work presented in this paper provides the first comprehensive framework of timed modelling, analysis, verification, and synthesis of AADL concepts, including software, architecture, behaviour annex and mode, yet in a way compatible with related work on the AADL in verification, synthesis, and requirement engineering. It is also a framework for implementation of synthesis of reactive and control systems. Our approach also offers a partial solution to the formal and systematic implementation of Globally Asynchronous Locally Synchronous (GALS) architecture at a high-level of abstraction.
The work reported in this paper has span over several collaborative projects to develop a polychronous framework for the AADL and study its pertinence through several industry-scale case-studies. Is has inspired new research with the definition and implementation of a model of constrained automata, based on the polychronous model of computation and communication. It is being pursued with an ongoing proposal towards the standardization of a synchronous timing annex for the AADL.
