This workshop brought together researchers and practitioners interested in model-based software engineering for real-time embedded systems, with a particular focus on the use of architecture description languages, domain-specific design and implementation languages, languages for capturing non-functional constraints, and component and system description languages. Ten presenters proposed contributions on model-based analysis, transformation and synthesis, as well as tools, applications and patterns. Three break-out groups discussed the transition from requirements to architecture, design languages, and platform (in)dependence. This report summarises the workshop results.
Introduction
The development of embedded systems with real-time and other constraints implies making specific architectural choices ensuring the satisfaction of critical non-functional constraints (in particular, related to real-time deadlines and platform parameters, such as energy consumption or memory footprint). Recently, there has been a growing interest in (1) using precise (preferably formal) domain-specific models for capturing dedicated architectural and non-functional information, and (2) using model-driven engineering (MDE) techniques for combining these models with platform independent functional models to obtain a running system. As such, MDE can be used as a means for developing analysis oriented specifications that, at the same time, represent the design model.
The MoDELS workshop on "Model Based Architecting and Construction of Embedded Systems" brought together researchers and practitioners interested in all aspects of model-based software engineering for real-time embedded systems. The participants discussed this subject at different levels, from modelling languages and related semantics to concrete application experiments, from model analysis techniques to model-based implementation and deployment. The workshop was attended by 61 registered participants hauling from 18 different countries, including six outside of Europe.
Reviewed Contributions
We received 16 submissions from 8 different countries, of which ten were accepted for presentation. A synopsis of each presentation is given below. Articles [4, 10] are included in this workshop reader, while the other articles can be found in the workshop proceedings [1] . [2] proposes a method for estimating the power consumption of components in the AADL (Architecture Analysis and Design Language) component assembly model, once deployed onto components in the AADL target platform model. [3] proposes Visual Timed Scenarios (VTS) as a graphical property specification language for AADL. An effective translation from VTS to Time Petri Nets (TPN) has been devised, which enables model-checking of properties expressed in VTS over AADL models using TPN-based tools.
[4] describes a general methodology and an associated tool for translating AADL and its annex behavior specification into the BIP (Behavior Interaction Priority) language. This allows simulation of systems specified in AADL and application of formal verification techniques developed for BIP to these systems. [5] discusses the transformation of a global requirements model into a system design. It describes an algorithm that derives the local behaviors for each system component, including coordination messages between the different system components. [6] shows how higher-order model composition can be employed for constructing scalable models. An approach based on model transformation is presented, defining basic transformation rules operating on the graph structures of actor models. [7] demonstrates an approach for early cross toolkit development based on the ISE ADL and the MetaDSP framework. It is designed to cope with hardware design changes, like changes in the instruction set of target CPUs. [11] Discusses advantages and drawbacks of UML and SysML for modeling RF systems, based on a case study of a UMTS transceiver. [8] propose the use of a new notion of modeling patterns for arbitrating between the real-time system designer's needs of expressive power and the restrictions that must be imposed so that models can be amenable to static analysis. [9] proposes an approach based on UML-MARTE that allows system modelling with separation of concerns between the functional software model and the execution platform resources as well as timing constraints. Temporal characteristics and timing constraints can be specified at different abstraction levels, and scheduling analysis techniques can be applied on the resulted model.
[10] presents a model-based integration environment which uses a graphical architecture description language (EsMoL) to pull together control design, code and configuration generation, platform-specific resimulation, and a number of other features useful for taming the heterogeneity inherent in safety-critical embedded control system designs.
of transformations in which platform independent models can be involved. A model can only be independent from a specific understanding of what the platform is, and in order to achieve this independence it must include a model of the platform. Such a model could specify, for example, a specific model of computation, a set of services, a set of resources, or required QoS constraints. Only in the presence of such platform model can a model be qualified as platform independent, which means, independent with respect to a concrete platform which conforms to the constraints specified by the platform model. The platform model is often not explicit, which reduces the self-containment and the usability of models.
Introduction
AADL [5] is used to describe the structure of component-based systems as an assembly of software components mapped onto an execution platform. AADL is used to describe functional interfaces and performance-critical aspects of components. It is used to describe how components interact, and to describe the dynamic behavior of the runtime architecture by providing support for model operational modes and mode transitions. The language is designed to be extensible to accommodate analysis of runtime architectures.
An AADL specification describes the software, hardware, and system part of an embedded real-time system. Basically, an AADL specification is composed of components such as data, subprogram, threads, processes (the software side of a specification), processors, memory, devices and buses (the hardware side of a specification) and system (the system side of a specification).
The AADL specification language is designed to be used with analysis tools that support automatic generation of the source code needed to integrate the system components and build a system executable.
BIP [9] is a language for the description and composition of components as well as associated tools for analyzing models and generating code on a dedicated platform. The language provides a powerful mechanism for structuring interactions involving rendezvous and broadcast.
In order to demonstrate the feasibility of the BIP language and its runtime for the construction of real-time systems, several case studies were carried out such as an MPEG4 encoder [15] , TinyOS [10] , and DALA [8] .
This work is partially supported by the ITEA/Spices project as well as by the STIC-AmSud project TAPIOCA.
This paper provides a general methodology for translating AADL models into BIP models [4] . This allows simulation of systems specified in AADL and application to these systems of formal verification techniques developed for BIP, e.g. deadlock detection [11] .
We use existing case studies [3, 2] to validate the methodology. This paper is organized as follows. Section 2 gives an overview of AADL and annex behavior specification. Section 3 gives an overview of BIP. In section 4, we translate AADL components (software, hardware, system and annex behavior specification). We present our tool in Section 5. In section 6, we present a Flight Computer example. Conclusions close the article in Section 7.
Overview of AADL

Generalities
The SAE Architecture Analysis & Design Language (AADL) [5] is a textual and graphical language used to design and analyze the software and hardware architecture of performance-critical real-time systems. It plays a central role in several projects such as Topcased [7] , OSATE [6] , etc.
A system modelled in AADL consists of application software mapped to an execution platform. Data, subprograms, threads, and processes collectively represent application software. They are called software components. Processor, memory, bus, and device collectively represent the execution platform. They are called execution platform components. Execution platform components support the execution of threads, the storage of data and code, and the communication between threads. Systems are called compositional components. They permit software and execution platform components to be organized into hierarchical structures with well-defined interfaces. Operating systems may be represented either as properties of the execution platform or can be modelled as software components.
Components may be hierarchical, i.e. they my contain other components. In fact, an AADL description is almost always hierarchical, with the topmost component being an AADL system that contains, for example, processes and processors, where the processes contain threads and data, and so on.
Compared to other modeling languages, AADL defines low-level abstractions including hardware descriptions. These abstractions are more likely to help design a detailed model close to the final product.
AADL Components
In this section, we describe the fragment of AADL components, connections and annex behavior taken into account by our translation.
Software Components. AADL has the following categories of software components: subprogram, data, thread and process. A subprogram type declaration contains parameters (in and out), out event ports, and out event data ports. A subprogram implementation contains connections subclause, a subprogram calls subclause, annex behavior subclause, and subprogram property associations. Figure 1 gives an example of a subprogram, that takes as input two integers A, B, and produces the result as output.
Data : The data component type represents a data type in the source text that defines a representation and interpretation for instances of data. A data implementation can contain data subcomponents, and data property associations. An example of data is given in Figure 1 .
Thread : A thread represents a sequential flow of control that executes instructions within a binary image produced from source text. A thread always executes within a process. A scheduler manages the execution of a thread.
A thread type declaration contains ports such as data port, event port, and event data port, subprogram declarations, and property associations. A thread component implementation contains data declarations, a calls subclause, annex behavior, and thread property associations.
Threads can have properties. A property has a name, a type and a value. Properties are used to represent attributes and other characteristics, such as the period, dispatch protocol, and deadline of the threads, etc. Dispatch protocol is a property which defines the dispatch behavior for a thread. Four dispatch protocols are supported in AADL: periodic, aperiodic, sporadic, and background. Figure 2 presents a thread component called sensor, that is a periodic thread with inter-arrival time of 20ms. This thread receives an integer data through port inp and sends an event through port outp.
Process : A process represents a virtual address space. Process components are an abstraction of software responsible for executing threads. Processes must contain at least one explicitly declared thread or thread group, and can contain a connections subclause, and a properties subclause. Figure 2 presents an example of process called Partition, that contains thread subcomponents and two types of connections (data port and event port) between threads. 
Fig. 2. Example of AADL thread and process
Hardware Components. Execution platform components represent hardware and software that is capable of scheduling threads, interfacing with an external environment, and performing communication for application system connections. We consider two types of hardware components: processors and devices.
Processor : AADL processor components are an abstraction of hardware and software that is responsible for scheduling and executing threads. In other words, a processor may include functionality provided by operating systems.
Device : A device component represents an execution platform component that interfaces with the external environment. A device can interact with application software components through their ports.
Systems.
A system is the toplevel component of the AADL hierarchy of components. A system component represents a composite component as an assembly of software and execution platform components. All subcomponents of a system are considered to be contained in that system. We present an example of system: system Platform end Platform; system implementation Platform.Impl subcomponents Part : process Partition.Impl; p : processor myProcessor ; ... end Platform.Impl; Annex Behavior Specification. Behavior specifications [1] can be attached to AADL model elements using an annex. The behavioral annex describes a transition system attached to subprograms and threads. Behavioral specifications are defined by the following grammar:
annex behavior specification {** <state variables>? <initialization>? <states>? <transitions>? **};
-State variables section declares typed identifiers. They must be initialized in the initialization section. -States section declares automaton states.
-Transitions section defines transitions from a source state to a destination state. The transition can be guarded with events or boolean conditions. An action part can be attached to a transition.
Connections.
A connection is a linkage that represents communication of data and control between components. This can be the transmission of control and data between ports of different threads or between threads and processor or device components. There are two types of connections: port connections, and parameter connections. Port connection: Port connections represent transfer of data and control between two concurrently executing components. There are three types of port connections: event, data and event data.
Parameter connection: represent flow of data between the parameters of a sequence of subprogram calls in a thread.
The BIP Component Framework
BIP (Behavior Interaction Priority) is a framework for modeling heterogeneous real-time components [9] . The BIP component model is the superposition of three layers: the lower layer describes the behavior of a component as a set of transitions (i.e. a finite state automaton extended with data); the intermediate layer includes connectors describing the interactions between transitions of the layer underneath; the upper layer consists of a set of priority rules used to describe scheduling policies for interactions. Such a layering offers a clear separation between component behavior and structure of a system (interactions and priorities).
Fig. 3. BIP Atomic Component
The BIP framework consists of a language and a toolset including a frontend for editing and parsing BIP programs and a dedicated platform for model validation. The platform consists of an Engine and software infrastructure for executing models. It allows state space exploration and provides access to model-checking tools of the IF toolset [13] such as Aldebaran [12] , as well as the D-Finder tool [11] . This permits to validate BIP models and ensure that they meet properties such as deadlock-freedom, state invariants [11] and schedulability. The BIP language allows hierarchical construction [14] of composite components from atomic ones by using connectors and priorities.
An atomic component consists of a set of ports used for the synchronization with other components, a set of transitions and a set of local variables. Transitions describe the behavior of the component. They are represented as a labeled relation between control states. A transition is labeled with a port p, a guard g and a function f written in C. The guard g is a boolean expression on local variables and the function f is a block of C code. When g is true, an interaction involving p may occur, in which case f is executed. The interactions between components are specified by connectors. Figure 3 shows an atomic component with two control states S i and S j , ports in and out, and corresponding transitions guarded by guard g i and g j .
Interactions between components are specified by connectors. A connector is a list of ports of atomic components which may interact. To determine the interactions of a connector, its ports have the synchronization attributes trigger or synchron, represented graphically by a triangle and a bullet, respectively. A connector defines a set of interactions defined by the following rules:
-If all the ports of a connector are synchrons then synchronization is by rendezvous. That is, only one interaction is possible, the interaction including all the ports of the connector. -If a connector has one trigger port then synchronization is by broadcast. That is, the trigger port may synchronize with the other ports of the connector. The possible interactions are the non empty sublists containing this trigger port.
In BIP, it is possible to associate with an interaction an activation condition (guard) and a data transfer function both written in C. The interaction is possible if components are ready to communicate through its ports and its activation condition is true. Its execution starts with the computation of data transfer function followed by notification of its completion to the interacting components.
Automatic Model Transformation from AADL to BIP
In this section, we present the translation from AADL [5] to BIP [9] . It is organized in five part. First, we translate AADL software components (subprogram, data, thread and process). Second, we translate hardware components (processor, device). Third, we translate a system component. Fourth, we translate the AADL annex behavior specification [1] in BIP. Finally, we translate connections.
Software Component
We define the translation of the different AADL software components into BIP.
Subprogram. Depending on its structure, we translate the AADL subprograms into atomic or compound BIP components: ..return n (where n is the number of the subprograms called sub 1 ...sub n ). To enforce the right sequence of execution and the transfer of parameters, two ports call and return are used to express calls to the compound subprogram by other subprograms or threads, and the port data to sends event or data to the threads, as shown in Figure 5 .
Data The data component type represents a data type in the source text that defines a representation and interpretation for instances of data in the source text. In BIP it is transformed into a C data structure. Thread : An AADL thread is modelled in BIP by an atomic component as shown in Figure 6 . The initial state of the thread is halted. On an interaction through port load the thread is initialized. Once initialization is completed the thread enters the ready state, if the thread is ready for an interaction through the port req exec. Otherwise, it enters the suspended state. When the thread is in the suspended state it cannot be dispatched for execution. When in the suspended state, the thread is waiting for an event and/or period to be activated depending on the thread dispatch protocol (periodic, aperiodic, sporadic). In the ready state, a thread is waiting to be dispatched through an interaction in the port get exec. When dispatched, it enters the state compute to make a computation. Upon successful completion of the computation, the thread goes to the outputs state. If there are some out ports to dispatch the thread returns to the outputs state. otherwise, it enters the finish state.
The thread may be requested to enter its halted state through a port stop after completing the execution of a dispatch. A thread may also enter the thread halted state immediately through an abort port.
Process : Processes must contain at least one explicitly declared thread or thread group. The process behavior is illustrated in Figure 7 . Once processors of an execution platform are started, the process enters to the state loading through port load and it is ready to be loaded.
A process is considered as stopped when all threads of the process are halted. When a process is stopped, each of its threads is given a chance to finalize its execution.
A process can be aborted by using abort port. In this case, all contained threads terminate their execution immediately and release all resources.
The Load deadline property specifies the maximum amount of elapsed time allowed between the time the process begins and completes loading.
Execution Platform Components
This section defines the translation into BIP of processors and devices.
Processors. AADL processor components are an abstraction of hardware and software that is responsible for scheduling and executing threads. Schedulers are modelled as atomic BIP components as shown in Figure 8 . The initial state of a scheduler is idle. When a thread become ready, the scheduler enters the choice state through an interaction on port ready. In this state, the thread ID is stored into the scheduler memory. When a thread is dispatched, the scheduler selects a thread identifier (into SelectedID variable) and enters the wait end state through an interaction on port dispatch. If there are several threads to be dispatched the scheduler re-enters to the state choice, otherwise, it enters the state idle. 
System
A system component represents an assembly of software and execution platform components. All subcomponents of a system are considered to be contained in that system. A system is modelled as a compound component in BIP. Figure 9 shows a BIP component representing a system and connexion between threads, process, and scheduler.
Annex Behavior Specification
Some annex behavior elements can be directly translated to BIP whereas for others we need new BIP facilities. Actual behaviors are supposed to be described using the implementation language. The proposed behavioral annex allows the expression of data dependent behaviors so that more precise behavioral analysis remains possible.
-The state variables section declares typed identifiers. In BIP, they correspond to data variables. They must be initialized in the initialization section, which is directly included in the BIP initialization part. -The states section declares automaton states as: The initial state is directly included in BIP. The return state indicates the return to the caller. This case is represented in BIP as a transition from return state to idle state. Fig. 9 . BIP System -The transitions section defines transitions from a source state to a destination state. Transitions can be guarded with events or boolean conditions, and can contain an action. Each transition is translated as one or a sequence of BIP transitions.
Connections
Port connection : is translated in BIP depending on the categories :
an event connection is translated into strong synchronization between the corresponding event ports. -a data connection is translated into connection with transfer of data.
an event data connection is translated into a strong synchronization between the corresponding ports with transfer of data.
Parameter connection : is translated in BIP by transfer of data between the parameters of a sequence of subprogram calls in a thread, as shown in section 4.1.
Tool
From the high-integrity systems point-of-view, the use of automatic code generation in the development process is profitable. As the generated code is a combination of a relatively small set of extensively tested design patterns, the analysis and review of this code is easier than for hand-written code. The tool chain is described in Figure 10 , and it has the following features:
-AADL to BIP Transformation: Using model transformations, allows to perform analysis on the models before code generation. The tool generating BIP from AADL ( Figure 10 ) has been implemented in Java, as a set of plugins for the open source Eclipse platform. It takes as input an AADL model(.aaxl) conforming to the AADL metamodel and generates a BIP model conforming to the BIP metamodel. Models generated may be timed or untimed. Timed models can be transformed into untimed models in which time progress is represented by a tick port that exists in all timed components and a connector connecting all tick ports. 
Case Studies
We used some examples of AADL [3, 2] (with annex behavior specification) to check the feasibility of our translation from AADL to BIP. In this section, we present the example of a simplistic flight computer [2] .
The Flight Computer has a thread called Sensor Sim that periodically sends integers data for the current AoA(angle-of-attack) and Climb Rate, and an event in case of Engine Failure. It also has a thread called Stall Monitor that is periodic and monitors the condition of the AoA and Climb Rate sensors and raise a stall warning if certain conditions are met. The thread Operator simulates the pilot. It is a periodic thread that sends a command (Gear Cmd) at every dispatch to raise or lower the landing gear of the aircraft. The thread Landing Gear simulates the landing gear subsystem. It receives a command to start a landing gear operation, and is a sporadic thread with a minimum inter-arrival time of 3 seconds. The thread HCI is a human computer interface. It receives a Stall Warning as an event data of type Integer; Engine Failure as an event; a landing gear command from the pilot. It may send a landing gear operation request (Gear Req) to the landing gear subsystem, and receives a landing gear operation acknowledgement (Gear Ack) from the landing gear subsystem. It is a sporadic thread with a minimum interarrival time of 10ms. The graphical representation of Flight Computer system model is given in Figure 11 .
BIP Model
The AADL model of the Flight Computer is transformed into BIP automatically by using our AADL to BIP translation tool. Figure 12 shows the obtained BIP model. This figure represents the BIP atomic components (AADL Threads) and connectors between them. Notice that we omit here the connectors between threads, process and scheduler that are shown in the Figure 9 .
The component Dummy In Out models the communication between the Dummy Out and Dummy In events ports. In the AADL model ( Figure 11 ), these two events are used to control thread reactivation: execution of the Landing Gear thread is activated by the Dummy In event; it emits a Dummy Out event upon completion. Thus, synchronizing these two events ensures periodic activation of this thread.
Verification
The model construction methodology applied to this example, opens the way for enhanced analysis and early error detection by using verifications techniques.
Once the model has been generated, two model checking techniques for verification have been applied:
Model checking by Aldebaran: The first technique of verification is deadlock detection by using the tool Aldebaran [12] . Exhaustive exploration by the BIP exploration engine, generates a Labeled Transition System (LTS) which can be analyzed by model checking. e.g, Aldebaran takes as input the LTS generated from BIP and checks for deadlock-freedom. We have checked that the model is deadlock-free.
Model checking with observers:
The second technique of verification is by using BIP observers to express and check requirements. Observers allow us to express in a much simple manner most safety requirements. We apply this technique to verify two properties:
• Verification of thread deadlines by using an observer component keeping track of the execution time of threads. If the execution time of a thread exceeds its deadline the observer moves to an error state. • Verification of synchronization between components: Landing Gear is sporadically activated bye HCI trough the Req port. When it is activated, it send back an acknowledgement through the ACK port, and possibly reactivates itself through the Dummy In Out component. This property can be verified by an observer which monitors the interactions between HCI, landing Gear and Dummy In Out components ( Figure 12 ).
Conclusion
The Architecture Analysis and Design Language (AADL) suffers from the absence of concrete operational semantics. In this paper, we address this problem by providing a translation from AADL to BIP, which has an operational semantics formally defined in terms of labelled transition systems. This translation allows simulation of AADL models, as well as application verification techniques, such as state exploration (using IF toolset [13] ) or component-based deadlock detection (using Aldebaran [12] , and D-Finder tool [11] ). The proposed method has been implemented in translation tool, which has been tested on the Flight Computer case study, also presented in this paper. Future work includes incorporating features that will appear in V2.0 of the AADL standard.
Introduction
Embedded software often operates in environments critical to human life and subject to our direct expectations. We assume that a handheld MP3 player will perform reliably, or that the unseen aircraft control system aboard our flight will function safely and correctly. Safety-critical embedded environments require far more care than provided by the current best practices in software development.
Embedded systems design challenges are well-documented [1] , but industrial practice still falls short of expectations for many kinds of embedded systems. In modern designs, graphical modeling and simulation tools (e.g. Mathworks' Simulink/Stateflow) represent physical systems and engineering designs using block diagram notations. Design work revolves around simulation and test cases, with code generated from "'complete"' designs. Control designs often ignore software design constraints and issues arising from embedded platform choices. At early stages of the design, platforms may be vaguely specified to engineers as sets of tradeoffs [2] .
Software development uses UML (or similar) tools to capture concepts such as components, interactions, timing, fault handling, and deployment. Workflows focus on source code organization and management, followed by testing and debugging on target hardware. Physical and environmental constraints are not represented by the tools. At best such constraints may be provided as documentation to developers.
Complete systems rely on both aspects of a design. Designers lack tools to model the interactions between the hardware, software, and the environment with the required fidelity. For example, software generated from a carefully simulated functional dataflow model may fail to perform correctly when its functions are distributed over a shared network of processing nodes. Cost considerations may force the selection of platform hardware that limits timing accuracy. Neither aspect of development supports comprehensive validation of certification requirements to meet government safety standards.
We propose a suite of tools that aim to address many of these challenges. Currently under development at Vanderbilt's Institute for Software Integrated Systems (ISIS), these tools use the Embedded Systems Modeling Language (ES-MoL), which is a suite of domain-specific modeling languages (DSML) to integrate the disparate aspects of a safety-critical embedded systems design and maintain proper separation of concerns between engineering and software development teams. Many of the concepts and features presented here also exist separately in other tools. We describe a model-based approach to building a unified model-based design and integration tool suite which has the potential to go far beyond the state of the art.
We will provide an overview of the tool vision and describe features of these tools from the point of view of available functionality. Note that two development processes will be discussed -the development of a distributed control system implementation (by an assumed tool user), and our development of the tool suite itself. The initial vision section illustrates how the tools would be used to model and develop a control system. The final sections describe different parts of our tool-development process in decreasing order of maturity.
Toolchain Vision and Overview
In this work, we envision a sophisticated, end-to-end toolchain that supports not only construction but also the verification of the engineering artifacts (including software) for high-confidence applications. The development flow provided by the toolchain shall follow a variation of the classical V-model (with software and hardware development on the two branches), with some refinements added at the various stages. Fig. 1 illustrates this development flow.
Consider the general class of control system designs for use in a flight control system. Sensors, actuators, and data networks are designed redundantly to mitigate faults. The underlying platform implements a variant of the time-triggered architecture (TTA) [3] , which provides precise timing and reliability guarantees. Safety-critical tasks and messages execute according to strict precomputed schedules to ensure synchronization between replicated components and provide fault mitigation and management. Software implementations of the control A modeling language to support this development flow must have several desired properties: (1) the ability to capture the relevant aspects of the system architecture and hardware, (2) ability to "understand" (and import) functional models from existing design tools, (3) support for componentization of functional models, and (4) ability to model the deployment of the software architecture onto the hardware architecture. The ability to import existing models from functional modeling tools is not a deeply justified requirement, it is merely pragmatic. EsMoL provides modeling concepts and capabilities that are highly compatible with AADL [4] . The chief differences are that EsMoL aims for a simpler graphical entry language, a wider range of execution semantics, and most important modelenabled integration to external tools as described below. Model exchange with AADL tools may be desirable in the future. A simple sample design will introduce key points of our model-based development flow and illustrate language concepts.
Our language design was influenced by two factors: (1) the MoC implemented by the platform and (2) the need for integration with legacy modeling and embedded systems tools. We have chosen Simulink/Stateflow as the supported "legacy" tool. As our chosen MoC relies on periodically scheduled time-triggered components, it was natural to use this concept as the basis for our modeling language and interpret the imported Simulink blocks as the implementation of these components. To clarify the use of this functionality, we import a Simulink design and select functional subsets which execute in discrete time, and then assign them to software components using a modeling language that has compatible (timetriggered) semantics. Communication links (signals) between Simulink blocks are mapped onto TTA messages passed between the tasks. The resulting language provides a componentized view of Simulink models that are scheduled periodically (with a fixed rate) and communicate using scheduled, time-triggered messages. Extensions to heterogeneous MoC-s is an active area of research.
Requirements Analysis (RA)
Our running example will model a data network implementing a single sensor/actuator loop with a distributed implementation. The sensors and actuators in the example are doubly-redundant, while the data network is triply-redundant. The common nomenclature for this type of design is TMR (triple modular redundancy). Unlike true safety-critical designs, we will deploy the same functions on all replicas rather than requiring multiple versions as is often done in practice [5] . The sensors and actuators close a single physical feedback loop. Specifying the physical system and particulars of the control functions are beyond the scope of this example as our focus is on modeling.
This example has an informal set of requirements, though our modeling language currently supports the formalization of timing constraints between sensor and actuator tasks. Formal requirements modeling offers great promise, but in ESMoL requirements modeling is still in conceptual stages. A simple sensor/actuator latency modeling example appears in a later section covering preliminary features for the language.
Functional Design (FD)
Functional designs can appear in the form of Simulink/Stateflow models or as existing C code snippets. ESMoL does not support the full semantics of Simulink. In ESMoL the execution of Simulink data flow blocks is restricted to periodic discrete time, consistent with the underlying time-triggered platform. This also restricts the type and configuration of blocks that may be used in a design. Continuous integrator blocks and sample time settings do not have meaning in ESMoL. C code snippets are allowed in ESMoL as well. C code definitions are limited to synchronous, bounded response time function calls which will execute in a periodic task. Fig. 2 shows a simple top-level Simulink design for our feedback loop along with the imported ESMoL model (Fig. 3 ). The ESMoL model is a structural replica of the original Simulink, only endowed with a richer software design 
Software Architecture (SwA)
The software architecture model describes the logical interconnection of functional blocks. In the architecture language a component may be implemented by either a Simulink Subsystem or a C function. They are compatible at this level, because here their model elements represent the code that will finally implement the functions. These units are modeled as blocks with ports, where the ports represent parameters passed into and out of C function calls. Semantics for SwA Connections are those of task-local synchronous function invocations as well as message transfers between tasks using time-triggered communication. Fig. 4 shows the architecture diagram for our TMR model. Instances of the functional blocks from the Simulink model are augmented with C code implementing replicated data voting. Hardware configurations are explicitly modeled in the platform language. Platforms are defined hierarchically as hardware units with ports for interconnections. Primitive components include processing nodes and communication buses. Behavioral semantics for these networks come from the underlying time-triggered architecture. The platform provides services such as deterministic execution of replicated components and timed message-passing. Model attributes for hardware also capture timing resolution, overhead parameters for data transfers, and task context switching times.
Figs. 5 and 6 show model details for redundant hardware elements. Each controller unit is a private network with two nodes and three independent data buses. Sensor voting and flight control instances are deployed to the controller unit networks. 
Deployment Models (CD, SY, DPL)
A common graphical language captures the grouping of architecture components into tasks. This language represents three of the design stages from the V-diagram (Fig. 1 ) -component design (CD), system architecture design (SY), and software deployment (DPL), though we will refer to it as the deployment language. In ESMoL a task executes on a processing node at a single periodic rate. All components within the task execute synchronously. Data sent between tasks takes the form of messages in the model. Whether delivered locally (same processing node) or remotely, all inter-task messages are pre-scheduled for delivery. ESMoL uses logical execution time semantics found in time-triggered languages such as Giotto [6] -message delivery is scheduled after the deadline of the sending task, but before the release of the receiving tasks. In the TT model message receivers assume that required data is already available at task release time. Tasks never block, but execute with whatever data is available each period. Deployment concepts -tasks running on processing nodes and messages sent over data buses -are modeled as shown in Fig. 7 . Software components and bus channels are actually references to elements defined in architecture and platform models. Model interpreters use deployment models to generate platform-specific task wrapping and communication code as well as analysis artifacts.
Existing Tools: Simulink to TTA
Control designs in Simulink are integrated using a graphical modeling language describing software architecture. Components within the architecture are assigned to tasks, which run on nodes in the platform. 
Integration Details
The Simulink and Stateflow sublanguages of our modeling environment are described elsewhere, though the ESMoL language changes many of the other design concepts from previously developed languages described by Neema [7] .
In our toolchain we created a number of code generators. To construct the two main platform-independent code generators (one for Simulink-style models and another one for Stateflow-style models) we have used a higher-level approach based on graph transformations [8] . This approach relies on assumptions that (1) models are typed and attributed graphs with specific structure (governed by the metamodel of the language) and (2) executable code can be produced as an abstract syntax graph (which is then printed directly into source code). This transformation-based approach allows a higher-level representation of the translation process, which lends itself more easily to automatic verification.
The models in the example and the metamodels described below were created using the ISIS Generic Modeling Environment tool (GME) [9] . GME allows language designers to create stereotyped UML-style class diagrams defining metamodels. The metamodels are instantiated into a graphical language, and metamodel class stereotypes and attributes determine how the elements are presented and used by modelers. The GME metamodeling syntax may not be entirely familiar to the reader, but it is well-documented in Karsai et al [10] . Class concepts such as inheritance can be read analogously to UML. Class aggregation represents containment in the modeling environment, though an aggregate element can be flagged as a port object. In the modeling environment a port object will also be visible at the next higher level in the model hierarchy, and available for connections. The dot between the Connectable class and the Wire class represents a line-style connector in the modeling environment.
High-confidence systems require platforms providing services and guarantees for properties such as fault containment, temporal firewalls, partitioning, etc. System developers should not re-implement such critical services from scratch [2] . Note that the platform also defines a 'Model of Computation' [11] . An MoC governs how the concurrent objects of an application interact (i.e. synchronization and communication), and how these activities unfold in time. The simple platform definition language shown in Fig. 8 contains relationships and attributes describing time-triggered networks.
Similarly, Fig. 9 shows the software architecture language. Connector elements model communication between components. Semantic details of such interactions remain abstract in this logical architecture -platform models must be defined Deployment models capture the assignment of Components (and Ports) from the Architecture to Platform Nodes (and Channels). Additional implementation details (e.g. worst-case execution time) are represented here for platform-specific synthesis. Fig. 10 shows the relevant modeling concepts. Simulink objects SLIn-putPort and SLOutputPort are assigned to Message objects, which represent the marshaling of data to be sent on a Bus.
Under Development: Platform-Specific Simulation, Generic Hardware, and Scheduling
A control system designer initially uses simulation to check correctness of the design. Software engineers later take code implementing control functions and deploy it to distributed controllers. Concurrent execution and platform limitations may introduce new behaviors which degrade controller performance and introduce errors. Ideally, the tools could allow the control functions to be resimulated with appropriate platform effects.
The TrueTime simulation environment [12] provides Simulink blocks modeling processing nodes and communication links. ESMoL tasks map directly to TrueTime tasks. In TrueTime, tasks can execute existing C code or invoke subsystems in Simulink models. Task execution follows configured real-time scheduling models, with communication over a selected medium and protocol. TrueTime models use a Matlab script to associate platform elements with function implementations. A platform-specific re-simulation requires this Matlab mapping function, and in our case also a periodic schedule for distributed timetriggered execution. Both of these can be obtained by synthesis from ESMoL models.
Resimulation precedes synthesis to a time-triggered platform. In order to use generic computing hardware with this modeling environment, we created a simple, open, portable time-triggered virtual machine (VM) to simulate the timed behavior of a TT cluster [13] on generic processing hardware. Since the commercial TT cluster and the open TT VM both implement the same model of computation, synthesis differences amount to management of structural details in the models. The open VM platform is limited to the timing precision of the underlying processor, operating system, and network, but it is useful for testing.
For both steps above the missing link is schedule generation. In commercial TTP platforms, associated software tools perform cluster analysis and schedule generation. For resimulation and deployment to an open platform, an open schedule generation tool is required. To this end we created a schedule generator using the Gecode constraint programming library [14] . The scheduling approach implements and extends the work of Schild and Würtz [15] . Configuration for the schedule generator is also generated by the modeling tools.
Integration Details
To configure TrueTime or the scheduler, the important details lie in the deployment model. Tasks and Messages must be associated with the proper processing nodes and bus channels in the model. The ISIS UDM libraries [16] provide a portable C++ API for creating model interpreters, navigating in models, and extracting required information. See Fig. 10 for the relevant associations. Model navigation in these interpreters must maintain the relationships between processors and tasks and between buses and messages. Scheduler configuration also requires extraction of all message sender and receiver dependencies in the model.
Designs in Progress: Requirements and Model Updates
Many types of requirements apply to real-time embedded control systems design. Embedded systems are heterogeneous, so requirements can include constraints on control performance, computational resources, mechanical design, and reliability, to name a few things. Formal safety standards (e.g. DO-178B [5] ) impose constraints on the designs as well as on the development process itself. Accordingly, current research has produced many techniques for formalizing requirements (e.g. ground models in abstract state machines [17] or Z notation [18] ). Models could be used to incorporate formal requirements into other aspects of the design process. During analysis, requirements may appear as constraints in synthesized optimization problems or conditions for model checking. Requirements can also be used for test generation and assessment of results.
Management of model updates is also essential. As designs evolve engineers and developers reassess and make modifications. Changes to either the platform model or functional aspects of the design may invalidate architecture and deployment models created earlier. Some portions of the dependent models will survive changes. Other parts needing changes must be identified. Where possible, updates should be automated.
Integration Details
The requirements sublanguage is in design, and so is light on details. As a simple example of the potential of such a language, Fig. 13 shows a model with latency requirements between tasks, and Fig. 11 shows the modeling language definition. This simple relationship can be quantified and passed directly to the schedule solver as a constraint. Ideally a more sophisticated requirements language could capture the syntax and semantics of an existing formal requirements tool. Some candidate languages and approaches are currently under consideration for inclusion in the framework.
To track model changes we propose to use the Simulink UserData field to store a unique tag in each functional block when the models are imported. During an update operation tags in the control design can be compared with previously imported tags in the model environment. Fig. 12 shows the UserData attribute from our Simulink sublanguage, corresponding to the actual attribute in Simulink blocks. To handle issues arising from topology concerns during model evolution, we require control designers to group top-level functionality into subsystems and place a few restrictions on model hierarchy in deployment models.
Wishlist: Expanded Semantics, Implementation Generation, and Verification
Many exciting possibilities loom on the horizon for this tool chain construction effort. We briefly describe some concepts currently in discussion for the tools. The current modeling languages describe systems which provide performance and reliability guarantees by implementing a time-triggered model of computation. This is not adequate for many physical processes and controller platforms. We also need provisions for event-triggered communication and components. Event-triggered component structures give rise to interesting and useful communication patterns common in practical systems (e.g. publish-subscribe, rendezvous, and broadcast). Several research projects have explored heterogeneous timed models of computation. Two notable examples are the Ptolemy project [19] and the DEVS formalism and associated implementations [20] . More general simulation and model-checking tools for timed systems and specifications include UPPAAL [21] and timed abstract state machines [22] . We aim to identify useful design idioms from event-triggered models and extend the semantics of the modeling language to incorporate them. Synthesis to analysis tools is also possible using model APIs.
Safe automation of controller implementation techniques is another focus. Control designs are often created and simulated in continuous time and arbitrary numerical precision, and then discretized in time for platforms with periodic sampling and in value for platforms with limited numeric precision. Recent work in optimization and control offers some techniques for building optimization problems which describe valid controller implementation possibilities [23] [24] . Early work on model interpreters aims to generate such optimization problems directly from the models. Other interesting problems include automated generation of fixed-point scaling for data flow designs. If integrated, tools like BIP [25] provide potential for automated verification of distributed computing properties (safety, liveness, etc...). Model representation of data flow functions, platform precision, and safety requirements could be used together for scaling calculation.
The addition of proper formal requirements modeling can enable synthesis of conditions for model checking and other verification tools. Executable semantics for these modeling languages can also provide the behavioral models to be checked (see Chen [26] [27], Gargantini [28] , and Ouimet [29] ). Other relevant work includes integration of code-level checking, as in the Java Pathfinder [30] or Saturn [31] tools. Synthesis to these tools must also be verified, an active area of research at ISIS [32] .
representing the official policies or endorsements, either expressed or implied, of the Air Force Office of Scientific Research or the U.S. Government.
