The ASSERT Virtual Machine Kernel: Support for preservation of temporal properties.

The ASSERT Project1 is aimed at defining new software engineering methods and tools for the development of critical embedded real-time systems in the aerospace domain. One of its main achievements is a new model-driven software process, which is based on the concept of property-preserving model transformations. Functional models developed with appropriate tools for the application domain are embedded in containers defining component interfaces and non-functional (e.g. timing) properties in a platform-independent set of notations. The resulting model is then automatically transformed to a platform-specific model using deployment information on target computer nodes, communication channels, and software platforms. Finally, source code for each computer node is automatically generated from the platform-specific model. The key element of the ASSERT process is that non-functional properties must be preserved during all phases of model transformations. In order to ensure that properties are preserved in model transformations and that the different views of each model are consistent with each other, a common meta-model has been defined which provides a formal basis to the whole process. This meta-model is called the Ravenscar Computational Model (RCM)

Ada, the programming language of choice for the UPMSAT-2 satellite

The proper selection of development mechanisms and tools is essential for the final success of any engineering project. This is also true when it comes to software development. Furthermore, when the system shows very specific and hard to meet requirements, as it happens for high-integrity real-time systems, the appropriate selection is crucial. For this kind of systems, Ada has proven to be a successful companion, and satellites are not an exception. The paper presents the reasons behind the selection of Ada for the UPMSat-2 development, along with the experience and examples on its usage

The TASTE Toolset: turning human designed heterogeneous systems into computer built homogeneous software.

The TASTE tool-set results from spin-off studies of the ASSERT project, which started in 2004 with the objective to propose innovative and pragmatic solutions to develop real-time software. One of the primary targets was satellite flight software, but it appeared quickly that their characteristics were shared among various embedded systems. The solutions that we developed now comprise a process and several tools ; the development process is based on the idea that real-time, embedded systems are heterogeneous by nature and that a unique UML-like language was not helping neither their construction, nor their validation. Rather than inventing yet another "ultimate" language, TASTE makes the link between existing and mature technologies such as Simulink, SDL, ASN.1, C, Ada, and generates complete, homogeneous software-based systems that one can straightforwardly download and execute on a physical target. Our current prototype is moving toward a marketed product, and sequel studies are already in place to support, among others, FPGA systems

Ravenscar computational model compliant AADL simulation on LEON2

AADL has been proposed for designing and analyzing SW and HW architectures for real-time mission-critical embedded systems. Although the Behavioral Annex improves its simulation semantics, AADL is a language for analyzing architectures and not for simulating them. AADS-T is an AADL simulation tool that supports the performance analysis of the AADL specification throughout the refinement process from the initial system architecture until the complete, detailed application and execution platform are developed. In this way, AADS-T enables the verification of the initial timing constraints during the complete design process. In this paper we focus on the compatibility of AADS-T with the Ravenscar Computational Model (RCM) as part of the TASTE toolset. Its flexibility enables AADS-T to support different processors. In this work we have focused on performing the simulation on a LEON2 processor.This work has been supported by ESTEC 22810/09/NL/JK HW-SW CODESIGN Project contracted to GMV Aerospace and Defence S.A.U

Ravenscar cross compiler for the Gurkh Project

Thesis (M. Eng.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2004.Includes bibliographical references (leaves 54-56).Concurrency has greatly simplified the design of embedded software, but the gain in design simplicity is offset by the complexity of system implementation. The Ravenscar profile of Ada95 defines safe tasking constructs that enable the use of deterministic concurrency. The translation of these high-level constructs by the compiler to deterministic object code is dependent on both the underlying operating system and the system operation platform. The commonly available open-source development tools for compiling Ravenscar compliant Ada95 assume that the operating system is implemented as software. A hardware implemented run-time kernel requires a radical rethink of the execution architecture because operating system calls have to be routed from the host processor running the tasks to the hardware implemented kernel RavenHaRT. The redesigned compiler pGNAT is based on the open-source GNAT compiler and uses the GCC back end to cross compile application code to PowerPC object code. The GNAT run-time library (GNARL) is modified to support the use of RavenHaRT. This thesis presents the technical challenges faced and the modifications carried out for generating RavenHaRT compatible, Ravenscar compliant object code.by Pee Seeumpornroj.M.Eng

AADL, de l'analyse à la génération de code

Cet exposé présentera les principes de génération de code à partir de modèles AADL, et les fonctionnalités couvertes par Ocarina notre générateur de code. Ocarina est un projet joint entre Télécom ParisTech, l'ISAE et l'ENIS. AADL est un langage de description d'architectures normalisé par la SAE. La version 2 du langage a été publiée en Janvier 2009. La conception de ce langage vise à fournir les briques de base pour exprimer les éléments fondamentaux de l'architecture en vue de l'analyser. Parallèlement à ces activités, AADL permet aussi de générer de nombreux éléments (tâches, tampons et canaux de communications, tables de routages...). Tirant partie des informations architecturales, il est possible de générer un code compact, optimisé et conforme aux exigences strictes de qualité de code (Profil Ravenscar et Haute-Intégrité de Ada, ECSS-40 de l'ESA et recommandations liées au langage C). Afin de supporter cette génération de code, nous avons étendu AADLv2 et dirigé la direction de trois documents annexes clarifiant les patrons de modélisation à utiliser pour garantir que l'on est en mesure de générer du code. Ocarina est un outil de génération de code basé sur AADL. Il génère du code Ada, C ou Real-Time Java. Le code généré peut s'exécuter aussi bien sur des plates-formes natives qu'embarquées (RTEMS, bare-board, RT-Linux). De plus, il couvre aussi bien des systèmes basés sur RT-POSIX, que des systèmes partitionnés se fondant sur les concept de ARINC653. Il a été validé au travers de plusieurs cas d'étude avec l'ESA, Thales et leurs partenaires

A non-intrusive fault tolerant framework for mission critical real-time systems

Thesis (S.M.)--Massachusetts Institute of Technology, Dept. of Aeronautics and Astronautics, 2005.Includes bibliographical references (p. 85-87).The need for dependable real-time systems for embedded application is growing, and, at the same time, so does the amount of functionality required from these systems. As testing can only show the presence of errors, not their absence, higher levels of system dependability may be provided by the implementation of mechanisms that can protect the system from faults. We present a framework for the development of fault tolerant mission critical real-time systems that provides a structure for flexible, efficient and deterministic design. The framework leverages three key knowledge domains: firstly, a software concurrency model, the Ada Ravenscar Profile, which guarantees deterministic behavior; secondly, the design of a hardware scheduler, the RavenHaRT kernel, which further provides deadlock free inter-task communication management; and finally, the design of a hardware execution time monitor, the Monitoring Chip, which provides non-intrusive error detection. To increase service dependability, we propose a fault tolerance strategy that uses multiple operating modes to provide system-level handling of timing errors. The hierarchical set of operating modes offers different gracefully degraded levels of guaranteed service. This approach relies on the elements of the framework discussed above and is illustrated through a sample case study of a generic navigation system.by Sébastien Gorelov.S.M

A New Approach to Memory Partitioning in On-board Spacecraft Software. In Fabrice Kordon and Tullio Vardanega (eds.), Reliable Software Technologies

The current trend to use partitioned architectures in on-board spacecraft software requires applications running on the same computer platform to be isolated from each other both in the temporal and memory domains. Memory isolation techniques currently used in Integrated Modular Avionics for Aeronautics usually require a Memory Management Unit (MMU), which is not commonly available in the kind of processors currently used in the Space domain. Two alternative approaches are discussed in the paper, based on some features of Ada and state-of-the art compilation tool-chains. Both approaches provide safe memory partitioning with less overhead than current IMA techniques. Some footprint and performance metrics taken on a prototype implementation of the most flexible approach are included

The Ravenscar-compliant hardware run-time (Ravenhart) kernel

Thesis (S.M.)--Massachusetts Institute of Technology, Dept. of Aeronautics and Astronautics, 2004.Includes bibliographical references (leaves 69-71).Real-time embedded systems are increasingly becoming the foundation of control systems in both the aerospace and automotive worlds. This class of systems has to meet three requirements: strict timing constraints on operational behavior, limited resource availability, and stringent certification standards. The heart of any embedded system is its run-time system (RTS), which provides resource management, task creation and deletion, and manages inter-task communication. The traditional Ada RTS does not provide deterministic behavior. In order to meet the requirement of a minimal, deterministic RTS, a formal model based on the Ravenscar profile of Ada95 was developed by Professor Kristina Lundqvist in 2000. This formal model forms the basis of the work carried out in this thesis. This thesis aims to leverage the reliability and efficiency of programmable hardware to implement a run-time kernel called RavenHaRT. The kernel was designed to support Ravenscar compliant Ada95 code and provides task creation, task scheduling and inter-task communication capabilities. The timing properties embedded in the formal model are captured in terms of kernel performance within the hardware. The kernel was implemented using a Xilinx Virtex-II Pro FPGA. The results from testing demonstrate that the hardware kernel has the expected behavior and can interface correctly with software code.by Anna Silbovitz.S.M

SPaCIFY: a Formal Model-Driven Engineering for Spacecraft On-Board Software

International audienceThe aim of this article is to present a model- driven approach proposed by the SPaCIFY project for spacecraft on-board software development. This ap- proach is based on a formal globally asynchronous lo- cally synchronous language called Synoptic, and on a set of transformations allowing code generation and model verification