8 research outputs found

    Composable Models for Timing and Liveness Analysis in Distributed Real-Time Embedded Systems Middleware

    Middleware for distributed real-time embedded (DRE) systems has grown increasingly complex in order to address the functional and temporal requirements of diverse applications. While current approaches to modeling middleware have eased the task of assembling, deploying and configuring middleware and the applications that use it, a lower-level set of formal models is needed to uncover subtle timing and liveness hazards introduced by interference between and within distributed computations, particularly in the face of alternative middleware concurrency strategies. In this paper, we propose timed automata as a formal model of low-level middleware building blocks from which a variety of different middleware configurations can be constructed. When combined with analysis techniques such as model checking, this formal model can help developers verify the correctness of various middleware configurations with respect to the timing and liveness constraints of each particular application.

    RTZen: Highly Predictable, Real-Time Java Middleware for Distributed and Embedded Systems

    Distributed real-time and embedded (DRE) applications possess stringent quality of service (QoS) requirements, such as predictability, latency, and throughput constraints. Real-Time CORBA, an open middleware standard, allows DRE applications to allocate, schedule, and control resources to ensure predictable end-to-end QoS. The Real-Time Specification for Java (RTSJ) has been developed to provide extensions to Java so that it can be used for real-time systems, in order to bring Java's advantages, such as portability and ease of use, to real-time applications. In this paper, we describe RTZen, an implementation of a Real-Time CORBA Object Request Broker (ORB) designed to comply with the restrictions imposed by RTSJ. RTZen is designed to eliminate the unpredictability caused by garbage collection and improper support for thread scheduling through the use of appropriate data structures, threading models, and memory scopes. RTZen's architecture is also designed to hide the complexities of RTSJ related to distributed programming from the application developer. Empirical results show that RTZen is highly predictable and has acceptable performance. RTZen therefore demonstrates that Real-Time CORBA middleware implemented in real-time Java can meet the stringent QoS requirements of DRE applications, while supporting safer, easier, cheaper, and faster development in real-time Java.

    Timed Automata Models for Principled Composition of Middleware

    Middleware for Distributed Real-time and Embedded (DRE) systems has grown more and more complex in recent years due to the varying functional and temporal requirements of complex real-time applications. To enable DRE middleware to be configured and customized to meet the demands of different applications, a body of ongoing research has focused on applying model-driven development techniques to developing QoS-enabled middleware. While current approaches for modeling middleware focus on easing the task of assembling, deploying and configuring middleware and middleware-based applications, a more formal basis for correct middleware composition and configuration in the context of individual applications is needed. While the modeling community has used more abstract, application-level formal models to uncover certain flaws in system design, a more fundamental and lower-level set of models is needed to uncover the more subtle safety and timing errors introduced by interference between application computations, particularly in the face of alternative concurrency strategies in the middleware layer. In this research, we have examined how detailed formal models of lower-level middleware building blocks provide an appropriate level of abstraction both for modeling and for synthesis of a variety of kinds of middleware from these building blocks. When combined with model checking techniques, these formal models can help developers compose correct combinations of middleware mechanisms and configure those mechanisms for each particular application.

    Petrinet-based Validation of Railway Signalling and Safety Systems

    The development of computer science and automation is (and always has been) a source of ever newer and more efficient solutions, but also of new complexity; it makes the lasting, economical design and verification of the safety of installations and transport systems only more difficult. Real-time computing is today embedded in systems that manage human lives. It turns out that current methods and standards do not always meet the requirements for availability and safety, so systematic software errors are to be feared. The present work consists in defining and instrumenting a design and verification method. It shows that it is possible to apply formal verification methods to industrial control systems; railway control systems are treated in particular. The proposed method rests on several design ideas: - take the professional context into account as far as possible, and identify the safety properties and the functional requirements; - distinguish the functional software from the basic software (management of the physical equipment and interpretation of the domain-specific tasks); - write the functions as automata in the AEFD language. This language allows the formulation of Petri nets and a deterministic interpretation. Under these conditions it is possible to carry out a formal verification of a railway control system, for instance an interlocking or a level crossing system. The main idea consists in developing an industrial safety automaton that behaves like an abstract machine (a real-time interpreted concurrent automaton with constraints), so that it can later be formally validated. The tool for formulating the functional graphs is intended for signalling specialists without any special computer science knowledge. Petri nets are a conceptualisation language. These nets, written in the AEFD language, are used as deterministic and interpretable specifications. The safety properties and the functional requirements are written in the same way. Under these conditions, the proposed method makes it possible to carry out a formal proof of the signalling functions realized by the computerized system.

    A Formal Approach for Designing CORBA based Applications

    The design of distributed applications in a CORBA-based environment can be carried out by means of an incremental approach, which starts from the specification and leads to the high-level architectural design. This is done by introducing into the specification all the typical elements of CORBA and by providing methodological support to the designers. The paper discusses a methodology to transform a formal specification written in TRIO into a high-level design document written using an extension of TRIO named TC. The TC language is suited to formally describing the high-level architecture of a CORBA-based application. The methodology and the associated language are presented by means of an example involving a real Supervision and Control System.