
    Contracts for Systems Design: Methodology and Application cases

    Recently, contract-based design has been proposed as an "orthogonal" approach that can be applied to all methodologies proposed so far to cope with the complexity of system design. Contract-based design provides a rigorous scaffolding for verification, analysis and abstraction/refinement. Companion report RR-8759 proposes a unified treatment of the topic that can help in putting contract-based design in perspective. This paper complements RR-8759 by further discussing methodological aspects of system design with contracts in perspective and presenting two application cases. The first application case illustrates the use of contracts in requirement engineering, an area of system design where formal methods were scarcely considered, yet are stringently needed. We focus in particular on the critical design step by which sub-contracts are generated for suppliers from a set of different viewpoints (specified as contracts) on the global system. We also discuss important issues regarding certification in requirement engineering, such as consistency, compatibility, and completeness of requirements. The second example is developed in the context of the Autosar methodology now widely advocated in the automotive sector. We propose a contract framework to support schedulability analysis, a key step in the Autosar methodology. Our aim differs from the many proposals for compositional schedulability analysis in that we aim at defining sub-contracts for suppliers, not just performing the analysis by parts: we know from companion paper RR-8759 that sub-contracting to suppliers differs from a compositional analysis entirely performed by the OEM. We observe that the methodology advocated by Autosar is in contradiction with contract-based design in that some recommended design steps cannot be refinements. We show how to circumvent this difficulty by precisely bounding the risk at the system integration phase. Another feature of this application case is the combination of manual reasoning for local properties and use of the formal contract algebra to lift a collection of local checks to a system-wide analysis.

    Developing Automotive Products Using the EAST-ADL2, an AUTOSAR Compliant Architecture Description Language

    Current development trends in automotive software feature increasing standardization of the embedded software structure. However, the overall engineering information management needed to control the system definition and manage its complexity remains a critical issue. System modeling based on an Architecture Description Language (ADL) is a way to keep these assets within one information structure. The original EAST-ADL was developed in the EAST-EEA project (www.east-eea.org) and basic concepts were reused in the AUTOSAR standardization initiative. The original EAST-ADL is currently being refined in the ATESST project (www.atesst.org) into EAST-ADL2. This paper presents the results of the language extension provided by the EAST-ADL2 domain model and focuses on its possible extension of the AUTOSAR standard to support decomposition of E/E automotive systems.

    Investigation on AUTOSAR-Compliant Solutions for Many-Core Architectures

    As of today, AUTOSAR is the de facto standard in the automotive industry, providing a common software architecture and development process for automotive applications. While this standard was originally written for single-core Electronic Control Units (ECUs), new guidelines and recommendations have been added recently to provide support for multicore architectures. This update came as a response to the steady increase in the number and complexity of the software functions embedded in modern vehicles, which call for the computing power of multicore execution environments. In this paper, we enumerate and analyze the design options and the challenges of porting AUTOSAR-based automotive applications onto multicore platforms. In particular, we investigate those options when considering the emerging many-core architectures that provide a more scalable environment than traditional multicore systems. Such platforms are suitable for enabling massively parallel execution, and their design is better suited to partitioning and isolating the software components.
    Euromicro Conference on Digital System Design (DSD 2015), Funchal, Portugal

    An Architecture Pattern Enabling Safety at Lower Cost and with Higher Performance

    In both avionic and automotive systems, proving functions safe in all operational conditions and for 100% of the mission time might become very costly and/or restrict the functional performance. This is especially true if the quality of sensor data and of communication data may vary greatly. One way to resolve this trade-off paradox is to move part of the safety assessment from design time to run time. This paper proposes a general architectural pattern for this, and also shows how to instantiate this pattern in Integrated Modular Avionics (IMA) for the avionic domain, and in AUTOSAR for the automotive domain. The solutions imply some extensions of ARINC 653 and of AUTOSAR respectively, but they are not in conflict with the existing concepts. The proposed solutions are also fully in line with what is prescribed by the functional safety standards of the two domains.

    Deterministic Execution Sequence in Component Based Multi-Contributor Powertrain Control Systems

    Modern complex control applications, e.g. engine management systems, are typically built using a component-based architecture, enabling the reuse of components and allowing the complexity of the application to be managed in terms of functional content, size and interfaces. This approach of independently developed components is supported by the concepts available in AUTOSAR and can therefore be expected to gain increasing importance. However, due to the nature of the task of control applications, there is still a strong coupling between individual parts of the components, resulting in signal chains and consequently in sequencing requirements. The challenge of getting such execution sequences implemented correctly is increased, as the components are often delivered by different and external parties. Our approach extends the idea of functional partitioning of the application into the time domain by defining a system of phases with a fixed sequence and a defined content. This allows components to be designed into this sequencing frame right from the beginning, just as they are designed today into the component partitioning frame, and allows a system sequencing to be defined across different suppliers.

    SimSched: A tool for Simulating Autosar Implementation in Simulink

    AUTOSAR (AUTomotive Open System ARchitecture) is an open industry standard for the automotive sector. It defines a three-layered automotive software architecture. One of these layers is the application layer, where functional behaviors are encapsulated in Software Components (SW-Cs). Inside SW-Cs, a set of runnable entities represents the internal behavior and is realized as a set of tasks. To address AUTOSAR's lack of support for modeling the behaviors of runnables, languages such as Simulink are employed. Simulink simulations assume that Simulink block behaviors complete in zero execution time, while real execution requires a finite execution time. This timing mismatch can result in failures to detect unexpected runtime behaviors during the simulation phase. This paper extends the Simulink environment to model the timing properties of tasks. We present a Simulink block that can schedule tasks with non-zero simulation times. It enables a more realistic analysis during model development.

    Contracts for System Design

    Systems design has become a key challenge and differentiating factor over the last decades for system companies. Aircraft, trains, cars, plants, distributed telecommunication, military or health care systems, and more, involve systems design as a critical step. Complexity has caused system design times and costs to go so severely over budget as to threaten the health of entire industrial sectors. Heuristic methods and standard practices do not seem to scale with complexity, so novel design methods and tools based on a strong theoretical foundation are sorely needed. Model-based design as well as other methodologies such as layered and compositional design have been used recently, but a unified intellectual framework with a complete design flow supported by formal tools is still lacking, albeit some attempts at this framework, such as Platform-based Design, have been successfully deployed. Recently an "orthogonal" approach has been proposed that can be applied to all methodologies proposed thus far to provide a rigorous scaffolding for verification, analysis and abstraction/refinement: contract-based design. Several results have been obtained in this domain, but a unified treatment of the topic that can help in putting contract-based design in perspective is still missing. This paper intends to provide such a treatment, where contracts are precisely defined and characterized so that they can be used in design methodologies such as the ones mentioned above with no ambiguity. In addition, the paper provides an important link between interfaces and contracts to show similarities and correspondences. Examples of the use of contracts in design are provided, as well as an in-depth analysis of the existing literature.
    This article reviews the concept of contract for system design. The contracts we propose cover not only typing properties of their interfaces but also include an abstract description of behaviors. We propose a meta-theory, or, if one prefers, a generic theory of contracts, which allows the separate development of subsystems. We show that this meta-theory specializes into one or another of the known theories