Separating Control and Data Flow: Methodology and Automotive System Case Study

In this document we propose to study the control/data flow separation design methodology, using Scade and Mode-Automata, and its application in the design of an automotive system. This methodology allows to facilitate the specification of different kinds of systems and to have a better readability. It also separates the study of the different parts by using the most appropriate existing tools for each of them. To do that, we study a cruise control system with GPS which makes possible the control of a car speed depending on its position given by a GPS. This system combines both control and data processing and can be specified using our methodology. The goal of this work consists in presenting the application of our methodology on a real system and studing its advantages notably for formal verification

Probabilistic Model-Based Safety Analysis

Model-based safety analysis approaches aim at finding critical failure combinations by analysis of models of the whole system (i.e. software, hardware, failure modes and environment). The advantage of these methods compared to traditional approaches is that the analysis of the whole system gives more precise results. Only few model-based approaches have been applied to answer quantitative questions in safety analysis, often limited to analysis of specific failure propagation models, limited types of failure modes or without system dynamics and behavior, as direct quantitative analysis is uses large amounts of computing resources. New achievements in the domain of (probabilistic) model-checking now allow for overcoming this problem. This paper shows how functional models based on synchronous parallel semantics, which can be used for system design, implementation and qualitative safety analysis, can be directly re-used for (model-based) quantitative safety analysis. Accurate modeling of different types of probabilistic failure occurrence is shown as well as accurate interpretation of the results of the analysis. This allows for reliable and expressive assessment of the safety of a system in early design stages

Object-based Control/Data-flow Analysis

Not only does a clear distinction between control and data flow enhance the readability of models, but it also allows different tools to operate on the two distinct parts of the model. This paper shows how the modelling based on control/data-flow analysis can benefit from an object-based approach. We have developed a translation mechanism that is faithful and gives an extra dimension (hierarchy) to the existing paradigm of control and data flow interacting in a model. Our methodology provides a comprehensible separation of these two parts, which can be used to feed another analysis or synthesis tools, while still being able to reason about both parts through formal methods of verification

Introducing Control in the Gaspard2 Data-Parallel Metamodel: Synchronous Approach

In this document, we study the introduction of control in the Gaspard2 application UML metamodel by using the synchronous reactive system principles. This allows to take the change of running mode into account in the case of data parallel applications, and to study more general ways of mixing control and data parallel processing. Our study is applied to a particular context using two different models, exclusively dedicated to the process of computation or control. The computation part represents the Gaspard2 application metamodels based on the Array-OL language. This Language is often used to specify the data dependencies and the potential parallelism in intensive signal processing applications manipulating multidimensional data. The control part is represented by an automaton structure based on the Mode-Automata concept which makes it possible to clearly identify the different modes of a task and the switching conditions between modes. For this kind of applications, mixing control and data parallel processing, we propose an UML metamodel allowing to better visualize and control the construction of the system by clarifying, at a height abstraction level, the various relations and the possible interactions of this system. The proposed UML metamodel makes it possible to describe and to model the control automata, the different running modes and the link between control and computation parts. It also allows to clearly separate control and data parts by respecting the concurrency, the parallelism, the determinism and the compositionality of the Gaspard2 models

Experiences in using model checking to verify real time properties of a landing gear control system

International audienceThis paper presents experiences in using several model checking tools to verify properties of a critical real time embedded system. The tools we tested are Lesar, SMV, Prover Plug In for SCADE and Uppaal. The application is the landing gear control system of a military aircraft, developed by Dassault Aviation. The property to be verified states that the gear must be down in at most 14 seconds. Results (success and verification time) depend a lot on the way time is handled by the verification tools

A Case Study in Formal System Engineering with SysML

International audienceIn the development of complex critical systems, an important source of errors is the misinterpretation of system requirements allocated to the software, due to inadequate communication between system engineering teams and software teams. In response, organizations that develop such systems are searching for solutions allowing formal system engineering and system to software bridging, based on standard languages like SysML. As part of this effort, we have defined a formal profile for SysML (OMEGA SysML) and we have built a simulation and verification toolbox for this profile (IFx). This paper reports on the experience of modelling and validating an industry-grade system, the Solar Generation System (SGS) of the Automated Transfer Vehicle (ATV) built by Astrium, using IFx-OMEGA. The experience reveals what can currently be expected from such an approach and what are the weak points that should be addressed by future research and development

Developing a distributed electronic health-record store for India

The DIGHT project is addressing the problem of building a scalable and highly available information store for the Electronic Health Records (EHRs) of the over one billion citizens of India

When the worst-case execution time estimation gains from the application semantics

International audienceCritical embedded systems are generally composed of repetitive tasks that must meet drastic timing constraints, such as termination deadlines. Providing an upper bound of the worst-case execution time (WCET) of such tasks at design time is thus necessary to prove the correctness of the system. Static timing analysis methods compute safe WCET upper bounds, but at the cost of a potentially large over-approximation. Over-approximation may come from the fact that WCET analysis may consider as potential worst-cases some executions that are actually infeasible, because of the semantics of the program and/or because they correspond to unrealistic inputs. In this paper, we introduce a complete semantic-aware WCET estimation workflow. We introduce some program analysis to find infeasible paths: they can be performed at design, C or binary level, and may take into account information provided by the user. We design an annotation-aware compilation process that enables to trace the infeasible path properties through the program transformations performed by the compilers. Finally, we adapt the WCET estimation tool to take into account the kind of annotations produced by the workflow

Language Design for Reactive Systems: On Modal Models, Time, and Object Orientation in Lingua Franca and SCCharts

Reactive systems play a crucial role in the embedded domain. They continuously interact with their environment, handle concurrent operations, and are commonly expected to provide deterministic behavior to enable application in safety-critical systems. In this context, language design is a key aspect, since carefully tailored language constructs can aid in addressing the challenges faced in this domain, as illustrated by the various concurrency models that prevent the known pitfalls of regular threads. Today, many languages exist in this domain and often provide unique characteristics that make them specifically fit for certain use cases. This thesis evolves around two distinctive languages: the actor-oriented polyglot coordination language Lingua Franca and the synchronous statecharts dialect SCCharts. While they take different approaches in providing reactive modeling capabilities, they share clear similarities in their semantics and complement each other in design principles. This thesis analyzes and compares key design aspects in the context of these two languages. For three particularly relevant concepts, it provides and evaluates lean and seamless language extensions that are carefully aligned with the fundamental principles of the underlying language. Specifically, Lingua Franca is extended toward coordinating modal behavior, while SCCharts receives a timed automaton notation with an efficient execution model using dynamic ticks and an extension toward the object-oriented modeling paradigm