Platform-Specific Timing Verification Framework in Model-Based Implementation

In the model-based implementation methodology, the timed behavior of the software is typically modeled independently of the platform-specific timing semantics such as the delay due to scheduling or I/O handling. Although this approach helps to reduce the complexity of the model, it leads to timing gaps between the model and its implementation. This paper proposes a platform-specific timing verification framework that can be used to formally verify the timed behavior of an implementation that has been developed from a platform-independent model. We first describe a way to categorize the interactions among the software, a platform, and the environment in the form of implementation schemes. We then present an algorithm that systematically transforms a platform-independent model into a platform-specific model under a given implementation scheme. This transformation algorithm ensures that the timed behavior of the platform-specific model is close to that of the corresponding implementation. Our case study of an infusion pump system shows that the measured timing delay of the system is bounded by the formally verified bound of its platform-specific model

Safety-Assured Model-Based Development of Real-Time Embedded Software for the Gpca Infusion Pump

Many safety-critical embedded systems must meet safety requirements associated with timing constraints. Not only shall a system read/write correct input or output values, but also those operations shall be performed with the right timing. Failing to meet those timing constraints results in serious safety issues (e.g., medical device malfunctions may harm patients). It is difficult to develop complex embedded software in a correct way without rigorous and systematic handling of various sources that affect the timed behavior of a system. We propose the model-based development framework that enables timing aspects of a system to be formally modeled, verified, and further implemented in a systematic way. The fundamental idea is to separate the timing concerns of the platform-independent and the platform-dependent aspects of a system. In the platform-independent development phase, input and output timed interactions between a system and its environment is modeled and verified using state-transition formalism (e.g., UPPAAL) by hiding platform-dependent timing details. In the platform-dependent development phase, such platform-dependent timing details are modeled using architectural modeling languages (e.g., AADL) that are necessary to execute the platform-independent code on a particular platform, such as internal interactions among software components (e.g., threads) and hardware components (e.g., sensors and actuators). The platform-independent code and the platform-dependent code are independently developed from the different levels of timing abstractions, and composed together in the integration phase. In this phase, we propose a way to systematically extend the platform-independent model into different platform-specific models, which formally characterize the implementation-level timed behavior that can be verified for timing requirement conformance. In case this verification step fails, we propose a way to adjust the timing parameters of the platform-independent code by compensating for the platform-dependent processing delays in such a way that the resulting implementation meets the timing requirements verified in the platform-independent model. Applicability of this development approach was demonstrated by developing software running on several Patient-Controlled Analgesia (PCA) infusion pump systems. We hope that this approach is also applicable to other safety-critical domains where generic software needs to be developed independently of a particular platform, and integrated with many different platforms in a way that conforms to timing requirements

Controlling Concurrent Change - A Multiview Approach Toward Updatable Vehicle Automation Systems

The development of SAE Level 3+ vehicles [{SAE}, 2014] poses new challenges not only for the functional development, but also for design and development processes. Such systems consist of a growing number of interconnected functional, as well as hardware and software components, making safety design increasingly difficult. In order to cope with emergent behavior at the vehicle level, thorough systems engineering becomes a key requirement, which enables traceability between different design viewpoints. Ensuring traceability is a key factor towards an efficient validation and verification of such systems. Formal models can in turn assist in keeping track of how the different viewpoints relate to each other and how the interplay of components affects the overall system behavior. Based on experience from the project Controlling Concurrent Change, this paper presents an approach towards model-based integration and verification of a cause effect chain for a component-based vehicle automation system. It reasons on a cross-layer model of the resulting system, which covers necessary aspects of a design in individual architectural views, e.g. safety and timing. In the synthesis stage of integration, our approach is capable of inserting enforcement mechanisms into the design to ensure adherence to the model. We present a use case description for an environment perception system, starting with a functional architecture, which is the basis for componentization of the cause effect chain. By tying the vehicle architecture to the cross-layer integration model, we are able to map the reasoning done during verification to vehicle behavior

Validate implementation correctness using simulation: the TASTE approach

High-integrity systems operate in hostile environment and must guarantee a continuous operational state, even if unexpected events happen. In addition, these systems have stringent requirements that must be validated and correctly translated from high-level specifications down to code. All these constraints make the overall development process more time-consuming. This becomes especially complex because the number of system functions keeps increasing over the years. As a result, engineers must validate system implementation and check that its execution conforms to the specifications. To do so, a traditional approach consists in a manual instrumentation of the implementation code to trace system activity while operating. However, this might be error-prone because modifications are not automatic and still made manually. Furthermore, such modifications may have an impact on the actual behavior of the system. In this paper, we present an approach to validate a system implementation by comparing execution against simulation. In that purpose, we adapt TASTE, a set of tools that eases system development by automating each step as much as possible. In particular, TASTE automates system implementation from functional (system functions description with their properties – period, deadline, priority, etc.) and deployment(processors, buses, devices to be used) models. We tailored this tool-chain to create traces during system execution. Generated output shows activation time of each task, usage of communication ports (size of the queues, instant of events pushed/pulled, etc.) and other relevant execution metrics to be monitored. As a consequence, system engineers can check implementation correctness by comparing simulation and execution metrics

Schedulability analysis of timed CSP models using the PAT model checker

Timed CSP can be used to model and analyse real-time and concurrent behaviour of embedded control systems. Practical CSP implementations combine the CSP model of a real-time control system with prioritized scheduling to achieve efficient and orderly use of limited resources. Schedulability analysis of a timed CSP model of a system with respect to a scheduling scheme and a particular execution platform is important to ensure that the system design satisfies its timing requirements. In this paper, we propose a framework to analyse schedulability of CSP-based designs for non-preemptive fixed-priority multiprocessor scheduling. The framework is based on the PAT model checker and the analysis is done with dense-time model checking on timed CSP models. We also provide a schedulability analysis workflow to construct and analyse, using the proposed framework, a timed CSP model with scheduling from an initial untimed CSP model without scheduling. We demonstrate our schedulability analysis workflow on a case study of control software design for a mobile robot. The proposed approach provides non-pessimistic schedulability results