Copilot: Monitoring Embedded Systems

Runtime verification (RV) is a natural fit for ultra-critical systems, where correctness is imperative. In ultra-critical systems, even if the software is fault-free, because of the inherent unreliability of commodity hardware and the adversity of operational environments, processing units (and their hosted software) are replicated, and fault-tolerant algorithms are used to compare the outputs. We investigate both software monitoring in distributed fault-tolerant systems, as well as implementing fault-tolerance mechanisms using RV techniques. We describe the Copilot language and compiler, specifically designed for generating monitors for distributed, hard real-time systems. We also describe two case-studies in which we generated Copilot monitors in avionics systems

Incorporating faults and fault-tolerance into real-time networks: a graph-transformational approach

PhD ThesisThe introduction of fault tolerance into real-time systems presents particular challenges because of the price of redundancy and the added complexity of verification and validation on these redundant structures. This thesis brings structural and formal design techniques to bear on this problem. Verification of fault tolerance properties in such systems has only received limited attention. in particular the design methodologies are in their infancy. We propose a transformational design methodology, specific to a real-time systems architecture. We then reason about the compositional addition of fault tolerant components and templates of the derived designs. This requires that we show the existing axiomatic semantics for our chosen architecture sound with respect to a more constructive semantic model. The issues of presenting an operational model for a real-time architecture are discussed and a model is proposed. The extension of the existing semantics, to allow for faulty behaviour, is shown to preserve the existing semantic properties and the application of our methodology shown to be usable by a sizeable study. The contribution of this thesis is to define a transformational design methodology in which components can be extracted from a design and replaced by another component preserving functionality while providing fault tolerance. This approach requires the precise modelling of the faults we consider. the transformational method and verification of the transformed design with respect to faults.BAE Systems: EPSRC

A Development Process for the Design, Implementation and Code Generation of Fault Tolerant Reconfigurable Real Time Systems

The implementation of hard real-time systems is extremely a hard task today due to safety and dynamic reconfiguration requirements. For that, whatever the taken precautions, the occurrence of faults in such systems is sometimes unavoidable. So, developers have to take into account the presence of faults since the design level. In this context, we notice the need of techniques ensuring the dependability of real-time distributed dynamically reconfigurable systems. We focus on fault-tolerance, that means avoiding service failures in the presence of faults. In this paper, we have defined a development process for modeling and generating fault tolerance code for real-time systems using aspect oriented programming. First, we integrate fault tolerance elements since the modeling step of a system in order to take advantage of features of analysis, proof and verification possible at this stage using AADL and its annex Error Model Annex. Second, we extend an aspect oriented language and adapt it to respect real-time requirements. Finally, we define a code generation process for both functional preoccupations and cross-cutting ones like fault tolerance and we propose an extension of an existent middleware. To validate our contribution, we use AADL and its annexes to design a landing gear system as an embedded distributed one

Distributed systems and Ada

Viewgraphs of two briefings designed to provide information to the Software I and V Study Group to help complete the I and V study task are given. The information is taken from the areas of Ada real-time processing support, Ada run-time environments, Ada program construction, object oriented design, and Ada/UNIX/POSIX interfaces. Also covered are the development, integration, and verification of Ada systems; fault tolerance and Ada; and Ada programming standards, techniques, and tools

Motivating Time as a First Class Entity

In hard real-time applications, programs must not only be functionally correct but must also meet timing constraints. Unfortunately, little work has been done to allow a high-level incorporation of timing constraints into distributed real-time programs. Instead the programmer is required to ensure system timing through a complicated synchronization process or through low-level programming, making it difficult to create and modify programs. In this report, we describe six features that must be integrated into a high level language and underlying support system in order to promote time to a first class position in distributed real-time programming systems: expressibility of time, real-time communication, enforcement of timing constraints, fault tolerance to violations of constraints, ensuring distributed system state consistency in the time domain, and static timing verification. For each feature we describe what is required, what related work had been performed, and why this work does not adequately provide sufficient capabilities for distributed real-time programming. We then briefly outline an integrated approach to provide these six features using a high-level distributed programming language and system tools such as compilers, operating systems, and timing analyzers to enforce and verify timing constraints

Fault-tolerant Transmission of Messages of Differing Criticalities Across a Shared Communication Media

We discuss the motivation behind, and the design and analysis of, an algorithm for synthesizing communication schedules for shared media networks in some safety-critical hard-real-time applications such as autonomous navigation and factory automation. Communication media may be inherently noisy in many such environments, and occasional transmission errors hence inevitable. Therefore it is essential that some degree of fault-tolerance be built into the communication protocol that is used - in some safety-critical application domains, fault-tolerance requirements may be mandated by statutory certification requirements. Since the severity of the consequences of failing to successfully transmit different messages may be different, we consider a mixed-criticality setting in which the fault-tolerance requirement specification for messages are dependent on their criticality: more critical messages are required to be able to tolerate a larger number of faults. We advocate that communication schedules be as static as possible in safety-critical applications in order to facilitate verification and validation, and discuss the synthesis of semi-static schedules - schedules that are driven by precomputed lookup tables - with the desired fault-tolerance properties for such applications

An evaluation of software fault tolerance techniques in real-time safety-critical applications

The usefulness of three software fault tolerance techniques -- n-version programming, recovery blocks, and exception handling is examined within the context of real-time safety-critical environments. The general requirements of such application systems are presented and the techniques evaluated with regard to how well they satisfy these requirements

Building safe software

Murphy is a set of techniques and tools under investigation for their potential in enhancing the safety of software. This paper describes some of the work which has been done and some which is planned