Orccad, a framework for safe robot control design and implementation

International audienceRobotic systems are typical examples of hybrid systems where continuous time aspects, related to control laws, must be carefully merged with discrete-time aspects related to control switches and exception handling. These two aspects interact in real-time to ensure an efficient nominal behaviour of the system together with safe and graceful degradation otherwise. In a mixed synchronous/asynchronous approach, ranging from user's requirements to run-time code, Orccad provides formalised real-time control structures, the coordination of which is specified using the \esterel\ synchronous language. CAD tools have been developed and integrated to help the users along the steps of the design, verification, implementation and exploitation processes

SRAM-Based FPGA Systems for Safety-Critical Applications: A Survey on Design Standards and Proposed Methodologies

As the ASIC design cost becomes affordable only for very large-scale productions, the FPGA technology is currently becoming the leading technology for those applications that require a small-scale production. FPGAs can be considered as a technology crossing between hardware and software. Only a small-number of standards for the design of safety-critical systems give guidelines and recommendations that take the peculiarities of the FPGA technology into consideration. The main contribution of this paper is an overview of the existing design standards that regulate the design and verification of FPGA-based systems in safety-critical application fields. Moreover, the paper proposes a survey of significant published research proposals and existing industrial guidelines about the topic, and collects and reports about some lessons learned from industrial and research projects involving the use of FPGA devices

Tackling the Awkward Squad for Reactive Programming: The Actor-Reactor Model

Reactive programming is a programming paradigm whereby programs are internally represented by a dependency graph, which is used to automatically (re)compute parts of a program whenever its input changes. In practice reactive programming can only be used for some parts of an application: a reactive program is usually embedded in an application that is still written in ordinary imperative languages such as JavaScript or Scala. In this paper we investigate this embedding and we distill "the awkward squad for reactive programming" as 3 concerns that are essential for real-world software development, but that do not fit within reactive programming. They are related to long lasting computations, side-effects, and the coordination between imperative and reactive code. To solve these issues we design a new programming model called the Actor-Reactor Model in which programs are split up in a number of actors and reactors. Actors and reactors enforce a strict separation of imperative and reactive code, and they can be composed via a number of composition operators that make use of data streams. We demonstrate the model via our own implementation in a language called Stella

Scade 6: A Formal Language for Embedded Critical Software Development

International audienceSCADE is a high-level language and environment for developing safety critical embedded control software. It is used for more than twenty years in various application domains like avionics, nuclear plants, transportation, automotive. SCADE has been founded on the synchronous data-flow language Lustre invented by Caspi and Halbwachs. In the early years, it was mainly seen as a graphical notation for Lustre but with the unique and key addition of a code generator qualified with the highest standards for safety critical applications.In 2008, a major revision based on the new language 'Scade 6' was released. This language originally combines the Lustre data-flow style with control structures borrowed from Esterel and SyncCharts, compilation and static analyses from Lucid Synchrone to ensure safety properties. This expressiveness increase for SCADE together with a qualified code generator have dramatically widened the scope of applications developed with.While previous publications have described some of its language constructs and compiler algorithms, no reference publication on 'Scade 6' existed so far. In this paper, we come back to the decisions made for its design, illustrate the main language features, static analyses, and the compiler organization in the context of a qualification process

Concurrent Constraint Calculi: a Declarative Paradigm for Modeling Music Systems.

Concurrent constraint programming (CCP) has emerged as a simple but powerful paradigm for concurrent systems; i.e. systems of multiple agents that interact with each other as for example in a collection of music processes (musicians) performing a particular piece. The ntcc calculus is a CCP formalism for modeling temporal reactive systems. In ntcc, processes can be constrained by temporal requirements such as delays, time-outs and pre-emptions. Thus, the calculus integrates two dimensions of computation: a horizontal dimension dealing with partial information (e.g., note > 60) and a vertical one in which temporal requirements come into play (e.g., a process must be executed at any time within the next ten time units). We shall show that the above integration is remarkably useful for modeling complex musical processes, in particular for music improvisation. For example, for the vertical dimension one can specify that a given process can nondeterministically choose any note satisfying a given constraint. For the horizontal dimension one can specify that the process can nondeterministically choose the time to play the note subject to a given time upper bound. This nondeterministic view is particularly suitable for processes representing a musician's choices when improvising. Similarly, the horizontal dimension may supply partial information on a rhythmic pattern that leaves room for variation while keeping a basic control. We shall also illustrate how implementing a weaker ntcc model of a musical process may greatly simplify the formal verification of its properties. We argue that this modeling strategy provides a "runnable specification" for music problems that eases the task of formally reasoning about them