Validate implementation correctness using simulation: the TASTE approach

High-integrity systems operate in hostile environment and must guarantee a continuous operational state, even if unexpected events happen. In addition, these systems have stringent requirements that must be validated and correctly translated from high-level specifications down to code. All these constraints make the overall development process more time-consuming. This becomes especially complex because the number of system functions keeps increasing over the years. As a result, engineers must validate system implementation and check that its execution conforms to the specifications. To do so, a traditional approach consists in a manual instrumentation of the implementation code to trace system activity while operating. However, this might be error-prone because modifications are not automatic and still made manually. Furthermore, such modifications may have an impact on the actual behavior of the system. In this paper, we present an approach to validate a system implementation by comparing execution against simulation. In that purpose, we adapt TASTE, a set of tools that eases system development by automating each step as much as possible. In particular, TASTE automates system implementation from functional (system functions description with their properties – period, deadline, priority, etc.) and deployment(processors, buses, devices to be used) models. We tailored this tool-chain to create traces during system execution. Generated output shows activation time of each task, usage of communication ports (size of the queues, instant of events pushed/pulled, etc.) and other relevant execution metrics to be monitored. As a consequence, system engineers can check implementation correctness by comparing simulation and execution metrics

Incremental Latency Analysis of Heterogeneous Cyber-Physical Systems

REACTION 2014. 3rd International Workshop on Real-time and Distributed Computing in Emerging Applications. Rome, Italy. December 2nd, 2014.Cyber-Physical Systems, as used in automotive, avionics, or aerospace domains, have critical real-time require-ments. Time-related issues might have important impacts and, as these systems are becoming extremely software-reliant, validate and enforcing timing constraints is becoming difficult. Current techniques are mainly focused on validating these constraints late by using integration tests and tracing the system execution. Such methods are time-consuming and labor-intensive and, discovering timing issue late in the development process might incur significant rework efforts. In this paper, we propose an incremental model-based ap-proach to analyze and validate timing requirements of cyber-physical systems. We first capture the system functions, its related latency requirements and validate the end-to-end latency at a high level. This functional architecture is then refined into an implementation deployed on an execution platform. As system description is evolving, the latency analysis is being refined with more precise values. Such an approach provide latency analysis from a high level specification without having to implement the system, saving potential re-engineering efforts. It also helps engineers to select appropriate execution platform components or change the deployment strategy of system functions to ensure that latency requirements will be met when implementing the system.This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center

A MDE-based process for the design, implementation and validation of safety critical systems

Distributed Real-Time Embedded (DRE) systems have critical requirements that need to be verified. They are either related to functional (e.g. stability of a furnace controller) or non-functional (e.g. meeting deadlines) aspects. Model-Driven Engineering (MDE) tools have emerged to ease DRE systems design. These tools are also capable of generating code. However, these tools either focus on the functional aspects or on the runtime architecture. Hence, the development cycle is partitioned into pieces with heterogeneous modeling notations and poor coordination. In this paper, we propose a MDE-based process to create DRE systems without manual coding. We show how to integrate functional and architecture concerns in a unified process. We use industry-proven modeling languages to design functional elements of the system, and automatically integrate them using our AADL toolchain

Design and Analysis of Multi-Core Architecture for Cyber-Physical Systems

International audienceCyber-Physical Systems are becoming software intensive, collocating many functions on a single processor and requiring a significant processing capacity which increased over the years. In recent years, improving processing performance has been achieved by adding more processing cores on the same chip rather than increasing its frequency. This new design also introduces issues: interaction among cores may impact software performance and might also arm software isolation layers, such as the one defined in ARINC653. For that reason, software using multi-core architecture must be carefully designed and specified with hardware and software aspects. This would help to analyze the system and detect potential design issue. This paper proposes an approach to represent multi-core architectures and their association with software ar-tifacts, such as the ones used for cyber-physical systems (e.g., the ARINC653 platform). For that purpose, we use the AADL language and define specific modeling patterns with new properties

Model based code generation for distributed embedded systems

Embedded systems are becoming increasingly complex and more distributed. Cost and quality requirements necessitate reuse of the functional software components for multiple deployment architectures. An important step is the allocation of software components to hardware. During this process the differences between the hardware and application software architectures must be reconciled. In this paper we discuss an architecture driven approach involving model-based techniques to resolve these differences and integrate hardware and software components. The system architecture serves as the underpinning based on which distributed real-time components can be generated. Generation of various embedded system architectures using the same functional architecture is discussed. The approach leverages the following technologies – IME (Integrated Modeling Environment), the SAE AADL (Architecture Analysis and Design Language), and Ocarina. The approach is illustrated using the electronic throttle control system as a case study

Modeling and Validation of ARINC653 architectures

International audienceAvionics systems must be carefully designed due to their criticality since fault may lead to loss of life. Thes e systems must be verified and certified. However, design of avionics arc hitectures becomes more and more complex due to an increasing demand of new functionalities. It makes very diffic ult to analyze systems and detect potential faults that may cause damages. This paper presents an approac h to model and validate avionics systems. Architecture requirements, properties and constraints are described with the Architecture Analysis and Design Language (AA DL) and its associated A RINC653 annex. Then, we apply validation rules to check system correctness and constraints enforcement. This approac h provides a high-level view of the system and eases the development of avionics system by validating their requirements at a model- level, before any implementation effort

Model-Based Design, Automated Code Generation and Safety Analysis of ARINC653 Architectures using the AADL

Safety-Critical Systems for the aerospace domain are becoming extremely software-reliant, with tight coupling with hardware and network elements. At the same time, these have to demonstrate conformance with stringent standards so as to ensure a sufficient level of safety. In this talk, we report on recent advances in the SAE Architecture Analysis and Design Language -- AADL -- standard and supporting tools for the modeling of avionics system and software. SAE AS2-C committee pushed forward various standard documents 1) to model avionics system compatible with the Integrated Modular Avionics (IMA) paradigm, and 2) to support the analysis of safety properties by modeling the effects of faults and errors on architecture through the Error Modeling annex language. The proposed approach allows for an efficient modeling of the various aspects of a system, ranging from high-level architecture down to precise defects mode. Using OSATE analysis facilities, designer can generate from models analysis reports conformant to SAE ARP 4761, such as the Functional Hazard Assessment (FHA), Fault-Tree Analysis (FTA) or Failure Mode and Effects Analysis (FMEA). In a second phase, using Ocarina, one can generate the configuration of an ARINC653 APEX to set up run-time elements (partitions, time and memory budgets, communication ports QoS policies), but also the configuration of health monitoring policies. We illustrate how those elements are applied on the Software Health Management unit an ADIRU unit exposed as part of the incident report by the ATSB. This public case study allows for a precise assessment of the AADLv2 new capabilities

Modeling and Analyzing IMA Architectures with AADL, From Modeling to Safety Evaluation and Code Generation: A Case-Study

Safety-Critical Systems for the aerospace domain are becoming extremely software-reliant, with tight coupling with hardware and network elements. At the same time, these have to demonstrate conformance with stringent standards so as to ensure a sufficient level of safety. In this presentation, we report on recent advances in the SAE Architecture Analysis and Design Language -- AADL -- standard and supporting tools for the modeling of avionics system and software. SAE AS2-C committee pushed forward various standard documents 1) to model avionics system compatible with the Integrated Modular Avionics (IMA) paradigm, and 2) to support the analysis of safety properties by modeling the effects of faults and errors on architecture through the Error Modeling annex language. The proposed approach allows for an efficient modeling of the various aspects of a system, ranging from high-level architecture down to precise defects mode. Using OSATE analysis facilities, designer can generate from models analysis reports conformant to SAE ARP 4761, such as the Functional Hazard Assessment (FHA), Fault-Tree Analysis (FTA) or Failure Mode and Effects Analysis (FMEA). In a second phase, using Ocarina, one can generate the configuration of an ARINC653 APEX to set up run-time elements (partitions, time and memory budgets,communication ports QoS policies), but also the configuration of health monitoring policies. We illustrate how those elements are applied on the Software Health Management unit an ADIRU unit exposed as part of the incident report by the ATSB. This public case study allows for a precise assessment of the AADLv2 new capabilities

AADLv2, a Domain Specific Language for the Modeling, the Analysis and the Generation of Real-Time Embedded Systems

The Architecture Analysis and Design Language (AADL) is an SAE International Standard dedicated to the precise modeling of complex real-time embedded systems, covering both hardware and software concerns. Its definition relies on a precise set of concepts inherited from industry and academics best practice: clear separation of concerns among layers, rich set of properties to document system metrics and support for many kind of analysis: scheduling, safety and reliability, performance, but also code generation. In this tutorial, we provide an overview of AADLv2 and illustrate how several analyses can be combined on an illustrative example: an ADIRU system. In this tutorial, we focus on safety analyses and also demonstrate the use of AADL to both verify and implement automatically a real-time embedded systems

Intégration de la sécurité et de la sûreté de fonctionnement dans la construction d'intergiciels critiques

Safety-critical software (used in avionics, military or aerospace domains) must preserve their integrity, ensure a continuous operational state and enforce security of their data. There requirements are met through a dedicated development process that analyses and detects errors before system release. However, these methods are not sufficient and safety or security still occurs in such systems (e.g. explosion of Ariane 5, mission failure of Mars Climate Orbiter, etc). In addition, meeting safety and security becomes more and more difficult due to an increasing number of functionalities. This thesis introduces a new method to build safety-critical systems and ensure their safety and security requirements. The approach proposes patterns for the specification of safe and secure systems. Then, a dedicated development process relies on them to (i) validate, (ii) automatically implement and (iii) certify the system, enforcing its requirements from the specifications to the code. System validation (i) detects specification errors, ensuring its correctness and feasibility prior any development effort. The automatic implementation process (ii) translates system specification into code and ensures their requirements enforcement. The certification (iii) aspect verifies that specification requirements are met in the implementation by analyzing the system during its execution. It also evaluates its compliance against certification standards (such as DO178B).Les systèmes embarqués critiques (utilisés dans le domaine avionique, militaire ou médical) doivent assurer une continuité de service et la sécurité des données qu'ils contiennent ou échangent. La garantie de ces exigences s'effectue au travers d'un processus de développement rigoureux qui s'attache à détecter et corriger toute erreur avant la mise en production du système. Toutefois, plusieurs exemples (explosion de la fusée Ariane 5, échec de la mission Mars Climate Orbiter} ont montré les limites de ces méthodes. De plus, l'augmentation des fonctionnalités fournies par ces systèmes complique la garantie de règles de sécurité et de sûreté. Ce travail de thèse propose une méthode de conception de systèmes critiques visant à faciliter le respect des politiques de sécurité et de sûreté dans la production de systèmes critiques. L'approche décrite au sein de ce manuscrit définit des règles de spécifications des systèmes sûrs et sécurisés qui sont utilisés au cours d'un cycle de développement qui (i) valide, (ii) implante et (iii) certifie automatiquement le système. La validation de l'architecture (i) assure la bonne constitution des spécifications et garantit leur faisabilité. L'implantation automatique (ii) génère le système à partir des spécifications validées, garantissant la bonne traduction des spécifications en code exécutable. L'aspect certification (iii) compare l'exécution du système avec ses spécifications et vérifie sa conformité avec les standards de certification inhérents aux systèmes critiques. Cette partie de notre approche assure que les systèmes implantés respectent les contraintes de sécurité et de sûreté décrites par l'utilisateu