Fr.1.A.109:00add Fr.1.A.1 to agenda

Download Fr.1.A.1

A Tool-Supported Approach for Concurrent Execution of Heterogeneous Models

Benoit Combemale - IRISA, Université de Rennes 1, France Cédric Brun - Obeo, France Joël Champeau - ENSTA Bretagne, France Xavier Crégut - INPT ENSEEIHT, IRIT, France Julien Deantoni - UNS - I3S - INRIA Sophia Antipolis Mediterranee, France Jérome Le Noir - Thales Research & Technology, France

In the software and systems modeling community, research on domain-specific modeling languages (DSMLs) is focused on providing technologies for developing languages and tools that allow domain experts to develop system solutions efficiently. Unfortunately, the current lack of support for explicitly relating concepts expressed in different DSMLs makes it very difficult for software and system engineers to reason about information spread across models describing different system aspects. As a particular challenge, we investigate in this paper relationships between, possibly heterogeneous, behavioral models to support their concurrent execution. This is achieved by following a modular executable metamodeling approach for behavioral semantics understanding, reuse, variability and composability. This approach supports an explicit model of concurrency and domain-specific actions with a well-defined protocol between them (incl., mapping, feedback and callback). The protocol is then used to infer a relevant behavioral language interface for specifying coordination patterns to be applied on conforming executable models. All the tooling of the approach is gathered in the GEMOC studio, overviewed in the next paragraph. Currently, the approach is experienced on a system engineering language provided by Thales, named Capella (https://www.polarsys.org/capella/). The goal and current state of the case study are exposed in this paper.

Fr.1.A.209:30add Fr.1.A.2 to agenda

Download Fr.1.A.2

Towards an Ontology-Driven Framework for Simulation Model Development

Sangeeth-Saagar Ponnusamy - Airbus Operations SAS, LAAS-CNRS, France Patrice Thebault - Airbus Operations S.A.S., France Vincent Albert - CNRS LAAS, France

An ontology driven domain model approach for improving the fidelity of the simulation by developing models through the inclusion of simulation objectives for the system Verification & Validation activities (V&V) is presented. The system V&V by simulation ontology used to build this domain model is briefly outlined in the system teleological framework of Structure, Behavior, Function, Interface and Operation. The concept of operating mode is proposed and discussed with an example. The ontology approach is demonstrated with an aircraft nacelle anti-ice system presented in the experimental frame formalism. An example of using the inference and query capabilities of the domain model approach to identify and justify abstractions consistent with the test scenarios is illustrated with a failure mode case study for this application case. The relationship with formal behavioural approach through operating modes is briefly discussed at the end where some theoretical results on the behavioural compatibility of the experimental frame components based on the interface simulation distances are presented. The paper concludes with a discussion on the benefits of this approach from an industrial perspective along with an overview of the challenges ahead and the future work.

Fr.1.A.310:00add Fr.1.A.3 to agenda

Download Fr.1.A.3

Tool Support for a Method and a Language Integrating Model Refinements and Project Management

Salma Bergaoui - CEA, LETI, France Ivan Llopard - CEA, LETI, France Nicolas Hili - LIG, France Christian Fabre - CEA, LETI, France Fayçal Benaziz - CEA, LETI, France

Complexity of embedded System (ES) development is increasing thanks to several cumulative sources. Some of them are directly related to constraints on the ES themselves, like computing power, resource constraints, and multi- or many-core, while other are related to the industrial context, like teamwork and paral¬leli¬sation of concurrent development. In this paper we present CanHOE2, a Model-Driven Engineering (MDE) tool that addresses two issues of ES development: Teamwork syn¬chro¬nisa¬tion and expression of parallelism by means of objects and Hierarchical State Machines (HSM).

Fr.1.B.109:00add Fr.1.B.1 to agenda

Download Fr.1.B.1

The Unified Model-Based Design: how not to choose between Scade and Simulink

Jean-Louis Dufour - Sagem, France Bertrand Corruble - Sagem, France Bertrand Tavernier - Sagem, France

software projects using Simulink or Scade use in fact a subset of Simulink or Scade. The ‘alignment’ of these two subsets gives rise to a new concept, the ‘Unified MBD’, interesting in two respects: an industrial one and an academic one.

Fr.1.B.209:30add Fr.1.B.2 to agenda

Download Fr.1.B.2

MBSE with ARCADIA Method and Capella Tool

Pascal Roques - PRFC, France

Much more than just yet another modelling tool, Capella is a model-based engineering solution that has been successfully deployed in a wide variety of industrial contexts. Based on a graphical modelling workbench, it provides systems, software and hardware architects with rich methodological guidance relying on ARCADIA, a comprehensive model-based engineering method. The ARCADIA/Capella DSML is inspired by UML/SysML and NAF standards, and shares many concepts with these languages. It is the result of an iterative definition process driven by systems and software architects working in a broad spectrum of business domains (transportation, avionics, space, radar, etc.). It enforces an approach structured on successive engineering phases which establishes clear separation between needs (operational need analysis and system need analysis) and solutions (logical and physical architectures), in accordance with the IEEE 1220 standard.

Fr.1.B.310:00add Fr.1.B.3 to agenda

Download Fr.1.B.3

Model Driven Engineering with Capella and AADL

Bassem Ouni - IRT-saint exupéry, Toulouse, France Pierre Gaufillet - IRT-saint exupéry, Toulouse, France Eric Jenn - IRT-saint exupéry, Toulouse, France Jérôme Hugues - ISAE, Toulouse, France

Design, evaluation and verification of real time embedded equipments is a challenging task that requires the elaboration of multiple models spanning a large spectrum of multiple abstraction levels and viewpoints: structural, behavioral, dependability, etc. Moreover, these models various purposes: design, evaluation or verification and validation. Consequently, there is currently, no single modeling language and environment covering all these aspects.. While Capella – an open source modeling language and environment for system engineering developed by Thales – fits well to the most early stages of the development process, AADL – the Architecture Analysis and Design Language defined by the Society of Automotive Engineers – provides powerful capabilities to describe and analyze the detailed design artifacts that appear during the latest phase of the design. This is why they have both been selected in the project INGEQUIP of IRT Saint Exupéry. While using different modeling languages for different purpose is perfectly acceptable in a development process, it is important to guarantee that information remain consistent across all models. This is why building a formalized bridge between Capella and AADL is an essential piece of INGEQUIP process. In this paper, after an introduction to the context of INGEQUIP, the high level semantics of Capella and AADL are compared. The mapping used in INGEQUIP between Capella physical models and AADL abstract models is then described. The whole approach is illustrated by some elements coming from the design of TwIRTee – the robotic demonstrator of INGEQUIP – before concluding.

Fr.1.C.109:00add Fr.1.C.1 to agenda

Download Fr.1.C.1

Virtual Yet Precise Prototyping : An Automotive Case Study

Daniela Genius - LIP6, France Ludovic Apvrille - LTCI, France

The paper overviews a joint framework for validating and exploring complex embedded systems. The framework indeed combines AVATAR and SocLib. AVATAR is a Model Driven Engineering approach relying on SysML, and SoCLib is a virtual prototyping platform. The main contribution lies in the new possibility to map AVATAR SysML blocks onto hardware nodes, within a newly conceived Deployment Diagram, and then to transform the latter into SoCLib models. At the AVATAR level, diagrams can be formally verified and simulated in a functional way only, that is, without considering any underlying hardware execution environment. On the contrary, the SocLib models can be simulated taking into account hardware components in an explicit way with a cycle-accurate bit accurate approach. An automotive system is used to present the two abstraction levels, and their support by the TTool toolkit.

Fr.1.C.209:30add Fr.1.C.2 to agenda

Download Fr.1.C.2

Linking model predictive control (MPC) and system simulation tools to support automotive system architecture choices

Dirk von Wissel - RENAULT SA, France Vincent Talon - RENAULT SA, France Vincent Thomas - SIEMENS, France Benoist Grangier - SIEMENS, France Lukas Lansky - HONEYWELL, Czech Republic Michael Uchanski - HONEYWELL, Switzerland

Today’s automotive industry must introduce advanced powertrain technologies as a consequence of the stringent environmental regulations and strong market expectations. This leads to the increase of vehicle variants and to the growth of the powertrain architectures complexity. Hence, the development of hardware and software can no longer be decoupled. Those activities have to run in parallel, starting from simulation and advanced engineering, continuing to the detailed engineering phase, and ending in validation and calibration. In the so-called Model-Based Systems Engineering (MBSE) approach, simulation models including both hardware and control systems are used to first make decisions on possible architectures. This paper presents a new MBSE approach that allows powertrain hardware selection to occur early during the simulation stages. The process combines Model Predictive Control (MPC) for the control system with a physical modeling software package for the hardware. This combination of MPC and physical modeling addresses several practical difficulties that typically hinder attempts at MBSE for hardware selection.

Fr.1.C.310:00add Fr.1.C.3 to agenda

Download Fr.1.C.3

Concurrent Programming of Microcontrollers, a Virtual Machine Approach

Steven Varoumas - LIP6, France Benoît Vaugon - ENSTA, France Emmanuel Chailloux - LIP6, France

Microcontrollers are low-cost and energy efficient programmable integrated circuits, they are used in a lot of common electronic devices but are quite difficult to program because of very little resources available. Being particularly used for embedded system, they interact a lot with their environment, and should react quickly to external stimuli. In this paper, we study different models of concurrency for programming microcontrollers using a virtual machine approach for safety as well as a higher-level model of programming, and we propose a synchronous extension to OCaml suitable for concurrent programming on microcontrollers.

Fr.1.D.109:00add Fr.1.D.1 to agenda

Download Fr.1.D.1

Asynchronous modeling in railway systems

Emmanuel Gaudin - PragmaDev, France

Models in the railway industry are often based on synchronous technologies such as Matlab or Scade. This is due to technical reasons, but because of its concepts the abstraction level of synchronous models are very low and very close to the implementation level. A serious gap is observed between the requirements described in natural textual language and the model which is basically an implementation. The increasing level of system complexity, combining communicating subsystems, calls for a more abstract model. This paper will first discuss why synchronous technologies have been used in this type of systems, then an experiment of using an asynchronous technologies on a real ERTMS case coming from SNCF is described, and finally the paper will conclude on how an asynchronous modeling technologies could make the link between the informal textual requirements and the implementation of the system.

Fr.1.D.209:30add Fr.1.D.2 to agenda

Download Fr.1.D.2

Taste in action

Maxime Perrotin - European Space Agency, Netherlands Konrad Grochowski - N7 Mobile, Poland Marcel Verhoef - European Space Agency, Netherlands Damien Galano - European Space Agency, Netherlands Michał Mosdorf - N7 Mobile, Poland Michał Kurowski - N7 Mobile, Poland François Denis - CSL, Belgium Estelle Graas - CSL, Belgium

In this paper, we present the results of the past years of active development and use of a set of tools named TASTE (http://taste.tuxfamily.org), which is developed under the supervision of the European Space Agency (ESA) since 2008. TASTE was created to facilitate the development of software using a combination of modern development techniques including formal methods, domain-specific languages and graphical editors to offer a nice user experience. Being free and favouring accessible APIs, TASTE is open and can be used in many areas, covering educational purposes as well as application on operational projects. We show how some of the TASTE core technologies, based on well-established languages, are actually used for the development of satellite instrument on-board software and documentation. As a technology demonstrator and lab experimentation platform, TASTE enables the investigation and exploration of techniques that are not commonly used in industry yet, such as functional programming, data and behavioural modelling, property checking, multi-core systems, etc. The objective is to make better software using a solid engineering approach that does not stay stuck to the traditional “Text-based requirements translated to C source code” which is still mostly applied when developing embedded systems. But more than presenting a collection of technologies, this paper also explains our strategy and why a technical organisation such as ESA is probably the right one to lead the development of such tools and ensure their long-term support.

Fr.1.D.310:00add Fr.1.D.3 to agenda

Download Fr.1.D.3

Designing, developing and verifying interactive components iteratively with djnn

Stéphane Chatty - Université de Toulouse - ENAC, France Mathieu Magnaudet - Université de Toulouse - ENAC, France Daniel Prun - Université de Toulouse - ENAC, France Stéphane Conversy - Université de Toulouse - ENAC, France Stéphanie Rey - Université de Toulouse - ENAC, France Mathieu Poirier - Université de Toulouse - ENAC, France

Introducing iterative user interface design methods into the development processes of safety-critical software creates technical and methodological challenges. This article describes a new programming paradigm aimed at addressing some of these challenges: interaction-oriented programming. In this paradigm any piece of software consists of a hierarchical collection of components that can interact among themselves and with their environment, and its execution consists in propagating activation through interactions between components. We first describe the principles of interaction-oriented programming, and illustrate them by describing the basic components provided by the djnn programming framework to create interactive software. We then show how interactive programming provides a basis for formulating and checking properties that capture requirements on interactive components. The rest of the article is dedicated to example design and development scenarios that illustrate how development environments could leverage interactive programming in the future so as to jointly address the requirements of modern user interface design and safety-critical software development.

Fr.2.B.111:45add Fr.2.B.1 to agenda

Download Fr.2.B.1

Making Full use of Emerging ARM- based Heterogeneous Multicore SoCs

Felix Baum - Mentor, United States of America Arvind Raghuraman - Mentor, United States of America

The complexity and pace of heterogeneous SoC architectures is accelerating at blinding speed. While these complex hardware architectures enable product vision, they also create new and difficult challenges for the system architect. Running and debugging an Operating System and application code on a single core is child’s play. This is also true for running Synchronous Multiprocessing (SMP) capable Operating Systems on homogenous multicore processors. The modern day SoC combines asymmetric multiple cores, graphics processing units, offload engines and more on a single piece of silicon. This paper will discuss opportunities for system partitioning and consolidation, and some of the key issues and challenges of architecting, developing and debugging software on these complex systems.

Fr.2.C.111:45add Fr.2.C.1 to agenda

Download Fr.2.C.1

On the Reliability of Probabilistic Worst-Case Execution Time Estimates

Fabrice Guet - ONERA, France Santinelli Luca - ONERA, France Morio Jerome - ONERA, France

Probabilistic Worst-Case Execution Time estimates, through Measurement-Based Probabilistic Timing Analyses and statistical inference, desperately need for formal definition and reliability. The automatic DIAGnostic tool for applying the eXTReMe value theory within the Probabilistic Timing Analysis framework we are proposing defines a complete set of statistical tests for studying execution time traces, e.g., the real-time task average execution behavior, and estimating the extreme behavior of the task execution time, in particular the probabilistic Worst-Case Execution Time. The tool allows also defining and evaluating the reliability of the probabilistic Worst-Case Execution Time estimates with the Extreme Value Theory by applying a fuzzy logic approach. We apply the tool to traces of execution time measurements of a task running on a Commercial off-the-shelf real-time multi-core system under different execution conditions. Application of the diagnostic tool to the traces of execution time measurements particularly validates the hypothesis of using the Extreme Value Theory for estimating the probabilistic Worst-Case Execution Time for this kind of system.

Fr.2.C.212:15add Fr.2.C.2 to agenda

Download Fr.2.C.2

When the worst-case execution time estimation gains from the application semantics

Armelle Bonenfant - IRIT - Université de Toulouse, France Fabienne Carrier - Univ. Grenoble - Verimag, France Hugues Cassé - IRIT - Université de Toulouse, France Philippe Cuenot - Continental, France Denis Claraz - Continental Automotive SAS, France Nicolas Halbwachs - Univ. Grenoble - Verimag, France Claire Maiza - Univ. Grenoble - Verimag, France Marianne De Michiel - IRIT - Université de Toulouse, France Vincent Mussot - IRIT, France

Critical embedded systems are generally composed of repetitive tasks that must meet drastic timing constraints, such as termination deadlines. Providing an upper bound of the worst-case execution time (WCET) of such tasks at design time is thus necessary to prove the correctness of the system. Static timing analysis methods compute safe WCET upper bounds, but at the cost of a potentially large over-approximation. Over-approximation may come from the fact that WCET analysis may consider as potential worst-cases some executions that are actually infeasible, because of the semantics of the program and/or because they correspond to unrealistic inputs. In this paper, we introduce a complete semantic-aware WCET estimation workflow. We introduce some program analysis to find infeasible paths: they can be performed at design, C or binary level, and may take into account information provided by the user. We design an annotation-aware compilation process that enables to trace the infeasible path properties through the program transformations performed by the compilers. Finally, we adapt the WCET estimation tool to take into account the kind of annotations produced by the workflow.