We work on the problem of the safe design of real-time control systems. This area is related to control theory as well as computer science. Application domains are typically safety-critical systems, as in transportation (avionics, railways), production, medical or energy production systems. Both methods and formal models for the construction of correct systems, as well as their implementation in computer assisted design tools, targeted to specialists of the applications, are needed. We contribute to propose solutions all along the design flow, from the specification to the implementation: we develop techniques for the specification and automated generation of safe real-time executives for control systems. Our special research themes are:
implementations of synchronous reactive programs, generated automatically by compilation, particularly from the point of view of distribution (in relation with the Lustre
control/scheduling co-design, with cross-interactions between techniques of serving and real-time operating systems (
RTOS), in order to obtain an adaptive scheduling, with regard to quality of service (in relation with the
Orccad
high-level design and programming methods, with support for automated code generation, including: the automated generation of correct controllers using discrete control synthesis (in relation with the Mode Automata
Our applications are in embedded systems, typically in the robotics, automotive, and telecommunications domains with a special emphasis on dependability issues ( e.g., fault-tolerance, availability). International and industrial relations feature:
the
ITEAEuropean project EAST-EEA
the ISTEuropean networks of excellence:
Artist 2
AOSD-Europe
two ACIs (actions concertées incitatives), Alidecs (on large-scale critical embedded systems) and Dispo (on security policies for software components),
collaborations with STMicroelectronics and France Télécom R&D.
The context of our work is the area of embedded real-time control systems, at the intersection between control theory and computer science. Our contribution consists of methods and tools for their safe design. The systems we consider are intrinsically safety-critical because of the interaction between the embedded, computerized controller, and a physical process having its own dynamics. What is important is to analyze and design the safe behavior of the whole system, which introduces an inherent complexity. This is even more crucial in the case of systems whose malfunction can have catastrophic consequences, for example in transport systems (avionics, trains), production, medical, or energy production systems.
Therefore, there is a need for methods and tools for the design of safe systems. The definition of adequate mathematical models of the behavior of the systems allows the definition of formal calculi. They in turn form a basis for the construction of algorithms for the analysis, but also
for the transformation of specifications towards an implementation. They can then be implemented in software environments made available to the users. A necessary complement is the setting-up of software engineering, programming, modeling, and validation methodologies. The motivation of
these problems is at the origin of significant research activity, internationally and in particular, in the European
ISTnetwork of excellence
Artist 2 (Advanced Real-Time Systems)
The state of the art upon which we base our contributions, is twofold.
From the point of view of discrete control, there is a set of theoretical results and tools, in particular in the synchronous approach, often founded on labeled transition systems finite or infinite , . During the past years, methodologies for the formal verification , , control synthesis and compilation, and extensions to timed and hybrid systems , have been developed. Asynchronous models consider the interleaving of events or messages, and are often applied in the field of telecommunications, in particular for the study of protocols. A well-known formalism for reactive systems is StateCharts , which can be encoded in a synchronous model as shown in .
The synchronous approach
From the point of view of the executables and execution platforms for the implementation of embedded systems, there are software or middleware approaches and hardware-based approaches. Concerning the quantitative aspects of the problem, one can find techniques for structuring the programs in multiple tasks, possibly preemptable, based on the real-time operating system. Their durations and periods, for example, are taken into account within the framework of scheduling according to various strategies. The analytical approach, with the determination of schedulability of a set of real-time tasks with constraints, is a very active field of research, primarily turned towards the respect of computer-centered constraints only: the task characteristics are derived from measurements of periods and execution time imposed by the environment. There has been, until recently, only little work formalizing the relation with discrete models and control. The techniques of real-time control usually take into account only criteria internal to the computer system, related to the resources of computation. In other words, they have an open loop character. However, the progress of the reflexive systems, providing sensors (of reconfiguration) and actuators (of dynamic control of the system) make it possible to close the loop , ; we contribute to this new approach by the development of methods for control/scheduling co-design.
The design of safe real-time control systems is difficult due to various issues, among them their complexity in terms of the number of interacting components, their parallelism, the difference of the considered time scales (continuous or discrete), and the distance between the various theoretical concepts and results which allow the study of different aspects of their behaviors, and the design of controllers. The European ISTnetwork of excellence Artist 2 identifies three principal objectives: hard real-time for critical applications (which concerns the synchronous approach), component-based design, and adaptive real-time systems for quality of service management.
A currently very active research direction focuses on the models and techniques that allow the automatic use of formal methods. In the field of verification, this concerns in particular the technique of model checking; the verification takes place after the design phase, and requires, in case of problematic diagnostics, expensive backtracks on the specification. We want to provide a more constructive use of formal models, using them to derive correct executives by formal computation and synthesis, integrated in a compilation process. We therefore use models throughout the design flow from specification to implementation, in particular by automatic generation of embeddable executives.
They initially come from the fields of safety-critical systems (avionics, energy) and complex systems (telecommunication), embedded in an environment with which they strongly interact (comprising aspects of computer science and control theory). Fields with less strong criticality, or which support variable degrees of quality of service, such as in the multi-media domain, can also take advantage of methodologies that improve the quality and reliability of software, and reduce the costs of test and correction in the design.
Industrial acceptance, the dissemination, and the deployment of the formal techniques inevitably depend on the usability of such techniques by specialists in the application domain — and not in formal techniques themselves —, and also on the integration in the whole design process, which concerns very different problems and techniques. The application domains are rather rare where the actors are ready to employ specialists in formal methods or advanced control theory. Even then, the methods of systematic application of these theoretical results are not ripe. In fields like industrial control, where the use of PLC (Programmable Logic Controller ) is dominant, this question can be decisive.
Essential elements in this direction are the proposal of realistic formal models, validated by experiments, of the usual entities in control theory, and functionalities ( i.e., algorithms) which correspond indeed to services useful for the designer. Take for example the compilation and optimization taking into account the platforms of execution, possible failures, or the interactions between the defined automatic control and its implementation. A notable example for the existence of an industrial need is the activity of the Athyscompany concerning the development of a specialized programming environment, CellControl, which integrates synchronous tools for compilation and verification, tailored to the application domain. In these areas, there are functionalities that commercial tools do not have yet, and to which our results contribute.
We are proposing effective trade-offs between, on the one hand, expressiveness and formal power, and on the other, usability and automation. We focus on the area of specification and construction of correct real-time executives for discrete and continuous control, while keeping an interest in tackling major open problems, relating to the deployment of formal techniques in computer science, especially at the border with control theory. Regarding the applications, we propose new automated functionalities, to be provided to the users in integrated design and programming environments.
We intend to exploit our knowledge of formal techniques and their use, and of control theory, according to aspects of the definition of fundamental tools, and applications.
The integration of formal methods in an automated process of generation/compilation is founded on the formal modeling of the considered mechanisms. This modeling is the base for the automation, which operates on models well-suited for their efficient exploitation, by analysis and synthesis techniques that are difficult to use by end-users.
The creation of easily usable models aims at giving the user the role rather of a pilot than of a mechanics i.e., to offer her/him pre-defined functionalities which respond to concrete demands, for example in the generation of fault-tolerant or distributed executives, by the intermediary use of dedicated environments and languages.
The proposal of validated models with respect to their faithful representation of the application domain is done through case studies in collaboration with our partners, where the typical multidisciplinarity of questions across control theory and computer science is exploited.
The overall consistency of our approach comes from the fact that the main research directions address, under different aspects, the specification and generation of safe real-time control executives based on formal models.
We explore this field by linking, on the one hand, the techniques we use, with on the other, the functionalities we want to offer. We are interested in questions related to:
dedicated languages and models for automatic control that are the interface between the techniques we develop and the end-users on the one hand, and the designers of formal models on the other;
compositional modeling and analysis that aim at deriving crucial system properties from component properties, without the need to actually build and check the global system;
Aspect-Oriented Programming that allows to express safety concerns separately from the functional part and to enforce them on program.
This issue can be tackled differently depending on the execution platform. Based on a formal model of the program to be implemented, our approach is to obtain by compilation (i.e., automatically):
the distribution on a multiprocessor architecture, with code partitioning according to directives, and insertion of the necessary communication actions to ensure the coherence of control; the distribution must be correct with respect to the original specification, and must be optimized;
fault-tolerance by replication of computations on a multiprocessor architecture, and scheduling of computations according to the faults to be tolerated; such a scheduling must be optimized w.r.t.its length and reliability.
The interaction of the intrinsic nature of the control we consider, with its real-time implementation can be tackled in two ways:
scheduling for regulation where the scheduling scheme and parameters are designed to capture the control system requirements and to improve the quality of the implemented controller;
regulation for scheduling where the latter is made adaptive and is dynamically controlled by using techniques from control theory.
We use techniques of discrete controller synthesis, especially the tools Sigali and Mode Automata within an automated framework, for:
multi-mode multi-tasking systems where the management of interactions (exclusions, optimization of cost or quality criteria, ...) is obtained by synthesis;
a locally imperative, globally declarative language whose compilation comprises a phase of discrete controller synthesis.
Our applications are in embedded systems, typically: robotics, automotive, telecommunications, systems on chip (SoC). In some areas, safety is critical, and motivates the investment in formal methods and techniques for design. But even in less critical contexts, like telecommunications and multimedia, these techniques can be beneficial in improving the efficiency and quality of designs, as well as the design, production and test costs themselves.
Industrial acceptance of formal techniques, as well as their deployment, goes necessarily through their usability by specialists of the application domain, rather than of the formal techniques themselves. Hence our orientation towards the proposal of domain-specific (but generic) realistic models, validated through experience ( e.g., control tasks systems), based on formal techniques with a high degree of automation ( e.g., synchronous models), and tailored for concrete functionalities ( e.g., code generation).
The commercially available design tools (such as
UMLwith real-time extensions, Matlab/Simulink/dSPACE
Regarding the synchronous approach, commercial tools are available:
Scade(based on
Lustre),
esterel
The scheduling methods we propose, are of interest for the designers of embedded applications, who lack adequate design methods to effectively use the tools offered by the
RTOS. The dissemination of these methods can be done via the success of applications (as in the European project
Teledimos), or by distribution in the context of free software around the real-time/embedded versions of Linux
Regarding applications and case studies with industrial end-users of our techniques, we cooperate with STMicroelectronics on compositional verification for System-on-Chip design assistance.
Orccad
It is mainly intended for critical real-time applications in robotics, in which automatic control aspects ( servo loops, control) have to interact narrowly with the handling of discrete events ( exception handling). Orccadoffers a complete and coherent vertical solution, ranging from the high level specification to real-time code generation.
Orccadis supported by the Support Expérimentations & Développement (SED)service of Inria-Rhône-Alpes. Orccadis used by the experimental robotics platforms of Inria-Rhône-Alpes. New functionalities are developed jointly by the SEDservice and the researchers of the Pop Art team. The current stable version allows for the automatic generation of real-time single-rate controllers running on top of VxWorks, Solaris and Linux. The main current developments allow for the generation of multi-rate controllers and the use of feedback scheduling running on top of Linux/RTAI (hard real-time) or patched Linux kernels (soft real-time using the Posix API).
ocrepdistributes automatically synchronous programs according to specifications given by the user. Concretely, starting from a centralized source synchronous program obtained either with the Lustreor the Esterelcompiler, from a number of desired computing locations, and an indication of where each input and output of the source program must be computed, ocrepproduces several programs, one for each location, each one computing only its assigned variables and outputs, and communicating harmoniously. Their combined behavior is equivalent to the behavior of the centralized source program and that there is no deadlock.
Currently our software
ocrepis distributed in the form of executable on the web
We have been cooperating for several years with the
Inriateam
Aosteon the subject of fault-tolerance. In particular, we have implemented several new heuristics for fault-tolerance and reliability within their software
SynDEx
We have developed a software tool chain to allow the specification of models, the controller synthesis, and the execution or simulation of the results. It is based on existing synchronous tools, and thus consists primarily in the use and integration of
Sigali(developed at
Irisa) and of Mode Automata (developed at
Verimag
Useful component templates and relevant properties can be materialized, on one hand by libraries of task models, and, on the other hand, by properties and synthesis objectives. A prototype compiler has been developed to demonstrate a domain-specific language, named Nemo, for multi-task controllers (see Section ).
Further results for compositional modeling, verification and synthesis (section ) have been implemented in the prototype tool Prometheus, in order to perform case studies to evaluate their potential and limits.
Y. Roux has developed a prototype tool translating models of Systems-on-Chip written in SystemC, into the input format of Prometheus. This prototype is currently being tested, and is intended to serve as a module for a tool platform for compositional verification of Systems-on-Chip.
Software-defined radio has recently emerged as an important research area for mobile telephone operators. The basic functionalities that both the emitter (
e.g., the base station, the wireless network hub, ...) and the receiver (
e.g., the cell phone terminal, the PDA, ...) must run are digital to analog conversion, analog to digital conversion, modulation/demodulation, radio frequency conversion, and so on. Software radio means that these functionalities are implemented as
softwaremodules run on general purpose hardware. For instance, this could allow a mobile terminal to adapt seamlessly to its environment, for instance when moving from a UMTS zone to a WIFI zone. Most of the existing approaches are either based on asynchronous process calculi or on
middleware. In this context, we have proposed an evolution of the synchronous language
Lucid
Synchronedesigned by M. Pouzet and P. Caspi
,
. This new language, called
Decade
, offers dynamic higher-order features, whereas
Lucid
Synchroneonly had static higher-order. Concretely,
Decadeallows a function
fto be parametrized by another function
g(higher-order), and more important to replace during the execution
gby another function
h(dynamic higher-order). It is a data-flow language, so all the objects handled by a program are streams, that is, infinite sequences of typed data. Higher-order means that both the data and the functions are streams. To this respect,
Decadeis the first purely data-flow programming language. Hence one can define streams of functions of streams. This feature makes
Decadea programming language well suited for software-defined radio. Gwenaël Delaval is doing a PhD on this topic, co-advised by Marc Pouzet from
LRI(University of Orsay) and Alain Girault. He works in the context of the
Alidecs
ACI
We are currently studying a synchronous dataflow language, Lucid Synchrone . This language is a high-order dataflow language, where functions are first-class citizens, i.e., can be manipulated as values, for instance as function parameters or results.
We propose to extend this language with primitives allowing the programmer to express the locationof streams. The goal is then to provide, by compilation of one synchronous program source with location annotations, an executable program for each physical location specified. The result of the parallel execution of these programs will be then a functionally distributed system, whose semantic, abstraction made of location informations, will be the same as the program without the location annotations.
This work is based on , where, given a reactive program, the location of each node of this program is propagated from the locations of its inputs and outputs. This ``coloring'' process is made on an in-lined model of the program. Unfortunately, this does not work for high-order programs, as such programs cannot be, in general, in-lined in order to perform a semantic computation, such as the distribution process described above.
Therefore, a ``spatial'' type system is proposed to infer locations of values (being scalar, or functions), and to check at compilation-time the consistency of the distribution described with regard to the system's architecture.
We have continued our work on the automatic generation of reliable and distributed schedules, with bi-criteria scheduling heuristics. The context of our work is to start from an algorithmic specification under the form of a DAG of operations (Directed Acyclic Graph), and an architecture specification under the form of a bipartite graph of processors and communication media.
On the theoretical side, we have chosen a simplified reliability model where we assume that the communication media are reliable. In this context, we have designed a new method that dissociates, one the one hand the spatial allocation of the operations to the processors, and on the other the temporal allocation of the operations allocated to the same processor. According to our simplified reliability model, the reliability of the resulting schedule depends only on the spatial allocation. Hence, our method first optimizes the reliability of the schedule during the spatial allocation phase, then optimizes the makespan of the schedule during the temporal allocation phase.
On the practical side, we are improving the cost function used inside our bi-criteria scheduling heuristic. This work uses a more general reliability model, where communication media have a rate of failure per time unit, just like the processors. Our bi-criteria cost function attempts to optimize both the reliability and the makespan of the resulting schedule. The difficulty arises from the fact that these two measures (the reliability and the makespan) have drastically different orders of magnitude and evolve in radically different ways during the incremental building of the schedule.
The real-time community has usually considered that control tasks have fixed periods, hard deadlines and worst-case execution times. This assumption has served the separation of control and scheduling designs, but has led to under utilization of CPU resources. However current real-time design methods and associated analysis tools do not provide a model flexible enough to fit well with control systems engineering requirements.
We aim to provide an Integrated control and scheduling co-designapproach . It is assumed that robust control focusing on timing uncertainties may provide a first level of fault tolerance. When the capabilities of feedback scheduling are exceeded, exception handling will be handled by a decision process working on a discrete events time scale. The proposed methodology will be assessed using realistic simulations and experiments.
Within our approach, the control system timing requirements are captured through a partition in control paths, whose fixed priorities are assigned according to their relative urgency. Latencies are managed through precedence constraints and more or less tight synchronization between modules. The implementation uses the fixed-priority based preemption service of an off-the-shelf real-time operating system. Such a system can be modeled with timed event graphs, and its temporal behavior can be analyzed off-line using the underlying (max,plus) algebra .
This methodology is supported by the version of Orccadunder development. It will be further improved using a QoS management of the timing constraints to fully benefit from the intrinsic robustness of closed-loop controllers w.r.t. timing uncertainties. Some studies are presented in for real-time control in robotics.
In our framework the feedback scheduling is designed w.r.t a QoC (Quality of Control) measure. The QoC criterion captures the control performance requirements, and the problem can be stated as QoC optimization under constraint of available computing resources. However, preliminary studies suggest that a direct synthesis of the scheduling regulator as an optimal control problem leads, when it is tractable, to a solution too costly to be implemented in real-time . Practical solutions will be found in the currently available control theory and tools or in enhancements and adaptation of current control theory. We propose in Figure a hierarchical control structure : besides the usual process control loops we add an outer control loop which goal is to manage the execution of the real-time application through the control of the scheduling parameters of the inner loops. Together with the outer loop (working on a periodic sampled time scale) we also need a scheduling manager working on a discrete events time scale to process exception handling and admission control.
Preliminary studies and experiments have been conducted along the following guidelines:
Ideally the outer loop should control a composite of QoC and QoS; however, due to the lack of knowledge about the relations between a the control performance and the timing parameters, we have up to now been focusing only on the control of the computing load. Indeed, the QoC is indirectly controlled through the temporal attributes of the control law. Finding effective cost functions that map the control performance into the scheduling parameters can be difficult, especially for non-linear systems.
As the task periods directly affect the computing load, they have been chosen as actuators. They can be implemented through software variable clocks.
Also, as timing uncertainties cannot be avoided and are difficult to model or measure, we are currently designing robust control algorithms using the
control theory. For example, Figure
shows a robust scheduling controller where template
Wespecifies the performances on the CPU load tracking error and template
Wxspecifies the load allocation between two control tasks. Such
scheduling controllers have been successfully simulated and experimentally validated
,
As the scheduling controller adapts the periods of the plant control tasks, the plant controllers gains must be sized according to the variable sampling period
hin order to preserve stability and to satisfy a given performance index.
Our design objective is to obtain a unique controller as a function of
hinstead of a map of different controllers as in the past. Therefore, the stability can be theoretically ensured for all control periods
hover a desired range. A polynomial pole-placement approach is used and a sampling period dependent RST (two degrees of freedom) discrete-time controller has been designed
.
The desired closed-loop performance is specified by model matching: it has been shown using the Truetime tools that decreasing the performance (e.g., the response time) while increasing the sampling period allows for preserving the stability over a wide control frequency range.
Control laws using variable sampling are currently under study, e.g., via new extensions of the gain scheduling and Linear Parameter Varying (LPV) design methods, considering here that the sampling period is the varying parameter.
Experiments are implemented using a modified Orccadruntime under Linux/RTAI (hard real-time using kernel modules) or under a patched Linux kernel (soft real-time using Posix threads).
Feedback scheduling has been successfully implemented in robot control where simulation results (using Truetime) and experiments (using RTAI) are compared running the so-called Computed Torque robot controller. The results show that our method provides both robustness w.r.t. unmodelled loads and a controlled use of the computing resource with a moderate computing cost (Figure ) : the upper part pictures the measured tasks periods and the lower part shows the CPU load, in response to a step in the desired total CPU load at time 1.5 sec. The jitter that is observed during the execution in real-time (right part) is due partly from variable latencies during interrupts handling and partly from variations in the tasks computation durations.
It is expected that, as adaptive closed-loop scheduling is somewhat tolerant w.r.t. timing uncertainties, our approach can be compliant with a soft and portable real-time implementation of control systems.
Further work will study improved versions of robust controllers with a moderate complexity, a process requirements based formulation of QoC/QoS criteria, the implementation of execution time measurements in a Posix compliant kernel and a full implementation of the system including QoS management issues. In particular this work will be done in the framework of the Safe_NECSproject (see ).
We address the difficulty of safely designing complex system controllers by proposing a method applying formal design techniques to the domain of embedded control systems. Such techniques are considered difficult to use, amongst other things because of the required competence. A general notion of hidden formal methodsadvocates for fully automated techniques, integrated into a design process and tool. The formal technique we aim to encapsulate into a tool chain is discrete controller synthesis .
We propose a simple programming language, called Nemo( , ), specific to the domain of multi-task real-time control systems, such as in robotics, automotive or avionics systems. The notion of task is related to the one used in the Orccadtool . It can be used to specify a set of resources with usage constraints, a set of tasks that consume them according to various modes, and applications sequencing the tasks. We obtain automatically an application-specific task handler that correctly manages the constraints (if any), through a compilation-like process including a phase of discrete controller synthesis. We use synchronous languages, modeling techniques and tools, particularly the Mode Automata language and the Sigali synthesis tool .
Work in the last few years has produced a methodology for the automatic generation of correct controllers for multi-task systems, in the form of property-enforcing layers . The model of commonly found task control patterns is proposed in terms of labeled transition systems, representing idle, waiting, or active states, and transitions in reaction to requests, authorizations and termination events. Quantitative weights can be associated to active states, representing costs (time, power consumption) or quality level. Standard properties of the interactions between such components are formulated, possibly using observers, in terms of invariants or configurations that should be always reachable. When a system is modeled by composing instantiations of such patterns, discrete controller synthesis is applied to obtain automatically (if it exists) the controller of activations such that the properties are satisfied, and the weights are optimized. This work is done in cooperation with Verimag(Synchronous team) and Irisa/ Inria-Rennes ( Vertecsproject team). An application of this framework concerns fault-tolerance (see Section ).
Ongoing work deals with the definition of a domain-specific language, Nemo, where a user can describe a multi-task system using constructs in terms of resources and their characteristics (implying implicit properties to be enforced), tasks and their essential control aspects (modes, controllability of start and stop), additional properties (explicitly stated, between tasks), and applications (sequencings of tasks). This language is compiled into an automaton-based model (concretely: Mode Automata) and associated synthesis objectives, which are processed by a controller synthesis tool ( Sigali), in order to produce the result. A prototype has been implemented (see Section ).
In order to obtain automatically fault-tolerant real-time systems, we investigate a new solution based on the application of discrete controller synthesis. The real-time systems we consider consist of a set of tasks and a set of distributed, heterogeneous processors. The latter are fail-silent, and an environment model can detail actual fault patterns. We apply controller synthesis, with objectives w.r.t.consistent execution, functionality fulfillment, and some optimizations. We construct a manager that ensures fault-tolerance by migrating the tasks automatically, upon occurrence of a failure, according to the policy given by the objectives . Work in progress involves fine-tuning algorithms for optimal synthesis along paths, and its application to the control of sequences of reconfigurations.
We have also managed to take into account the value failures of sensors, hence allowing us to control a liquid tank system equipped with four level sensors and three valves to fill and empty the tank. The fact that the sensors are subject to value failures is modeled thanks to uncontrollable inputs: when a sensor is faulty, instead of outputting a value accurate w.r.t.its state ( i.e., wet or dry), it outputs an uncontrollable input. To obtain automatically a controller ensuring that the tank is never empty nor over flooding, we have added a synchronous observer and used the discrete controller synthesis tool Sigali.
Finally, we have revisited the classical Byzantine Generals problem of Lamport et al . Several divisions of the Byzantine army, each commanded by its own general, are camped outside an enemy city. The generals must agree on a common plan of action (attack or retreat) by exchanging only oral messages. But when a general is a traitor, he can send incoherent orders. We have modeled this fact with uncontrollable inputs. Lamport et. al have proved by induction on the number of generals that this problem is solvable if and only if more than two-thirds of the generals are loyal. To obtain the same result with discrete controller synthesis, we have added, to the models of the generals, an environment model the most permissive possible that allows the generals to become traitors or not. Then we have shown that, among four generals, such an environment model constrained by Sigalionly allows one general to become a traitor and still guarantee that the loyal generals will reach the consensus. This result is consistent with the one of Lamport et. al.
This work is conducted in collaboration with É. Rutten (Dart project team from Inria Futurs, Lille) and E. Dumitrescu (Insa Lyon).
Component-based modeling is crucial to overcome the complexity of embedded systems. However, two major obstacles need to be addressed: the heterogeneous nature of the models, and the lack of results to guarantee correction of the composed system.
The technique of model-checking allows to verify or falsify correctness of the system with respect to some properties, but it has two drawbacks: its cost and the fact that this method is not constructive. The goal of compositionalmodeling is to guarantee correctness of real-time systems at a reasonable cost. The idea of compositionality is to infer properties of a model from the properties of its components. It is therefore necessary to find properties on the structure of the components and on their composition that imply the required properties of the composed model.
The heterogeneous nature comes from the fact that it is usually necessary to compose different parts of the system on different levels of abstraction, and using different models of computation(e.g., timed and untimed automata), models of interaction(e.g., blocking or non-blocking, rendez-vous or broadcast), and models of execution. The modeling formalism and the composition operation has to support this heterogeneous nature of the components.
The goal of the recent master's thesis of A. Khan is to develop a method and tool to connect Prometheus with the CADP tool developed by the Vasyteam, in order to combine different and complementary approaches for compositional verification.
Within the component model of , we have further improved the results of on component-based construction.
We have developed a new algorithm for the compositional construction of schedulers ensuring reachability of states. The algorithm can be used at design time for symbolic simulation of reactive systems, and to ensure reachability properties of embedded systems at run-time.
These results have been implemented in the Prometheustool.
Within the Vercorsproject with STMicroelectronics, we have developed a back-end tool for the generation of Prometheuscode, connected to the SystemC parser Pinapa . The goal is to apply the compositional verification algorithms of Prometheusto verify properties of the SystemC model.
Proteins fulfill a huge number of functions in living organisms. Any protein is encoded by a gene. In order to produce the protein, the corresponding gene has to be transcribedinto messenger RNA, which is then translatedto obtain the protein. This production mechanism is regulated by the concentration of proteins, which can promoteor inhibitthe production, e.g. by binding to the gene and disabling transcription. The dynamics of the protein concentrations is thus defined by a regulatory network which usually encompasses a multitude of highly complex feedback loops. Being able to analyze its structure and behavior is crucial for understanding the functions of the proteins and their interactions.
We have been studying the component-based modeling of genetic regulatory networks within our component framework, in order to compositionally verify properties of the network such as existence of equilibria and reachability of states. We have carried out several case studies with strongly encouraging results. This ongoing work benefits from the contact with H. de Jong ( Helixteam at Inria-Rhône-Alpes).
In the context of the ACI Alidecs, we started a research project on the definition of a language and framework for the construction of safe embedded systems based on synchronous components. This project is the main focus of M. Tivoli's post-doc.
The goal of Aspect-Oriented Programming ( AOP) is to isolate aspects (such as security, synchronization, or error handling) that cross-cut the program basic functionality and whose implementation usually yields tangled code. In AOP, such aspects are specified separately and integrated into the program by an automatic transformation process called weaving.
Although this new paradigm has great practical potential, it still lacks formalization and undisciplined uses make reasoning on programs very difficult. Our work on AOPaddresses these issues by studying foundational issues of AOP(semantics, analysis, verification) and by considering domain-specific aspects (availability or fault tolerance aspects) as formal properties.
We are designing a common semantics base to describe precisely AOPlanguages and features. It will allow us to compare different proposals and to establish formal foundations for static analysis. Our structural operational semantics takes the form of a monitor filtering events produced by the execution of the base program and inserting aspects . One objective is to remain as generic as possible so that it can model various standard AOPlanguages for object-oriented languages (e.g. AspectJ, Caesar, Composition Filter) as well as more exotic ones (aspects for functional languages, domain-specific aspects).
This work is a first step towards the design of static tools to analyze the semantic impact of weaving on programs. Our mid-term goal is to statically check whether the weaving of an aspect respects a property
Por ensures a property
P. Properties of interest can be invariant state properties (i.e.,
x>0), temporal properties (i.e., eventually
xwill be 0) or even non functional properties (i.e., the worst case execution time of method
mis less than 42). The verification and analysis of aspect-oriented programs is the subject of S. Djoko Djoko's PhD thesis.
This work is conducted within the Formal Methods Lab of the network of excellence AOSD-Europe. It is done in collaboration with R. Douence and D. Le Botlan from the Obascoproject team at École des Mines de Nantes.
We have studied the use of aspect-oriented programming for resource management with the aim of enforcing availability properties. Our technique permits to keep the construction of systems separate from resource management and availability issues. We have focused on denials of service caused by resource management (starvations, deadlocks). Aspects specify time limits or orderings in the allocation of resources. They can be seen as the specification of an availability policy. The different components, services and aspects, are abstracted/translated into timed automata. This allows us to specify weaving as an automata product and to use model-checking tools (e.g., Uppaal) to verify that aspects enforce the required availability properties . The final definition of the aspect language and the formalization of the different steps (abstraction, weaving, translations) should be completed by the end of the year.
This research, related to the Dispoproject (see section ), is the subject of S. Hong Tuan Ha's PhD thesis from the Landeteam at Irisa/ Inria-Rennes.
Here, our objective is to design an aspect language for specifying fault-tolerance as well as efficient techniques based on static analysis, program transformation and/or instrumentation to weave them into real-time programs.
As a first step, we have studied the implementation of specific fault-tolerance techniques in real-time embedded systems using program transformation. The fault-intolerant initial system consists of a set of independent periodic tasks scheduled onto a set of fail-silent processors. We transform the tasks such that, assuming the availability of an additional spare processor, the system tolerates one failure at a time. Failure detection is implemented using heartbeating, and failure masking using checkpointing and roll-back. These techniques are described and implemented by automatic program transformations of the tasks' source programs. This proposed formal approach to fault-tolerance by program transformation highlights the benefits of separation of concerns.
The second step, is to design an aspect language allowing users to specify and tune a wider range of fault-tolerance techniques. For example, the user may want to use checkpointing, code or data replication at different places of the same program. For checkpointing, the user may also want to specify the subset of variables which must be saved. The definition of an aspect language to specify such choices is under completion.
This line of research, related to the Alidecsproject (see section ), is the main focus of T. Ayav's post-doc.
We have been interested for a long time in formal calculi in order to study programming language issues in the simplest possible setting. We present here our work within the -calculus (compilation of higher-order sequential languages) and the -calculus (higher-order parallel and non-deterministic programming).
The Krivine machine is a simple and natural implementation of the call-by-name -calculus. While its original description has remained unpublished, this machine has served as a basis for many variants, extensions and theoretical studies. We have presented the Krivine machine and some well-known variants in a common framework . We have characterized the essence of the Krivine machine and have located it in the design space of functional language implementations. This work is based on the framework that we had previously developed for the systematic study of functional language implementations .
This is joint work with R. Douence from the Obascoproject team (École des Mines de Nantes).
Gamma is a formalism in which programs are expressed in terms of multiset rewriting, and is often referred to as the Chemical Reaction Model. In this formalism, the execution of a program can be seen as a solution (multiset) of molecules which react until the solution becomes inert.
We have proposed a formal and basic calculus, the -calculus , which allows the definition of -abstractions ( i.e., rewritings) as first class citizens (in the same sense as -abstractions in the -calculus). This calculus can of course express the classical Gamma formalism, but its higher-order nature makes it easy to describe notions such as code mobility, distribution, adaptation, etc. We have illustrated these advantages by specifying an autonomic mail system as a solution (multiset) of data and reaction rules . A distinctive feature of our specification is its modularity. Each autonomic property (self-organization, self-healing, self-optimization, self-protection, self-configuration) was implemented by adding new reactive molecules in the solution.
Another generalization of the Gamma language stands in the introduction of multisets with infinite cardinality and multisets with a negative cardinality. These new kind of data structures, combined with the above higher-order properties, have been integrated in the Higher-Order Chemical Language Hocl , . We are currently working on the application of Hoclto Grid programming and, more generally, to the programming of distributed applications . In a first step, applications are programmed in an abstract manner describing essentially the chemical coordination between (not necessarily chemical) software components. In a second step, chemical service programs are specifically provided to the run-time system in order to obtain, from the resources, the expected quality of service in terms of efficiency, reliability, security, etc.
The Grand Challenge in Non-Classical Computationworkshop has been an occasion to expose our model and to have a large overview on non-conventional models of computation. We have also written for the same event, a position paper raising fundamental questions about non-classical programming languages .
This work is conducted in collaboration with J.-P. Banâtre and Y. Radenac from the Parisproject team at Irisa.
In the context of the MINEFI NANO 2008 programme, we have a cooperation Vercors(compositional verification of transactional models of systems-on-chip) with STMicroelectronics (Crolles), SysArt team. The goal is to translate and formally verify SystemC models on the transaction level into Prometheus code, in order to compositionally verify correctness of the model with respect to deadlock freedom, liveness, and reachability properties.
With the Inriaproject team Moais and the ProBayes start-up, we have signed a contract with DCN. DCN is a French company based in Toulon that builds warships. We will work on a R&D project aimed at improving the defense embedded software of their next generation warships.
Jessica
C3O(Conception Conjointe Commande Ordonnancement) is a locally funded (by
Inria-Rhône-Alpes) cooperation with
Lagabout control/scheduling co-design
The
Dispoproject
The objective of the
Alidecsproject
Action Spécifique CNRS AS 155, related to RTP 24 ( Mathématiques du signal et des Systèmes), is entitled: Approches formelles pour l'analyse et la synthèse sûre de contrôle des systèmes dynamiques hybrides, and is a working group on the analysis and synthesis of hybrid systems, under a control theory perspective approach.
We are collaborating to this RTP entitled
Sûreté de fonctionnement des systèmes informatiques complexes ouverts
NECS (NEtworked Control Systems)
Safe_NECSis an « Action de Recherche Amont - Sécurité, Systèmes embarqués et Intelligence Ambiante » funded by the ANR. It has been labeled at the end of 2005 on the topic of fault tolerant control of distributed process under resource constraints. It gathers teams from Cranand Loria(Nancy), Laas(Toulouse) and Lagand Pop Art(Grenoble).
The SED service at
Inria-Rhône-Alpes is maintaining
Orccadand provides support for experiments within the
C3O
Arc.
Aosteat Inria-Rocquencourt is working with us on fault-tolerant heuristics for their software SynDEx.
Vertecsat Irisa/ Inria-Rennes is working with us on applications of discrete controller synthesis, and in paticular on the tool Sigali.
P. Fradet cooperates with T. Jensen and S. Hong Tuan Ha ( Lande, Irisa/ Inria-Rennes), with J.-P. Banâtre and Y. Radenac (Paris, Irisa/ Inria-Rennes) and with R. Douence and M. Südholt ( Obasco, Ecole des Mines de Nantes).
G. Goessler cooperates with H. de Jong (Helix project, UR Rhône-Alpes) on modeling genetic networks.
A. Girault cooperates with X. Nicollin ( Verimag), M. Pouzet ( LRI, University of Paris VI), Denis Trystram from ( ID- Imag), and C. Dima (Université of Paris XII).
G. Goessler cooperates with J. Sifakis and S. Graf ( Verimag) and M. Majster-Cederbaum (University of Mannheim, Germany).
D. Simon cooperates with O. Sename ( Lag).
Artist 2 is a European Network of Excellence on embedded system design
AOSD-Europe is the European network of excellence on Aspect-Oriented Software Development. It lasts 4 years (September 2004-August 2008) and includes nine major academic institutions and two major industrial partners from UK, Germany, The Netherlands, France, Belgium, Ireland, Spain, and Israel. We collaborate in the formal methods lab with Obasco- Inria, Technion (Israel), and Twente (The Netherlands).
The EAST-EEA project (Embedded Electronics Architecture) aims at proposing a methodology in order to develop complex real-time embedded applications in the field of transportation, especially for automobiles. The PhD of Hamoudi Kalla has been funded by this project.
P. Fradet has participated in the program committees of JFDLPA'05 ( Seconde Journée Francophone sur le Développement de Logiciels Par Aspects), EIWAS'05 ( European Interactive Workshop on Aspects in Software) and FOAL'05 ( Foundations of Aspect-Oriented Languages Workshop). He is co-editor of Unconventional Programming Paradigms, revised selected and invited papers, Volume 3566 of Lecture Notes in Computer Science, Springer-Verlag . He has given a course with Jean-Pierre Banâtre on Chemical Programming at Ecole des Jeunes Chercheurs en Programmation, Saint-Malo, juin 2005.
A. Girault serves as associate editor for the
Eurasip Journal on Embedded Systems. He has participated in the program committees for EMSOFT'05 (
Embedded Software) and SLAP'05 (
Synchronous Languages, Applications and Programming), and maintains the
SYNchronous Applications, Languages, and Programsweb site
D. Simon is a member of the RTNS'06 (14th international conference on real-time and network systems) program committee. He has been examiner in the PhD commission of Th. Garcia-Fernandez (LINA, Nantes) about Conception et développement de composants pour logiciels temps-réel embarqués.
P. Fradet: Algorithms and Functional Programming(Introduction to programming), 32h, Université Joseph Fourier.
Alain Girault: algorithmics and programming in Java, 26h, INPG Telecom Department.
Gregor Goessler: compilation project, 2nd year engineering, 55 h, ENSIMAG Grenoble.
Daniel Simon gave a talk during ETR'05 (École d'été temps-réel), Nancy, September 2005.
Gwenaël Delaval, co-advised by Alain Girault (with M. Pouzet, LRI), since 9/2004, PhD in computer science, INPG.
Stéphane Hong Tuan Ha, co-advised by Pascal Fradet (with T. Jensen, Irisa), since 10/2002, PhD in computer science, Université de Rennes I.
Yann Radenac, co-advised by Pascal Fradet (with J.-P. Banâtre, Irisa), since 9/2003, PhD in computer science, Université de Rennes I.
Hamoudi Kalla, co-advised by Alain Girault (with Y. Sorel, AosteTeam), since 1/2001, PhD in computer science, INPG.
David Robert, co-advised by Daniel Simon and Olivier Sename, since 9/2003, PhD in Control Theory, INPG.
Simplice Djoko Djoko, co-advised by P. Fradet (with R. Douence, Obasco, École des Mines de Nantes), since 10/2005, PhD in computer science, Université de Nantes.
Darina Dimitrova, Automatic multitasking code generator for Orccad, projet de fin d'études, Technical University-Sofia, Bulgaria, advised by D. Simon.
Huafeng Yu, Synthèse de contrôleur pour la tolérance aux fautes de capteurs, INP Grenoble, advised by A. Girault.
Nour Brinis, Synthèse d'un contrôleur pour le problème des généraux byzantins, École Nationale des Sciences de l'Informatique, La Manouba, Tunisie, co-advised by A. Girault and M. Yeddes.
Erik Saule, Ordonnancement fiable pour la génération de code temps-réel embarqué, INP Grenoble, co-advised by A. Girault and D. Trystram.