We work on the problem of the safe design of real-time control systems. This area is related to control theory as well as computer science. Application domains are typically safety-critical systems, as in transportation (avionics, railways), production, medical or energy production systems. Both methods and formal models for the construction of correct systems, as well as their implementation in computer assisted design tools, targeted to specialists of the applications, are needed. We contribute to propose solutions all along the design flow, from the specification to the implementation: we develop techniques for the specification and automated generation of safe real-time executives for control systems, as well as static analysis techniques to check additional properties on the generated systems. Our special research themes are:

implementations of synchronous reactive programs, generated automatically by compilation, particularly from the point of view of distribution (in relation with the
Lustre

control/scheduling co-design, with cross-interactions between techniques of servoing and real-time operating systems (
RTOS), in order to obtain an adaptive scheduling, with regard to quality of service (in relation with the
Orccad

high-level design and programming methods, with support for automated code generation, including: the automated generation of correct controllers using discrete control synthesis (in
relation with the Mode Automata

static analysis and abstract interpretation techniques, which are applied both to low-level synchronous models/programs and to more general imperative programs; this includes the verification of general safety properties and the absence of runtime errors.

Our applications are in embedded systems, typically in the robotics, automotive, and telecommunications domains with a special emphasis on dependability issues (
*e.g.*, fault tolerance, availability). International and industrial relations feature:

two ISTEuropean networks of excellence:

Artist II

AOSD-Europe

three ACIs (``Actions Concertées Incitatives''): Alidecs(on large-scale critical embedded systems), Dispo(on security policies for software components), and Apron(numerical program analysis);

one ARA (``Action de Recherche Amont''): Safe_NECSon networked embedded control systems,

the OpenTLMproject of the MinalogicPole of Competitiveness, dedicated to the design flow for next generation SoC and SystemC,

industrial collaborations with DCNand PolySpace.

The context of our work is the area of embedded real-time control systems, at the intersection between control theory and computer science. Our contribution consists of methods and tools for their safe design. The systems we consider are intrinsically safety-critical because of the interaction between the embedded, computerized controller, and a physical process having its own dynamics. What is important is to analyze and design the safe behavior of the whole system, which introduces an inherent complexity. This is even more crucial in the case of systems whose malfunction can have catastrophic consequences, for example in transport systems (avionics, trains), production, medical, or energy production systems.

Therefore, there is a need for methods and tools for the design of safe systems. The definition of adequate mathematical models of the behavior of the systems allows the definition of
formal calculi. They in turn form a basis for the construction of algorithms for the analysis, but also for the transformation of specifications towards an implementation. They can then be
implemented in software environments made available to the users. A necessary complement is the setting-up of software engineering, programming, modeling, and validation methodologies. The
motivation of these problems is at the origin of significant research activity, internationally and in particular, in the European
ISTnetwork of excellence
Artist II (Advanced Real-Time Systems)

The state of the art upon which we base our contributions, is twofold.

From the point of view of discrete control, there is a set of theoretical results and tools, in particular in the synchronous approach, often founded on labeled transition systems finite or infinite , . During the past years, methodologies for the formal verification , , control synthesis and compilation, and extensions to timed and hybrid systems , have been developed. Asynchronous models consider the interleaving of events or messages, and are often applied in the field of telecommunications, in particular for the study of protocols. A well-known formalism for reactive systems is StateCharts , which can be encoded in a synchronous model .

From the point of view of verification, we use the methods and tools of symbolic model-checking and of abstract interpretation. From symbolic model-checking, we reuse BDD techniques
for manipulating Boolean functions and sets,
and their MTBDD extension for more general functions. Abstract Interpretation
is used to formalize complex static analysis,
in particular when one wants to analyze the possible values of variables and pointers of a program. Abstract Interpretation is a theory of approximate solving of fix-point equations applied
to program analysis. Most program analysis problems, among others reachability analysis, come down to solving a fix-point equation on the state space of the program. The exact computation of
such an equation is generally not possible for undecidability (or complexity) reasons. The fundamental principles of Abstract Interpretation are:
(
i)to substitute to the state-space of the program a simpler domain and to transpose the equation accordingly (static approximation); and
(
i
i)to use extrapolation (widening) to force the convergence of the iterative computation of the fix-point in a finite number of steps (dynamic approximation).
Examples of static analysis based on abstract interpretation are the Linear Relation Analysis
and Shape Analysis
.

The synchronous approach

From the point of view of the executables and execution platforms for the implementation of embedded systems, there are software or middleware approaches and hardware-based approaches. Concerning the quantitative aspects of the problem, one can find techniques for structuring the programs in multiple tasks, possibly preemptable, based on the real-time operating system. Their durations and periods, for example, are taken into account within the framework of scheduling according to various strategies. The analytical approach, with the determination of schedulability of a set of real-time tasks with constraints, is a very active field of research, primarily turned towards the respect of computer-centered constraints only: the task characteristics are derived from measurements of periods and execution time imposed by the environment. There has been, until recently, only little work formalizing the relation with discrete models and control. The techniques of real-time control usually take into account only criteria internal to the computer system, related to the resources of computation. In other words, they have an open loop character. However, the progress of the reflexive systems, providing sensors (of reconfiguration) and actuators (of dynamic control of the system) make it possible to close the loop , ; we contribute to this new approach by the development of methods for control/scheduling co-design.

The design of safe real-time control systems is difficult due to various issues, among them their complexity in terms of the number of interacting components, their parallelism, the difference of the considered time scales (continuous or discrete), and the distance between the various theoretical concepts and results that allow the study of different aspects of their behaviors, and the design of controllers. The European ISTnetwork of excellence Artist II identifies three principal objectives: hard real-time for critical applications (which concerns the synchronous approach), component-based design, and adaptive real-time systems for quality of service management.

A currently very active research direction focuses on the models and techniques that allow the automatic use of formal methods. In the field of verification, this concerns in particular the technique of model checking; the verification takes place after the design phase, and requires, in case of problematic diagnostics, expensive backtracks on the specification. We want to provide a more constructive use of formal models, using them to derive correct executives by formal computation and synthesis, integrated in a compilation process. We therefore use models throughout the design flow from specification to implementation, in particular by automatic generation of embeddable executives.

They initially come from the fields of safety-critical systems (avionics, energy) and complex systems (telecommunication), embedded in an environment with which they strongly interact (comprising aspects of computer science and control theory). Fields with less strong criticality, or which support variable degrees of quality of service, such as in the multi-media domain, can also take advantage of methodologies that improve the quality and reliability of software, and reduce the costs of test and correction in the design.

Industrial acceptance, the dissemination, and the deployment of the formal techniques inevitably depend on the usability of such techniques by specialists in the application domain — and not in formal techniques themselves —, and also on the integration in the whole design process, which concerns very different problems and techniques. The application domains are rather rare where the actors are ready to employ specialists in formal methods or advanced control theory. Even then, the methods of systematic application of these theoretical results are not ripe. In fields like industrial control, where the use of PLC (Programmable Logic Controller ) is dominant, this question can be decisive.

Essential elements in this direction are the proposal of realistic formal models, validated by experiments, of the usual entities in control theory, and functionalities (
*i.e.*, algorithms) that correspond indeed to services useful for the designer. Take for example the compilation and optimization taking into account the platforms of execution,
possible failures, or the interactions between the defined automatic control and its implementation. A notable example for the existence of an industrial need is the activity of the
Athyscompany (now belonging to
Dassault
Systeme) concerning the development of a specialized programming environment,
CellControl, which integrates synchronous tools for compilation and verification, tailored to the application domain. In these areas, there are
functionalities that commercial tools do not have yet, and to which our results contribute.

We are proposing effective trade-offs between, on the one hand, expressiveness and formal power, and on the other, usability and automation. We focus on the area of specification and construction of correct real-time executives for discrete and continuous control, while keeping an interest in tackling major open problems, relating to the deployment of formal techniques in computer science, especially at the border with control theory. Regarding the applications, we propose new automated functionalities, to be provided to the users in integrated design and programming environments.

We intend to exploit our knowledge of formal techniques and their use, and of control theory, according to aspects of the definition of fundamental tools, and applications.

The integration of formal methods in an automated process of generation/compilation is founded on the formal modeling of the considered mechanisms. This modeling is the base for the automation, which operates on models well-suited for their efficient exploitation, by analysis and synthesis techniques that are difficult to use by end-users.

The creation of easily usable models aims at giving the user the role rather of a pilot than of a mechanics
*i.e.*, to offer her/him pre-defined functionalities which respond to concrete demands, for example in the generation of fault tolerant or distributed executives, by the
intermediary use of dedicated environments and languages.

The proposal of validated models with respect to their faithful representation of the application domain is done through case studies in collaboration with our partners, where the typical multidisciplinarity of questions across control theory and computer science is exploited.

The overall consistency of our approach comes from the fact that the main research directions address, under different aspects, the specification and generation of safe real-time control
executives based on
*formal models*.

We explore this field by linking, on the one hand, the techniques we use, with on the other, the functionalities we want to offer. We are interested in questions related to:

dedicated languages and models for automatic control that are the interface between the techniques we develop and the end-users on the one hand, and the designers of formal models on the other;

compositional modeling and analysis that aim at deriving crucial system properties from component properties, without the need to actually build and check the global system;

static analysis and abstract interpretation methods for checking functional properties on models and generated programs;

Aspect-Oriented Programming (AOP) that allows to express safety concerns separately from the functional part and to enforce them on programs.

This issue can be tackled differently depending on the execution platform. Based on a formal model of the program to be implemented, our approach is to obtain by compilation (
*i.e.*, automatically):

the distribution on a multiprocessor architecture, with code partitioning according to directives, and insertion of the necessary communication actions to ensure the coherence of control; the distribution must be correct with respect to the original specification, and must be optimized;

fault tolerance by replication of computations on a multiprocessor architecture, and scheduling of computations according to the faults to be tolerated; such a scheduling must be
optimized
*w.r.t.*its length and reliability.

The interaction of the intrinsic nature of the control we consider, with its real-time implementation can be tackled in two ways:

scheduling for regulation where the scheduling scheme and parameters are designed to capture the control system requirements and to improve the quality of the implemented controller;

regulation for scheduling where the latter is made adaptive and is dynamically controlled by using techniques from control theory.

We use techniques of discrete controller synthesis, especially the tools Sigali and Mode Automata within an automated framework, for:

multi-mode multi-tasking systems where the management of interactions (exclusions, optimization of cost or quality criteria, ...) is obtained by synthesis;

a locally imperative, globally declarative language whose compilation comprises a phase of discrete controller synthesis;

fault-tolerance management, by reconfiguration following objectives of consistent execution, functionality fulfillment, boundedness and optimality of response time.

Our applications are in embedded systems, typically: robotics, automotive, telecommunications, systems on chip (SoC). In some areas, safety is critical, and motivates the investment in formal methods and techniques for design. But even in less critical contexts, like telecommunications and multimedia, these techniques can be beneficial in improving the efficiency and quality of designs, as well as the design, production and test costs themselves.

Industrial acceptance of formal techniques, as well as their deployment, goes necessarily through their usability by specialists of the application domain, rather than of the formal
techniques themselves. Hence our orientation towards the proposal of domain-specific (but generic) realistic models, validated through experience (
*e.g.*, control tasks systems), based on formal techniques with a high degree of automation (
*e.g.*, synchronous models), and tailored for concrete functionalities (
*e.g.*, code generation).

The commercially available design tools (such as
UMLwith real-time extensions,
Matlab/
Simulink/ d
Space

Regarding the synchronous approach, commercial tools are available:
Scade(based on
Lustre),
Esterel

The scheduling methods we propose, are of interest for the designers of embedded applications, who lack adequate design methods to effectively use the tools offered by the
RTOS. The dissemination of these methods can be done via the success of applications (as in the former European project
TELEDIMOS), or by distribution in the context of free software around the real-time/embedded versions of
Linux

Regarding applications and case studies with industrial end-users of our techniques, we cooperate with STMicroelectronics on compositional verification and abstract interpretation for the TLM-based System-on-Chip design flow, and with DCNon the multi-criteria real-time scheduling issues for action planning of their defense systems.

Orccad

It is mainly intended for critical real-time applications in robotics, in which automatic control aspects (
*servo loops*, control) have to interact narrowly with the handling of discrete events (
*exception handling*).
Orccadoffers a complete and coherent vertical solution, ranging from the high level specification to real-time code generation.

Orccadis supported by the
*Support Expérimentations & Développement (SED)*service of
Inria-Rhône-Alpes.
Orccadis used by the experimental robotics platforms of
Inria-Rhône-Alpes. New functionalities and updates are developed jointly by the
*SED*service and the researchers of the Pop Art team.

The former V3 version allows for the automatic generation of real-time single-rate controllers running on top of VxWorks, Solaris and Linux and multi-rate controllers running on top of Linux and Xenomai.

Although it has been developed years ago, the basic concepts upon which the Orccadarchitecture relies still appear to be solid in the field of software development for robot control , and compares well with other tools dedicated for real-time control implementation .

However the OrccadV3 software was designed with proprietary tools that moreover are now becoming obsolete. During the year 2006, Orccadhas been deeply re-engineered to be compliant with open-source and free software tools (Java/Eclipse/XML) while being fully compliant with V3 based former projects.

NBac(Numerical and Boolean Automaton Checker)

NBacis connected to 2 input languages: the synchronous dataflow language Lustre, and a symbolic automaton-based language, AutoC/Auto, where a system is defined by a set of symbolic hybrid automata communicating via valued channels. It can perform reachability analysis, co-reachability analysis, and combination of the above analyses. The result of an analysis is either a verdict to a verification problem, or a set of states together with a necessary condition to stay in this set during an execution. NBacis founded on the theory of abstract interpretation: sets of states are approximated by abstract values belonging to an abstract domain, on which fix-point computations are performed.

It has been used for verification and debugging of
Lustreprograms
. It is connected to the
Lustretoolset

The BIP component model (Behavior, Interaction model, Priority) has been designed to support the construction of heterogeneous reactive systems involving different models of computation, communication, and execution, on different levels of abstraction. By separating the notions of behavior, interaction model, and execution model, it enables both heterogeneous modeling, and separation of concerns.

The verification and design tool Prometheusimplements the BIP component framework. Prometheusis regularly updated to implement new developments in the framework and the algorithms for compositional verification of properties like deadlock-freedom, liveness, and reachability. It has allowed us to carry out several complex case studies from the system-on-chip and bioinformatics domains.

ocrepdistributes automatically synchronous programs according to specifications given by the user. Concretely, starting from a centralized source synchronous program obtained either with the Lustreor the Esterelcompiler, from a number of desired computing locations, and an indication of where each input and output of the source program must be computed, ocrepproduces several programs, one for each location, each one computing only its assigned variables and outputs, and communicating harmoniously. Their combined behavior is equivalent to the behavior of the centralized source program and that there is no deadlock.

Currently our software
ocrepis distributed in the form of executable on the web

We have been cooperating for several years with the
Inriateam
Aoste(
InriaSophia-Antipolis and Rocquencourt) on the subject of fault tolerance. In particular, we have implemented several new heuristics for fault
tolerance and reliability within their software
SynDEx
*i.e.*, buses)
.

We have developed a software tool chain to allow the specification of models, the controller synthesis, and the execution or simulation of the results. It is based on existing synchronous
tools, and thus consists primarily in the use and integration of
Sigali

Useful component templates and relevant properties can be materialized, on one hand by libraries of task models, and, on the other hand, by properties and synthesis objectives. A prototype compiler has been developed to demonstrate a domain-specific language, named Nemo, for multi-task controllers (see Section ).

Rapture
is a verification tool that was developed
jointly by BRICS (Denmark) and
Inriain years 2000–2002. The tool is designed to verify reachability properties on Markov Decision Processes (MDP), also known as Probabilistic
Transition Systems. This model can be viewed both as an extension to classical (finite-state) transition systems extended with probability distributions on successor states, or as an
extension of Markov Chains with non-determinism. We have developed a simple automata language that allows to describe a set of processes communicating over a set of channels
*à la*CSP. Processes can also manipulate local and global variables of finite type. Probabilistic reachability properties are specified by defining two sets of initial and final states
together with a probability bound. The originality of the tool is to provide two reduction techniques that limit the state space explosion problem: automatic abstraction and refinement
algorithms, and the so-called essential states reduction.

We also develop and maintain libraries of general use for people working in the static analysis and abstract interpretation community.

: a generic fix-point engine written in OCaml. It allows to solve systems of fix-point equations on a lattice, using a parameterized strategy for the iteration order and the application of widening.

We are working in the context of the
AlidecsACI

We have extended
Lucid
Synchronewith new primitives allowing the programmer to specify a
*distributed architecture*and express the
*location*of flows. The first step to achieve the desired distributed program is to propagate the available location informations to the flows for which this was not specified. This is
usually done on a fully inlined program, but unfortunately this does not work for higher-order programs, since such programs cannot be, in general, inlined in order to perform such a semantic
computation. Furthermore, we are interested in modular compilation, in the framework of which such inlining cannot be fulfilled. Therefore, we have proposed a new type system to check the
consistency of the location specifications w.r.t. the distributed architecture, to infer the location of the non located flows, and to insert automatically communication primitives at the right
place. We are currently working on the implementation of this type system and on semantics preserving issues.

Gwenaël Delaval is doing his PhD on this topic, co-advised by Alain Girault and Marc Pouzet (LRI, Orsay).

We have continued our work on the automatic generation of reliable and multiprocessor static schedules, with bi-criteria scheduling heuristics. The context of our work is to start from an algorithmic specification under the form of a DAG of operations (Directed Acyclic Graph), and an architecture specification under the form of a bipartite graph of processors and communication media.

On the theoretical side, we have chosen a simplified reliability model where we assume that the communication media are reliable. In this context, we have designed a new method that dissociates, one the one hand the spatial allocation of the operations to the processors, and on the other the temporal allocation of the operations allocated to the same processor. According to our simplified reliability model, the reliability of the resulting schedule depends only on the spatial allocation. Hence, our method first optimizes the reliability of the schedule during the spatial allocation phase, then optimizes the makespan of the schedule during the temporal allocation phase. Regarding the bi-criteria aspect of this problem, we have chosen to transform the reliability criterion into a constraint: this means that we iteratively fix several reliability thresholds, and for each such threshold we solve our problem by minimizing the makespan of the schedule while remaining above the reliability threshold. As a result, we are able to obtain, for a given instance, a set of non-dominated solutions (in the Pareto sense), among which the user can choose the compromise that fits his requirements best. We are also able to compute the average compromise between the reliability gain and the makespan overhead. We have conducted extensive simulations of our scheduling algorithm and have compared it against the popular HEFT algorithm .

On the practical side, we are improving the cost function used inside our bi-criteria scheduling heuristic. This work uses a more general reliability model, where communication media have a rate of failure per time unit, just like the processors. Our bi-criteria cost function attempts to optimize both the reliability and the makespan of the resulting schedule. The difficulty arises from the fact that these two measures (the reliability and the makespan) have drastically different orders of magnitude and evolve in radically different ways during the incremental building of the schedule.

We have therefore proposed a new framework for the bi-criteria multiprocessor scheduling problem. Our first criteria remains the static schedule's length (crucial to assess the system's real-time property). For our second criteria, we consider the global failure rate of the system (GSFR) instead of the usual reliability, because it does not depend on the schedule length like the reliability does (due to its computation in the classical reliability model of Shatz). The GSFR of a static schedule is the failure rate of seen as if it were a single operation scheduled onto a single processor. Thanks to the GSFR, we control better the replication factor of each individual task of the dependency task graph given as an input specification, with respect to the desired failure rate. Like above, we solve this bi-criteria optimization problem by considering the failure rate as a constraint, and by minimizing the schedule length. We are therefore able to compute the average compromise between the GSFR and the makespan overhead.

The real-time community has usually considered that control tasks have fixed periods, hard deadlines and worst-case execution times. This assumption has served the separation of control and scheduling designs, but has led to under utilization of CPU resources. However current real-time design methods and associated analysis tools do not provide a model flexible enough to fit well with control systems engineering requirements.

We aim to provide an
*integrated control and scheduling co-design*approach
. It is assumed that robust control focusing on
timing uncertainties may provide a first level of fault tolerance. When the capabilities of feedback scheduling are exceeded, exception handling will be handled by a decision process working on
a discrete events time scale. The proposed methodology will be assessed using realistic simulations and experiments.

In our framework the feedback scheduling is designed w.r.t a QoC (Quality of Control) measure. The QoC criterion captures the control performance requirements, and the problem can be stated as QoC optimization under constraint of available computing resources. However, preliminary studies suggest that a direct synthesis of the scheduling regulator as an optimal control problem leads, when it is tractable, to a solution too costly to be implemented in real-time . Practical solutions will be found in the currently available control theory and tools or in enhancements and adaptation of current control theory. We propose in Figure a hierarchical control structure : besides the usual process control loops we add an outer control loop which goal is to manage the execution of the real-time application through the control of the scheduling parameters of the inner loops. Together with the outer loop (working on a periodic sampled time scale) we also need a scheduling manager working on a discrete events time scale to process exception handling and admission control.

The task periods directly affect the computing load, they have been chosen as actuators. They can be implemented through software variable clocks. As timing uncertainties cannot be avoided and are difficult to model or measure, we currently design robust control algorithms using the control theory, which have been successfully simulated and experimentally validated .

This methodology is supported by Orccadwhere a runtime library for multi-rate multitasking has been developed and integrated. It will be further improved using a QoS-based management of the timing constraints to fully benefit from the intrinsic robustness of closed-loop controllers w.r.t. timing uncertainties. Further improvements are sketched at the end of the PhD of D. Robert , where the mean square of the tracking error during the scheduling window appears to be an effective measure of the quality of control of a inverted pendulum.

As variable control periods are used as actuators in feedback schedulers it is necessary to ensure the stability of the control laws under variable sampling conditions. Indeed it is known that on-line switches between stable controlled systems sampled at different rates may lead to instability. The synthesis of control laws using variable sampling has been developed via new extensions of the gain scheduling and Linear Parameter Varying (LPV) design methods, considering here that the sampling period is the varying parameter .

The first point is the problem formulation such that it can be solved following the LPV design of . We first propose a parametrised discretization of the continuous time plant and of the weighting functions, leading to a discrete-time sampling period dependent augmented plant leading to the discrete-time LPV system ( ).

with
hranging in
[
h
_{min};
h
_{max}].

To get a polytopic model (and then apply an LPV design), we approximate the exponential by a Taylor series of order
Nas:

which leads, with
H= [
hh^{2}...
h^{N}], to:

As the self-scheduled controller will be a convex combination of
2
^{N}"vertex" controllers, the choice of the series order
Ngives a trade-off between the approximation accuracy and the controller complexity. However to reduce the complexity (and the conservatism of the corresponding control
design as well), a reduction of the polytope is proposed using the dependency between the parameters, which actually are the successive powers of the sampling period
h : as illustrated in figure
the number of vertices to be considered for the convex
combination of the global controller becomes
N+ 1rather than
2
^{N}
,
.

In the
framework, the general control configuration of figure
is considered, where
W_{i}and
W_{o}are weighting functions specifying closed-loop performances. The objective is here to find a controller
Ksuch internal stability is achieved and
, where
represents the
attenuation level. Classical control design assumes constant performance objectives and produces a controller with an unique sampling period. This sampling period is chosen according
to the controller bandwidth, the noise sensibility and the availability of computation resources.

When the sampling period varies the usable controller bandwidth also varies and the closed-loop objectives should logically be adapted. Thus the performance templates
W_{i}and
W_{o}are split into two parts : a constant part with constant poles and zeros to compensate for oscillations or flexible modes independent of the sampling period, and a variable part
contains poles and zeros whose pulsations are expressed as an affine function of the frequency
f= 1/
h. The interconnection of figure
a between the discrete-time polytopic model of the plant
Hand the weighting functions
W_{i}and
W_{o}leads to the discrete-time LPV augmented plant
P(
)mapping exogenous inputs
wand control inputs
uto controlled outputs
zand measured outputs
y, with
, be given by the polytopic model

where the dependence of
A(
),
B(
),
C(
)and
D(
)on
is affine and the parameter vector
, ranges over a fixed polytope
.

The self-scheduled controller
K(
)is the convex combination of the elementary controllers synthesized at the
vertex of the polytope.

Under mild conditions this controller ensures the quadratic stability of the closed-loop system and the limitation of the input/output transfer
-induced norm whatever are the variations of the sampling period
hin the specified range.

The LPV design of variable sampling controllers has been experimentally validated using a "T" inverted pendulum available at Lag(figure ).

As such a T pendulum system is difficult to be controlled, our main objective is to get a closed-loop stable system, to emphasise the practical feasibility of the proposed methodology for real-time control.

The sampling period range has been set in the interval
[1, 3]
m
s. The performance objectives are represented by weighting functions and may be given by the usual transfer functions:

where
f= 1/
h,
_{Smax}= 1,5 rad/s,
M_{S}= 2,
_{S}= 0.01 and
M_{U}= 5.

The plant is controlled through Matlab/Simulink using the Real-time Workshop and xPC Target.

Some results are given in figures . The pendulum is requested to follow a square motion while the sampling period varies following a sinusoidal or square profile. As expected the settling time is minimal when the sampling period is maximal, and vice versa. In the same way, there is no abrupt changes in the control input even when the sampling period suddenly varies from 1 to 3 ms as in figure b.

We address the difficulty of safely designing complex system controllers by proposing a method applying formal design techniques to the domain of embedded control systems. Such techniques
are considered difficult to use, amongst other things because of the required theoretical competence. A general notion of
*hidden formal methods*advocates for fully automated techniques, integrated into a design process and tool. The formal technique we aim to encapsulate into a tool chain is
*discrete controller synthesis*
.

We propose a simple programming language, called Nemo , specific to the domain of multi-task real-time control systems, such as in robotics, automotive or avionics systems. The notion of task is related to the one used in the Orccadtool . It can be used to specify a set of resources with usage constraints, a set of tasks that consume them according to various modes, and applications sequencing the tasks. We obtain automatically an application-specific task handler that correctly manages the constraints (if any), through a compilation-like process including a phase of discrete controller synthesis. We use synchronous languages, modeling techniques and tools, particularly the Mode Automata language and the Sigalisynthesis tool .

We are considering to confront Nemowith case-studies in manufacturing systems. We are also considering extensions with models of the environment, which can have a decisive influence on the existence of solutions for the synthesis, as well as a more general language, less domain-specific, where controller synthesis is integrated in the compilation.

In order to automatically obtain fault tolerant real-time systems, we investigate a new solution based on the application of discrete controller synthesis (DCS). The real-time systems we consider consist of a set of tasks and a set of distributed, heterogeneous processors. The latter are fail-silent, and an environment model can detail actual fault patterns. We apply DCS with objectives w.r.t. consistent execution, functionality fulfillment, and some optimizations. We construct a manager that ensures fault tolerance by migrating the tasks automatically, upon occurrence of a failure, according to the policy given by the objectives. In this context, we have addressed different kinds of failures (crash, value, or Byzantine) affecting different kinds of hardware components (processors, communication links, actuators, or sensors) , .

We have new results concerning optimal synthesis along paths, and its application to the control of sequences of reconfigurations. Tasks that are interrupted by a fault can be restarted at their last checkpoint, and the control of the configuration restarts the tasks by placing them on processors chosen w.r.t. an objective on the shortest total execution time of the application. We therefore combine, on the one hand, guarantees on the safety of the execution by tolerating faults, and on the other hand, guarantees on the worst case execution time of the resulting dynamically reconfiguring fault tolerant system.

This work is conducted in collaboration with H. Marchand ( Vertecsteam from InriaRennes) and E. Dumitrescu ( InsaLyon).

This new result corresponds to the software described in section , in the context of the ACI-SI Apron(see ). The different teams were using different libraries and different interfaces for the analysis of numerical variables of programs. One of the goal of the ACI-SI Apronwas to design a common API in order to gain the following benefits:

The ability to choose very easily the numerical abstract domain in use, and to compare the precision and efficiency of different abstract domains and/or implementations;

The factorization of higher-level layers built on the basic common interface. This offers a higher-level interface and simplifies the design and implementation of analysis tools.

The design required several meetings in 2005, as it had to remain simple yet to satisfy at least all the members of the project, which are interested in different kind of analysis. The
year 2006 was devoted to the implementation, which required a significant effort (13000 LOC). This was done in collaboration with A. Miné (ENS Paris). The resulting library is distributed
since 07/2006 under LGPL license

The verification of communication protocols or distributed systems that can be modeled by set of sequential machines communicating via unbounded FIFO channels is the topic of the PhD of Tristan Le Gall. The main challenge of its PhD is the verification of such systems in the case where

the communicating machines are themselves infinite-state processes;

the values sent to FIFO channels belong to unbounded datatypes.

The approach we follow is based on the theory of Abstract Interpretation. The applications of such verification techniques are the analysis of communicating protocols, which may contain subtle bugs, the automatic synthesis of controllers for distributed systems in order to ensure a correct global behavior, and possibly the diagnosis of distributed systems.

We have also designed and implemented an abstract domain for the a general model of communicating system where both processes and values contained in FIFO queues are unbounded. The implementation should be soon connected to the NBactool (see Section ). A research report is being written.

We have been interested in solving the safety controller synthesis problem for various models (from finite transition systems to hybrid systems). Within this framework, we have been mainly
interested in an intermediate model: symbolic transition systems. Due to the infiniteness of the alphabet, we have chosen to redefine the concept of controllability by introducing the notion
of dynamic uncontrollable transitions (the controllability status is carried on by the symbolic transitions by means of guards, instead of the events). We focus on
*safety requirements*, modeled by observers that encode the negation of a safety property. We then defined synthesis algorithms based on abstract interpretation techniques so that we can
ensure convergence of fix-point computations in a finite number of steps
.

The work on component-based construction of correct embedded systems is a cornerstone of our activity. Component-based construction techniques are crucial to overcome the complexity of embedded systems design. However, two major obstacles need to be addressed: the heterogeneous nature of the models, and the lack of results to guarantee correction of the composed system. The heterogeneity of embedded systems comes from the need to integrate components using different models of computation, communication, and execution, on different levels of abstraction and different time scales. The component framework and verification and construction algorithms have to support this heterogeneous nature of the components.

The BIP (Behavior, Interaction model, Priority) component model presented in has been designed to support the construction of heterogeneous reactive systems. By separating the notions of behavior, interaction model, and execution model, it enables both heterogeneous modeling, and separation of concerns.

We have shown how the framework can be used to discuss properties of systems including local and global deadlock, reachability, progress of subsystems, fairness, liveness, and robustness. In most cases, direct testing of the properties relies on an exploration of the global state space and hence cannot be performed efficiently. We have established a condition that can be tested in polynomial time and guarantees liveness of a component, a set of components, or an interaction. Part of these results have been implemented in the Prometheustool .

In collaboration with Frédéric Lang (
Vasyteam), we have developed a method to translate BIP models into the CADP

The behavior model of each basic component is translated into a Lotosprocess.

The interaction model is converted into a set of EXP.OPEN synchronization vectors.

The execution model, consisting of constraints on the state space and on the enabling conditions of interactions, is translated as follows: (1) special actions called observers, are added in the LOTOS model of each sequential process to enable observation of local variables that occur in state invariants or in interaction constraints, (2) vectors modeling synchronizations between observers are added in the EXP.OPEN model to identify the states at which the invariants or interaction constraints are violated, and (3) priorities are added in the EXP.OPEN model to cut the transitions which violate the interaction constraints or whose source state violate some invariant.

Additionally, an SVL script is generated to orchestrate the generation of intermediate files. The translation was experimented on a case study in the domain of systems-on-chip. This work led to a MSc thesis .

In the context of the ACI Alidecs(see section ), we have an ongoing research project on the definition of a language and framework for the construction of safe embedded systems based on synchronous components.

Building a real-time system from existing components introduces several problems, mainly related to compatibility, communication, and QoS issues. We have proposed an approach to
automatically synthesize adapters in order to solve black-box integration incompatibilities within a lightweight component model. Adapter synthesis allows the developer to automatically build
*correct-by-construction*systems from third-party components, hence, reducing time-to-market and improving reusability.

A component interface includes a formal description of the
*interaction protocol*of the component with its expected environment. The interface language is expressive enough to specify QoS constraints such as
*latency*,
*duration*, and
*controllability*of the component actions (ports), as well as the component's
*clock*,
*i.e.*, its activation frequency. Based on results from Petri net and supervisory control theory, we have developed an algorithm which automatically synthesizes
correct-by-construction and bounded-memory adapter components from the interface specification of the components. The generated adapters coordinate the interaction behavior of the components
and buffer their communications, in order to avoid deadlocks. The algorithm has been implemented in the
*SynthesisRT*tool, and a research report has been written (accepted at TACAS'07).

Given a system of concurrent components communicating through FIFO queues in a Kahn process network-style, the technique of
*component fusion*
allows to obtain a sequential implementation
thus getting rid of context switching and improving efficiency. In this work, we extend the component language with non-determinism features (
*e.g.*, testing the size of a queue). We have been working on extending the fusion algorithm to fulfill the following requirements: (1) preserve functional (non-confluent)
non-determinism, so as to observe the same non-deterministic behavior as in the original component network; (2) eliminate confluent non-determinism as far as possible to improve performance;
(3) guarantee fairness. This work is still in progress.

The goal of Aspect-Oriented Programming (
AOP) is to isolate aspects (such as security, synchronization, or error handling) which cross-cut the program basic functionality and whose
implementation usually yields tangled code. In
AOP, such aspects are specified separately and integrated into the program by an automatic transformation process called
*weaving*.

Although this new paradigm has great practical potential, it still lacks formalization and undisciplined uses make reasoning on programs very difficult. Our work on AOPaddresses these issues by studying foundational issues (semantics, analysis, verification) and by considering domain-specific aspects (availability or fault tolerance aspects) as formal properties.

Existing semantics are typically based on a specific programming paradigm (
*e.g.*, object oriented, functional, process based) and model definite aspect languages. We have defined a common aspect semantics base (CASB) as a small step semantics that allows
the modular introduction of formal semantic descriptions of different aspect mechanisms
. The semantics relies on minimal
requirements on the base language semantics and can therefore be instantiated to arbitrary base language paradigms. We have shown how to define general aspect mechanisms from different aspect
languages such as AspectJ, Caesar or Composition Filters. As an illustration of our technique, we have described the semantics of an AspectJ-like core aspect language for a core Java
language.

This work is a first step towards the design of static tools to analyze the semantic impact of weaving on programs. Our mid-term goal is to statically check whether the weaving of an
aspect respects a property
Por ensures a property
P. Properties of interest can be invariant state properties (
*e.g.*,
x>0), temporal properties (
*e.g.*,
*eventually*
x>0,
*always*
x0) or even non functional properties (
*e.g.*, the worst case execution time of method
mis less than 10 times units). Recently, Shmuel Katz has characterized informally classes of aspects whose weaving respects specific classes of properties (
*e.g.*, invariant, liveness, etc.). We formalize these classes of aspects using the CASB to describe their semantics. The classes of properties (
*e.g.*, invariant, liveness, etc.) are formalized as subsets of temporal logics. We have started to prove formally that the weaving of some specific classes of aspects respected
some specific classes of properties.

The verification and analysis of the properties of aspect-oriented programs is the central topic of Simplice Djoko Djoko's PhD thesis. This work is conducted within the Formal Methods Lab of the network of excellence AOSD-Europe (see section ). It is done in collaboration with Rémi Douence from the Obascoproject team at École des Mines de Nantes.

We have studied the use of aspect-oriented programming for resource management with the aim of enforcing availability properties . Our technique permits to keep the construction of systems separate from resource management and availability issues. We have focused on denials of service caused by resource management (starvations, deadlocks). Our availability aspects specify time limits in the allocation of resources. They can be seen as formal temporal properties on execution traces that specify availability policies. The different components, services and aspects are abstracted/translated into timed automata. This allows us to specify weaving as an automata product and to use model-checking tools (such as Uppaal) to verify that aspects enforce the required availability properties.

This research, related to the Dispoproject (see section ), is part of Stéphane Hong Tuan Ha's PhD thesis from the Landeproject team at Irisa/ Inria-Rennes.

Here, our objective is to design an aspect language for specifying fault tolerance as well as efficient techniques based on static analysis, program transformation and/or instrumentation to weave them into real-time programs.

As a first step, we have studied the implementation of specific fault tolerance techniques in real-time embedded systems using program transformation . The fault-intolerant initial system consists of a set of independent periodic tasks scheduled onto a set of fail-silent processors. The tasks are automatically transformed such that, assuming the availability of an additional spare processor, the resulting system tolerates one failure at a time. Failure detection is implemented using heartbeating, and failure masking using checkpointing and roll-back. These techniques are described and implemented by automatic program transformations of the tasks' source programs. The proposed formal approach to fault tolerance by program transformation highlights the benefits of separation of concerns.

The second step, is to design an aspect language allowing users to specify and tune a wider range of fault tolerance techniques. For example, the user may want to use checkpointing, code or data replication at different places of the same program. For checkpointing, the user may also want to specify the subset of variables which must be saved. The definition of an aspect language to specify such choices is under completion.

This line of research is related to the Alidecsproject (see section ).

Gamma is a formalism in which programs are expressed in terms of multiset rewriting. It is often referred to as the Chemical Reaction Model. In this formalism, the execution of a program can be seen as a solution (a multiset) of molecules reacting until the solution becomes inert.

We have proposed the language
Hocl(
*Higher Order Chemical Language*), a higher-order extension of Gamma that can also manipulate multisets with negative or infinite cardinalities
. The higher-order extension makes it
possible to consider a chemical program as a member of a multiset, thus eligible for reactions as any other element. This facilitates the description of notions such as code mobility,
distribution, adaptation, etc. The extensions of the multiset data structure, combined with the higher-order properties, provide a powerful tool for expressing general (and original)
coordination schemes.

We have been working on the application of Hoclto the programming of distributed applications, in particular to autonomic systems and Grid programming . In a first step, applications are programmed in an abstract manner describing essentially the chemical coordination between not necessarily chemical software components. In a second step, chemical service programs are specifically provided to the run-time system in order to obtain from the resources the expected quality of service in terms of efficiency, reliability, security, etc.

An introductory abstract of this line of research has been published in the special issue of
*Ercim News*on ``Emergent Computing''
. A position paper presenting some
fundamental questions about non-classical programming languages has been published in the
*International Journal of Unconventional Computing*
.

This work is conducted in collaboration with Jean-Pierre Banâtre and Yann Radenac from the Parisproject team at Irisa.

Proteins fulfill a huge number of functions in any living organism. Any protein is encoded by a gene. In order to produce the protein, the corresponding gene has to be
*transcribed*into messenger RNA, which is then
*translated*to obtain the protein. This production mechanism is regulated by the concentration of proteins, which can
*promote*or
*inhibit*the production,
*e.g.*, by binding to the gene and disabling transcription. The dynamics of the protein concentrations are thus defined by a regulatory network which usually encompasses a multitude
of complex feedback loops. Being able to model and analyze its behavior is crucial for understanding the interactions between the proteins, and their functions.

Genetic regulatory networks have been modeled as discrete transition systems by many approaches, benefiting from a large number of formal verification algorithms available. However, most of these approaches face the problem of state space explosion, as even models of modest size (from a biological point of view) usually lead to large transition systems. In practice, non-compositional approaches for the analysis of genetic regulatory networks do not scale up well.

We have explored the use of compositionality for the analysis of genetic regulatory networks. A precondition for compositional algorithms to be applicable, is that the model be structured. We have therefore defined a modeling framework for genetic regulatory networks, based on our BIP component framework, in which the different components of the system (that is, proteins or sets of proteins) and the way they constrain each other, are modeled separately and modularly. Our approach is based on a conservative approximation of the mathematically well-founded formalism of qualitative simulation . This ongoing work benefits from the interaction with Hidde de Jong ( Helixproject).

The task of Adrien Richard, post-doc in the Pop Artand Helixprojects since October 2006, will be to define a modular but exact representation of the network behavior as defined by qualitative simulation, and study how to decompose networks into modules.

Daniel Le Métayer, who joined the Pop Artteam in July, is working on a new activity concerning the interactions between law and the information and communication sciences (``STIC'' in French). In particular, he is studying the impact of legal aspects on the software design flow. This activity shall become an independent project team in the short term.

In the context of the
*pôle de compétitivité*EMSOC, we participate in the new four-year project
OpenTLMon verification of systems-on-chip is modeled at the transaction level in SystemC
. We intend to develop methods for abstraction,
interprocedural analysis, and compositional verification of SystemC models.

With the Inriaproject team Moaisand the ProBayes start-up, we have signed a contract with DCN. DCN is a French company based in Toulon that builds warships. We will work on a R&D project aimed at improving the defense embedded software of their next generation warships.

A contract with PolySpace Technologiesstarted at the end of the year. The collaboration concerns their main product, PolySpace, a static analyser for detecting possible run-time errors in C/C++/ADA programs, which is based on abstract interpretation techniques.

C^{3}O(Conception Conjointe Commande Ordonnancement) is a locally funded (by
Inria-Rhône-Alpes) cooperation with
Lagabout control/scheduling co-design. It supports research on feedback scheduling together with the development of dedicated software tools.

The
Dispoproject

The objective of the
Alidecsproject

The Apron(Analyse de PROgrammes Numériques) project ( http://www.cri.ensmp.fr/apron/) [2004-2006] involves ENSMP, LIENS-ENS, LIX-Polytechnique, Verimagand Vertecs- Irisa.

The goal of the project is the static analysis of large specifications (
*e.g.*, à la
Lustre) and corresponding C programs, involving a lot of numerical floating-point computations, as well as boolean and counter-based control in
order to verify critical properties (including the detection of possible runtime errors), and to help in automatically locating the origin of critical property potential violation.

An example of such critical properties, as found in control/command programs, is of the form ``under a condition holding on boolean and numerical variables for some time, the program must imperatively establish a given boolean and/or numerical property, in given bounded delay''.

Pop Artcontributes to the following topics within the Apronproject:

The design and implementation of a common interface to several abstraction libraries (intervals, linear equalities, octagons, polyhedra, ...and their combination).

The verification of Lustrespecifications with adaptive techniques, using the NBactool as an experimental platform.

In 2006, most of the effort of Vertecswas spent on the implementation of the common interface.

We are collaborating to this RTP entitled
*Sûreté de fonctionnement des systèmes informatiques complexes ouverts*

NECS (NEtworked Control Systems)

Safe_NECSis an « Action de Recherche Amont - Sécurité, Systèmes embarqués et Intelligence Ambiante » funded for three years by the ANR and started in January 2006 http://safe-necs.cran.uhp-nancy.fr/. The research topic is fault tolerant control of distributed process and the project focuses on both diagnosis and robust control under execution resources constraints. It gathers teams from Cranand Loria(Nancy), Laas(Toulouse), and Lagand Pop Art(Grenoble).

The SED service at
Inria-Rhône-Alpes is maintaining
Orccadand provides support for experiments within the
C^{3}O
Arc.

Aosteat Inria-Rocquencourt is working with us on fault tolerant heuristics for their software SynDEx.

Vertecsat Irisa/ Inria-Rennes is working with us on applications of discrete controller synthesis, and in particular on the tool Sigali.

P. Fradet cooperates with S. Hong Tuan Ha ( Lande, Irisa/ Inria-Rennes), with J.-P. Banâtre and Y. Radenac ( Paris, Irisa/ Inria-Rennes) and with R. Douence and M. Südholt ( Obasco, Ecole des Mines de Nantes).

A. Girault cooperates with the Moaisproject (UR Rhône-Alpes) on multi-criteria scheduling. In particular, we have a common industrial contract with DCN. A. Girault cooperates also with the Verimaglab on model-based design and a compilation tool chain from Simulinkto distributed platforms, and with the Demonteam of LRI (Orsay) on the distribution of higher-order synchronous data-flow programs.

G. Goessler cooperates with H. de Jong ( Helixproject, UR Rhône-Alpes) and F. Lang ( Vasyproject, UR Rhône-Alpes).

B. Jeannet cooperates with T. Le Gall ( Vertecs, Irisa/ Inria-Rennes) on the analysis of communicating systems, and with C. Constant, T. Jéron and F. Ployette ( Vertecs, Irisa/ Inria-Rennes) on test generation.

E. Rutten is working with the DaRTproject at UR Futurs in Lille, on the synchronous modelling of massively parallel application, and the introduction of control and mode automata in the Gaspardframework.

A. Girault cooperates with X. Nicollin ( Verimag), M. Pouzet ( LRI, University of Paris VI), D. Trystram and É. Saule from ( ID- Imag), and C. Dima (Université of Paris XII).

G. Goessler cooperates with J. Sifakis and S. Graf ( Verimag) and M. Majster-Cederbaum (University of Mannheim, Germany).

B. Jeannet cooperates with N. Halbwachs and L. Gonnord ( Verimag) on the static analysis of numerical variables.

D. Simon cooperates with O. Sename ( Lag).

E. Rutten cooperates with H. Alla ( Lag).

Artist II is a European Network of Excellence on embedded system design

AOSD-Europe is the European network of excellence on Aspect-Oriented Software Development. It lasts 4 years (September 2004-August 2008) and includes nine major academic institutions and two major industrial partners from UK, Germany, The Netherlands, France, Belgium, Ireland, Spain and Israel. We collaborate in the formal methods lab with Obasco- Inria, Technion (Israel), and Twente (The Netherlands).

P. Fradet has participated in the program committee of FOAL'06 (
*Foundations of Aspect-Oriented Languages Workshop*). He was co-editor of the special issue of Science of Computer Programming on
*Foundations of aspect-oriented programming*published by Elsevier in december 2006
. He has given a course with Jean-Pierre
Banâtre on Chemical Programming at
*Ecole des Jeunes Chercheurs en Programmation*, Luchon, juin 2006.

A. Girault serves as associate editor for the
*Eurasip Journal on Embedded Systems*. He has co-edited two Special Issues for this journal, on Formal Methods for GALS Systems, and on Synchronous Paradigm for Embedded Systems. He
has organized the
*International Open Workshop on Synchronous Programming*, and he maintains the
*SYNchronous Applications, Languages, and Programs*web site

D. Simon is a member of the RTNS'06 and RTNS'07 (international conference on real-time and network systems) program committee. He has been rapporteur for the PhD of M. Ben Gaïd at ESIEE
(Evry) about
*Optimal scheduling and control for distributed real-time systems*.

E. Rutten is co-editor of the special issue of Discrete Event Dynamical Systems (jDEDS) on Control and Modeling of Reactive Systems. He was member of the PhD committees of A. Kerbaa (CERIMAG, Grenoble) as a referee, and of O. Labbani (LIFL/INRIA Futurs, Lille).

Alain Girault and Daniel Simon:
*Real-time and reactive programming*, 18h, Master of Science IVR, INPG.

Alain Girault:
*Algorithmics and programming in Java*, 26h, INPG Telecom Department.

Gregor Goessler:
*Software Engineering and Compilation project*, 2nd year engineering, 55h, INPG / ENSIMAG.

Alain Girault and Pascal Raymond:
*Synchronous programming*, 28h, Master of Science, Université Joseph Fourier.

Daniel Le Métayer:
*Systematic security analysis*, at the FOSAD'06 conference (Foundations of Software analysis and Design), september 2006; and at the Ecole des Mines de Nantes, december 2006. 7h.

Gwenaël Delaval, co-advised by Alain Girault (with M. Pouzet, LRIOrsay), since 9/2004. PhD in computer science, INPG.

Tristan Le Gall, co-advised by Bertrand Jeannet (with T. Jéron, Vertecs Irisa) since 9/2004. PhD in computer science, University of Rennes I.

Simplice Djoko Djoko, co-advised by P. Fradet (with R. Douence, Obasco, Ecole des Mines de Nantes), since 9/2005, PhD in computer science, University of Nantes.

Stéphane Hong Tuan Ha, advised by Pascal Fradet, since 9/2002, PhD in computer science, University of Rennes I.

Yann Radenac, co-advised by P. Fradet (with J.-P. Banâtre, Irisa), since 9/2003, PhD in computer science, University of Rennes I.

David Robert, co-advised by Daniel Simon (with O. Sename, LAG Grenoble), since 9/2003, PhD in control theory, INPG.

Mouaiad Alras, co-advised by Alain Girault (with P. Raymond, VerimagGrenoble), since 10/2006, PhD in computer science, UJF, Grenoble.

Gérald Vaisman, co-advised by Alain Girault (with P.-F. Dutot, MoaisUR Rhône-Alpes), since 10/2006, PhD in computer science, INPG.

Huafeng Yu, co-advised by E. Rutten (with J.-L. Dekeyser, LIFL/ InriaFuturs Lille), since 10/2005. PhD in computer science, University of Lille 1.

Abdul Malik Khan, co-advised by G. Goesler (with F. Lang, Vasyproject), in 2005/2006. Master of Science in computer science, UJF, Grenoble.