SPaCIFY: MDE and Formal Methods for Embedded Systems Design

Post on 21-Mar-2020



Introduction

SPaCIFY Methodology

Synoptic DSML

Tool chain

Case studies

Conclusions

MDE and Formal Methods for Embedded Systems Design

Alexandre CORTIER, Post-Doc CNES-IRIT

cortier@irit.fr

18-19 May 2010

Alexandre Cortier SPaCIFY Project 1/ 21


Main concern : On-Board Flight Software

The satellite system architecture is specialized according to the satellite mission.

- Two main subsystems:
  - payload: application equipment (specific scientific instrumentation)
  - platform: flight software, communication devices, thermal regulation...

The SPaCIFY exploratory project focuses on the flight software embedded in the satellite:

- hard real-time software
- ex: AOCS (Attitude and Orbit Control System), managing thermal regulation systems, monitoring system status, managing the on-board network, communicating with the ground station.


Flight Software Engineering Process

Flight software is critical to the success of the mission:

- space industries and agencies have worked on engineering processes
- Goal: increase reliability
- Ex: standards on software engineering and on product assurance (ECSS-Q-ST-80, ECSS-E-40)

BUT: these standards do not prescribe a specific process.

- They rather formalize documents, list the requirements of the process and assign responsibilities to the involved partners.


GALS Systems

Satellite management software:

- is usually divided into parts that are quite autonomous from one another
  - they can share the same platform and resources
  - 'soft' real-time constraints
  - asynchronous exchange
- inside each of these parts, the subparts are most of the time strongly linked:
  - hard real-time constraints
  - synchronous exchange

This kind of system is usually called Globally Asynchronous, Locally Synchronous (GALS).


GALS Systems (diagram slide)


SPaCIFY Project objectives

The SPaCIFY ANR (French National Research Agency) exploratory project aims to define a design process and supporting tools for On-Board Flight Software based on:

- Model-Driven Engineering (MDE)
  - use models as a communication medium
  - benefit from the tools and techniques of the domain
- Formal Methods
  - multi-clock synchronous paradigm
  - model-checking
  - verification of transformations
- Globally Asynchronous Locally Synchronous (GALS) paradigm
- specification of the services of an executive platform
  - executive platform supporting distribution, partitioning and dynamic adaptation (middleware)

The associated tools are built upon the Topcased toolkit (The Open-Source Toolkit for Critical Systems).


SPaCIFY Process (diagram slide)


Synoptic

Synoptic is the core language of the SPaCIFY process:

- a graphical and textual DSML
- provides high-level constructs to handle
  - multi-layer description (various modeling aspects)
  - various granularity levels (iterative and refinement-based development)
  - a modular approach
- based on a synchronous semantics
  - formal and deterministic analysis and verification
  - refinement proof
  - transformation proof


Synoptic : multi-layers system specification

Synoptic is not fundamentally a new language but an integration of different sources and concepts.

Synoptic is inspired by several approaches:

- Geneauto: safe subset of the Simulink/Stateflow modelling language used for the development of certified safety-critical embedded real-time systems
  - structural feature: Dataflow models ("Block Diagrams")
  - behavioral feature: Control Flow models ("Finite State Machines")
  - real-time constraints: clock properties
- AADL: Architecture Analysis & Design Language (formerly Avionics Architecture Description Language)
  - thread description
  - platform aspects ("components view")
  - mappings: which component executes which functional blocks?
- Component Models: CCM, Fractal
  - Synoptic components: need to be improved...


Synoptic : multi-layers system specification

Diagram slide (labels only): the layers shown are the Functional and control design, the Software architecture (Threads + Properties, with 10 Hz and 50 Hz threads, and a Bus), the Dynamic architecture, and the Hardware architecture / Hardware Design (Processor, Device_1); mappings are drawn between the layers.


Synoptic/MW : external variables

The Middleware (MW) has to abstract the asynchronous behavior of the system (bufferisation, ...). Interactions between the MW and Synoptic models are handled using the concept of external variables.

- external variables = sources / sinks of signals
- external variable types: constants, TM, TC, global variables...
- external variable contracts

Diagram (labels only): Client 1 and Client 2 access a Variable through its contracts: Syntactic contract, Persistence contract, Usage contract, Synchronisation contract, Remote access contract.

External variables and their associated contracts are used to configure the MW.


Tool chain : Meta-Model of the Synoptic DSML

- The meta-model of Synoptic is described using the Ecore formalism
- Ecore = the metamodeling architecture of the Eclipse Modeling Framework (EMF)
- more or less aligned on OMG's metamodeling architecture MOF (Meta-Object Facility)


Tool chain : Textual & Graphical editor

- Graphical editor prototype (Anyware Technologies):
  - based on the EMF/Topcased framework
- Textual syntax defined with TCS (Textual Concrete Syntax)
  - TCS is a DSL defined with a KM3 metamodel
  - can be used to:
    - parse text-to-model
    - serialize model-to-text
  - both performed from a single (bidirectional) specification


Horizontal/Vertical Transformations

1. Translation Transformation: Synoptic → Altarica
   - verifying properties such as the coherence of the modes
   - model-checking
   - Ex: 'if component X is in mode m1, then component Y is in mode m2 or can eventually move into mode m2'
2. Translation Transformation: Synoptic → SME
   - SME: meta-model of Signal (synchronous language)
   - temporal analysis (clocks), scheduling analysis, code generation
   - using the Polychrony platform
   - translation described using the Kermeta language
3. Domain Specific Transformations (in progress)
   - Ex: model organization, automata elicitation
   - Ex: software function splitting and mapping to threads of an RTOS
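The coherence-of-modes property quoted above ('if component X is in mode m1, then component Y is in mode m2 or can eventually move into mode m2') is a reachability question over the product of the component mode automata, which is what the Altarica model-checkers answer. The following is an added example, not code from the SPaCIFY tool chain or from Altarica: it builds the synchronous product of two small constructed mode automata (components synchronise on shared events, local events move one component alone), explores the reachable states, and reports every reachable state where X is in m1 but Y is neither in m2 nor able to reach m2 from there. The automata X, Y_BAD and Y_FIXED, their mode and event names, and the reading of "can eventually move" as plain reachability (CTL EF) are assumptions of this example.

```python
"""Explicit-state check of a 'coherence of modes' property over the synchronous
product of mode automata. The automata below are constructed for illustration."""
from collections import deque
from itertools import product

# A mode automaton maps each mode to its outgoing transitions (event, next_mode).
# Automata synchronise on shared events: an event fires only if every automaton
# whose alphabet contains it has a transition on it from its current mode;
# automata whose alphabet lacks the event keep their mode.
def alphabet(automaton):
    return {ev for trans in automaton.values() for ev, _ in trans}

def successors(state, automata):
    alphs = [alphabet(a) for a in automata]
    result = []
    for ev in sorted(set().union(*alphs)):
        choices = []
        for i, a in enumerate(automata):
            if ev not in alphs[i]:
                choices.append([state[i]])       # not involved: stays in its mode
                continue
            nxt = [m for e, m in a[state[i]] if e == ev]
            if not nxt:
                choices = None                   # ev is blocked by automaton i
                break
            choices.append(nxt)
        if choices is not None:
            result.extend((ev, tuple(c)) for c in product(*choices))
    return result

def reachable(init, automata):
    """Breadth-first exploration of the global state space from init."""
    seen, todo = {init}, deque([init])
    while todo:
        s = todo.popleft()
        for _, t in successors(s, automata):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def can_reach(src, automata, idx, mode):
    """EF(automaton idx is in mode), evaluated from global state src."""
    return any(s[idx] == mode for s in reachable(src, automata))

def mode_coherence_violations(automata, init, x, m1, y, m2):
    """Reachable states where automaton x is in m1 while automaton y is neither in
    m2 nor able to eventually reach m2. An empty list means the property holds."""
    return sorted(s for s in reachable(init, automata)
                  if s[x] == m1 and s[y] != m2 and not can_reach(s, automata, y, m2))

# Constructed example: X is a controller, Y an actuator chain. 'go' and 'stop' are
# shared events; 'start' is local to X, 'fault' and 'recover' are local to Y.
X = {"off": [("start", "m0")], "m0": [("go", "m1")], "m1": [("stop", "off")]}
# Y_BAD has a 'safe' mode with no way back: once a fault occurs while X is in m1,
# Y can never move into m2 again, so the coherence property is violated.
Y_BAD = {"idle": [("go", "m2")], "m2": [("stop", "idle"), ("fault", "safe")],
         "safe": []}
# Y_FIXED adds a recovery transition back to the nominal mode.
Y_FIXED = {"idle": [("go", "m2")], "m2": [("stop", "idle"), ("fault", "safe")],
           "safe": [("recover", "m2")]}

if __name__ == "__main__":
    init = ("off", "idle")
    print("violations (bad):  ", mode_coherence_violations([X, Y_BAD], init, 0, "m1", 1, "m2"))
    print("violations (fixed):", mode_coherence_violations([X, Y_FIXED], init, 0, "m1", 1, "m2"))
```

The violating state returned for Y_BAD, ("m1", "safe"), is a deadlock of the product: X only offers the shared event 'stop', which Y cannot take from 'safe', so no path leads back to m2. This is the kind of counterexample a model-checker returns and the designer then repairs in the model rather than in the generated code.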


Case Study: Thales Alenia Space

TAS uses a model-based approach relying on the lightweight CCM component model to handle the deployment of the system (except for the functional implementation of the components).

- Use Case Characteristics:
  - modeling the OBSW (central flight software)
  - sub-systems: Battery Management, Thermal regulation management, AOCS, global FDIR, actuators, sensors
- Goals: prove the utility of using Synoptic models as a unifying and unique design
  - to model the structural aspects of the software and to deduce the CCM model and the configuration of the middleware by model transformation
  - to model the behavioral aspects and to automatically generate the implementation of CCM components using the Polychrony platform
- Results:
  - code generation has been proved to be feasible


Case Study: EADS Astrium

Astrium experiments with the technologies on a real industrial use case: satellites flying in formation.

- Characteristics:
  - coordination of 2 satellites (1 master and 1 slave)
  - more complex FDIR (Failure Detection, Isolation and Recovery)
- Goals: to cover a horizontal slice of the SPaCIFY engineering process
  - evaluation of the Synoptic modeling language for early system engineering phases
  - evaluation of the Altarica-based model-checker, especially with respect to its scalability
  - validation of the Control/Command strategy
- Results:
  - the model contains 49 automata
  - the model has been translated into Altarica
  - invariants (coherence of modes) have been verified using ARC and MEC (LaBRI model-checkers)


Case Study: CNES

- Characteristics:
  - modeling of the Control/Command part of a Payload Manager
  - sub-systems: House-Keeping, Routing, Filtering
- Goals:
  - test the expressivity of the Synoptic language
  - test whether the components of the middleware can be modeled in Synoptic
  - better understand the interconnection between synchronous islands and the middleware (external variables)
- Results:
  - asynchronous exchanges can be modeled in Synoptic (using a 'fresh boolean data')
  - the filtering component can be modeled in a generic way
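The CNES result above (asynchronous exchanges modeled with a 'fresh boolean data') and the external-variable contracts of the Synoptic/MW slide can be made concrete with a small simulation. The following is an added example, not code from the SPaCIFY project or its middleware: two synchronous islands running at different rates exchange a command through a middleware-held external variable that keeps its last value between reads (persistence) and carries a 'fresh' boolean raised on each write and lowered on each read (synchronisation). Running the consumer with and without the flag shows why the flag is needed: without it, a 50 Hz reader acts five times on every 10 Hz command; with the rates reversed, the counter of overwritten writes shows what a usage contract between the two islands must rule out. The island rates, the 1 kHz simulation tick, the variable layout and the flag protocol are assumptions of this example.

```python
"""Simulation of two synchronous islands of a GALS system exchanging data through a
middleware-held external variable. Constructed example: rates, tick, variable layout
and the 'fresh' flag protocol are assumptions made for illustration."""
from dataclasses import dataclass


@dataclass
class ExternalVariable:
    """Middleware-side slot: the last written value is retained between reads
    (persistence contract) and a 'fresh' boolean tells the reader whether the
    value has been written since it was last read (synchronisation contract)."""
    value: object = None
    fresh: bool = False
    overwritten: int = 0   # writes that replaced a value nobody had read yet

    def write(self, v):
        if self.fresh:
            self.overwritten += 1
        self.value, self.fresh = v, True

    def read(self):
        v, was_fresh = self.value, self.fresh
        self.fresh = False
        return v, was_fresh


def simulate(producer_hz, consumer_hz, duration_s, use_fresh_flag):
    """Run a producer island and a consumer island on a common 1 kHz tick.
    Returns (commands produced, commands the consumer acted on, writes lost)."""
    tick_hz = 1000
    var = ExternalVariable()
    produced = acted = 0
    for t in range(duration_s * tick_hz):
        # Producer island step: emit one command per period into the variable.
        if t % (tick_hz // producer_hz) == 0:
            produced += 1
            var.write(("cmd", produced))
        # Consumer island step: read the variable; act only on a fresh value when
        # the flag is honoured, otherwise on whatever value is currently stored.
        if t % (tick_hz // consumer_hz) == 0:
            v, fresh = var.read()
            if v is not None and (fresh or not use_fresh_flag):
                acted += 1
    return produced, acted, var.overwritten


if __name__ == "__main__":
    for prod, cons in ((10, 50), (50, 10)):
        for flag in (False, True):
            p, a, lost = simulate(prod, cons, 1, use_fresh_flag=flag)
            print(f"producer {prod} Hz, consumer {cons} Hz, fresh flag {flag}: "
                  f"produced={p} acted={a} overwritten={lost}")
```

With the producer at 10 Hz and the consumer at 50 Hz, the flag brings the acted-on count from 50 down to the 10 commands actually sent. With the rates reversed, the flag cannot save the 39 commands that were overwritten before the slow consumer read them; that loss is a rate mismatch the usage contract has to capture (or a buffered variable has to absorb), not something the synchronisation flag can fix.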


Conclusions

The SPaCIFY project defines a design process for on-board flight software based on:

- Model Driven Engineering
- GALS
- Formal Methods: Synoptic equipped with a formal synchronous semantics

A prototype tool chain based on the Eclipse Modeling Framework:

- textual and graphical editor
- translation transformations into Altarica and SME (Kermeta)
- code generation using the Polychrony platform
- verification of the coherence of modes using ARC and MEC (Altarica model-checkers)
- OCL constraints have been encoded to check structural constraints on models


Works in progress

The case studies help to highlight some improvements to make on the Synoptic language:

- automata in Synoptic
- adding the notion of partition to capture the IMA concept
- external variables

Domain Specific Transformations:

- the formal semantics of the language has been encoded in a typed set theory using the B Method
  - will be helpful to validate the existing transformation from Synoptic to SME models
  - will be used for the formalization of domain specific transformations
- refinement transformations
  - model reorganization
  - automatic mapping of functional blocks on threads
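Two points made on this page, the OCL constraints that check structural constraints on models (Conclusions) and the automatic mapping of functional blocks on threads listed just above, can be illustrated on a miniature multi-layer model in the spirit of the Synoptic layers (functional blocks, threads with rates, processors, and the mappings between them). The following is an added example, not code from the SPaCIFY tool chain and not OCL: the model format, the block and thread names, and the three invariants are assumptions, written as plain Python checks. The first function reports invariant violations on a deliberately mis-mapped model; the second is a small domain-specific transformation that derives threads from block rates so that the rebuilt model passes the same checks.

```python
"""Structural-constraint checks and a block-to-thread mapping transformation over a
miniature multi-layer model. Constructed example: model layout, names and invariants
are assumptions; the checks stand in for OCL invariants on a metamodel."""

# Constructed model. Rates are in Hz. 'nav_filter' is deliberately mis-mapped.
MODEL = {
    "blocks": {"attitude_ctrl": 50, "thermal_reg": 10, "tm_packer": 10, "nav_filter": 50},
    "threads": {"T_fast": {"rate": 50, "processor": "Processor"},
                "T_slow": {"rate": 10, "processor": "Processor"},
                "T_dev":  {"rate": 10, "processor": "Device_1"}},
    "processors": ["Processor", "Device_1"],
    "mapping": {"attitude_ctrl": "T_fast", "thermal_reg": "T_slow",
                "tm_packer": "T_dev", "nav_filter": "T_slow"},
}


def check_structure(model):
    """Return human-readable invariant violations; an empty list means well-formed."""
    errors = []
    blocks, threads = model["blocks"], model["threads"]
    procs, mapping = model["processors"], model["mapping"]
    # Inv 1: every thread runs on a declared processor.
    for t, spec in threads.items():
        if spec["processor"] not in procs:
            errors.append(f"thread {t} on undeclared processor {spec['processor']}")
    # Inv 2: every functional block is mapped to exactly one existing thread,
    # and the mapping refers only to declared blocks.
    for b in blocks:
        if b not in mapping:
            errors.append(f"block {b} is not mapped to any thread")
        elif mapping[b] not in threads:
            errors.append(f"block {b} mapped to unknown thread {mapping[b]}")
    for b in mapping:
        if b not in blocks:
            errors.append(f"mapping refers to unknown block {b}")
    # Inv 3: a thread's rate must be a multiple of each hosted block's rate, so the
    # block's clock is a sub-sampling of the thread's clock.
    for b, t in mapping.items():
        if b in blocks and t in threads and threads[t]["rate"] % blocks[b] != 0:
            errors.append(f"block {b} ({blocks[b]} Hz) cannot run in thread {t} "
                          f"({threads[t]['rate']} Hz)")
    return errors


def auto_map(blocks, processor):
    """Domain-specific transformation: create one thread per distinct block rate on
    the given processor and map every block to the thread of its own rate."""
    threads, mapping = {}, {}
    for b, rate in sorted(blocks.items()):
        t = f"T_{rate}Hz"
        threads[t] = {"rate": rate, "processor": processor}
        mapping[b] = t
    return threads, mapping


def rebuild_with_auto_mapping(model, processor):
    """Replace the thread layer and mapping of a model by the derived ones."""
    threads, mapping = auto_map(model["blocks"], processor)
    return {**model, "threads": threads, "mapping": mapping}


if __name__ == "__main__":
    print("hand-written model:", check_structure(MODEL))
    print("auto-mapped model: ", check_structure(rebuild_with_auto_mapping(MODEL, "Processor")))
```

The rate invariant is the one a clock calculus would eventually settle more precisely; here it only checks divisibility of the rates, which is the minimum for a 10 Hz block to be scheduled as every fifth activation of a 50 Hz thread.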


Perspectives

- Implementation of a clock calculus for Synoptic
- Extend Synoptic with the formal concept of contracts (assume/guarantee)
  - refinements
- Improve code generation (modularity)
- Formal correctness proof and subsequent certification of a code generator
  - under way in the GeneAuto project


Thank you.
