Dr Daniela Cancila - CEA LIST

Dr Daniela Cancila
Laboratoire des composants logiciels pour la Sécurité et la Sûreté des Systèmes (L3S)
(Software Components Laboratory for System Security and Safety)
Département Architecture & Conception de Logiciels Embarqués (Embedded Software Architecture & Design Department)
Service de Conception des Systèmes Numériques (Digital Systems Design Service)

■ 2

OVERVIEW

• Society and the industrial context
  • How is our society and the underlying industrial context evolving?
  • What new industrial needs are emerging?
  • What former ones are still in need of a response?
• Cyber-Physical Systems as a means to disruptive technologies
  • Who is doing what, and how?
  • CEA involvement
  • Industrial research axes of L3S (Laboratoire des composants logiciels pour la Sécurité et la Sûreté des Systèmes)

■ 3

SOCIETY

1. How is our society and the underlying industrial context evolving?
2. What new industrial needs are emerging?
3. What former ones are still in need of a response?

■ 4

A LEARNED LESSON

1. How is our society and the underlying industrial context evolving?
• Population longevity is increasing
• Technological supports are a means to increase the quality of life
• More energy production
• Increase in distributed and connected embedded systems

■ 5

QUESTIONS 2 AND 3

1. How is our society and the underlying industrial context evolving?
2. What new industrial needs are emerging?
3. What former ones are still in need of a response?

■ 6

EXAMPLE: A LEARNED LESSON

• We are witnesses of a historical change in society
• Technology is pervasive
• The number of distributed and connected embedded systems is increasing

■ 7

INDUSTRIAL PROCESS

(figure: requirements, analyses, design, SW components, code, platform; certification and standards)

DACLE Division | January 2013 © CEA. All rights reserved

EMERGENCE OF A NEW PARADIGM

• Integrated systems
  • Physical (sensors and actuators)
  • Hardware
  • Software
  • Network
• Heterogeneous
• Composability, which ensures stability of component properties across integration [1]
• Mixed-criticality

Example: instrumentation and control functions (category B), i.e. automatic control of the Nuclear Power Plant (NPP) primary and secondary circuit conditions, in SW and HW [IEC 61226, Nuclear Power Plants – Instrumentation and control important to safety – Classification of instrumentation and control functions]

[ALSTOM, “Metropolis And Metro Train Solution.” http://www.alstom.com/]
[1] J. Sifakis. Embedded Systems – Challenges and Work Directions. LNCS, 2005.

■ 11

EMERGENCE OF A NEW PARADIGM

Example: an event recorder system for rolling stock (figure), in which functions of different criticality coexist: control of velocity (SIL 2) and the dead-man vigilance functionality (SIL 4).

[Daniela Cancila, Stefano Dalpez, Roberto Passerone, Francois Terrier. An Industrial Case Study Using an MBE Approach: From Architecture to Safety Analysis. IEEE MoBE-RTES, in conjunction with the IEEE ISORC symposium, 2010]
[D. Macii et al. A safety instrumented system for rolling stocks: Methodology, design process and safety analysis. Measurement (Elsevier), 2015]

■ 12

CYBER-PHYSICAL SYSTEMS

• In 2006 Helen Gill at the National Science Foundation in the United States coined the term CPS [1]
• Cyber-physical systems (CPS) enable the physical world to merge with the virtual, leading to an Internet of Things, data and services [2]
  • Example: an intelligent manufacturing line
• CPS combine computing and networking with physical dynamics [3]

[1] System Design, Modeling, and Simulation. Claudius Ptolemaeus (editor)
[2] http://www.eitictlabs.eu/innovation-entrepreneurship/cyber-physical-systems/
[3] Edward A. Lee. Disciplined Heterogeneous Modeling. MODELS 2010

■ 13

A LEARNED LESSON

• We are witnesses of a historical change in society
• CPS lead to the fourth industrial revolution

■ 14

CPS STATE OF THE ART IN EU

■ 15

CPS STATE OF THE ART IN EU

Contract-Based Design (CBD) is a methodology expected to reduce the cost of design and certification.

Underlying idea: individual components carry safety-related properties, including timing properties, specified via contracts.

■ 16

CPS STATE OF THE ART IN EU: CONTRACT-BASED DESIGN (CBD)

• Based on Floyd-Hoare logic (~1960-70): the triple {P} C {Q}, where P = precondition, C = command in a sequential imperative language, Q = postcondition
• Meyer (~1990-2009): design by contract for object-oriented programming; system substitutability
• Beugnard (~1999): contracts applied to service-oriented architectures
• Contracts as interfaces (~2000) [T. Henzinger and L. de Alfaro]
• FP6 ASSERT and FP6 SPEEDS: contracts applied to model-based design (~2005-2007)
• In SPEEDS, assumptions and guarantees are just properties, deployed in an architectural system design to support a correctness-by-construction approach

■ 17

CBD IN THE ASSERT PROJECT

(figure: components annotated with their assumptions and guarantees)

• Code: Ravenscar is an Ada profile tailored to real-time systems

■ 18

CPS STATE OF THE ART IN EU

• Composition with Guarantees for High-integrity Embedded Software Components Assembly (CHESS)
• Safety Certification of Software-Intensive Systems with Reusable Components (SafeCer)
• Guaranteed Component Assembly with Round-Trip Analysis for Energy Efficient High-Integrity Multi-core Systems (CONCERTO)

■ 19

CPS STATE OF THE ART AT BERKELEY

Center for Hybrid and Embedded Software Systems

■ 20

CPS STATE OF THE ART AT BERKELEY

• We need to capture:
  • what the system is supposed to do;
  • the process of mapping a functionality (how the system does what it is supposed to do) onto the elements that will be used to build a platform instance or an architecture
• This mapping is the essential step for refinement and provides a mechanism to proceed towards implementation in a structured way

[Alberto Sangiovanni-Vincentelli. Quo Vadis, SLD? Reasoning about Trends and Challenges of System-Level Design. Proceedings of the IEEE, 95(3):467-506, March 2007]

■ 21

A LEARNED LESSON

• The USA and EU communities are devoting effort to CPS
  • Industrial and academic research
  • EU funding
  • Private funding
• What is expected
  • Providing solutions for dynamic, heterogeneous, connected, distributed embedded systems
  • Disruptive technologies
  • Technological innovation

■ 22

CONTRACT-BASED DESIGN AT L3S

• Industrial problem

[Daniela Cancila, Elie Soubiran, Roberto Passerone. Feasibility Study in the use of contract-based approaches to deal with safety-related properties. Ada User Journal, December 2014]
FSF (Fiabilité et Sûreté de Fonctionnement: Reliability and Safety) project, Technological Research Institute SystemX.

■ 23

CONTRACT-BASED DESIGN AT L3S

• Industrial transfer to Alstom
  • We adopt the ASAP (Advanced System Architect Program) methodology (Alstom) [1, 2] and its supporting tools
  • Operational (why), functional (what) and constructional (how) views
• Integrating ASAP with CBD
  • A contract is a pair (assumption, guarantee) [1]:
    • the guarantee specifies the functionality provided by a component to its environment;
    • the assumption sets forth the conditions required from the environment in order for the component to accomplish its guarantee

[1] ALSTOM, “Alstom ASAP methodology: Advanced System Architect Program.” OMG
[2] Marco Ferrogalini, Jean Le Bastard, “Return of experience on the implementation of the System Engineering approach in Alstom.” OMG
[3] D. Cancila, R. Passerone, T. Vardanega, and M. Panunzio, “Toward Correctness in the Specification and Handling of Non-Functional Attributes of High-Integrity Real-Time Embedded Systems,” IEEE Transactions on Industrial Informatics, May 2010
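The following added example is not code from the deck, CEA, Alstom, ASAP or the ASSERT/SPEEDS tooling; it makes the two definitions above concrete. The Hoare triple {P} C {Q} from the CBD slide becomes a check that an implementation satisfies its (assumption, guarantee) pair, and the contract pair defined on this slide is given the refinement (substitutability) and composition checks that a modular pre-certification argument rests on. The speed sensor, the velocity-control function, the variable names and their coarse domains are constructed for the illustration; the checker enumerates the finite state space by brute force rather than proving anything symbolically, which is adequate for a toy but not for a real SIL argument.

```python
# Added example (not CEA, ASAP or SPEEDS tooling): a brute-force assume/guarantee
# contract checker over a small finite state space. Variables, domains and the
# sensor / velocity-control components are constructed for this illustration.
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, Iterable, List

State = Dict[str, int]
Pred = Callable[[State], bool]

@dataclass(frozen=True)
class Contract:
    """(assumption, guarantee): what the component requires and what it promises."""
    assumption: Pred
    guarantee: Pred

    def saturated(self, s: State) -> bool:
        # The component is only obliged where A holds: "not A or G".
        return (not self.assumption(s)) or self.guarantee(s)

def states(domains: Dict[str, List[int]]) -> Iterable[State]:
    """Enumerate every assignment of the finite variable domains."""
    names = list(domains)
    for values in product(*(domains[n] for n in names)):
        yield dict(zip(names, values))

def satisfies(c: Contract, impl: Callable[[State], State], domains) -> bool:
    """Hoare-style check {A} impl {G}: on every input meeting the assumption,
    the implementation's output must meet the guarantee."""
    return all(c.guarantee({**env, **impl(env)})
               for env in states(domains) if c.assumption(env))

def refines(new: Contract, old: Contract, domains) -> bool:
    """new refines old iff it assumes no more (A_old implies A_new) and promises
    no less (saturated G_new implies saturated G_old): substitutability."""
    return all((not old.assumption(s) or new.assumption(s))
               and (not new.saturated(s) or old.saturated(s))
               for s in states(domains))

def compatible(provider: Contract, consumer: Contract, domains) -> bool:
    """Composition check: the provider's guarantee (under its own assumption)
    must discharge the consumer's assumption."""
    return all(consumer.assumption(s) for s in states(domains)
               if provider.assumption(s) and provider.guarantee(s))

def compose(provider: Contract, consumer: Contract) -> Contract:
    """Assembly contract, valid once compatible() holds: the provider's
    assumption on the outer environment, both guarantees promised."""
    return Contract(assumption=provider.assumption,
                    guarantee=lambda s: provider.guarantee(s) and consumer.guarantee(s))

# ---- constructed example: speed sensor feeding a velocity-control function ----
DOMAINS = {
    "power_ok": [0, 1],
    "age_ms": [0, 50, 100, 200, 500],   # age of the speed sample
    "speed": [0, 60, 120, 180, 240],    # km/h
    "limit": [80, 160],                 # km/h
    "brake": [0, 1],                    # output of the control function
}
SENSOR = Contract(assumption=lambda s: s["power_ok"] == 1,
                  guarantee=lambda s: s["age_ms"] <= 50)
VELOCITY_CONTROL = Contract(
    assumption=lambda s: s["age_ms"] <= 100 and 0 <= s["speed"] <= 400,
    guarantee=lambda s: s["brake"] == int(s["speed"] > s["limit"]))
# Fail-safe variant: accepts older samples (weaker A) and also brakes on a stale
# sample (stronger G), so it should refine VELOCITY_CONTROL.
FAILSAFE_CONTROL = Contract(
    assumption=lambda s: s["age_ms"] <= 200 and 0 <= s["speed"] <= 400,
    guarantee=lambda s: s["brake"] == int(s["speed"] > s["limit"] or s["age_ms"] > 100))
# Over-demanding variant: wants fresher samples than SENSOR promises.
STRICT_CONTROL = Contract(
    assumption=lambda s: s["age_ms"] <= 20 and 0 <= s["speed"] <= 400,
    guarantee=VELOCITY_CONTROL.guarantee)

def sensor(env: State) -> State:
    return {"age_ms": 0 if env["power_ok"] else 500}

def velocity_control(env: State) -> State:
    return {"brake": int(env["speed"] > env["limit"])}

def failsafe_control(env: State) -> State:
    return {"brake": int(env["speed"] > env["limit"] or env["age_ms"] > 100)}

def system(env: State) -> State:  # the assembly: the sensor's sample feeds the control function
    sample = sensor(env)
    return {**sample, **velocity_control({**env, **sample})}

def report() -> Dict[str, bool]:
    """The checks a practitioner runs before trusting the assembly."""
    return {
        "control_meets_contract": satisfies(VELOCITY_CONTROL, velocity_control, DOMAINS),
        "failsafe_meets_contract": satisfies(FAILSAFE_CONTROL, failsafe_control, DOMAINS),
        "failsafe_refines_control": refines(FAILSAFE_CONTROL, VELOCITY_CONTROL, DOMAINS),
        "strict_refines_control": refines(STRICT_CONTROL, VELOCITY_CONTROL, DOMAINS),
        "sensor_compatible_with_control": compatible(SENSOR, VELOCITY_CONTROL, DOMAINS),
        "sensor_compatible_with_strict": compatible(SENSOR, STRICT_CONTROL, DOMAINS),
        "assembly_meets_composite": satisfies(compose(SENSOR, VELOCITY_CONTROL), system, DOMAINS),
    }
```

Calling report() gives True for every entry except strict_refines_control and sensor_compatible_with_strict: the strict contract assumes more than the original, so it is neither a valid substitute for the certified component nor compatible with the sensor that is supposed to feed it, which is exactly the kind of integration mismatch contracts are meant to surface before certification. The saturated form of the guarantee (not A or G) is what makes the refinement check sound when the new contract relaxes the assumption.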

■ 24

CONTRACT-BASED DESIGN AT L3S

• Preliminary industrial feedback (figure), from the Ada User Journal 2014 feasibility study and the FSF project cited above

■ 25

CONTRACT-BASED DESIGN AT L3S

• Industrial problem: reduce the certification cost
  • SW systems: safety assurance; goal: modular pre-certification
  • HW systems: redundancy
  • Device systems: production and test
• Preserving certification during the evolution of a mixed-criticality system (figure: HW containing SIL 4 and SIL 0 parts, and its evolution)
• Contract-based design is a means to deal with modular pre-certification

■ 26

CONTRACT-BASED DESIGN AT L3S

• Industrial problem: correct interaction between SW and HW (figure: a system layered as SW components over a real-time micro-kernel and HW; the functional embedded SW components are captured in a model calculus)

■ 27

THE WAY FORWARD

• Fact: CPS are becoming a must in our society
• Main goal: advocate CPS as a response to the needs of society and industry
• L3S and CEA LIST can become CPS leaders in the EU and in the industrial environment
• CPS Master
• Summer School

Thank you!