SPaCIFY MDE and Formal Methods for Embedded Systems Design · Introduction SPaCIFY Methodology...

Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions

MDE and Formal Methods for Embedded SystemsDesign

Alexandre CORTIERPost-Doc CNES-IRIT

[email protected]

18-19 May 2010

Alexandre Cortier SPaCIFY Project 1/ 21

Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions

Main concern : On-Board Flight Software

Satellite System architecture is specialized according to thesatellite mission.

I Two main subsystems:I payload: application equipment (speci�c scienti�c

instrumentation)I platform: �ight software, communication devices, thermal

regulation...

SPaCIFY exploratory project focuses on the �ight softwareembedded in the satellite :

I hard real-time software

I ex: AOCS (Attitude and Orbit Control System), managingthermal regulation systems, monitoring systems status,managing on-board network, communicating with groundstation.


Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions

Flight Software Engineering Process

Flight software is critical to the success of the mission:

I space industries and agencies worked on engineering processesI Goal: increase reliabilityI Ex: standards on software engineering and on product

assurance (ECSS-Q-ST-80, ECSS-E-40)

BUT: These standards do not prescribe a speci�c process.

I They rather formalize documents, list requirements of theprocess and assign responsibilities to involved partners.


Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions

GALS Systems

Satellite management software:

I usually divided in parts that are quite autonomous one fromthe other

I can share the same platform and resourcesI 'soft' real-time constraintsI asynchronous exchange

I Inside each of these parts, the subparts are most of the timestrongly linked:

I hard real-time constraintsI synchronous exchange

This kind of systems is usually called Globally Asynchronous,Locally Synchronous (GALS).


Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions

GALS Systems


Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions

SPaCIFY Project objectives

The SPaCIFY ANR (French Research National Agency)exploratory project aims to de�ne a design process andsupporting tools for On-Board Flight Software based on:

I Model-Driven Engineering (MDE)I use models as a communication mediumI to bene�t from tools and techniques of the domain

I Formal MethodsI multi-clock synchronous paradigmI model-checkingI transformations veri�cations

I Globally Asynchronous Locally Synchronous System(GALS) paradigm

I speci�cation of the services of an executive platformI executive platform supporting distribution, partitioning and

dynamic adaptation (middleware)

The ssociated tools are built upon the Topcased toolkit. (TheOpen-Source Toolkit for Critical Systems)


Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions

SPaCIFY Process


Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions

Synoptic

Synoptic is the core language of the SPaCIFY process:

I a graphical and textual DSML

I provides high-level constructions to handleI multi-layers description (various modeling aspect)I various granularity levels (iterative and re�nement

development)I modular approach

I based on a synchronous semanticsI formal and deterministic analysis and veri�cationI re�nement proofI transformation proof


Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions

Synoptic : multi-layers system speci�cation

Synoptic is not fundamentally a new language but an integration of

di�erent sources and concepts.

Synoptic is inspired by several approaches :I Geneauto: safe subset of the Simulink/State�ow modelling

language used for the development of certi�ed safety criticalembedded real time systems

I structural feature: Data�ow models (�Blocks Diagrams�)I behavioral feature: Control Flow models (�Finite States

Machines�)I real-time constraints: clock properties

I AADL: Architecture Analysis & Design Language (formerlyAvionics Architecture Description Language)

I Threads descriptionI platform aspects (�components view�)I mappings: which component execute which functional blocks ?

I Components Models: CCM, FractalI Synoptic components : need to be improved...


Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions


Software architecture

Bus

10 Hz 50 HzThreads + Properties

Hardware architecture

Dynamic architecture

Hardware Design

ProcessorDevice_1

Functional and control design


Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions


Software architecture

Bus

10 Hz 50 HzThreads + Properties

Hardware architecture

Dynamic architecture

mappings

mappings

Hardware Design

ProcessorDevice_1

Functional and control design


Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions

Synoptic/MW : external variables

The Middleware has to abstract the asynchronous behavior of thesystem (bu�erisation,...).Interactions between MW and Synoptic models are handled usingexternal variables concept.

I external variables = sources / sinks of signalsI external variables types: constants, TM, TC, global variables...I external variables contracts

Client 1

VariablePersistence contractSyntactic Contract

Client 2

Usage contract

Synchronisation contract

Remote access contract

External variables and associated contracts are used to con�gure

the MW.Alexandre Cortier SPaCIFY Project 11/ 21

Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions

Tools chain : Meta-Model of Synoptic DSML

I Meta-model of Synoptic describe using the formalism ECore

I ECore = metamodeling architecture in the Eclipse ModelingFramework (EMF)

I more or less aligned on OMG's metamodeling architectureMOF (Meta-Object Facility)


Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions

Tools chain : Textual & Graphical editor

I Graphical editor prototyp (Anyware Technologies) :I based on the EMF/Topcased framework

I Textual syntax de�ned with TCS (Textual Concrete Syntax)I TCS is a DSL de�ned with a KM3 metamodelI can be used to:

I parse text-to-modelI serialize model-to-text

I performed with a single (bidirectional) speci�cation


Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions

Horizontal/Vertical Transformations

1. Translation Transformation: Synoptic → AltaricaI verifying properties such as coherence of the modes

I model-checking

I Ex : 'if component X is in mode m1, then component Y is inmode m2 or can eventually move into mode m2 '

2. Translation Transformation: Synoptic → SMEI SME : meta-model of Signal (synchronous language)I temporal analysis (clocks), scheduling analysis, code generationI using the Polychrony platformI translation describes using the Kermeta language

3. Domain Speci�c Transformations (in progress)I Ex : Model organization, automata elicitationI Ex : Software function splitting and mapping to threads from

RTOS


Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions

Case Study: Thales Alenia Space

TAS uses a model based approach relying on the componentsmodel lifgtweight CCM to handle the deployment of the system(except for functional implementation of the components)

I Use Case Characteristics:I Modeling the OBSW (central �ight software)I Sub-systems : Battery Management, Thermal regulation

management, AOCS, global FDIR, actuators, sensors

I Goals: prove the utility of using Synoptic models as a unifyingand unique design

I to model the structural aspects of the software and todeduce the CCM model and the con�guration of themiddleware by model transformation

I to model the behavioral aspects and to automaticallygenerate the implementation of CCM components using thePolychrony platform

I Results:I code generation has been proved to be feasible


Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions

Case Study: EADS Astrium

Astrium experiments technologies with a real industrial use case:Satellites �ying in formation

I Characteristics:I Coordination of 2 satellites (1 master and 1 slave)I FDIR (Failure Detection Isolation and Recovery) more complex

I Goals: to cover a horizontal slice of the SPaCIFY engineeringprocess

I Evaluation of the Synoptic modeling language for early systemengineering phases

I Evaluation of the Altarica-based model-checker, especially withrespect to its scalability

I Validation of the Control/Command strategy

I Results:I the model contains 49 automataI model has been translated in AltaricaI invariants (coherence of modes) have been veri�ed using ARC

and MEC (Labri model-checkers)


Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions

Case Study: CNES

I Characteristics:I modeling of the Control/Command part of a Payload ManagerI sub-systems: House-Keeping, Routing, Filtering

I Goals:I test the expressivity of the Synoptic languageI test if the components of the middleware can be modeled in

SynopticI better understand the interconnection synchronous

islands/middleware (external variables)

I Results:I asynchronous exchanges can be modeled in Synoptic (using a

'fresh boolean data')I �ltering component can be modeled in a generic way


Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions

Conclusions

SPaCIFY project de�nes a design process for on-board �ightsoftware based on:

I Model Driven Engineering

I GALS

I Formal Methods: Synoptic equipped with a formalsynchronous semantics

A prototype tool chain based on the Eclipse ModelingFramework:

I textual and graphical editor

I translation transformations into Altarica and SME (Kermeta)

I code generation using the Polychrony platform

I veri�cation of the coherence of modes using ARC and MEC(model-checker Altarica)

I OCL constraints have been encoded to check structuralconstraints on models


Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions

Works in progress

The case studies help to highlight some improvements to doon the Synoptic language:

I automata in Synoptic

I adding the notion of partition to capture IMA concept

I external variables

Domain Speci�c Transformations :

I formal semantics of the language has been encoded in a typedsets Theory using the B Method

I will be helpful to validate the existing transformation Synoticto SME models

I will be used to the formalization of domain speci�ctransformations

I re�nement transformationsI model reorganizationI automatic mapping of functional blocks on threads


Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions

Perspectives

I Implementation of a clock calculus for Synoptic

I Extend Synoptic with the formal concept of contracts(assume/guarantee)

I re�nements

I Improve code generation (modularity)

I Formal correctness proof and subsequent certi�cation ofa code generator

I under way in the GeneAuto project


Introduction

SPaCIFYMethodology

SynopticDSML

Tool chain

Case studies

Conclusions

Thank you.

Thank You.


SPaCIFY MDE and Formal Methods for Embedded Systems Design · Introduction SPaCIFY Methodology...

Documents

Transcript of SPaCIFY MDE and Formal Methods for Embedded Systems Design · Introduction SPaCIFY Methodology...