Frédéric Boniol

The Landing Gear System Case Study

This document presents a landing gear system. It describes the system and provides some of its requirements. We propose this case study as a benchmark for techniques and tools dedicated to the verification of behavioral properties of systems.

Scheduling Dependent Periodic Tasks without Synchronization Mechanisms

This article studies the scheduling of critical embedded systems, which consist of a set of communicating periodic tasks with constrained deadlines. Currently, tasks are usually sequenced manually, partly because available scheduling policies do not ensure the determinism of task communications. Ensuring this determinism requires scheduling policies supporting task precedence constraints (which we call dependent tasks), which are used to force the order in which communicating tasks execute. We propose fixed priority scheduling policies for different classes of dependent tasks: with simultaneous or arbitrary release times, with simple precedences (between tasks of the same period) or extended precedences (between tasks of different periods). We only consider policies that do not require synchronization mechanisms (like semaphores). This completely prevents deadlocks or scheduling anomalies without requiring further proofs.

Multi-task Implementation of Multi-periodic Synchronous Programs

This article presents a complete scheme for the integration and the development of multi-periodic critical embedded systems. A system is formally specified as a modular and hierarchical assembly of several locally mono-periodic synchronous functions into a globally multi-periodic synchronous system. To support this, we introduce a real-time software architecture description language, named Prelude, which is built upon the synchronous languages and which provides a high level of abstraction for describing the functional and the real-time architecture of a multi-periodic control system. A program is translated into a set of real-time tasks that can be executed on a monoprocessor real-time platform with an on-line priority-based scheduler such as Deadline-Monotonic or Earliest-Deadline-First. The compilation is formally proved correct, meaning that the generated code respects the real-time semantics of the original program (respect of periods, deadlines, release dates and precedences) as well as its functional semantics (respect of variable consumption).

Deterministic execution model on COTS hardware

In order to be able to use multicore COTS hardware in critical systems, we put forward a time-oriented execution model and provide a general framework for programming and analysing a multicore compliant with the execution model.

A Multi-Periodic Synchronous Data-Flow Language

Implementing real-time critical systems is an increasingly complex process that calls for high-level formal programming languages. Existing languages mainly focus on mono-periodic systems, implementing multi-periodic systems with these languages is possible but inefficient. As a result, current practice usually consists in writing one program for each different rate and then letting a real-time operating system handle the multi-rate aspects. This can be a source of non-determinism as communications between processes of different rates are not precisely defined. We propose a new language, built upon synchronous data-flow languages, to handle multi-rate systems properly. It has strong formal semantics, which prevents non-deterministic communications, and relies on real-time primitives that enable efficient use of existing multi-periodic schedulers.

Latency and freshness analysis on IMA systems

The Integrated Modular Avionics (IMA) architectures have been defined for sharing communication and computation resources. The aim of this paper is to evaluate latency and freshness properties of functions implemented on IMA platforms. The two contributions are : (1) a modeling approach for IMA platforms based on the tagged signal model and the abstraction of the network, (2) the definition of an evaluation method for these properties based on Integer Linear Programming (ILP). The industrial applicability of the method is showed on an Airbus A380-like platform. We propose a discussion on the significance of the over-approximations induced by the abstraction. This work is supported by the French National Research Agency within the Satrimmap project1.

Reducing State Explosion with Context Modeling for Model-Checking

This paper deals with the problem of the usage of formal techniques, based on model checking, where models are large and formal verification techniques face the combinatorial explosion issue. The goal of the approach is to express and verify requirements relative to certain context situations. The idea is to unroll the context into several scenarios and successively compose each scenario with the system and verify the resulting composition. We propose to specify the context in which the behavior occurs using a language called CDL ({\em Context Description Language}), based on activity and message sequence diagrams. The properties to be verified are specified with textual patterns and attached to specific regions in the context. This article shows how this combinatorial explosion could be reduced by specifying the environment of the system to be validated. Our contribution is illustrated on an industrial embedded system.

A real-time architecture design language for multi-rate embedded control systems

This paper presents a language dedicated to the description of the software architecture of complex embedded control systems. The language relies on the synchronous approach but extends it to support efficiently systems with multiple real-time constraints, such as deadline constraints or periodicity constraints. It provides a high-level of abstraction and benefits from the formal properties of synchronous languages. The language defines a small set of rate transition operators, which enable the description of user-defined deterministic multi-rate communication patterns between components of different rates. The compiler of the language automatically translates a program into a set of communicating real-time tasks implemented as concurrent C threads that can be executed on a standard real-time operating system.

Analysis of Slope-Parametric Hybrid Automata

This paper addresses the analysis of slope-parametric hybrid automata: finding conditions on the slopes of the automaton variables, for some safety property to be verified. The problem is shown decidable in some practical situations (e.g. finding the running speeds of tasks in a real time application, for all tasks to respect their deadlines). The resolution technique generalizes polyhedral-based symbolic analysis and it involves reasoning about polyhedra with parametric shapes.

Multiprocessor schedulability analyser

Within the context of hard real-time systems, the schedulability analysis of a task set is a major issue. The problem consists in proving that the tasks always satisfy their temporal constraints for a given scheduling policy and a given platform. Extensive work has been done in the last decades for defining sufficient criteria and exact algorithms. Sufficient criteria usually have an excellent complexity but often lead to an over-dimension of the system. On the opposite, exact algorithms, especially in the case of multiprocessor platform, suffer from an exponential complexity. In this paper, we study an exact technique: we apply a brute force search combined with a model checker (Uppaal) that determines whether the exploration is complete. We consider periodic tasks which execute on parallel platforms composed of homogeneous processors. Under these hypotheses, we have encoded four policies: fixed task priority, gEDF, gLLF and LLREF. The analyser is user friendly and provides promising performances.