Kaj Hänninen

The Rubus component model for resource constrained real-time systems

In this paper we present a component model for development of distributed real-time systems. The model is developed to support development of embedded control systems for ground vehicles. The model aims at supporting three important activities in real-time development, (i) design, (ii) analysis and (iii) synthesis. These activities emphasise different and sometimes conflicting requirements that need to be balanced. For example, developers desire freedom in designing to solve complex tasks, analysis tools require the design to be formal enough for analysis and synthesis need to be efficient for low run-time footprint. We have considered industrial requirements for these activities and developed the RubusCMv3 component model. The model has been developed in close cooperation with industrial partners and it is currently being evaluated on real systems.

Determining Maximum Stack Usage in Preemptive Shared Stack Systems

This paper presents a novel method to determine the maximum stack memory used in preemptive, shared stack, real-time systems. We provide a general and exact problem formulation applicable for any preemptive system model based on dynamic (run-time) properties. We also show how to safely approximate the exact stack usage by using static (compile time) information about the system model and the underlying run-time system on a relevant and commercially available system model: a hybrid, statically and dynamically, scheduled system. Comprehensive evaluations show that our technique significantly reduces the amount of stack memory needed compared to existing analysis techniques. For typical task sets a decrease in the order of 70% is typical

Framework for real-time analysis in Rubus-ICE

In this paper, we present the development of a plug-in framework for integration of real-time analysis methods in the Rubus Integrated Component Environment (Rubus-ICE). We also present the implementation, and evaluate the integration, of two state of the art analysis techniques (i) response-time analysis for tasks with offsets and (ii) shared stack analysis, as plug-ins, in the Rubus-ICE framework. The paper shows that the proposed framework is well suited for integration of complex analysis methods. However, experience also show that analysis methods are not easily transferred from an academic environment to industry. The main reason for this, we believe, originates from differences in requirements and assumptions between industry and academia.

Present and future requirements in developing industrial embedded real-time systems - interviews with designers in the vehicle domain

In this paper, we aim at capturing the industrial viewpoint of todays and future requirements in development of embedded real-time systems. We do this by interviewing ten senior designers at four Swedish companies, developing embedded applications in the vehicle domain. This study shows that reliability and safety are the main properties in focus during development. It also shows that the amount of functionality has been increasing in the examined systems. Still the present requirements are fulfilled using considerably homogenous development methods. The study also shows that, in the future, there will be even stronger requirements on dependability and control performance at the same time as requirements on more softer and resource demanding functionality will continue to increase. Consequently, the complexity will increase, and with diverging requirements, more heterogeneous development methods are called for to fulfil all application specific requirements

Bounding Shared-Stack Usage in Systems with Offsets and Precedences

The paper presents two novel methods to bound the stack memory used in preemptive, shared stack, real-time systems. The first method is based on branch-and-bound search for possible preemption patterns, and the second one approximates the first in polynomial time. The work extends previous methods by considering a more general task-model, in which all tasks can share the same stack. In addition, the new methods account for precedence and offset relations. Thus, the methods give tight bounds for a large set of realistic systems. The methods have been implemented and a comprehensive evaluation, comparing our new methods against each other and against existing methods, is presented. The evaluation shows that our exact method can significantly reduce the amount of stack memory needed.

Regression verification of AADL models through slicing of system dependence graphs

Design artifacts of embedded systems are subjected to a number of modifications during the development process. Verified artifacts that subsequently are modified must necessarily be re-verified to ensure that no faults have been introduced in response to the modification. We collectively call this type of verification as regression verification. In this paper, we contribute with a technique for selective regression verification of embedded systems modeled in the Architecture Analysis and Design Language (AADL). The technique can be used with any AADL-based verification technique to efficiently perform regression verification by only selecting verification sequences that cover parts that are affected by the modification for re-execution. This allows for the avoidance of unnecessary re-verification, and thereby unnecessary costs. The selection is based on the concept of specification slicing through system dependence graphs (SDGs) such that the effect of a modification can be identified.

An Ontological Interpretation of the Hazard Concept for Safety-Critical Systems

The hazard concept has been extensively used in the literature and defined in an informal way, which serves as a guidance on identifying the potential hazards during the development of safety-criti ...

AQAF: An Architecture Quality Assurance Framework for Systems Modeled in AADL

Architecture engineering is essential to achieve dependability of critical embedded systems and affects large parts of the system life cycle. There is consequently little room for faults, which may cause substantial costs and devastating harm. Verification in architecture engineering should therefore be holistically and systematically managed in the development of critical embedded systems, from requirements analysis and design to implementation and maintenance. In this paper, we address this problem by presenting AQAF: an Architecture Quality Assurance Framework for critical embedded systems modeled in the Architecture Analysis and Design Language (AADL). The framework provides a holistic set of verification techniques with a common formalism and semantic domain, architecture flow graphs and timed automata, enabling completely formal and automated verification processes covering virtually the entire life cycle. The effectiveness and efficiency of the framework are validated in a case study comprising a safety-critical train control system.

A Hazard Modeling Language for Safety-Critical Systems Based on the Hazard Ontology

Preliminary hazard analysis (PHA) is a key safetyconcerned activity to identify potential hazards. However, since various stakeholders will be involved in the identification process, a common understanding of the nature of hazards among stakeholders, such as what a hazard consists of and how to describe it without ambiguities, is of crucial importance to achieve the goal of PHA. In this work, we propose a hazard modeling language (HML) based on a domain ontology to facilitate the specification of identified hazards. In addition, we present an approach to guide the transformation from natural language hazard descriptions into the HML specification. Finally, an industrial PHA example is used to illustrate the usefulness of our work.

Specifying Software Requirements for Safety-Critical Railway Systems: An Experience Report

Context and motivation: Software safety requirements are fundamental in the definition of risk reduction measures for safety critical systems, since they are developed to satisfy the system safety constraints as identified by mandated safety analyses. It is therefore imperative that the requirements are defined clearly and precisely. Question/Problem: We describe our experiences in introducing a safety compliant method of writing safety software requirements for railway projects in a distributed organization. Our goal was twofold, to develop requirements specifications that comply with the EN 50128 standard and that are understandable by the persons involved in the software development. Principal ideas/results: We introduced methods to transform natural language requirements to functional requirements described as scenarios, sequence, use-case and state-machine diagrams. Contribution: Our experience shows that new ways of expressing requirements, even if proper to solve technical issues such as compliance with standards, bring other challenges to the organization like people’s reluctance to changes in working routines and process updates.