Loïc Besnard
Centre national de la recherche scientifique
Publication
Featured research published by Loïc Besnard.
International Conference on Functional Programming | 1987
Thierry Gautier; Paul Le Guernic; Loïc Besnard
We present an applicative language, SIGNAL, designed to program real-time systems. The language is based on a synchronous notion of time. We assume the execution of operations to have a zero logical time duration; then, the sequence of communication events entirely determines a temporal reference. The ordering of the runnable operations is limited only by the dependencies between the calculi: this is the point of view of data flow languages. SIGNAL is a data flow language (where the potential parallelism is implicit), which permits a structural description of interconnected processes. SIGNAL handles possibly infinite sequences of values (called signals) characterized by an implicit clock which specifies the relative instants (with respect to other signals) at which these values are available. Specific operators, such as delay, undersampling and deterministic merge, are designed to express temporal relations between different signals: in this way, a SIGNAL program expresses both functional and temporal relationships between all the involved signals. The language is semantically sound, and its declarative style allows one to derive, by a simple projection on the commutative field Z/3Z, a complete static calculus of the timing of any SIGNAL process, called its clock calculus. Hence, the language SIGNAL is also a formal system to reason about timing and concurrency. The clock calculus is completed together with the dependency analysis of a given program. This leads to a conditional dependence graph in which the edges may be labelled by the involved clocks. From this graph, we generate code for a sequential machine, but it appears to be the suitable level to study the implementation on a multiprocessor architecture.
ACM Symposium on Applied Computing | 2011
Huafeng Yu; Yue Ma; Yann Glouche; Jean-Pierre Talpin; Loïc Besnard; Thierry Gautier; Paul Le Guernic; Andres Toom; Odile Laurent
The design of embedded systems from multiple views and heterogeneous models is ubiquitous in avionics as, in particular, different high-level modeling standards are adopted for specifying the structure, hardware and software components of a system. The system-level simulation of such composite models is a necessary but difficult task, allowing one to validate global design choices as early as possible in the system design flow. This paper presents an approach to the issue of composing, integrating and simulating heterogeneous models in a system co-design flow. First, the functional behavior of an application is modeled with synchronous data-flow and statechart diagrams using Simulink/Gene-Auto. The system architecture is modeled in the AADL standard. These high-level, synchronous and asynchronous, models are then translated into a common model, based on a polychronous model of computation, allowing for a Globally Asynchronous Locally Synchronous (GALS) interpretation of the composed models. This translation is implemented as an automatic model transformation within Polychrony, a toolkit for embedded systems design. Simulation, including profiling and value change dump demonstration, has been carried out based on the common model within Polychrony. An avionic case study, consisting of a simplified doors and slides control system, is presented to illustrate our approach.
Design, Automation, and Test in Europe | 2013
Yue Ma; Huafeng Yu; Thierry Gautier; Paul Le Guernic; Jean-Pierre Talpin; Loïc Besnard; Maurice Heitz
High-level architecture modeling languages, such as Architecture Analysis & Design Language (AADL), are gradually adopted in the design of embedded systems so that design choice verification, architecture exploration, and system property checking are carried out as early as possible. This paper presents our recent contributions to cope with clock-based timing analysis and validation of software architectures specified in AADL. In order to avoid semantic ambiguities of AADL, we mainly consider the AADL features related to real-time and logical time properties. We endue them with a semantics in the polychronous model of computation; this semantics is quickly reviewed. The semantics enables timing analysis, formal verification and simulation. In addition, thread-level scheduling, based on affine clock relations, is also briefly presented here. A tutorial avionic case study, provided by C-S, has been adopted to illustrate our overall contribution.
Journal of Systems Architecture | 2013
Huafeng Yu; Yue Ma; Thierry Gautier; Loïc Besnard; Paul Le Guernic; Jean-Pierre Talpin
High-level modeling languages and standards, such as Simulink, SysML, MARTE and AADL (Architecture Analysis & Design Language), are increasingly adopted in the design of embedded systems so that system-level analysis, verification and validation (V&V an original clock-based timing analysis and validation of the overall system is achieved via a formal polychronous/multi-clock model of computation. In order to avoid semantic ambiguities of AADL and Simulink, their features related to real-time and logical time properties are first studied. We then endue them with a semantics in the polychronous model of computation. We use this model of computation to jointly analyze the non-functional real-time and logical-time properties of the system (by means of logical and affine clock relations). Our approach demonstrates, through several case studies conducted with Airbus and C-S Toulouse in the European projects CESAR and OPEES, how to cope with the system-level timing verification and validation of high-level AADL and Simulink components in the framework of Polychrony, a synchronous modeling framework dedicated to the design of safety-critical embedded systems.
Integrated Formal Methods | 2012
Van Chan Ngo; Jean-Pierre Talpin; Thierry Gautier; Paul Le Guernic; Loïc Besnard
In this paper, adopting the translation validation approach, we present a formal verification process to prove the correctness of compiler transformations on systems of polychronous equations. We encode the source programs and the transformations with polynomial dynamical systems and prove that the transformations preserve the abstract clocks and clock relations of the source programs. In order to carry out the correctness proof, an appropriate relation called refinement and an automated proof method are presented. Each individual transformation or optimization step of the compiler is followed by our validation process, which proves the correctness of this run. The compiler will continue its work if and only if the correctness is proved positively. In this paper, the highly optimizing, industrial compiler from the synchronous language SIGNAL to C is addressed.
International Workshop on Discrete Event Systems | 2006
Loïc Besnard; Hervé Marchand; Eric Rutten
Sigali is a tool that offers functionalities for verification of reactive systems and discrete controller synthesis. It manipulates ILTS: Implicit Labeled Transition Systems, an equational and symbolic representation of automata. The techniques used consist in manipulating the system of equations modeling the system instead of the sets of solutions, thus avoiding the enumeration of the state space. Each set of states is uniquely characterized by a predicate, and the operations on sets can be equivalently performed on the associated predicates. A wide variety of properties, such as invariance, reachability and attractivity, can be checked or ensured. Many algorithms for computing state predicates are also available.
Electronic Notes in Theoretical Computer Science | 2004
Abdoulaye Gamatié; Thierry Gautier; Loïc Besnard
Modeling is widely accepted to be essential to design activity. A major benefit is the use of formal methods for analysis and predictability. In Polychrony, the tool-set of the Signal language, a component-based approach has been defined to model avionics applications. This approach uses Signal models of so-called APEX services based on the avionics standard ARINC 653. This gives access to the formal tools and techniques available within Polychrony for verification and analysis. In this paper, we illustrate the approach by considering a small example of an avionics application. We show how an associated Signal model is obtained for the purpose of temporal validation. This brings out the capability of Signal to seamlessly address critical issues in real-time system design.
Frontiers of Computer Science in China | 2013
Van Chan Ngo; Jean-Pierre Talpin; Thierry Gautier; Paul Le Guernic; Loïc Besnard
Translation validation was invented in the 90s by Pnueli et al. as a technique to formally verify the correctness of code generators. Rather than certifying the code generator or exhaustively qualifying it, translation validators attempt to verify that program transformations preserve semantics. In this work, we adopt this approach to formally verify that the clock semantics and data dependence are preserved during the compilation of the Signal compiler. Translation validation is implemented for every compilation phase, from the initial phase until the latest phase where the executable code is generated, by proving that the transformation in each phase of the compiler preserves the semantics. We represent the clock semantics and the data dependence of a program and its transformed counterpart as first-order formulas, which are called clock models and synchronous dependence graphs (SDGs), respectively. We then introduce clock refinement and dependence refinement relations which express the preservation of clock semantics and dependence, as a relation on clock models and SDGs, respectively. Our validator does not require any instrumentation or modification of the compiler, nor any rewriting of the source program.
Science of Computer Programming | 2015
Loïc Besnard; Adnan Bouakaz; Thierry Gautier; Paul Le Guernic; Yue Ma; Jean-Pierre Talpin; Huafeng Yu
High-level modelling languages and standards, such as Simulink, UML, SysML, MARTE and AADL (Architecture Analysis & Design Language), meet increasing adoption in the design of embedded systems in order to carry out system-level analysis, verification and validation (V&V) and architecture exploration, as early as possible. These analysis, V&V and architecture exploration techniques rely on mathematical foundations and formal methods in order to avoid semantic ambiguities in the design of safety-critical systems. In order to support integration validation, it is necessary to define a formal framework of virtual prototyping to integrate, verify, exercise and analyse the application code generated by modelling tools as early as possible and virtually integrate it with simulators of third-party middleware and hardware. Such a virtual prototyping platform makes it possible to validate the expected behaviour of the final application software and check that the resulting system indeed meets the specified performance requirements before the actual hardware even exists. In this paper, we present the definition, development and case-study validation of such a comprehensive framework, based on the synchronous paradigm and the polychronous model of computation and communication of its supportive open-source toolset: Polychrony. A longer-term aim of our work is to equip the AADL standard with an architecture-centric framework allowing for synchronous modelling, verification and synthesis of embedded software.
Highlights: Virtual prototyping of AADL architectures in a synchronous model of computation. Synchronous framework for modelling and verification of AADL specifications. Definition, development and case-study validation of an AADL simulation framework. Efficient affine abstraction and schedule synthesis from AADL timing constraints.
Frontiers of Computer Science in China | 2013
Huafeng Yu; Yue Ma; Thierry Gautier; Loïc Besnard; Jean-Pierre Talpin; Paul Le Guernic; Yves Sorel
Architecture analysis & design language (AADL) has been increasingly adopted in the design of embedded systems, and corresponding scheduling and formal verification have been well studied. However, little work takes code distribution and architecture exploration into account, particularly considering clock constraints, for distributed multi-processor systems. In this paper, we present an overview of our approach to handle these concerns, together with the associated toolchain, AADL-Polychrony-SynDEx. First, in order to avoid semantic ambiguities of AADL, the polychronous/multiclock semantics of AADL, based on a polychronous model of computation, is considered. Clock synthesis is then carried out in Polychrony, which bridges the gap between the polychronous semantics and the synchronous semantics of SynDEx. The same timing semantics is always preserved in order to ensure the correctness of the transformations between different formalisms. Code distribution and corresponding scheduling is carried out on the obtained SynDEx model in the last step, which enables the exploration of architectures originally specified in AADL. Our contribution provides a fast yet efficient architecture exploration approach for the design of distributed real-time and embedded systems. An avionic case study is used here to illustrate our approach.