Mickaël Kerboeuf

Validate, simulate, and implement ARINC653 systems using the AADL

Safety-critical systems are widely used in different domains and lead to an increasing complexity. Such systems rely on specific services such space and time isolation as in the ARINC653 avionics standard. Their criticality requires a carefully driven design based on an appropriate development process and dedicated tools to detect and avoid problems as early as possible. Model Driven Engineering (MDE) approaches are now considered as valuable approach for building safety-critical systems. The Architecture Analysis and Design Language (AADL) proposes a component-based language suitable to operate MDE that fits with safety-critical systems needs. This paper presents an approach for the modeling, verification and implementation of ARINC653 systems using AADL. It details a modeling approach exploiting the new features of AADL version 2 for the design of ARINC653 architectures. It also proposes modeling patterns to represent other safety mechanisms such as the use of Ravenscar for critical applications. This approach is fully backed by tools with Ocarina (AADL toolsuite), POK (AADL/ARINC653 runtime) and Cheddar (scheduling verification). Thus, it assists system engineers to simulate and validate non functional requirements such as scheduling or resources dimensioning.

A DSML for reversible transformations

In this paper, we investigate a way to promote the reuse of legacy tools (or transformations) in specific contexts (defined by specific metamodels). More precisely we suggest a model transformation approach to achieve this purpose. We first introduce a language based on a metamodel called Modif in order to specify the differences between two semantically close metamodels. We can generate automatically data migration components from a Modif specification. They enable to put data complying with the specific context under the scope of the legacy tool. But more importantly in the case of a rewriting tool, they enable to put the tools outcome back into the original specific context. Then we propose a process and a set of helpers based on Modif to automate the reuse of legacy tools for domain-specific contexts. To illustrate this approach, we apply it to the case of simple finite state machines.

Specification and Verification of a Steam-Boiler with Signal-Coq

Over the last decade, the increasing demand for the validation of safety critical systems has led to the development of domainspecific programming languages (e.g. synchronous languages) and automatic verification tools (e.g. model checkers). Conventionally, the verification of a reactive system is implemented by specifying a discrete model of the system (i.e. a finite-state machine) and then checking this model against temporal properties (e.g. using an automata-based tool). We investigate the use of a synchronous programming language, SIGNAL, and of a proof assistant, CoQ, for the specification and the verification of co-inductive properties of the well-known steam-boiler problem. By way of this large-scale case-study, the SiGNAL-CoQ formal approach, i.e. the combined use of SIGNAL and CoQ, is demonstrated to be a wellsuited and practical approach for the validation of reactive systems. Indeed, the deterministic model of concurrency of SIGNAL, for specifying systems, together with the unparalleled expressive power of the CoQ proof assistant, for verifying properties, enables to disregard any compromise incurred by any limitation of either the specification and the verification tools.

Comparison of Six Ways to Extend the Scope of Cheddar to AADL v2 with Osate

Cheddar is a framework dedicated to the specification of real-time schedulers, and to their analysis by simulation. It is developed in Ada. Some parts of its modular architecture are generated by Platypus, a software engineering tool based on the STEP standards. Cheddar owns a dedicated specification language. It can also process AADL v1 specifications. In order to extend the scope of Cheddar to AADL v2 specifications, we introduced a translation component called Dairy. It aims at creating valid Cheddar data from AADL v2 specifications. The frontend of Dairy comes from Osate v2. Hence, the backend of Dairy must produce Cheddar data from instances of the AADL metamodel that has been implemented into Osate. Both of Cheddar and Osate are legacy systems built with different frameworks, different standards and different languages. Hence, the design of Dairy poses the problem of their integration. We postulate that an implemented metamodel should neither be rewritten nor be duplicated in order to keep unchanged its legacy equipment. Then, integration should better rely on data interoperability standards. In this paper, we illustrate this idea by investigating six different designs of Dairy to perform the integration of Cheddar and Osate. We compare them with each other according to reusability, code generation, and transformation of metamodels.

A UML/MARTE-Based Design Pattern for Semi-partitioned Scheduling Analysis

The scheduling of Real-Time Embedded Systems (RTES) is a challenging step that requires vast knowledge and expertise about the domain, which makes difficult the step of complex systems scheduling modeling. This paper presents a design pattern intended to support and facilitate the scheduling modeling of multiprocessor systems. The contribution of this pattern is that is designed to i) support semi-partitioned scheduling allowing tasks migration ii) model all the tasks features/types and criteria of scheduling in the same view (only one pattern is used) iii) specify the system properties using a high-level modeling language UML/MARTE (Modeling and Analysis of Real-time and Embedded systems).

Formal Proof of a Polychronous Protocol for Loosely Time-Triggered Architectures

The verification of safety-critical systems has become an area of increasing importance in computer science. The notion of reactive system has emerged to concentrate on problems related to the control of interaction and response-time in mission-critical systems. Synchronous languages have proved to be well-adapted to the verification of reactive systems. It is nonetheless commonly argued that real-life systems often do not satisfy the strong hypotheses assumed by the synchronous approach: they are not synchronous. Protocols have however been proposed (e.g. in [1]) to provide an abstract synchronous specification on top of real-time architectures (e.g. loosely time-triggered architectures or LTTA). This abstract model is designed so as to satisfy the synchronous hypotheses and meet the implementation architecture constraints. It makes it possible to design, specify and verify reactive systems in the context of the synchronous approach. In this aim, the present article formalizes the LTTA protocol in the theorem prover Coq and proves its correctness.

Lub: a DSL for Dynamic Context Oriented Programming

Embedded, interactive or reactive systems have to face unexpected events coming from their environment. Taking this kind of event into account at design time raises the challenging issue of the dynamic behavior adaptation at runtime. In this paper, we investigate a DSL approach to address this problem. This DSL, called Lub, is a context oriented programming language. It is defined as a featherlight adaptation of Pharo which enables to temporarily change the base of the method lookup when a message is sent to an object. This language is evaluated with a running example of a fleet of drones facing an unexpected problem of GPS loss.

Real-Time Design Patterns: Architectural Designs for Automatic Semi-Partitioned and Global Scheduling

The scheduling problem is becoming an important topic for different fields especially for Real-Time applications. Considering the complexity of Real-Time Embedded Systems (RTES) coupled with the variety of scheduling approaches and algorithms, the designer task is becoming increasingly hard. Few approaches have investigated design patterns to perform an automatic scheduling at a high-level of abstraction. However, only the partitioned scheduling that prevents task migrations has been taken into account. In this context, this paper proposes two design patterns maintaining an automatic choice of semi-partitioned and global scheduling algorithms. The Unified Modeling Language (UML) profile for the Modeling and Analysis of Real-Time Embedded systems (MARTE) is used to annotate the proposed design patterns with functional and non-functional properties.

Debugging Cyber-Physical Systems with Pharo: An Experience Report

Cyber-Physical Systems (CPS) integrate sensors and actuators to collect data and control entities in the physical world. Debugging CPS systems is hard due to the time-sensitive nature of a distributed applications combined with the lack of control on the surrounding physical environment. This makes bugs in CPS systems hard to reproduce and thus to fix. In this context, on-line debugging techniques are helpful because the debugger is connected to the device when an exception or crash occurs. This paper reports on our experiences on applying two different on-line debugging techniques for a CPS system: remote debugging using the Pharo remote debugger and our IDRA debugger. In contrast to traditional remote debugging, IDRA allows to on-line debug an application locally in another client machine by reproducing the runtime context where the bug manifested. Our qualitative evaluation shows that IDRA provides almost the same interaction capabilities than Pharos remote debugger and is less intrusive when performing hot-modifications. Our benchmarks also show that IDRA is significantly faster than the Pharo remote debugger, although it increases the amount of data transferred over the network.

Lub: A pattern for fine grained behavior adaptation at runtime

Abstract Autonomous systems have to evolve in complex environments and their software must adapt to various situations. Although it is common to anticipate adaptations at design time, it becomes a more complex issue when facing unpredictable contexts at runtime, especially if applications cannot be stopped. We introduce Lub, a pattern designed to extend object oriented languages with fine grained unanticipated adaptations. Lub is based on dynamic instrumentation of the lookup, and allows objects to acquire behaviors from another class than their own. A Pharo Smalltalk implementation of Lub is evaluated through a performance analysis and a running example of a fleet of drones facing unexpected GPS problems. Lub is then discussed from the unanticipated software adaptation perspective.