Tayfun Gezgin

Towards a Rigorous Modeling Formalism for Systems of Systems

The scope of this paper is collaborative, distributed safety critical systems which build up a larger scale system of systems (SoS). Systems participating in an SoS follow both global as well as individual goals, which may be contradicting. Both the global and local goals of the overall SoS may change over time. Hence, self-adaptive ness, i.e., reconfiguration of the SoS as a reaction on changes within its context is a major characteristic of this systems. The aim of this paper is to describe first steps towards a modeling formalism for SoS in a safety critical context. The challenge is to address on the one hand the required flexibility to adapt the system during run-time and on the other hand to guarantee that the system reacts still in a safe manner. To address these challenges, we propose an approach which guarantees that the system still reacts in a safe manner while adaption to uncertainty including context changes. This adaption has to be assumed as unsafe during design time. The key for having success is to define the interaction between the systems as well as its goals as basic elements of the design. Based on our former work, we propose a well-defined modeling approach for the interaction based on components as basic structural elements, the contract paradigm for the design of the interaction, and graph transformations, which addresses the adaptivity of system of systems. The component model is additionally explicitly enriched by goals, which supports so called evaluation functions to determine the level of target achievement.

Real-time scheduling interfaces and contracts for the design of distributed embedded systems

A notion of interfaces based on regular languages for modelling and verification of real-time scheduling constraints was proposed in [5]. This initial notion considers task sets running on single resources, and simple deadline requirements. We extend the approach to enable support for complex task models running on systems with multiple resources. We show that this extension preserves all properties of the original notion. In addition, this extension gives rise to the application of our interfaces in the design of more complex systems, where components can be spread over distributed architectures. The work is complemented by an initial implementation that performs scheduling analysis for a relevant class of real-time interfaces. It actually constructs an interface for a system model if it satisfies a set of given real-time requirements.

Contracts for evolving systems

In this work we address evolving systems, which are basically collaborative and distributed systems building up a larger scale system of system (SoS). These systems are able to adapt the current architecture to some changes in the environment. Constituent systems of a SoS, which represent the basic elements of our modeling approach, operate with different degrees of freedom and as a result the self-adaptation and cooperation between a set of constituent systems is driven by local needs. Based on our former work [11], we propose a well-defined modelling approach for SoS capturing both static and dynamic aspects. The aim is to address on the one hand the required flexibility to adapt the systems during run-time, and on the other hand to guarantee that the SoS reacts still in a safe manner. For this, we will use the contract paradigm for both the specification of legal configurations of the SoS, and to specify the dynamicity model, describing how the SoS architecture can change during run-time. Further, we depict how to adapt a system level analysis technique in order to check the dynamicity model against the invariants of the SoS. With this, we are able to determine, whether the SoS can reach some critical configurations. This enables us to modify the dynamicity model in an adequate manner.

State-based scheduling analysis for distributed real-time systems

The amount of system functions realized by software drastically increased in recent years. Software tasks of safety-critical systems like those in the automotive domain have to work in a timely manner. In such systems not only ordering of events but also timing properties like end-to-end deadlines are relevant for correctness and performance. Unfortunately, due to various inter-dependencies between software tasks the analysis of such properties becomes very complex. The state-of-the-art analysis approach considers only stateless system behaviors and relies on critical instances leading to very pessimistic results. Considering task inter-dependencies would result in more accurate results, though it negatively affects the scalability of the analysis.Our approach for scheduling analysis combines analytical and model checking methods. We consider the full state space of a system, where all interleavings and task dependencies are preserved. The state space is build in a compositional manner enabling a more scalable technique. For this, we introduce operations on the state spaces of resources, allowing the abstraction of irrelevant parts and the composition of state spaces. Based on the state space of each resource response times are determined, and timing and safety properties can be verified by means of reachability checks. The approach is demonstrated based on an example scenario.

Evaluation of a state-based real-time scheduling analysis technique

The analysis of real-time properties is crucial in safety critical areas. Systems have to work in a timely manner to offer correct services. The analysis of timing properties is particularly difficult for distributed systems when complex interferences between individual tasks can occur. Considering only critical instances, as analytic approaches do, may deliver pessimistic results leading to higher production costs. In previous works we introduced a state-based approach to validate task-and end-to-end deadlines for distributed systems. To improve scalability and reduce the analysis time, the approach computes the state spaces of the individual resources in a compositional fashion. For this, abstraction and composition operations were defined to remove those parts of the inputs of resources which have no influence on the response times of the allocated tasks. In this work, a new abstraction technique is introduced for scenarios where event bursts occur. Further, we extend our approach for systems with cyclic dependencies among the resources. We evaluate our approach on a set of example scenarios and compare the results with the state-of-the-art tool Uppaal.

Impact analysis for timing requirements on real-time systems

The analysis of real-time properties is crucial in safety critical areas, and is particularly difficult for distributed systems as complex interferences between tasks of different priorities can occur. In previous works we have introduced a state-based analysis approach to validate end-to-end deadlines for distributed systems, where the state spaces of all resources, such as processors and buses, are computed in a compositional fashion. For this, abstraction and composition operations were defined to adequately handle task and resource dependencies. During the design process of a system changes occur typically on both the specification and implementation level, such that already performed analyses of the system have to be repeated. In this work, we define a methodology to adequately handle such changes and to determine the minimal part of the affected architecture. For this, we define an appropriate refinement relation between state spaces of the resources. We use contracts to further reduce the re-validation effort. This check takes place at a higher design level, where only the specification is considered.

Abstraction Techniques for Compositional State-Based Scheduling Analysis

Nowadays, most embedded safety critical systems have to work in a timely manner in order to deliver desired services. In such timed systems not only ordering of events but timing properties are relevant for correctness and performance. In order to be safe and reliable, it is important to have rigorous analysis techniques of timing-dependent (state) behavior. Classical scheduling approaches consider only the system behavior stateless. Especially for safety critical systems this is not sufficient as the state space gives important information of the system which has to be considered by analysis approaches. Our approach for scheduling analysis combines analytical and model checking methods. We consider not only critical instances but the full state space for analysis, where all inter-leavings and task dependencies are preserved. For this, the state space of the entire system architecture is constructed with the aid of input event streams for tasks, and the known behavior of the scheduler of each resource. Based on the state space response times can be determined, and safety properties can be verified by means of reachability checks. As this approach alone is not scalable we present abstraction techniques based on determining output event streams for each resource. For this we exploit well known analytical methods for scheduling analysis. These methods typically abstracts from all inter-leavings leading to very pessimistic results. In this work we present an abstraction technique that is relevant if multiple activations of one task can occur. This technique lies in the middle of both approaches mentioned above.

Contract-Based Compositional Scheduling Analysis for Evolving Systems

The objective of this work is the analysis and verification of distributed real-time systems. Such systems have to work in a timely manner in order to deliver the desired services. We consider a system architecture with multiple computation resources. The aim is to work out a compositional state-based analysis technique to determine exact response times and to validate end-to-end deadlines. Further, we consider such systems in a larger context, where a set of systems work in a collaborative and distributed fashion. A major aspect of such collaborative systems is the dynamic evolution. New systems can participate, existing systems may leave because of failures, or properties may change. We use contracts to encapsulate systems which work in a collaborative manner. These contracts define sound timing bounds on services offered to the environment. When some systems evolve, only those parts which changed need to be re-validated.

Using Guided Simulation to Assess Driver Assistance Systems

The goal of our approach is the model-based prediction of the effects of driver assistance systems. To achieve this we integrate models of a driver and a car within a simulation environment and face the problem of analysing the emergent effects of the resulting complex system with discrete, numeric and probabilistic components. In particular, it is difficult to assess the probability of rare events, though we are specifically interested in critical situations which will be infrequent for any reasonable system. For that purpose, we use a quantitative logic which enables us to specify criticality and other properties of simulation runs. An online evaluation of the logic permits us to define a procedure which guides the simulation towards critical situations and allows to estimate the risk connected with the introduction of the assistance system.

State-Based Real-Time Analysis for Function Networks and Marte

State-based real-time scheduling analyses offer a high accuracy especially for chains of functions. In this work we extend our state-based approach to also support complex activation behavior of the functions. Additionally, we use standard modeling techniques and well defined formalisms to foster the applicability and usability of our scheduling analysis. In our approach we use M ARTE to model the underlying architecture of a system consisting of embedded control units and bus systems. For timing requirements we use the requirement specification language RSL. In order to model complex activation patterns and internal states, we use an extended task network formalism called function networks. Our approach is evaluated with an industrial driver assistance system case study.