Yean Ru Chen

Model Checking Safety-Critical Systems Using Safecharts

With rapid developments in science and technology, we now see the ubiquitous use of different types of safety-critical systems in our daily lives such as in avionics, consumer electronics, and medical systems. In such systems, unintentional design faults might result in injury or even death to human beings. To make sure that safety-critical systems are really safe, there is a need to verify them formally. However, the verification of such systems is getting more and more difficult because designs are becoming very complex. To cope with high design complexity, currently, model-driven architecture design is becoming a well-accepted trend. However, existing methods of testing and standards conformance are restricted to implementation code, so they do not fit very well with model-based approaches. To bridge this gap, we propose a model-based formal verification technique for safety-critical systems. In this work, the model-checking paradigm is applied to the Safecharts model, which was used for modeling but not yet used for verification. Our contributions listed are as follows: first, the safety constraints in Safecharts are mapped to semantic equivalents in timed automata for verification. Second, the theory for safety constraint verification is proven and implemented in a compositional model checker (that is, the state-graph manipulator (SGM)). Third, prioritized and urgent transitions are implemented in SGM to model the risk semantics in Safecharts. Finally, it is shown that the priority-based approach to mutual exclusion of resource usage in the original Safecharts is unsafe and corresponding solutions are proposed. Application examples show the feasibility and benefits of the proposed model-driven verification of safety-critical systems

Formal modeling and verification for Network-on-chip

A model checking based formal verification procedure is developed to verify and validate the routing micro-architecture in a Network-on-chip (NoC) communication infrastructure. Specifically, four crucial properties of an NoC router, namely, mutual exclusion, starvation freedom, deadlock freedom, and conditions for traffic congestions are investigated. Given a recently proposed bi-directional channel direction control protocol, guidelines for constructing formal models of an NoC router are proposed, and minimal formal models essential for verifying these four properties are analyzed. A popular formal verification model checking tool State Graph Manipulators (SGM) is applied to perform the verification task. Results obtained through formal verification of these four properties provide useful insights to refine the protocol design.

VERTAF/Multi-Core: A SysML-Based Application Framework for Multi-Core Embedded Software Development

Multi-core processors are becoming prevalent rapidly in personal computing and embedded systems. Nevertheless, the programming environment for multi-core processor-based systems is still quite immature and lacks efficient tools. In this work, we present a new VERTAF/Multi-Core framework and show how software code can be automatically generated from SysML models of multi-core embedded systems. We illustrate how model-driven design based on SysML can be seamlessly integrated with Intel’s threading building blocks (TBB) and the quantum framework (QF) middleware. We use a digital video recording system to illustrate the benefits of the framework. Our experiments show how SysML/QF/TBB help in making multi-core embedded system programming model-driven, easy, and efficient.

Model-driven development of multi-core embedded software

Model-driven development is worthy of further research because of its proven capabilities in increasing productivity and ensuring correctness. However, it has not yet been explored for multi-core processor-based embedded systems, whose programming is even more complex and difficult that that for conventional uni-processor systems. We propose a new VERTAF/Multi-Core (VMC) framework to bridge this gap. In this work, we mainly show how VMC generates code automatically from user-specified SysML models for multi-core embedded systems. We illustrate how model-driven design based on SysML can be seamlessly integrated with Intels threading building blocks (TBB) and the Quantum Framework middleware. We use a digital video recording system to illustrate the benefits of VMC. Our experiments show how SysML/QF/TBB make multi-core embedded system programming easy, efficient, and effortless.

Congestion-aware scheduling for NoC-based reconfigurable systems

Network-on-Chip (NoC) is becoming a promising communication architecture in place of dedicated interconnections and shared buses for embedded systems. Nevertheless, it has also created new design issue such as communication congestion and power consumption. A major factor leading to communication congestion is mapping of application tasks to NoC. Latency, throughput, and overall execution time are all affected by task mapping. As a solution, an efficient run-time Congestion-Aware Scheduling (CWS) is proposed for NoC-based reconfigurable systems, which predicts traffic pattern based on the link utilization. The proposed algorithm alleviates the overall congestion, instead of only improving the current packet blocking situation. Our experiment results have demonstrated that compared to other existing congestion-aware algorithm, the proposed CWS algorithm can reduce the average communication latency by 66%, increase the average throughput by 32%, reduce the energy consumption by 23%, and decrease the overall execution by 32%.

Unified Security and Safety Risk Assessment - A Case Study on Nuclear Power Plant

Critical systems have very stringent requirements on both security and safety. Recent mishaps such as the missing MH370 aircraft and the sunk Korean Sewol ferry go to show that our technology in safety and security risk assessment still need a more integrated approach. Nuclear plant meltdown in the recent Fukushima accident is also a typical example of insufficient risk assessments. This work is a case study on how a unified security and safety risk assessment methodology may be applied to a High Pressure Core Flooder (HPCF) system in a nuclear power plant. Individual risk security or safety assessments may overlook the possible higher risk associated with such critical systems. The case study shows how the proposed method provides a more accurate risk assessment compared to individual assessments.

VERTAF/Multi‐Core: A sysml‐based application framework for multi‐core embedded software development

Abstract Multi‐core processors are becoming prevalent rapidly in personal computing and embedded systems. Nevertheless, the programming environment for multi‐core processor based systems is still quite immature and lacks efficient tools. In this paper, we present a new VERTAF/Multi‐Core framework and show how software code can be automatically generated from SysML models of multi‐core embedded systems. We illustrate how model‐driven design based on SysML can be seamlessly integrated with Intels threading building blocks (TBB) and the Quantum Platform middleware. We use a digital video recording system to illustrate the benefits of the framework. Our experiments show how SysML/QF/TBB help in making the multi‐core embedded system programming model‐driven, easy, efficient, and effortless.

Modeling and verification of real-time embedded systems with urgency

Real-time embedded systems are often designed with different types of urgencies such as delayable or eager, that are modeled by several urgency variants of the timed automata model. However, most model checkers do not support such urgency semantics, except for the IF toolset that model checks timed automata with urgency against observers. This work proposes an Urgent Timed Automata (UTA) model with zone-based urgency semantics that gives the same model checking results as absolute urgency semantics of other existing urgency variants of the timed automata model, including timed automata with deadlines and timed automata with urgent transitions. A necessary and sufficient condition, called complete urgency, is formulated and proved for avoiding zone partitioning so that the system state graphs are simpler and model checking is faster. A novel zone capping method is proposed that is time-reactive, preserves complete urgency, satisfies all deadlines, and does not need zone partitioning. The proposed verification methods were implemented in the SGM CTL model checker and applied to real-time and embedded systems. Several experiments, comparing the state space sizes produced by SGM with that by the IF toolset, show that SGM produces much smaller state-spaces.

Accelerating Coverage Estimation Through Partial Model Checking

In model checking a system design against a set of properties, coverage estimation is frequently used to measure the amount of system behavior being checked by the properties. A popular coverage estimation method is to mutate the system model and check if the mutation can be detected by the given properties. For each mutation and each property, a full model check is required by some state-of-the-art coverage estimation methods. With such repeated model checking, mutation-based coverage estimation becomes significantly time-consuming. To alleviate this problem, a partial model checking (PMC) technique is proposed to recheck only those system states that were affected by a mutation, thus unnecessary rechecking of a large portion of the system states is avoided and time is saved. The PMC method has been integrated into the State Graph Manipulators model checker. Applying the proposed method to several examples showed that PMC has a saving of 50% to 70% in the coverage estimation time, and a reduction of 90% in mode visits.

Backward probing deadlock detection for networks-on-chip

To accurately detect deadlocks in Network-on-Chip (NoC) as early as possible, a novel deadlock detection mechanism called Backward-probing Deadlock Detection (BDD) is proposed in this work, which can detect and resolve all existing deadlocks. It was realized using probe systems that generate probes for deadlock detection. A probe system includes a probe System Manager (SM) for turning on probe system, a probe Generator (GEN) for generating probes, a Link Selection (LS) connected to a Switch Allocation (SA), which is used for copying the generated probes, transmitting probes backward, and discarding probes when the probes find that the traversal path is just a congestion not a deadlock or when probe congestion occurs. There is also a TB Calculation (TBC) in LS for TB settings. Finally, a probe comparator (PB Comparator) is used for claiming deadlocks. Note that each port except the local one in a router has its own probe system.