Model-based development for time-triggered architectures
Herbert Griebel2004, The 23rd Digital Avionics Systems Conference (IEEE Cat. No.04CH37576)
Sign up for access to the world's latest research
checkGet notified about relevant papers
checkSave papers to use in your research
checkJoin the discussion with peers
checkTrack your impact
Abstract
Time-Triggered Architectures (TTA) and SCADE are both well-established technologies and tools for building safety-critical embedded software. Both are based on the same time-triggered approach;
Related papers
Systems Engineering of Time-Triggered Architectures - The Setta Approach +
IFAC Proceedings Volumes, 2000
SEIT A addresses the systems engineering of safety-critical distributed realtime systems with a special focus on time-triggered architectures. An innovative methodology and a corresponding engineering environment is developed which aims for a higher maturity at early development steps. Key features are the support for a virtual systems integration and the tighter interconnection between the functional development process and the safety analysis process. The supporting tool components are designed and implemented in the course of the SETT A project. The methodology is evaluated by pilot applications from the automotive. aerospace, and railway domain.
Aiding Modular Design and Verification of Safety-Critical Time-Triggered Systems by Use of Executable Formal Specifications
2008 11th IEEE High Assurance Systems Engineering Symposium, 2008
Designing safety-critical systems is a complex process, and especially when the design is carried out at different levels of abstraction where the correctness of the design at one level is not automatically sustained over the next level. In this work we focus on time-triggered (TT) systems where the resources of communication and computation are shared among different applications to reduce the overall cost of the system. This entails serializing both communication and computation which does not necessarily meet the assumptions made by the application. Hence, we present the concept of executable formal specification of general TT systems to establish a faithful model of the TT characteristics. Our focus is on general applications running in a synchronous environment. The proposed model can be easily customized by the user and it is able to support simulation and verification of the system. It also aids the effective deployment of applications, and the validation of the real system with model-based test generation. Our case study shows how the general model can be implemented in the SAL language and how SAL's tool suite can be used to guide the design of general TT systems.
TIMES - A Tool for Modelling and Implementation of Embedded Systems
2002
Times is a modelling and schedulability analysis tool for embedded real-time systems, developed at Uppsala University in 2001. It is appropriate for systems that can be described as a set of preemptive or non-preemptive tasks which are triggered periodically or sporadically by time or external events. It provides a graphical interface for editing and simulation, and an engine for schedulability analysis. The main features of Times are: A graphical editor for timed automata extended with tasks [1], which allows the user to model a system and the abstract behaviour of its environment In addition the user may specify a set of preemptive or non-preemtive tasks with parameters such as (relative) deadline, execution time, priority, etc. A simulator, in which the user can validate the dynamic behaviour of the system and see how the tasks execute according to the task parameters and a given scheduling policy. The simulator shows a graphical representation of the generated trace showing the time points when the tasks are released, invoked, suspended, resumed, and completed. A verifier for schedulability analysis, which is used to check if all reachable states of the complete system are schedulable that is, all task instances meet their deadlines. A symbolic algorithm has been developed based on the DBM techniques and implemented based on the verifier of the Uppaal tool [2]. A code generator for automatic synthesis of C-code on LegoOS platform from the model. If the automata model is schedulable according to the schedulability analyser the execution of the generated code will meet all the timing constraints specified in the model and the tasks.
A protocol for loosely time-triggered architectures
2002
A distributed real-time control system has a time-triggered nature, just because the physical system for control is bound to physics. Loosely Time-Triggered Architectures (ltta) are a weaker form of the strictly synchronous Time-Triggered Architecture proposed by Kopetz, in which the different periodic clocks are not synchronized, and thus may suffer from relative offset or jitter. We propose a protocol that ensures a coherent system of logical clocks on the top of ltta, and we provide several proofs for it, both manual and automatic, based on synchronous languages and associated model checkers. We briefly discuss how this can be used for correct deployment of synchronous designs on an ltta. 1 Loosely Time-Triggered Architectures (ltta) A distributed real-time control system has a time-triggered nature, just because the physical system for control is bound to physics. Loosely Time-Triggered Architectures are a weaker (and cheaper) form of the strictly synchronous Time-Triggered Architecture (tta) proposed by Kopetz [11]. An ltta is an architecture in which: 1/ access to the bus occurs quasiperiodically, in a non-blocking way, 2/ writings and readings are performed independently at each extremity of the bus in synchrony with each associated local clock, and 3/ the bus behaves like a shared memory, i.e., values are sustained by the bus and are periodically refreshed, based on a local clock. The term "quasi-periodically" indicates that the different clocks involved, for writing in, reading from, and updating the bus, are not synchronized. Still, this architecture is time-triggered in the sense that these clocks are bound to physical time, and deviate from each other in a certain "limited" way. ltta are in use in several major industries, they have been the subject of the Crisys project [6], where they are called quasi-synchronous, and of several investigations, by Caspi and co-workers, of the fundamental issues raised when deploying control applications on such architectures. ⋆ This work is or has been supported in part by the following projects : Esprit LTRsyrf (Esprit EP 22703), and Esprit R&D crisys EP 25514.
A novel modeling framework for time-triggered safety-critical embedded systems
Proceedings of the 2014 Forum on Specification and Design Languages (FDL), 2014
This paper presents the Platform Specific Time Triggered Model (PS-TTM), a SystemC based modeling and simulation framework for time-triggered safety-critical embedded systems. The approach facilitates the modeling of Time-Triggered Architecture (TTA) based embedded systems, following a strict separation between the designs of functionality and platform. The PS-TTM provides a value and time domain deterministic simulation environment for an early functional and temporal assessment of the systems. Moreover, the framework includes a time-triggered automatic test executor that enables to perform non-intrusive simulated fault injection (SFI) to the models. The SFI makes an early dependability assessment possible, what reduces the risk of late and expensive discovery of safety related pitfalls. The feasibility of the proposed framework is illustrated with a case study, based on the modeling, simulation and validation of a simplified railway on-board signaling system.
Loosely Time-Triggered Architectures for Cyber-Physical Systems
2010 Design, Automation & Test in Europe Conference & Exhibition (DATE 2010), 2010
Cyber-Physical Systems require distributed architectures to support safety critical real-time control. Kopetz' Time-Triggered Architectures (TTA) have been proposed as both an architecture and a comprehensive paradigm for systems architecture, for such systems. To relax the strict requirements on synchronization imposed by TTA, Loosely Time-Triggered Architectures (LTTA) have been recently proposed. In LTTA, computation and communication units at all triggered by autonomous, non synchronized, clocks. Communication media act as shared memories between writers and readers and communication is non blocking. In this paper we review the different variants of LTTA and discuss their principles and usage. 1
A unifying view of loosely time-triggered architectures
Proceedings of the tenth ACM international conference on Embedded software - EMSOFT '10, 2010
Cyber-Physical Systems require distributed architectures to support safety critical real-time control. Hermann Kopetz' Time-Triggered Architectures (TTA) have been proposed as both an architecture and a comprehensive paradigm for systems architecture, for such systems. To relax the strict requirements on synchronization imposed by TTA, Loosely Time-Triggered Architectures (LTTA) have been recently proposed. In LTTA, computation and communication units at all triggered by autonomous, non synchronized, clocks. Communication media act as shared memories between writers and readers and communication is non blocking. In this paper we pursue our previous work by providing a unified presentation of the two variants of LTTA (token-and timebased), with simplified analyses. We compare these two variants regarding performance and robustness and we provide ways to combine them.
Automated synthesis of Time-Triggered Architecture-based TrueTime models for platform effects simulation and analysis
Proceedings of 2010 21st IEEE International Symposium on Rapid System Protyping, 2010
The TrueTime toolbox simulates real-time control systems, including platform-specific details like process scheduling, task execution and network communications. Analysis using these models provides insight into platforminduced timing effects, such as jitter and delay. For safetycritical applications, the Time-Triggered Architecture (TTA) has been shown to provide the necessary services to create robust, fault-tolerant control systems. Communication induced timing effects still need to be simulated and analyzed even for TTA-compliant models. The process of adapting time-invariant control system models, through the inclusion of platform specifics, into TTA-based TrueTime models requires significant manual effort and detailed knowledge of the desired platform's execution semantics. In this paper, we present an extension of the Embedded Systems Modeling Language (ESMoL) tool chain that automatically synthesizes TTA-based TrueTime models. In our tools, timeinvariant Simulink models are imported into the ESMoL modeling environment where they are annotated with details of the desired deployment platforms. A constraintbased offline scheduler then generates the static TTA execution schedules. Finally, we synthesize new TrueTime models that encapsulate all of the TTA execution semantics. Using this approach it is possible to rapidly prototype, evaluate, and modify controller designs and their hardware platforms to better understand deployment induced performance and timing effects.
Loosely time-triggered architectures: improvements and comparisons
2015
Loosely Time-Triggered Architectures (LTTAs) are a proposal for constructing distributed embedded control systems. They build on the quasi-periodic architecture, where computing units execute 'almost periodically', by adding a thin layer of middleware that facilitates the implementation of synchronous applications. In this paper, we show how the deployment of a synchronous application on a quasi-periodic architecture can be modeled using a synchronous formalism. Then we detail two protocols, Back-Pressure LTTA, reminiscent of elastic circuits, and Time-Based LTTA, based on waiting. Compared to previous work, we present controller models that can be compiled for execution and a simplified version of the Time-Based protocol. We also compare the LTTA approach with architectures based on clock synchronization.
The COTRE Project: How to model and verify Real Time Architecture?
2002
COTRE (``COmposant Temps Réel'') is a two years project starting in January 2002, supported by Réseau National des Technologies Logicielles (RNTL) The COTRE Project aims at providing a design methodology and its associated software environment for the development of embedded real-time avionic systems. It contributes at bridging the gap between requirements of such systems, typically expressed in Architecture Description Languages, and formal development techniques, relying on modeling of systems and verification. This paper will summarize the final status of the project: • The graphical and textual description language used to model the architecture. We will also describe the work done with the AADL (Avionics Architecture Description Language) SAE standard subcommittee , • The specification and verification of properties of COTRE components through the definition of a verification language and the use of formal proof techniques.
Related papers
Polychronous modeling, analysis, verification and simulation for timed software architectures
2013
High-level modeling languages and standards, such as Simulink, SysML, MARTE and AADL (Architecture Analysis & Design Language), are increasingly adopted in the design of embedded systems so that system-level analysis, verification and validation (V&V) and architecture exploration are carried out as early as possible. This paper presents our main contribution in this aim by considering embedded systems architectural modeling in AADL and functional modeling in Simulink; an original clock-based timing analysis and validation of the overall system is achieved via a formal polychronous/multi-clock model of computation. In order to avoid semantics ambiguities of AADL and Simulink, their features related to real-time and logical time properties are first studied. We then endue them with a semantics in the polychronous model of computation. We use this model of computation to jointly analyze the non-functional real-time and logical-time properties of the system (by means of logical and affine clock relations). Our approach demonstrates, through several case-studies conducted with Airbus and C-S Toulouse in the European projects CESAR and OPEES, how to cope with the system-level timing verification and validation of high-level AADL and Simulink components in the framework of Polychrony, a synchronous modeling framework dedicated to the design of safety-critical embedded systems.
A UML-Based Design Framework for Time-Triggered Applications
2007
Time-triggered architectures (TTAs) are strong candidate platforms for safety-critical real-time applications. A typical time-triggered architecture is constituted by one or more clusters. Each cluster consists of nodes communicating with one another via a time-triggered communication protocol. Designing applications to run on such a platform is a challenging task. We address this problem by constructing a UML-based design framework which exposes the essential features of the time-triggered platforms at the UMLlevel and allows applications to be developed at a more abstract level before full implementation. To support preliminary functional validation, we have constructed a translator by which SystemC code can be automatically generated from UML designs. Our framework enables fast prototyping of time-triggered applications and early design validation. It also supports key design principles of TTAs, such as temporal firewalls and composability.
Towards Modularized Verification of Distributed Time-Triggered Systems
Lecture Notes in Computer Science, 2006
The correctness of a system according to a given specification is essential, especially for safety-critical applications. One such typical application domain is the automotive sector, where more and more safety-critical functions are performed by largely software-based systems.
Formal Verification of Fault-Tolerant Startup Algorithms for Time-Triggered Architectures: A Survey
Proceedings of the IEEE, 2016
Time-triggered architectures form the important component of many distributed computing platforms for safetycritical real-time applications such as avionics and automotive control systems. TTA, FlexRay and TTCAN are examples of such time-triggered architectures that have been popular in recent times. These architectures involve a number of algorithms for synchronizing a set of distributed computing nodes for meaningful exchange of data among themselves. The algorithms include a startup algorithm whose job is to integrate one or more nodes into the group of communicating nodes. The startup algorithm runs on every node when the system is powered up, and again after a failure occurs. Some critical issues need to be considered in the design of the startup algorithms, for example, the algorithms should be robust under reasonable assumptions of failures of nodes and channels. The safety-critical nature of the applications where these algorithms are used demand rigorous verification of these algorithms and there have been numerous attempts to use formal verification techniques for this purpose. This paper focuses on various formal verification efforts carried out for ensuring the correctness of the startup algorithms. In particular, the verification of different startup algorithms used in three time-triggered architectures, TTA, FlexRay and TTCAN, are studied, compared and contrasted. Besides presenting the various verification approaches for these algorithms, the gaps and possible improvements on the verification efforts are also indicated.
Loosely Time-Triggered Architectures
ACM Transactions on Embedded Computing Systems, 2016
Loosely Time-Triggered Architectures (LTTAs) are a proposal for constructing distributed embedded control systems. They build on the quasi-periodic architecture, where computing units execute nearly periodically , by adding a thin layer of middleware that facilitates the implementation of synchronous applications. In this article, we show how the deployment of a synchronous application on a quasi-periodic architecture can be modeled using a synchronous formalism. Then we detail two protocols, Back-Pressure LTTA, reminiscent of elastic circuits, and Time-Based LTTA, based on waiting. Compared to previous work, we present controller models that can be compiled for execution, a simplified version of the Time-Based protocol and optimizations for systems using broadcast communication. We also compare the LTTA approach with architectures based on clock synchronization.
Modeling and verification of a time-triggered networking protocol
Analysis estimates that more than 80% of all current innovations within vehicles are based on distributed electronic systems. Critical to the functionality and application domain of such systems is the underlying communication network. Current advances in control networking technology indicate that time-triggered architectures offer improvements in deterministic behaviour, which are particularly appropriate for safety-critical and real-time applications. Here we present novel work on the formal specification and formal verification of a timetriggered protocol: ISO 11898-4 -Time Triggered communication on the Controller Area Network (TTCAN)®. This work has been carried out using the UPPAAL model checker based tool set which is capable of verifying safety properties as formalised by simple reachability properties. These verifiable properties are a subset of those possible in a full realisation of Timed Computation Tree Logic (TCTL). Three TTCAN network automata and a medium automaton were designed. Nine properties including deadlock were examined. The results provide a high degree of confidence in the correctness of the TTCAN protocol specification. The formal verification research work described here was conducted in parallel with the preparation of the ISO standard protocol specification for TTCAN.
Towards Secure Time-Triggered Systems
Lecture Notes in Computer Science, 2012
This paper presents the development of a novel joint safety and security architecture for dependable embedded time-triggered systems. While fault-tolerance properties of time-triggered protocols have been very well studied, research on security aspects for time-triggered systems have hardly been covered. Therefore, we explore system design principles which efficiently realize security mechanisms for time-triggered architectures. A particular focus is on synergistic effects of security and safety-related functions, thereby supporting the roll-out of safety-critical embedded systems even in 'untrusted' environments. As a main contribution, we present the Secure COmmunication in Time-Triggered sYstems (SCOTTY) approach to build secure time-triggered systems.
Toward Polychronous Analysis and Validation for Timed Software Architectures in AADL
Design, Automation & Test in Europe Conference & Exhibition (DATE), 2013, 2013
High-level architecture modeling languages, such as Architecture Analysis & Design Language (AADL), are gradually adopted in the design of embedded systems so that design choice verification, architecture exploration, and system property checking are carried out as early as possible. This paper presents our recent contributions to cope with clock-based timing analysis and validation of software architectures specified in AADL. In order to avoid semantics ambiguities of AADL, we mainly consider the AADL features related to real-time and logical time properties. We endue them with a semantics in the polychronous model of computation; this semantics is quickly reviewed. The semantics enables timing analysis, formal verification and simulation. In addition, thread-level scheduling, based on affine clock relations is also briefly presented here. A tutorial avionic case study, provided by C-S, has been adopted to illustrate our overall contribution.
Modeling logical execution time based safety-critical embedded systems in SystemC
2014 3rd Mediterranean Conference on Embedded Computing (MECO), 2014
The increase in the amount of functionalities provided by safety-critical systems in the last years has lead to a complexity growth in these systems. Several techniques have been developed in order to tackle this issue, including simplification strategies and the definition of time-deterministic models of computation (MoCs) and architectures, such as the Logical Execution Time MoC (LET) and the Time-Triggered Architecture (TTA) respectively. Although TTA based systems relying on the LET MoC have already been successfully applied to safety-critical systems, SystemC, the nowadays de-facto standard in HW/SW system development, does not provide a LET-based simulation engine for the modeling and assessment of these systems. With the aim to fill this gap, this paper presents the PI-TTM, a novel SystemC extension for the modeling and simulation of LET based safety-critical embedded systems.
Timed behavioural modelling and affine scheduling of embedded software architectures in the AADL using Polychrony
Science of Computer Programming, 2015
High-level modelling languages and standards, such as Simulink, UML, SysML, MARTE and AADL (Architecture Analysis & Design Language), meet increasing adoption in the design of embedded systems in order to carry out system-level analysis, verification and validation (V&V) and architecture exploration, as early as possible. These analysis, V&V, architecture exploration techniques rely on mathematical foundations and formal methods in order to avoid semantics ambiguities in the design of safety-critical systems. In order to support integration validation, it is necessary to define a formal framework of virtual prototyping to integrate, verify, exercise and analyse the application code generated by modelling tools as early as possible and virtually integrate it with simulators of third-party middleware and hardware. Such a virtual prototyping platform makes it possible to validate the expected behaviour of the final application software and check that the resulting system indeed meets the specified performance requirements before the actual hardware even actually exists. In this paper, we present the definition, development and case-study validation of such a comprehensive framework, based on the synchronous paradigm and the polychronous model of computation and communication of its supportive open-source toolset: Polychrony. A longer-term aim of our work is to equip the AADL standard with an architecturecentric framework allowing for synchronous modelling, verification and synthesis of embedded software.
Loading Preview
Sorry, preview is currently unavailable. You can download the paper by clicking the button above.