Synchronous programming



Similar documents
SCADE Suite in Space Applications

Certification of a Scade 6 compiler

Specification and Analysis of Contracts Lecture 1 Introduction

A Static Analyzer for Large Safety-Critical Software. Considered Programs and Semantics. Automatic Program Verification by Abstract Interpretation

The Model Checker SPIN

Comprehensive Static Analysis Using Polyspace Products. A Solution to Today s Embedded Software Verification Challenges WHITE PAPER

[Refer Slide Time: 05:10]

University of Paderborn Software Engineering Group II-25. Dr. Holger Giese. University of Paderborn Software Engineering Group. External facilities

Sources: On the Web: Slides will be available on:

RATP safety approach for railway signalling systems

Informatica e Sistemi in Tempo Reale

Best Practices for Verification, Validation, and Test in Model- Based Design

Real Time Programming: Concepts

Software testing. Objectives

Compliance and Requirement Traceability for SysML v.1.0a

FROM SAFETY TO SECURITY SOFTWARE ASSESSMENTS AND GUARANTEES FLORENT KIRCHNER (LIST)

Software Engineering. Computer Science Tripos 1B Michaelmas Richard Clayton

Software Testing & Analysis (F22ST3): Static Analysis Techniques 2. Andrew Ireland

Embedded Systems. Review of ANSI C Topics. A Review of ANSI C and Considerations for Embedded C Programming. Basic features of C

Real-Time Component Software. slide credits: H. Kopetz, P. Puschner

CS 141: Introduction to (Java) Programming: Exam 1 Jenny Orr Willamette University Fall 2013

PROBLEM SOLVING SEVENTH EDITION WALTER SAVITCH UNIVERSITY OF CALIFORNIA, SAN DIEGO CONTRIBUTOR KENRICK MOCK UNIVERSITY OF ALASKA, ANCHORAGE PEARSON

PATRIOT MISSILE DEFENSE Software Problem Led to System Failure at Dhahran, Saudi Arabia

Moving from CS 61A Scheme to CS 61B Java

Syntax Check of Embedded SQL in C++ with Proto

The Course.

How To Test Automatically

First Java Programs. V. Paúl Pauca. CSC 111D Fall, Department of Computer Science Wake Forest University. Introduction to Computer Science

Glossary of Object Oriented Terms

SCADE SUITE SOFTWARE VERIFICATION PLAN FOR DO-178B LEVEL A & B

Formal verification of contracts for synchronous software components using NuSMV

The C Programming Language course syllabus associate level

Abstract Interpretation-based Static Analysis Tools:

Software Safety Basics

Static Analysis. Find the Bug! : Analysis of Software Artifacts. Jonathan Aldrich. disable interrupts. ERROR: returning with interrupts disabled

Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification

ARIZONA CTE CAREER PREPARATION STANDARDS & MEASUREMENT CRITERIA SOFTWARE DEVELOPMENT,

Integrating System Safety and Software Assurance

Meeting DO-178B Software Verification Guidelines with Coverity Integrity Center

Introduction to SPIN. Acknowledgments. Parts of the slides are based on an earlier lecture by Radu Iosif, Verimag. Ralf Huuck. Features PROMELA/SPIN

Attaining EDF Task Scheduling with O(1) Time Complexity

Outline. hardware components programming environments. installing Python executing Python code. decimal and binary notations running Sage

Static Analysis of Dynamic Properties - Automatic Program Verification to Prove the Absence of Dynamic Runtime Errors

Object Oriented Software Design

The programming language C. sws1 1

Simulink Modeling Guidelines for High-Integrity Systems

KITES TECHNOLOGY COURSE MODULE (C, C++, DS)

Reduce Medical Device Compliance Costs with Best Practices.

From Control Loops to Software

Methods and Tools For Embedded Distributed System Scheduling and Schedulability Analysis

Object Oriented Software Design

SPAZIO IT. Spazio IT Open Source & AVIONICs. Open Source & Avionics. December 2014

C++ Programming Language

INF5140: Specification and Verification of Parallel Systems

Load balancing Static Load Balancing

A Quality Requirements Safety Model for Embedded and Real Time Software Product Quality

Real-Time Systems Prof. Dr. Rajib Mall Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

ARIZONA CTE CAREER PREPARATION STANDARDS & MEASUREMENT CRITERIA SOFTWARE DEVELOPMENT,

Using UML Part Two Behavioral Modeling Diagrams

Computer Programming. Course Details An Introduction to Computational Tools. Prof. Mauro Gaspari:

System modeling. Budapest University of Technology and Economics Department of Measurement and Information Systems

INF5140: Specification and Verification of Parallel Systems

Introduction to Computers and Programming. Testing

Automatic Test Data Generation for TTCN-3 using CTE

We will learn the Python programming language. Why? Because it is easy to learn and many people write programs in Python so we can share.

Unified Static and Runtime Verification of Object-Oriented Software

Flip-Flops, Registers, Counters, and a Simple Processor

Boolean Expressions, Conditions, Loops, and Enumerations. Precedence Rules (from highest to lowest priority)

MPLAB Harmony System Service Libraries Help

Introduction to Formal Methods. Các Phương Pháp Hình Thức Cho Phát Triển Phần Mềm

Sequence Diagrams. Massimo Felici. Massimo Felici Sequence Diagrams c

Operating Systems 4 th Class

Load Balancing and Termination Detection

Why? A central concept in Computer Science. Algorithms are ubiquitous.

Software Engineering using Formal Methods

4 Applying DO-178B for safe airborne software

PL/SQL Overview. Basic Structure and Syntax of PL/SQL

Software Testing. Quality & Testing. Software Testing

Object Oriented Software Design II

Static Program Transformations for Efficient Software Model Checking

Programming Languages & Tools

Outline. 1 Denitions. 2 Principles. 4 Implementation and Evaluation. 5 Debugging. 6 References

Introduction to Software Paradigms & Procedural Programming Paradigm

Software Testing. Definition: Testing is a process of executing a program with data, with the sole intention of finding errors in the program.

Beyond the Mouse A Short Course on Programming

Pemrograman Dasar. Basic Elements Of Java

Jorix kernel: real-time scheduling

Feasibility of a Software Process Modeling Library based on MATLAB / Simulink

Embedded Software Development with MPS

Crash Course in Java

Computer Programming I

How To Develop A Static Analysis System For Large Programs

Transcription:

Synchronous programming Critical Real Time Embedded Software David Lesens Wednesday, 06 October 200 Synchronous programming Eugene Asarin Mehdi Dogguy David Lesens 06/0/200 p2 Master 2 Critical System Synchronous programming David LESENS

Overview Critical real-time embedded software Principles of the approach Introduction Formal semantics SCADE Model validation 06/0/200 p3 Master 2 Critical System Synchronous programming David LESENS 06/0/200 p4 Master 2 Critical System Synchronous programming David LESENS 2

Where can we find software? Windows, Linux PowerPoint Latex Compilers Mathematical software (e.g. computation of π) Mobile phone Space Nuclear plant Airplane Software is is everywhere Are all all these pieces of of software the same? 06/0/200 p5 Master 2 Critical System Synchronous programming David LESENS There is software and software Our topic is Critical Real Time Embedded Software 06/0/200 p6 Master 2 Critical System Synchronous programming David LESENS 3

What is embedded software? Windows, Linux PowerPoint Latex Compilers The software has its own objective We can buy the software Mathematical software (e.g. computation of π) Mobile phone Space launcher Nuclear plant Airplane The software is part of the system We can only buy the system 06/0/200 p7 Master 2 Critical System Synchronous programming David LESENS Compute the first 0,000 digits of Pi pi=3.459 26535 89793 23846 26433 83279 50288 497 69399 3750 58209 74944 59230 7864 06286 20899 86280 34825 342 70679 8248 0865 32823 06647 09384 46095 50582 2372 53594 0828 48 74502 8402 7093 852 05559 64462 29489 54930 3896 44288 0975 66593 3446 28475 64823 37867 8365 2720 909 45648 56692 34603 4860 45432 66482 3393 60726 0249 4273 72458 70066 0635 5887 4885 20920 96282 92540 975 36436 78925 90360 033 05305 48820 46652 384 4695 945 6094 33057 27036 57595 9953 0928 673 8932 679 305 8548 07446 23799 62749 56735 8857 52724 8922 7938 830 9492 98336 73362 44065 66430 8602 39494 63952 24737 9070 2798 60943 70277 05392 776 2937 67523 84674 8846 76694 0532 00056 827 45263 56082 77857 7342 75778 9609 73637 7872 4684 4090 22495 3430 46549 58537 0507 92279 68925 89235 4209 956 2290 2960 86403 448 5983 62977 4773 09960 5870 723 49999 99837 29780 4995 05973 7328 6096 3859 50244 59455 34690 83026 42522 30825 33446 85035 2693 88 700 0033 78387 52886 58753 32083 8420 677 7669 47303 59825 34904 28755 46873 595 62863 88235 37875 9375 95778 8577 80532 722 68066 300 92787 66 95909 2642 0989 38095 25720 0654 85863 27886 5936 5338 82796 82303 0952 03530 8529 68995 77362 25994 389 24972 7752 83479 35 55748 57242 4545 06959 50829 533 6867 27855 88907 50983 8754 63746 49393 9255 06040 09277 067 3900 98488 2402 85836 6035 63707 6600 470 8942 95559 6989 46767 83744 94482 55379 77472 6847 04047 53464 62080 46684 25906 9492 9333 67702 8989 5204 7526 20569 66024 05803 850 935 25338 24300 35587 64024 74964 73263 949 92726 04269 92279 67823 5478 63600 9347 264 2992 45863 5030 2868 29745 55706 74983 85054 94588 58692 69956 90927 2079 75093 02955 326 53449 87202 75596 02364 80665 499 9888 34797 75356 63698 07426 54252 78625 588 4757 46728 90977 77279 38000 8647 0600 6452 4992 732 7247 72350 444 9735 68548 636 573 52552 3347 5748 49468 43852 33239 07394 4333 45477 6246 8625 89835 69485 56209 9292 2284 27255 02542 56887 6779 04946 0653 46680 49886 27232 7978 60857 84383 82796 79766 8454 0095 38837 86360 95068 00642 2525 205 73929 84896 0842 84886 26945 60424 9652 85022 2066 863 06744 27862 2039 94945 0472 3737 86960 95636 4379 7287 46776 46575 73962 4389 08658 32645 9958 33904 78027 59009 94657 64078 9526 94683 98352 59570 98258 22620 52248 94077 2679 47826 84826 0476 99090 2640 36394 43745 53050 68203 49625 2457 49399 6543 4298 0990 65925 09372 2696 465 57098 58387 4059 78859 59772 97549 8930 6753 92846 8382 68683 86894 2774 5599 85592 52459 53959 4304 99725 24680 84598 72736 44695 84865 38367 36222 62609 9246 0805 24388 43904 5244 3654 97627 80797 7569 4359 97700 296 60894 4694 86855 58484 06353 42207 22258 28488 6485 84560 28506 0684 27394 52267 46767 88952 5238 52254 99546 66727 82398 64565 966 35488 62305 77456 49803 55936 34568 7432 425 5076 06947 9450 96596 09402 52288 7970 8934 5669 36867 22874 89405 600 50330 8679 28680 92087 47609 7824 93858 90097 4909 67598 5263 65549 7889 3297 8482 68299 89487 22658 80485 75640 4270 47755 5323 7964 4552 37462 34364 54285 84447 95265 86782 05 4354 73573 9523 3427 660 2359 69536 2344 29524 84937 87 0457 65403 59027 99344 03742 0073 05785 39062 9838 74478 08478 48968 3324 4573 86875 9435 06430 2845 390 4848 00537 0646 80674 9927 89 97939 95206 496 63428 75444 06437 4523 789 2799 9839 059 9568 4675 4269 2397 48940 9078 64942 396 56794 52080 9546 55022 5236 0388 9304 20937 6237 85595 66389 37787 08303 90697 92077 34672 2825 62599 6650 425 03068 03844 77345 49202 6054 46659 2520 49744 28507 3258 66600 2324 34088 907 04863 3734 64965 4539 05796 26856 0055 0806 65879 6998 63574 73638 40525 7459 0289 7064 400 9720 62804 39039 7595 5677 57700 42033 78699 36007 23055 8763 76359 4287 325 4720 53292 898 2686 2586 7325 7998 4484 8829 64470 60957 52706 95722 0975 676 7229 0986 9095 2807 35067 2748 58322 2878 35209 35396 5725 2083 5795 3698 8209 4442 00675 0334 670 342 67 36990 86585 6398 350 9706 55 6857 4376 5768 3555 65088 49099 89859 98238 73455 2833 63550 76479 8535 89322 6854 89632 3293 30898 57064 20467 52590 7095 484 65498 5946 6378 02709 8994 30992 44889 5757 28289 05923 23326 09729 9720 84433 57326 54893 8239 9325 97463 66730 58360 4428 3883 03203 82490 37589 85243 7447 0293 27656 8093 77344 40307 07469 220 930 20330 3809 762 000 44929 325 60842 44485 96376 69838 95228 68478 3235 52658 234 49576 85726 24334 4893 03968 64262 4340 77322 69780 28073 895 440 0446 82325 2762 0052 65227 26 60396 66557 30925 470 55785 37634 66820 6530 98965 2698 62056 47693 2570 58635 6620 8558 00729 36065 98764 867 9045 33488 50346 365 76867 53249 4466 80396 26579 7877 85560 84552 9654 26654 08530 6434 4438 58676 9754 5664 06800 70023 78776 5934 407 27494 70420 56223 05389 9456 3407 270 00407 85473 32699 3908 45466 46458 80797 27082 66830 63432 85878 56983 05235 80893 30657 57406 79545 7637 75254 202 49557 658 40025 0262 28594 302 6475 50979 25923 09907 96547 3762 5576 5675 3575 78296 66454 7797 450 2996 48903 04639 9473 2962 07340 4375 89573 5964 5890 93897 3 79042 97828 56475 03203 9869 540 28708 08599 0480 0942 4722 379 47647 77262 2442 54854 54033 257 85306 4228 8375 85043 06332 758 29798 66223 772 5960 7766 92547 48738 98665 49494 504 65406 28433 66393 79003 97692 65672 4638 53067 36096 5720 9807 63832 7664 6274 88880 07869 25602 90228 4720 4037 286 08204 9000 42296 67 96377 9233 7575 4959 5056 60496 3862 94726 54736 42523 0877 03675 5906 73502 35072 83540 56704 03867 4353 62222 4775 8950 49530 98444 89333 09634 08780 76932 59939 78054 934 44737 7448 4263 29860 80998 88687 4326 0472 5695 62396 58645 7302 6359 893 9567 3538 2974 67729 47867 24229 24654 36680 09806 76928 23828 06899 64004 82435 40370 463 4965 89794 09243 23789 69070 69779 42236 25082 2688 95738 37986 2300 59377 6476 5228 93578 6058 867 55782 97352 33446 0428 5262 72037 3434 6539 77774 603 99066 5548 76397 92933 4495 254 3489 94854 44734 56738 3624 9934 938 4809 27777 0386 38773 4377 20754 56545 32207 77092 209 0566 09628 04909 26360 9759 8828 6332 3666 36528 6932 66863 36062 73567 63035 44776 28035 04507 77235 5470 58595 48702 7908 43562 4045 780 62464 36267 9456 2753 8340 78330 33625 42327 83944 97538 24372 05835 347 799 26063 8334 67768 79695 97030 98339 3077 0987 04085 9337 4644 42822 77263 46594 70474 58784 77872 0927 7528 0737 67907 7075 7234 44730 60570 07334 92436 933 83504 9363 2840 4252 9256 5798 0694 3528 034 7030 4786 43788 5852 90928 54520 658 3934 96562 349 4345 95625 86586 55705 52690 49652 09858 03385 07224 26482 93972 85847 8363 05777 75606 88876 44624 82468 57926 03953 52773 48030 48029 00587 60758 2504 74709 6439 6362 67604 49256 27420 42083 20856 690 62545 43372 353 59584 50687 72460 2906 8766 79524 0663 42522 5779 5429 6299 93064 55377 9940 37340 43287 52628 88963 99587 94757 2974 64263 57455 25407 9094 5357 36 9409 939 3259 0760 20825 2026 87985 3887 70584 29725 9677 834 96990 0909 269 7737 27847 68472 68608 49003 37702 42429 653 00500 5683 23364 35038 9570 29893 92233 4572 2038 2806 9650 7844 08745 960 2228 59937 623 307 4448 46409 03890 64495 44400 6986 90754 8560 26327 50529 8349 87407 86680 8883 3850 22833 45085 04860 82503 9302 3329 755 84306 35455 00766 82829 49304 3776 55279 3975 7546 39539 84683 39363 83047 469 96653 8585 38420 56853 3862 86725 23340 28308 723 28278 9225 0772 62946 32295 63989 89893 582 67456 2700 2835 64622 0349 675 8890 97303 898 00497 34072 3960 36854 06643 9395 09790 9069 96395 52453 00545 05806 8550 95673 02292 939 3398 56803 44903 98205 9550 02263 53536 9204 9947 45538 5938 02343 95544 95977 83779 02374 267 27 72364 34354 39478 228 85286 24085 4006 66044 33258 88569 86705 4354 70696 57474 58550 33232 3342 0730 54594 0565 53790 68662 73337 99585 562 57843 22988 27372 3989 8757 4595 78 96358 33005 94087 3068 2602 87649 62867 44604 77464 9599 50549 73742 56269 0049 03778 9868 35938 4657 4268 04925 64879 8556 45372 34786 73303 90468 83834 36346 55379 49864 9270 56387 2937 48723 32083 760 23029 936 79386 27089 43879 93620 6295 543 3742 48928 30722 0269 0475 46684 76535 7664 77379 46752 00490 7575 55278 9653 6232 39264 0660 3635 8559 07422 02020 3872 77605 2772 90055 6484 2555 87925 30343 5398 44253 2234 57623 3606 42506 39049 75008 65627 0953 5994 65897 543 0348 22769 30624 74353 63256 9607 8547 88 52843 66795 706 0865 3350 4452 27473 92454 49454 23682 88606 3408 4486 37767 0096 2075 249 40430 27253 86076 48236 3443 34623 5897 57664 5264 3767 96903 4950 908 57598 44239 9862 9642 9399 49072 36234 64684 473 94032 6598 40443 7805 33389 45257 42399 50829 6592 28508 55582 5725 0307 2570 2668 30240 29295 25220 872 67675 62204 5420 568 4634 84756 5699 986 40 00299 60783 86909 2960 30288 40026 904 40792 8862 50784 2456 70908 70006 99282 2066 0483 7806 53556 72525 32567 53286 290 42487 7682 58297 6557 95984 70356 22262 93486 0034 58722 98053 49896 50226 2974 87882 02734 20922 22453 39856 26476 6949 05562 84250 3927 5770 28402 79980 66365 82548 89264 88025 4566 0729 67026 64076 55904 29099 4568 50652 65305 3782 9427 03369 3378 5786 09040 70866 749 65583 43434 76933 8578 738 64558 73678 230 45876 8726 60348 9390 95620 09939 3603 029 665 2883 84379 09904 2374 73363 94804 57593 493 40529 76347 5748 9356 709 0377 572 00803 5590 24853 09066 92037 6792 20332 29094 33467 6854 2244 77379 39375 7034 4366 9904 03375 73 5479 8550 46449 02636 5528 6228 82446 25759 6333 0390 72253 83742 824 08835 08657 3977 5096 82887 47826 56995 99574 49066 7583 4437 52239 70968 34080 05355 9849 7547 3888 39994 46974 86762 6556 58276 58483 58845 3427 75687 90029 0957 02835 2976 34456 2296 40435 237 60066 502 4200 65975 5852 7678 58382 9204 97484 42360 8007 93045 7689 32349 22927 9650 9875 8722 72675 0798 25547 09589 04556 35792 220 33346 69749 92356 30254 94780 2490 495 2238 2853 094 07907 38602 5522 74299 5880 7247 6259 66854 5333 2394 80494 7079 953 26734 30282 4486 0442 63639 54800 04480 02670 49624 8207 92896 47669 7583 8327 3425 7029 69234 88962 76684 40323 26092 75249 60357 99646 92565 04936 8836 09003 23809 29345 95889 70695 36534 94060 3402 66544 37558 90045 63288 22505 45255 64056 44824 655 87547 962 8443 96582 53375 43885 69094 303 5095 2679 37800 2974 20766 5479 39425 90298 96959 46995 56576 286 5696 73378 62362 5625 2632 08628 69222 0327 48892 8654 36480 22967 80705 7656 5446 32046 92790 6822 07388 3778 42335 62823 60896 32080 68222 4680 22482 677 8589 6384 0983 90367 36722 20888 325 37556 00372 79839 4004 52970 02878 30766 70944 47456 0345 5647 25437 09069 79396 2257 4298 9467 54357 84687 8864 4458 2345 9357 98492 25284 7605 04922 2424 704 2478 05734 5505 0080 90869 96033 02763 47870 808 75450 930 742 23390 86639 38339 52942 57869 05076 4300 63835 9834 38934 596 3854 34754 64955 6978 03829 3097 6465 43840 70070 73604 237 35998 43452 256 05070 27056 23526 6027 64848 30840 768 3030 52793 20542 74628 65403 60367 45328 6505 70658 74882 25698 5793 67897 66974 22057 50596 83440 86973 5020 4020 67235 85020 07245 22563 2653 4055 9240 90274 2624 8439 40359 98953 53945 90944 07046 9209 4093 8700 26456 0062 37428 8020 92764 5793 06579 22955 24988 72758 460 26483 69998 92256 95968 8592 05600 065 52563 7567 06/0/200 p8 Master 2 Critical System Synchronous programming David LESENS 4

Real time? Transformational systems Inputs available on execution start Outputs delivered on execution end Interactive systems React to their environment To their own speed Reactive systems React to their environment To a speed imposed by the environment e.g. Mathematical computation e.g. Windows, Powerpoint e.g. Control / Command of a spacecraft 06/0/200 p9 Master 2 Critical System Synchronous programming David LESENS Critical? What does it mean? 06/0/200 p0 Master 2 Critical System Synchronous programming David LESENS 5

06/0/200 p Master 2 Critical System Synchronous programming David LESENS Critical? What does it mean? Intuitively, a critical system is a system which failure can have severe impacts Nuclear Aeronautic Automotive Railway Space 06/0/200 p2 Master 2 Critical System Synchronous programming David LESENS 6

Software criticality levels Standards define precisely software criticality levels: For instance: DO78B and DO78C for airborne systems ECSS for space systems European Committee for Space Standardization 06/0/200 p3 Master 2 Critical System Synchronous programming David LESENS Software criticality categories ECSS-Q-80C Software criticality category A B C D Definition Software that if not executed, or if not correctly executed, or whose anomalous behaviour could cause or contribute to a system failure resulting in: Catastrophic consequences Software that if not executed, or if not correctly executed, or whose anomalous behaviour could cause or contribute to a system failure resulting in: Critical consequences Software that if not executed, or if not correctly executed, or whose anomalous behaviour could cause or contribute to a system failure resulting in: Major consequences Software that if not executed, or if not correctly executed, or whose anomalous behaviour could cause or contribute to a system failure resulting in: Minor or Negligible consequences 06/0/200 p4 Master 2 Critical System Synchronous programming David LESENS 7

Software criticality categories ECSS-Q-80C Software criticality category A B C D Definition Software that if not executed, or if not correctly executed, or whose anomalous behaviour could cause or contribute to a system failure resulting in: Catastrophic consequences Software that if not executed, or if not correctly executed, or whose anomalous behaviour could cause or contribute to a system failure resulting in: Critical consequences Software that if not executed, or if not correctly executed, or whose anomalous behaviour could cause or contribute to a system failure resulting in: Major consequences Software that if not executed, or if not correctly executed, or whose anomalous behaviour could cause or contribute to a system failure resulting in: Minor or Negligible consequences 06/0/200 p5 Master 2 Critical System Synchronous programming David LESENS Software criticality categories ECSS-Q-80C Software criticality category A B C D Definition Software that if not executed, or if not correctly executed, or whose anomalous behaviour could cause or contribute to a system failure resulting in: Catastrophic consequences Software that if not executed, or if not correctly executed, or whose anomalous behaviour could cause or contribute to a system failure resulting in: Critical consequences Software that if not executed, or if not correctly executed, or whose anomalous behaviour could cause or contribute to a system failure resulting in: Major consequences Software that if not executed, or if not correctly executed, or whose anomalous behaviour could cause or contribute to a system failure resulting in: Minor or Negligible consequences 06/0/200 p6 Master 2 Critical System Synchronous programming David LESENS 8

Software criticality categories ECSS-Q-80C Software criticality category A B C D Definition Software that if not executed, or if not correctly executed, or whose anomalous behaviour could cause or contribute to a system failure resulting in: Catastrophic consequences Software that if not executed, or if not correctly executed, or whose anomalous behaviour could cause or contribute to a system failure resulting in: Critical consequences Software that if not executed, or if not correctly executed, or whose anomalous behaviour could cause or contribute to a system failure resulting in: Major consequences Software that if not executed, or if not correctly executed, or whose anomalous behaviour could cause or contribute to a system failure resulting in: Minor or Negligible consequences 06/0/200 p7 Master 2 Critical System Synchronous programming David LESENS Severity Catastrophic hazards Critical hazards Marginal hazards Negligible hazards Consequence ECSS-Q-40B i) loss of life, life-threatening or permanently disabling injury or occupational illness, loss of an element of an interfacing manned flight system; ii) loss of launch site facilities or loss of system; iii) severe detrimental environmental effects. i) temporarily disabling but not life-threatening injury, or temporary occupational illness; ii) major damage to flight systems or loss or major damage to ground facilities; iii) major damage to public or private property; or iv) major detrimental environmental effects minor injury, minor disability, minor occupational illness, or minor system or environmental damage less than minor injury, disability, occupational illness, or less than minor system or environmental damage 06/0/200 p8 Master 2 Critical System Synchronous programming David LESENS 9

Severity Catastrophic hazards Critical hazards Marginal hazards Negligible hazards Consequence ECSS-Q-40B i) loss of life, life-threatening or permanently disabling injury or occupational illness, loss of an element of an interfacing manned flight system; ii) loss of launch site facilities or loss of system; iii) severe detrimental environmental effects. i) temporarily disabling but not life-threatening injury, or temporary occupational illness; ii) major damage to flight systems or loss or major damage to ground facilities; iii) major damage to public or private property; or iv) major detrimental environmental effects minor injury, minor disability, minor occupational illness, or minor system or environmental damage less than minor injury, disability, occupational illness, or less than minor system or environmental damage 06/0/200 p9 Master 2 Critical System Synchronous programming David LESENS Severity Catastrophic Hazardous / Severe-Major Major Minor No Effect DO78B differs lightly from the ECSS Consequence Failure conditions which would prevent continued safe flight and landing Failure conditions which would reduce the capability of the aircraft or the ability of the crew to cope with adverse operating conditions to the extent that there would be: () a large reduction in safety margins or functional capabilities, (2) physical distress or higher workload such that the flight crew could not be relied on to perform their tasks accurately or completely, or (3) adverse effects on occupants including serious or potentially fatal injuries to a small number of those occupants Failure conditions which would reduce the capability of the aircraft or the ability of the crew to cope with adverse operating conditions to the extent that there would be, for example, a significant reduction in safety margins or functional capabilities, a significant increase in crew workload or in conditions impairing crew efficiency, or discomfort to occupants, possibly including injuries Failure conditions which would not significantly reduce aircraft safety, and which would involve crew actions that are well within their capabilities. Minor failure conditions may include, for example, a slight reduction in safety margins or functional capabilities, a slight Failure conditions which do not affect the operational capability of the aircraft or increase crew workload 06/0/200 p20 Master 2 Critical System Synchronous programming David LESENS 0

Wikipedia Vocabulary Security is the degree of protection against danger, loss, and criminals. Reliability is the ability of a person or system to perform and maintain its functions in routine circumstances, as well as hostile or unexpected circumstances. Safety is the state of being "safe" (from French sauf), the condition of being protected against [ ] consequences of failure, damage, error, accidents, harm or any other event which could be considered non-desirable. It can include protection of people or of possessions. 06/0/200 p2 Master 2 Critical System Synchronous programming David LESENS Wikipedia Safety & Security in Software Engineering The key difference between security and reliability is that security must take into account the actions of people attempting to cause destruction. Safety The software must not harm the world Security The world must not harm the software 06/0/200 p22 Master 2 Critical System Synchronous programming David LESENS

Example : The First Computer Bug 06/0/200 p23 Master 2 Critical System Synchronous programming David LESENS Example 2: The Patriot Missile Failure On February 25, 99, during the Gulf War, an American Patriot Missile battery in Dharan, Saudi Arabia, failed to track and intercept an incoming Iraqi Scud missile. The Scud struck an American Army barracks, killing 28 soldiers and injuring around 00 other people. A report of the General Accounting office, GAO/IMTEC-92-26, entitled Patriot Missile Defense: Software Problem Led to System Failure at Dhahran, Saudi Arabia reported on the cause of the failure. It turns out that the cause was an inaccurate calculation of the time since boot due to computer arithmetic errors. 06/0/200 p24 Master 2 Critical System Synchronous programming David LESENS 2

Failure in space Trident Sea launch 06/0/200 p25 Master 2 Critical System Synchronous programming David LESENS Overview Critical real-time embedded software Principles of the approach Introduction Formal semantics SCADE Model validation 06/0/200 p26 Master 2 Critical System Synchronous programming David LESENS 3

NASA's Climate Orbiter was lost September 23, 999, due to a software bug One engineering team used metric units while another used English units 06/0/200 p27 Master 2 Critical System Synchronous programming David LESENS Why is System (to Software) Engineering complicated? Thermal control Mission management Flight control Communication Solar wings Spacecraft design Software development Power management Propulsion 06/0/200 p28 Master 2 Critical System Synchronous programming David LESENS 4

The V development cycle System requirements System qualification System design Subsystem requirements Validation tests System integration Subsystem validation Software development Subsystem design Subsystem development Integration tests Unitary tests Subsystem integration testing Unitary testing 06/0/200 p29 Master 2 Critical System Synchronous programming David LESENS Costs of critical software development Specification 0% Design 0% Development/TU 25% Integration tests 5% Validation 50% 06/0/200 p30 Master 2 Critical System Synchronous programming David LESENS 5

Late detection of errors System requirements System qualification System design Subsystem Error requirements System integration Error detection Subsystem validation Subsystem design Subsystem development Subsystem integration testing Unitary testing Delay for the error detection 06/0/200 p3 Master 2 Critical System Synchronous programming David LESENS Cost of error correction Cost of error correction Put more effort on early phases Phase of error discovery 06/0/200 p32 Master 2 Critical System Synchronous programming David LESENS 6

Verification with model driven engineering System requirements System qualification System design System integration Early detection of errors Automatic code generation Software requirements Software design Software development Software integration testing Unitary testing Software validation 06/0/200 p33 Master 2 Critical System Synchronous programming David LESENS Formal Model Driven Engineering shall allow An early verification of the specification via a strong and intuitive semantic ensuring Consistency Completeness Non ambiguity A behavioural validation within a simulation environment Automatic generation of certified code Formal proof 06/0/200 p34 Master 2 Critical System Synchronous programming David LESENS 7

Overview Critical real-time embedded software Principles of the approach Introduction Formal semantics SCADE Model validation 06/0/200 p35 Master 2 Critical System Synchronous programming David LESENS There are two ways of of constructing a software design. One way is is to to make it it so simple that there are obviously no deficiencies. And the other way is is to to make it it so complicated that there are no obvious deficiencies. Professor C. C. A. A. R. R. Hoare The 980 Turing award lecture 06/0/200 p36 Master 2 Critical System Synchronous programming David LESENS 8

Wikipedia Formal semantics of programming languages In In theoretical computer science, formal semantics is is the field concerned with the rigorous mathematical study of of the meaning of of programming languages and models of of computation 06/0/200 p37 Master 2 Critical System Synchronous programming David LESENS Syntax Is it only what you say that matters? And not so much how it is said? A good syntax shall be Clear Unambiguous Intuitive 06/0/200 p38 Master 2 Critical System Synchronous programming David LESENS 9

Statement groups In C, C++, Java if ( light == red ); { Cancel_lift_off(); } In Ada if light = red then; Cancel_lift_off; end if; Legal statement No warning The call to Cancel_lift_off is always executed Illegal statement No compilation 06/0/200 p39 Master 2 Critical System Synchronous programming David LESENS Named notation In C, C++, Java struct date { int day, month, year; }; In Ada type Date is record Day, Month, Year : Integer; end record; 06/0/200 p40 Master 2 Critical System Synchronous programming David LESENS 20

Named notation In C, C++, Java struct date today = { 2,, 5 }; What does it mean? In Ada Today: Date := ( Day => 2, Month =>, Year => 5 ); Notation usable also for function call 06/0/200 p4 Master 2 Critical System Synchronous programming David LESENS Using distinct types In C++ int badcount, goodcount; int b_limit, g_limit; badcount++; if ( badcount == b_limit ) { goodcount++; if ( goodcount == b_limit ) { Do we really mean that? 06/0/200 p42 Master 2 Critical System Synchronous programming David LESENS 2

Using distinct types In Ada type Goods is new Integer; type Bads is new Integer; badcount, b_limit : Goods goodcount, g_limit: Bads badcount := badcount+; if badcount = b_limit then goodcount := goodcount+; if goodcount = b_limit then Illegal Bad typing Strong typing is a good rule of critical software 06/0/200 p43 Master 2 Critical System Synchronous programming David LESENS Formal languages Programming languages are more or less formal Ada is more formal than Java Java is more formal than C++ C++ is more formal than C C is more formal than Matlab The risk of errors is less important with a formal language 06/0/200 p44 Master 2 Critical System Synchronous programming David LESENS 22

case State is when State => Guard := X < 3; Guard2 := X > 3; if (EVENT and (Guard or Guard2)) then if (Guard) then X := 5; State := State2; else if (Guard2) then X := 6; end if; State := State3; end if; end if; when State2 => if (EVENT) then X := 7; State := State; end if; when State3 => if (EVENT and EVENT) then X := 8; State := State; end if; end case; An other very simple example Simple? Yes But what does this piece of code do? Code (even Ada) is not an adequate way to communicate with system engineer 06/0/200 p45 Master 2 Critical System Synchronous programming David LESENS The same very simple example SCADE SCADE A graphical language with a high level of abstraction facilitates the communication 06/0/200 p46 Master 2 Critical System Synchronous programming David LESENS 23

Overview Critical real-time embedded software Principles of the approach Introduction Formal semantics SCADE Model validation 06/0/200 p47 Master 2 Critical System Synchronous programming David LESENS Overview Synchronous model Introduction to the Scade language Editing a Scade model Activation conditions Automata Arrays Iterations Global flows: Sensors and probes Genericity 06/0/200 p48 Master 2 Critical System Synchronous programming David LESENS 24

Wikipedia Need of deterministic algorithm In computer science, a deterministic algorithm is an algorithm which, in informal terms, behaves predictably Given a particular input, it will always produce the same output, and the underlying machine will always pass through the same sequence of states 06/0/200 p49 Master 2 Critical System Synchronous programming David LESENS Wikipedia Determinism and ECSS ECSS-Q-80C 6.2.3 Handling of critical software 6.2.3.2 The supplier shall define and apply measures to assure the dependability and safety of critical software. These measures can include: prohibiting the use of language commands and features that are unpredictable; use of formal design language for formal proof; 06/0/200 p50 Master 2 Critical System Synchronous programming David LESENS 25

Synchronous languages Semantics = synchronous hypothesis Existence of a global clock Software cyclically activated Inputs read at the cycle beginning Outputs delivered at cycle end (read / write forbidden during the cycle) The cycle execution duration shall theoretically be null No cycle overflow Mono-tasking Ensures the determinism 06/0/200 p5 Master 2 Critical System Synchronous programming David LESENS Asynchronous versus synchronous Asynchronous system Start of an execution cycle End of an execution cycle Inputs can be received at any time I I O I O Outputs can be emitted at any time Synchronous system Inputs shall be available at cycle start I O Outputs are emitted at cycle end 06/0/200 p52 Master 2 Critical System Synchronous programming David LESENS 26

Overview Synchronous model Introduction to the Scade language Editing a Scade model Activation conditions Automata Arrays Iterations Global flows: Sensors and probes Genericity 06/0/200 p53 Master 2 Critical System Synchronous programming David LESENS SCADE Safety Critical Application Development Environment A textual language: Lustre Formal language for reactive synchronous system A graphical language Semantics equivalence SCADE Lustre Adapted to data flow and automata A software toolbox Graphical editor, simulator, proof tool Automatic documentation and certified code generation Synchronous approach 06/0/200 p54 Master 2 Critical System Synchronous programming David LESENS 27

Syntax & Semantics checker SysML Gateway Simulink Simulator Interactive Batch Documentation generator Traceability tool SCADE editor Formal proof Qualified code generator CC Model Test Coverage Ada 06/0/200 p55 Master 2 Critical System Synchronous programming David LESENS Time in Scade Global clock (known by all processes) Time = discrete sequence of tick t 0, t, t 2, etc. At each tick t i a cycle is running Variable = flow which takes at each tick a unique value Example: integer variable x t 0 t t 2 t 3 t 4 t 5 x 5 8 2 3 3 5 06/0/200 p56 Master 2 Critical System Synchronous programming David LESENS 28

Operators An operator acts on flows of values (and not on values) Example Operator «+»: int n x int n int n t 0 t t 2 t 3 t 4 t 5 x 5 8 2 3 3 5 x + x 0 6 4 6 26 0 06/0/200 p57 Master 2 Critical System Synchronous programming David LESENS Temporal operators The PRE operator takes as input a data flow (i.e. a variable) and returns its value at the previous tick. At initial tick, its value is undefined. The operator takes as input an initialisation value and a data flow of the same type. It returns an identical data flow, except for the initial value. 06/0/200 p58 Master 2 Critical System Synchronous programming David LESENS 29

Example t 0 t t 2 t 3 t 4 t 5 x 5 8 2 3 3 5 PRE x null 5 8 2 3 3 9 -> x 9 8 2 3 3 5 9 -> PRE x 9 5 8 2 3 3 06/0/200 p59 Master 2 Critical System Synchronous programming David LESENS Follow by operator FBY( x, n, init ) = init ( PRE ( PRE x ) ) n times t 0 t t 2 t 3 t 4 t 5 x 5 8 2 3 3 5 9 -> PRE x 9 5 8 2 3 3 FBY(x,3,9) 9 9 9 5 8 2 06/0/200 p60 Master 2 Critical System Synchronous programming David LESENS 30

SCADE at a glance: Data Flow Data flows Inputs on the left X Y A U V B T Outputs on the right L C Z Local variables L D M Imported operator Procedure call 06/0/200 p6 Master 2 Critical System Synchronous programming David LESENS Textual versus graphical ( x, y ) = A(); B( x, y ); C( y ) X A Y B false C 06/0/200 p62 Master 2 Critical System Synchronous programming David LESENS 3

Basic operations (/2) Less Less or equal Greater Greater or equal Different I O I2 O2 Addition O3 O4 O5 I I2 I3 Subtraction Multiplication Division Integer division Modulo Unary minus MOD O O2 O3 O4 O5 O6 O7 O8 O9 Equal O6 Convert to real REAL O0 06/0/200 p63 Master 2 Critical System Synchronous programming David LESENS Basic operations (2/2) And Or I O I O I2 I2 I3 O2 I3 O2 Mutual exclusion I Not O I O Different O2 I2 I3 O2 I2 O3 Equal 06/0/200 p64 Master 2 Critical System Synchronous programming David LESENS 32

Mutual exclusion operator #: bool x bool x x bool bool e 0 0 0 0 n times e2 0 0 0 0 06/0/200 p65 Master 2 Critical System Synchronous programming David LESENS e3 0 0 0 0 Returns true if at most one of its inputs is true #(e, e2, e3) 0 0 0 0 Delays Generally not used I D PRE O I PRE PRE O2 D D2 Input I FBY O3 initial value I D FBY 2 O4 Output D Delay 06/0/200 p66 Master 2 Critical System Synchronous programming David LESENS 33

Node and function y = f( x ) Function and nodes are represented by a rectangle A node has an internal state A function has no internal state Input parameters on on the left Output parameters on on the right x f y 06/0/200 p67 Master 2 Critical System Synchronous programming David LESENS Imported function / node Imported function extern void C( C( bool Y ); ); Imported node extern void C_reset( outc_c *outc ); ); extern void C( C( bool Y, Y, outc_c *outc ); ); Context to to be be defined by by the developer 06/0/200 p68 Master 2 Critical System Synchronous programming David LESENS 34

Data structure DTG_Data T_ DT G_ dat a Xp Xm Yp Ym Xp := DTG_data.Xp Xm := DTG_data.Xm Yp := DTG_data.Yp Ym := DTG_data.Ym Xp Xm Yp T_ DT G_ dat a DTG_Data Ym DTG_data.Xp := Xp DTG_data.Xm := Xm DTG_data.Yp := Yp DTG_data.Ym := Ym 06/0/200 p69 Master 2 Critical System Synchronous programming David LESENS Variables representation Input Output Input Local_v ariable Local_v ariable Local_v ariable Output Local_v ariable Input Output Input Local_v ariable Local_v ariable Local_v ariable Local_v ariable Output 06/0/200 p70 Master 2 Critical System Synchronous programming David LESENS 35

Overview Synchronous model Introduction to the Scade language Editing a Scade model Activation conditions Automata Arrays Iterations Global flows: Sensors and probes Genericity 06/0/200 p7 Master 2 Critical System Synchronous programming David LESENS Browser Main window (graph) 06/0/200 p72 Master 2 Critical System Synchronous programming David LESENS Messages 36

Creating a new project 06/0/200 p73 Master 2 Critical System Synchronous programming David LESENS Browser Main window (graph) 06/0/200 p74 Master 2 Critical System Synchronous programming David LESENS Messages 37

Packages Definitions of Scade operators Imported operators Constants Types Sensors Packages Inside or outside a package 06/0/200 p75 Master 2 Critical System Synchronous programming David LESENS Management of types (/3) 06/0/200 p76 Master 2 Critical System Synchronous programming David LESENS 38

Management of types (2/3) 06/0/200 p77 Master 2 Critical System Synchronous programming David LESENS Management of types (3/3) 06/0/200 p78 Master 2 Critical System Synchronous programming David LESENS 39

Integers and reals Integers Binary 0b000 Octal 0563 Decimal 9637 Hexadecimal 0xAF6C Encoding short, int, long Float, double Shall be defined by the user 06/0/200 p79 Master 2 Critical System Synchronous programming David LESENS Defining a constant 06/0/200 p80 Master 2 Critical System Synchronous programming David LESENS 40

Changing an object properties 06/0/200 p8 Master 2 Critical System Synchronous programming David LESENS Keyword list Scade keywords abstract, activate, and, assume, automaton, bool, case, char, clock, const, default, div, do, else, elsif, emit, end, enum, every, false, fby, final, flatten, fold, foldi, foldw, foldwi, function, guarantee, group, if, imported, initial, int, is, last, let, make, map, mapfold, mapi, mapw, mapwi, match, merge, mod, node, not, numeric, of, onreset, open, or, package, parameter, pre, private, probe, public, real, restart, resume, returns, reverse, sensor, sig, specialize, state, synchro, tel, then, times, transpose, true, type, unless, until, var, when, where, with, xor + Targeted programming language keywords 06/0/200 p82 Master 2 Critical System Synchronous programming David LESENS 4

Quick check The quick check performs syntax and semantics verification It It shall be be frequently used 06/0/200 p83 Master 2 Critical System Synchronous programming David LESENS Symbol editor Edition of the symbol Use of the symbol 06/0/200 p84 Master 2 Critical System Synchronous programming David LESENS 42

Display types / variable names / 06/0/200 p85 Master 2 Critical System Synchronous programming David LESENS Generation of documentation 06/0/200 p86 Master 2 Critical System Synchronous programming David LESENS 43

Report customization 06/0/200 p87 Master 2 Critical System Synchronous programming David LESENS Code generation customization 06/0/200 p88 Master 2 Critical System Synchronous programming David LESENS 44

File management Scade6Training.xscade ImportedOperator.xscade OutsidePackageOperator.xscade ActivationPackage.xscade ArrayPackage.xscade AutomatonPackage.xscade Cours.xscade Genericity.xscade ProbePackage.xscade Proof.xscade 06/0/200 p89 Master 2 Critical System Synchronous programming David LESENS Documentation 06/0/200 p90 Master 2 Critical System Synchronous programming David LESENS 45

Overview Synchronous model Introduction to the Scade language Editing a Scade model Activation conditions Automata Arrays Iterations Global flows: Sensors and probes Genericity 06/0/200 p9 Master 2 Critical System Synchronous programming David LESENS IF operator x = if b then y else z If b is true, x takes the value y, else, x takes the value z Note: Does not mean If b is true, execute y, else, execute z 06/0/200 p92 Master 2 Critical System Synchronous programming David LESENS 46

If versus IfBlock int intifwithnodes(bool cond) { int intyf, yg; yg; yf=f (); (); yg=g(); if if (cond) { y = yf; yf; } else { y = yg; } return y; y; } Both branch are executed void IfBlockWithNodes(bool cond) { int inty; y; if if (cond) { y = f f (); ();} else { y = g (); ();} } Only one branch is is executed 06/0/200 p93 Master 2 Critical System Synchronous programming David LESENS When Block int intcase(t_enum enumerated) { switch (enumerated) { case black :: y = ; ; break; case red :: y = 2; 2; break; case green :: y = 3; 3; break; } return y; y; } 06/0/200 p94 Master 2 Critical System Synchronous programming David LESENS 47

Condition Activation conditions Activation condition Condition true = Block activated Condition false = Previous outputs used (was condact in Scade 5) or Default values Init values before first use Counter 5 Activ ateoutput Restart condition Condition true = Internal memory reset 06/0/200 p95 Master 2 Critical System Synchronous programming David LESENS Activation: Example (/3) x = a + b, initial default value 5, activation condition c y = a + b, default value 5, activation condition c Default values c 0 0 Computed values 0 a 3 6 3 2 3 b 3 2-4 x 5 5 2 2 7 y 5 5 2 5 7 Last computed values 06/0/200 p96 Master 2 Critical System Synchronous programming David LESENS Default value 48

Activation: Example (2/3) 06/0/200 p97 Master 2 Critical System Synchronous programming David LESENS if if (Activate) { Output_default_initial_value = A(); A(); Output_default_value = A(); A(); } else else { if if (init) (init) Output_default_initial_value = 5; 5; } Output_default_value = 5; 5; init init = false; Last computed values BOOLEAN_ACTIVATED::B/Activate/: true BOOLEAN_ACTIVATED::B/Output_default_initial_value/: 20 Introduce an an internal state BOOLEAN_ACTIVATED::B/Output_default_value/: 20 Default value 0 2000 4000 06/0/200 p98 Master 2 Critical System Synchronous programming David LESENS 49

Activation and restart Output PRE 0 Condition Activation // restart condition Previous value Condition A c t i v a t i o n P a c k a g e Activation A c t i v a t i o n P a c k a g e Counter 5 Activ ateoutput Computed value Condition Default value Restart A c t i v a t i o n P a c k a g e Counter 4 RestartOutput Re-initialization 06/0/200 p99 Master 2 Critical System Synchronous programming David LESENS Overview Synchronous model Introduction to the Scade language Editing a Scade model Activation conditions Automata Arrays Iterations Global flows: Sensors and probes Genericity 06/0/200 p00 Master 2 Critical System Synchronous programming David LESENS 50

SCADE at a glance: Automaton Initial state Parallel states Guard <SM> Strong transition <SM2> Action 'SYNCHRO Z = 4.2; STATE_ 2 Y = (-) Weak transition INIT2 5 times true S STATE2_ <SM3> STATE2 times <SM4> STATE_2 STATE_3 2 S STATE2 3 L D M X Y = 2 L > 2 and Y < (-4) STATE2 2 History INIT3 0 Y X X * STATE5_ last 'Y + Y STATE5_ Y > 2 Y < (-4) STATE5_2 last 'Y - 3 S 06/0/200 p0 Master 2 Critical System Synchronous programming David LESENS <SM6> <SM5> Y Final state STATE2_2 4 S STATE2 4 emit 'SYNCHRO; Synchronization Data flow and automata A node is composed of Equations (data-flow) Automata (event driven) An automaton is composed of States Transitions A state is composed of Equations Automata step cmd Counter CL CL = 5 step2 2 cmd 2 Counter CL CL = 3 <SM> step3 3 cmd 06/0/200 p02 Master 2 Critical System Synchronous programming David LESENS 5

Principles of Automata Semantics equivalence There exists a data-flow model semantically equivalent to any automaton Automaton scheduling At most one transition fired per cycle Exactly one active state per cycle (except then parallel states are defined) 06/0/200 p03 Master 2 Critical System Synchronous programming David LESENS States A state can be An initial state / a final state Hidden / nested protection <SM> Initial f alse <SM2> isactiv e <SM3> inactiv e inactiv e inactiv e Final start start2 true isactiv e activ e activ e Nested 06/0/200 p04 Master 2 Critical System Synchronous programming David LESENS 52

Automaton simulation Active state Graph Watch 06/0/200 p05 Master 2 Critical System Synchronous programming David LESENS Transitions A transition can have a weak pre-emption have a strong pre-emption be synchronized It can have A guard An action It has a priority It can be with or without a history 06/0/200 p06 Master 2 Critical System Synchronous programming David LESENS 53

Graphical transitions State Strong without history Synchronized without history Weak with history State4 State5 true State7 true true State2 State3 State6 06/0/200 p07 Master 2 Critical System Synchronous programming David LESENS * * true * Weak without history Strong with history Synchronized with history Strong and weak transitions Strong transition The transition is triggered before the state execution The guard can not depend on the current value of a data Weak transition (or weak delayed ) The state is executed before the transition triggering The guard can depend on the current value of a data 06/0/200 p08 Master 2 Critical System Synchronous programming David LESENS 54

Strong and weak transition Strong transition Weak transition 06/0/200 p09 Master 2 Critical System Synchronous programming David LESENS Example (/2) Strong transition Weak transition inactiv e inactiv e * stop * stop * start activ e * start activ e last 'count last 'count count count start T stop T count strong 0 0 0 2 3 4 4 4 count weak 0 0 06/0/200 p0 Master 2 Critical System Synchronous programming David LESENS 0 0 2 3 4 4 4 4 4 4 55

Example (2/2) The behaviours of the two following models are equivalent <SM> <SM> step step cmd cmd Counter CL Counter CL last 'CL = 5 CL = 5 step2 step2 2 2 cmd cmd Previous value 06/0/200 p Master 2 Critical System Synchronous programming David LESENS Synchronized transition A synchronized transition Has no guard Is triggered as soon as all nested automata reach a final state 06/0/200 p2 Master 2 Critical System Synchronous programming David LESENS 56

Example Start received o Still in protection state Start2 received o Final states reached Transition inactive triggered 06/0/200 p3 Master 2 Critical System Synchronous programming David LESENS Transition history Transition without history The state resumes its execution The memories are reset Transition with history The state resumes its execution The memories are not reset Two types of memories PRE : local to the state LAST : common to the node 06/0/200 p4 Master 2 Critical System Synchronous programming David LESENS 57

Transition with history Restart Resume 06/0/200 p5 Master 2 Critical System Synchronous programming David LESENS Shared memory Data flow point of view Access to the last value of a flow in its scope pre expression Mode automata point of view Access to values computed in other states last x ( x is a named flow, not an expression utilization of ) 06/0/200 p6 Master 2 Critical System Synchronous programming David LESENS 58

With history last 'count * last 'count inactiv e start * stop activ e 0 0 count count A u t o m a t o n P a c k start LAST memory A u t o m a t o n P a c k shared stop between the A u t o m the states a t o n P a c k inactiv e pre count 0 count start * stop * activ e pre count 0 count PRE memory local to to the the state 06/0/200 p7 Master 2 Critical System Synchronous programming David LESENS Internal A u t o m memory a t o not reset start n P a c k A u t o m a t o n P a c k stop A u t o m a t o n P a c k Default actions in state inactiv e * stop By By default the the variable keeps its its previous value AutomatonPackage::AutomatonStro start * activ e AutomatonPackage::AutomatonStro last 'count count AutomatonPackage::AutomatonStro Initial value (replaces -> ) 06/0/200 p8 Master 2 Critical System Synchronous programming David LESENS 59

Modifying the default action inactiv e AutomatonPackage::AutomatonStro * start * activ e stop Modification of of the the default behaviour AutomatonPackage::AutomatonStro last 'count count Generated documentation Name Type count int Properties default last 'count - last 5 06/0/200 p9 Master 2 Critical System Synchronous programming David LESENS AutomatonPackage::AutomatonStro Signals A signal can be Present true Absent false A signal can not be An input / output Boolean value A Boolean value keeps its previous value then non updated in a state <SM> State S next State2 S2 next State3 A u t o m a t o n P a c k a g e ::A u t o m a S A u t o m a t o n P a c k a g e ::A u t o m a S2 A u t o m a t o n P a c k a g e ::A u t o m a S3 S3 06/0/200 p20 Master 2 Critical System Synchronous programming David LESENS 0 60

Composition and communication A signal can be Emitted in a state Emitted on a transition A transition can be triggered by a signal 06/0/200 p2 Master 2 Critical System Synchronous programming David LESENS Factor A factor specifies on many time a condition must be true In a data flow view In a guard (automaton) arg 5 DataFlowTimesOut State <SM> AutomatonPackage::AutomatonFactor/arg/: true arg f alse 5 times arg AutomatonTimesOut A uto mato np ackage::a uto mato nfacto r/dataflo wtimesou DataFlow true State2 AutomatonTimesOut AutomatonPackage::AutomatonFactor/AutomatonTimes Automaton 06/0/200 p22 Master 2 Critical System Synchronous programming David LESENS 6

Time-out with factor true Step Step_ true Step2 Step_2 true Step3 Step_3 true Step4 Step_4 5 times true DURATION times true ( duration = 20 ) 0 times true 5 A u t o m a t o n P a c k a g e : Step 20 A u t o m a t o n P a c k a g e : Step 2 0 A u t o m a t o n P a c k a g e : Step 3 06/0/200 p23 Master 2 Critical System Synchronous programming David LESENS Fork Common guard true State S Specific guard trigger true State2 v alue = v alue = 2 2 true State3 S2 3 S3 Priority true State4 S4 06/0/200 p24 Master 2 Critical System Synchronous programming David LESENS 62

Overview Synchronous model Introduction to the Scade language Editing a Scade model Activation conditions Automata Arrays Iterations Global flows: Sensors and probes Genericity 06/0/200 p25 Master 2 Critical System Synchronous programming David LESENS Arrays definition Restrictions Static size First element = index 0 Definitions type VECTOR = real ^ 4 ; type MATRIX_2_3 = real ^ 3 ^ 2 ; 2 lines, 3 columns typedef real LINE_3[3]; typedef LINE_3 MATRIX_2_3 [2]; 06/0/200 p26 Master 2 Critical System Synchronous programming David LESENS 63

Editing array types Array type Type name Array size Generated code typedef _real array_2[2]; typedef array_2 array_[3]; typedef array_ T_MATRIX_3_2 ArrayPackage; 06/0/200 p27 Master 2 Critical System Synchronous programming David LESENS Array access Dynamic Array 5 [] 2 index Static Array5=[2,4,6,8,0], Index=3 Dy namicprojection Index = 3 Output = 8 Index = 0 Output = 2 Default value for for index out of of range Array 5 [2] Assignment Array 5 [0] StaticProjection AssignOf StructureElement Output = 6 newvalue = 3 Output = [3,4,6,8,0] newvalue 06/0/200 p28 Master 2 Critical System Synchronous programming David LESENS 64

Some operators on arrays 0.0 2.0 Constructor Value repetition [5.0, 6.0, 9.0,.0] 4 2 Vector4 06/0/200 p29 Master 2 Critical System Synchronous programming Rev erse_vector4 David LESENS 2 Matrix_3_2 Matrix_2_3 Vector2 Vector6 Data to to Vector Transpose of of an an Array Scalar to to Vector Slice of of a vector Concatenation of of Arrays Reverse of of a Vector Overview Synchronous model Introduction to the Scade language Editing a Scade model Activation conditions Automata Arrays Iterations Global flows: Sensors and probes Genericity 06/0/200 p30 Master 2 Critical System Synchronous programming David LESENS 65

Iterations Equivalent to for in C Map / Mapi / Mapw / Mapiw Fold / Foldi / Foldi / Foldiw 06/0/200 p3 Master 2 Critical System Synchronous programming David LESENS Map FirstInt5 map<<5>> MapInt5 SecondInt5 for for (i (i = 0; 0; i i < 5; 5; i++) { MapInt5[i] = FirstInt5[i] + SecondInt5[i]; } MAP: Apply the the operator successively on on each element of of the the input vector(s) element[i].element [i] Size of of the the input vector 06/0/200 p32 Master 2 Critical System Synchronous programming David LESENS 66

Fold InputInt a fold<<5>> FoldInt FirstInt5 FoldInt = InputInt; for for (i (i = 0; 0; i i < 5; 5; i++) { FoldInt = FoldInt + FirstInt5[i]; } First element of of the the iteration FOLD: Apply recursively the the operator on on input vector element[i].element[i+] 06/0/200 p33 Master 2 Critical System Synchronous programming David LESENS Mapfold Operator add_2 Input sum InputInt a mapfold<<5>> add_2 MapFoldInt Input2 sum2 FirstInt5 MapFold2Int5 MapFoldInt = InputInt; Recursion for for (i (i = 0; 0; i i < 5; 5; i++) { add_2_arraypackage(mapfoldint, FirstInt5[i], &MapFoldInt, &MapFold2Int[i]); } Succession Nodes used with a mapfold iterator should duplicate their output We obtain both results at at the the same time 06/0/200 p34 Master 2 Critical System Synchronous programming David LESENS 67

Mapi = Map with iterator as input FirstInt5 i mapi<<5>> MapiInt5 Only one input for for (i (i = 0; 0; i i < 5; 5; i++) { MapiInt5[i] = i i + FirstInt5[i]; } The index of of the the iteration is is the the first argument of of the the node 06/0/200 p35 Master 2 Critical System Synchronous programming David LESENS Foldi = Fold with iterator as input InputInt ai foldi<<5>> FoldiInt No No vector in in input FoldiInt = InputInt; for for (i (i = 0; 0; i i < 5; 5; i++) { FoldiInt = i i + FoldiInt; } The input flow is is the the iterator 06/0/200 p36 Master 2 Critical System Synchronous programming David LESENS 68

Mapw / Foldw = Partial operators Capability to stop an iteration on a Boolean condition computed by the operator Operator add Input Input2 sum The iteration can be be stopped 0 condition As As soon as as the the condition is is false, the the iteration is is topped 06/0/200 p37 Master 2 Critical System Synchronous programming David LESENS Mapw = Map partial operator ConditionBool Default value after the the Iteration stop FirstInt5 SecondInt5 mapw<<5>> 64 add 4 MapwExitIndexInt MapwInt5 MapwExitIndexInt = 0; 0; for for (i (i = 0; 0; i i < 5; 5; i++) { if if (ConditionBool) { The iteration can be be stopped add(firstint5[i], SecondInt5[i], &ConditionBool, &MapwInt5[i]); MapwExitIndexInt = i i + ; ; } else { MapwInt5[i] = 4; 4; } } Default value after the the Iteration stop It is recommended to not use this operator (WCET) 06/0/200 p38 Master 2 Critical System Synchronous programming David LESENS 69

Mapwi = Mapi + Mapw ConditionBool Default value after the the Iteration stop i mapwi<<5>> add 67 MapwiExitIndexInt FirstInt5 MapwiInt5 06/0/200 p39 Master 2 Critical System Synchronous programming David LESENS 4 MapwiExitIndexInt = 0; 0; The iteration can be be stopped for for (i (i = 0; 0; i i < 5; 5; i++) { if if (ConditionBool) { The iterator is is the the first argument add(i, FirstInt5[i], & ConditionBool, &MapwiInt5[i]); MapwiExitIndexInt = i i + ; ; } else { outc->mapwiint5[i] = 4; 4; } } Default value after the the Iteration stop It is recommended to not use this operator (WCET) Foldw = Fold partial operator ConditionBool InputInt a foldw<<5>> add 74 FoldwExitIndexInt FirstInt5 FoldwInt FoldwInt = InputInt; for for (i (i = 0; 0; i i < 5; 5; i++) { if if (( ConditionBool )){ break; } The iteration can be be stopped add(foldwint, FirstInt5[i], & ConditionBool, &tmp); FoldwInt = tmp; } 06/0/200 p40 Master 2 Critical System Synchronous programming David LESENS 70

Foldwi = Foldi + Foldw ConditionBool InputInt i a foldwi<<5>> 80 add FoldwiExitIndexInt FoldwiInt5 FoldwiInt5 = InputInt; tmp = ConditionBool; for for (i (i = 0; 0; i i < 5; 5; i++) { if if (( ConditionBool) { break; } add(i, FoldwiInt5, & ConditionBool, &tmp); FoldwiInt5 = tmp; } FoldwiExitIndexInt = i; i; The iteration can be be stopped The input flow is is the the iterator 06/0/200 p4 Master 2 Critical System Synchronous programming David LESENS Iteration summary Map = Successive application Fold = Recursive application Mapfold = Map + Fold Mapi = Map with iterator as input Foldi = Fold with iterator as input Mapw = Map partial operator Mapwi = Mapi + Mapw Foldw = Fold partial operator Foldwi = Foldi + Foldw 06/0/200 p42 Master 2 Critical System Synchronous programming David LESENS 7

Example Without loop With loop 06/0/200 p43 Master 2 Critical System Synchronous programming David LESENS Example 2: cross product Compute scalar product Compute vector norm Compute cross product 06/0/200 p44 Master 2 Critical System Synchronous programming David LESENS 72

Overview Synchronous model Introduction to the Scade language Editing a Scade model Activation conditions Automata Arrays Iterations Global flows: Sensors and probes Genericity 06/0/200 p45 Master 2 Critical System Synchronous programming David LESENS Sensors Sensor: Global system input Input temperature Output heater Sensor temperature commanded_heater heater aimed_temperature extern _int aimed_temperature ProbePackage; 06/0/200 p46 Master 2 Critical System Synchronous programming David LESENS 73

Probes Probe: Global system output temperature commanded_heater heater Probe aimed_temperature typedef struct {/* context */ */ _bool heater; /* /* outputs */ */ _bool commanded_heater; /* /* probes */ */ } C_controller ProbePackage; 06/0/200 p47 Master 2 Critical System Synchronous programming David LESENS Overview Synchronous model Introduction to the Scade language Editing a Scade model Activation conditions Automata Arrays Iterations Global flows: Sensors and probes Genericity 06/0/200 p48 Master 2 Critical System Synchronous programming David LESENS 74

Generic operator definition GenericSquare Specialization arg square_out argint GenericSquare squareint Input Output Name arg square_out Type 'T 'T argreal 2 GenericSquare squarereal Name Generic Type 'T numeric Definition of of a generic numeric type 06/0/200 p49 Master 2 Critical System Synchronous programming David LESENS Generic operator instantiation int intgenericsquare_int (( int intarg )){ int intsquare_out; square_out = arg * arg; return square_out; } real GenericSquare_real (( real arg )){ real square_out; square_out = arg * arg; return square_out; } void Specialization( int intargint; real argreal; int intsquareint; real squarereal; )){ *squarereal = GenericSquare_real (( argreal ); ); *squareint = GenericSquare_int (( argint ); ); } 06/0/200 p50 Master 2 Critical System Synchronous programming David LESENS 75

Definition of parameters Definition of of a generic size ( parameter ) 06/0/200 p5 Master 2 Critical System Synchronous programming David LESENS Parameter instantiation REAL_RESULT = 0.0; for for (i (i = 0; 0; i i < 3; 3; i++) { REAL_RESULT = REAL_RESULT + (*LEFT)[i] * (*RIGHT)[i]; } return REAL_RESULT; 06/0/200 p52 Master 2 Critical System Synchronous programming David LESENS 76

Overview Critical real-time embedded software Principles of the approach Introduction Formal semantics SCADE Model validation 06/0/200 p53 Master 2 Critical System Synchronous programming David LESENS Software validation Correct software No runtime errors Satisfaction of real time constraints Compliance with the expected results Solutions Manual review Dynamic testing A code level At model level Semantics checking Abstract interpretation Formal proof Costly Error prone Costly Non exhaustive 06/0/200 p54 Master 2 Critical System Synchronous programming David LESENS 77

Semantics verification (/2) Semantics of a SCADE model Syntax Typing verification Types compatibility Example: Integer real Non uninitialized variables Temporal causality 06/0/200 p55 Master 2 Critical System Synchronous programming David LESENS Temporal causality SCADE is an equational language The evaluation order depends only on data flows x = y; y = z; x = y; y = z; z = x; y = z evaluated first x = y evaluated secondly Impossible computation of the evaluation order x = y = z = x = Causality problem 06/0/200 p56 Master 2 Critical System Synchronous programming David LESENS 78

Semantics verification (2/2) A SCADE model with a correct semantics is: Complete Consistent Implementable The good properties of a specification Semantics check to be systematically performed But does the software behave as expected? 06/0/200 p57 Master 2 Critical System Synchronous programming David LESENS Software validation Correct software No runtime errors Satisfaction of real time constraints Compliance with the expected results Solutions Manual review Dynamic testing A code level At model level Semantics checking Abstract interpretation Formal proof Costly Error prone Costly Non exhaustive 06/0/200 p58 Master 2 Critical System Synchronous programming David LESENS 79

What is testing? Compare the observed behaviour with the expected behaviour Several levels of test Unitary / integration / validation / system qualification Host / target Real equipment / simulator White box / Black box At code or model level 06/0/200 p59 Master 2 Critical System Synchronous programming David LESENS Objectives of unitary tests Robustness Absence of runtime error Functional validity Comparison with the expected results Contractual objectives Coverage Intuitively satisfactory Measurable But not a proof of exhaustiveness 06/0/200 p60 Master 2 Critical System Synchronous programming David LESENS 80

Unitary tests: Coverage Procedure Procedure f(x f(x : : in in real; real; y: y: in in real; real; z z : : out out real) real) if if (x (x > >.0).0) or or (x (x < < -.0) -.0) then then z z := := y/x; y/x; else else z z := := y; y; if if z z < < 2.0 2.0 then then z z = = 2.0; 2.0; Coverage branch decision path (x=2.0, y=6.0), (x=-.0,y=.0) + (x=-2, y=3.0) + (x=2.0, y=.0), (x=0.5,y=2.0) 06/0/200 p6 Master 2 Critical System Synchronous programming David LESENS Coverage of a SCADE model Warning Both branches are executed whatever the value of inc PRE 0 2 inc = true = false + + + + Counter 06/0/200 p62 Master 2 Critical System Synchronous programming David LESENS 8

Integration test Validated by Unitary Tests Module A Module B Do they work together? y = f( x, x 2 ) ou y = f( x 2, x ) Module A Module B Validation of interfaces in white box 06/0/200 p63 Master 2 Critical System Synchronous programming David LESENS Limit of the white box approach The presence of a spy may modify the real time behaviour What happens if the debugger / simulator has a bug? 06/0/200 p64 Master 2 Critical System Synchronous programming David LESENS 82

Validation Black box tests Control of the inputs Observations of the outputs Non intrusive On host or on target Tests on target are more expensive 06/0/200 p65 Master 2 Critical System Synchronous programming David LESENS Software validation Correct software No runtime errors Satisfaction of real time constraints Compliance with the expected results Solutions Manual review Dynamic testing A code level At model level Semantics checking Abstract interpretation Formal proof Costly Error prone Costly Non exhaustive But proof can not completely replace testing 06/0/200 p66 Master 2 Critical System Synchronous programming David LESENS 83

Software testing Test coverage Error states Concrete semantics Non detected failure Tested execution OK Possible execution Program testing can be used to show the presence of bugs, but never to show their absence! Edgser W. Dijkstra 06/0/200 p67 Master 2 Critical System Synchronous programming David LESENS Principle of the proof Non computable Concrete semantics Error states Abstract semantics Computable and sound abstraction Verified In order to reason or compute about a complex system, some information must be lost Patrick Cousot 06/0/200 p68 Master 2 Critical System Synchronous programming David LESENS 84

Proof limitation Concrete semantics Error states Abstract semantics Warning False alarms! Computable but incomplete 06/0/200 p69 Master 2 Critical System Synchronous programming David LESENS Example () Warning int a[000]; for (i = 0; i < 000; i++) { for (j = 0; j < 000 i; j++) { // 0 <= i <= 999 // 0 <= j <= 999 a[i+j] = 0; 999 } i Error } states Non conclusive 0 999 j 06/0/200 p70 Master 2 Critical System Synchronous programming David LESENS 85

Example (2) Safe int a[000]; for (i = 0; i < 000; i++) { for (j = 0; j < 000 i; j++) { // 0 <= i and 0 <= j // i+j <= 999 a[i+j] = 0; 999 } i Error } states Conclusive 0 999 j 06/0/200 p7 Master 2 Critical System Synchronous programming David LESENS Safety et liveness properties Safety Bad things never happen Liveness Some thing good will eventually happen in the future Concrete semantics Error states State to be reached Abstract semantics 06/0/200 p72 Master 2 Critical System Synchronous programming David LESENS The proof tool of SCADE can not prove liveness properties 86

Interest of the liveness properties Liveness property / timed property Example: if an error is detected, the software shall raise an alarm toward the user Liveness: the alarm will mandatorily be raised (one day or another) But when? Not acceptable for a critical real time piece of software Timed property: the alarm will mandatorily be raised second after the failure occurence Safety property 06/0/200 p73 Master 2 Critical System Synchronous programming David LESENS Formal proof Mathematical exhaustive demonstration that a piece of software/code satisfied a property Rarely the case! A piece software generally satisfies a property only in a correct environment 06/0/200 p74 Master 2 Critical System Synchronous programming David LESENS 87

The software is part of a complex system Environment Vehicle Equipment Equipment Equipment Bus Processor On On board Software board Computer Computer 06/0/200 p75 Master 2 Critical System Synchronous programming David LESENS Formal proof principles Software under validation Properties to be satisfied Software environment ( correct environment) software properties Environment in open or close loop 06/0/200 p76 Master 2 Critical System Synchronous programming David LESENS 88

Expression of properties Notion of observer An observer is a software observing the software under validation and returning true as long as the property is satisfied Observation of the software inputs Observation of the software outputs Idem for the environment properties 06/0/200 p77 Master 2 Critical System Synchronous programming David LESENS Observers in SCADE FBY Environment Inputs Software under validation Outputs Observer of the property ok Use for testing (oracle) Use by SCADE proof tool 06/0/200 p78 Master 2 Critical System Synchronous programming David LESENS 89

Non deterministic environment (/2) The software environment is generally not fully deterministic Human action Failure Non deterministic environment But SCADE is a deterministic language! 06/0/200 p79 Master 2 Critical System Synchronous programming David LESENS Non deterministic environment (2/2) The non determinism is modelled by an additional input Example: Failure occurrence Failure Environment System 06/0/200 p80 Master 2 Critical System Synchronous programming David LESENS 90

Assertion An assertion allows to restrict an environment too much non deterministic Example: Input gf models a gyroscope failure Input tf models a thruster failureune panne d une tuyère To develop a one fault tolerant system Hypothesis: assert #( gf, tf ) 06/0/200 p8 Master 2 Critical System Synchronous programming David LESENS The End 06/0/200 p82 Master 2 Critical System Synchronous programming David LESENS 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information