Update on Behavior Language for Embedded Systems with Software for Proof Based Analysis of Behavior


October 19, 2010, BLESS Progress Report, Slide 1: Update on Behavior Language for Embedded Systems with Software for Proof Based Analysis of Behavior
Brian Larson, Multitude Corporation, October 19, 2010

Slide 2: Behavior Language for Embedded Systems with Software (BLESS)
- BLESS is AADL Annex Sublanguage(s) (v2 standardized by SAE in 2009)
- Inspired by Behavioural Annex (BA) Sublanguage
- Grammar of BLESS coordinated with BA
- BLESS proof tool currently a Java application; to become an OSATE v2 (by SEI) plugin
- Convert BLESS behavior to BA to leverage BA tools
- Make adding proofs to models incremental and low-risk

Slide 3: Origins of BLESS
- Guidant (now Boston Scientific) used the proprietary architecture language PADL, derived from MetaH
- AADL, also derived from MetaH, was an SAE International standard; anticipated migration to supplant home-brewed tools with commercial tools
- attended AADL tutorial at SEI (2007)
- invited to participate in the AADL standard committee as a medical device industry user
- reviewed the v2 core standard and all annex standard documents
- Behavioural annex sublanguage (BA) might be augmented with Assertions to become proof outlines that could be transformed into a formal correctness proof by a proof tool like the one created for DANCE

Slide 4: Origins of BLESS, continued
- created temporal logic for Assertions while editing the PACEMAKER System Specification (2006)
- migrate proof tool from ANTLR2 to ANTLR3 (started 2008, ongoing)
- wrote LRM defining semantics from set theory in LaTeX* (2009)
- BLESS grammar coordinated with BA grammar to make it easy to convert BLESS programs to BA text
- suspended, in frustration, development of the OSATE/Eclipse plugin (2009); get the tool working as a Java application first
- VVI.aadl pushed through the BLESS proof tool before the May 2010 meeting of the AADL committee in Toulouse (v0.12); the half-day workshop/tutorial that followed was well received
* please read it; ask questions; challenge suppositions

Slide 5: News
- DDD.aadl proved correct last Friday
- semantics for timeout dispatch conditions extended to express that none of the dispatch conditions leaving a source state has fired since the time of previous suspension, tops

Slide 6: BLESS is Three AADL Annex Sublanguages
- Assertion: attached individually to features such as ports; annex libraries allow multiple assertions
- subbless: attached only to subprograms; has only value transformations and Assertions without time expressions; subbless (DANCE)
- BLESS: attached only to thread, device, or system AADL components; has states, transitions, timeouts, actions including communication, events, and Assertions with time expressions

Slide 7: BLESS is Three AADL Sublanguages
[Figure: how the three sublanguages relate. subbless: action, first-order predicate. BLESS: states, transitions, communication, event dispatch, persistence. Assertion: time, @, ˆ.]

Slide 8: Assertions are Temporal Logic Formulas
- Assertion grammar is first-order predicate calculus augmented with @, ˆ and a previous-tick operator
- @ says when a predicate is true in real time: p@t means p is true at time t
- ˆ says when a predicate is true in thread periods (clock ticks): dˆi means d is true i ticks (thread periods) from now; i is usually negative
- the previous-tick operator says when a predicate was true the previous tick: applied to c it means cˆ-1, the value of c set by the thread last period; used in calculating new values for this period; assigning c its previous-tick value minus 1 decrements c each clock cycle

Slide 9: Lower Rate Limit Assertion

    -- 5.1 Lower Rate Limit (LRL)
    -- The Lower Rate Limit (LRL) is the number of generator pace pulses
    -- delivered per minute (atrium or ventricle) in the absence of
    --   Sensed intrinsic activity.
    --   Sensor-controlled pacing at a higher rate.
    -- The LRL is affected in the following ways:
    --   1. When Rate Hysteresis is disabled, the LRL shall
    --      define the longest allowable pacing interval.
    --   2. In DXX or VXX modes, the LRL interval starts
    --      at a ventricular sensed or paced event
    <<LRL:theTime:
      -- there has been a V-pace or a non-refractory V-sense
      exists t:timing_properties::time
      -- within the previous LRL interval
      in (thetime-pp::lower_rate_limit_interval)..thetime
      -- in which a heartbeat was paced if not sensed
      that (nr_vs or vp)@t >>

This means that at thetime there has been a non-refractory ventricular sense (nr_vs) or a ventricular pace (vp) within the previous period lasting lower_rate_limit_interval.

Slide 10: Timeout

    va,sav,pav -[on dispatch timeout (vp nr_vs) PP::Lower_Rate_Limit_interval ms]-> va {...};
    pav -[on dispatch vs]-> pav_check_vrp{};
    <<((vp or nr_vs)@(now-pp::lower_rate_limit_interval)
       and not (exists t:timing_properties::time
                in now-pp::lower_rate_limit_interval,,now
                that (vp or nr_vs)@t))
      and (VAI(now) and LAST_VP_OR_VS() and LAST_AS() and LRL(now) and URL(now))>>

Slide 11: Including a term that says no dispatch condition was true between the time of previous suspension, tops, and the present instant, now:

    <<((vp or nr_vs)@(now-pp::lower_rate_limit_interval)
       and not (exists t:timing_properties::time
                in now-pp::lower_rate_limit_interval,,now
                that (vp or nr_vs)@t))
      and VAI(now) and LAST_VP_OR_VS() and LAST_AS() and LRL(now) and URL(now)
      and not (exists u:timing_properties::time in tops,,now that
                 ((vp or nr_vs)@(u-pp::lower_rate_limit_interval)
                  and not (exists t:timing_properties::time
                           in u-pp::lower_rate_limit_interval,,u
                           that (vp or nr_vs)@t))
                 or (as@u)
                 or (vs@u)
                 or (((vp or nr_vs)@(u-va_interval)
                      and not (exists t:timing_properties::time
                               in u-va_interval,,u
                               that (vp or nr_vs)@t)))
                 or (stop))>>

Slide 12: Dense time, actions, durations
- semantics of Assertions can express temporal behavior declaratively
- BLESS quantification integrates properties across time
- Needed to add open ranges: lb,,ub  lb,.ub  lb.,ub
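To make the slide 9 to 12 Assertions concrete, here is an added example (not code from the slides or from the BLESS tool) that evaluates them over a constructed event trace: the LRL Assertion, the timeout term "an event exactly one interval ago and nothing since", and the slide 11 "no dispatch since tops" term. Time is in ms sampled at 1 ms, and LRL_INTERVAL and VA_INTERVAL are assumed values standing in for pp::lower_rate_limit_interval and va_interval.

```python
# Added example, not from the original slides: evaluates the slide 9-12
# Assertions over a constructed trace. Dense time is sampled at 1 ms.
LRL_INTERVAL = 1000   # assumed: pp::lower_rate_limit_interval (60 ppm)
VA_INTERVAL = 150     # assumed: va_interval

# Constructed trace: predicate name -> set of times (ms) at which it is true.
TRACE = {"vp": {0}, "nr_vs": {800}, "vs": {800}, "as": {500}, "stop": set()}

def at(trace, p, t):
    """p@t: predicate p is true at real time t."""
    return t in trace.get(p, ())

def exists_in(trace, ps, lb, ub, lb_open=False, ub_open=False):
    """exists t in lb..ub that (p1 or p2 ...)@t.  Open ends model the
    slide-12 ranges: lb,,ub (both open), lb,.ub and lb.,ub (half-open)."""
    for p in ps:
        for t in trace.get(p, ()):
            if (lb < t if lb_open else lb <= t) and (t < ub if ub_open else t <= ub):
                return True
    return False

def lrl(trace, thetime):
    """Slide 9: a V-pace or non-refractory V-sense within the last LRL interval."""
    return exists_in(trace, ("nr_vs", "vp"), thetime - LRL_INTERVAL, thetime)

def interval_timeout(trace, now, interval):
    """Slides 10-11 timeout term: (vp or nr_vs)@(now-interval) and
    not exists t in now-interval,,now that (vp or nr_vs)@t."""
    return ((at(trace, "vp", now - interval) or at(trace, "nr_vs", now - interval))
            and not exists_in(trace, ("vp", "nr_vs"), now - interval, now, True, True))

def dispatch_condition(trace, u):
    """Slide 11 disjunction: some transition out of the source state fires at u."""
    return (interval_timeout(trace, u, LRL_INTERVAL) or at(trace, "as", u)
            or at(trace, "vs", u) or interval_timeout(trace, u, VA_INTERVAL)
            or at(trace, "stop", u))

def no_dispatch_since(trace, tops, now):
    """Slide 11 extension: not exists u in tops,,now that dispatch_condition(u)."""
    return not any(dispatch_condition(trace, u) for u in range(tops + 1, now))

if __name__ == "__main__":
    print(lrl(TRACE, 1500), lrl(TRACE, 1900))                  # True False
    print(interval_timeout(TRACE, 1000, LRL_INTERVAL))         # False: nr_vs at 800 intervenes
    print(interval_timeout(TRACE, 1800, LRL_INTERVAL))         # True
    print(no_dispatch_since(TRACE, 801, 1800))                 # False: VA timeout fires at 950
    print(no_dispatch_since(TRACE, 951, 1800))                 # True
```

The open upper and lower ends of the ,, range are what stop the timeout from firing at 1000 ms in this trace: the nr_vs at 800 ms lies strictly inside (0, 1000) and restarts the interval.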

Slide 13: DDD.aadl Proof
- 998 theorems
- 414 lines of code
- 4 minutes run-time
- script to prove each initial obligation individually

Slide 14: BLESS, most recently
- DDD.aadl has been a challenging second example; many new or converted proof rules; caused re-evaluation of proof obligations for thread behavior
- Released tool (v0.14) yesterday; LRM (still v0.13)
- Many classes of proof rules and features added since Toulouse
- extensive use of ANTLR: 36 grammars and string template groups

Slide 15: Plentiful interesting things to do...
- use BLESS to prove RTEdge correctness
- integrate with Fiacre model checker (TOPCASED)
- attempt conversion of stand-alone application to OSATE (SEI) or STOOD (Ellidiss) plugins
- experiment with avionics (Dassault), NPP shutdown systems (NRC), or robotics (PaR)
- add code generation to proof tool, Ocarina or ANTLR
- demonstrate proved-correct software running on real hardware for the Pacemaker Challenge
- behavior semantics shoot-out: Fiacre, Maude, Ocarina, BLESS...
- but scarce funding

Slide 16: ESA's Avionics Reference Architecture and IMA Modeling
- Might be an opportunity to integrate BLESS with the TOPCASED (ASSERT) tool suite, and experiment with an avionics subject
- Safety-critical systems complexity tamed using math, like every other engineering discipline
- Ensure execution correctness with both proofs and testing
- Compose proved-correct building blocks into proved-correct systems

Slide 17: Team to Define Experiment Using BLESS on ESA's Avionics Reference Architecture
- Thierry Cornilleau - Dassault Aviation
- Pierre Dissaux - Ellidiss (STOOD, Adele)
- Jérôme Hugues - ISAE (Ocarina)
- Mamoun Filali - IRIT (Fiacre)
- Frank Singhoff - Brest (concurrency control protocols)
- Eric Conquet - ESA (ASSERT)*
- Julien Delange - ESA (ARA)
- Laurent Pautet - ESA (ARA)
- Serban Gheorghe - Edgewater (RTEdge)
- Oleg Sokolsky - UPenn (cyber-physical systems)
- Peter, Bruce, Dio, Lutz - SEI (OSATE)
- others?
* What we prove is what we get.