# Model-Driven Engineering with Formal Models for Embedded Systems **INRIA Aoste** # **AOSTE** **Direction**: 2 (1+1) Directeur : de SIMONE, Robert – DR 5,,.....*5* Co-directeur : SOREL, Yves – DR #### Permanents: 6 (5+1) ANDRE, Charles – Professeur DEANTONI. Julien – McF HOGIE Luc - IR MALLET, Frédéric – McF PERALDI-FRATI, Marie-Agnès – McF POTOP BUTUCARU, Dumitru – CR ## **AOSTE** Ingénieurs experts : 3 (2+1) BOUCARON, Julien – Docteur FERRERO, Benoît – Master DE RAUGLAUDRE, Daniel – Ingénieur **Direction**: 2 (1+1) Directeur : de SIMONE, Robert – DR Co-directeur : SOREL, Yves – DR Doctorants: 4 (3+1) COADOU, Anthony – Master LE TALLEC, Jean-François – Master MEHMOOD KAHN, Aamir – Master MAROUF Mohamed – Master Post-Doctorants: 3 (2+1) GASCON, Régis – Docteur GLITIA, Calin – Docteur MEUMEU YOMSI, Patrick – Docteur Assistantes: >2 (2+?) DEVAUCHELLE, Sandra – I3S LACHAUME, Patricia – INRIA #### Goal: associate 3 domains # Where are we going? → mathematical mean to adress a problem → replacement of grammars 5 - Embedded systems - Concurrent and heterogeneous applications - Embedded systems - Concurrent and heterogeneous applications - Signal/image processing - Control software - • - Embedded systems - Concurrent and heterogeneous applications - Signal/image processing - Control software • - Constraints - safety-critical - hard real-time - Extra functional - low power - Cost - • - Embedded systems - Concurrent and heterogeneous applications - Constraints - safety-critical - hard real-time - Extra functional - low power - Cost - • - Embedded systems - Concurrent and heterogeneous applications - Constraints - safety-critical - hard real-time - Extra functional - low power - Cost - ... - Embedded systems - Concurrent and heterogeneous applications - Constraints - safety-critical - hard real-time - low power - \_ ... - Embedded systems - Concurrent and heterogeneous applications - Constraints - safety-critical - hard real-time - low power - <del>-</del> ... - Embedded systems - 1 Concurrent and heterogeneous applications - 3 mapped to Need for formalisms to adress these 5 concerns - (4) Constraints - safety-critical - hard real-time - low power # How to deal with the domain? - High-level descriptions of systems and demands - Designing in the large !! - Focusing on concerns one at a time (aspects) - Weaving concerns - Support for system structuring all along design cycle (≠ code) - High-level descriptions of systems and demands - Support for system architecturing all along design cycle (≠ code) - Early expression of requirements and specifications - All along the design cycle - Requirements are detailled with the specification refinement - High-level descriptions of systems and demands - Support for system architecturing all along design cycle (≠ code) - Early expression of requirements and specifications - Ease Reuse of existing parts / components Components provisions #### Goals - High-level descriptions of systems and demands - Support for system architecturing all along design cycle (≠ code) - Early expression of requirements and specifications - Ease Reuse of existing part / components - Traceability Which part of the specification satisfies a specific requirement, . . . - High-level descriptions of systems and demands - Support for system architecturing all along design cycle (≠ code) - Early expression of requirements and specifications - Ease Reuse of existing part / components - Traceability - High-level descriptions of systems and demands - Support for system architecturing all along design cycle (≠ code) - Early expression of requirements and specifications - Ease Reuse of existing part / components - Traceability - Communication between various teams (inside or across companies), documentation #### Goals - High-level descriptions of systems and demands - Support for system architecturing all along design cycle (≠ code) - Early expression of requirements and specifications - Ease Reuse of existing part / components - Traceability - Communication between various teams (inside or across companies), documentation ### Current Shortcomings discrepancies, lack of semantics or even precise interpretation #### Goals - High-level descriptions of systems and demands - Support for system architecturing all along design cycle (≠ code) - Early expression of requirements and specifications - Ease Reuse of existing part / components - Traceability - Communication between various teams (inside or across companies), documentation - discrepancies, lack of precise semantics or even of semantics - → tools suffer from this - discrepancies, lack of precise semantics or even of semantics - → tools suffer from this #### Goals - High-level descriptions of systems and demands - Support for system architecturing all along design cycle (≠ code) - Early expression of requirements and specifications - Ease Reuse of existing part / components - Traceability - Communication between various teams (inside or across companies), documentation - discrepancies, lack of semantics or even precise interpretation - → tools suffer from this - universality dissolves into particularisms #### Goals - High-level descriptions of systems and demands - Support for system architecturing all along design cycle (≠ code) - Early expression of requirements and specifications - Ease Reuse of existing part / components - Traceability - Communication between various teams (inside or across companies), documentation - discrepancies, lack of semantics or even precise interpretation - → tools suffer from this - universality dissolves into particularisms Models of Computation and Communications (MoCCs) that exhibits explicit concurrency - Goals - Mathematical semantics - No Ambiguity - → Tools benefit from that ! - Mathematical semantics - Powerful analysis and algorithmic methods - Mathematical semantics - Powerful analysis and algorithmic methods - Optimization / verification - Mathematical semantics - Powerful analysis and algorithmic methods - Optimization / verification - Guaranteed equivalence between code and model - Mathematical semantics - Powerful analysis and algorithmic methods - Optimization / verification - Guaranteed equivalence between code and model - Basis for well-founded transformations - Process Networks - Marked Graph - Synchronous Data Flow - Kahn Process Network #### **Formal Models** - Process Networks - Marked Graph - Synchronous Data Flow - Kahn Process Network #### **Formal Models** - Process Networks - Marked Graph - Synchronous Data Flow - Kahn Process Network #### **Formal Models** - Process Networks - Marked Graph - Synchronous Data Flow - Kahn Process Network # A quick snapshot of relevant MoCC - Process Networks - Marked Graph - Synchronous Data Flow - Kahn Process Network **Logical Time** Schedule of A Schedule of B Schedule of C # A quick snapshot of relevant MoCC - Process Networks - Marked Graph - Synchronous Data Flow - Kahn Process Network #### **Logical Time** Schodule of A Schodule of A Schodule of A Schodule of A Schodule of A Schodule of A Schodule of B Schodule of C # A quick snapshot of relevant MoCC - Process Networks - Marked Graph - Synchronous Data Flow - Kahn Process Network # A quick snapshot of relevant MoCC - Process Networks - Marked Graph - Synchronous Data Flow - Kahn Process Network # A quick snapshot of relevant MoCC - Process Networks - Synchronous languages # Formal models - Process Networks - Synchronous languages - Declarative: Lustre / Scade, Signal / Polychrony # Formal models - Process Networks - Synchronous languages - Declarative: Lustre / Scade, Signal / Polychrony # Formal models - Process Networks - Synchronous languages - Declarative: Lustre / Scade, Signal / Polychrony # Formal models - Process Networks - Synchronous languages - Declarative: Lustre / Scade, Signal / Polychrony - Process Networks - Synchronous languages - Declarative: Lustre / Scade, Signal / Polychrony - Imperative: Esterel / SyncCharts # Formal models - Process Networks - Synchronous languages - Declarative: Lustre / Scade, Signal / Polychrony - Imperative Esterel / SyncCharts # Formal models ### A quick snapshot of relevant formal models - Process Networks - Synchronous languages - Declarative: Lustre / Scade, Signal / Polychrony - Imperative Esterel / SyncCharts Everything is about activation conditions #### Goals - Mathematical semantics - Powerful analysis and algorithmic methods - Optimization / verification - Guaranteed equivalence between code and model - Basis for well-founded transformations #### Current Shortcomings - Distance from current mainstream engineering practice - Exotic formalisms for programmers (not C / C++ / java) - Need for a mathematical background - Most tools half-academic or confidential #### Goals - Mathematical semantics - Powerful analysis and algorithmic methods - Optimization / verification - Guaranteed equivalence between code and model - Basis for well-founded transformations #### Current Shortcomings - Distance from current mainstream engineering practice - Exotic formalisms for programmers (not C / C++ / java) - Need for a mathematical background - Most tools half-academic or confidential Poor integration into designflow So? Transformations are often used from a world to another one... Transformations distort models and lead to hard understanding and round-trip are alsmost impossible # The finality? # The finality! - Expliciting the MoCC within a MDE environment - Adding explicit activation conditions - Adding relations between these activation conditions - → formal semantics explicit within the model (not hidden in the simulator / any transformation) - Expliciting the MoCC within a MDE environment - Adding explicit activation conditions - Adding relations between these activation conditions - → formal semantics explicit within the model (not hidden in the simulator / any transformation) - → By using multiform logical time - MDE is good for the structural concern - Logical Time is good for the dynamic concern - Adding explicit activation conditions - Adding relations between these activation conditions - Optionnaly linking logical time to physical time - MDE is good for the structural concern - Logical Time is good for the dynamic concern - Adding explicit activation conditions - Adding relations between these activation conditions - Optionnaly linking logical time to physical time → The MARTE time model is a first step toward that - MDE is good for the structural concern - Logical Time is good for the dynamic concern - Adding explicit activation conditions - Adding relations between these activation conditions - Optionnaly linking logical time to physical time - → The MARTE time model specifies logical activation conditions → CCSL specifies relations between MARTE activation conditions - MDE is good for the structural concern - Logical Time is good for the dynamic concern - Adding explicit activation conditions - Adding relations between these activation conditions - Optionnaly linking logical time to physical time User Model - MDE is good for the structural concern - Logical Time MoCC is good for the dynamic concern - Adding explicit activation conditions - Adding relations between these activation conditions - Optionnaly linking logical time to physical time - MDE is good for the structural concern - Logical Time is good for the dynamic concern - Adding explicit activation conditions - Adding relations between these activation conditions - Optionnaly linking logical time to physical time - MDE is good for the structural concern - Logical Time is good for the dynamic concern - Adding explicit activation conditions - Adding relations between these activation conditions - Optionnaly linking logical time to physical time - SubProfile of the MARTE UML profile standardized by the OMG (Object Management Group) - Reviewed and accepted by the community - Implemented in Papyrus (an UML tool integrated with Eclipse) - Under Implementation in other UML tools - A Domain Model integrated with eclipse and usable with Domain Specific Language - The main concepts is the Clock. - It is a way to specify a, possibly infinite, ordered set of instant - It can be logical or chronometric, discrete or dense - Its type is a ClockType Sketchy example of its use **User model** Sketchy example of its use #### **User model** Sketchy example of its use Sketchy example of its use # User model Producer c1 Consumer receiveEvent on c1.sendEvent LogicalClock c1.receiveEvent: LogicalClock LogicalClock : ClockType IsLogical : True Nature : discrete The ordered set of sendEvent is bijective with the ordered set of instants of c1.sendEvent # CCSL - Clock Constraint Specification Language - Firstly introduced in the MARTE TIME profile - Declarative model-based language integrated with Eclipse - Formal semantics (both denotational and operational) - Tooled (TimeSquare) - → Explicitly represent / specify relations between clocks # **CCSL** - Clock Constraint Specification Language - Relations: dependencies between clocks - Coincidence → = - Exclusion → # - Precedence → - Alternance → ~ - Expressions: a mean to create new clocks from others - Delay → delayedFor X on aClock - Filtering → aClock filteredBy aBinaryWord - Union → aClock union anotherClock - Intersection → aClock inter anotherClock - Periodicity → periodicOn aClock period X offset Y • ... - Clock Constraint Specification Language - Relations: dependencies between clocks - Coincidence → = - Exclusion → # - Precedence → < - Alternance → ~ - Expressions: a mean to create new clocks from others - Delay → **delayedFor** *X* **on** *aClock* - Filtering → aClock filteredBy aBinaryWord - Union → aClock union anotherClock - Intersection → aClock inter anotherClock - Periodicity → periodicOn aClock period X offset Y - ... - Libraries: user-defined relations and expressions Complete the sketchy example # Formal MDE #### **User model** #### **MARTE** model LogicalClock : ClockType IsLogical : True Nature : discrete The ordered set of sendEvent is bijective with the ordered set of instants of c1.sendEvent Complete the sketchy example Producer Consumer connector1 **User model** sendEvent receiveEvent on on c1.sendEvent LogicalClock c1.receiveEvent: LogicalClock **MARTE** model LogicalClock: ClockType IsLogical: True Nature : discrete left right R1: Precedes **CCSL** model Formal MDE Complete the sketchy example Producer Consumer connector1 **User model** sendEvent receiveEvent on on c1.sendEvent LogicalClock c1.receiveEvent: LogicalClock **MARTE** model LogicalClock: ClockType IsLogical: True Nature : discrete left right R1: Coincides **CCSL** model Formal MDE #### Simulation - Model animation - Timing Diagram - Sequence Diagram - User Defined action State space exploration Still Beta #### Simulation - Model animation - Timing Diagram - Sequence Diagram - User Defined action State space exploration Still Beta # **Current Projects** #### ARTEMIS CESAR [01/09 – 12/11] - 52 partners : CEA, Airbus, Esterel Technology, Thalès, ... - Requirements engineering: multi viewpoint, multi criteria and multi level requirements, - Component based engineering: design space exploration, comprising multi-view, multicriteria and multi level architecture trade-offs. #### ITEA TIMMO2 [?] - Continental, Delphi, Volvo, ... - Time Model for AUTOSAR/East-ADL2 #### FUI Lambda [07/08 – 06/11] - 14 partners : CEA-List, Thales TRT, Supélec, Airbus EADS, ... - Convergences MARTE, SysML, AADL, IP-Xact, Scade/SyncCharts #### ANR RT-Simex [12/08 – 12/11] - CEA-List, Thales TRT, OBEO, UBO, Aonix - Retro-ingénerie de Traces d'analyse de SIMulation et d'EXécution de systèmes temps-réel #### ANR Help [11/09 – 10/12] - Verimag, STMicro Grenoble, Docea Power, LEAT - High Level Models for Low Power Systems: IP-Xact et UPF #### Nano 2012 – ID-TLM [10/08 – 12/10] - ST-MicroElectronics - UML/MARTE & IP-Xact: behavioral and timing models for IP-Xact ## This is the end... ...thanks...