

#### **UbiComp Middleware and Verification**

Annie Ressouche Inria-sam (stars) annie.ressouche@inria.fr

# Ubiquitous Middleware Application Validation

Ultra-tiny computer are embedded into o

- •Ubiquitous and adaptive middleware may be used to design critical applications
- •Ensure a safe usage of these middleware wrt component behavior

•Apply general techniques used to develop critical software



#### Outline

- 1. Critical system validation
- 2. Model-checking solution
  - 1. Model specification
  - 2. Model-checking techniques
- 3. Application to component based adaptive middleware
  - 1. Middleware critical component as synchronous models to allow validation
  - 2. The Scade solution



### 1. Critical system validation

Outline

- 2. Model-checking solution
  - 1. Model specification
  - 2. Model-checking techniques
- 3. Application to component based adaptive middleware
  - 1. Middleware critical component as synchronous models to allow validation
  - 2. The Scade solution

#### **Critical Software**



- A critical software is a software whose failing has serious consequences:
  - Nuclear technology
  - Transportation
    - Automotive
    - •Train
    - Aircraft construction

#### **Critical Software**



- In addition, other consequences are relevant to determine the critical aspect of software:
  - Financial aspect
    - Loosing equipment, bug correction
    - Equipment callback (automotive)
  - Bad advertising

#### **Software Classification**



Depending of the level of risk of the system, different kinds of verification are required Example of the aeronautics norm DO178B:

biguitous Netwo

- A Catastrophic (human life loss)
- **B** Dangerous (serious injuries, loss of goods)
- **C** Major (failure or loss of the system)
- **D** Minor (without consequence on the system)
- **E** Without effect

#### **Software Classification**



Minor acceptable situation Major **Unacceptable situation** Dangerous 10<sup>-9</sup>/hour  $10^{-12}$ /hour  $10^{-3}$  / hour  $10^{-6}$ catastrophic hour probable probabilities very very rare rare improbable



#### How Develop critical software ?

08/01/2014

**Ubiquitous Network** 

#### How Develop Critical Software ?

Ultra-tiny computer are embedded into @

Ubiguitous Networ

- Cost of critical software development:
  - Specification : 10%
  - Design: 10%
  - Development: 25%
  - Integration tests: 5%
  - Validation: 50%
- Fact:

Earlier an error is detected, less expensive its correction is.



#### How Develop Critical Software ?

- Goals of critical software specification:
  - Define application needs
    - $\Rightarrow$  specific domain engineers
  - Allowing application development
    - Coherency
    - Completeness
  - Allowing application functional validation
    - Express properties to be validated

#### $\Rightarrow$ Formal model usage

biguitous Networ



- First Goal: must yield a formal description of the application needs:
  - Standard to allowing communication between computer science engineers and non computer science ones
  - General enough to allow different kinds of application:
    - Synchronous (and/or)
    - Asynchronous (and/or)
    - Algorithmic



- Second Goal: allowing errors detection carried out upstream:
  - Validation of the specification:
    - Coherency
    - Completeness
    - Proofs
  - Test
    - Quick prototype development
    - Specification simulation



#### Example of non completeness From Ariane 5:





- Third goal: make easier the transition from specification to design (refinement)
  - Reuse of specification simulation tests
  - Formalization of design
  - Code generation
    - Sequential/distributed
    - Toward a target language
    - Embedded/qualified code





#### **Critical Software Validation**



- What is a correct software?
  - No execution errors, time constraints respected, compliance of results.
- Solutions:
  - At model level :
    - Simulation
    - Formal proofs
  - At implementation level:
    - Test
    - Abstract interpretation



- Testing
  - Run the program on set of inputs and check the results
- Static Analysis
  - Examine the source code to increase confidence that it works as intended
- Formal Verification
  - Argue formally that the application always works as intended





- Dynamic verification process applied at implementation level.
- Feed the system (or one if its components) with a set of input data values:
  - Input data set not too large to avoid huge time testing procedure.
  - Maximal coverage of different cases required.







08/01/2014

#### Static Analysis



- The aim of static analysis is to search for errors without running the program.
- Abstract interpretation = replace data of the program by an abstraction in order to be able to compute program properties.
- Abstraction must ensure :
  - A(P) "correct"  $\Rightarrow$  P correct
  - But  $\mathbb{A}(\mathsf{P})$  "incorrect"  $\Rightarrow$  ?

#### Static Analysis: example



abstraction: integer by intervals

1: 
$$x:= 1;$$
 $x1 = [1,1]$ 2: while  $(x < 1000) \{$  $x2 = x1 \ U \ x3 \ \cap [-\infty, 999]$ 3:  $x := x+1;$  $x3 = x2 \oplus [1,1]$ 4:  $\}$  $x4 = x1 \ U \ x3 \ \cap [1000, \infty]$ 

## Abstract interpretation theory $\Rightarrow$ values are fix point equation solutions.

#### **Formal Verification**



- What about functional validation ?
  - Does the program compute the expected outputs?
  - Respect of time constraints (temporal properties)
  - Intuitive partition of temporal properties:
    - Safety properties: something bad never happens
    - Liveness properties: something good eventually happens

#### Safety and Liveness Properties



- Example: the beacon counter in a train:
  - Count the difference between beacons and seconds
  - Decide when the train is ontime, late, early
    - ontime : difference = 0
    - late : difference > 3 and it was ontime before or difference > 1 and it was already late before
    - early : difference < -3 and it was ontime before or difference < -1 and it was ontime before</li>

#### Safety and Liveness Properties



- Some properties:
  - 1. It is impossible to be late and early;
  - 2. It is impossible to directly pass from late to early;
  - 3. It is impossible to remain late only one instant;
  - 4. If the train stops, it will eventually get late
- Properties 1, 2, 3 : safety
- Property 4 : liveness



#### Some properties:

- 1. It is impossible to be late and early;
- 2. It is impossible to directly pass from late to early;
- 3. It is impossible to remain late only one instant;
- 4. If the train stops, it will eventually get late
- Properties 1, 2, 3 : safety
- Property 4 : liveness (refer to unbound future)

#### Outline



- 1. Critical system validation
- 2. Model-checking solution
  - 1. Model specification
  - 2. Model-checking techniques
- 3. Application to component based adaptive middleware
  - 1. Middleware critical component as synchronous models to allow validation
  - 2. The Scade solution

#### Safety and Liveness Properties Checking



- Use of model checking technique
- Model checking goal: prove safety and liveness properties of a system in analyzing a model of the system.
- Model checking techniques require:
  - model of the system
  - express properties
  - algorithm to check properties againts the model (⇒ decidability)

#### **Model Checking Techniques**

- Ubiquitous Network
- Model = automata which is the set of program behaviors
- Properties expression = temporal logic:
  - LTL : liveness properties
  - CTL: safety properties
- Algorithm =
  - LTL : algorithm exponential wrt the formula size and linear wrt automata size.
  - CTL: algorithm linear wrt formula size and wrt automata size

#### Model Checking Model Specification



 Model = automata which is the set of program behaviors

#### **Model Specification**



- Model = automata which is the set of program behaviors
- An automata is composed of:
  - 1. A finite set of states (Q)
  - 2. A finite alphabet of actions (A)
  - 3. An initial state  $(q^{init} \in \mathbb{Q})$
  - 4. A transition relation ( $\mathbb{R}$  in  $\mathbb{Q} \times \mathbb{Q}$ )
  - 5. A labeling function  $\lambda : \mathbb{Q} \times \mathbb{Q} \to \mathbb{A}$

Notation: a transition is denoted  $q_1 \xrightarrow{a} q_2$ 

#### **Model Specification**



 Model = automata which is the set of program behaviors

#### Example: Traffic Light



trigger: tick, reset

action:green,orange,red





- How design automata as system behaviors ?
- Use synchronous languages to specify critical systems.

Synchronous programs = automata



- Synchronous languages have a simple formal model (a finite automaton) making formal reasoning tractable.
- 2. Synchronous languages support **concurrency** and offer an implicit or explicit means to express parallelism.
- 3. Synchronous languages are devoted to design reactive systems.

#### **Determinism & Reactivity**



- Synchronous languages are deterministic and reactive
- Determinism:
  - The same input sequence always yields the same output sequence
- Reactivity:
  - The program must react<sup>(\*)</sup> to any stimulus
  - Implies absence of deadlock
    - (\*) Does not necessary generate outputs, the reaction may change internal state only.





Read





**Computations** 





#### Atomic execution: read, compute, write

# Synchronous Hypothesis



- Synchronous languages work on a logical time.
- The time is
  - Discrete
  - Total ordering of instants.

Use N as time base

- A reaction executes in one instant.
- Actions that compose the reaction may be partially ordered.

# Synchronous Hypothesis



- Communications between actors are also supposed to be instantaneous.
- All parts of a synchronous model receive exactly the same information (instantaneous broadcast).
- Outcome: Outputs are simultaneous with Inputs (they are said to be synchronous)
- Thanks to these strong hypotheses, program execution is fully deterministic.





- Different ways to "react" to the environment:
  - Event driven system:
    - Receive events
    - Answer by sending events
  - Data flow system:
    - Receive data continuously
    - Answer by treating data continuously also

Some systems have components of both kinds

# Event Driven Reactive System



#### Langing gear management





# Imperative and Declarative languages



- Different ways to express synchronous programs:
  - Imperative languages rely on implicitly or explicitly finite state machines, well suited to design event driven reactive system
  - Declarative languages rely on operator networks computing data flows, well suited to design data flow reactive system

#### Event Driven = FSM



Event driven applications can be designed:

- 1. As simple finite sate machines (= automata)
- 2. As the **synchronous product** of finite state machines





Data flow programs can be interpreted as networks of operators.

Data « flow » to operators where they are consumed. Then, the operators generate new data. (Data Flow description).





• A flow is a pair made of

Flows, Clocks

- A possibly infinite sequence of values of a given type
- A clock representing a sequence of instants

**X:T** 
$$(X_1, X_2, ..., X_n, ...)$$





#### d i X r a -F F D Ρ Ρ , Q Q $W_N^k$

08/01/2014

**Data Flow** 













08/01/2014





08/01/2014



- 1. Data flow programs compute output flows from input flows using:
  - 1. Variables (= flows)
  - **2.** Equation:  $\mathbf{x} = \mathbf{E}$  means  $\forall k \mathbf{x}_k = \mathbf{E}_k$
  - 3. Assertion: Boolean expression that should be always true.
- 2. Data flow programs define new data flow operators.





#### operator Average (X,Y:int) returns (M:int) M = (X + Y)/2

$$X = (X_1, X_2, ..., X_n, ....)$$
  

$$Y = (Y_1, Y_2, ..., Y_n, ....)$$
  

$$M = ((X_1 + Y_1)/2, (X_2 + Y_2)/2, ...., (X_n + Y_n)/2, ....)$$



Memorizing to take the past into account:
1. pre (previous):

$$X = (x_1, x_2, ..., x_n, ....)$$
  
pre(X) = (nil, x<sub>1</sub>, x<sub>2</sub>, ..., x<sub>n</sub>, ....)  
nil undefined value denoting uninitialized  
memory

2. 
$$\rightarrow$$
 (initialize):  
 $X = (x_1, x_2, ..., x_n, ....), Y = (y_1, y_2, ..., y_n, ....) :$   
 $X \rightarrow Y = (x_1, y_2, ..., y_n, ....)$ 



#### $n=0 \rightarrow pre(n) + 1$

operator MinMax (x:int) returns (min,max:int): min =  $x \rightarrow$  if (x < pre(min) then x else pre(min) max =  $x \rightarrow$  if (x > pre(max) then x else pre(max)



#### operator CT (init:int) returns (c:int): $c = init \rightarrow pre(c) + 2$

# operator DoubleCall (even:bool) returns (n:int) n= if (even) then CT(0) else CT(1) DoubleCall (ff,ff,tt,tt,ff,ff,tt,tt,ff) = ?

# Sequential examples

operator CT (init:int) returns (c:int):  $c = init \rightarrow pre(c) + 2$ CT(0) = (0,2,4,6,8,10,12,14,16,18,...)CT(1) = (1,3,5,7,9,11,13,15,17,19,...)operator DoubleCall (even:bool) returns (n:int) n = if (even) then CT(0) else CT(1) DoubleCall (ff,ff,tt,tt,ff,ff,tt,tt,ff) = ? (1,3,4,6,9,11,12,14,17)

#### **Modulo Counter**



Ultra-tiny computer are embedded into o

# operator MCounter (incr:bool; modulo : int) returns (cpt:int);

var count : int;

#### 

# Modulo Counter Clock



operator MCounterClock (incr:bool; modulo : int) returns(cpt:int; modulo clock: bool); var count : int;  $count = 0 \rightarrow if incr pre(cpt) + 1$ else pre (cpt); cpt = count mod modulo;modulo clock = count != cpt;

# Modulo Counter Clock



MCounterClock(true,3): count: 0123123..... cpt = 0120120..... modulo\_clock = ff ff ff tt ff ff tt ....

```
var count : int;
count = 0 -> if incr pre (cpt) + 1
else pre (cpt);
cpt = count mod modulo;
modulo_clock = count != cpt;
```

#### Timer



- operator Timer returns (hour, minute, second:int);
  var hour\_clock, minute\_clock, day\_clock : bool;
- (second, minute\_clock) = MCounterClock(true, 60); (minute, hour\_clock) = MCounterClock(minute\_clock,60); (hour, dummy\_clock) = MCounterClock(hour\_clock, 24);



#### Data flow programs are compiled into automata



- operator WD (set, reset, deadline:bool) returns (alarm:bool);
- var is\_set:bool;
  - alarm = is\_set and deadline;
  - is\_set = false -> if set then true

else if reset then false

else pre(is\_set);

assert not(set and reset);

tel.



- First, the program is translated into pseudo code:
- if \_init then // first instant (or reaction)
  - is\_set := false; alarm := false;
    - \_init := false;
- else // following reactions
  - if set then is\_set := true
  - else
    - if reset then is\_set := false;
      endif
  - endif

```
alarm := is_set and deadline;
```

```
endif
```



- Choose state variables : \_init and variables which have pre.
- For WD, we consider 2 state variables: \_init (true, false, false, ....) and pre(is\_set)
- 3 states: **S0**: \_init = true and pre(is\_set) = nil **S1**: \_init = false and pre(is\_set) = false **S2**: \_init = false and pre(is\_set) = true

# Data Flow Program Compilation



**Ubiquitous Network** 



08/01/2014







# **Model Checking Technique**



- Model = automata which is the set of program behaviors
- Properties expression = temporal logic:
  - LTL : liveness properties
  - CTL: safety properties
- Algorithm =
  - LTL : algorithm exponential wrt the formula size and linear wrt automata size.
  - CTL: algorithm linear wrt formula size and wrt automata size

## **Properties Checking**



- Liveness Property  $\Phi$  :
  - $\Phi \Rightarrow$  automata B( $\Phi$ )
  - $L(B(\Phi)) = \emptyset$  decidable
  - $\Phi \mid = \mathcal{M} : L(\mathcal{M} \otimes B(^{\sim}\Phi)) = \emptyset$

### **Safety Properties**

- Ubiquitous Network
- CTL formula characterization:
  - Atomic formulas
  - Usual logic operators: not, and, or ( $\Rightarrow$ )
  - Specific temporal operators:
    - EX  $\varnothing$ , EF  $\varnothing$ , EG  $\varnothing$
    - AX  $\varnothing$ , AF  $\varnothing$ , AG  $\varnothing$
    - $EU(\emptyset_1, \emptyset_2), AU(\emptyset_1, \emptyset_2)$



- We call Sat( $\varnothing$ ) the set of states where  $\varnothing$  is true.
- $\boldsymbol{\mathcal{M}} \mid = \varnothing \quad \text{iff } s_{\text{init}} \in \text{Sat}(\varnothing).$

Algorithm:

```
Sat(\Phi) = { s | \Phi |= s}
Sat(not \Phi) = S\Sat(\Phi)
Sat(\Phi1 or \Phi2) = Sat(\Phi1) U Sat(\Phi2)
Sat(EX \Phi) = { s | \exists t \in Sat(\Phi) , s \rightarrow t} (Pre Sat(\Phi))
Sat(EG \Phi) = gfp (\Gamma(x) = Sat(\Phi) \cap Pre(x))
Sat (E(\Phi1 U \Phi2)) = lfp (\Gamma(x) = Sat(\Phi2) U (Sat(\Phi1) \cap Pre(x))
```



**EG (a or b)**  $gfp(\Gamma(x) = Sat(a \text{ or b}) \cap Pre(x))$ 

 $\Gamma(\{s_0, s_1, s_2, s_{3,} s_4\}) = \text{Sat (a or b)} \cap \text{Pre}(\{s_0, s_1, s_2, s_{3,} s_4\})$   $\Gamma(\{s_0, s_1, s_2, s_{3,} s_4\}) = \{s_0, s_1, s_2, s_4\} \cap \{s_0, s_1, s_2, s_{3,} s_4\}$   $\Gamma(\{s_0, s_1, s_2, s_{3,} s_4\}) = \{s_0, s_1, s_2, s_4\}$ 



**EG (a or b)**  $\Gamma(\{s_0, s_1, s_2, s_3, s_4\}) = \{s_0, s_1, s_2, s_4\}$ 

 $\Gamma(\{s_0, s_1, s_2, s_4\}) = Sat (a \text{ or } b) \cap Pre(\{s_0, s_1, s_2, s_4\})$ 

 $\Gamma(\{s_0, s_1, s_2, s_4\}) = \{s_0, s_1, s_2, s_4\}$  $S_0 \mid = EG(a \text{ or } b)$  Model Checking Implementation



- Problem: the size of automata
- Solution: symbolic model checking
- Usage of BDD (Binary Decision Diagram) to encode both automata and formula.
- Each Boolean function has a unique representation
- Shannon decomposition:
  - $f(x_0, x_1, ..., x_n) = f(1, x_1, ..., x_n) \vee f(0, x_1, ..., x_n)$

Model Checking Implementation



- When applying recursively Shannon decomposition on all variables, we obtain a tree where leaves are either 1 or 0.
- BDD are:
  - A concise representation of the Shannon tree
  - no useless node (if x then g else g  $\Leftrightarrow$  g)
  - Share common sub graphs



**Ubiquitous Network** 

































Model Checking Implementation(3)



- Implicit representation of the of states set and of the transition relation of automata with BDD.
- BDD allows
  - canonical representation
  - test of emptiness immediate (bdd =0)
  - complementarity immediate (1 = 0)
  - union and intersection not immediate
  - Pre immediate

Model Checking Implementation (4)



- But BDD efficiency depends on the number of variables
- Other method: SAT-Solver
  - Sat-solvers answer the question: given a propositional formula, is there exist a valuation of the formula variables such that this formula holds
  - first algorithm (DPLL) exponential (1960)

Model Checking Implementation (4)



- SAT-Solver algorithm:
  - formula CNF formula set of clauses
  - heuristics to choose variables
  - deduction engine:
    - propagation
    - specific reduction rule application (unit clause)
    - Others reduction rules
  - conflict analysis + learning

Model Checking Implementation (5)



- SAT-Solver usage:
  - encoding of the paths of length k by propositional formulas
  - the existence of a path of length k (for a given k) where a temporal property Φ is true can be reduce to the satisfaction of a propositional formula
  - theorem: given  $\Phi$  a temporal property and  $\mathcal{M}$ a model, then  $\mathcal{M} \models \Phi \Rightarrow \exists n$  such that  $\mathcal{M} \models_n \Phi$  (n < |S|. 2  $|\Phi|$ )

# **Bounded Model Checking**



- SAT-Solver are used in complement of implicit (BDD based) methods.
- **M** |= Φ
  - verify ¬  $\Phi$  on all paths of length k (k bounded)
  - useful to quickly extract counter examples



### Given a property p Is there a state reachable in *k* steps, which satisfies ¬p ?



# **Bounded Model Checking**



The reachable states in k steps are captured by:  $I(s_0) \wedge T(s_0, s_1) \wedge \dots \wedge T(s_{k-1}, s_k)$ The property p fails in one of the k steps

 $\neg p(s_0) V \neg p(s_1) V \neg p(s_2) \dots V \neg p(s_{k-1}) V \neg p(s_k)$ The safety property **p** is valid up to step k iff  $\Omega(k)$  is unsatisfiable:

$$\Omega(k) = I(s_0) \wedge \left(\bigwedge_{i=0}^{k-1} T(s_i, s_{i+1})\right) \wedge \left(\bigvee_{i=0}^{k} \neg p(s_i)\right)$$



# **Bounded Model Checking**



- Computing CT is as hard as model checking.
- Idea: Compute an over-approximation to the actual CT
  - Consider the system as a graph.
  - Compute CT from structure of the graph.
- Example: for **AGp** properties, CT is the longest shortest path between any two reachable states, starting from initial state

### Model Checking with Observers



- Express safety properties as observers.
- An observer is a program which observes the program and outputs ok when the property holds and failure when its fails



# Model Checking with observers (2)



P: aircraft autopilot and security system



### **Properties Validation**



- Taking into account the environment
  - without any assumption on the environment, proving properties is difficult
  - but the environment is indeterminist
    - Human presence no predictable
    - Fault occurrence
    - ...
  - Solution: use assertion to make hypothesis on the environment and make it determinist

## **Properties Validation (2)**



- Express safety properties as observers.
- Express constraints about the environment as assertions.



### **Properties Validation (3)**



• if assume remains true, then ok also remains true (or failure false).



### Outline



- 1. Critical system validation
- 2. Model-checking solution
  - 1. Model specification
  - 2. Model-checking techniques
- 3. Application to component based adaptive middleware
  - 1. Middleware critical component as synchronous models to allow validation
  - 2. The Scade solution



### Application to Component Based Adaptive Middleware for Ubiquitous Computing

# **Component Modeling**



- Adaptive middleware (as Wcomp) component listen to input events and provide output methods in reaction.
- They could be critical and response time sensitive
  - They should support formal validation
  - They should be deterministic
- Component behavior specification as synchronous model



#### To sum up :

- Synchronous models can be designed as event-driven controllers or as data flow operator networks
- 2. They always represent automata
- 3. Model-checking techniques apply



- Our goal is to validate critical component of component based adaptive middleware for ubiquitous computing
- critical component will provide a synchronous model of their behaviors to allow modelchecking techniques application as validation
- This synchronous model will be translated into a specific component called a synchronous monitor

### **Use Case**







Old adults monitoring in an instrumented home

08/01/2014





- Use case: observe kitchen usage
  - 1. Camera sensor (to locate the person)
  - 2. Fridge (contact sensor on the door) and a timer to know how long the door is opened
  - 3. Posture sensor (accelerometers) to know if the person is standing, sitting or lying
- Goal: send the appropriate alarm (strong, weak or warning)

### **Use Case Implementation**

Ultra-tiny computer are embedded into •

**Ubiguitous Network** 

 The Alarm, component is critical, 3 synchronous monitors will be introduced to specify the Alarm component behaviors w.r.t the fridge, the posture and the camera components





**Ubiquitous Network** 

### The SCADE solution

- Ultra-tiny computer are embedded into •
- How design the posture component ?
- How validate its behaviors ?
- How introduce it in the overall design ?

### Rely on **SCADE** tool

SCADE: Safety-Critical Application Development Environment



- Scade has been developed to address safety-critical embedded application design
- The Scade suite KCG code generator has been qualified as a development tool according to DO-178B norm at level A.





- Scade has been used to develop, validate and generate code for:
  - avionics:
    - Airbus A 341: flight controls
    - Airbus A 380: Flight controls, cockpit display, fuel control, braking, etc,..
    - Eurocopter EC-225 : Automatic pilot
    - Dassault Aviaation F7X: Flight Controls, landing gear, braking
  - Boeing 787: Landing gear, nose wheel steering, braking

SCADE

- Code Generation
  - certified C code

- Apply observer technique

- Verification
- Simulation
  - Graphical simulation, automatic GUI integration

- System Design
  - Both data flows and state machines





### **Modulo Counter**



Ultra-tiny computer are embedded into o

## operator MCounter (incr:bool; modulo : int) returns (cpt:int);

var count : int;

### 



### Modulo Counter Clock



operator MCounterClock (incr:bool; modulo : int) returns(cpt:int; modulo clock: bool); var count : int;  $count = 0 \rightarrow if incr pre(cpt) + 1$ else pre (cpt); cpt = count mod modulo;modulo clock = count <> cpt;



**Ubiquitous Network** 

### Modulo Counter Clock

#### Timer



- operator Timer returns (hour, minute, second:int);
  var hour\_clock, minute\_clock, day\_clock : bool;





### **SCADE: state machines**



- Input and output: same interface
- States:
  - Possible hierarchy
  - Start in the initial state
  - Content = application behavior
- Transitions:
  - From a state to another one
  - Triggered by a Boolean condition



#### When off, ison = false

08/01/2014

**Ubiquitous Network** 

## SCADE: model checking



### **Observer technique**

### posture model



## **posture** model specification in scade



## SCADE: model checking



#### **Observer technique**



posture verification

lying: true; sitting:true; standing:true

08/01/2014

## SCADE: model checking



#### **Observer technique**



posture verification

assume (lying # sitting # standing)

08/01/2014

## SCADE: code generation



- KCG generates certifiable code (DO-178 compliance)
- Clean code, rigid structure (easy integration)
- Interfacing potential with user-defined code (c/c++)

# SCADE: code generation structures



- InC\_<operator\_name>
  - structure C
  - one member for each input
- OutC\_<operator\_name>
  - Structure C
  - one member for each output and each state
  - Other members for output/state computations

# SCADE: code generation structures

Ubiquitous Network

- Reaction function
  - for a transition (or a reaction) computes the output and the new state
  - void <operator\_name> (Inc\_<operator\_name>
     \* inC, outC\_<operator\_name>\* outc)
- Reset function
  - To reset the reaction and the structures
  - void <operator\_name>\_reset
     (outC\_<operator\_name>\* outc

# SCADE: code generation files



- Generated files
  - <operator\_name>.h : type and function declarations for code integration
  - <operator\_name>.c : implementation of reaction and reset functions
  - kcg\_types.(h,c) to define types in C
  - kcg\_conts.(h,c) to define contants

# Critical Component Validation with SCADE





# Critical Component Validation with SCADE



simule SCADE design validate



## Critical Component Validation with SCADE for WComp



**Ubiquitous Network** 



- Design a TrafficLight in WComp:
  - 1. Specify a TrafficLight synchronous monitor with Scade:
    - 3 lights : green, orange, red
    - Switch from green to orange, orange to red, red to green
  - 2. Connect the monitor to TrafficLight Wcomp component







08/01/2014



Ultra-tiny computer are embedded into g

### Generate TrafficLight Monitor Bean





### TrafficLightMonitor.[hc]:

- Generated from scade design
- \$ outC\_TrafficLight structure containing an entry for each output of TrafficLight (green, red, orange)
- TrafficLight to perform a step in the automaton.

### TrafficLightMonitor\_functions.c:

- User supplied
- Export structures and functions defined in TrafficLight.c
- Define a function to allocate outC\_TrafficLight structure
- Define functions to get output respective values ex: get\_green(outC\_TrafficLight\* out)





#### TrafficLightMonitor.cs:

- Define class TrafficLightMonitorBean as extension of EventedDrawable Wcomp bean.
- Import functions from TrafficLight\_Scade.dll
- Bean starting method: TrafficLightMonitorBean creates the output structure
- Step function: doStep:
  - Call of step function of the TrafficLightMonitor\_Scade dll
  - Get the respective values of green, red and orange from the output structure



#### TrafficLightMonitor.cs:

Definition of events: RedChanged, RedOffChanged, GreenChanged, GreenOffChanged, OrangeChanged,OrangeOffChanged connected to methods of TrafficLight Wcomp bean:



RedChanged → RedOn() RedOffChanged → RedOff() GreenChanged → GreenOn()

GreenOffChanged → GreenOff() OrangeChanged → YellowOn() OrangeOffChanged → YellowOff()











posture

lying

from



**Ubiquitous Network** 



## $\bigotimes_{\boldsymbol{\zeta}}$ = synchronous product + constraint function

The constraint function tells us how multiple accesses are combined

**Property** :  $\bigotimes_{\mathbf{\zeta}}$  preserves safety property:

 $M_1$  verifies  $\Phi$  then  $M_1 \bigotimes_{\boldsymbol{\zeta}} M_2$  verifies  $\Phi$  also



Ultra-tiny computer are embedded into o



O = {0,0'}

$$\zeta: 01 \rightarrow 0$$

{01,02} → 0







## ζ definition:

warning<sub>i</sub> = warning weak\_alarm<sub>2</sub> & weak\_alarm3 = strong\_alarm



08/01/2014

#### **Synchronous Monitor Ubiquitous Network Composition** Ultra-tiny computer are embedded into o warning1 warning warning2 warning3 weak\_alarm2 weak alarm weak\_alarm3 strong\_alarm

weak\_alarm<sub>2</sub> & weak\_alarm<sub>3</sub> implies strong\_alarm

## Use case Implementation in WComp



**Ubiquitous Network**