Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

Complexity Management for Mixed-Criticality Systems

advertisement 
Complexity Management for Mixed-Criticality Systems
CoMMiCS
Cyber-physical systems are computer systems that tightly interact with physical
processes, typically for command and control purposes. Some cyber-physical systems
have to be dependable, which means that the overall failure of the system may lead to
loss of human life or significant assets. These dependable cyber-physical systems are
categorized as dependable systems. The avionics system in an airplane is such a
dependable system. Here dependable cyber-physical systems have replaced hydromechanical systems to control the airplane. While this shift towards dependable cyberphysical systems happened in the aviation industry already decades ago the automotive
industry is about to implement similar technologies. Electric cars are likely to speed up
this adoption process.
Dependable systems are, hence, omnipresent in our daily lives and are becoming
increasingly large and complex. As a consequence of this trend it is apparent that the
correct development of such complex systems requires a sound architectural basis. In the
absence of architectures we will either build systems of insufficient quality or will simply
not be able to build systems beyond a certain level of complexity at all. The timetriggered architecture (TTA) as developed at the Institut für Technische Informatik at the
Vienna University of Technology is an extraordinary example of an architecture for
dependable embedded systems. The TTA tremendously simplifies the development of
dependable cyber-physical systems. It has been successfully applied in industries that
demand a high level of determinism such as the avionics industry in which predictability
of system operation is a key property. TTP and TTEthernet are implementations of the
TTA. TTP is applied, for example, in the new Boeing 787 Dreamliner, whereas
TTEthernet has been selected for the NASA Orion Space Program.
While the aerospace and space industries (as well as automotive and similar industries)
are traditional areas for dependable systems, we also observe emerging areas with
increasing dependability requirements. Examples include surgery robots in the medical
area, datacenters in the financial and other critical industries, as well as the smart grid
that aims at decentralized energy production and efficient energy use. TTEthernet is
currently evaluated for several of these areas.
Given the observations as sketched above we can reasonably conclude that over time
more and more dependable systems will become mixed-criticality systems: as the
complexity and size of traditional dependable systems grows, cost restrictions as well as
size, weight and power (SWaP) requirements will force the industry to utilize their
computation/communication resources more efficiently. By sharing physical resources
between applications of different criticality levels the efficiency of a system can greatly
be improved. To some degree we see the concept of mixed-criticality systems already
being implemented in the aeronautic industry (“integrated modular avionics”). On the
other hand, the emerging systems will not instantaneously become dependable-only
systems, but gradually become more and more dependable. Systems that host
applications with different criticality requirements will be the normal case and not the
exception.
Architectures such as the TTA can be applied to mixed-criticality systems to some extent,
but as these systems have additional requirements to the ones the TTA has been
originally designed to, novel architectural approaches are necessary. The CoMMiCS
Marie Curie Fellowship researches such novel approaches by using formal methods for
the verification, configuration, and algorithm design for mixed-criticality systems. The
CoMMiCS project is hosted by TTTech Computertechnik AG in Vienna, Austria and by
SRI International, Menlo Park, California.
The CoMMiCs project has addressed the problem of complexity management for mixedcriticality systems by three workpackages (also called research objectives), RO_A,
RO_B, and RO_C. RO_A has had a focus on the development of an executable formal
specification for the TTEthernet synchronization protocol. RO_B has targeted at the
configuration of a TTEthernet system. Of particular interest has been research of novel
scheduling approaches for time-triggered communication as well as novel approaches to
calculate worst-case bounds on communication latency and buffer utilizations for eventtriggered communication. Furthermore in RO_B the configuration of integrated timetriggered event-triggered communication has been studied. In RO_C we executed
research with respect to future extensions of TTEthernet and similar protocols. The
challenge of RO_C has been to develop future extensions not in isolation, but to first
generate a system model (called the holistic view) that could then be extended with the
new functionality and both, the TTEthernet holistic view and the new functionality could
be verified together in an integrated manner.
Description of Work Methods:
The following paragraphs are taken from the SRI International Computer Science
Laboratory Homepage1; they describe the main tools PVS, YICES, and SAL that have
been used in the CoMMiCS project:
“The Formal Methods and Dependable Systems Program in the Computer Science
Laboratory of SRI International has been at the forefront of Formal Methods research
for three decades. During this period, we [SRI] have developed several software tools for
automated verification. This page provides an overview of our current tools and links for
downloading them. All these tools are under active development, extension, and mutual
integration.
PVS: The Prototype Verification System is a comprehensive verification environment: it
provides a specification language in which mathematical theories and conjectures can be
1
http://fm.csl.sri.com/
specified, together with an interactive theorem prover. The PVS specification language is
a higher-order logic with a rich type system that supports concise and perspicuous
specifications. Its theorem prover provides powerful automation, with decision
procedures for several theories including real and integer arithmetic. PVS has been
available since 1993, and has been Open Source since Version 4.0, released in December
2006.
Yices: is an SMT solver: it decides the satisfiability of propositional formulas containing
uninterpreted function symbols with equality, linear real and integer arithmetic, scalar
types, recursive datatypes, tuples, records, extensional arrays, fixed-size bit-vectors,
quantifiers, and lambda expressions. It's basic capability resembles the decision
procedures of PVS, but in a form that incorporates many new theoretical and practical
insights and delivers vastly greater performance and scalability. Yices also does
MaxSMT (and, dually, unsat cores) and is competitive as an ordinary SAT and MaxSAT
solver. Yices can be used as a library in any application that requires "embedded
deduction". Yices is used in SAL 3.0 and in PVS 4.0. Yices has been available since
August 2006; its current version is 1.0. Its prototypes Yices 0.1 and Simplics were
available since July 2005 and its predecessor ICS since 2001. Yices 1.0 won every
division in the 2006 SMT Competition.
SAL: The Symbolic Analysis Laboratory is an environment for the exploration and
analysis of concurrent systems specified as transition relations. Its language includes
many of the attractive features of PVS. The SAL toolkit provides several tools for
examining SAL specifications, including three different high-performance model checkers
for LTL: symbolic, bounded, and infinite-bounded. The infinite-bounded model checker
uses Yices to provide bounded model checking for systems defined over infinite data
types, such as integers and reals. In addition, both the bounded and infinite-bounded
model checkers can prove invariants by k-induction. SAL has been available since 2002,
and has been Open Source since Version 3.0, released in December 2006.
In CoMMiCS we have used the bounded model checker sal-bmc for finite datatypes and
sal-inf-bmc for infinite datatypes in the development of the executable formal
specification of the TTEthernet synchronization protocol.
In RO_B we incorporated YICES via its C-API into a set of novel tools for scheduling,
traffic analysis, as well as integrated time-triggered event-triggered network
configurations.
RO_C has used all three SRI tools, SAL, YICES, and PVS in the design of holistic views
of TTEthernet and novel algorithms.
Description of Main Results:
The main result of RO_A is the executable formal specification of the TTEthernet
synchronization protocol in two parts. A first part focuses on the integration aspects of
startup, restart, and some low-level diagnosis functionality. Due to the state-space
explosion problem we have chosen to represent time as a discrete entity in this first part
of the executable specification. However, the second part of the executable specification
addresses some particular lower-level synchronization functions and represents time as a
continuous entity.
The research results from RO_A resulted also in the following two publications (a third
publication is currently under finalization).

W. Steiner and B. Dutertre, “SMT-Based Formal Verification of a TTEthernet
Synchronization Function,” Proceedings of the 15th International Workshop on
Formal Methods for Industrial Critical Systems (FMICS 2010), Lecture Notes in
Computer
Science
6371
Springer,
2010,
pp. 148-163

W. Steiner and G. Bauer, “TTEthernet: Time-triggered services for Ethernet
networks,” Proceedings of the 28th IEEE/AIAA Digital Avionics Systems Conference
(DASC
2009),
IEEE, 2009
The executable formal specification is used in the NASA project NNL09AA08 and is
intended to be used also in follow-on projects. The second part of the executable
specification evolved as the foundation of model-checking clock synchronization
algorithms, which is further explained in the results of RO_C.
The main result of RO_B is a new approach of using the SMT-solver for configuring
mixed-criticality systems. In particular, we have included the YICES SMT-solver in tools
for scheduling of time-triggered traffic, traffic performance analysis of event-triggered
traffic, and design of time-triggered schedules with a provision for event-triggered traffic
integration.
The research results from RO_B resulted also in the following three publications (a
fourth publication is currently under finalization).

W. Steiner, “Synthesis of Static Communication Schedules for Mixed-Criticality
Systems,” Proceedings of the 1st IEEE Workshop on Architectures and Applications
for Mixed-Criticality Systems (AMICS 2011), IEEE Computer Society, 2011

W. Steiner, “An Evaluation of SMT-based Schedule Synthesis For Time-Triggered
Multi-Hop Networks,” Proceedings of the 31st IEEE Real-Time Systems Symposium
(RTSS 2010), IEEE Computer Society, 2010

W. Steiner, G. Bauer, B. Hall, M. Paulitsch, and S. Varadarajan, “TTEthernet
Dataflow Concept,” Proceedings of the 8th International Symposium on Networking
Computing and Applications (NCA 2009), IEEE Computer Society, 2009, pp. 319322
In particular the paper “Synthesis of Static Communication Schedules for MixedCriticality Systems” has been presented at the AMICS workshop, which has been cochaired by Wilfried Steiner. The tools developed within RO_B are currently used in the
US Darpa-funded project “Meta II” and TTTech is investigating whether these Marie
Curie developed tools may even evolve to become the TTTech’s standard tooling
products.
The main research results of RO_C comprise formal models of TTEthernet in PVS and
SAL that have been used to generate new algorithms, in particular a diagnosis algorithm
and a clock rate-correction algorithm. Furthermore, these models have shown for the first
time that clock-synchronization protocols for fault-tolerant systems can be verified fully
automatically by means of model checking.
The research results from RO_C resulted also in the following two publications (a third
publication has been submitted to the 17th IEEE Pacific Rim International Symposium on
Dependable Computing).
 W. Steiner and B. Dutertre, “Automated Formal Verification of the TTEthernet
Synchronization Quality,” Proceedings of the 3rd NASA Formal Methods Symposium
(NFM 2011), Springer Lecture Notes in Computer Science, 2011

W. Steiner and G. Bauer, “Mixed-criticality networks for adaptive systems,”
Proceedings of the 29th IEEE/AIAA Digital Avionics Systems Conference (DASC
2010), IEEE, 2010, pp. 5.A.3-1 - 5.A.3-10
The results of RO_C will be further used in the analysis of group membership and other
higher-layer algorithms for TTEthernet and related protocols.
Contact:
Dr. Wilfried Steiner
Marie Curie Fellow
TTTech Computertechnik AG
Schoenbrunner Str. 7
1040 Vienna
Austria
wilfried.steiner@tttech.com
Dr. Stefan Poledna
Scientist in Charge
TTTech Computertechnik AG
Schoenbrunner Str. 7
1040 Vienna
Austria
stefan.poledna@tttech.com
Related documents
PPT
PPT
PPTX - Systems, software and technology
PPTX - Systems, software and technology
CSCD 439/539 Guidelines for Survey Paper
CSCD 439/539 Guidelines for Survey Paper
Class One Teacher Job description
Class One Teacher Job description
RM1 119 Homework - Warren County Schools
RM1 119 Homework - Warren County Schools
Resumé info generator
Resumé info generator
2010 PPT Slide Template
2010 PPT Slide Template
Understanding Content Vocabulary in Employment Ads
Understanding Content Vocabulary in Employment Ads
IEEE (Institute of Electrical and Electronic Engineers): Number
IEEE (Institute of Electrical and Electronic Engineers): Number
Download
advertisement