AADL and RAMSES

RAMSES
Refinement of AADL Models for the
Synthesis of Embedded Systems
Etienne Borde
etienne.borde@telecom-paristech.fr
AADL: Architecture Analysis and Design Language

We use AADL to model SCES architectures:
•  It is standardized (by the SAE), which guarantees interoperability of different tools
•  It provides a clear and precise semantics, which is also standardized
•  It federates a community of users that focus on each of the aspects mentioned earlier:
-  Requirements specification
-  Model analysis
-  Code generation
page 2
07/08/13
A simplified MDE process in a nutshell

[Figure: a rigorous yet abstract representation of the system sits between requirements definition and verification. Arrow 1, from this representation to formal models: transformation into verifiable properties and models. Arrow 2, from this representation to generated code: code generation.]
Issue with code generation

Code generation implies an alteration of the software architecture:
•  Ports are mapped into variables identifying ports,
•  Some connections are mapped into queues, potentially requiring protected resources,
•  Modes may require additional threads to manage mode transitions,
•  Health monitoring requires fault detection and recovery mechanisms,
•  etc.
Impact on analysis results?
A simplified MDE process in a nutshell: impact of code generation on analysis results?

[Figure: the same process as before (a rigorous yet abstract representation of the system between requirements definition and verification, arrow 1 to formal models, arrow 2 to generated code), with a "Conformance ?" question placed between the formal models and the generated code.]
Problem: consistency between 1 and 2?
First contribution of RAMSES

Reduce the semantic gap between the analysed model and the deployed system.

[Figure: the rigorous yet abstract AADL representation of the system is refined into a rigorous and (more) precise AADL representation of the system; the formal models (1) and the generated code (2) are both produced from this refined representation, with requirements definition and verification around the process as before.]
Example of input (ARINC653) AADL model

[Figure: an ARINC partition (partition runtime, Scheduling=FPS) containing periodic task T1 (Period = 20 ms, Priority = 5, Subprogram_Call: {op1}) and periodic task T2 (Period = 10 ms, Priority = 2, Subprogram_Call: {op2}). The surrounding system also shows a sporadic task T4, a periodic task T3, a bus, and the scheduling properties Scheduling=RMS and Scheduling=FPS on other components.]
First contribution of RAMSES

This technique paves the way for interleaving analysis and AADL-to-AADL transformations.

It is now implemented as a workflow describing model transformations, analysis steps, and decisions.

[Figure: the same refinement process as on the previous slide: requirements definition, verification, an abstract AADL model refined into a more precise AADL model, from which the formal models (1) and the generated code (2) are derived.]
Example of refinement for code generation

[Figure: before refinement, an ARINC partition (partition runtime, Scheduling=FPS) contains periodic task T1 (Period = 20 ms, Priority = 5, Subprogram_Call: {op1}) connected through a data connection to periodic task T2 (Period = 10 ms, Priority = 2, Subprogram_Call: {op2}). After refinement, the same partition contains task T1 (Priority = 5, Subprogram_Call: {op1; DISPLAY_BLACKBOARD; PERIODIC_WAIT(20)}) and task T2 (Priority = 2, Subprogram_Call: {READ_BLACKBOARD; op2; PERIODIC_WAIT(10)}): the data connection has become an ARINC blackboard and the periods have become explicit PERIODIC_WAIT calls.]
Analysis precision

[Figure: the same before/after refinement as on the previous slide. In the refined ARINC partition (partition runtime, Scheduling=FPS), task T1 (Priority = 5, Subprogram_Call: {op1; DISPLAY_BLACKBOARD; PERIODIC_WAIT(20)}) and task T2 (Priority = 2, Subprogram_Call: {READ_BLACKBOARD; op2; PERIODIC_WAIT(10)}) are annotated with the additional CPU consumption and the additional memory consumption introduced by the blackboard and the periodic-wait calls, which the analysis of the refined model can now take into account.]
Input semantics variability

[Figure: an ARINC partition with periodic task T1 (Period = 20 ms, Priority = 5, Subprogram_Call: {op1}) connected to periodic task T2 (Period = 10 ms, Priority = 2, Subprogram_Call: {op2}); the connection carries the property associations Dequeue_protocol=>AllItems and Timing=>delayed, and the default "output_rate" property value.]

This subset of AADL can be implemented as a lock-free queue [ISORC2013].

Removing the "delayed" property association, or changing it to another value, changes the implementation.
Similarly, changing the target platform from ARINC to OSEK requires adapting the code generation.
RAMSES relies on model transformation design patterns to ensure adaptability (template method, strategy, adapter, etc.) [ICECCS2012].
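As an added illustration of the "lock-free queue" implementation of Dequeue_protocol=>AllItems mentioned above (this is example code written for this page, not RAMSES output or the code of [ISORC2013]), the following C block implements a single-producer, single-consumer ring buffer where the receiver drains every item present at its dispatch. The assumptions are not taken from the slides: one sender (T1) and one receiver (T2), a fixed queue size of 8, and "drop the newest item when full" as the overflow policy.

```c
/* Added example (not RAMSES code): a single-producer / single-consumer
 * lock-free ring buffer giving the AADL event-data-port semantics the
 * slide names, Dequeue_protocol => AllItems: on dispatch the receiver
 * drains every item present.  Assumptions, not taken from the page:
 * one sender thread (T1) and one receiver thread (T2), a fixed queue
 * size, and "drop the newest item when full" as the overflow policy. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define QUEUE_SIZE 8              /* assumed queue size; must be a power of two */
#define QUEUE_MASK (QUEUE_SIZE - 1)

typedef struct {
    int32_t items[QUEUE_SIZE];
    _Atomic size_t head;          /* written only by the consumer */
    _Atomic size_t tail;          /* written only by the producer */
} spsc_queue_t;

void queue_init(spsc_queue_t *q)
{
    atomic_init(&q->head, 0);
    atomic_init(&q->tail, 0);
}

/* Producer side (T1's output port).  Returns false when the queue is
 * full; the item is dropped, which is the assumed overflow policy. */
bool queue_put(spsc_queue_t *q, int32_t v)
{
    size_t tail = atomic_load_explicit(&q->tail, memory_order_relaxed);
    size_t head = atomic_load_explicit(&q->head, memory_order_acquire);
    if (tail - head == QUEUE_SIZE)
        return false;
    q->items[tail & QUEUE_MASK] = v;
    /* release: the store to items[] is visible before the new tail */
    atomic_store_explicit(&q->tail, tail + 1, memory_order_release);
    return true;
}

/* Consumer side (T2's dispatch with Dequeue_protocol => AllItems):
 * move every item present into out[], return how many were moved.
 * Items enqueued after the tail snapshot wait for the next dispatch. */
size_t queue_take_all(spsc_queue_t *q, int32_t *out, size_t out_len)
{
    size_t head = atomic_load_explicit(&q->head, memory_order_relaxed);
    size_t tail = atomic_load_explicit(&q->tail, memory_order_acquire);
    size_t n = 0;
    while (head != tail && n < out_len) {
        out[n++] = q->items[head & QUEUE_MASK];
        head++;
    }
    /* release: slots are free for reuse only after we finished reading */
    atomic_store_explicit(&q->head, head, memory_order_release);
    return n;
}

/* Number of items currently queued (indices only ever grow). */
size_t queue_count(spsc_queue_t *q)
{
    return atomic_load(&q->tail) - atomic_load(&q->head);
}

/* Stand-alone demo: T1 (20 ms) has produced two values since T2's last
 * dispatch; T2 (10 ms) drains both in one dispatch, then finds nothing. */
int main(void)
{
    spsc_queue_t q;
    int32_t buf[QUEUE_SIZE];
    queue_init(&q);
    queue_put(&q, 11);
    queue_put(&q, 12);
    size_t n = queue_take_all(&q, buf, QUEUE_SIZE);
    printf("dispatch 1: %zu item(s)\n", n);
    n = queue_take_all(&q, buf, QUEUE_SIZE);
    printf("dispatch 2: %zu item(s)\n", n);
    return 0;
}
```

The two indices are only ever written by their own side, which is what makes the acquire/release pairing sufficient and removes the need for the protected resource that a general multi-reader queue would require; with two senders on the same port this code is no longer correct and a lock or a CAS loop on the tail becomes necessary.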
Model transformations and code generation for AADL BA

The code generator for the BA (subset) is integrated in the refinement process.

[Figure: before refinement, periodic task T1 (Period = 20 ms) carries a Behavior Annex BA {** … **} with three complete states S1 (initial), S2 and S3, each left by an "on dispatch" transition whose action is f1(), f2() and f3() respectively. After refinement, the same task (Period = 20 ms) Calls {entry_point}, and the subprogram entry_point carries a BA {** … **} with states entry (initial) and fini, whose transitions are guarded by the value of current_state: -[current_state=S1] / {f1(); await_dispatch()}, -[current_state=S2] / {f2(); await_dispatch()} and -[current_state=S3] / {f3(); await_dispatch()}.]
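To make the refinement above concrete, here is an added C example (written for this page; it is not code generated by RAMSES) of the shape the refined entry_point takes: one call per dispatch, a test on current_state selecting the original action, then the wait. Two things are assumptions, not facts from the slide: the transitions form the cycle S1 -> S2 -> S3 -> S1, and await_dispatch() is simulated by counting the dispatch and returning to a driver loop rather than calling PERIODIC_WAIT.

```c
/* Added example (not RAMSES-generated code): the refined Behavior Annex
 * as a C subprogram.  States S1, S2, S3 with actions f1, f2, f3 on
 * dispatch become an entry_point that tests current_state, runs the
 * matching action, advances the state and waits for the next dispatch.
 * Assumed (not on the slide): the cycle S1 -> S2 -> S3 -> S1, and an
 * await_dispatch() that only counts the dispatch instead of PERIODIC_WAIT. */
#include <stddef.h>
#include <stdio.h>

typedef enum { S1, S2, S3 } ba_state_t;

#define TRACE_MAX 64
static ba_state_t current_state = S1;   /* the BA's state variable */
static int trace[TRACE_MAX];            /* which f* ran at each dispatch */
static size_t trace_len;
static size_t dispatch_count;

/* The three actions of the original BA; here they only record that they ran. */
static void f1(void) { if (trace_len < TRACE_MAX) trace[trace_len++] = 1; }
static void f2(void) { if (trace_len < TRACE_MAX) trace[trace_len++] = 2; }
static void f3(void) { if (trace_len < TRACE_MAX) trace[trace_len++] = 3; }

/* In the generated ARINC partition this would be PERIODIC_WAIT; simulated
 * here by counting the completed dispatch and returning to the driver. */
static void await_dispatch(void) { dispatch_count++; }

/* The refined subprogram: from state "entry", the transition whose guard
 * matches current_state fires; its action runs the original f*, moves
 * current_state to the successor (assumed cycle) and waits. */
void entry_point(void)
{
    switch (current_state) {
    case S1: f1(); current_state = S2; await_dispatch(); break;
    case S2: f2(); current_state = S3; await_dispatch(); break;
    case S3: f3(); current_state = S1; await_dispatch(); break;
    }
}

void ba_reset(void)
{
    current_state = S1;
    trace_len = 0;
    dispatch_count = 0;
}

/* Driver standing in for the periodic task body: n dispatches of T1.
 * Returns the number of dispatches completed through await_dispatch(). */
size_t run_dispatches(size_t n)
{
    for (size_t i = 0; i < n; i++)
        entry_point();
    return dispatch_count;
}

ba_state_t ba_current_state(void) { return current_state; }
size_t ba_trace_len(void) { return trace_len; }
int ba_trace_at(size_t i) { return i < trace_len ? trace[i] : 0; }

/* Stand-alone demo: four dispatches of T1 run f1, f2, f3, f1. */
int main(void)
{
    ba_reset();
    run_dispatches(4);
    for (size_t i = 0; i < ba_trace_len(); i++)
        printf("dispatch %zu: f%d()\n", i + 1, ba_trace_at(i));
    return 0;
}
```

Because the state variable and the dispatch loop are explicit in the refined model, the extra memory (current_state) and the extra work per dispatch (the guard test) are visible to the analysis, which is the point of refining before generating rather than hiding them in a code template.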
Consequences on the code generation part

Code generation becomes very simple:
•  Generic code generation for data types, data subcomponents, subprograms, subprogram calls, etc.
•  Target-specific code generation for initialization of OS data structures (tasks, routing of messages, etc.)

[Figure: the refined ARINC partition, with task T1 (Priority = 5, Subprogram_Call: {op1; DISPLAY_BLACKBOARD; PERIODIC_WAIT(20)}) connected through data to periodic task T2 (Priority = 2, Subprogram_Call: {READ_BLACKBOARD; op2; PERIODIC_WAIT(10)}).]
Integration status of RAMSES

Directly integrated with the development branch of OSATE (IDE)
Open-source, available on our public svn
Relies on OS with standardised APIs (uses APEX)
Non-regression tests based on the open-source POK project

[Figure: logos of OSATE (open-source project), RAMSES and POK (open-source project).]
Ongoing and future works

Requirements-driven selection of model transformations (design space exploration)
•  Interactions with Lab-STICC and UPV on this topic
Deployment of generated code on COTS ARINC 653 operating systems
•  Interactions with SEI and ISAE
Improve the integration of RAMSES and AADL Inspector
•  Interactions with Ellidiss

Download