Dr Daniela Cancila
Laboratoire des composants logiciels pour la Sécurité et la Sûreté des Systèmes (L3S)
Département Architecture & Conception de Logiciels Embarqués
Service de Conception des Systèmes Numériques
■ 2 OVERVIEW
• Society and the industrial context
  • How is our society and the underlying industrial context evolving?
  • What new industrial needs are emerging?
  • What former ones are still in need of a response?
• Cyber Physical Systems as a means to disruptive technologies
  • Who is doing what and how?
• CEA involvement
  • Industrial research axes of L3S (Laboratoire des composants logiciels pour la Sécurité et la Sûreté des Systèmes)
■ 3 SOCIETY
1. How is our society and the underlying industrial context evolving?
2. What new industrial needs are emerging?
3. What former ones are still in need of a response?
■ 4 A LEARNED LESSON
1. How is our society and the underlying industrial context evolving?
• Population longevity is increasing
• Technological supports are a means to increase the quality of life
• More energy production
• Increase in distributed and connected embedded systems
■ 5 QUESTIONS 2 AND 3
1. How is our society and the underlying industrial context evolving?
2. What new industrial needs are emerging?
3. What former ones are still in need of a response?
■ 6 EXAMPLE: A LEARNED LESSON
• We are witnessing a historical change in society
• Technology is pervasive
• The number of distributed and connected embedded systems is increasing
■ 7 INDUSTRIAL PROCESS
[Diagram: requirements, analyses, design, Sw components, Code, Platform; certification standards]
■ 8 EMERGENCE OF A NEW PARADIGM
DACLE Division | January 2013 © CEA. All rights reserved | 8
• Integrated systems
  • Physical (sensor and actuators)
  • Hardware
  • Software
  • Network
• Heterogeneous
• Composability
• Mixed-criticality
[ALSTOM, "Metropolis And Metro Train Solution." http://www.alstom.com/ ]
■ 9 EMERGENCE OF A NEW PARADIGM
• Integrated systems
  • Physical (sensor and actuators)
  • Hardware
  • Software
  • Network
• Heterogeneous
• Composability
• Mixed-criticality
Instrumentation and control functions (category B): automatic control of the Nuclear Power Plant (NPP) primary and secondary circuit conditions, SW and HW
[IEC 61226, Nuclear Power Plants – Instrumentation and control important to safety – Classification of instrumentation and control functions]
■ 10 EMERGENCE OF A NEW PARADIGM
• Integrated systems
  • Physical (sensor and actuators)
  • Hardware
  • Software
  • Network
• Heterogeneous
• Composability, which ensures stability of component properties across integration [1]
• Mixed-criticality
[1] J. Sifakis. Embedded Systems - Challenges and Work Directions, LNCS, 2005
■ 11 EMERGENCE OF A NEW PARADIGM
Control of velocity: SIL 2
Dead-man vigilance functionality: SIL 4
Event Recorder system
[Daniela Cancila, Stefano Dalpez, Roberto Passerone, Francois Terrier. An Industrial Case Study Using an MBE Approach: From Architecture to Safety Analysis. IEEE MOBE-RTES, in conjunction with the IEEE ISORC symposium, 2010]
[D. Macii et al., A safety instrumented system for rolling stocks: Methodology, design process and safety analysis, Measurement Journal, Elsevier, 2015]
■ 12 CYBER-PHYSICAL SYSTEMS
• In 2006 Helen Gill at the National Science Foundation in the United States coined the term CPS [1]
• Cyber-physical systems (CPS) enable the physical world to merge with the virtual, leading to an Internet of Things, data and services [2]
  • Example: intelligent manufacturing line
• CPS combine computing and networking with physical dynamics [3]
[1] System Design, Modeling and Simulation, Claudius Ptolemaeus editor
[2] http://www.eitictlabs.eu/innovation-entrepreneurship/cyber-physical-systems/
[3] Ed Lee. Disciplined Heterogeneous Modeling, MODELS 2010
■ 13 A LEARNED LESSON
• We are witnessing a historical change in society
• CPS lead to the fourth industrial revolution
■ 15 CPS STATE OF THE ART IN EU
Contract-Based Design is a methodology expected to reduce the cost of design and certification.
Underlying idea: individual components with their safety-related properties, timing included, specified via contracts.
■ 16 CPS STATE OF THE ART IN EU: CBD
• Based on Floyd-Hoare logic (~1960-70): {P} C {Q}, where P = preconditions, C = command in a sequential imperative language, Q = postconditions
• Meyer (~1990-2009): to object-oriented programming, system substitutability
• Beugnard (~1999): to service-oriented architectures
• Contracts as interfaces (~2000) [T. Henzinger and L. De Alfaro]
• FP6 ASSERT and FP6 SPEEDS: to model-based design (~2005-2007)
  • Assumptions and guarantees are just properties (SPEEDS) deployed in an architectural system design to prove a correctness-by-construction approach
■ 17 CBD IN THE ASSERT PROJECT
[Diagram: components annotated with assumption and guarantee]
Code: Ravenscar is an Ada profile tailored to real-time systems
■ 18 CPS STATE OF THE ART IN EU
• Composition with guarantees for High-integrity Embedded Software Components Assembly
• Safety Certification of Software-Intensive Systems with Reusable Components
• Guaranteed Component assembly with Round-Trip Analysis for Energy Efficient High-Integrity Multi-core Systems
■ 19 CPS STATE OF THE ART AT BERKELEY
Center for Hybrid and Embedded Software Systems
■ 20 CPS STATE OF THE ART AT BERKELEY
• We need to capture:
  • what the system is supposed to do
  • the process of mapping a functionality (how the system does what it is supposed to do) with the elements that will be used to build a platform instance or an architecture
• This process is the essential step for refinement and provides a mechanism to proceed towards implementation in a structured way
[Alberto Sangiovanni-Vincentelli. Quo Vadis, SLD: Reasoning about Trends and Challenges of System-Level Design. Proceedings of the IEEE, 95(3):467-506, March 2007.]
■ 21 A LEARNED LESSON
• The USA and EU communities are devoting effort to CPS
  • Industrial and academic research
  • EU funding
  • Private funding
• What is expected
  • Proving solutions to dynamic, heterogeneous, connected distributed embedded systems
  • Disruptive technologies
  • Technological innovation
■ 22 CONTRACT-BASED DESIGN AT L3S
• Industrial problem
[Daniela Cancila, Elie Soubiran, Roberto Passerone. Feasibility Study in the Use of Contract-Based Approaches to Deal with Safety-Related Properties. Ada User Journal, December 2014]
FSF (Fiabilité et Sûreté de Fonctionnement, Reliability and Safety) project, Technological Research Institute SystemX.
■ 23 CONTRACT-BASED DESIGN AT L3S
• Industrial transfer to Alstom
• We adopt the ASAP (Advanced System Architect Program) methodology (Alstom) [1, 2] and the supporting tools
  • Operational (why), functional (what) and constructional (how) views
• Integrating ASAP with CBD
  • A contract is a pair (assumption, guarantee) [1]
    • the guarantee specifies the functionality provided by a component to the environment;
    • the assumption sets forth the conditions required from the environment in order for the component to accomplish its guarantee
[1] ALSTOM, "Alstom ASAP methodology: Advanced System Architect Program." OMG
[2] Marco Ferrogalini, Jean Le Bastard, "Return of experience on the implementation of the System Engineering approach in Alstom." OMG
[3] D. Cancila, R. Passerone, T. Vardanega, and M. Panunzio, "Toward Correctness in the Specification and Handling of Non-Functional Attributes of High-Integrity Real-Time Embedded Systems," IEEE Transactions on Industrial Informatics, May 2010
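The (assumption, guarantee) definition above, together with the composability property quoted from Sifakis on slide 10, as an added example that is not from the original slides or from the L3S/Alstom work: a small Python assume/guarantee checker that decides, by exhaustive enumeration of a finite state space, whether one component's guarantee satisfies the assumption of the component it feeds, and whether a variant refines its specification. The two components (a speed sensor feeding a velocity controller), their variables, domains and bounds are hypothetical, constructed only to show the checks.

```python
from itertools import product

class Contract:
    """A contract is a pair (assumption, guarantee): the assumption is the
    condition the environment must meet, the guarantee what the component then
    provides. Both are predicates over a dict of variable values."""
    def __init__(self, name, assumption, guarantee):
        self.name, self.assumption, self.guarantee = name, assumption, guarantee

def states(domain):
    """Every assignment of the finite variable domain (brute force: toy-sized)."""
    names = list(domain)
    for values in product(*(domain[n] for n in names)):
        yield dict(zip(names, values))

def refines(impl, spec, domain):
    """impl may replace spec if it assumes no more (A_spec => A_impl) and
    provides no less (G_impl => G_spec) on every state of the domain."""
    return all((not spec.assumption(s) or impl.assumption(s)) and
               (not impl.guarantee(s) or spec.guarantee(s))
               for s in states(domain))

def composition_violations(producer, consumer, domain):
    """States the producer may deliver (its A and G both hold) that break the
    consumer's assumption. An empty list means the pair composes without
    re-analysing either component, which is what composability buys."""
    return [s for s in states(domain)
            if producer.assumption(s) and producer.guarantee(s)
            and not consumer.assumption(s)]

# Constructed domain: supply voltage (V), speed reading (km/h), reading age (ms).
DOMAIN = {"supply_v": [12, 24, 36], "speed": [0, 200, 400, 450], "latency_ms": [5, 10, 25]}

speed_sensor = Contract("speed_sensor",
    assumption=lambda s: 18 <= s["supply_v"] <= 36,
    guarantee=lambda s: 0 <= s["speed"] <= 400 and s["latency_ms"] <= 10)

# The controller consumes the reading; its own guarantee toward the brake is out of scope here.
velocity_ctrl = Contract("velocity_control",
    assumption=lambda s: 0 <= s["speed"] <= 400 and s["latency_ms"] <= 20,
    guarantee=lambda s: True)

# Variant whose timing guarantee is too weak for the controller's assumption.
slow_sensor = Contract("slow_sensor", speed_sensor.assumption,
    lambda s: 0 <= s["speed"] <= 400 and s["latency_ms"] <= 30)

# Variant that assumes less and guarantees more: a valid drop-in refinement.
better_sensor = Contract("better_sensor",
    assumption=lambda s: 12 <= s["supply_v"] <= 36,
    guarantee=lambda s: 0 <= s["speed"] <= 400 and s["latency_ms"] <= 5)

if __name__ == "__main__":
    print(composition_violations(speed_sensor, velocity_ctrl, DOMAIN))      # []
    print(len(composition_violations(slow_sensor, velocity_ctrl, DOMAIN)))  # 6
    print(refines(better_sensor, speed_sensor, DOMAIN), refines(slow_sensor, speed_sensor, DOMAIN))  # True False
```

Every violation the checker returns is a concrete environment state, so a mismatch between a delivered guarantee and a required assumption (here, a stale reading) is located without inspecting either component's internals.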
■ 24 CONTRACT-BASED DESIGN AT L3S
• Preliminary industrial feedback
■ 25 CONTRACT-BASED DESIGN AT L3S
• Industrial problem: reduce the certification cost
  • SW systems: safety assurance; goal: modular pre-certification
  • HW systems: redundancy
  • Device systems: production and test
• Preserving certification during the evolution of a mixed-criticality system
• Contract-based design is a means to deal with modular pre-certification
[Diagram: HW, SIL 4 / SIL 0, evolution]
■ 26 CONTRACT-BASED DESIGN AT L3S
• Industrial problem: correct interaction between SW and HW
[Diagram: Real-Time Micro-Kernel and HW; System; Sw components; functional embedded Sw components into model calculus]